Thanks a lot for the work you are doing! I did a quick look other your
patch and it looks pretty good and I'll try to review it other weekend.
However, I've already spotted one big problem: the new files you've
wrote still have my copyright string :) Probably it's a good idea to
change it :) Also this is a large patch and I have to ask you the usual
question: are you and your company OK with releasing this code
under MIT license as part of XMLSec library? I would appreciate
if you can send a patch to AUTHORS and/or Copyright files (if needed).
I also would like to post to the list the issues and questions for your patch
you've sent to me this morning. Also please find my comments interlaced
with your text.
Aleksey
Tejkumar Arora wrote:
There are some hurdles to cross before I can submitFine with me. I think it's a right approach to use NSS keysdb
some more work:
1) ability to import private key in p8 file. I've had very
lengthy discussions on this with the NSS team. I'm currently
trying a workaround. If the workaround fails, the backup
plan is to use a pre-populated NSS db, and make changes to
the test scripts for NSS. For appls that import CRLs,
it looks like I might be forced to use a NSS db anyway
(i.e. NSS_NoDB_Init isn't working).
for default NSS keys manager (see also 5c) from your list :) ).
Thought I think that an ability to import PKCS#8 file would be nice.
2) NSS needs to expose a function to convert an arbitrarily longSure, this is a right thing to do :)
decimal string to a DER integer (for finding certs by Issuer &
cert serial number)
3) RSAOAEP support needs to be implemented in NSS
4) Finding a cert by subject key id needs to be fixed in NSS
5) I need to finish up
a) pkcs12 file loading - I'll need help from NSS team on this.
This isn't used by test harness now but need to do it.
b) custom key store for NSS crypto lib (which will allow finding
keys/certs loaded from files, or pre-existing in NSS db
c) sort out the issue of multiple token passwords, besides
key file passwords
d) finish up (except for rsa-oaep) key transport support (equivalent of kt* kw* in src/openssl).
Aleksey, For your particular attention:
1) I made some gratuitous changes (e.g. remove "Evp" from NSS function
names)
Also a very good idea :)
2) added error code to several error messages
Ha! I spent some time thinking why it does not work :)
3) you had a comment about not being able to make PK11_GetBestSlot work.
Turns out that RIPEMD160-HMAC is not supported in NSS - there
are symbols in the headers, but no code... that's when
PK11_GetBestSlot returned NULL
4) The CRL you have in the example file (signature-x509-crt-crl.xml)It's more difficult than it sounds. I got this file from Merlin and I don't have
is signed by a CA cert, whose x509v3 extensions indicate that the
cert is not to be used for CRL signing. NSS does strict checking,
and importing the CRL failed. I had to get around it by passing a
flag to bypass strict checks. It is probably a good idea to
change your test harness to use a proper cert.
private key or the signer cert/private key. Thus I doubt I can do something abou this.
Can you do following:
- add XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS to keyinfo.h
- add a command line option to the xmlsec command line tool to set this flag
in the xmlSecKeyInfoCtx for reading
_______________________________________________ xmlsec mailing list [EMAIL PROTECTED] http://www.aleksey.com/mailman/listinfo/xmlsec
