1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
.. _mozilla_projects_nss_jss_jss_faq:
JSS FAQ
=======
.. _jss_frequently_asked_questions:
`JSS Frequently Asked Questions <#jss_frequently_asked_questions>`__
--------------------------------------------------------------------
.. container::
Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org:119/mozilla.dev.tech.crypto>`__
**Content:**
- `What versions of JDK and JCE do you suggest? <#jdkjce1>`__
- `Does JSS have 64 bit support? <#64bit>`__
- `Is JSS FIPS Compliant? <#fips>`__
- `Is there any sample code and documentation? <#sample>`__
- `If I don't call setCipherPolicy, is the DOMESTIC policy used by
default? <#setcipherpolicy>`__
- `My SSL connection is hanging on Windows? <#ssl_hanging>`__
- `How can I tell which SSL/TLS ciphers JSS supports? <#ssltls_cipher>`__
- `How can I debug my SSL connection? <#ssl_debug>`__
- `Can you explain JSS SSL certificate approval callbacks? <#ssl_callback>`__
- `Can I have multiple JSS instances reading separate db's? <#jss_instance>`__
- `Once JSS initialized, I can't get anymore instances with
CertificateFactory.getInstance(X.509)? <#jss_init>`__
- `Is it possible to sign data in Java with JSS? <#sign_date>`__
- `How do I convert org.mozilla.jss.crypto.X509Certificate to
org.mozilla.jss.pkix.cert.Certificate? <#convertx509>`__
- `How do I convert org.mozilla.jss.pkix.cert to
org.mozilla.jss.crypto.X509Certificate? <#convertpkix>`__
- `Is it possible to use JSS to access cipher functionality from pkcs11 modules? <#pkc11>`__
- `Can you explain token names and keys with regards to JSS? <#token_name>`__
- `JSS 3.2 has JCA support. When will JSS have JSSE support? <#jssjsse>`__
**What versions of JDK and JRE do you suggest?**
- JSS 3.x works with JDK versions 1.2 or higher, except version 1.3.0. Most attention for future
development and bug fixing will go to JDK 1.4 and later, so use that if you can. If you are
using JDK 1.3.x, you will need to use at least version 1.3.1--see `bug
113808 <http://bugzilla.mozilla.org/show_bug.cgi?id=113808>`__. JSS only supports the native
threading model (no green threads). For JSS 3.2 and higher, if you use JDK 1.4 or higher you
will not need to install the JCE, but if you using an earlier version of the JDK then you will
also have to install JCE 1.2.1. See also the document `Using JSS <Using_JSS>`__.
**Does JSS have 64 bit support?**
- Yes, JSS 3.2 and higher supports 64 bit. You will need JDK 1.4 or higher and all the 64 bit
versions of NSPR, and NSS. As well you must use the java flag -d64 to specify the 64-bit data
model.
**Is JSS FIPS Compliant?**
- NSS is a FIPS-certified software library. JSS is considered a FIPS-compliant software library
since it only uses NSS for any and all crypto routines.
**Is there any sample code and documentation?**
- The `Using JSS <Using_JSS>`__ document describes how to set up your environment to run JSS.
The only other documentation is the
`Javadoc <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__.
JSS example code is essentially developer test code; with that understanding, the best
directory to look for sample code is in the org/mozilla/jss/tests directory:
http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests
| `org/mozilla/jss/tests/CloseDBs.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/CloseDBs.java#47>`__
| `org/mozilla/jss/tests/KeyFactoryTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyFactoryTest.java#81>`__
| `org/mozilla/jss/tests/DigestTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/DigestTest.java#44>`__
| `org/mozilla/jss/tests/JCASigTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASigTest.java#50>`__
| `org/mozilla/jss/tests/KeyWrapping.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyWrapping.java#45>`__
| `org/mozilla/jss/tests/ListCerts.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCerts.java#40>`__
| `org/mozilla/jss/tests/PK10Gen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/PK10Gen.java#43>`__
| `org/mozilla/jss/tests/SDR.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SDR.java#47>`__
| `org/mozilla/jss/tests/SelfTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SelfTest.java#46>`__
| `org/mozilla/jss/tests/SetupDBs.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java#42>`__
| `org/mozilla/jss/tests/SigTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SigTest.java#64>`__
| `org/mozilla/jss/tests/SymKeyGen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SymKeyGen.java#44>`__
| `org/mozilla/jss/tests/TestKeyGen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/TestKeyGen.java#64>`__
| `org/mozilla/jss/tests/SSLClientAuth.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SSLClientAuth.java#99>`__
| `org/mozilla/jss/tests/ListCACerts.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCACerts.java#8>`__
| `org/mozilla/jss/tests/KeyStoreTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyStoreTest.java#68>`__
| `org/mozilla/jss/tests/VerifyCert.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/VerifyCert.java#86>`__
SSL examples:
| `org/mozilla/jss/tests/SSLClientAuth.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/SSLClientAuth.java>`__
| `org/mozilla/jss/ssl/SSLClient.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLClient.java>`__
| `org/mozilla/jss/ssl/SSLServer.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLServer.java>`__
| `org/mozilla/jss/ssl/SSLTest.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLTest.java>`__
Other test code that may prove useful:
| `org/mozilla/jss/asn1/INTEGER.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/INTEGER.java#131>`__
| `org/mozilla/jss/asn1/SEQUENCE.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/SEQUENCE.java#574>`__
| `org/mozilla/jss/asn1/SET.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/SET.java#876>`__
