[xmlsec] MS crypto key integration with xmlsec

Aleksey Sanin aleksey at aleksey.com
Fri Aug 1 09:46:22 PDT 2003

Hi, Wouter!

First of all, I am glad that someone is looking into xmlsec-mscrypto. Many
people have asked about this. If you and your company are ok with sharing
your I would be happy to include this into main xmlsec CVS/distribution.
This is really important stuff!

Your questions about keys and keys manager seem to have the same foundation.
The xmlSecKey/xmlSecKeyData and xmlSecKeysManager are not real objects that
do some important job but interfaces to crypto specific implementation. The
core xmlsec library uses these interfaces to call low level crypto api. For
example, in OpenSSL case there is no keys storage provided by crypto library.
Thus implements one. On the other hand, NSS does provide a keys and
certificates storage (known as NSS keys db). And xmlSecNssKeysManager is just
an interface to keys storage. If xmlsec core library needs to find a key, say
with given name, it calls xmlSecNssKeysManager. The xmlSecNssKeysManager
searches NSS keys db and returns a key wrapped in xmlSecKey/xmlSecKeyData to
xmlsec-core. As you can see, the xmlSecKey/xmlSecKeyData wrapper shows up
*only* as the result of the keys search!

Another scenario is when an application wants to specify a key for performing
particular xmlsec operation (signature or encryption). In this case,
application should be able to create or get xmlSecKey/xmlSecKeyData wrappers
and give them to xmlsec. Please note that in any case, core xmlsec functions
deal *only* with wrappers. However, you can find xmlSecNss* and
xmlSecOpenSSL* functions that work with low level crypto primitives (for
example, convert OpenSSL key handle to xmlSecKeyData). It's ok to have such
functions and I doubt that one can avoid this :)

I would guess that in MS Crypto API you have a situation very similar to one
we have in NSS. Tej did a great implementation xmlsec-nss which was checked
in CVS recently. I would suggest you to take a look.

I am not sure but I hope that I did answer your questions. Anyway, I would be
happy to answer more if you have some :)

With best regards,
Aleksey Sanin
