322871: JSS needs to handle ECC keys and certs`

Back out changes by rrelyea (2006-02-10) and glen.beasley (2006-02-14).
r+: wtc

security/jss/build_java.pl

@@ -45,7 +45,6 @@ org.mozilla.jss.pkcs11.PK11KeyPairGenerator
 org.mozilla.jss.pkcs11.SigContextProxy
 org.mozilla.jss.pkcs11.PK11RSAPublicKey
 org.mozilla.jss.pkcs11.PK11DSAPublicKey
-org.mozilla.jss.pkcs11.PK11ECPublicKey
 org.mozilla.jss.pkcs11.PK11SecureRandom 
 org.mozilla.jss.provider.java.security.JSSKeyStoreSpi
 org.mozilla.jss.SecretDecoderRing.KeyManager

security/jss/lib/jss.def

@@ -118,7 +118,6 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_getKeyType;
 Java_org_mozilla_jss_pkcs11_PK11SymKey_getOwningToken;
 Java_org_mozilla_jss_pkcs11_PK11SymKey_getStrength;
 Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPair;
-Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPair;
 Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPair;
 Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generateNormal;
 Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generatePBE;
@@ -165,8 +164,6 @@ Java_org_mozilla_jss_pkcs11_PK11DSAPublicKey_getGByteArray;
 Java_org_mozilla_jss_pkcs11_PK11DSAPublicKey_getPByteArray;
 Java_org_mozilla_jss_pkcs11_PK11DSAPublicKey_getQByteArray;
 Java_org_mozilla_jss_pkcs11_PK11DSAPublicKey_getYByteArray;
-Java_org_mozilla_jss_pkcs11_PK11ECPublicKey_getCurveByteArray;
-Java_org_mozilla_jss_pkcs11_PK11ECPublicKey_getWByteArray;
 Java_org_mozilla_jss_pkcs11_PK11SecureRandom_nextBytes;
 Java_org_mozilla_jss_pkcs11_PK11SecureRandom_setSeed;
 Java_org_mozilla_jss_ssl_SSLServerSocket_clearSessionCache;

security/jss/org/mozilla/jss/JSSProvider.java

@@ -100,32 +100,6 @@ public final class JSSProvider extends java.security.Provider {
             "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA512RSA");
         put("Alg.Alias.Signature.SHA512/RSA", "SHA-512/RSA");
         put("Alg.Alias.Signature.SHA512withRSA", "SHA-512/RSA");
-// ECC
-        put("Signature.SHA1withEC",
-            "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA1EC");
-        put("Alg.Alias.Signature.EC", "SHA1withEC");
-        put("Alg.Alias.Signature.ECC", "SHA1withEC");
-        put("Alg.Alias.Signature.ECDSA", "SHA1withEC");
-        put("Alg.Alias.Signature.SHA/EC", "SHA1withEC");
-        put("Alg.Alias.Signature.SHA1/EC", "SHA1withEC");
-        put("Alg.Alias.Signature.SHA-1/EC", "SHA1withEC");
-        put("Alg.Alias.Signature.SHA/ECDSA", "SHA1withEC");
-        put("Alg.Alias.Signature.SHA1/ECDSA", "SHA1withEC");
-
-        put("Signature.SHA256withEC",
-            "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA256EC");
-        put("Alg.Alias.Signature.SHA256/EC", "SHA256withEC");
-        put("Alg.Alias.Signature.SHA-256/EC", "SHA256withEC");
-
-        put("Signature.SHA384withEC",
-            "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA384EC");
-        put("Alg.Alias.Signature.SHA384/EC", "SHA384withEC");
-        put("Alg.Alias.Signature.SHA-384/EC", "SHA384withEC");
-
-        put("Signature.SHA512withEC",
-            "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA512EC");
-        put("Alg.Alias.Signature.SHA512/EC", "SHA512withEC");
-        put("Alg.Alias.Signature.SHA-512/EC", "SHA384withEC");
 
         /////////////////////////////////////////////////////////////
         // Message Digesting
@@ -163,8 +137,6 @@ public final class JSSProvider extends java.security.Provider {
             "org.mozilla.jss.provider.java.security.JSSKeyPairGeneratorSpi$RSA");
         put("KeyPairGenerator.DSA",
             "org.mozilla.jss.provider.java.security.JSSKeyPairGeneratorSpi$DSA");
-        put("KeyPairGenerator.EC",
-            "org.mozilla.jss.provider.java.security.JSSKeyPairGeneratorSpi$EC");
 
         /////////////////////////////////////////////////////////////
         // KeyFactory
@@ -173,8 +145,6 @@ public final class JSSProvider extends java.security.Provider {
             "org.mozilla.jss.provider.java.security.KeyFactorySpi1_2");
         put("KeyFactory.DSA",
             "org.mozilla.jss.provider.java.security.KeyFactorySpi1_2");
-        put("KeyFactory.EC",
-            "org.mozilla.jss.provider.java.security.KeyFactorySpi1_2");
 
         /////////////////////////////////////////////////////////////
         // AlgorithmParameters

security/jss/org/mozilla/jss/crypto/Algorithm.c

@@ -103,13 +103,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
 /* 40 */    {SEC_OID_SHA512, SEC_OID_TAG},
 /* 41 */    {SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, SEC_OID_TAG},
 /* 42 */    {SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION, SEC_OID_TAG},
-/* 43 */    {SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION, SEC_OID_TAG},
+/* 43 */    {SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION, SEC_OID_TAG}
-/* 44 */    {SEC_OID_ANSIX962_EC_PUBLIC_KEY, SEC_OID_TAG},
-/* 45 */    {SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE, SEC_OID_TAG},
-/* 46 */    {CKM_EC_KEY_PAIR_GEN, PK11_MECH},
-/* 47 */    {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
-/* 48 */    {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
-/* 49 */    {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
 /* REMEMBER TO UPDATE NUM_ALGS!!! */
 };
 

security/jss/org/mozilla/jss/crypto/Algorithm.h

@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
     JSS_AlgType type;
 } JSS_AlgInfo;
 
-#define NUM_ALGS 50
+#define NUM_ALGS 44
 
 extern JSS_AlgInfo JSS_AlgTable[];
 extern CK_ULONG JSS_symkeyUsage[];

security/jss/org/mozilla/jss/crypto/Algorithm.java

@@ -168,8 +168,6 @@ public class Algorithm {
     //////////////////////////////////////////////////////////////
     static final OBJECT_IDENTIFIER ANSI_X9_ALGORITHM = 
         new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10040, 4 } );
-    static final OBJECT_IDENTIFIER ANSI_X962_OID = 
-        new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045 } );
 
     // Algorithm indices.  These must be kept in sync with the
     // algorithm array in Algorithm.c.
@@ -226,11 +224,5 @@ public class Algorithm {
     protected static final short SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
     protected static final short SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
     protected static final short SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
-    protected static final short SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
-    protected static final short CKM_EC_KEY_PAIR_GEN=46;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
 
 }

security/jss/org/mozilla/jss/crypto/CryptoToken.java

@@ -148,7 +148,7 @@ public interface CryptoToken {
      * on this token.
      *
      * @param algorithm The algorithm that the keys will be used with (RSA,
-     *      DSA, EC, etc.)
+     *      DSA, etc.)
      * @exception java.security.NoSuchAlgorithmException If this token does
      *      not support the given algorithm.
      * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})

security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java

@@ -93,15 +93,9 @@ public class KeyPairAlgorithm extends Algorithm {
     public static final Algorithm
     DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
 
-    public static final Algorithm
-    ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
-
     public static final KeyPairAlgorithm
     RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
 
     public static final KeyPairAlgorithm
     DSA = new KeyPairAlgorithm(CKM_DSA_KEY_PAIR_GEN, "DSA", DSAFamily);
-
-    public static final KeyPairAlgorithm
-    EC = new KeyPairAlgorithm(CKM_EC_KEY_PAIR_GEN, "EC", ECFamily);
 }

security/jss/org/mozilla/jss/crypto/PrivateKey.java

@@ -50,7 +50,6 @@ public interface PrivateKey extends java.security.PrivateKey
 
     public static final Type RSA = Type.RSA;
     public static final Type DSA = Type.DSA;
-    public static final Type EC = Type.EC;
     public static final Type DiffieHellman = Type.DiffieHellman;
 
     /**
@@ -113,7 +112,7 @@ public interface PrivateKey extends java.security.PrivateKey
 
         /**
          * Returns a string representation of the algorithm, such as
-         * "RSA", "DSA", or "EC".
+         * "RSA" or "DSA".
          */
         public String toString() {
             return name;
@@ -135,16 +134,11 @@ public interface PrivateKey extends java.security.PrivateKey
         private static int CKK_RSA = 0x0;
         private static int CKK_DSA = 0x1;
         private static int CKK_DH = 0x2;
-        private static int CKK_EC = 0x3;
-        private static int CKK_X9_42_DH = 0x4;
-        private static int CKK_KEA = 0x5;
         
         public static final Type RSA = new Type(
                 OBJECT_IDENTIFIER.PKCS1.subBranch(1), "RSA", CKK_RSA );
         public static final Type DSA = new Type(
                 Algorithm.ANSI_X9_ALGORITHM.subBranch(1), "DSA", CKK_DSA); 
-        public static final Type EC = new Type(
-            Algorithm.ANSI_X962_OID.subBranch(2).subBranch(1), "EC", CKK_EC); 
         public static final Type DiffieHellman = new Type(
                 DH_OID, "DiffieHellman", CKK_DH );
                 

security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java

@@ -113,21 +113,12 @@ public class SignatureAlgorithm extends Algorithm {
 
     /**********************************************************************
      * Raw DSA signing. This algorithm does not do any hashing, it merely
-     * operates on its input, which should be a hash.
+     * encrypts its input, which should be a hash.
      */
     public static final SignatureAlgorithm
     DSASignature = new SignatureAlgorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA",
         null, null, ANSI_X9_ALGORITHM.subBranch(1) );
 
