Bug 502111 - Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: JSS
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: ---
Assignee: Jack Magne
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788 455305
Reported: 2009-05-21 22:33 UTC by Christina Fu
Modified: 2015-01-04 23:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:35:32 UTC
Embargoed:



Description Christina Fu 2009-05-21 22:33:21 UTC
There is a new NSS function called GenerateKeyPairWithOpFlags that will allow the caller to pass in information so that certain HSMs know what kind of keys to generate.
We need to expose that via JSS so our Java subsystems can generate their keys on an HSM such as nethsm.

Here is the NSS C interface in /usr/include/nss3/pk11pub.h:

/*
 * Explicitly set the key usage for the generated private key.
 *
 * This allows us to specify single use EC and RSA keys whose usage
 * can be regulated by the underlying token.
 *
 * The underlying key usage is set using opFlags. opFlagsMask specifies
 * which operations are specified by opFlags. For instance to turn encrypt
 * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
 * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
 * need to specify both the public and private key flags,
 * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
 * correct key type. Flags not specified in opFlagMask will be defaulted
 * according to mechanism type and token capabilities.
 */
SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
    CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
    PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
    void *wincx);

We should make sure the existing functions still work.
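
The opFlags/opFlagsMask rule from the header comment above, as an added example that is not part of the original report and is not NSS code. resolve_usage and its defaults argument are hypothetical: defaults stands in for what the mechanism type and token would choose, and a bit set in opFlags but missing from opFlagsMask is treated here as a caller error.

```c
#include <stdio.h>

/* Operation flag bits with the values PKCS #11 assigns them; real code
 * gets these from the NSS/PKCS #11 headers instead of redefining them. */
typedef unsigned long CK_FLAGS;
#define CKF_ENCRYPT 0x00000100UL
#define CKF_DECRYPT 0x00000200UL
#define CKF_SIGN    0x00000800UL
#define CKF_VERIFY  0x00002000UL
#define CKF_WRAP    0x00020000UL
#define CKF_UNWRAP  0x00040000UL

/* Which half of the key pair each operation belongs to. */
#define PUBLIC_OPS  (CKF_ENCRYPT | CKF_VERIFY | CKF_WRAP)
#define PRIVATE_OPS (CKF_DECRYPT | CKF_SIGN | CKF_UNWRAP)

struct key_usage { CK_FLAGS pub; CK_FLAGS priv; };

/*
 * Hypothetical helper: work out the usage each key ends up with.
 * Bits inside opFlagsMask take their value from opFlags; bits outside
 * it keep the value in defaults. Returns 0 on success, -1 when opFlags
 * turns on a bit that opFlagsMask does not cover.
 */
int resolve_usage(CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
                  CK_FLAGS defaults, struct key_usage *out)
{
    if (opFlags & ~opFlagsMask)
        return -1;
    CK_FLAGS eff = (defaults & ~opFlagsMask) | (opFlags & opFlagsMask);
    out->pub = eff & PUBLIC_OPS;   /* encrypt, verify, wrap */
    out->priv = eff & PRIVATE_OPS; /* decrypt, sign, unwrap */
    return 0;
}

int main(void)
{
    struct key_usage u;
    /* Constructed input: the header comment's "encrypt on, signing off"
     * case, with a token that would otherwise allow every operation. */
    CK_FLAGS flags = CKF_ENCRYPT | CKF_DECRYPT;
    CK_FLAGS mask = CKF_ENCRYPT | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY;
    if (resolve_usage(flags, mask, PUBLIC_OPS | PRIVATE_OPS, &u) != 0)
        return 1;
    printf("public key usage:  0x%08lx\n", u.pub);
    printf("private key usage: 0x%08lx\n", u.priv);
    return 0;
}
```

Wrap and unwrap stay enabled in this run because the mask does not mention them, which is why a single-use key needs every unwanted operation named in opFlagsMask.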

Comment 1 Chandrasekar Kannan 2009-05-26 20:07:49 UTC
Should be in assigned state.

Comment 2 Jack Magne 2009-05-29 16:56:13 UTC
I'm making good progress on this.
Performing more cleanup and testing.

Comment 3 Jack Magne 2009-06-03 00:28:56 UTC
I have already provided Christina with a working version of this new interface. She has verified that it works.

The bug that was generated to actually package up and build this new code is here:

https://bugzilla.redhat.com/show_bug.cgi?id=503809

This new JSS should be available soon.

