[xmlsec] nss Support in pyxmlsec
Hi Aleksey and Valery,

Apart from the xmlSecCryptoDLLoadLibrary call, how transparent is the xmlsec API when using nss versus openssl ? The API reference has a huge set of nss specific functions, must they be used when running the nss engine ?

If one wants to load keys from the mozilla/nss keys.db and certs.db must the xmlSecNssKeysStoreAdoptKey, xmlSecNssKeysStoreLoad, xmlSecNssKeysStoreSave be implemented in Valery's python bindings ? Can we get away with just xmlSecCryptoDLLoadLibrary and the rest is the same ? Or if only nss is compiled will pyxmlsec run without having implemented any nss-specific calls ?

Thanks for your help,
Ed

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] nss crypto and test suite
Yes I had discovered that, was just about to inform you. Everything working fine now. nss is much more picky about things than openssl ; )

Thanks again,
Ed

Aleksey Sanin wrote:
> You MUST use 'der' format for keys because nss does not understand 'pem'
>
> ./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 der
>
> Aleksey
>
> Edward Shallow wrote:
> > Aleksey Sanin wrote:
> > > Can you try to run testKeys.sh for nss first, please? It will create
> > > necessary keys in NSS keys storage.
> > >
> > > Aleksey
> >
> > Yes I do not get the init failure, all keys created in /tmp/xmlsec-crypto-config.
> > I am running following command line ...
> >
> > ./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 pem
> >
> > ... and received following
> >
> > --- testDSig started for xmlsec-nss library (20050918_182358) ---
> > LD_LIBRARY_PATH=/usr/local/src/xmlsec1-1.2.9/src/nss/.libs:/usr/local/src/xmlsec1-1.2.9/src/openssl/.libs:/usr/lib
> > Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
> > xmlsec1 verify --crypto nss --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
> > func=xmlSecNssAppKeysMngrCertLoadSECItem:file=app.c:line=1389:obj=unknown:subj=unknown:error=17:invalid format:format=2;last nss error=-5977 (0xE8A7)
> > func=xmlSecNssAppKeysMngrCertLoad:file=app.c:line=1278:obj=unknown:subj=xmlSecNssAppKeysMngrCertLoadSECItem:error=1:xmlsec library function failed: ;last nss error=-5977 (0xE8A7)
> > Error: failed to load trusted cert from "/usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem".
> > Error: keys manager creation failed
Re: [xmlsec] nss crypto and test suite
You MUST use 'der' format for keys because nss does not understand 'pem'

./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 der

Aleksey

Edward Shallow wrote:
> Aleksey Sanin wrote:
> > Can you try to run testKeys.sh for nss first, please? It will create
> > necessary keys in NSS keys storage.
> >
> > Aleksey
>
> Yes I do not get the init failure, all keys created in /tmp/xmlsec-crypto-config.
> I am running following command line ...
>
> ./testDSig.sh nss /usr/local/src/xmlsec1-1.2.9/tests xmlsec1 pem
>
> ... and received following
>
> --- testDSig started for xmlsec-nss library (20050918_182358) ---
> LD_LIBRARY_PATH=/usr/local/src/xmlsec1-1.2.9/src/nss/.libs:/usr/local/src/xmlsec1-1.2.9/src/openssl/.libs:/usr/lib
> Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
> xmlsec1 verify --crypto nss --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
> func=xmlSecNssAppKeysMngrCertLoadSECItem:file=app.c:line=1389:obj=unknown:subj=unknown:error=17:invalid format:format=2;last nss error=-5977 (0xE8A7)
> func=xmlSecNssAppKeysMngrCertLoad:file=app.c:line=1278:obj=unknown:subj=xmlSecNssAppKeysMngrCertLoadSECItem:error=1:xmlsec library function failed: ;last nss error=-5977 (0xE8A7)
> Error: failed to load trusted cert from "/usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem".
> Error: keys manager creation failed
Re: [xmlsec] nss crypto and test suite
Can you try to run testKeys.sh for nss first, please? It will create necessary keys in NSS keys storage.

Aleksey
Re: [xmlsec] nss crypto and test suite
PostScript ... Actually they don't affect /usr/lib so I doubt that would cause it. Any other ideas ?

On Sun, 2005-09-18 at 15:13 -0400, Edward Shallow wrote:
> Would an installation of Firefox or Thunderbird after xmlsec compilation
> screw things up perhaps ?
>
> Ed
>
> On Sun, 2005-09-18 at 11:20 -0700, Aleksey Sanin wrote:
> > Did you recompile xmlsec on the same box? I've seen a similar
> > error when NSS/NSPR versions on the box did not match ones
> > used during xmlsec compilation.
> >
> > Aleksey
Re: [xmlsec] nss crypto and test suite
Would an installation of Firefox or Thunderbird after xmlsec compilation screw things up perhaps ?

Ed

On Sun, 2005-09-18 at 11:20 -0700, Aleksey Sanin wrote:
> Did you recompile xmlsec on the same box? I've seen a similar
> error when NSS/NSPR versions on the box did not match ones
> used during xmlsec compilation.
>
> Aleksey
Re: [xmlsec] nss crypto and test suite
Did you recompile xmlsec on the same box? I've seen a similar error when NSS/NSPR versions on the box did not match ones used during xmlsec compilation.

Aleksey
[xmlsec] nss crypto and test suite
Hi Aleksey,

Trying out nss crypto after much success with openssl. nss tests from the install worked fine, yet when I try to run testDSig.sh it works for openssl but not for nss.

Here is nss run ...

--- testDSig started for xmlsec-nss library (20050918_134319) ---
LD_LIBRARY_PATH=
Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
xmlsec1 verify --crypto nss --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
func=xmlSecNssAppInit:file=app.c:line=76:obj=unknown:subj=NSS_InitReadWrite:error=4:crypto library function failed:config=/tmp/xmlsec-crypto-config
func=xmlSecAppCryptoInit:file=crypto.c:line=26:obj=unknown:subj=xmlSecCryptoAppInit:error=1:xmlsec library function failed:
Error: xmlsec crypto intialization failed.
Error: initialization faile

Here is openssl run ...

--- testDSig started for xmlsec-openssl library (20050918_134200) ---
LD_LIBRARY_PATH=
Test: /aleksey-xmldsig-01/enveloping-dsa-x509chain
xmlsec1 verify --crypto openssl --crypto-config /tmp/xmlsec-crypto-config --trusted-pem /usr/local/src/xmlsec1-1.2.9/tests/keys/cacert.pem --enabled-key-data x509 /usr/local/src/xmlsec1-1.2.9/tests/aleksey-xmldsig-01/enveloping-dsa-x509chain.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

Thought it was unset LD_LIBRARY_PATH, but it works fine that way for openssl.

Thanks,
Ed