PK11_CopySymKeyForSigning does a key exchange in FIPS mode

RESOLVED FIXED in 3.8

Status

NSS
Libraries
--
enhancement
RESOLVED FIXED
15 years ago
15 years ago

People

(Reporter: Jamie Nicolson, Assigned: Robert Relyea)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

15 years ago
PK11_CopySymKeyForSigning is used to set the CKA_SIGN attribute on a key, for
example so it can be used for HMAC. This should be implemented with a
C_SetAttribute, and failing that, a C_CopyObject. Instead, the wrapper layer
tries to extract the key value, and if that fails, does a key exchange.
Extracting the key value will fail in FIPS mode, so a key exchange will be
performed. The key exchange involves a public-key encryption and decryption, and
possibly even a key generation. These are very heavy-duty operations, and a big
waste of resources when all we want to do is change the value of a flag on a key.
(Assignee)

Comment 1

15 years ago
This seems like a reasonable small enhancement for 3.8
Severity: normal → enhancement
Target Milestone: --- → 3.8
(Assignee)

Comment 2

15 years ago
Created attachment 112452 [details] [diff] [review]
Try just setting the attribute on the key rather than copying it.

I've kept the copy code in case the token doesn't allow the attribute to be
changed on an existing key.
(Assignee)

Comment 3

15 years ago
Fixed in revision 1.64 of pk11skey.c
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.