-    /**********************************************************************
-     * Raw EC signing. This algorithm does not do any hashing, it merely
-     * operates on its input, which should be a hash.
-     */
-    public static final SignatureAlgorithm
-    ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, 
-	"EC",
-        null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );
-
     //////////////////////////////////////////////////////////////////////
     public static final SignatureAlgorithm
     RSASignatureWithMD2Digest =
@@ -156,34 +147,6 @@ public class SignatureAlgorithm extends Algorithm {
             "DSASignatureWithSHA1Digest", DSASignature, DigestAlgorithm.SHA1,
             ANSI_X9_ALGORITHM.subBranch(3) );
 
-    //////////////////////////////////////////////////////////////////////
-    public static final SignatureAlgorithm
-    ECSignatureWithSHA1Digest =
-        new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE,
-            "ECSignatureWithSHA1Digest", ECSignature, DigestAlgorithm.SHA1,
-            ANSI_X962_OID.subBranch(4).subBranch(1) );
-
-    //////////////////////////////////////////////////////////////////////
-    public static final SignatureAlgorithm
-    ECSignatureWithSHA256Digest =
-        new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE,
-            "ECSignatureWithSHA256Digest", ECSignature, DigestAlgorithm.SHA256,
-            ANSI_X962_OID.subBranch(4).subBranch(3).subBranch(2) );
-
-    //////////////////////////////////////////////////////////////////////
-    public static final SignatureAlgorithm
-    ECSignatureWithSHA384Digest =
-        new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE,
-            "ECSignatureWithSHA384Digest", ECSignature, DigestAlgorithm.SHA384,
-            ANSI_X962_OID.subBranch(4).subBranch(3).subBranch(3) );
-
-    //////////////////////////////////////////////////////////////////////
-    public static final SignatureAlgorithm
-    ECSignatureWithSHA512Digest =
-        new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE,
-            "ECSignatureWithSHA512Digest", ECSignature, DigestAlgorithm.SHA512,
-            ANSI_X962_OID.subBranch(4).subBranch(3).subBranch(4) );
-
     //////////////////////////////////////////////////////////////////////
     public static final SignatureAlgorithm
     RSASignatureWithSHA256Digest =

security/jss/org/mozilla/jss/pkcs11/KeyType.java

@@ -164,19 +164,6 @@ public final class KeyType {
                     "DSA"
                 );
 
-    //////////////////////////////////////////////////////////////
-    static public final KeyType
-    EC     = new KeyType(new Algorithm[]
-                    {
-                    SignatureAlgorithm.ECSignature,
-                    SignatureAlgorithm.ECSignatureWithSHA1Digest,
-                    SignatureAlgorithm.ECSignatureWithSHA256Digest,
-                    SignatureAlgorithm.ECSignatureWithSHA384Digest,
-                    SignatureAlgorithm.ECSignatureWithSHA512Digest
-                    },
-                    "EC"
-                );
-
     //////////////////////////////////////////////////////////////
     static public final KeyType
     FORTEZZA = new KeyType(new Algorithm[0], "FORTEZZA");

security/jss/org/mozilla/jss/pkcs11/PK11ECPrivateKey.java

@@ -1,45 +0,0 @@
-package org.mozilla.jss.pkcs11;
-
-import org.mozilla.jss.crypto.PrivateKey;
-import org.mozilla.jss.crypto.TokenException;
-import org.mozilla.jss.util.Assert;
-import java.math.BigInteger;
-// requires JAVA 1.5
-//import java.security.interfaces.ECPrivateKey;
-
-class PK11ECPrivateKey
-//    extends PK11PrivKey implements ECPrivateKey
-    extends PK11PrivKey 
-{
-
-    private PK11ECPrivateKey() { super(null); }
-
-    protected PK11ECPrivateKey(byte[] pointer) {
-        super(pointer);
-    }
-
-    public PrivateKey.Type getType() {
-        return PrivateKey.Type.EC;
-    }
-
-    /**
-     * If this fails, we just return null, since no exceptions are allowed.
-     */
-// requires JAVA 1.5
-//    public ECParams getParams() {
-//      try {
-//        return getECParams();
-//      } catch(TokenException te) {
-//            return null;
-//      }
-//    }
-
-    /**
-     * Not implemented. NSS doesn't support extracting private key material
-     * like this.
-     */
-// requires JAVA 1.5
-//    public BigInteger getW() {
-//        return null;
-//    }
-}

security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java

@@ -1,72 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape Security Services for Java.
- * 
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation.  Portions created by Netscape are 
- * Copyright (C) 1998-2000 Netscape Communications Corporation.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-package org.mozilla.jss.pkcs11;
-
-import org.mozilla.jss.util.Assert;
-// Requires JAVA 1.5
-//import java.security.interfaces.ECPublicKey;
-import java.math.BigInteger;
-
-//
-// Requires JAVA 1.5
-//public final class PK11ECPublicKey extends PK11PubKey implements ECPublicKey {
-public final class PK11ECPublicKey extends PK11PubKey {
-    
-    public PK11ECPublicKey(byte[] pointer) {
-        super(pointer);
-    }
-
-//
-// Requires JAVA 1.5
-//    public ECParams getCurve() {
-//      try {
-//        return new BigInteger( getCurveByteArray() );
-//      } catch(NumberFormatException e) {
-//       Assert.notReached("Unable to decode DSA parameters");
-//       return null;
-//      }
-//    }
-//
-//    public BigInteger getW() {
-//      try {
-//        return new BigInteger( getWByteArray() );
-//      } catch(NumberFormatException e) {
-//        Assert.notReached("Unable to decode DSA public value");
-//        return null;
-//      }
-//    }
-//
-//    private native byte[] getCurveByteArray();
-//    private native byte[] getWByteArray();
-}

security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c

@@ -120,19 +120,37 @@ finish:
 
 int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int);
 
-/*
+/**********************************************************************
- * make a common key gen function for both this file and PK11Token.c
+ * PK11KeyPairGenerator.generateRSAKeyPair
  */
-SECStatus
+JNIEXPORT jobject JNICALL
-JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism, 
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPair
-    PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
+  (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent,
-    void *params, PRBool temporary, jint sensitive, jint extractable)
+    jboolean temporary, jint sensitive, jint extractable)
 {
+    PK11SlotInfo* slot;
+    PK11RSAGenParams params;
+    SECKEYPrivateKey *privk=NULL;
+    SECKEYPublicKey *pubk=NULL;
+    jobject keyPair=NULL;
     PK11AttrFlags attrFlags = 0;
-    *privk=NULL;
-    *pubk=NULL;
 
-    PR_ASSERT(env!=NULL && slot!=NULL);
+    PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
+
+    /**************************************************
+     * get the slot pointer
+     *************************************************/
+    if( JSS_PK11_getTokenSlotPtr(env, token, &slot) != PR_SUCCESS) {
+        PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+        goto finish;
+    }
+    PR_ASSERT(slot != NULL);
+
+    /**************************************************
+     * setup parameters
+     *************************************************/
+    params.keySizeInBits = keySize;
+    params.pe = publicExponent;
 
     /**************************************************
      * login to the token if necessary
@@ -173,13 +191,13 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
     } else {
         attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
     }
-    *privk = PK11_GenerateKeyPairWithFlags(slot,
+    privk = PK11_GenerateKeyPairWithFlags(slot,
-                                          mechanism,
+                                          CKM_RSA_PKCS_KEY_PAIR_GEN,
-                                          params, 
+                                          &params, /* params is not a ptr */
-                                          pubk,
+                                          &pubk,
                                           attrFlags,
                                           NULL /* default PW callback */ );
-    if( *privk == NULL ) {
+    if( privk == NULL ) {
         int errLength;
         char *errBuf;
         char *msgBuf;
@@ -202,51 +220,6 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
         PR_Free(msgBuf);
         goto finish;
     }
-    return SECSuccess;
-
-
-finish:
-    if(*privk!=NULL) {
-        SECKEY_DestroyPrivateKey(*privk);
-	*privk = NULL;
-    }
-    if(*pubk!=NULL) {
-        SECKEY_DestroyPublicKey(*pubk);
-	*pubk = NULL;
-    }
-    return SECFailure;
-}
-
-/**********************************************************************
- * Local generic helper
- */
-static jobject 
-PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token, 
-    CK_MECHANISM_TYPE mechanism, void *params, 
-    jboolean temporary, jint sensitive, jint extractable)
-{
-    PK11SlotInfo* slot;
-    SECKEYPrivateKey *privk=NULL;
-    SECKEYPublicKey *pubk=NULL;
-    jobject keyPair=NULL;
-    SECStatus rv;
-
-    PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
-
-    /**************************************************
-     * get the slot pointer
-     *************************************************/
-    if( JSS_PK11_getTokenSlotPtr(env, token, &slot) != PR_SUCCESS) {
-        PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-        goto finish;
-    }
-    PR_ASSERT(slot != NULL);
-
-    rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk,
-    	params, temporary, sensitive, extractable);
-    if (rv != SECSuccess) {
-        goto finish;
-    }
 
     /**************************************************
      * wrap in a Java KeyPair object
@@ -267,28 +240,6 @@ finish:
     return keyPair;
 }
 
-/**********************************************************************
- * PK11KeyPairGenerator.generateRSAKeyPair
- */
-JNIEXPORT jobject JNICALL
-Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPair
-  (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent,
-    jboolean temporary, jint sensitive, jint extractable)
-{
-    PK11RSAGenParams params;
-
-    PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
-
-    /**************************************************
-     * setup parameters
-     *************************************************/
-    params.keySizeInBits = keySize;
-    params.pe = publicExponent;
-
-    return PK11KeyPairGenerator(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN,
-     &params, temporary, sensitive, extractable);
-}
-
 #define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;}
 
