Thanks for your answer, but does the Keystore implementation support
hardware tokens like smart cards?
https://developer.mozilla.org/en-US/docs/JSS
> Java provides a JCE provider called SunPKCS11, see Java PKCS#11 Reference
> Guide <http://download.java.net/jdk7/docs/technotes/guides/security/p11guide.html>,
> SunPKCS11 can be configured to use NSS module as the cryptographic provider.
> If you are planning to just use JSS JCE provider as a bridge to NSS's FIPS
> validated PKCS#11 module, then the SunPKCS11 JCE provider may do all that
> you need. Note that Java 1.5 claimed no FIPS compliance, and Java 1.6
> <http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html> or
> higher needs to be used. *A current limitation to the configured
> SunPKCS11-NSS bridge configuration is if you add a PKCS#11 module to the
> NSS database such as for a smartcard, you won't be able to access that
> smartcard through the SunPKCS11-NSS bridge.* If you use JSS, you can
> easily get lists of modules and tokens that are configured in the NSS DB
> and freely access all of it.
Furthermore, check this:
http://www.mozilla.org/projects/security/pki/jss/provider_notes.html
> The following classes don't work very well:
>
>
> - *KeyStore:* There are many serious problems mapping the JCA keystore
> interface onto NSS's model of PKCS #11 modules. The current implementation
> is almost useless. Since these problems lie deep in the NSS design and
> implementation, there is no clear timeframe for fixing them. Meanwhile, the
> org.mozilla.jss.crypto.CryptoStore class can be used for some of this
> functionality.
>
>
On Fri, Apr 12, 2013 at 4:54 AM, helpcrypto helpcrypto <helpc...@gmail.com> wrote:
> On Thu, Apr 11, 2013 at 11:59 PM, Jaime Hablutzel Egoavil <hablu...@gmail.com> wrote:
>
> > Hi, I have a hardware token accessible via PKCS#11 which is storing
> > private keys and certificates like this:
> >
> > certificate A, CKA_ID: 1234
> > certificate B, CKA_ID: 1234
> >
>
> Hi Jaime.
> In our case CKA_ID=hash(public key)... I think sha1.
> This way it's much more "friendly".
>
>
Yes, that would be a wise choice for CKA_ID, but as I told you our provider
is doing that and the PKCS#11 spec doesn't push him to do otherwise.
> --
> dev-tech-crypto mailing list
> dev-tec...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
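
A minimal SunPKCS11-over-NSS setup of the kind the quoted JSS page describes, added here as an example; it is not code from the thread, from JSS or from the JDK documentation. The library and database paths are placeholders, `Provider.configure` assumes Java 9 or later, and hashing the encoded public key with SHA-1 is only one possible reading of the CKA_ID scheme mentioned in the thread.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;

public class ListNssTokenCerts {
    public static void main(String[] args) throws Exception {
        // Placeholder paths (assumptions): the directory holding the NSS shared
        // libraries and the directory holding the NSS database files.
        String cfg = String.join("\n",
            "name = NSSBridge",
            "nssLibraryDirectory = /path/to/nss/lib",
            "nssSecmodDirectory = /path/to/nssdb",
            "nssDbMode = readOnly",
            "nssModule = keystore");   // "fips" selects the NSS FIPS module
        Path cfgFile = Files.createTempFile("sunpkcs11-nss", ".cfg");
        Files.write(cfgFile, cfg.getBytes(StandardCharsets.UTF_8));

        // Java 9+ API. On Java 6-8 the equivalent is
        // new sun.security.pkcs11.SunPKCS11(cfgFile.toString()).
        Provider p = Security.getProvider("SunPKCS11").configure(cfgFile.toString());
        Security.addProvider(p);

        // Read the PIN from the console so it never appears in argv or history.
        Console console = System.console();
        char[] pin = console != null ? console.readPassword("Token PIN: ") : null;
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue;
            // Assumption: the ID is SHA-1 over the DER-encoded public key.
            byte[] id = sha1.digest(cert.getPublicKey().getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : id) hex.append(String.format("%02x", b));
            System.out.printf("%s keyEntry=%b sha1(pubkey)=%s%n",
                              alias, ks.isKeyEntry(alias), hex);
        }
    }
}
```

Per the limitation quoted above, a smartcard module added to the NSS database will not show up in this listing, since only NSS's own module is reachable through the bridge.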