There is a new NSS function called GenerateKeyPairWithOpFlags that will allow the caller to pass in information so that certain HSMs know what kind of keys to generate. We need to expose that via JSS so our Java subsystems can generate their keys on an HSM such as nethsm.

Here is the NSS C interface in /usr/include/nss3/pk11pub.h:

/*
 * Explicitly set the key usage for the generated private key.
 *
 * This allows us to specify single use EC and RSA keys whose usage
 * can be regulated by the underlying token.
 *
 * The underlying key usage is set using opFlags. opFlagsMask specifies
 * which operations are specified by opFlags. For instance to turn encrypt
 * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
 * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
 * need to specify both the public and private key flags,
 * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
 * correct key type. Flags not specified in opFlagMask will be defaulted
 * according to mechanism type and token capabilities.
 */
SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
    CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
    PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
    void *wincx);

We should make sure the existing functions still work.
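To make the opFlags/opFlagsMask semantics concrete for whoever wires this into JSS, here is an added C example; it is not NSS or JSS code and is not part of this bug. It assumes the standard PKCS#11 CKF_* bit values, and the resolve/split helpers assume that NSS applies each bit named in opFlagsMask as a CKA_* boolean (leaving unmasked bits at the token default) and assigns decrypt/sign/unwrap/derive to the private key and encrypt/verify/wrap to the public key. The HAVE_NSS wrapper, the 2048-bit RSA parameters and the PK11_ATTR_* choices are illustrative.

```c
#include <stdio.h>

#ifdef HAVE_NSS
/* Real headers: build with -DHAVE_NSS $(pkg-config --cflags --libs nss). */
#include <nss3/pk11pub.h>
#else
/* PKCS#11 CKF_* usage bits (values from pkcs11t.h), so the flag logic below
 * compiles and runs without NSS installed. */
typedef unsigned long CK_FLAGS;
#define CKF_ENCRYPT 0x00000100UL
#define CKF_DECRYPT 0x00000200UL
#define CKF_SIGN    0x00000800UL
#define CKF_VERIFY  0x00002000UL
#define CKF_WRAP    0x00020000UL
#define CKF_UNWRAP  0x00040000UL
#define CKF_DERIVE  0x00080000UL
#endif

/* Assumed split of usage bits between the two halves of a key pair. */
#define PRIVATE_KEY_OPS (CKF_DECRYPT | CKF_SIGN | CKF_UNWRAP | CKF_DERIVE)
#define PUBLIC_KEY_OPS  (CKF_ENCRYPT | CKF_VERIFY | CKF_WRAP)
#define ALL_OPS         (PRIVATE_KEY_OPS | PUBLIC_KEY_OPS)

/* A usage policy as PK11_GenerateKeyPairWithOpFlags expects it. */
struct op_policy {
    CK_FLAGS opFlags;      /* which of the masked operations are ON */
    CK_FLAGS opFlagsMask;  /* which operations we are deciding at all */
};

/* Encrypt/decrypt allowed, sign/verify explicitly denied (the example from
 * the NSS header comment). Wrap/unwrap/derive are left to token defaults. */
struct op_policy encrypt_only_policy(void) {
    struct op_policy p;
    p.opFlags = CKF_ENCRYPT | CKF_DECRYPT;
    p.opFlagsMask = CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY;
    return p;
}

/* The mirror image: a signing-only key pair that must not decrypt. */
struct op_policy sign_only_policy(void) {
    struct op_policy p;
    p.opFlags = CKF_SIGN | CKF_VERIFY;
    p.opFlagsMask = CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY;
    return p;
}

/* A bit set in opFlags but absent from opFlagsMask is silently ignored by the
 * mask semantics, so reject such a policy before calling into NSS. */
int op_policy_is_consistent(const struct op_policy *p) {
    return (p->opFlags & ~p->opFlagsMask) == 0;
}

/* Model of how the token ends up: masked bits come from opFlags, every other
 * bit keeps the mechanism/token default. */
CK_FLAGS resolve_flags(CK_FLAGS token_defaults, const struct op_policy *p) {
    return (token_defaults & ~p->opFlagsMask) | (p->opFlags & p->opFlagsMask);
}

/* Which of the resolved bits land on each key object. */
CK_FLAGS private_key_flags(CK_FLAGS resolved) { return resolved & PRIVATE_KEY_OPS; }
CK_FLAGS public_key_flags(CK_FLAGS resolved)  { return resolved & PUBLIC_KEY_OPS; }

#ifdef HAVE_NSS
/* Generate a 2048-bit RSA pair on `slot` with the usage restricted by `policy`. */
SECKEYPrivateKey *generate_rsa_with_policy(PK11SlotInfo *slot, SECKEYPublicKey **pubk,
                                           const struct op_policy *policy, void *wincx) {
    PK11RSAGenParams params = { 2048, 65537 };
    if (!op_policy_is_consistent(policy))
        return NULL;
    return PK11_GenerateKeyPairWithOpFlags(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &params, pubk,
                                           PK11_ATTR_TOKEN | PK11_ATTR_PRIVATE | PK11_ATTR_SENSITIVE,
                                           policy->opFlags, policy->opFlagsMask, wincx);
}
#endif

int main(void) {
    struct op_policy p = encrypt_only_policy();
    CK_FLAGS resolved = resolve_flags(ALL_OPS, &p);
    printf("opFlags=0x%lx opFlagsMask=0x%lx -> private=0x%lx public=0x%lx\n",
           p.opFlags, p.opFlagsMask, private_key_flags(resolved), public_key_flags(resolved));
    return 0;
}
```

The consistency check is the practical takeaway for the JSS binding: a caller who passes a usage bit without also naming it in the mask gets the token default instead of the restriction they asked for, so the Java layer should reject that combination rather than pass it through.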
Should be in assigned state.
I'm making good progress on this. Performing more cleanup and testing.
I have already provided Christina with a working version of this new interface. She has verified that it works. The bug that was generated to actually package up and build this new code is here: https://bugzilla.redhat.com/show_bug.cgi?id=503809 This new JSS should be available soon.