User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:184.108.40.206) Gecko/20081112 Fedora/220.127.116.11-1.fc8 Firefox/18.104.22.168
Build Identifier: trunk

The org.mozilla.jss.pkcs11.PK11KeyPairGenerator API does not have a way to specify generated key usage. PK11KeyPairGenerator.c currently delegates native method calls to the PK11_GenerateKeyPairWithFlags method; using the recently added (https://bugzilla.mozilla.org/show_bug.cgi?id=376417) PK11_GenerateKeyPairWithOpFlags method instead should help. For example, this issue makes it impossible to generate keys on some devices which require single-usage keys, such as some Aladdin eTokens.

Reproducible: Always

Steps to Reproduce:
1. There is no way in the org.mozilla.jss.pkcs11.PK11KeyPairGenerator API to specify key usage.

Actual Results:
Impossible to generate single-usage keys.
Created attachment 355409
A patch to specify key usage for RSA key generation through pk11

The attached is a patch which allows specifying key usage when generating an RSA key pair via pk11. Key usage is specified via org.mozilla.jss.crypto.RSAParameterSpec in order to use the javax.crypto.KeyGenerator JCA interface for key pair generation. The practical issue I had here requires only RSA, so this patch solves the problem only for RSA key pair generation; key usage for DSA and EC is not implemented in it. Tested successfully on an Aladdin eToken Pro 64K via the opensc pkcs11 library using the TestSingleUsageKeyGen.java test case.
Comment on attachment 355409
A patch to specify key usage for RSA key generation through pk11

Bug 507524 provided support to specify key usage when generating keys. Bug 507524 did not expose support for the javax.crypto.KeyGenerator JCA interface for key pair generation. This patch should be written to use the current source that exposes PK11_GenerateKeyPairWithOpFlags and add support for the Mozilla-JSS javax.crypto.KeyGenerator JCA interface.