[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )

Aleksey Sanin aleksey at aleksey.com
Wed Jul 23 01:20:27 PDT 2003

As far as I can understand Andrew's concerns, he wants to make sure
that particular crypto operation is performed on particular crypto device.
Since nobody (except NSS developers :) ) knows how PK11_GetBestSlot()
function selects the crypto device (slot) his point is perfectly valid:

    Suppose we have slots A and B that both perform RSA encryption.
    How to ensure that we always do it on slot A and not on slot B?

Again, IMHO this should be done on NSS level. I.e. there should be
an NSS function that would say: if slot A supports RSA encryption then
always do it on slot A. However, it does not look like NSS guys want or can
do it in NSS level (correct me if I am wrong and there is such a function
already :) ). Thus Andrew wants to have this in xmlsec-nss and personaly
I don't have any objections.
How about this: xmlsec-nss would have following functions:

    int xmlSecNssBestSlotInit(void) :
             Initializes whatever is needed.

    void xmlSecNssBestSlotShutdown(void) :
            Shuts down whatever is needed.

    int xmlSecNssBestSlotAdopt(CK_MECHANISM_TYPE alg, PK11SlotInfo* slot) :
           Sets "slot" to be used for "alg" (global inside xmlsec).

    PK11SlotInfo* xmlSecNssBestSlotGet(CK_MECHANISM_TYPE* alg):
           Returns the slot for "alg" by first looking thru the list of 
           set with xmlSecNssBestSlotSet() function and if matching slot
           is not found then it simply calls NSS PK11_GetBestSlot() function
           and hopes for the best.

Finally we replace PK11_GetBestSlot() with xmlSecNssBestSlotGet() 
inside xmlsec-nss.

By default if user does nothing (i.e. user does not call 
function) we have xmlSecNssBestSlotGet() function that simply calls 
function with a little overhead to check that something is NULL (or not 

Andrew's patch does more or less the same thing but it operates with 
which seems less intuitive to me (I might be wrong). As I wrote, 
functions descriptions
(API docs) would help. Any approach is good for me. In the outlined 
above API
I would use subclass of xmlSecList to store the slots and algorithms. 
The only
problem  I have is that xmlSecNssBestSlotGet() would need to "duplicate" 
the returned
slot because code always frees returned slot with PK11_FreeSlot(). I am 
sure it is possible, \
I just dn't know how to do this. PK11SlotList might do it as well, I 
just don't know enough
about it.

To Andrew: I missed this when I looked at your patch first time but you 
have to rename
you functions from xmlSec* to xmlSecNss* (the functions are NSS 
specific). Also having
an init function (even if it does nothing) is a good idea: you may 
visually check your
xmlSecNssInit/xmlSecNssShutdown functions to make sure all inits and 
are done in correct order. Also probably it's worth it to have a 
fallback to PK11_GetBestSlot()
in the xmlSecNssGetSlot() function even if there is PK11SlotList 
initialized. xmlsec
has other ways to control which algorithms are allowed.


More information about the xmlsec mailing list