References

The component JSS grants access to the NSS security libraries through convenient Java code.

Debugging JSS using jdb done as follows:

Lets use a standalone java/JSS program called PKCS10ECC , written to demonstrate how to debug JSS.

[root@example test]# jdb -classpath /home/cfu/source/jss/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSSignatureSpi.class:/usr/share/rhpki/classes:/usr/share/java/rhpki/cstools.jar:/usr/share/java/rhpki/cmsutil.jar:/usr/share/java/rhpki/nsutil.jar:/usr/share/java/ldapjdk.jar:/usr/lib/java/dirsec/jss4.jar com.netscape.cmstools.PKCS10ECC -d . -n cfunn -r req.1009 -p netscape
Initializing jdb ...
> stop at netscape.security.pkcs.PKCS10:191
Deferring breakpoint netscape.security.pkcs.PKCS10:191.
It will be set after the class is loaded.
> use /home/cfu/dogtag_src/pki/util/src
> run
run com.netscape.cmstools.PKCS10ECC -d . -n cfunn -r req.1009 -p 1234
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
>
VM Started: cert/key prefix =
path = .
password = netscape
before BufferedReader
before calling getCMCBlob
in getCMCBlob
before b64 decode
after b64 decode
Set deferred breakpoint netscape.security.pkcs.PKCS10:191
Breakpoint hit: "thread=main", netscape.security.pkcs.PKCS10.(), line=191 bci=278
191         sig.initVerify (publicKey);
main[1] step
>
Step completed: "thread=main", org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(), line=99 bci=0
main[1] use /home/cfu/source/jss/mozilla/security/jss
main[1] list
95                throw new InvalidKeyException();
96            }
97            privk = (PrivateKey)privateKey;
98
99 =>         token = privk.getOwningToken();
100
101            return token.getSignatureContext(alg);
102        }
103
104        public void engineInitVerify(PublicKey publicKey)
main[1] n
Unrecognized command: 'n'.  Try help...
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(), line=101 bci=9
101            return token.getSignatureContext(alg);
main[1] step
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Token.getSignatureContext(), line=77 bci=0
77            Assert._assert(algorithm!=null);
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Token.getSignatureContext(), line=78 bci=12
78              return Tunnel.constructSignature( algorithm,
main[1] step
>
Step completed: "thread=main", com.ibm.oti.vm.BootstrapClassLoader.loadClass(), line=66 bci=0
main[1] next
>
Step completed: "thread=main", com.ibm.oti.vm.BootstrapClassLoader.loadClass(), line=67 bci=6
main[1] next
>
Step completed: "thread=main", com.ibm.oti.vm.BootstrapClassLoader.loadClass(), line=68 bci=12
main[1] next
>
Step completed: "thread=main", com.ibm.oti.vm.BootstrapClassLoader.loadClass(), line=70 bci=24
main[1] next
>
Step completed: "thread=main", com.ibm.oti.vm.BootstrapClassLoader.loadClass(), line=84 bci=103
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Token.getSignatureContext(), line=78 bci=16
78              return Tunnel.constructSignature( algorithm,
main[1] step
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Signature.(), line=51 bci=0
51      {
main[1] list
47    final class PK11Signature extends org.mozilla.jss.crypto.SignatureSpi {
48
49      public PK11Signature(PK11Token token, SignatureAlgorithm algorithm)
50              throws NoSuchAlgorithmException, TokenException
51 =>   {
52            Assert._assert(token!=null && algorithm!=null);
53
54            // Make sure this token supports this algorithm.  It's OK if
55            // it only supports the signing part; the hashing can be done
56            // on the internal module.
main[1] n
Unrecognized command: 'n'.  Try help...
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Signature.(), line=361 bci=4
361        protected boolean raw=false; // raw signing only, no hashing
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Signature.(), line=52 bci=9
52            Assert._assert(token!=null && algorithm!=null);
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Signature.(), line=57 bci=25
57              if( ! token.doesAlgorithm(algorithm)  &&
main[1] list
53
54            // Make sure this token supports this algorithm.  It's OK if
55            // it only supports the signing part; the hashing can be done
56            // on the internal module.
57 =>           if( ! token.doesAlgorithm(algorithm)  &&
58                ! token.doesAlgorithm(algorithm.getSigningAlg()) )
59            {
60                      throw new NoSuchAlgorithmException();
61              }
62
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.pkcs11.PK11Signature.(), line=60 bci=44
60                      throw new NoSuchAlgorithmException();
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(), line=124 bci=143
124                    X509EncodedKeySpec encodedKey =
main[1] next
>
Step completed: "thread=main", org.mozilla.jss.provider.java.security.JSSSignatureSpi.engineInitVerify(), line=125 bci=144
125                        new X509EncodedKeySpec(publicKey.getEncoded());
main[1] next
>
Step completed: "thread=main", netscape.security.pkcs.PKCS10.(), line=195 bci=314
main[1] next
>
Step completed: "thread=main", netscape.security.pkcs.PKCS10.(), line=196 bci=316
main[1] next
>
Step completed: "thread=main", com.netscape.cmstools.PKCS10ECC.getCMCBlob(), line=130 bci=119
main[1] quit

References#