We import symmetric keys in non-FIPS mode using PK11_ImportSymKeyWithFlags(...).

This doesn't work in FIPS mode. Instead, we'll need to generate a new key, encrypt the existing key, and unwrap it into the NSS DB.

Note that I broke this as I suggested we use ImportKey instead of the earlier dance with Unwrap/Wrap in PKI and the test suite; this should fix that.

I think e791542 is the commit I was thinking of in JSS and dogtagpki/pki@879114a in PKI.