 /**********************************************************************
@@ -301,9 +252,13 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPair
   (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q,
     jbyteArray G, jboolean temporary, jint sensitive, jint extractable)
 {
+    PK11SlotInfo *slot;
+    SECKEYPrivateKey *privk=NULL;
+    SECKEYPublicKey *pubk=NULL;
     SECItem p, q, g;
     PQGParams *params=NULL;
     jobject keyPair=NULL;
+    PK11AttrFlags attrFlags = 0;
 
     PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL
                 && G!=NULL);
@@ -313,6 +268,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPair
     ZERO_SECITEM(q);
     ZERO_SECITEM(g);
 
+
+    /**************************************************
+     * Get the slot pointer
+     *************************************************/
+    if( JSS_PK11_getTokenSlotPtr(env, token, &slot) != PR_SUCCESS) {
+        PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+        goto finish;
+    }
+
     /**************************************************
      * Setup the parameters
      *************************************************/
@@ -328,8 +292,66 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPair
         JSS_throw(env, OUT_OF_MEMORY_ERROR);
         goto finish;
     }
-    keyPair = PK11KeyPairGenerator(env, this, token, CKM_DSA_KEY_PAIR_GEN,
+
-     			params, temporary, sensitive, extractable);
+    /**************************************************
+     * login to the token if necessary
+     *************************************************/
+    if( PK11_Authenticate(slot, PR_TRUE /*loadcerts*/, NULL /* default pwcb*/)
+           != SECSuccess)
+    {
+        JSS_throwMsg(env, TOKEN_EXCEPTION, "unable to login to token");
+        goto finish;
+    }
+
+    /**************************************************
+     * generate the key pair on the token
+     *************************************************/
+    if( temporary ) {
+        attrFlags |= PK11_ATTR_SESSION;
+    } else {
+        attrFlags |= PK11_ATTR_TOKEN;
+    }
+    if( extractable == 1 ) {
+        attrFlags |= PK11_ATTR_EXTRACTABLE;
+    } else if( extractable == 0 ) {
+        attrFlags |= PK11_ATTR_UNEXTRACTABLE;
+    }
+    /*
+     * The default of sensitive is set this way to be backward
+     * compatible.
+     */
+    if( sensitive == -1 ) {
+        sensitive = !temporary; /* workaround bug 129563 */
+    }
+    /*
+     * The PRIVATE/PUBLIC attributes are set this way to be backward
+     * compatible with the original PK11_GenerateKeyPair call.
+     */
+    if( sensitive ) {
+        attrFlags |= (PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE);
+    } else {
+        attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
+    }
+    privk = PK11_GenerateKeyPairWithFlags(slot,
+                                          CKM_DSA_KEY_PAIR_GEN,
+                                          params, /* params is a ptr */
+                                          &pubk,
+                                          attrFlags,
+                                          NULL /* default PW callback */);
+    if( privk == NULL ) {
+        JSS_throwMsg(env, TOKEN_EXCEPTION,
+                "Keypair Generation failed on PKCS #11 token");
+        goto finish;
+    }
+
+    /**************************************************
+     * wrap in a Java KeyPair object
+     *************************************************/
+    keyPair = keysToKeyPair(env, &privk, &pubk);
+    if(keyPair == NULL) {
+        PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+        goto finish;
+    }
 
 finish:
     SECITEM_FreeItem(&p, PR_FALSE);
@@ -338,50 +360,3 @@ finish:
     PK11_PQG_DestroyParams(params);
     return keyPair;
 }
-
-void
-DumpItem(SECItem *item)
-{
-  unsigned char *data = item->data;
-  int i;
-
-  for (i=0; i < item->len; i++) {
-    printf(" %02x",data[i]);
-  }
-  printf(" : 0x%08x %d\n", data, item->len);
-}
-
-/**********************************************************************
- *
- * PK11KeyPairGenerator.generateECKeyPair
- *
- */
-JNIEXPORT jobject JNICALL
-Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPair
-  (JNIEnv *env, jobject this, jobject token, jbyteArray Curve, 
-    jboolean temporary, jint sensitive, jint extractable)
-{
-    SECItem curve;
-    jobject keyPair=NULL;
-
-    PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL );
-
-    /* zero these so we can free them indiscriminately later */
-    ZERO_SECITEM(curve);
-
-    /**************************************************
-     * Setup the parameters
-     *************************************************/
-    if( JSS_ByteArrayToOctetString(env, Curve, &curve))
-    {
-        PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-        goto finish;
-    }
-
-    keyPair = PK11KeyPairGenerator(env, this, token, CKM_EC_KEY_PAIR_GEN,
-     			&curve, temporary, sensitive, extractable);
-
-finish:
-    SECITEM_FreeItem(&curve, PR_FALSE);
-    return keyPair;
-}

security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java

@@ -38,14 +38,12 @@ package org.mozilla.jss.pkcs11;
 
 import org.mozilla.jss.crypto.*;
 import org.mozilla.jss.util.*;
-import org.mozilla.jss.asn1.*;
 import java.math.BigInteger;
 import java.security.*;
 import java.security.SecureRandom;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.DSAParameterSpec;
 
-
 /**
  * A Key Pair Generator implemented using PKCS #11.
  *
@@ -65,9 +63,8 @@ public final class PK11KeyPairGenerator
      * Constructor for PK11KeyPairGenerator.
      * @param token The PKCS #11 token that the keypair will be generated on.
      * @param algorithm The type of key that will be generated.  Currently,
-     *      <code>KeyPairAlgorithm.RSA</code> , 
+     *      <code>KeyPairAlgorithm.RSA</code> and
-     *      <code>KeyPairAlgorithm.DSA</code> and
+     *      <code>KeyPairAlgorithm.DSA</code> are supported.
-     *      <code>KeyPairAlgorithm.EC</code> are supported.
      */
     public PK11KeyPairGenerator(PK11Token token, KeyPairAlgorithm algorithm)
         throws NoSuchAlgorithmException, TokenException
@@ -118,7 +115,8 @@ public final class PK11KeyPairGenerator
         if(algorithm == KeyPairAlgorithm.RSA) {
             params =
                 new RSAParameterSpec(strength, DEFAULT_RSA_PUBLIC_EXPONENT);
-        } else if(algorithm == KeyPairAlgorithm.DSA) {
+        } else {
+            Assert._assert( algorithm == KeyPairAlgorithm.DSA );
             if(strength==512) {
                 params = PQG512;
             } else if(strength==768) {
@@ -130,9 +128,6 @@ public final class PK11KeyPairGenerator
                     "In order to use pre-cooked PQG values, key strength must"+
                     "be 512, 768, or 1024.");
             }
-        } else {
-            Assert._assert( algorithm == KeyPairAlgorithm.EC );
-            params = getCurve(strength);
         }
     }
 
@@ -166,22 +161,12 @@ public final class PK11KeyPairGenerator
                 throw new InvalidAlgorithmParameterException(
                         "RSA Public Exponent must fit in 31 or fewer bits.");
             }
-        } else if ( algorithm == KeyPairAlgorithm.DSA ){
+        } else {
+            Assert._assert( algorithm == KeyPairAlgorithm.DSA);
             if(! (params instanceof DSAParameterSpec) ) {
                 throw new InvalidAlgorithmParameterException();
             }
-        } else {
+        }
-            Assert._assert( algorithm == KeyPairAlgorithm.EC);
-            // requires JAVA 1.5 
-            // if(! (params instanceof ECParameterSpec) ) {
-            //   throw new InvalidAlgorithmParameterException();
-            //}
-            // requires JAVA 1.5 
-            if(! (params instanceof PK11ParameterSpec) ) {
-               throw new InvalidAlgorithmParameterException();
-            }
-	} // future add support for X509EncodedSpec 
-
         this.params = params;
     }
 
@@ -211,7 +196,8 @@ public final class PK11KeyPairGenerator
                                     sensitivePairMode,
                                     extractablePairMode);
             }
-        } else if(algorithm == KeyPairAlgorithm.DSA ) {
+        } else {
+            Assert._assert( algorithm == KeyPairAlgorithm.DSA );
             if(params==null) {
                 params = PQG1024;
             }
@@ -224,22 +210,7 @@ public final class PK11KeyPairGenerator
                 temporaryPairMode,
                 sensitivePairMode,
                 extractablePairMode);
-        } else {
+        }
-            Assert._assert( algorithm == KeyPairAlgorithm.EC );
-            // requires JAVA 1.5 for ECParameters.
-            //
-            //AlgorithmParameters ecParams = 
-	    //			AlgorithmParameters.getInstance("ECParameters");
-	    // ecParams.init(params);
-            PK11ParameterSpec ecParams = (PK11ParameterSpec) params;
-
-            return generateECKeyPair(
-                token,
-		ecParams.getEncoded(), /* curve */
-                temporaryPairMode,
-                sensitivePairMode,
-                extractablePairMode);
-        } 
     }
 
     /**
@@ -274,15 +245,6 @@ public final class PK11KeyPairGenerator
             boolean temporary, int sensitive, int extractable)
         throws TokenException;
 
-    /**
-     * Generates a EC key pair with the given a curve.
-     * Curves are stored as DER Encoded Parameters.
-     */
-    private native KeyPair
-    generateECKeyPair(PK11Token token, byte[] Curve, 
-            boolean temporary, int sensitive, int extractable)
-        throws TokenException;
-
     ///////////////////////////////////////////////////////////////////////
     ///////////////////////////////////////////////////////////////////////
     // Defaults
@@ -397,266 +359,6 @@ public final class PK11KeyPairGenerator
         extractablePairMode = extractable ? 1 : 0;
     }
 
