Bug 502111 - Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function
Product: Dogtag Certificate System
Classification: Community
Component: JSS
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Assigned To: Jack Magne
Chandrasekar Kannan
Blocks: 443788 455305
Reported: 2009-05-21 18:33 EDT by Christina Fu
Modified: 2015-01-04 18:38 EST (History)
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:35:32 EDT

Description Christina Fu 2009-05-21 18:33:21 EDT
There is a new NSS function called GenerateKeyPairWithOpFlags that will allow the caller to pass in information so that certain HSMs know what kind of keys to generate.
We need to expose that via JSS so our Java subsystems can generate their keys on HSMs such as nethsm.

Here is the NSS C interface in /usr/include/nss3/pk11pub.h:

/*
 * Explicitly set the key usage for the generated private key.
 * This allows us to specify single use EC and RSA keys whose usage
 * can be regulated by the underlying token.
 * The underlying key usage is set using opFlags. opFlagsMask specifies
 * which operations are specified by opFlags. For instance to turn encrypt
 * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
 * need to specify both the public and private key flags,
 * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
 * correct key type. Flags not specified in opFlagMask will be defaulted
 * according to mechanism type and token capabilities.
 */
SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
  CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
  PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
  void *wincx);

We should make sure the existing functions still work.
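The opFlags/opFlagsMask rule described in that header comment, modelled in plain C as an added example (not code from this bug, from NSS or from JSS). The CKF_* values are the standard PKCS#11 constants; ASSUMED_RSA_DEFAULTS, the private/public usage split and the function names are assumptions standing in for what the real mechanism and token defaults would supply. It shows why the mask must also name the sign/verify bits to actually get an encrypt-only pair.

```c
#include <stdio.h>
typedef unsigned long CK_FLAGS;

/* PKCS#11 CKF_* operation flags (standard Cryptoki values). */
#define CKF_ENCRYPT        0x00000100UL
#define CKF_DECRYPT        0x00000200UL
#define CKF_WRAP           0x00000400UL
#define CKF_UNWRAP         0x00000800UL
#define CKF_SIGN           0x00001000UL
#define CKF_SIGN_RECOVER   0x00002000UL
#define CKF_VERIFY         0x00004000UL
#define CKF_VERIFY_RECOVER 0x00008000UL
#define CKF_DERIVE         0x00010000UL
/* Which usages land on which half of the pair (how the flags get "sorted"). */
#define PRIV_KEY_OPS (CKF_DECRYPT | CKF_UNWRAP | CKF_SIGN | CKF_SIGN_RECOVER | CKF_DERIVE)
#define PUB_KEY_OPS  (CKF_ENCRYPT | CKF_WRAP | CKF_VERIFY | CKF_VERIFY_RECOVER)
/* Constructed stand-in (assumption) for "defaulted according to mechanism type
 * and token capabilities": an RSA token that permits every usage unless told otherwise. */
#define ASSUMED_RSA_DEFAULTS \
    (CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY | CKF_WRAP | CKF_UNWRAP)

typedef struct {
    CK_FLAGS priv_ops; /* usage attributes the private key would be created with */
    CK_FLAGS pub_ops;  /* usage attributes the public key would be created with */
} KeyPairUsage;

/* Model of the opFlags/opFlagsMask rule: a usage bit named in opFlagsMask takes
 * its value from opFlags; a bit outside the mask keeps the token default. */
KeyPairUsage resolve_key_pair_usage(CK_FLAGS defaults, CK_FLAGS opFlags, CK_FLAGS opFlagsMask)
{
    CK_FLAGS effective = (defaults & ~opFlagsMask) | (opFlags & opFlagsMask);
    KeyPairUsage u = { effective & PRIV_KEY_OPS, effective & PUB_KEY_OPS };
    return u;
}

/* 1 if the resolved pair still allows signing (i.e. it is not encrypt-only). */
int pair_can_sign(KeyPairUsage u)
{
    return (u.priv_ops & (CKF_SIGN | CKF_SIGN_RECOVER)) != 0;
}

int main(void)
{
    CK_FLAGS want = CKF_ENCRYPT | CKF_DECRYPT;
    /* Mask covers only the bits we set, so signing stays on by token default. */
    KeyPairUsage loose = resolve_key_pair_usage(ASSUMED_RSA_DEFAULTS, want, want);
    /* Mask also names the sign/verify bits, so they are forced off. */
    KeyPairUsage tight = resolve_key_pair_usage(ASSUMED_RSA_DEFAULTS, want,
                                                want | CKF_SIGN | CKF_VERIFY);
    printf("sign allowed: loose=%d tight=%d\n", pair_can_sign(loose), pair_can_sign(tight));
    return 0;
}
```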
Comment 1 Chandrasekar Kannan 2009-05-26 16:07:49 EDT
Should be in assigned state.
Comment 2 Jack Magne 2009-05-29 12:56:13 EDT
I'm making good progress on this.
Performing more cleanup and testing.
Comment 3 Jack Magne 2009-06-02 20:28:56 EDT
I have already provided Christina with a working version of this new interface. She has verified that it works.

The bug that was generated to actually package up and build this new code is here:


This new JSS should be available soon.
