<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Thank for a prompt reply Aleksey.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On 24 January 2014 17:55, Aleksey Sanin <span dir="ltr"><<a href="mailto:aleksey@aleksey.com" target="_blank">aleksey@aleksey.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Krzysztof,<br>
<br>
Let me try to answer your questions one-by-one<br>
<br>
* IO handlers<br>
<br>
To handle the context, you can use a trick with thread local storage:<br>
you can set your data in TLS before calling XMLSec, then use this<br>
data in the context, and cleanup after XMLSec is done.<br></blockquote><div><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Um, sounds like a thread-specific global variable. This answers my question that there's no way to pass any context to IO callbacks nor replace the IO transformation :)</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif">It's a bit nasty hack which may make it hard to justify transitioning to xmlsec but I'll probably give it a go anyway.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">
<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* additional certificate/key checks<br>
<br>
You can also look at implementing a custom keys store<br>
<br>
<a href="http://www.aleksey.com/xmlsec/api/xmlsec-keysmngr.html#XMLSECKEYSTOREKLASS" target="_blank">http://www.aleksey.com/xmlsec/api/xmlsec-keysmngr.html#XMLSECKEYSTOREKLASS</a><br>
<br>
The findKey method is the one you need.<br></blockquote><div><br></div><div class="gmail_default"><font face="arial, helvetica, sans-serif">Yes, I looked at it initially at the example [1]. But I couldn't see how it'd help me hook in with my additional `</font><span style="font-size:13px;font-family:arial,helvetica,sans-serif">X509_VERIFY_PARAM` settings. Now I can see that by making all plumbing through xmlsec key related structs (similarly to what happens in `</span><font color="#000000" face="arial, helvetica, sans-serif">src/openssl/x509vfy.c`) I can provide my own certificate verification procedure.</font></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
* registering transformation URIs<br>
<br>
Easy one :)<br>
<br>
<a href="http://www.aleksey.com/xmlsec/api/xmlsec-transforms.html#XMLSECTRANSFORMIDSREGISTER" target="_blank">http://www.aleksey.com/xmlsec/api/xmlsec-transforms.html#XMLSECTRANSFORMIDSREGISTER</a><br>
<br></blockquote><div><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Ah, right. Just find the standard transformation equivalent for my legacy URI, "copy" it, replace its `href` and re-register.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Cheers,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">
Kris</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">[1] <a href="http://www.aleksey.com/xmlsec/api/xmlsec-custom-keys-manager.html" target="_blank">http://www.aleksey.com/xmlsec/api/xmlsec-custom-keys-manager.html</a></div>
</div></div></div>