-    //
-    // requires JAVA 1.5
-    //
-    //private AlgorithmParameterSpec getCurve(int strength) {
-    //}
-
-
-    private static final OBJECT_IDENTIFIER ANSI_X962_PRIME_CURVE =
-	new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045, 3, 1 } );
-    private static final OBJECT_IDENTIFIER ANSI_X962_BINARY_CURVE =
-	new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045, 3, 0 } );
-    private static final OBJECT_IDENTIFIER SECG_EC_CURVE =
-	new OBJECT_IDENTIFIER( new long[] { 1, 3, 132, 0 } );
-
-    // ANSI Prime curves
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P192V1 
-	= ANSI_X962_PRIME_CURVE.subBranch(1);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P192V2 
-	= ANSI_X962_PRIME_CURVE.subBranch(2);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P192V3 
-	= ANSI_X962_PRIME_CURVE.subBranch(3);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P239V1 
-	= ANSI_X962_PRIME_CURVE.subBranch(4);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P239V2 
-	= ANSI_X962_PRIME_CURVE.subBranch(5);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P239V3 
-	= ANSI_X962_PRIME_CURVE.subBranch(6);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_P256V1 
-	= ANSI_X962_PRIME_CURVE.subBranch(7);
-
-    // ANSI Binary curves
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB163V1 
-	=ANSI_X962_BINARY_CURVE.subBranch(1);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB163V2 
-	=ANSI_X962_BINARY_CURVE.subBranch(2);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB163V3 
-	=ANSI_X962_BINARY_CURVE.subBranch(3);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB176V1 
-	=ANSI_X962_BINARY_CURVE.subBranch(4);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB191V1 
-	=ANSI_X962_BINARY_CURVE.subBranch(5);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB191V2 
-	=ANSI_X962_BINARY_CURVE.subBranch(6);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB191V3 
-	=ANSI_X962_BINARY_CURVE.subBranch(7);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_ONB191V4 
-	=ANSI_X962_BINARY_CURVE.subBranch(8);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_ONB191V5 
-	=ANSI_X962_BINARY_CURVE.subBranch(9);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB208W1 
-	=ANSI_X962_BINARY_CURVE.subBranch(10);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB239V1 
-	=ANSI_X962_BINARY_CURVE.subBranch(11);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB239V2 
-	=ANSI_X962_BINARY_CURVE.subBranch(12);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB239V3 
-	=ANSI_X962_BINARY_CURVE.subBranch(13);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_ONB239V4 
-	=ANSI_X962_BINARY_CURVE.subBranch(14);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_ONB239V5 
-	=ANSI_X962_BINARY_CURVE.subBranch(15);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB272W1 
-	=ANSI_X962_BINARY_CURVE.subBranch(16);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB304W1 
-	=ANSI_X962_BINARY_CURVE.subBranch(17);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB359V1 
-	=ANSI_X962_BINARY_CURVE.subBranch(18);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_PNB368W1 
-	=ANSI_X962_BINARY_CURVE.subBranch(19);
-    static final OBJECT_IDENTIFIER CURVE_ANSI_TNB431R1 
-	=ANSI_X962_BINARY_CURVE.subBranch(20);
-
-    // SEG Prime curves
-    static final OBJECT_IDENTIFIER CURVE_SECG_P112R1
-	= SECG_EC_CURVE.subBranch(6);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P112R2
-	= SECG_EC_CURVE.subBranch(7);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P128R1
-	= SECG_EC_CURVE.subBranch(28);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P128R2
-	= SECG_EC_CURVE.subBranch(29);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P160K1
-	= SECG_EC_CURVE.subBranch(9);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P160R1
-	= SECG_EC_CURVE.subBranch(8);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P160R2
-	= SECG_EC_CURVE.subBranch(30);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P192K1
-	= SECG_EC_CURVE.subBranch(31);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P224K1
-	= SECG_EC_CURVE.subBranch(32);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P224R1
-	= SECG_EC_CURVE.subBranch(33);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P256K1
-	= SECG_EC_CURVE.subBranch(10);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P384R1
-	= SECG_EC_CURVE.subBranch(34);
-    static final OBJECT_IDENTIFIER CURVE_SECG_P521R1
-	= SECG_EC_CURVE.subBranch(35);
-
-    // SEG Binary curves
-    static final OBJECT_IDENTIFIER CURVE_SECG_T113R1
-	= SECG_EC_CURVE.subBranch(4);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T113R2
-	= SECG_EC_CURVE.subBranch(5);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T131R1
-	= SECG_EC_CURVE.subBranch(22);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T131R2
-	= SECG_EC_CURVE.subBranch(23);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T163K1
-	= SECG_EC_CURVE.subBranch(1);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T163R1
-	= SECG_EC_CURVE.subBranch(2);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T163R2
-	= SECG_EC_CURVE.subBranch(15);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T193R1
-	= SECG_EC_CURVE.subBranch(24);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T193R2
-	= SECG_EC_CURVE.subBranch(25);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T233K1
-	= SECG_EC_CURVE.subBranch(26);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T233R1
-	= SECG_EC_CURVE.subBranch(27);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T239K1
-	= SECG_EC_CURVE.subBranch(3);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T283K1
-	= SECG_EC_CURVE.subBranch(16);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T283R1
-	= SECG_EC_CURVE.subBranch(17);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T409K1
-	= SECG_EC_CURVE.subBranch(36);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T409R1
-	= SECG_EC_CURVE.subBranch(37);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T571K1
-	= SECG_EC_CURVE.subBranch(38);
-    static final OBJECT_IDENTIFIER CURVE_SECG_T571R1
-	= SECG_EC_CURVE.subBranch(39);
-
-    private AlgorithmParameterSpec getCurve(int strength) 
-        throws InvalidParameterException
-    {
-	OBJECT_IDENTIFIER oid;
-	switch (strength) {
-	case 112:
-	    oid = CURVE_SECG_P112R1; // == WTLS-6
-        // Can't get to curve SECG P-112R2
-        // Can't get to curve WTLS-8 (No oid for WTLS-8)
-	    break;
-        case 113:
-	    oid = CURVE_SECG_T113R1; // == WTLS-4
-        // Can't get to curve SECG T-113R2
-        // Can't get to curve WTLS-1 (No oid for WTLS-1)
-	    break;
-	case 128:
-	    oid = CURVE_SECG_P128R1;
-        // Can't get to curve SECG P-128R2
-	    break;
-	case 131:
-	    oid = CURVE_SECG_T131R1;
-        // Can't get to curve SECG T-131R2
-	    break;
-	case 160:
-	    oid = CURVE_SECG_P160R1; // == WTLS-7 (TLS-16)
-        // Can't get to curve SECG P-160K1 (TLS-15)
-        // Can't get to curve SECG P-160R2 (TLS-17)
-        // Can't get to curve WTLS-9 (No oid for WTLS-9)
-	    break;
-	case 163:
-	    oid = CURVE_SECG_T163K1; // == NIST K-163 == WTLS-3 (TLS-1)
-        // Can't get to curve ANSI C2-PNB163V1 == WTLS-5
-        // Can't get to curve ANSI C2-PNB163V2
-        // Can't get to curve ANSI C2-PNB163V3
-        // Can't get to curve SECG T-163R1 (TLS-2)
-	// Can't get to curve SECG T-163R2 == NIST B-163 (TLS-3)
-	    break;
-	case 176:
-	    oid = CURVE_ANSI_PNB176V1;
-	    break;
-	case 191:
-	    oid = CURVE_ANSI_TNB191V1;
-	// Can't get to curve ANSI C2-TNB191V2
-	// Can't get to curve ANSI C2-TNB191V3
-	// Can't get to curve ANSI C2-ONB191V4
-	// Can't get to curve ANSI C2-ONB191V5
-	    break;
-	case 192:
-	    oid = CURVE_ANSI_P192V1; // == NIST P-192 == SECG P-192R1 (TLS-19)
-	// Can't get to curve ANSI P-192V2
-	// Can't get to curve ANSI P-192V3
-        // Can't get to curve SECG P-192K1 (TLS-18)
-	    break;
-	case 193:
-	    oid = CURVE_SECG_T193R1;  // (TLS-4)
-        // Can't get to curve SECG T-193R2 // (TLS-5)
-	    break;
-	case 208:
-	    oid = CURVE_ANSI_PNB208W1;
-	    break;
-	case 224:
-	    oid = CURVE_SECG_P224R1; // == NIST P-224 == WTLS-12 (TLS-21)
-        // Can't get to curve SECG P-224K1 (TLS-20)
-	    break;
-	case 233:
-	    oid = CURVE_SECG_T233R1; // == NIST B-233 == WTLS-11 (TLS-7)
-        // Can't get to curve SECG T-233K1 == NIST K-233 == WTLS-10 (TLS-6)
-	    break;
-	case 239:
-	    oid = CURVE_SECG_T239K1; // (TLS8)
-        // Can't get to curve ANSI P-239V1
-        // Can't get to curve ANSI P-239V2
-	// Can't get to curve ANSI P-239V3
-	// Can't get to curve ANSI C2-TNB239V1
-	// Can't get to curve ANSI C2-TNB239V2
-	// Can't get to curve ANSI C2-TNB239V3
-	// Can't get to curve ANSI C2-ONB239V4
-	// Can't get to curve ANSI C2-ONB239V5
-	    break;
-	case 256:
-	    oid = CURVE_ANSI_P256V1; // == NIST P-256 == SECG P-256R1 (TLS-23)
-	// Can't get to curve SECG P-256K1 (TLS-22)
-	    break;
-	case 272:
-	    oid = CURVE_ANSI_PNB272W1;
-	    break;
-	case 283:
-	    oid = CURVE_SECG_T283R1; // == NIST B-283 (TLS-10)
-        // Can't get to curve SECG T-283K1 == NIST K-283 (TLS-9)
-	    break;
-	case 304:
-	    oid = CURVE_ANSI_PNB304W1;
-	    break;
-	case 359:
-	    oid = CURVE_ANSI_TNB359V1;
-	    break;
-	case 368:
-	    oid = CURVE_ANSI_PNB368W1;
-	    break;
-	case 384:
-	    oid = CURVE_SECG_P384R1; // == NIST P-384 (TLS-24)
-	    break;
-	case 409:
-	    oid = CURVE_SECG_T409R1; // == NIST B-409 (TLS-12)
-        // Can't get to curve SECG T-409K1 == NIST K-409 (TLS-11)
-	    break;
-	case 431:
-	    oid = CURVE_ANSI_TNB431R1;
-	    break;
-	case 521:
-	    oid = CURVE_SECG_P521R1; // == NIST P-521 (TLS-25)
-	    break;
-	case 571:
-	    oid = CURVE_SECG_T571R1; // == NIST B-571 (TLS-14)
-        // Can't get to curve SECG T-571K1 == NIST K-571 (TLS-13)
-	    break;
-	default:
-             throw new InvalidParameterException();
-        }
-        return new PK11ParameterSpec(ASN1Util.encode(oid));
-    }
-
 
