Wan-Teh Chang wrote:
> Now let's go back to the JSS code.  It hasn't changed since
> we open-sourced it in 2000, and the comments say it is a
> workaround for a bug:
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c#321
> 
> 321     mech = JSS_getPK11MechFromAlg(env, alg);
> 322
> 323     if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
> 324
> 325         /* special case, construct key by hand. Bug #336587 */
> 326
> 327         skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
> 328         if( skey==NULL ) {
> 329             /* exception was thrown */
> 330             goto finish;
> 331         }
> 332
> 333     } else {
> 
> It is possible that "Bug #336587" has been fixed.  So please try
> removing the special case for CKM_PBA_SHA1_WITH_SHA1_HMAC
> and just keeping the code block in the 'else' branch.  Does it
> work for CKM_PBA_SHA1_WITH_SHA1_HMAC?  If not, could
> you try some other mechanism such as CKM_PBE_SHA1_DES3_EDE_CBC?
> 
> Wan-Teh

Now that I'm able to build NSS/JSS on Windows I finally got around to 
trying this out.

I commented out the if block and left the else... When the code gets 
there it bombs big and takes the Java VM down with it with no warning.

I'm not sure how I could try another algorithm.  I'm not specifying one 
in the call that is throwing the exception 
(org.mozilla.jss.pkcs12.PFX.computeMacData).  Based on the javadoc for 
that method I tried passing in null for the salt so it would make its 
own and used 1 for the iteration count and got the same (expected) error.

I *can* successfully build the PKCS12 if I omit that call, but the 
resulting PKCS12 has issues with at least NSS itself and OpenSSL.  Java 
keytool lists the contents but I don't know if I could actually use it:

mbn public # nsspk12util -l 1.1.1.1-ID.p12
Enter password for PKCS12 file:
nsspk12util: PKCS12 decoding failed: security library: improperly formatted DER-encoded message.
nsspk12util: PKCS12 decode not verified: security library: improperly formatted DER-encoded message.
nsspk12util: PKCS12 decode not verified: security library: improperly formatted DER-encoded message.
mbn public # openssl pkcs12 -nodes -in 1.1.1.1-ID.p12
Enter Import Password:
Mac verify error: invalid password?
15335:error:2307E06C:PKCS12 routines:PKCS12_verify_mac:mac absent:p12_mutl.c:110:
mbn public # keytool -list -keystore 1.1.1.1-ID.p12 -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

cn=1.1.1.1, Oct 18, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 74:C2:1E:D0:95:4F:76:BB:75:9C:24:0F:9A:2E:B3:58

A quick aside, I filed a bug with Gentoo and got them to edit the ebuild 
for nss to add a flag for installing the command-line utils.  They added 
the "utils" use flag.  They all get "nss" prepended to their names 
because the dev didn't like the idea of an executable called "example" 
or "digest".  That's why I used "nsspk12util" above.

Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
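
Added example, not part of the thread or of the JSS/NSS source: a sketch of what the MacData step discussed above contributes to a PFX, assuming CKM_PBA_SHA1_WITH_SHA1_HMAC corresponds to the PKCS #12 key derivation of RFC 7292 Appendix B.2 with SHA-1 and ID 3, followed by HMAC-SHA1 over the authSafe content. All function names and sample values are hypothetical and constructed; a file written without this step carries no MAC for a verifier to check, which matches the "mac absent" error from openssl.

```python
import hashlib
import hmac

U, V = 20, 64  # SHA-1 digest size and block size, in bytes


def _fill(data: bytes) -> bytes:
    """Repeat data up to the next multiple of V bytes (empty stays empty)."""
    if not data:
        return b""
    size = V * ((len(data) + V - 1) // V)
    return (data * (size // len(data) + 1))[:size]


def pkcs12_kdf(password: str, salt: bytes, iterations: int, key_id: int, n: int) -> bytes:
    """RFC 7292 Appendix B.2 with SHA-1; key_id 3 selects MAC key material."""
    pw = password.encode("utf-16-be") + b"\x00\x00"  # BMPString plus terminator
    block_i = bytearray(_fill(salt) + _fill(pw))
    diversifier = bytes([key_id]) * V
    out = b""
    while len(out) < n:
        a = diversifier + bytes(block_i)
        for _ in range(iterations):  # A_i = H^r(D || I)
            a = hashlib.sha1(a).digest()
        out += a
        b = int.from_bytes((a * (V // U + 1))[:V], "big") + 1
        for j in range(0, len(block_i), V):  # I_j = (I_j + B + 1) mod 2^(8V)
            s = (int.from_bytes(block_i[j:j + V], "big") + b) % (1 << (8 * V))
            block_i[j:j + V] = s.to_bytes(V, "big")
    return out[:n]


def compute_mac(password, salt, iterations, auth_safe: bytes) -> bytes:
    """HMAC-SHA1 over the authSafe bytes with the password-derived key."""
    key = pkcs12_kdf(password, salt, iterations, 3, U)
    return hmac.new(key, auth_safe, hashlib.sha1).digest()


def verify_mac(password, salt, iterations, auth_safe, mac) -> bool:
    """mac is None when the PFX has no MacData: nothing can be verified."""
    if mac is None:
        return False
    return hmac.compare_digest(compute_mac(password, salt, iterations, auth_safe), mac)


# Constructed sample values, not taken from the thread.
SALT = bytes(range(8))
AUTH_SAFE = b"constructed stand-in for the DER-encoded authSafe content"
MAC = compute_mac("secret", SALT, 1, AUTH_SAFE)
```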
