Bug 502111

Summary: Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function
Product: [Retired] Dogtag Certificate System
Reporter: Christina Fu <cfu>
Component: JSS
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: urgent
Version: unspecified
CC: benl, cfu, mharmsen, rrelyea
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-07-22 23:35:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 443788, 455305

Description Christina Fu 2009-05-21 22:33:21 UTC
There is a new NSS function called GenerateKeyPairWithOpFlags that will allow the caller to pass in information so that certain HSMs know what kind of keys to generate.
We need to expose that via JSS so our Java subsystems can generate their keys on HSMs such as nethsm.

Here is the NSS C interface in /usr/include/nss3/pk11pub.h:

/*
 * Explicitly set the key usage for the generated private key.
 *
 * This allows us to specify single use EC and RSA keys whose usage
 * can be regulated by the underlying token.
 *
 * The underlying key usage is set using opFlags. opFlagsMask specifies
 * which operations are specified by opFlags. For instance to turn encrypt
 * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
 * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
 * need to specify both the public and private key flags,
 * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
 * correct key type. Flags not specified in opFlagsMask will be defaulted
 * according to mechanism type and token capabilities.
 */
SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
    CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
    PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
    void *wincx);

We should make sure the existing functions still work.
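
Added example (not part of the bug report, nor NSS or JSS code): a stand-alone C model of the opFlags/opFlagsMask contract quoted above, so the masking rule can be checked without a token. The CKF_* values are the PKCS#11 constants; everything else is an assumption, namely the private/public split of usage bits, the ASSUMED_TOKEN_DEFAULTS stand-in for "defaulted according to mechanism type and token capabilities" (the real defaulting happens inside NSS), and the function names resolve_usage, op_flags_covered_by_mask and usage_allows. The block goes one step beyond the comment's encrypt-only case by also showing a fully masked single-use signing key and the pitfall of a usage bit set in opFlags but left out of opFlagsMask.

```c
#include <stdio.h>
#include <stdbool.h>

/* PKCS#11 key-usage flags (values as defined by the PKCS#11 specification). */
typedef unsigned long CK_FLAGS;
#define CKF_ENCRYPT        0x00000100UL
#define CKF_DECRYPT        0x00000200UL
#define CKF_SIGN           0x00000800UL
#define CKF_SIGN_RECOVER   0x00001000UL
#define CKF_VERIFY         0x00002000UL
#define CKF_VERIFY_RECOVER 0x00004000UL
#define CKF_WRAP           0x00020000UL
#define CKF_UNWRAP         0x00040000UL
#define CKF_DERIVE         0x00080000UL

/* Assumed split of usage bits between the two halves of a key pair
 * (models "sort out the correct flag to the correct key type"). */
#define PRIVATE_KEY_OPS (CKF_DECRYPT | CKF_SIGN | CKF_SIGN_RECOVER | CKF_UNWRAP | CKF_DERIVE)
#define PUBLIC_KEY_OPS  (CKF_ENCRYPT | CKF_VERIFY | CKF_VERIFY_RECOVER | CKF_WRAP | CKF_DERIVE)
#define ALL_KEY_OPS     (PRIVATE_KEY_OPS | PUBLIC_KEY_OPS)

/* Constructed stand-in for what a token would default an RSA pair to when
 * the caller leaves a bit out of opFlagsMask: here, everything allowed. */
#define ASSUMED_TOKEN_DEFAULTS ALL_KEY_OPS

typedef struct {
    CK_FLAGS private_flags;   /* usage the private key ends up with */
    CK_FLAGS public_flags;    /* usage the public key ends up with  */
} KeyPairUsage;

/* Bits inside opFlagsMask are taken from opFlags; bits outside it come
 * from the token defaults. This is the documented contract, modelled locally. */
KeyPairUsage resolve_usage(CK_FLAGS opFlags, CK_FLAGS opFlagsMask, CK_FLAGS tokenDefaults)
{
    CK_FLAGS resolved = (opFlags & opFlagsMask) | (tokenDefaults & ~opFlagsMask);
    KeyPairUsage u;
    u.private_flags = resolved & PRIVATE_KEY_OPS;
    u.public_flags  = resolved & PUBLIC_KEY_OPS;
    return u;
}

/* Caller-side check: a usage bit set in opFlags but missing from
 * opFlagsMask is ignored and the token default wins, so a restriction
 * the caller believes it applied never reaches the HSM. */
bool op_flags_covered_by_mask(CK_FLAGS opFlags, CK_FLAGS opFlagsMask)
{
    return (opFlags & ~opFlagsMask) == 0;
}

/* Does the resolved usage still permit the given operation? */
bool usage_allows(CK_FLAGS usage, CK_FLAGS op)
{
    return (usage & op) == op;
}

static void show(const char *label, KeyPairUsage u)
{
    printf("%s\n  private: sign=%d decrypt=%d unwrap=%d\n  public:  verify=%d encrypt=%d wrap=%d\n",
           label,
           usage_allows(u.private_flags, CKF_SIGN),
           usage_allows(u.private_flags, CKF_DECRYPT),
           usage_allows(u.private_flags, CKF_UNWRAP),
           usage_allows(u.public_flags, CKF_VERIFY),
           usage_allows(u.public_flags, CKF_ENCRYPT),
           usage_allows(u.public_flags, CKF_WRAP));
}

int main(void)
{
    /* The case from the NSS comment: encryption on, signing off,
     * everything else (wrap/unwrap/derive) left to the token. */
    KeyPairUsage enc = resolve_usage(CKF_ENCRYPT | CKF_DECRYPT,
                                     CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY,
                                     ASSUMED_TOKEN_DEFAULTS);
    show("encrypt-only request", enc);

    /* Single-use signing key: mask every usage bit so the token is told
     * exactly what the pair may do and nothing is left to defaults. */
    KeyPairUsage sig = resolve_usage(CKF_SIGN | CKF_VERIFY, ALL_KEY_OPS, ASSUMED_TOKEN_DEFAULTS);
    show("single-use signing key", sig);

    /* Pitfall: requesting verify without widening the mask to cover it. */
    if (!op_flags_covered_by_mask(CKF_SIGN | CKF_VERIFY, CKF_SIGN)) {
        printf("warning: CKF_VERIFY is set in opFlags but not in opFlagsMask; it will be ignored\n");
    }
    return 0;
}
```

The useful habit this illustrates for the JSS wrapper and its callers is to pass a mask that covers every bit you care about; with a narrow mask the HSM silently keeps its own default for the uncovered operations, which defeats the point of a single-use key.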

Comment 1 Chandrasekar Kannan 2009-05-26 20:07:49 UTC
Should be in assigned state.

Comment 2 Jack Magne 2009-05-29 16:56:13 UTC
I'm making good progress on this.
Performing more cleanup and testing.

Comment 3 Jack Magne 2009-06-03 00:28:56 UTC
I have already provided Christina with a working version of this new interface. She has verified that it works.

The bug that was generated to actually package up and build this new code is here:

https://bugzilla.redhat.com/show_bug.cgi?id=503809

This new JSS should be available soon.