[Pki-devel] Newbie Getting Started with JSS
Alexander Scheel
ascheel at redhat.com
Mon Sep 16 12:30:24 UTC 2019
Hello Magnus,
Replies inline.
----- Original Message -----
> From: "Magnus K Karlsson" <magnus.r.karlsson at gmail.com>
> To: pki-devel at redhat.com
> Sent: Saturday, September 14, 2019 4:15:49 AM
> Subject: [Pki-devel] Newbie Getting Started with JSS
>
> Hi,
>
> I'm new to JSS and have a getting started question. I'm trying to run the
> KeyStoreTest
Cool, good luck! As an aside, we've started hosting Javadocs on
GitHub pages for a little better searching/usage. Though, they aren't
yet automatically rebuilt.
https://dogtagpki.github.io/jss/
> https://github.com/dogtagpki/jss/blob/master/org/mozilla/jss/tests/KeyStoreTest.java
Ah, the first problem... :-) That test isn't actually being run, and
thus is likely broken. Here's a list of all tests we're currently running:
https://github.com/dogtagpki/jss/blob/master/cmake/JSSTests.cmake
(ctrl+f "jss_test_java")
~snip~
> Exception in thread "main" java.security.KeyStoreException: Mozilla-JSS not
> found
> at java.security.KeyStore.getInstance(KeyStore.java:851)
> at se.magnuskkarlsson.example.nssdb.NSSJSSTool.main(NSSJSSTool.java:43)
> Caused by: java.security.NoSuchAlgorithmException: Mozilla-JSS KeyStore not
> available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at java.security.Security.getImpl(Security.java:730)
> at java.security.KeyStore.getInstance(KeyStore.java:848)
> ... 1 more
~snip~
> KeyStore ks = KeyStore.getInstance("Mozilla-JSS");
So the problem is that this is always going to fail. The Java interfaces
which utilize providers always take one of the two forms:
    Class.getInstance(type_of_class);
    Class.getInstance(type_of_class, provider_of_class);
(type_of_class is always a String; the latter can either be a String name
or an instance of the Provider class).
E.g., if you're doing, say, an HMAC and don't care which provider:
    Mac.getInstance("HmacSHA1");
Otherwise, if you explicitly want it from JSS:
    Mac.getInstance("HmacSHA1", "Mozilla-JSS");
Outside of the provider calling and explicitly setting a default,
there is no, well, "global" default instance to get. And, to get the default
instance, you have to call getDefaultType(), not getInstance(...).
For some things this makes sense (e.g., KeyStore you usually care less
about than an HMAC where you usually have a very specific algorithm
in mind).
See: https://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html
So, same thing applies here with the KeyStore. JSS's provider
defines one type of KeyStore instance, PKCS11:
https://github.com/dogtagpki/jss/blob/master/org/mozilla/jss/JSSProvider.java#L145-L149
To get it, you'd call it like so:
    KeyStore ks = KeyStore.getInstance("PKCS11", "Mozilla-JSS");
Hope that helps,
Alex