diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix	2011-08-15 15:39:56.633158000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c	2011-08-15 20:43:34.947749000 -0700
@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
  *      TokenException if an error occurs.
  */
 static PK11SymKey*
-constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
+constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
         int iterationCount)
 {
-    PBEBitGenContext* pbeCtxt=NULL;
-    SECItem *keyBits=NULL;
     PK11SymKey *key=NULL;
 
-    pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
-                    pwitem, salt, 160 /* SHA1 key length */, iterationCount);
-    if( pbeCtxt == NULL ) {
-        JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
+    unsigned char ivData[8];
+    SECItem mechItem;
+    CK_PBE_PARAMS pbe_params;
+
+    if( pwitem == NULL ) {
+        JSS_throwMsg(env, TOKEN_EXCEPTION,
+            "constructSHA1PAKey:"
+            " pwitem NULL");
         goto finish;
     }
-
-    keyBits = PBE_GenerateBits(pbeCtxt);
-    if( keyBits == NULL ) {
-        JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
-                "PBE context");
+    if( salt == NULL ) {
+        JSS_throwMsg(env, TOKEN_EXCEPTION,
+            "constructSHA1PAKey:"
+            " salt NULL");
         goto finish;
     }
 
-    key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
-                PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
+    pbe_params.pInitVector = ivData;
+    pbe_params.pPassword = pwitem->data;
+    pbe_params.ulPasswordLen = pwitem->len;
+    pbe_params.pSalt = salt->data;
+    pbe_params.ulSaltLen = salt->len;
+    pbe_params.ulIteration = iterationCount;
+    mechItem.data = (unsigned char *) &pbe_params;
+    mechItem.len = sizeof(pbe_params);
+
+    key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
+
     if( key == NULL ) {
-        JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
-            " PBA-generated bits");
+        JSS_throwMsg(env, TOKEN_EXCEPTION,
+            "PK11_RawPBEKeyGen:"
+            " failed to generate key");
         goto finish;
     }
 
 finish:
-    if( pbeCtxt ) {
-        PBE_DestroyContext(pbeCtxt);
-    }
-    /* keyBits == pbeCtxt, so we don't need to free it */
     return key;
 }
 
@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
 
         /* special case, construct key by hand. Bug #336587 */
 
-        skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
+        skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
         if( skey==NULL ) {
             /* exception was thrown */
             goto finish;