[xmlsec] Re: using IC card token with xmlsec

Aleksey Sanin aleksey at aleksey.com
Wed Apr 30 19:52:36 PDT 2003


Hi, Naoto!

I am really pleased to hear about your decision :) For a moment, it
makes me feel that I am doing something useful :) From your message I
assume that you decided to go with the 1.x.x version and this is
absolutely the right decision. Since I don't have many details about
your project I could not tell you exactly what is the best option for
you (NSS or MS CAPI or something else). However, I would not expect
that you'll need to change much of the core xmlsec source code. You
probably might have already read in the documentation that xmlsec 1.x.x
has a modular structure where cryptographic library specific code was
separated from the core "xmlsec" library to the "xmlsec-<crypto>"
libraries ("xmlsec-openssl", "xmlsec-nss", "xmlsec-gnutls",...).
As you can see, if you need to change the core "xmlsec" library in
order to implement support for a new crypto library (say, MS CAPI),
that would be a major break in the library design. I am not saying that
it's not possible but right now I hope that it's not the case.
On the other hand, if you decide to use NSS, for example, you might
need to modify the xmlsec-nss library because the current code
implements only a small part of the required functionality (compared
with xmlsec-openssl, for example). This is expected and should not
cause any problem. Also I accept contributions: if you implement new
functionality or support for a new library and decide to share it with
others I would be glad to put your work in the main xmlsec source code
tree. The advantage for you is that you'll be able to easily get any
improvements or bug fixes that might be done by myself or other people
who'll use your code. The situation with MS CAPI support is even worse
(as far as I know, Olger Warnier is trying to code something but it's
the earlier stage of the project and there are no deadlines, etc.;
check the mailing list for details).

As usual, I would be happy to answer your questions on the xmlsec mailing list.


With best regards,
Aleksey



Naoto Kamouchi wrote:

>Dear Aleksey Sanin
>
>I am currently involved in a project to build a crypto engine with xml
>signature capability. 
>
>In this, we would have to support IC card token, which is used for
>private key operation as well as for storing certificates. 
>
>We have chosen xmlsec for the xml signature processing, and I would like
>to seek your advice on how the recommended implementation should look
>like. 
>
>I suspect that choosing NSS as crypto would give us the ability to
>access Cryptoki (pkcs#11) directly from the xmlsec api interface, but so
>far haven't been able to confirm this.
>
>However, the most likely token interface we will have to settle down is
>MS CAPI (cryptoapi) and for this, we are afraid that we will have to
>risk altering the core source code of the xmlsec. 
>
>I would like to thank you in advance for whatever little comment you
>will be able to provide us with.
>
>Yours sincerely, 
>Naoto 
>
>Naoto Kamouchi PhD
>CIJ (Computer Institute of Japan)
>tel: 090-9967-9122
>




