or, "can I pretty please delete all this code?" ^_^ Hi Christina,
Ade has reviewed my PKCS #12 AES patches for CC effort (thanks Ade!) We have one main area where we need your feedback. The KRA PKCS #12 recovery process for encrypted (cf. wrapped) keys previously performed the encryption and assembled the EncryptedPrivateKeyInfo structure in a rather "manual" way (~80 LOC). In my patch to convert this code path to use AES encrypted, I take an alternative (and much fewer LOC) approach: importing the private key to the *internal* key storage token, as a *temporary* key, and then invoking the same routine as is used for the wrapped key case. Our question: is this fine to do when the system is in FIPS mode? The assumption is that the internal crypto token is always available and that it can do raw (unencrypted) private key import, and wrapping private keys to a symmetric key, while in FIPS mode. We just need to check this assumption. The gerrit review of the patch involved is here: https://review.gerrithub.io/#/c/359027/ Thanks, Fraser _______________________________________________ Pki-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/pki-devel
