diff --git a/dom/media/webrtc/transport/nricectx.cpp b/dom/media/webrtc/transport/nricectx.cpp
--- a/dom/media/webrtc/transport/nricectx.cpp
+++ b/dom/media/webrtc/transport/nricectx.cpp
@@ -124,23 +124,30 @@
 static int nr_crypto_nss_hmac(UCHAR* key, size_t keyl, UCHAR* buf, size_t bufl,
                               UCHAR* result) {
   CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
   PK11SlotInfo* slot = nullptr;
   MOZ_ASSERT(keyl > 0);
-  SECItem keyi = {siBuffer, key, static_cast<unsigned int>(keyl)};
+  CK_KEY_DERIVATION_STRING_DATA idkey = {key, keyl};
+  SECItem keyi = {siBuffer, (unsigned char*)&idkey, sizeof(idkey)};
+  PK11SymKey* tmpKey = nullptr;
   PK11SymKey* skey = nullptr;
   PK11Context* hmac_ctx = nullptr;
   SECStatus status;
   unsigned int hmac_len;
   SECItem param = {siBuffer, nullptr, 0};
   int err = R_INTERNAL;
 
   slot = PK11_GetInternalKeySlot();
   if (!slot) goto abort;
 
-  skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi,
-                           nullptr);
+  // HMAC is used for hash calculation only so use derive instead of import
+  // to be FIPS compliant.
+  tmpKey = PK11_KeyGen(slot, mech, NULL, keyl, nullptr);
+  if (!tmpKey) goto abort;
+
+  skey = PK11_Derive(tmpKey, CKM_CONCATENATE_DATA_AND_BASE, &keyi, mech,
+                     CKA_SIGN, keyl);
   if (!skey) goto abort;
 
   hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, &param);
   if (!hmac_ctx) goto abort;
 
@@ -157,10 +164,11 @@
 
   err = 0;
 
 abort:
   if (hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE);
+  if (tmpKey) PK11_FreeSymKey(tmpKey);
   if (skey) PK11_FreeSymKey(skey);
   if (slot) PK11_FreeSlot(slot);
 
   return err;
 }