AW: [xmlsec] problem with nss pkcs12

Aleksey Sanin aleksey at aleksey.com
Sun Mar 6 21:07:56 PST 2005


Hi, Gabor!

Sorry for the delay with the response, but since you sent this message
to me directly instead of the xmlsec mailing list, it ended up in the
Trash folder and I discovered it only a few days ago :(

Anyway, I found and fixed the problem you reported (see the attached
patch). It turns out that nss slightly changed the internal slot
initialization procedure around 3.8 and xmlsec was not ready for this.

Aleksey

Molnar Gabor wrote:
> 
>  > Von: Aleksey Sanin [mailto:aleksey at aleksey.com]
>  >
>  > > Have you any idea about the problem?
>  > > How can I use private key from the NSS keystore?
>  > Can you try to read the pkcs12 file using NSPR or openssl utilities?
>  > These tests (and private key from NSS keystore) work just fine for
>  > me and other people. May be you just have damaged pkcs12 file?
>  >
>  > Aleksey
>  >
> 
> Thank you for the response, the pkcs12 file is OK, I can import it.
> I've tried with more files too.
> I've got the same error both on win32 and on linux.
> I did not install mozilla, I use only the nss-3.9.2 package.
> Do you need any NSS specific configuration to run xmlsec check?
> 
> Gabor
> 
-------------- next part --------------
Index: include/xmlsec/nss/crypto.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/nss/crypto.h,v
retrieving revision 1.19
diff -u -r1.19 crypto.h
--- include/xmlsec/nss/crypto.h	12 Jan 2004 21:06:14 -0000	1.19
+++ include/xmlsec/nss/crypto.h	7 Mar 2005 05:03:13 -0000
@@ -42,6 +42,8 @@
 									int reason, 
 									const char* msg);
 
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo * xmlSecNssGetInternalKeySlot(void);
+
 /********************************************************************
  *
  * AES transforms
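Review bot: The prototype declares `xmlSecNssGetInternalKeySlot(void)`, but the definition added in src/nss/crypto.c is written as `xmlSecNssGetInternalKeySlot()`; use `(void)` in both places so the declaration and definition match and the compiler can check callers. The header also needs a short comment noting that the returned `PK11SlotInfo *` is a reference the caller must release with `PK11_FreeSlot`, since every call site in this patch now goes through this wrapper.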
Index: src/nss/app.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/app.c,v
retrieving revision 1.23
diff -u -r1.23 app.c
--- src/nss/app.c	26 Sep 2003 03:53:09 -0000	1.23
+++ src/nss/app.c	7 Mar 2005 05:03:15 -0000
@@ -447,11 +447,11 @@
     /* we're importing a key about which we know nothing yet, just use the 
      * internal slot 
      */
-    slot = PK11_GetInternalKeySlot();
+    slot = xmlSecNssGetInternalKeySlot();
     if (slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    NULL,
-		    "PK11_GetInternalKeySlot",
+		    "xmlSecNssGetInternalKeySlot",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	goto done;
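Review bot: The error reason at this call site stays `XMLSEC_ERRORS_R_CRYPTO_FAILED`, while the equivalent hunks in app.c (line 862) and x509.c switch it to `XMLSEC_ERRORS_R_XMLSEC_FAILED`. Since `xmlSecNssGetInternalKeySlot` already reports the underlying NSS error itself, the wrapper call failing is an xmlsec-level failure; change this one to `XMLSEC_ERRORS_R_XMLSEC_FAILED` for consistency so the error log does not report the same failure under two different reasons.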
@@ -862,12 +862,12 @@
     /* we're importing a key about which we know nothing yet, just use the 
      * internal slot. We have no criteria to choose a slot. 
      */
-    slot = PK11_GetInternalKeySlot();
+    slot = xmlSecNssGetInternalKeySlot();
     if (slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    NULL,
-		    "PK11_GetInternalKeySlot",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "xmlSecNssGetInternalKeySlot",
+		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	goto done;
     }
Index: src/nss/crypto.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/crypto.c,v
retrieving revision 1.27
diff -u -r1.27 crypto.c
--- src/nss/crypto.c	29 Oct 2003 15:57:25 -0000	1.27
+++ src/nss/crypto.c	7 Mar 2005 05:03:15 -0000
@@ -244,6 +244,54 @@
 }
 
 /**
+ * xmlSecNssGetInternalKeySlot:
+ * 
+ * Returns internal key slot and initializes it if needed.
+ */
+PK11SlotInfo * 
+xmlSecNssGetInternalKeySlot()
+{
+    PK11SlotInfo *slot = NULL;
+    SECStatus rv;
+        
+    slot = PK11_GetInternalKeySlot();
+    if (slot == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+		        NULL,
+		        "PK11_GetInternalKeySlot",
+		        XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                "error code=%d", PORT_GetError());
+    	return NULL;
+    }
+
+    if (PK11_NeedUserInit(slot)) {
+        rv = PK11_InitPin(slot, NULL, NULL);
+        if (rv != SECSuccess) {
+     	    xmlSecError(XMLSEC_ERRORS_HERE,
+		            NULL,
+		            "PK11_Authenticate",
+		            XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		            XMLSEC_ERRORS_NO_MESSAGE);
+            return NULL;
+        }
+    }
+
+    if(PK11_IsLoggedIn(slot, NULL) != PR_TRUE) {
+        rv = PK11_Authenticate(slot, PR_TRUE, NULL);
+        if (rv != SECSuccess) {
+    	    xmlSecError(XMLSEC_ERRORS_HERE,
+		            NULL,
+		            "PK11_Authenticate",
+		            XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		            XMLSEC_ERRORS_NO_MESSAGE);
+            return NULL;
+        }
+    }
+
+    return(slot);
+}
+
+/**
  * xmlSecNssGenerateRandom:
  * @buffer:		the destination buffer.
  * @size:		the numer of bytes to generate.
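Review bot: The error label in the `PK11_InitPin` failure branch says `"PK11_Authenticate"`, which will misattribute the failure in the log; it should read `"PK11_InitPin"`. Two further points on the same function: both early `return NULL;` paths after `PK11_GetInternalKeySlot` succeeded drop the slot reference without `PK11_FreeSlot(slot)`, so each failed authentication leaks a reference; and `PK11_InitPin(slot, NULL, NULL)` initializes the key database with an empty PIN when `PK11_NeedUserInit` is true, which means any private key later imported into the internal slot is stored without password protection. That behaviour should at least be spelled out in the function's doc comment so callers understand the key-store protection they get by default. Minor: the definition should be `xmlSecNssGetInternalKeySlot(void)` to match the header, and the body mixes tabs and spaces.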
Index: src/nss/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/x509.c,v
retrieving revision 1.6
diff -u -r1.6 x509.c
--- src/nss/x509.c	6 Mar 2005 02:41:58 -0000	1.6
+++ src/nss/x509.c	7 Mar 2005 05:03:17 -0000
@@ -1884,14 +1884,14 @@
     /* we're importing a CRL, it is ok to use the internal slot.
      * crlutil does it :)
      */
-    slot = PK11_GetInternalKeySlot();
+    slot = xmlSecNssGetInternalKeySlot();
     if (slot == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
-                    "PK11_GetInternalKeySlot",
-                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
-	return NULL;
+                    "xmlSecNssGetInternalKeySlot",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+    		        XMLSEC_ERRORS_NO_MESSAGE);
+    	return NULL;
     }
 
     if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0)
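Review bot: The replacement lines for `XMLSEC_ERRORS_NO_MESSAGE);` and `return NULL;` use a tab followed by spaces, while the surrounding block in this file is indented with spaces only; align them with the existing style. The reason-code change to `XMLSEC_ERRORS_R_XMLSEC_FAILED` is consistent with the app.c hunk at line 862, but note that the app.c hunk at line 447 was not changed the same way.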
