Bug 2029657

Summary: Enable the export of keys in plain from the NSS Software Token while in FIPS mode [rhel-9, openjdk-17]
Product: Red Hat Enterprise Linux 9
Component: java-17-openjdk
Version: 9.0
Status: CLOSED ERRATA
Reporter: Andrew John Hughes <ahughes>
Assignee: Martin Balao <mbalao>
QA Contact: OpenJDK QA <java-qa>
CC: fferrari, jandrlik, jvanek
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: java-17-openjdk-17.0.3.0.7-2.el9
Doc Type: If docs needed, set a value
Clone Of:
: 2123579
Last Closed: 2022-11-15 10:01:35 UTC
Type: Bug
Bug Depends On: 1994682
Bug Blocks: 2029665, 2123579

Description Andrew John Hughes 2021-12-07 01:44:43 UTC
This bug was initially created as a copy of Bug #2023467

I am copying this bug because: 

RHEL 9 needs to be kept in sync.

In the context of RH1991003, we implemented an enhancement to import plain secret and private keys (i.e., obtained from a file-based keystore) into the NSS Software token in FIPS mode. The goal now is to enable the reverse operation: export keys in plain from the NSS Software Token while in FIPS mode.

The scope will be initially constrained to keys of CKO_SECRET_KEY class, as this is what we require for TLS 1.3 key-derivation in FIPS mode (see RH2020290). In the future, we might extend the exporter functionality to support keys of CKO_PRIVATE_KEY class.

In the same way as for the importer functionality, the exporter can be disabled by means of the 'com.redhat.fips.plainKeySupport' system property: -Dcom.redhat.fips.plainKeySupport=false. Default behavior is enabled.

As part of this work, we aim to implement several code, debugging and reliability improvements to the FIPS Key Importer.
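The following Java program is an added illustration, not code from this bug or from the OpenJDK/Red Hat FIPS patches. It shows how an application can observe the effect the exporter has on CKO_SECRET_KEY keys: it reads the com.redhat.fips.plainKeySupport switch with the default described above (enabled unless set to "false"), opens the PKCS11 keystore, and for each secret key checks whether a plain encoding is available. As I understand the SunPKCS11 provider, Key.getEncoded() returns null for keys the token will not release (sensitive or non-extractable), so a null result means "not exportable in plain". The assumptions are mine: that the PKCS11 keystore is the NSS Software Token already configured by the system FIPS setup, and that no explicit PIN is needed to enumerate and load the keys (pass one to load()/getKey() if the token requires it).

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.SecretKey;

public class PlainKeyExportCheck {

    /** The switch described in the bug: enabled by default, only "false" disables it. */
    static boolean plainKeySupportEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty("com.redhat.fips.plainKeySupport"));
    }

    /**
     * True when the application can obtain the key's plain encoding.
     * Assumption: SunPKCS11 returns null from getEncoded() for keys the token
     * treats as sensitive / non-extractable, so null means "not exportable".
     */
    static boolean isExportableInPlain(Key key) {
        byte[] encoded = key.getEncoded();
        if (encoded == null) {
            return false;
        }
        // We only needed to know that export works; wipe the copy immediately.
        Arrays.fill(encoded, (byte) 0);
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: "PKCS11" resolves to the NSS Software Token configured by the
        // system FIPS setup. A PIN may be required depending on the token; null here.
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, null);

        System.out.println("com.redhat.fips.plainKeySupport enabled: " + plainKeySupportEnabled());

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            Key key = ks.getKey(alias, null);
            // Only CKO_SECRET_KEY objects are in scope for the exporter at this point;
            // private keys (CKO_PRIVATE_KEY) are reported as not exportable here.
            if (key instanceof SecretKey) {
                System.out.printf("%s (%s): plain export %s%n",
                        alias, key.getAlgorithm(),
                        isExportableInPlain(key) ? "available" : "not available (getEncoded() == null)");
            }
        }
    }
}
```

Run it twice, once with the default settings and once with -Dcom.redhat.fips.plainKeySupport=false, to confirm that the property actually gates plain export on the system under test; any secret key that reports "available" is one whose raw bytes can leave the token, which is exactly the set an auditor would want to enumerate.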

Comment 17 errata-xmlrpc 2022-11-15 10:01:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (java-17-openjdk bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:6709