I'm implementing JCA compliance for JSS, and I'm trying to figure out all the ways I need to export private keys. Why not just support exactly those ways that the JCA supports? Because we would have to change NSS in order to implement some of them. For example, exporting raw private keys is currently not supported by NSS.
I am planning to support two means of extraction: wrapping with a key, and exporting an EncryptedPrivateKeyInfo (which is an elaborate form of wrapping). Does anyone need something else? Anyone need to export a plain PrivateKeyInfo? Can anyone make a case for exporting raw private key data? Keep in mind that most PKCS #11 tokens don't allow raw key data export for security reasons, and that's not going to change. The NSS token only allows it if it was explicitly allowed when the key was created.
