OK, I've filed http://bugzilla.mozilla.org/show_bug.cgi?id=138273.
Getting back to my original question, what's the rationale for having the database token support as little as possible? Is this a FIPS requirement? It is a hassle to unwrap a key on one token, then transfer it to the other token in order to decrypt something.

Robert Relyea wrote:

> Short answer: the database token tries to support as little as
> possible to get its job done. Most of the operations should fall to
> the crypto token.
>
> Long answer: the particular case you are talking about looks like a
> bug. The database token should support all the _PAD functions because
> they are needed to unwrap keys. I suspect the database token doesn't
> support DES_CBC_PAD because we have either never tested against a key
> wrapped in DES, or some other feature of the code masks this fact
> (keys getting unwrapped in the crypto token then imported into the
> database token).
>
> bob
>
> Jamie Nicolson wrote:
>
>> The NSS software PKCS #11 provider has two tokens, a "crypto" token
>> and a "database" token. Some algorithms that are supported by the
>> crypto token are not supported by the database token. This is
>> determined by the list of algorithms in
>> http://lxr.mozilla.org/mozilla/source/security/nss/lib/softoken/pkcs11.c
>> .
>>
>> For example, DES3_CBC_PAD is supported by the database token, but
>> DES_CBC_PAD is not.
>>
>> Why are not all algorithms supported by the database token?
