I have created a set of patch to build xml-security-c with Mozilla-NSS. The patches are for configure.ac and lib/Makefile.am. (Atcullay, it is just a hack to make the build work. Somebody knowledgable in autoconf/automake can build a proper patch.) I use Mozilla NSS that is part for Firefox/XULRunner source code. So If you are using Mozilla-NSS stand alone distribution, you have to make appropriate changes.
Also, there is a bug in verifictaion of signtuare in NSSCryptoKeyRSA.cpp. The Signtaure logic is changed (a disgest of hashbuffer is added) in 1.3.1 but the verification logic did not change in 1.3.1 or any subsequent versions. So I made a patch for the verification logic. My question is : How do I submit the patch? Can I make tar.z file and post in this mailing list? -- Subrata > -----Original Message----- > From: Scott Cantor [mailto:canto...@osu.edu] > Sent: Tuesday, July 27, 2010 2:08 PM > To: security-dev@xml.apache.org > Subject: RE: Using NSS as crypto-provider for xml-security-c > > > Thanks for this quick (and very clear) answer. > > Sure. I wish the answer didn't suck, but that's as it may be. > > > Well NSS is used at least by RedHat and Suse and is recommended by > > latest LSB to standardize on as Linux reference crypto library. > > I was aware of the former, though not the latter. > > > Consequently interested parties may evolve soon(or not). > > (ref: http://fedoraproject.org/wiki/FedoraCryptoConsolidation ) > > Yes, I'm aware. I think that's an absolutely terrible idea, > and they're breaking software in the process, including my > own, which relies on libcurl, which does not have the same > feature set when used with NSS. > > So, given that NSS is not capable of meeting my needs, it's > moot for me. > > > Is it interesting that I take a look at how to patch the configure > > process to use NSS, or am I the only person on Earth > concerned by this support ? > > I doubt you're the only one, but as I said, I can think of > maybe one person in the last 5 years that has mentioned it. > > I can definitely promise that before I do a release of 1.6, I > will get it building with NSS and get the makefile fixed. But > I can't spend time on it right now, so if you want it working > again soon, patching it yourself and submitting the patch to > bugzilla would be the best course. > > I don't think it's a major patch, especially given that you > don't need the make dist to work, just get the build to work. > There should be a conditional in the configure script being > set for NSS, should just be a matter of copying that in. > > -- Scott > > >
