On 05/18/2015 03:04 PM, Arthur Ramsey wrote:
I have a requirement to disable key export on a key stored in a NSS DB in FIPS mode. I read through the documentation and found mention of the ability to do this, but not how. Where can I find information on how to disable key export? I will be using the NSS module via Java to obtain FIPS 140-2 compliance. I imported the key via p12 format, but I could complete the entire process via NSS if needed.

We only support sensitive, not extractable in the NSS FIPS.

If you are talking about database keys, the actual key is stored p12 encrypted in a database, so there would be no way to prevent someone who has both the database and the password for the database from extracting the key.

That being said, several versions of NSS already have FIPS 140-2. I believe FIPS 140-2 allows extracting keys with wrapping keys.

bob

Thanks,
Arthur




-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
