Aleksey Sanin wrote:
> Since NSS does not have an ability to load private keys from clear form,
> then probably the right approach for tests suite would be to just use keys
> from key db. Probably this means that xmlsec-nss should just ignore
> private keys from xml keys file. For example, there would be one more
> command line parameter for xmlsec utility:
> --crypto-config <path>
> with path to crypto config folder. For NSS that would be path to keys and
> certs db. You will prepare keys/certs db with same keys as keys and certs
> in tests/keys/* and in other subfolders test/*.
>
> I don't like this approach but it seems natural for NSS world. The only
> thing I would like to think of is how to generalize it to make it less
> NSS specific.
>
> Aleksey

It would be a good idea to always use PKCS8 format for private keys. This will then not be any crypto engine specific, and allows for encrypting the private key. Avoid private key components in xml.

To make this happen for xmlsec/openssl, some simple changes are needed:

1. In src/openssl/app.c, replace
       pKey = d2i_PrivateKey_bio(...)
   with
       pKey = d2i_PKCS8PrivateKey_bio(bio, NULL, pwdCallback, (void*)pwd);

2. Replace the current <pvtkey>.der & <pvtkey>.pem unencrypted private key files with <pvtkey>.der & <pvtkey>.pem that contain an encrypted private key. This can be done with the "openssl pkcs8" utility. Use some password "foo".

3. Edit the *.sh test scripts to add "--pwd foo" option wherever we have "--privkey....."

Do you want me to make these changes?

-Tej
_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
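Step 2 of the proposal above, as an added example that is not code from the thread or from xmlsec: a throwaway RSA key is wrapped as an encrypted PKCS#8 key with "openssl pkcs8" (password "foo" as in the message), and the result is checked to load only with that password. The file names, key size and the PBES2/AES-256-CBC choice are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): produce encrypted PKCS#8 test keys with
# "openssl pkcs8" and verify that the password is really required.
set -e

WORK=$(mktemp -d)
PASS=foo   # password proposed in the message for the test keys

have_openssl() {
    command -v openssl >/dev/null 2>&1
}

# Generate a throwaway 2048-bit RSA key in traditional (unencrypted) PEM form,
# standing in for the current unencrypted <pvtkey>.pem in tests/keys/.
gen_plain_key() {
    openssl genrsa -out "$WORK/plain.pem" 2048 2>/dev/null
}

# Wrap it as PKCS#8 encrypted with PBES2/AES-256-CBC, in both PEM and DER form,
# so the same password works for either file the test scripts pass to --privkey.
to_encrypted_pkcs8() {
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/plain.pem" \
        -out "$WORK/pvtkey.pem" -passout "pass:$PASS"
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/plain.pem" -outform DER \
        -out "$WORK/pvtkey.der" -passout "pass:$PASS"
}

# The PEM header shows at a glance whether the key is really encrypted:
# "PRIVATE KEY" means plain PKCS#8, "RSA PRIVATE KEY" the old PKCS#1 form.
pem_header() {
    head -n 1 "$WORK/pvtkey.pem" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Decrypt the DER file with the given password; exit status 0 only if it fits.
load_with_password() {
    openssl pkcs8 -in "$WORK/pvtkey.der" -inform DER -passin "pass:$1" \
        -out /dev/null >/dev/null 2>&1
}

if have_openssl; then
    gen_plain_key
    to_encrypted_pkcs8
    echo "PEM header: $(pem_header)"
fi
```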
