[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )
aleksey at aleksey.com
Wed Jul 23 01:20:27 PDT 2003
As far as I can understand Andrew's concerns, he wants to make sure
that particular crypto operation is performed on particular crypto device.
Since nobody (except NSS developers :) ) knows how PK11_GetBestSlot()
function selects the crypto device (slot) his point is perfectly valid:
Suppose we have slots A and B that both perform RSA encryption.
How to ensure that we always do it on slot A and not on slot B?
Again, IMHO this should be done on NSS level. I.e. there should be
an NSS function that would say: if slot A supports RSA encryption then
always do it on slot A. However, it does not look like NSS guys want or can
do it in NSS level (correct me if I am wrong and there is such a function
already :) ). Thus Andrew wants to have this in xmlsec-nss and personaly
I don't have any objections.
How about this: xmlsec-nss would have following functions:
int xmlSecNssBestSlotInit(void) :
Initializes whatever is needed.
void xmlSecNssBestSlotShutdown(void) :
Shuts down whatever is needed.
int xmlSecNssBestSlotAdopt(CK_MECHANISM_TYPE alg, PK11SlotInfo* slot) :
Sets "slot" to be used for "alg" (global inside xmlsec).
PK11SlotInfo* xmlSecNssBestSlotGet(CK_MECHANISM_TYPE* alg):
Returns the slot for "alg" by first looking thru the list of
set with xmlSecNssBestSlotSet() function and if matching slot
is not found then it simply calls NSS PK11_GetBestSlot() function
and hopes for the best.
Finally we replace PK11_GetBestSlot() with xmlSecNssBestSlotGet()
By default if user does nothing (i.e. user does not call
function) we have xmlSecNssBestSlotGet() function that simply calls
function with a little overhead to check that something is NULL (or not
Andrew's patch does more or less the same thing but it operates with
which seems less intuitive to me (I might be wrong). As I wrote,
(API docs) would help. Any approach is good for me. In the outlined
I would use subclass of xmlSecList to store the slots and algorithms.
problem I have is that xmlSecNssBestSlotGet() would need to "duplicate"
slot because code always frees returned slot with PK11_FreeSlot(). I am
sure it is possible, \
I just dn't know how to do this. PK11SlotList might do it as well, I
just don't know enough
To Andrew: I missed this when I looked at your patch first time but you
have to rename
you functions from xmlSec* to xmlSecNss* (the functions are NSS
specific). Also having
an init function (even if it does nothing) is a good idea: you may
visually check your
xmlSecNssInit/xmlSecNssShutdown functions to make sure all inits and
are done in correct order. Also probably it's worth it to have a
fallback to PK11_GetBestSlot()
in the xmlSecNssGetSlot() function even if there is PK11SlotList
has other ways to control which algorithms are allowed.
More information about the xmlsec