Closed Bug 117978 Opened 23 years ago Closed 23 years ago

support Java Keystore API

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jamie-bugzilla, Assigned: rrelyea)

Attachments

(2 files)

In order to implement the JCA Keystore API, I need the following functionality.
"Object" means a key or a certificate.

1. Enumerate a list of all objects on a token, accompanied with labels.

2. Lookup a token object by label. Should return a list of all objects with
matching label.

3. Lookup token certificate by another certificate. This could mean looking up a
certificate by Issuer/Serial or some other unique collection of attributes.

4. Store an object with an associated label.

5. Delete an object. PK11_DeleteTokenCertAndKey is not appropriate because it
deletes the cert AND the key.
All this stuff is very straightforward from a PKCS #11 point of view.
Blocks: 112882
Target Milestone: --- → 3.4
Component: Build → Libraries
Set priority to P1 for NSS 3.4.
Priority: -- → P1
Jamie, a couple of questions.

Do you want objects returned as their base object types, or do you want objects
returned as PKCS #11 handles (knowing that PKCS #11 handles will probably
disappear in 4.0)? Would it be acceptable to have 4 different functions (return
all the symkeys, return all the private keys, return all the public keys, and
return all the certs)?

What do you want passed in the "find cert by cert" call? A DERCert, a
CERTCertificate? What do you want returned? (This function should be simple
because we often look up certs by certs in a given token internally (we use
DERCert BTW).)
I want to use base object types, not PKCS #11 handles. It is fine to have
multiple versions of the functions for different types.

The "find cert by cert function" can take a DERCert. It can return a
CERTCertificate.

The keystore API for deletion is delete by alias/label. I could implement this
by doing a search by label and then deleting the object(s) returned by the search.
OK, I will have to add some functions, and may expose some others, but there
shouldn't be a problem getting these functions for you. Do remember that multiple
objects may have the same label. If that's a problem in JCA Keystore you'll have
to do some label mapping.

bob
patch (included exported function) looks good.
r=relyea
Bob, what patch were you referring to?
Comment went into the wrong bug... should have gone into Kaie's bug 112961.

bob
This patch has incorrect diffs for nss.def. Will attach corrected diffs for
nss.def.
PK11_ListPrivKeysInSlot returns NULL if there are no private keys on the slot,
instead of returning an empty list. Is this the intended behavior? My
concern is I have no way of differentiating an empty token from an
error condition.
reopen if functions do work.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
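
The two API concerns raised in this thread, modelled as an added C example (not NSS code and not written by any participant): delete-by-alias implemented as a label search followed by per-type deletion when several objects share a label, and a lookup that reports failure separately from an empty result. The `Token` and `TokenObj` types, both functions and the sample data are hypothetical in-memory stand-ins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical in-memory stand-in for a token; not NSS code. */
typedef enum { OBJ_CERT, OBJ_PRIVKEY } ObjType;
typedef struct { ObjType type; const char *label; int present; } TokenObj;
typedef struct { TokenObj *objs; size_t count; int logged_in; } Token;
typedef enum { FIND_OK = 0, FIND_ERROR = -1 } FindStatus;

/* Constructed sample: two certs and one key share the label "server". */
TokenObj sample_objs[] = {
    { OBJ_CERT, "server", 1 }, { OBJ_PRIVKEY, "server", 1 },
    { OBJ_CERT, "server", 1 }, { OBJ_CERT, "ca", 1 },
};
Token sample = { sample_objs, 4, 1 };

/* Collect indices of live objects of one type whose label matches.
 * Status and match count are reported separately, so "no matches"
 * (FIND_OK, *n_out == 0) is distinguishable from failure (FIND_ERROR). */
FindStatus find_by_label(const Token *t, ObjType type, const char *label,
                         size_t *out, size_t cap, size_t *n_out)
{
    *n_out = 0;
    if (t == NULL || !t->logged_in)
        return FIND_ERROR;            /* e.g. token not authenticated */
    for (size_t i = 0; i < t->count; i++) {
        const TokenObj *o = &t->objs[i];
        if (o->present && o->type == type && strcmp(o->label, label) == 0) {
            if (*n_out == cap)
                return FIND_ERROR;    /* caller's buffer too small */
            out[(*n_out)++] = i;
        }
    }
    return FIND_OK;
}

/* Keystore-style delete by alias: search by label, then delete every
 * match of the requested type only. Returns number deleted, or -1. */
int delete_by_alias(Token *t, ObjType type, const char *alias)
{
    size_t hits[16], n;
    if (find_by_label(t, type, alias, hits, 16, &n) != FIND_OK)
        return -1;
    for (size_t i = 0; i < n; i++)
        t->objs[hits[i]].present = 0;
    return (int)n;
}
```

Deleting the certificates under an alias leaves the private key with the same label in place, and a caller can tell an empty token from an unauthenticated one by the status code.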