     ///////////////////////////////////////////////////////////////////////
     ///////////////////////////////////////////////////////////////////////

security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c

@@ -393,35 +393,18 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapPrivWithSym
     keyType = PK11_GetKeyType(keyTypeMech, 0);
 
     /* figure out which operations to enable for this key */
-    switch (keyType) {
+    if( keyType == CKK_RSA ) {
-    case CKK_RSA:
         attribs[0] = CKA_SIGN;
         attribs[1] = CKA_DECRYPT;
         attribs[2] = CKA_SIGN_RECOVER;
         attribs[3] = CKA_UNWRAP;
         numAttribs = 4;
-	break;
+    } else if(keyType == CKK_DSA) {
-    case CKK_DSA:
         attribs[0] = CKA_SIGN;
         numAttribs = 1;
-	break;
+    } else {
-    case CKK_KEA:
-    case CKK_DH:
-    case CKK_X9_42_DH:
-        attribs[0] = CKA_DERIVE;
-        numAttribs = 1;
-	break;
-    case CKK_EC:
-        attribs[0] = CKA_SIGN;
-        attribs[1] = CKA_DERIVE;
-        numAttribs = 2;
-	break;
-    default:
         /* unknown key type */
         PR_ASSERT(PR_FALSE);
-	attribs[0] = CKA_SIGN;
-	numAttribs = 1;
-	break;
     }
 
     /* perform the unwrap */

security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java

@@ -45,8 +45,6 @@ import org.mozilla.jss.util.Assert;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.security.interfaces.DSAPublicKey;
-//requires JAVA 1.5
-//import java.security.interfaces.ECPublicKey;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.RC2ParameterSpec;
 
@@ -170,8 +168,6 @@ final class PK11KeyWrapper implements KeyWrapper {
         try {
             KeyType type = KeyType.getKeyTypeFromAlgorithm(algorithm);
             if( (type == KeyType.RSA && !(key instanceof RSAPublicKey)) ||
-		// requires JAVA 1.5
-                // (type == KeyType.EC && !(key instanceof ECPublicKey)) ||
                 (type == KeyType.DSA && !(key instanceof DSAPublicKey)) ) {
                 throw new InvalidKeyException("Key is not the right type for "+
                     "this algorithm");
@@ -437,14 +433,12 @@ final class PK11KeyWrapper implements KeyWrapper {
     /**
      * Extracts the "public value" from a public key.  The public value is
      *  used to construct the key identifier (CKA_ID). Also, the internal token
-     *  stores the EC DSA and EC public value along with the private key.
+     *  stores the DSA public value along with the private key.
      */
     private static byte[]
     extractPublicValue(PublicKey publicKey, PrivateKey.Type type)
         throws InvalidKeyException
     {
-        /* this code should call a generic function wich returns the
-         * proper public value. */
         if( publicKey == null ) {
             throw new InvalidKeyException("publicKey is null");
         }
@@ -523,14 +517,12 @@ final class PK11KeyWrapper implements KeyWrapper {
 
     private static Algorithm
     algFromType(PrivateKey.Type type) {
-        if (type == PrivateKey.RSA) {
+        if(type == PrivateKey.RSA) {
             return KeyPairAlgorithm.RSAFamily;
-        } else if (type == PrivateKey.DSA) {
-            return KeyPairAlgorithm.DSAFamily;
         } else {
-            Assert._assert( type == PrivateKey.EC);
+            Assert._assert(type == PrivateKey.DSA);
-            return KeyPairAlgorithm.ECFamily;
+            return KeyPairAlgorithm.DSAFamily;
-	}
+        }
     }
 
     private static Algorithm

security/jss/org/mozilla/jss/pkcs11/PK11ParameterSpec.java

@@ -1,50 +0,0 @@
-/* 
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- * 
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- * 
- * The Original Code is the Netscape Security Services for Java.
- * 
- * The Initial Developer of the Original Code is Red Hat, Inc.
- * Portions created by Red Hat are 
- * Copyright (C) 2005,2006 Red Hat, Inc.  All
- * Rights Reserved.
- * 
- * Contributor(s):
- * 
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable 
- * instead of those above.  If you wish to allow use of your 
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL.  If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-package org.mozilla.jss.pkcs11;
-import java.security.spec.AlgorithmParameterSpec;
-
-public final class PK11ParameterSpec implements AlgorithmParameterSpec 
-{
-   public PK11ParameterSpec(byte [] derBlob)
-   {
-      blob = derBlob;
-   }
-
-   public byte [] getEncoded()
-   {
-     return blob;
-   }
-   private byte [] blob;
-
-}

security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c

@@ -76,9 +76,6 @@ JSS_PK11_wrapPrivKey(JNIEnv *env, SECKEYPrivateKey **privk)
       case dsaKey:
         className = "org/mozilla/jss/pkcs11/PK11DSAPrivateKey";
         break;
-      case ecKey:
-        className = "org/mozilla/jss/pkcs11/PK11ECPrivateKey";
-        break;
       default:
         className = "org/mozilla/jss/pkcs11/PK11PrivKey";
         break;
@@ -123,8 +120,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_verifyKeyIsOnToken
 	SECKEYPrivateKey *key = NULL;
 	PK11SlotInfo *slot = NULL;
 	PK11SlotInfo *keySlot = NULL;
-	PK11SlotInfo *dbSlot = NULL;
-	PK11SlotInfo *cryptoSlot = NULL;
 
 	if( JSS_PK11_getPrivKeyPtr(env, this, &key) != PR_SUCCESS) {
 		PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
@@ -137,11 +132,9 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_verifyKeyIsOnToken
 	}
 
 	keySlot = PK11_GetSlotFromPrivateKey(key);
-	dbSlot = PK11_GetInternalKeySlot();
+	if(keySlot == PK11_GetInternalKeySlot()) {
-	if(keySlot == dbSlot) {
-		cryptoSlot = PK11_GetInternalSlot();
 		/* hack for internal module */
-		if(slot != keySlot && slot != cryptoSlot) {
+		if(slot != keySlot && slot != PK11_GetInternalSlot()) {
 			JSS_throwMsg(env, NO_SUCH_ITEM_ON_TOKEN_EXCEPTION,
 				"Key is not present on this token");
 			goto finish;
@@ -156,12 +149,6 @@ finish:
 	if(keySlot != NULL) {
 		PK11_FreeSlot(keySlot);
 	}
-        if(dbSlot != NULL) {
-		PK11_FreeSlot(dbSlot);
-	}
-        if(cryptoSlot != NULL) {
-		PK11_FreeSlot(cryptoSlot);
-	}
 }
 
 /*
@@ -212,10 +199,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType
         break;
     case keaKey:
         keyTypeFieldName = KEA_KEYTYPE_FIELD;
-        break;
-    case ecKey:
-        keyTypeFieldName = EC_KEYTYPE_FIELD;
-        break;
     default:
         PR_ASSERT(PR_FALSE);
         keyTypeFieldName = NULL_KEYTYPE_FIELD;
@@ -463,19 +446,11 @@ JSS_PK11_getKeyType(JNIEnv *env, jobject keyTypeObj)
     jfieldID fieldID;
     char *fieldNames[] = {
         RSA_PRIVKEYTYPE_FIELD,
-        DSA_PRIVKEYTYPE_FIELD,
+        DSA_PRIVKEYTYPE_FIELD };
-        FORTEZZA_KEYTYPE_FIELD,
+    int numTypes = 2;
-        DH_KEYTYPE_FIELD,
-        KEA_KEYTYPE_FIELD,
-	EC_KEYTYPE_FIELD };
-    int numTypes = 6;
     KeyType keyTypes[] = {
         rsaKey,
-        dsaKey,
+        dsaKey };
-	fortezzaKey,
-	dhKey,
-	keaKey,
-	ecKey };
     jobject field;
     int i;
 

security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.java

@@ -78,12 +78,10 @@ public class PK11PrivKey extends org.mozilla.jss.pkcs11.PK11Key
 
         if( kt == KeyType.RSA ) {
             return PrivateKey.Type.RSA;
-        } else if (kt == KeyType.DSA) {
-            return PrivateKey.Type.DSA;
         } else {
-            Assert._assert(kt == KeyType.EC);
+            Assert._assert(kt == KeyType.DSA);
-            return PrivateKey.Type.EC;
+            return PrivateKey.Type.DSA;
-	}
+        }
     }
 
     public String getAlgorithm() {

security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c

@@ -37,7 +37,6 @@
 #include "_jni/org_mozilla_jss_pkcs11_PublicKeyProxy.h"
 #include "_jni/org_mozilla_jss_pkcs11_PK11RSAPublicKey.h"
 #include "_jni/org_mozilla_jss_pkcs11_PK11DSAPublicKey.h"
-#include "_jni/org_mozilla_jss_pkcs11_PK11ECPublicKey.h"
 
