[xmlsec] another nss patch

Tejkumar Arora tejbiz at aol.com
Tue Jul 22 20:05:33 PDT 2003


Hi Aleksey,

This patch has the following changes:

1. does not need certutil (sample db files are in tests/nssdb directory)
2. pkcs12 init is moved to the appropriate init function
3. add implementation of key wrap transforms (aes, des)

There are some failures in the test harness run. Some are due to lack of
support in NSS yet (ripemd160, rsa-oaep...) or due to NSS bugs
(finding cert by issuer&sn, or by ski...); some are bugs I have to
investigate; some are probably due to incorrect crls or expired certs.

Specifically:
1. --------- Negative Testing: next test MUST FAIL ----------
merlin-xmldsig-twenty-three/signature-x509-crt-crl
    Verify existing signature                               OK

/u/tej/xmlsec.linux/work/xmlsec/./apps/xmlsec1 verify --crypto-config ./tests --X509-skip-strict-checks --trusted-der ./tests/merlin-xmldsig-twenty-three/certs/ca.der ./tests/merlin-xmldsig-twenty-three/signature-x509-crt-crl.xml

This succeeded because the CRL in signature-x509-crt-crl.xml does not
revoke ca.der - it revokes something else (different serial #)

2. merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5
    Decrypt existing document                             Error

/u/tej/xmlsec.linux/work/xmlsec/apps/xmlsec1 decrypt --crypto-config ./tests --pkcs12 ./tests/merlin-xmlenc-five/rsapriv.p12 --pwd secret ./tests/merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5.xml
func=xmlSecNssX509StoreVerify:file=x509vfy.c:line=228:obj=x509-store:subj=unknown:error=76:certificate has expirred:cert with subject name CN=Merlin Hughes, OU=X/Secure, O=Baltimore Technologies Ltd., ST=Dublin, C=IE has expired

The cert for Merlin Hughes is in the encrypt-element-aes128-cbc-rsa-1_5.xml file.


I'll be walking down the remaining error list to resolve the problems
one by one....

thanks,

-Tej





-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsschanges.tar.gz
Type: application/x-gzip
Size: 9605 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20030722/2ee94dc8/nsschanges.tar.bin

