Short answer: the database token tries to support as little as possible to get its job done. Most of the operations should fall to the crypto token.
Long answer: the particular case you are talking about looks like a bug. The database token should support all the _PAD functions because they are needed to unwrap keys. I suspect the database token doesn't support DES_CBC_PAD because we have either never tested against a key wrapped in DES, or some other feature of the code masks this fact (keys getting unwrapped in the crypto token then imported into the database token).

bob

Jamie Nicolson wrote:
> The NSS software PKCS #11 provider has two tokens, a "crypto" token and
> a "database" token. Some algorithms that are supported by the crypto
> token are not supported by the database token. This is determined by the
> list of algorithms in
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c .
>
> For example, DES3_CBC_PAD is supported by the database token, but
> DES_CBC_PAD is not.
>
> Why are not all algorithms supported by the database token?
>