 #include <plarena.h>
 #include <secmodt.h>
@@ -107,9 +106,6 @@ JSS_PK11_wrapPubKey(JNIEnv *env, SECKEYPublicKey **pKey)
       case dsaKey:
         keyClassName = PK11_DSA_PUBKEY_CLASS_NAME;
         break;
-      case ecKey:
-        keyClassName = PK11_EC_PUBKEY_CLASS_NAME;
-        break;
       default:
         keyClassName = PK11PUBKEY_CLASS_NAME;
         break;
@@ -262,9 +258,6 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType
     case dsaKey:
         keyTypeFieldName = DSA_KEYTYPE_FIELD;
         break;
-    case ecKey:
-        keyTypeFieldName = EC_KEYTYPE_FIELD;
-        break;
     case fortezzaKey:
         keyTypeFieldName = FORTEZZA_KEYTYPE_FIELD;
         break;
@@ -312,9 +305,7 @@ typedef enum {
     DSA_G,
     DSA_PUBLIC,
     RSA_MODULUS,
-    RSA_PUBLIC_EXPONENT,
+    RSA_PUBLIC_EXPONENT
-    EC_CURVE,
-    EC_W
 } PublicKeyField;
 
 static jbyteArray
@@ -411,36 +402,6 @@ Java_org_mozilla_jss_pkcs11_PK11DSAPublicKey_getYByteArray
     return get_public_key_info(env, this, DSA_PUBLIC);
 }
 
-/**********************************************************************
- *
- * PK11ECPublicKey.getParamByteArray
- *
- * Returns the curve of this EC Public Key.  The format is a DER encoded
- * octet string in a byte array.
- *
- */
-JNIEXPORT jbyteArray JNICALL
-Java_org_mozilla_jss_pkcs11_PK11ECPublicKey_getCurveByteArray
-    (JNIEnv *env, jobject this)
-{
-    return get_public_key_info(env, this, EC_CURVE);
-}
-
-/**********************************************************************
- *
- * PK11ECPublicKey.getWByteArray
- *
- * Returns the public value (W) of this EC Public Key.  
- * The format is a 1 byte to indicate compression followed by points
- * Wx and Wy unsigned and connatonatted.
- *
- */
-JNIEXPORT jbyteArray JNICALL
-Java_org_mozilla_jss_pkcs11_PK11ECPublicKey_getWByteArray
-    (JNIEnv *env, jobject this)
-{
-    return get_public_key_info(env, this, EC_W);
-}
 /**********************************************************************
  * g e t _ p u b l i c _ k e y _ i n f o 
  *
@@ -488,14 +449,6 @@ get_public_key_info
         PR_ASSERT(pubk->keyType == rsaKey);
         item = &pubk->u.rsa.publicExponent;
         break;
-    case EC_CURVE:
-        PR_ASSERT(pubk->keyType == ecKey);
-        item = &pubk->u.ec.DEREncodedParams;
-        break;
-    case EC_W:
-        PR_ASSERT(pubk->keyType == ecKey);
-        item = &pubk->u.ec.publicValue;
-        break;
     default:
         PR_ASSERT(PR_FALSE);
         break;

security/jss/org/mozilla/jss/pkcs11/PK11PubKey.java

@@ -70,14 +70,14 @@ public class PK11PubKey extends org.mozilla.jss.pkcs11.PK11Key
      * @param rawKey The bytes of the raw key.
      * @exception InvalidKeyFormatException If the raw key could not be
      *      decoded.
-     * @deprecated This method works for RSA keys but not DSA or EC keys. Use
+     * @deprecated This method works for RSA keys but not DSA keys. Use
      *      fromSPKI() instead.
      * @see #fromSPKI(byte[])
      */
     public static PK11PubKey fromRaw(PrivateKey.Type type, byte[] rawKey)
         throws InvalidKeyFormatException
     {
-        if( type != PrivateKey.Type.RSA ) {
+        if( type == PrivateKey.Type.DSA ) {
             throw new InvalidKeyFormatException(
                 "fromRaw() is broken for DSA keys. Use fromSPKI() instead.");
         }

security/jss/org/mozilla/jss/pkcs11/PK11Token.c

@@ -62,14 +62,18 @@
 #define ERRX 1
 #define KEYTYPE_DSA_STRING "dsa"
 #define KEYTYPE_RSA_STRING "rsa"
-#define KEYTYPE_EC_STRING "ec"
+#define KEYTYPE_DSA 1
+#define KEYTYPE_RSA 2
 
 static CERTCertificateRequest* make_cert_request(JNIEnv *env, 
 			 const char *subject, SECKEYPublicKey *pubk);
-
+void GenerateCertRequest(JNIEnv *env, unsigned int ktype, const char *subject,
-void GenerateCertRequest(JNIEnv *env, SECOidTag ktype, const char *subject,
+			 int keysize, PK11SlotInfo *slot,
-			 PK11SlotInfo *slot,  unsigned char **b64request, 
+			 unsigned char **b64request, PQGParams *dsaParams);
-                         void *params);
+static SECStatus GenerateKeyPair(JNIEnv *env, unsigned int ktype,
+				 PK11SlotInfo *slot,
+			 SECKEYPublicKey **pubk,
+			 SECKEYPrivateKey **privk, int keysize, PQGParams *dsaParams);
 
 /* these values are taken from PK11KeyPairGenerator.java */
 #define DEFAULT_RSA_KEY_SIZE 2048
@@ -912,9 +916,7 @@ Java_org_mozilla_jss_pkcs11_PK11Token_doesAlgorithm
 	PR_ASSERT(slot != NULL);
 
     mech = JSS_getPK11MechFromAlg(env, alg);
-
+    PR_ASSERT( mech != CKM_INVALID_MECHANISM );
-    /* not an assertion, some algorithms don't have Mechanism yet */
-    /*PR_ASSERT( mech != CKM_INVALID_MECHANISM ); */
 
 	if( PK11_DoesMechanism(slot, mech) == PR_TRUE) {
 		doesMech = JNI_TRUE;
@@ -969,25 +971,21 @@ JNIEXPORT jstring JNICALL Java_org_mozilla_jss_pkcs11_PK11Token_generatePK10
     PQGParams *dsaParams=NULL;
     const char* c_keyType;
     jboolean k_isCopy;
-    SECOidTag signType = SEC_OID_UNKNOWN;
+    unsigned int ktype = 0;
-    PK11RSAGenParams rsaParams;
-    void *params = NULL;
 
     PR_ASSERT(env!=NULL && this!=NULL);
     /* get keytype */
     c_keyType = (*env)->GetStringUTFChars(env, keyType, &k_isCopy);
 
-    if (0 == PL_strcasecmp(c_keyType, KEYTYPE_RSA_STRING)) {
+    if (0 == PL_strcasecmp(c_keyType, KEYTYPE_DSA_STRING)) {
-      signType = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
+      ktype = KEYTYPE_DSA;
-      if( keysize == -1 ) {
+    } else if (0 == PL_strcasecmp(c_keyType, KEYTYPE_RSA_STRING)) {
-	rsaParams.keySizeInBits = DEFAULT_RSA_KEY_SIZE;
+      ktype = KEYTYPE_RSA;
-      } else {
+    } else {
-	rsaParams.keySizeInBits = keysize;
+      JSS_throw(env, INVALID_PARAMETER_EXCEPTION);
-      }
+    }
-      rsaParams.pe = DEFAULT_RSA_PUBLIC_EXPONENT;
+
-      params = (void *)&rsaParams;
+    if (ktype == KEYTYPE_DSA) {
-    } else if (0 == PL_strcasecmp(c_keyType, KEYTYPE_DSA_STRING)) {
-      signType = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
       if (P==NULL || Q==NULL || G ==NULL) {
 	/* shouldn't happen */
 	JSS_throw(env, INVALID_PARAMETER_EXCEPTION);
@@ -1001,23 +999,18 @@ JNIEXPORT jstring JNICALL Java_org_mozilla_jss_pkcs11_PK11Token_generatePK10
 	if( JSS_ByteArrayToOctetString(env, P, &p) ||
 	    JSS_ByteArrayToOctetString(env, Q, &q) ||
 	    JSS_ByteArrayToOctetString(env, G, &g) )
-	{
+	  {
-	  PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+	    PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-	  goto finish;
+	    goto finish;
-	}
+	  }
 	dsaParams = PK11_PQG_NewParams(&p, &q, &g);
 	if(dsaParams == NULL) {
 	  JSS_throw(env, OUT_OF_MEMORY_ERROR);
 	  goto finish;
 	}
+	
       }
-      params = (void *)dsaParams;
+    } /* end ktype == KEYTYPE_DSA */
-    } else if (0 == PL_strcasecmp(c_keyType, KEYTYPE_EC_STRING)) {
-      signType = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
-      /* get ec param */
-    } else {
-      JSS_throw(env, INVALID_PARAMETER_EXCEPTION);
-    }
 
     if( JSS_PK11_getTokenSlotPtr(env, this, &slot) != PR_SUCCESS) {
         PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
@@ -1034,8 +1027,11 @@ JNIEXPORT jstring JNICALL Java_org_mozilla_jss_pkcs11_PK11Token_generatePK10
     /* get subject */
     c_subject = (*env)->GetStringUTFChars(env, subject, &isCopy);
 
+    /* get keysize */
+
     /* call GenerateCertRequest() */
-    GenerateCertRequest(env, signType, c_subject, slot, &b64request, params);
+    GenerateCertRequest(env, ktype, c_subject, (int) keysize, slot, &b64request,
+			dsaParams);
 
 finish:
     if (isCopy == JNI_TRUE) {
@@ -1048,7 +1044,7 @@ finish:
       (*env)->ReleaseStringUTFChars(env, keyType, c_keyType);
     }
 
