Wan-Teh Chang wrote:
> Now let's go back to the JSS code.  It hasn't changed since
> we open-sourced it in 2000, and the comments say it is a
> workaround for a bug:
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c#321
> 
> 321     mech = JSS_getPK11MechFromAlg(env, alg);
> 322
> 323     if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
> 324
> 325         /* special case, construct key by hand. Bug #336587 */
> 326
> 327         skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
> 328         if( skey==NULL ) {
> 329             /* exception was thrown */
> 330             goto finish;
> 331         }
> 332
> 333     } else {
> 
> It is possible that "Bug #336587" has been fixed.  So please try
> removing the special case for CKM_PBA_SHA1_WITH_SHA1_HMAC
> and just keeping the code block in the 'else' branch.  Does it
> work for CKM_PBA_SHA1_WITH_SHA1_HMAC?  If not, could
> you try some other mechanism such as CKM_PBE_SHA1_DES3_EDE_CBC?

I imagine what you are suggesting involves recompiling JSS as 
PFX.computeMacData doesn't take any algorithm parameters.  There is a 
constructor for PFX that takes a MacData, but again, I don't see any way 
to specify the algorithm (besides the hash algorithm).

I remember reading that JSS needed to be signed as it is a Java Security 
Provider.  Does the signature have to be from a "trusted" source or 
"just signed"?  If the latter, we have no shortage of keys/certs here...

So if I need to do what I think I need to do, do you recommend using a 
particular version or just grabbing the current CVS?

Thanks,
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
