Comment 23 for bug 392104

In , Jon-vanalten (jon-vanalten) wrote :

oic. After looking some at sun/security/tools/KeyTool.java and sun/security/pkcs11/SunPKCS11.java, I agree that changes to KeyTool would not be the best approach here. There are a number of provider types in the JDK; they are not given any special treatment by KeyTool. Similarly, not all providers are known in java.security.

A couple of questions come to mind about the possibility of generating an NSS config file (depending on detection of the nss library). First: how would we know whether the local library is built with ECC support? It is not afaik a default build option; Fedora may not be the only distro not building with that option. Second: folks wishing to use this provider would need to know the location of the config file to pass as an arg when specifying this provider to keytool. Either that or we need to patch SunPKCS11.java so that the default constructor looks to some location for the config file rather than failing. Do other providers require config files, and is there already some location where such files are put by default?