tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

index.rst (14015B)


.. _mozilla_projects_nss_jss_jss_faq:

JSS FAQ
=======

.. _jss_frequently_asked_questions:

`JSS Frequently Asked Questions <#jss_frequently_asked_questions>`__
--------------------------------------------------------------------

.. container::

  Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org:119/mozilla.dev.tech.crypto>`__

  **Content:**

  -  `What versions of JDK and JCE do you suggest? <#jdkjce1>`__
  -  `Does JSS have 64-bit support? <#64bit>`__
  -  `Is JSS FIPS Compliant? <#fips>`__
  -  `Is there any sample code and documentation? <#sample>`__
  -  `If I don't call setCipherPolicy, is the DOMESTIC policy used by
     default? <#setcipherpolicy>`__
  -  `My SSL connection is hanging on Windows? <#ssl_hanging>`__
  -  `How can I tell which SSL/TLS ciphers JSS supports? <#ssltls_cipher>`__
  -  `How can I debug my SSL connection? <#ssl_debug>`__
  -  `Can you explain JSS SSL certificate approval callbacks? <#ssl_callback>`__
  -  `Can I have multiple JSS instances reading separate databases? <#jss_instance>`__
  -  `Once JSS is initialized, I can't get any more instances with
     CertificateFactory.getInstance("X.509")? <#jss_init>`__
  -  `Is it possible to sign data in Java with JSS? <#sign_date>`__
  -  `How do I convert org.mozilla.jss.crypto.X509Certificate to
     org.mozilla.jss.pkix.cert.Certificate? <#convertx509>`__
  -  `How do I convert org.mozilla.jss.pkix.cert.Certificate to
     org.mozilla.jss.crypto.X509Certificate? <#convertpkix>`__
  -  `Is it possible to use JSS to access cipher functionality from PKCS #11 modules? <#pkc11>`__
  -  `Can you explain token names and keys with regards to JSS? <#token_name>`__
  -  `JSS 3.2 has JCA support. When will JSS have JSSE support? <#jssjsse>`__

  **What versions of JDK and JCE do you suggest?**

  -  JSS 3.x works with JDK versions 1.2 or higher, except version 1.3.0. Most attention for future
     development and bug fixing will go to JDK 1.4 and later, so use that if you can. If you are
     using JDK 1.3.x, you will need to use at least version 1.3.1; see `bug
     113808 <http://bugzilla.mozilla.org/show_bug.cgi?id=113808>`__. JSS only supports the native
     threading model (no green threads). For JSS 3.2 and higher, if you use JDK 1.4 or higher you
     will not need to install the JCE, but if you are using an earlier version of the JDK then you
     will also have to install JCE 1.2.1. See also the document `Using JSS <Using_JSS>`__.

  **Does JSS have 64-bit support?**

  -  Yes, JSS 3.2 and higher supports 64-bit. You will need JDK 1.4 or higher and the 64-bit
     versions of NSPR and NSS. You must also use the java flag ``-d64`` to specify the 64-bit data
     model.

  **Is JSS FIPS Compliant?**

  -  NSS is a FIPS-certified software library. JSS is considered a FIPS-compliant software library
     since it only uses NSS for any and all crypto routines.

  **Is there any sample code and documentation?**

  -  The `Using JSS <Using_JSS>`__ document describes how to set up your environment to run JSS.
     The only other documentation is the
     `Javadoc <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__.

     JSS example code is essentially developer test code; with that understanding, the best
     directory to look for sample code is in the org/mozilla/jss/tests directory:

     http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests

     | `org/mozilla/jss/tests/CloseDBs.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/CloseDBs.java#47>`__
     | `org/mozilla/jss/tests/KeyFactoryTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyFactoryTest.java#81>`__
     | `org/mozilla/jss/tests/DigestTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/DigestTest.java#44>`__
     | `org/mozilla/jss/tests/JCASigTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JCASigTest.java#50>`__
     | `org/mozilla/jss/tests/KeyWrapping.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyWrapping.java#45>`__
     | `org/mozilla/jss/tests/ListCerts.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCerts.java#40>`__
     | `org/mozilla/jss/tests/PK10Gen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/PK10Gen.java#43>`__
     | `org/mozilla/jss/tests/SDR.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SDR.java#47>`__
     | `org/mozilla/jss/tests/SelfTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SelfTest.java#46>`__
     | `org/mozilla/jss/tests/SetupDBs.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java#42>`__
     | `org/mozilla/jss/tests/SigTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SigTest.java#64>`__
     | `org/mozilla/jss/tests/SymKeyGen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SymKeyGen.java#44>`__
     | `org/mozilla/jss/tests/TestKeyGen.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/TestKeyGen.java#64>`__
     | `org/mozilla/jss/tests/SSLClientAuth.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SSLClientAuth.java#99>`__
     | `org/mozilla/jss/tests/ListCACerts.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCACerts.java#8>`__
     | `org/mozilla/jss/tests/KeyStoreTest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/KeyStoreTest.java#68>`__
     | `org/mozilla/jss/tests/VerifyCert.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/VerifyCert.java#86>`__

     SSL examples:

     | `org/mozilla/jss/tests/SSLClientAuth.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/SSLClientAuth.java>`__
     | `org/mozilla/jss/ssl/SSLClient.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLClient.java>`__
     | `org/mozilla/jss/ssl/SSLServer.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLServer.java>`__
     | `org/mozilla/jss/ssl/SSLTest.java <http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLTest.java>`__

     Other test code that may prove useful:

     | `org/mozilla/jss/asn1/INTEGER.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/INTEGER.java#131>`__
     | `org/mozilla/jss/asn1/SEQUENCE.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/SEQUENCE.java#574>`__
     | `org/mozilla/jss/asn1/SET.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/asn1/SET.java#876>`__
     | `org/mozilla/jss/pkcs10/CertificationRequest.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs10/CertificationRequest.java#269>`__
     | `org/mozilla/jss/pkcs12/PFX.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkcs12/PFX.java#329>`__
     | `org/mozilla/jss/pkix/cert/Certificate.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cert/Certificate.java#279>`__
     | `org/mozilla/jss/pkix/cmmf/CertRepContent.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/cmmf/CertRepContent.java#148>`__
     | `org/mozilla/jss/pkix/crmf/CertReqMsg.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java#265>`__
     | `org/mozilla/jss/pkix/crmf/CertTemplate.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/CertTemplate.java#530>`__
     | `org/mozilla/jss/pkix/primitive/Name.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/primitive/Name.java#276>`__
     | `org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java#287>`__
     | `org/mozilla/jss/util/UTF8Converter.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/util/UTF8Converter.java#302>`__
     | `org/mozilla/jss/util/Base64InputStream.java <http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/util/Base64InputStream.java#237>`__
     | `jss/samples/PQGGen.java <http://lxr.mozilla.org/security/source/security/jss/samples/PQGGen.java#44>`__
     | `jss/samples/pkcs12.java <http://lxr.mozilla.org/security/source/security/jss/samples/pkcs12.java#57>`__

  **If I don't call setCipherPolicy, is the DOMESTIC policy used by default?**

  -  Yes, domestic is the default because we call NSS_SetDomesticPolicy() during
     CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless
     that app wants to limit itself to export-allowed cipher suites.

  **My SSL connection is hanging on Windows?**

  -  NSPR distinguishes between NT and Windows and provides different NT and Windows builds.
     Many Netscape products, including NSS, have NT and Windows builds that are essentially the
     same except for one difference: one is linked with the NT version of NSPR and the other is
     linked with the Windows version of NSPR. The NT fiber problem affects applications that call
     blocking system calls from the primordial thread. Either use the WIN 95 version of the
     NSPR/NSS/JSS components (essentially all non-fiber builds) or set the environment variable
     NSPR_NATIVE_THREADS_ONLY=1. You can find more information in bugzilla bug
     `102251 <http://bugzilla.mozilla.org/show_bug.cgi?id=102251>`__, "SSL session cache locking
     issue with NT fibers".

  **How can I tell which SSL/TLS ciphers JSS supports?**

  -  Check
     http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLSocket.java#730

  **How can I debug my SSL connection?**

  -  By using the NSS tool :ref:`mozilla_projects_nss_tools_ssltap`.

  **Can you explain JSS SSL certificate approval callbacks?**

  -  NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS
     callbacks into one.

  -  NSS's three SSL cert callbacks are:

     #. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is
        called instead of NSS's routine for authenticating certificates.
     #. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the
        certificate.
     #. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client
        auth.

     JSS's two callbacks are:

     #. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and
        SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback
        regardless of whether the cert passed or failed. The callback is told whether the cert
        passed, and then can do anything extra that it wants to do before making a final decision.
     #. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook.

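  The SSLCertificateApprovalCallback behaviour described above, as an added example that is not
  part of this FAQ or of the JSS sources: because JSS invokes the callback whether or not NSS's
  check passed, a careless implementation can silently approve a chain NSS rejected, so this one
  treats NSS's verdict as the floor, logs each rejection reason, and only then adds an
  application-level check. The class name and the pinned subject DN are assumptions; the
  ``ValidityStatus.getReasons()`` and ``ValidityItem`` accessors are taken from the JSS Javadoc.

```java
import java.util.Enumeration;

import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;

// Added example (not from the JSS sources): an approval callback that never
// overrides an NSS rejection and only adds a check on top of it.
public class StrictApprovalCallback implements SSLCertificateApprovalCallback {

    // Hypothetical application policy: the peer subject DN we expect to see.
    private final String expectedSubjectDN;

    public StrictApprovalCallback(String expectedSubjectDN) {
        this.expectedSubjectDN = expectedSubjectDN;
    }

    // JSS calls this after NSS has run its own certificate authentication,
    // whether that check passed or failed. An empty reason list means NSS
    // approved the chain; each ValidityItem records one failure NSS found.
    public boolean approve(X509Certificate cert, ValidityStatus status) {
        Enumeration<?> reasons = status.getReasons();
        boolean nssPassed = !reasons.hasMoreElements();

        // Log every failure with the chain depth, the NSS error code and
        // the certificate it applies to, so operators can see why.
        while (reasons.hasMoreElements()) {
            ValidityItem item = (ValidityItem) reasons.nextElement();
            System.err.println("NSS rejected chain at depth " + item.getDepth()
                    + ", reason " + item.getReason()
                    + ", subject " + item.getCert().getSubjectDN());
        }
        if (!nssPassed) {
            return false;   // never approve what NSS rejected
        }

        // NSS accepted the chain; add the application's own requirement.
        String actual = cert.getSubjectDN().toString();
        if (!actual.equals(expectedSubjectDN)) {
            System.err.println("Peer subject DN mismatch: " + actual);
            return false;
        }
        return true;
    }
}
```

  An instance is passed as the certificate approval callback argument of the SSLSocket
  constructor that accepts one.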
  **Can I have multiple JSS instances reading separate databases?**

  -  No, you can only have one initialized instance of JSS for each database.

  **Once JSS is initialized, I can't get any more instances with
  CertificateFactory.getInstance("X.509")?**

  -  In versions prior to JSS 3.1, JSS removed the default SUN provider on startup. Upgrade to
     the latest JSS, or, in the ``CryptoManager.InitializationValues`` object you pass to
     ``CryptoManager.initialize()``, set ``removeSunProvider=true``.

  **Is it possible to sign data in Java with JSS? What I am trying to do is write a Java applet
  that will access the Netscape certificate store, retrieve an X.509 certificate and then sign some
  data.**

  -  The best way to do this is with the PKCS #7 signedData type. Check out the
     `javadoc <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__.

  **How do I convert org.mozilla.jss.crypto.X509Certificate to
  org.mozilla.jss.pkix.cert.Certificate?**

  -  .. code::

        import org.mozilla.jss.asn1.ASN1Util;
        import org.mozilla.jss.pkix.cert.Certificate;

        [...]

        // x509Cert is an org.mozilla.jss.crypto.X509Certificate backed by an NSS
        // certificate; re-decode its DER encoding into the JSS ASN.1 object model.
        // ASN1Util.decode() throws InvalidBERException if the encoding is malformed.
        Certificate cert = (Certificate) ASN1Util.decode(
                Certificate.getTemplate(), x509Cert.getEncoded());

  **How do I convert org.mozilla.jss.pkix.cert.Certificate to org.mozilla.jss.crypto.X509Certificate?**

  -  `CryptoManager.importCertPackage() <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_RTM/doc/JSS_4_3_RTM-doc.zip>`__

  **Is it possible to use JSS to access cipher functionality from PKCS #11 modules?**

  -  Yes. Before JSS 3.2 you would use CryptoManager to obtain the CryptoToken you want to use,
     then call CryptoToken.getCipherContext() to get an encryption engine. But as of JSS 3.2 you
     would use the `JSS JCA provider <JSS_Provider_Notes>`__.

  **Can you explain token names and keys with regards to JSS?**

  -  The token name is different depending on which application you are running. In JSS, the token
     is called "Internal Key Storage Token". You can look it up by name using
     CryptoManager.getTokenByName(), but a better way is to call
     CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In
     general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java
     object residing in memory. Symmetric key usage: encrypt/decrypt is for data and wrap/unwrap
     is for keys.

  **JSS 3.2 has JCA support. When will JSS have JSSE support?**

  -  Not in the near future, because provider pluggability is disabled in the JSSE version
     included in J2SE 1.4.x for export control reasons.