-    if (signType == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) {
+    if (ktype == KEYTYPE_DSA) {
       SECITEM_FreeItem(&p, PR_FALSE);
       SECITEM_FreeItem(&q, PR_FALSE);
       SECITEM_FreeItem(&g, PR_FALSE);
@@ -1069,10 +1065,10 @@ finish:
  */
 void
 GenerateCertRequest(JNIEnv *env, 
-		    SECOidTag signType, const char *subject,
+		    unsigned int ktype, const char *subject, int keysize,
 		    PK11SlotInfo *slot,
-		    unsigned char **b64request,
+		     unsigned char **b64request,
-		    void *params) {
+		    PQGParams *dsaParams) {
 
 	CERTCertificateRequest *req;
 
@@ -1082,28 +1078,14 @@ GenerateCertRequest(JNIEnv *env,
 	PRArenaPool *arena;
 	SECItem result_der, result;
 	SECItem *blob;
-	CK_MECHANISM_TYPE signMech;
-	CK_MECHANISM_TYPE keygenMech;
 
 #ifdef DEBUG      
-	printf("in GenerateCertRequest(), subject=%s, ",
+	printf("in GenerateCertRequest(), subject=%s, keysize = %d",
-	       subject);
+	       subject, keysize);
 #endif
 
-	/*
+	if( GenerateKeyPair(env, ktype, slot, &pubk, &privk, keysize,
-	 * Use the tables to reduce the code of adding new
+			    dsaParams) != SECSuccess) {
-	 * types of keys.
-	 */
-	signMech = PK11_AlgtagToMechanism(signType);
-	if (signMech == CKM_INVALID_MECHANISM) {
-#ifdef DEBUG      
-		printf("Error getting KEYGEN Mechanism.");
-#endif
-	}
-	keygenMech = PK11_GetKeyGen(signMech);
-
-	if( JSS_PK11_generateKeyPair(env, keygenMech, slot, &pubk, &privk, 
-		params, PR_FALSE, -1, -1) != SECSuccess) {
 #ifdef DEBUG      
 		printf("Error generating keypair.");
 #endif
@@ -1139,7 +1121,8 @@ GenerateCertRequest(JNIEnv *env,
 	}
 
 	rv = SEC_DerSignData(arena, &result, result_der.data, result_der.len,
-			     privk, signType);
+			     privk,
+                         (ktype==KEYTYPE_RSA)? SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST);
 	if (rv) {
 	  JSS_nativeThrowMsg(env, TOKEN_EXCEPTION,
 			     "signing of data failed");
@@ -1194,3 +1177,87 @@ make_cert_request(JNIEnv *env, const char *subject, SECKEYPublicKey *pubk)
 
 	return req;
 }
+
+
+/******************************************************************
+ *
+ * G e n e r a t e K e y P a i r
+ */
+static SECStatus
+GenerateKeyPair(JNIEnv *env, unsigned int ktype, PK11SlotInfo *slot, SECKEYPublicKey **pubk,
+	SECKEYPrivateKey **privk, int keysize, PQGParams *dsaParams)
+{
+
+  PK11RSAGenParams rsaParams;
+
+  if (ktype == KEYTYPE_RSA) {
+    if( keysize == -1 ) {
+      rsaParams.keySizeInBits = DEFAULT_RSA_KEY_SIZE;
+    } else {
+      rsaParams.keySizeInBits = keysize;
+    }
+    rsaParams.pe = DEFAULT_RSA_PUBLIC_EXPONENT;
+  }
+  if(PK11_Authenticate( slot, PR_FALSE /*loadCerts*/, NULL /*wincx*/)
+     != SECSuccess) {
+    JSS_nativeThrowMsg(env, TOKEN_EXCEPTION,
+		       "failure authenticating to key database");
+    return SECFailure;
+  }
+
+  if(PK11_NeedUserInit(slot)) {
+    JSS_nativeThrowMsg(env, TOKEN_EXCEPTION,
+		       "token not initialized with password");
+    return SECFailure;
+  }
+
+#ifdef DEBUG      
+  printf("key type == %d", ktype);
+#endif
+  if (ktype == KEYTYPE_RSA) {
+    *privk = PK11_GenerateKeyPair (slot,
+		   CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, 
+				   pubk, PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, NULL);
+  } else { /* dsa */
+    *privk = PK11_GenerateKeyPair (slot,
+		   CKM_DSA_KEY_PAIR_GEN, (void *)dsaParams, 
+		   pubk, PR_TRUE /*isPerm*/, PR_TRUE /*isSensitive*/, NULL);
+    }
+    if( *privk == NULL ) {
+      int errLength;
+      char *errBuf;
+      char *msgBuf;
+
+      errLength = PR_GetErrorTextLength();
+      if(errLength > 0) {
+	errBuf = PR_Malloc(errLength);
+	if(errBuf == NULL) {
+	  JSS_throw(env, OUT_OF_MEMORY_ERROR);
+	  return SECFailure;
+	}
+	PR_GetErrorText(errBuf);
+      }
+      msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
+			   errLength>0? errBuf : "");
+      if(errLength>0) {
+	PR_Free(errBuf);
+      }
+
+      JSS_throwMsg(env, TOKEN_EXCEPTION, msgBuf);
+      PR_Free(msgBuf);
+      return SECFailure;
+    }
+
+
+    if (*privk != NULL && *pubk != NULL) {
+#ifdef DEBUG      
+      printf("generated public/private key pair\n");
+#endif
+    } else {
+      JSS_nativeThrowMsg(env, TOKEN_EXCEPTION,
+			 "failure generating key pair");
+      return SECFailure;
+    }
+    
+    return SECSuccess;
+}

security/jss/org/mozilla/jss/pkcs11/PK11Token.java

@@ -48,7 +48,7 @@ import java.security.InvalidParameterException;
  * CryptoManager class.
  *
  * @author nicolson
- * @version $Revision: 1.8 $ $Date: 2006-02-10 22:06:12 $ 
+ * @version $Revision: 1.9 $ $Date: 2006-02-14 23:52:54 $ 
  * @see org.mozilla.jss.CryptoManager
  */
 public final class PK11Token implements CryptoToken {
@@ -449,9 +449,9 @@ public final class PK11Token implements CryptoToken {
 	 * @param subject subject dn of the certificate
 	 * @param keysize size of the key
 	 * @param keyType "rsa" or "dsa"
-	 * @param P The DSA prime parameter
+     * @param P The DSA prime parameter
-	 * @param Q The DSA sub-prime parameter
+     * @param Q The DSA sub-prime parameter
-	 * @param G The DSA base parameter
+     * @param G The DSA base parameter
 	 * @return String that represents a PKCS#10 b64 encoded blob with
 	 * begin/end brackets
 	 */

security/jss/org/mozilla/jss/pkcs11/pk11util.h

@@ -127,35 +127,7 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11SymKey **symKey);
 KeyType
 JSS_PK11_getKeyType(JNIEnv *env, jobject keyTypeObj);
 
-/***********************************************************************
+
- * JSS_PK11_generateKeyPair
- *
- * Create a new key pair based on the passed in mechanism and parameters
- *
- * INPUTS
- *      mechanism
- *          A PKCS#11 KeyPair Mechanism
- *      slot
- *          Slot to generate the keypair in.
- *      pubk
- *          returned public key
- *      privk
- *          returned private key key
- *      param
- *          PKCS #11 mechanism parameters
- *      temporary
- *          boolean to say if the key is temporary or permanent
- *      sensitive
- *          int to say if the key should be sensitive or not (-1 is default)
- *      extractable
- *          int to say if the key should be extractable or not (-1 is default)
- * RETURNS
- *  The SECStatus, SECSuccess of success, SECFailure on failure
- */
-SECStatus
-JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-    PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK,
-    void *params, PRBool temporary, jint senstive, jint extractable);
 
 /*=====================================================================
                        C E R T I F I C A T E S

security/jss/org/mozilla/jss/provider/java/security/JSSKeyPairGeneratorSpi.java

@@ -78,7 +78,7 @@ class JSSKeyPairGeneratorSpi
         kpg.initialize(keysize, random);
     }
         
-    public KeyPair generateKeyPair()  {
+    public KeyPair generateKeyPair() {
       try {
         return kpg.genKeyPair();
       } catch(TokenException e) { 
@@ -96,9 +96,4 @@ class JSSKeyPairGeneratorSpi
             super(KeyPairAlgorithm.DSA);
         }
     }
-    public static class EC extends JSSKeyPairGeneratorSpi {
-        public EC() {
-            super(KeyPairAlgorithm.EC);
-        }
-    }
 }

security/jss/org/mozilla/jss/provider/java/security/JSSSignatureSpi.java

@@ -204,26 +204,6 @@ class JSSSignatureSpi extends java.security.SignatureSpi {
             super(SignatureAlgorithm.DSASignatureWithSHA1Digest);
         }
     }
-    public static class SHA1EC extends JSSSignatureSpi {
-        public SHA1EC() {
-            super(SignatureAlgorithm.ECSignatureWithSHA1Digest);
-        }
-    }
-    public static class SHA256EC extends JSSSignatureSpi {
-        public SHA256EC() {
-            super(SignatureAlgorithm.ECSignatureWithSHA256Digest);
-        }
-    }
-    public static class SHA384EC extends JSSSignatureSpi {
-        public SHA384EC() {
-            super(SignatureAlgorithm.ECSignatureWithSHA384Digest);
-        }
-    }
-    public static class SHA512EC extends JSSSignatureSpi {
-        public SHA512EC() {
-            super(SignatureAlgorithm.ECSignatureWithSHA512Digest);
-        }
-    }
     public static class MD2RSA extends JSSSignatureSpi {
         public MD2RSA() {
             super(SignatureAlgorithm.RSASignatureWithMD2Digest);

security/jss/org/mozilla/jss/provider/java/security/KeyFactorySpi1_2.java

@@ -71,9 +71,10 @@ public class KeyFactorySpi1_2 extends java.security.KeyFactorySpi
             return PK11PubKey.fromRaw( PrivateKey.RSA, ASN1Util.encode(seq) );
         } else if( keySpec instanceof DSAPublicKeySpec ) {
             // We need to import both the public value and the PQG parameters.
-            // The only way to get all that information in DER is to send 
+            // The only way to get all that information to NSS is through
-            // a full SubjectPublicKeyInfo. So we encode all the information
+            // a SubjectPublicKeyInfo. So we encode all the information
-            // into an SPKI.
+            // into an SPKI and then throw that down to NSS.
+            // This operation is very computationally expensive and wasteful.
 
