On 2009-08-11 18:43 PDT, JamesH wrote:
> I have some confusion with regard to JSS due to the lack of proper
> documentation. Looks like JDK 6 can talk to NSS natively with this
> configuration:
> 
> http://java.sun.com/developer/technicalArticles/J2SE/security/#2
> 
> If that's the case, why do I need JSS?
> 
> Your comments are appreciated.

The answer, of course, depends entirely on what you're trying to
accomplish and why you want to bridge Java to NSS.

That's what JSS is: a bridge between Java and NSS.

JSS has numerous components that can bridge Java to NSS at several different
levels.

JSS offers an implementation of Java SSL sockets that uses NSS's SSL/TLS
implementation rather than Sun's JSSE implementation.  You might want to
use that if you want to use some of the capabilities found in NSS's SSL/TLS
library but not found in JSSE.

JSS offers a JCE provider that typically operates beneath JSSE, and
interfaces to NSS at a layer above the PKCS#11 API, the so-called
PKCS#11 wrapper layer.  That wrapper layer is able to combine the
capabilities of multiple PKCS#11 modules and slots.  If you have (say)
a hardware PKCS#11 module that does RSA crypto acceleration and also
have NSS's FIPS validated software module that does symmetric encryption,
you might use JSS's JCE provider to marry those together into a single
JCE provider, if I'm not mistaken.

Sun now has a JCE provider that is a direct bridge to PKCS#11, and
(as I understand it) appears to be a JCE provider with the capabilities of
any single PKCS#11 module, including NSS's FIPS-validated PKCS#11 module,
which is very complete and "all inclusive".  If you were just using JSS's
JCE provider as a bridge to NSS's FIPS validated PKCS#11 module, then
the JCE PKCS#11 provider may do all that you need, and you may indeed not
need JSS any longer.

I was under the impression that the PKCS#11 JCE provider was only part
of JDK 1.6, but I may be mistaken about that.  Also, there have been some
bugs in that provider that have been problematic for some users, e.g. with
AES 256.  I'm sure they'll get fixed eventually.  AFAIK, JSS just works.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
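
Added example, not part of the original message or of JSS/NSS: a small check that loads the JDK's PKCS#11 provider against NSS as a crypto-only token and round-trips AES at 128 and 256 bits through that provider alone, so a key-size problem shows up as a reported failure. It assumes JDK 9 or later and that the NSS libraries live in /usr/lib64 (an assumed path; pass your own as the first argument); the class name and config name are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class NssPkcs11Check {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Assumption: directory holding the NSS shared libraries.
        String nssLibDir = args.length > 0 ? args[0] : "/usr/lib64";

        // SunPKCS11 NSS configuration: crypto only, no key/certificate database.
        String config = String.join("\n",
            "name = NSScrypto",
            "nssLibraryDirectory = " + nssLibDir,
            "nssDbMode = noDb",
            "attributes = compatibility");
        Path cfg = Files.createTempFile("nss-pkcs11", ".cfg");
        Files.write(cfg, config.getBytes(StandardCharsets.UTF_8));

        // JDK 9+ API; JDK 6-8 used new sun.security.pkcs11.SunPKCS11(path) instead.
        Provider nss = Security.getProvider("SunPKCS11").configure(cfg.toString());
        Security.addProvider(nss);
        System.out.println("Loaded " + nss.getName() + ": " + nss.getInfo());

        byte[] plain = "constructed test message".getBytes(StandardCharsets.UTF_8);
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        for (int bits : new int[] {128, 256}) {
            try {
                // Request every primitive from the NSS-backed provider explicitly.
                KeyGenerator kg = KeyGenerator.getInstance("AES", nss);
                kg.init(bits);
                SecretKey key = kg.generateKey();
                Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding", nss);
                enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
                byte[] ct = enc.doFinal(plain);
                Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding", nss);
                dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
                boolean ok = Arrays.equals(plain, dec.doFinal(ct));
                System.out.println("AES-" + bits + ": " + (ok ? "OK" : "MISMATCH"));
            } catch (Exception e) {
                // A provider or policy limitation is reported, not hidden.
                System.out.println("AES-" + bits + ": FAILED (" + e + ")");
            }
        }
    }
}
```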
