==============
JSS

* PK11KeyWrapper.java
- The original unwrapSymmetric() assumes temporary true, and you want to have a function that treats it as false. You made a copy of the original and named it unwrapSymmetricPerm() and set the temporary to false.
- I think it'd be better if you just add a "temporary" param to the original function, and add the function with original signature to call into the one with temporary true; then you call into the new signature with temporary false (instead of adding this extra unwrapSymmetricPerm())
=========================================
I did this for a couple of reasons:
1. There is already a call called importCertToPerm, so this led me to do this out of convention.
2. I felt doing it this way resulted in the smallest impact. I had to make one minor change to a lower level call in the JNI to do this. I wanted to make the minimal impact on existing code.
If you really think we need this, I suggest a future ticket, since I would have to change my current code in TKS now.
=========================================

* Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector
This function gets a list of sym keys from a token and puts them into a vector. It seems more appropriate to be called getSymKeysInVector() ("put" made me think initially that you are putting keys into the token)
=======================================
I did this because the current JSS has something called putKeysInVector and putCertsInVector. I wanted to preserve the current convention.
=======================================

* PK11SymKey.c: JSS_PK11_wrapSymKey
- Are we sure that all sym keys have nicknames? Should we maintain the original "no nickname" code path by checking if nickname is null and call original calls?
===========================
This should be fine, because in the no nickname case, we just push null for the nickname, which then acts just like the constructor with no nickname.
============================

* in Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative

    /* name the key */
    status = PK11_SetSymKeyNickname( key, keyname );
    if( status != SECSuccess ) {
        JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to name symmetric key");

- is there not an error code that you can get and throw back to make it more useful? I noticed this applies to many other areas as well. it's a good idea to get errorcode to throw back
==================================
JSS_throwMsgPrErr is a define that actually calls PR_GetError and calls another function that takes this error. So this should be ok. I did make the check for a null nickname in C as well.
========================================================================

* setNickName
- you might want to check if nickname is null before passing it down to C
=====================
Done
======================

* might want to check if new JSS files created should bear the same Netscape etc. license
===================================
Should be fine, fix later if need be.
====================================

* PK11SymmetricKeyDeriver.c :

    bestSlot = PK11_GetBestSlot(deriveMechanism, NULL);

should test it out on hsm (already communicated to jack... item here to track)
- suggest if issues found, revert to old code (or code similar to old code) and create a separate ticket to tackle
- new code should test to work on both nethsm and lunasa
================================================
Done already, more code written to make sure the proper slot is used before giving up.
================================================

* the test SymKeyDeriving seems to fail at NSS init (Jack found the hard coded lib): tracking here
=================================================
Fixed already, will be in next patch
=================================================