Closed Bug 507524 Opened 16 years ago Closed 16 years ago

[patch] Expose PK11_GenerateKeyPairWithOpFlags through JSS

Categories

(JSS Graveyard :: Library, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mharmsen, Assigned: glenbeasley)

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.19) Gecko/20081216 Fedora/2.0.0.19-1.fc8 Firefox/2.0.0.19
Build Identifier:

There is a new NSS function called GenerateKeyPairWithOpFlags that will allow a caller to pass in information so that certain HSMs know what kind of keys to generate. We need to expose that via JSS so our Java subsystems can generate their keys on HSMs such as nethsm.

Here is the NSS C interface in /usr/include/nss3/pk11pub.h:

    /*
     * Explicitly set the key usage for the generated private key.
     *
     * This allows us to specify single use EC and RSA keys whose usage
     * can be regulated by the underlying token.
     *
     * The underlying key usage is set using opFlags. opFlagsMask specifies
     * which operations are specified by opFlags. For instance to turn encrypt
     * on and signing off, opFlags would be CKF_ENCRYPT|CKF_DECRYPT and
     * opFlagsMask would be CKF_ENCRYPT|CKF_DECRYPT|CKF_SIGN|CKF_VERIFY. You
     * need to specify both the public and private key flags,
     * PK11_GenerateKeyPairWithOpFlags will sort out the correct flag to the
     * correct key type. Flags not specified in opFlagMask will be defaulted
     * according to mechanism type and token capabilities.
     */
    SECKEYPrivateKey *PK11_GenerateKeyPairWithOpFlags(PK11SlotInfo *slot,
        CK_MECHANISM_TYPE type, void *param, SECKEYPublicKey **pubk,
        PK11AttrFlags attrFlags, CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
        void *wincx);

We should make sure the existing functions still work.

Reproducible: Always

Both Red Hat Certificate System 8.0 and Dogtag Certificate System 1.2.0 use a JSS 4.2.6 which utilizes this patch. Therefore, it needs to be applied to both the JSS 4.2.6 BRANCH as well as the JSS TIP.
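Added example, not part of the original report and not NSS or JSS code: a stand-alone C model of the opFlags/opFlagsMask rule quoted in the header comment above, showing which usage bits land on each key and which are left to token defaults. The helper names and the all-operations default are assumptions; the CKF_* values are the standard PKCS #11 constants.

```c
#include <stdio.h>
typedef unsigned long CK_FLAGS;
/* Standard PKCS #11 CKF_* operation flag values. */
#define CKF_ENCRYPT 0x00000100UL
#define CKF_DECRYPT 0x00000200UL
#define CKF_SIGN    0x00000800UL
#define CKF_VERIFY  0x00002000UL
#define CKF_WRAP    0x00020000UL
#define CKF_UNWRAP  0x00040000UL

#define PUBLIC_OPS  (CKF_ENCRYPT | CKF_VERIFY | CKF_WRAP)
#define PRIVATE_OPS (CKF_DECRYPT | CKF_SIGN | CKF_UNWRAP)
/* Assumption: a token that would enable every operation by default. */
#define ASSUMED_DEFAULTS (PUBLIC_OPS | PRIVATE_OPS)

typedef struct {
    CK_FLAGS pub;     /* usage landing on the public key */
    CK_FLAGS priv;    /* usage landing on the private key */
    CK_FLAGS ignored; /* bits set in opFlags but missing from the mask */
} key_usage;

/* Hypothetical helper: masked bits come from opFlags, all others from
 * the token defaults, then each bit is routed to its half of the pair. */
key_usage resolve_usage(CK_FLAGS opFlags, CK_FLAGS opFlagsMask,
                        CK_FLAGS defaults)
{
    CK_FLAGS eff = (opFlags & opFlagsMask) | (defaults & ~opFlagsMask);
    key_usage u = { eff & PUBLIC_OPS, eff & PRIVATE_OPS,
                    opFlags & ~opFlagsMask };
    return u;
}

/* Hypothetical helper: 1 if the private key allows at most one operation. */
int is_single_use(key_usage u)
{
    return (u.priv & (u.priv - 1)) == 0;
}

int main(void)
{
    CK_FLAGS enc = CKF_ENCRYPT | CKF_DECRYPT;
    CK_FLAGS sv = CKF_SIGN | CKF_VERIFY;
    /* Mask from the header comment: wrap/unwrap fall through to defaults. */
    key_usage a = resolve_usage(enc, enc | sv, ASSUMED_DEFAULTS);
    key_usage b = resolve_usage(enc, ASSUMED_DEFAULTS, ASSUMED_DEFAULTS);
    printf("header mask: priv=0x%lx single_use=%d\n", a.priv, is_single_use(a));
    printf("full mask:   priv=0x%lx single_use=%d\n", b.priv, is_single_use(b));
    return 0;
}
```

With the mask from the header comment, wrap and unwrap are not pinned, so under these assumed defaults the private key keeps CKF_UNWRAP alongside CKF_DECRYPT; only a mask that names every operation fixes the usage completely.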
Severity: normal → enhancement
Summary: Key Pair Usage with Op Flags Patch → [patch] Expose PK11_GenerateKeyPairWithOpFlags through JSS
NOTE: This is 1 of 4 patches that need to be applied to the JSS 4.2.6 BRANCH as well as the JSS TIP.
Attachment #391758 - Flags: review?(glen.beasley)
Blocks: 518270
Comment on attachment 391758
Patch 1: Key Pair Usage with Op Flags

r+ This patch is a benefit to JSS. A user can also generate keys using the Mozilla-JSS provider; more support needs to be added, but I opened bug 518270 to address this need. I added test code to the patch that sets the keyusage (SigTest.java).
Attachment #391758 - Flags: review?(glen.beasley) → review+
/cvsroot/mozilla/security/jss/lib/jss.def,v <-- jss.def
new revision: 1.44; previous revision: 1.43
done
Checking in org/mozilla/jss/crypto/KeyPairGenerator.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java,v <-- KeyPairGenerator.java
new revision: 1.9; previous revision: 1.8
done
Checking in org/mozilla/jss/crypto/KeyPairGeneratorSpi.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java,v <-- KeyPairGeneratorSpi.java
new revision: 1.6; previous revision: 1.5
done
Checking in org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c;
/cvsroot/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c,v <-- PK11KeyPairGenerator.c
new revision: 1.15; previous revision: 1.14
done
Checking in org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java,v <-- PK11KeyPairGenerator.java
new revision: 1.12; previous revision: 1.11
done
Checking in org/mozilla/jss/pkcs11/pk11util.h;
/cvsroot/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h,v <-- pk11util.h
new revision: 1.11; previous revision: 1.10
done
Checking in org/mozilla/jss/tests/SigTest.java;
/cvsroot/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java,v <-- SigTest.java
new revision: 1.9; previous revision: 1.8
done
Checking in org/mozilla/jss/tests/all.pl;
/cvsroot/mozilla/security/jss/org/mozilla/jss/tests/all.pl,v <-- all.pl
new revision: 1.55; previous revision: 1.54
done
Attachment #391758 - Attachment is obsolete: true
Target Milestone: --- → 4.3.1
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Blocks: 472016
We are in the process of preparing integration of JSS patches from Red Hat (Fedora and RHEL) branches into Mozilla JSS. All those patches will bear the correct authorship as well as reviewer(s), and patch origin (bug ids, etc.) to the best of our knowledge.

During the preparation process, we found one patch that could not be applied, which turned out to be already applied. That leads us to this particular Mozilla bug (507524).

Our (Red Hat) record of this patch was the following:

    Resolves: bug 502111 - <cfu@redhat.com> Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function

However, the Mozilla hg log shows the following with incorrect authorship, and lack of accurate patch origin:

    description: Expose PK11_GenerateKeyPairWithOpFlags through JSS patch from Matthew Harmsen r=glen

If possible, we would like to fix the authorship, and in addition, add information tying back to the Red Hat bug number in the spirit of keeping accurate history of the code patch per Mozilla Committing Rules and Responsibilities:
https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Committing_Rules_and_Responsibilities

I am seeking a recommendation as to whether it can be done, or should be done, if not too much trouble.