Supported algorithms:
AES
DES
DESede (DES3)
PBAHmacSHA1
PBEWithMD5AndDES
PBEWithSHA1AndDES
PBEWithSHA1AndDESede (PBEWithSHA1AndDES3)
PBEWithSHA1And128RC4
RC4
generateSecret supports the following transformations:
KeySpec Class |
Key Algorithm |
|---|---|
PBEKeySpec org.m ozilla.jss.crypto.PBEKeyGenParams |
Using the appropriate PBE algorithm:
|
DESedeKeySpec |
DESede |
DESKeySpec |
DES |
SecretKeySpec |
|
getKeySpec supports the following transformations:
Key Algorithm |
KeySpec Class |
|---|---|
DESede |
DESedeKeySpec |
DES |
DESKeySpec |
|
SecretKeySpec |
Notes:
For increased security, some SecretKeys may not be extractable from their PKCS #11 token. In this case, the key should be wrapped (encrypted with another key), and then the encrypted key might be extractable from the token. This policy varies across PKCS #11 tokens.
translateKey tries two approaches to copying keys. First, it tries to copy the key material directly using NSS calls to PKCS #11. If that fails, it calls getEncoded() on the source key, and then tries to create a new key on the target token from the encoded bits. Both of these operations will fail if the source key is not extractable.
The class java.security.spec.PBEKeySpec in JDK versions earlier than 1.4 does not contain the salt and iteration fields, which are necessary for PBE key generation. These fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you cannot use class java.security.spec.PBEKeySpec. Instead, you can use org.mozilla.jss.crypto.PBEKeyGenParams. If you are using JDK (or JRE) 1.4 or later, you can use java.security.spec.PBEKeySpec or org.mozilla.jss.crypto.PBEKeyGenParams.