[xmlsec] pkcs12

Tejkumar Arora tej at netscape.com
Thu Jul 10 18:36:16 PDT 2003


Since NSS doesn't let me import private keys from the existing p8
and der files in xmlsec, I have written code for 2 other mechanisms
to get private keys into NSS:

1. PKCS12 file
2. custom keys store: keys can be pre-loaded into NSS db

I'll talk about (1) now.

xmlsec test harness does not use pkcs12 at all. I made some changes
to use pkcs12 files. I'll send the changes later with more description.
BTW, openssl "make check" results are identical before and after these
changes. NSS test results are better with the changes :).

The changes in a nutshell:

1. I converted the existing der/p8 formatted private keys
into a pkcs12 file containing (pvt key + a generated self-signed cert
containing the corresponding pub key).

2. I modified the xmlsec command to allow this:
      --pkcs12[:name] <p12file>[,<cafile>[,<cafile>...]]
     (this is mainly to support the existing test harness as seamlessly
      as possible.... Ideally the p12 file can contain all the certs
      needed.... long story... I'll talk to you when I'm in mtn view
      next week...)

3. I modified tests/*.sh scripts to now understand pkcs12 option.
     Also modified Makefile to use pkcs12 by default.

4. I also added --crypto-config option to the tests/*.sh scripts.
     This is needed for NSS - should be harmless for Openssl which
     ignores it.

What I'm looking for is a way to do some nss-specific stuff
as part of the test harness, i.e. create NSS db at beginning
of the test, and remove it at the end of the test...
#if's in the Makefile would be best. The test scripts can be
invoked with some parameter indicating which crypto engine....
What do you recommend?


thanks,

-Tej
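
The key conversion from item 1 and the create-then-remove NSS db cycle asked about above, as an added example that is not part of the original message or of the xmlsec test suite. It assumes the `openssl` CLI and uses NSS's `certutil`/`pk12util` only when they are installed; the key, password, friendly name and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: throwaway key and password constructed here, not xmlsec's test keys.
set -eu
P12_PASS="constructed-test-pass"    # placeholder password for this demo only

# Wrap an unencrypted DER PKCS#8 private key plus a freshly generated
# self-signed certificate for the same key pair into one PKCS#12 file.
key_to_p12() {  # usage: key_to_p12 <key.p8.der> <out.p12> <friendly-name>
    kpem="$2.key.pem"; cpem="$2.cert.pem"
    openssl pkcs8 -inform DER -nocrypt -in "$1" -out "$kpem"
    openssl req -new -x509 -key "$kpem" -subj "/CN=$3" -days 30 -out "$cpem"
    openssl pkcs12 -export -inkey "$kpem" -in "$cpem" -name "$3" \
        -passout "pass:$P12_PASS" -out "$2"
    rm -f "$kpem" "$cpem"           # leave no plaintext PEM copies behind
}

# SHA-256 of the public key derived from the private key stored in a .p12.
p12_pubkey_hash() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes -nocerts 2>/dev/null |
        openssl pkey -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key carried by the certificate stored in a .p12.
p12_cert_pubkey_hash() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null |
        openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Create a scratch NSS db and import the .p12 into it.
# Returns 0 without doing anything when the NSS tools are not installed.
nss_import() {  # usage: nss_import <dbdir> <file.p12>
    command -v certutil >/dev/null && command -v pk12util >/dev/null || return 0
    mkdir -p "$1"
    certutil -N -d "sql:$1" --empty-password
    pk12util -i "$2" -d "sql:$1" -W "$P12_PASS" -K "" </dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT          # teardown: scratch db and keys go away per run
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
    openssl pkcs8 -topk8 -nocrypt -outform DER -out "$WORK/key.p8.der"
key_to_p12 "$WORK/key.p8.der" "$WORK/key.p12" "xmlsec-test-key"
nss_import "$WORK/nssdb" "$WORK/key.p12"
```

Comparing the two hashes confirms the generated certificate really carries the public half of the imported private key, which is what lets NSS pair them on import.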