             DSAPublicKeySpec spec = (DSAPublicKeySpec) keySpec;
 
@@ -94,41 +95,6 @@ public class KeyFactorySpi1_2 extends java.security.KeyFactorySpi
                 algID, new BIT_STRING(encodedPublicValue, 0) );
 
             return PK11PubKey.fromSPKI( ASN1Util.encode(spki) );
-  	//
-	// requires JAVA 1.5
-	//
-        //} else if( keySpec instanceof ECPublicKeySpec ) {
-        //   // We need to import both the public value and the curve.
-        //   // The only way to get all that information in DER is to send 
-        //   // a full SubjectPublicKeyInfo. So we encode all the information
-        //   // into an SPKI.
-        //
-        //  ECPublicKeySpec spec = (ECPublicKeySpec) keySpec;
-	//    AlgorithmParameters algParams = getInstance("ECParameters");
-        //
-        //    algParameters.init(spec.getECParameters());
-        //    OBJECT_IDENTIFIER oid = null;
-        //    try {
-        //        oid = SignatureAlgorithm.ECSignature.toOID();
-        //    } catch(NoSuchAlgorithmException ex ) {
-        //        Assert.notReached("no such algorithm as DSA?");
-        //    }
-        //    AlgorithmIdentifier algID = 
-        //                  new AlgorithmIdentifier(oid, ecParams.getParams() );
-        //    INTEGER publicValueX = new INTEGER(spec.getW().getAffineX());
-        //    INTEGER publicValueY = new INTEGER(spec.getW().getAffineY());
-        //    byte[] encodedPublicValue;
-        //    encodedPublicValue[0] = EC_UNCOMPRESSED_POINT;
-        //    encodedPublicValue += spec.getW().getAffineX().toByteArray();
-        //    encodedPublicValue += spec.getW().getAffineY().toByteArray();
-        //
-        //    byte[] encodedPublicValue = ASN1Util.encode(publicValue);
-        //    SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo(
-        //        algID, new BIT_STRING(encodedPublicValue, 0) );
-        //
-        //   return PK11PubKey.fromSPKI( ASN1Util.encode(spki) );
-        //
-        // use the following for EC keys in 1.4.2
         } else if( keySpec instanceof X509EncodedKeySpec ) {
             //
             // SubjectPublicKeyInfo

security/jss/org/mozilla/jss/tests/JCASigTest.java

@@ -140,25 +140,6 @@ public class JCASigTest {
             sigTest("SHA-384/RSA", keyPair);
             sigTest("SHA-512/RSA", keyPair);
 
-            kpgen = KeyPairGenerator.getInstance("EC");
-            kpgen.initialize(256);
-            keyPair = kpgen.generateKeyPair();
-            provider = kpgen.getProvider();
-
-            System.out.println("The provider used to Generate the Keys was " 
-                                + provider.getName() );
-            System.out.println("provider info " + provider.getInfo() );
-            
-            if (provider.getName().equalsIgnoreCase("Mozilla-JSS") == false) {
-                System.out.println("Mozilla-JSS is supposed to be the " +
-                    "default provider for JCASigTest");
-                System.exit(1);
-            }
-            sigTest("SHA-1/EC", keyPair);
-            sigTest("SHA-256/EC", keyPair);
-            sigTest("SHA-384/EC", keyPair);
-            sigTest("SHA-512/EC", keyPair);
-
         } catch ( Exception e ) {
             e.printStackTrace();
 	    System.exit(1);

security/jss/org/mozilla/jss/tests/TestKeyGen.java

@@ -210,20 +210,6 @@ public class TestKeyGen {
             }
         }
 
-        // 256-bit EC
-        kpg = java.security.KeyPairGenerator.getInstance("EC", "Mozilla-JSS");
-        kpg.initialize(256);
-        keyPair = kpg.genKeyPair();
-        System.out.println("Generated 256-bit EC KeyPair!");
-
-        kpg.initialize(384);
-        keyPair = kpg.genKeyPair();
-        System.out.println("Generated 384-bit EC KeyPair!");
-
-        kpg.initialize(521);
-        keyPair = kpg.genKeyPair();
-        System.out.println("Generated 521-bit EC KeyPair!");
-
         System.out.println("TestKeyGen passed");
         System.exit(0);
       } catch (Exception e) {

security/jss/org/mozilla/jss/tests/all.pl

@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#
 # ***** BEGIN LICENSE BLOCK *****
 # Version: MPL 1.1/GPL 2.0/LGPL 2.1
 #
@@ -39,14 +39,12 @@ my $java;
 
 # dist <dist_dir>
 # release <java release dir> <nss release dir> <nspr release dir>
-# auto   (test the current build directory)
 
 sub usage {
     print "Usage:\n";
     print "$0 dist <dist_dir>\n";
     print "$0 release <jss release dir> <nss release dir> "
         . "<nspr release dir>\n";
-    print "$0 auto\n";
     exit(1);
 }
 
@@ -117,24 +115,6 @@ sub setup_vars {
         # take the last part (can be overriden if not <OS><VERSION>_<OPT|DBG>.OBJ
         $testdir = `basename $testdir`;
         chomp $testdir;
-    } elsif( $$argv[0] eq "auto" ) {
-        my $dist_dir = `make dist_dir`;
-        my $obj_dir = `make obj_dir`;
-        chomp($dist_dir);
-        chomp($obj_dir);
-        chomp( $dist_dir = `(cd $dist_dir ; pwd)`);
-        chomp( $obj_dir = `(cd $obj_dir ; pwd)`);
-
-        $nss_lib_dir   = "$obj_dir/lib";
-        $jss_rel_dir   = "$dist_dir/classes$dbg_suffix/org";
-        $jss_classpath = "$dist_dir/xpclass$jar_dbg_suffix.jar";
-
-        $ENV{CLASSPATH} .= "$dist_dir/xpclass$jar_dbg_suffix.jar";
-        ( -f $ENV{CLASSPATH} ) or die "$ENV{CLASSPATH} does not exist";
-        #$ENV{$ld_lib_path} = $ENV{$ld_lib_path} . $pathsep . "$obj_dir/lib";
-        $ENV{$ld_lib_path} = "$obj_dir/lib";
-        $testdir = `basename $obj_dir`;
-        chomp $testdir;
     } elsif( $$argv[0] eq "release" ) {
         shift @$argv;
 
@@ -396,11 +376,11 @@ $result and print "JSSE servers returned $result\n";
 #
 # Test JSS client communication
 #
-#print "============= Start JSS client tests\n";
+print "============= Start JSS client tests\n";
-#$result = system("$java org.mozilla.jss.tests.JSS_SSLClient $testdir $pwfile $portJSSEServer bypassOff");
+$result = system("$java org.mozilla.jss.tests.JSS_SSLClient $testdir $pwfile $portJSSEServer bypassOff");
-#$result >>=8;
+$result >>=8;
-#$result and print "JSS client returned $result\n";
+$result and print "JSS client returned $result\n";
-#print_case_result ($result,"JSSE server / JSS client");
+print_case_result ($result,"JSSE server / JSS client");
 
 $portJSSServer=$portJSSServer+1;
 
@@ -415,11 +395,11 @@ $result and print "JSS servers returned $result\n";
 #
 # Test JSSE client communication
 #
-#print "============= Start JSSE client tests\n";
+print "============= Start JSSE client tests\n";
-#$result = system("$java org.mozilla.jss.tests.JSSE_SSLClient $testdir $portJSSServer");
+$result = system("$java org.mozilla.jss.tests.JSSE_SSLClient $testdir $portJSSServer");
-#$result >>=8;
+$result >>=8;
-#$result and print "JSSE client returned $result\n";
+$result and print "JSSE client returned $result\n";
-#print_case_result ($result,"JSS server / JSSE client");
+print_case_result ($result,"JSS server / JSSE client");
 
 #
 # Test Enable FIPSMODE 

security/jss/org/mozilla/jss/util/java_ids.h

@@ -108,7 +108,6 @@ PR_BEGIN_EXTERN_C
 #define NULL_KEYTYPE_FIELD "NULL"
 #define RSA_KEYTYPE_FIELD "RSA"
 #define DSA_KEYTYPE_FIELD "DSA"
-#define EC_KEYTYPE_FIELD "EC"
 #define FORTEZZA_KEYTYPE_FIELD "FORTEZZA"
 #define DH_KEYTYPE_FIELD "DH"
 #define KEA_KEYTYPE_FIELD "KEA"
@@ -187,11 +186,6 @@ PR_BEGIN_EXTERN_C
  */
 #define PK11_DSA_PUBKEY_CLASS_NAME "org/mozilla/jss/pkcs11/PK11DSAPublicKey"
 
-/*
- * PK11ECPublicKey
- */
-#define PK11_EC_PUBKEY_CLASS_NAME "org/mozilla/jss/pkcs11/PK11ECPublicKey"
-
 /*
  * PK11Module
  */
@@ -260,7 +254,6 @@ PR_BEGIN_EXTERN_C
 #define PRIVKEYTYPE_SIG "Lorg/mozilla/jss/crypto/PrivateKey$Type;"
 #define RSA_PRIVKEYTYPE_FIELD "RSA"
 #define DSA_PRIVKEYTYPE_FIELD "DSA"
-#define EC_PRIVKEYTYPE_FIELD "EC"
 
 /*
  * PQGParams