| `org/mozilla/jss/pkcs10/CertificationRequest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs10/CertificationRequest.java#269>`__
| `org/mozilla/jss/pkcs12/PFX.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs12/PFX.java#329>`__
| `org/mozilla/jss/pkix/cert/Certificate.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/Certificate.java#279>`__
| `org/mozilla/jss/pkix/cmmf/CertRepContent.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cmmf/CertRepContent.java#148>`__
| `org/mozilla/jss/pkix/crmf/CertReqMsg.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java#265>`__
| `org/mozilla/jss/pkix/crmf/CertTemplate.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/CertTemplate.java#530>`__
| `org/mozilla/jss/pkix/primitive/Name.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/primitive/Name.java#276>`__
| `org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java#287>`__
| `org/mozilla/jss/util/UTF8Converter.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/util/UTF8Converter.java#302>`__
| `org/mozilla/jss/util/Base64InputStream.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/util/Base64InputStream.java#237>`__
| `jss/samples/PQGGen.java <http://lxr.mozilla.org/security/source/security/jss/samples/PQGGen.java#44>`__
| `jss/samples/pkcs12.java <http://lxr.mozilla.org/security/source/security/jss/samples/pkcs12.java#57>`__
**If I don't call setCipherPolicy, is the DOMESTIC policy used by default?**
- Yes, domestic is the default because we call NSS_SetDomesticPolicy() during
CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless
that app wants to limit itself to export-allowed cipher suites.
**My SSL connection is hanging on Windows?**
- NSPR makes use of NT vs. Windows distinction and provides different NT and Windows builds.
Many Netscape products, including NSS, have NT and Windows builds that are essentially the
same except one difference: one is linked with the NT version of NSPR and the other is linked
with the Windows version of NSPR. The NT fiber problem affects applications that call blocking
system calls from the primordial thread. Either use the WIN 95 version of NSPR/NSS/JSS
components (essentially all non-fiber builds) or set the environment variable
NSPR_NATIVE_THREADS_ONLY=1. You can find more information in bugzilla bug
`102251 <http://bugzilla.mozilla.org/show_bug.cgi?id=102251>`__ SSL session cache locking
issue with NT fibers
**How can I tell which SSL/TLS ciphers JSS supports?**
- Check
http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLSocket.java#730
**How can I debug my SSL connection?**
- By using the NSS tool :ref:`mozilla_projects_nss_tools_ssltap`
**Can you explain JSS SSL certificate approval callbacks?**
- NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS
callbacks into one.
- NSS's three SSL cert callbacks are:
#. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is
called instead of NSS's routine for authenticating certificates.
#. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the
certificate.
#. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client
auth.
JSS's two callbacks are:
#. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and
SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback
regardless of whether the cert passed or failed. The callback is told whether the cert
passed, and then can do anything extra that it wants to do before making a final decision.
#. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook.
|
| **Can I have multiple JSS instances reading separate db's?**
- No, you can only have one initialized instance of JSS for each database.
**Once JSS initialized, I can't get anymore instances with
CertificateFactory.getInstance("X.509")?**
- In version previous to JSS 3.1, JSS removes the default SUN provider on startup. Upgrade to
the latest JSS, or, in the ``CryptoManager.InitializationValues`` object you pass to
``CryptoManager.initialize()``, set ``removeSunProivider=true``.
**Is it possible to sign data in Java with JSS? What I am trying to do is write a Java applet
that will access the Netscape certificate store, retrieve a X509 certificate and then sign some
data.**
- The best way to do this is with the PKCS #7 signedData type. Check out the
`javadoc <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__.
**How do I convert org.mozilla.jss.crypto.X509Certificate to
org.mozilla.jss.pkix.cert.Certificate?**
- .. code::
import java.io.ByteArrayInputStream;
[...]
Certificate cert = (Certificate) ASN1Util.decode(
Certificate.getTemplate(),x509Cert.getEncoded() );
**How do I convert org.mozilla.jss.pkix.cert to org.mozilla.jss.crypto.X509Certificate?**
- `Cryptomanager.importCertPackage() <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__
**Is it possible to use JSS to acces cipher functionality from pkcs11 modules?**
- Yes. Before JSS 3.2 you would use CryptoManager to obtain the CryptoToken you want to use,
then call CryptoToken.getCipherContext() to get an encryption engine. But as of JSS 3.2 you
would use the `JSS JCA provider <JSS_Provider_Notes>`__.
**Can you explain token names and keys with regards to JSS?**
- The token name is different depending on which application you are running. In JSS, the token
is called "Internal Key Storage Token". You can look it up by name using
CryptoManager.getTokenByName(), but a better way is to call
CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In
general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java
object residing in memory. Symmetric Key usage: basically encrypt/decrypt is for data and
wrap/unwrap is for keys.
J\ **SS 3.2 has JCA support. When will JSS have JSSE support?**
- Not in the near future due to pluggability is disabled in the JSSE version included in J2SE
1.4.x for export control reasons.
|
