Yevgeniy Gubenko wrote, On 2008-08-06 05:10:
> Hello,
>
> I have some predefined key to use it by some symmetric algorithm
> (AES/CBC/NoPadding for example) for encryption/decryption in Java 1.6
> code which works with NSS crypto in fips mode through PKCS#11 bridge.
>
> The questions are:
>
> 1. Am I constrained to import the predefined key to NSS db in
> order to initialize the Cipher with that key?

Not into a DB, but into NSS. NSS does all encryption in PKCS#11 "tokens".
In these tokens, all keys are either temporary or persistent. The PKCS#11
terms for "temporary" and "persistent" are "session" and "token". So a
temporary key is a "session" key, and a persistent key is a "token" key.
NSS stores token objects in a DB, but not session objects. But you do need
to import the key into a PKCS#11 token (as either session or token object)
to be able to do crypto on it.

> 2. If so, what is the right syntax to perform it dynamically
> during runtime?

Someone else will need to answer that.

> Is it mandatory to use JSS, or maybe somehow by means of
> KeyStore instance?

I don't understand this question. Use of JSS is never mandatory.
Perhaps you are asking if there is any way other than JSS to import a key
so that NSS can use it. The answer is yes. There is a JCE provider that
is a wrapper for PKCS#11 directly. With that wrapper, it is possible to
use any PKCS#11 module (including NSS's).

> 3. Is there a difference or additional restrictions when importing
> symmetric key to NSS db when in fips mode?

Yes. In FIPS mode, symmetric keys may not be imported in plain
non-encrypted form. When outside of a FIPS token, they must be "wrapped"
(encrypted), and the act of importing them necessitates that they be
unwrapped (decrypted).

> Thanks in advance
>
> Yevgeniy

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto