Thanks a lot for your answer. I still need some clarifications:

1. If I understand you right, when I have to use a predefined persistent key to do crypto with it, there is no way other than importing the key into a PKCS#11 token as a token object in the NSS db? (Even if the key is an input from a third-party application.)

2. As you noticed, in FIPS mode symmetric keys may not be imported in plain non-encrypted form. But if they should be encrypted before the import act, there must be another key to encrypt the imported key with. But this key also must be stored in a PKCS#11 token, right? If so, should it be generated by NSS or be imported itself?

3. Some other related question: when I try to export some symmetric key from NSS to a data file by:

    symkeyutil -E -n testaes -k aestest.txt -d .

I get an exception:

    symkeyutil: Failure to load dynamic library.

Any idea what can be wrong? Maybe my NSS libraries should be located in some specific folder which is transparent to the symkeyutil command?

Thanks,
Yevgeniy

-----Original Message-----
From: Nelson B Bolyard [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2008 19:44
To: mozilla's crypto code discussion list
Subject: Re: Importing symmetric keys to NSS from Java code
Yevgeniy Gubenko wrote, On 2008-08-06 05:10:
> Hello,
>
> I have some predefined key to use with some symmetric algorithm
> (AES/CBC/NoPadding for example) for encryption/decryption in Java 1.6
> code which works with NSS crypto in FIPS mode through the PKCS#11 bridge.
>
> The questions are:
>
> 1. Am I constrained to import the predefined key to the NSS db in
> order to initialize the Cipher with that key?

Not into a DB, but into NSS. NSS does all encryption in PKCS#11 "tokens". In these tokens, all keys are either temporary or persistent. The PKCS#11 terms for "temporary" and "persistent" are "session" and "token". So a temporary key is a "session" key, and a persistent key is a "token" key. NSS stores token objects in a DB, but not session objects. But you do need to import the key into a PKCS#11 token (as either a session or token object) to be able to do crypto on it.

> 2. If so, what is the right syntax to perform it dynamically
> during runtime?

Someone else will need to answer that.

> Is it mandatory to use JSS, or maybe somehow by means of a
> KeyStore instance?

I don't understand this question. Use of JSS is never mandatory. Perhaps you are asking if there is any way other than JSS to import a key so that NSS can use it. The answer is yes. There is a JCE provider that is a wrapper for PKCS#11 directly. With that wrapper, it is possible to use any PKCS#11 module (including NSS's).

> 3. Is there a difference or additional restrictions when importing a
> symmetric key to the NSS db when in FIPS mode?

Yes. In FIPS mode, symmetric keys may not be imported in plain non-encrypted form. When outside of a FIPS token, they must be "wrapped" (encrypted), and the act of importing them necessitates that they be unwrapped (decrypted).

> Thanks in advance
>
> Yevgeniy
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
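An added illustration, not code from the thread or from NSS, of the distinction Nelson draws as seen from Java through the JDK's SunPKCS11 provider (the PKCS#11 wrapper he mentions): the plaintext-import path a FIPS token refuses, and the generate-inside-the-token path that yields a persistent token object usable later as a wrapping key. The library directory, DB path, PIN and nickname are assumptions; the wrapped import itself (C_UnwrapKey) is not shown.

```java
import java.io.ByteArrayInputStream;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

// Added example (not from the thread). Assumptions: NSS libraries in
// /usr/lib64, the NSS DB in ./nssdb, FIPS token PIN "changeit",
// nickname "testaes", Java 6-8 (see the JDK 9+ note below).
public class NssFipsKeys {
    static final String CFG =
        "name = NSSfips\n" +
        "nssLibraryDirectory = /usr/lib64\n" +   // assumption
        "nssSecmodDirectory = ./nssdb\n" +       // assumption
        "nssDbMode = readWrite\n" +              // allow token objects to be stored
        "nssModule = fips\n";                    // talk to the FIPS token, not the default slot

    public static void main(String[] args) throws Exception {
        // Java 6-8 constructor; on JDK 9+ use
        // Security.getProvider("SunPKCS11").configure(<config file>) instead
        Provider nss = new sun.security.pkcs11.SunPKCS11(
            new ByteArrayInputStream(CFG.getBytes("UTF-8")));
        Security.addProvider(nss);

        // C_Login: the FIPS token refuses key operations before the user authenticates
        KeyStore ks = KeyStore.getInstance("PKCS11", nss);
        ks.load(null, "changeit".toCharArray());
        IvParameterSpec iv = new IvParameterSpec(new byte[16]);
        Cipher aes = Cipher.getInstance("AES/CBC/NoPadding", nss);

        // 1. A caller-supplied key handed over as raw bytes: the provider has to create
        //    the key object from its plaintext value, which the FIPS token rejects.
        byte[] externalKey = new byte[16]; // constructed placeholder value
        try {
            aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(externalKey, "AES"), iv);
            System.out.println("plaintext import accepted: is the token really in FIPS mode?");
        } catch (InvalidKeyException e) {
            System.out.println("plaintext import rejected by the FIPS token: " + e);
        }

        // 2. A key that is born inside the token is fine: generate it (a session object),
        //    then store it under a nickname so it becomes a persistent token object.
        //    A key kept this way can serve as the wrapping key for later wrapped imports.
        KeyGenerator kg = KeyGenerator.getInstance("AES", nss);
        kg.init(128);
        ks.setKeyEntry("testaes", kg.generateKey(), null, null);
        SecretKey tokenKey = (SecretKey) ks.getKey("testaes", null);
        aes.init(Cipher.ENCRYPT_MODE, tokenKey, iv);
        System.out.println("encrypted " + aes.doFinal(new byte[32]).length + " bytes with the token key");
    }
}
```

The NSS DB must already be switched to FIPS mode (modutil -fips true -dbdir ./nssdb) for the first step to be refused; on a non-FIPS token the same plaintext import simply succeeds.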