[xmlsec] xmlsec-nss patch

Aleksey Sanin aleksey at aleksey.com
Sun Jul 20 20:45:16 PDT 2003 

Tej,

It took less time than I expected to look at your changes :) Almost 
everything looks
great except few minor things listed bellow. I have checked in your 
patch into
the same XMLSEC_NSS_030714 with only one change (item 0) bellow).
However, there are a couple items (1) and 2)) that needs to be resolved
before we can put this code into the trunk.

BTW, I  can't run the xmlsec-nss tests because of certutiland I could 
not test xmlsec-nss
with valgrind :(

Aleksey



0) I have moved the NSS DB reset code from test*.sh scripts to the top level
Makefile.am. No need to repeat it again and again. This allowed me to 
remove
xmlsec-config option from the test*.sh scripts. Also I don't think that 
we want
to pass crypto_config to these scripts because nobody else should use it
anyway (it is also removed).
1) As I mentioned before, I don't have "cryptoutil" installed. Thus 
other users
might miss it too :) We need to find a way to avoid using this tool in 
the tests scripts.
Is it possible to initializa the nss db from xmlSecNssAppInit() instead 
(if config is not
NULL and NSS DB does not exist there, create it)?
2) xmlSecNssAppPkcs12Load(): why do you do these initializations in this 
function?
    PORT_SetUCS2_ASCIIConversionFunction(xmlSecNssAppAscii2UCS2Conv);
    SEC_PKCS12EnableCipher(...)
    SEC_PKCS12EnableCipher(...)
It seems to me that it's a wrong idea. These initializations are global. 
The function
can be called many times from multiple threads. IMO, these 
initialization calls
need to be done once in applicaiton init function (xmlSecNssAppInit?).
Please take a look at it.
3) keysstore.c: I wonder why do you need to have simple keys store in 
default nss
keys manager? Why you could not use only NSS keydb?
4) warnings about __CERT_NewTempCertificate function:
    src/nss/app.c:847: warning: implicit declaration of function 
`__CERT_NewTempCertificate'
    x509.c:1494: warning: implicit declaration of function 
`__CERT_NewTempCertificate'
Is it worth it to put a declaration somewhere in xmlsec-nss headers if 
it does not exist in NSS?

More information about the xmlsec mailing list