summaryrefslogtreecommitdiff
path: root/external/libxmlsec
diff options
context:
space:
mode:
authorMiklos Vajna <vmiklos@collabora.co.uk>2016-03-22 20:52:15 +0100
committerMiklos Vajna <vmiklos@collabora.co.uk>2016-03-23 08:04:55 +0000
commit5de18e6a1fe643f1cf15b8456587208ecb11e1c5 (patch)
treebca3c1c1645dd70ea508a5abe5a5a90ff4da95bd /external/libxmlsec
parent8383055a258676726b589c8c912c19b30addbedc (diff)
xmlsec: clean up the nss keywrapper part of xmlsec1-customkeymanage.patch.1
All of this is already provided by src/nss/kw_*.c. If I build xmlsec as a shared lib, I even get linker errors due to duplicated symbols. For some reason that does not show up in our situation where we build nss as a static lib and link to it in xmlsecurity. Change-Id: If6e00bf3a818a0146c9c30c51174d8e0acab43a9 Reviewed-on: https://gerrit.libreoffice.org/23443 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'external/libxmlsec')
-rw-r--r--external/libxmlsec/xmlsec1-customkeymanage.patch.11292
1 files changed, 31 insertions, 1261 deletions
diff --git a/external/libxmlsec/xmlsec1-customkeymanage.patch.1 b/external/libxmlsec/xmlsec1-customkeymanage.patch.1
index 82e6b4366d1a..30ecfe0b5f4d 100644
--- a/external/libxmlsec/xmlsec1-customkeymanage.patch.1
+++ b/external/libxmlsec/xmlsec1-customkeymanage.patch.1
@@ -13,37 +13,35 @@ Conflicts:
src/nss/x509.c
src/nss/x509vfy.c
---
- include/xmlsec/mscrypto/Makefile.am | 1 +
- include/xmlsec/mscrypto/Makefile.in | 1 +
- include/xmlsec/mscrypto/akmngr.h | 71 ++
- include/xmlsec/nss/Makefile.am | 3 +
- include/xmlsec/nss/Makefile.in | 3 +
- include/xmlsec/nss/akmngr.h | 56 ++
- include/xmlsec/nss/app.h | 5 +
- include/xmlsec/nss/ciphers.h | 35 +
- include/xmlsec/nss/keysstore.h | 4 +
- include/xmlsec/nss/tokens.h | 182 ++++++
- src/mscrypto/akmngr.c | 236 +++++++
- src/nss/Makefile.am | 3 +
- src/nss/Makefile.in | 30 +-
- src/nss/akmngr.c | 384 +++++++++++
- src/nss/hmac.c | 8 +-
- src/nss/keysstore.c | 826 ++++++++++++++++--------
- src/nss/keywrapers.c | 1213 +++++++++++++++++++++++++++++++++++
- src/nss/pkikeys.c | 51 +-
- src/nss/symkeys.c | 705 +++++++++++++++++++-
- src/nss/tokens.c | 548 ++++++++++++++++
- src/nss/x509.c | 565 ++++------------
- src/nss/x509vfy.c | 292 +++------
- win32/Makefile.msvc | 4 +
- 23 files changed, 4256 insertions(+), 970 deletions(-)
+ include/xmlsec/mscrypto/Makefile.am | 1 +
+ include/xmlsec/mscrypto/Makefile.in | 1 +
+ include/xmlsec/mscrypto/akmngr.h | 71 ++++
+ include/xmlsec/nss/Makefile.am | 3 +
+ include/xmlsec/nss/Makefile.in | 3 +
+ include/xmlsec/nss/akmngr.h | 56 +++
+ include/xmlsec/nss/app.h | 5 +
+ include/xmlsec/nss/ciphers.h | 35 ++
+ include/xmlsec/nss/keysstore.h | 4 +
+ include/xmlsec/nss/tokens.h | 182 ++++++++
+ src/mscrypto/akmngr.c | 236 +++++++++++
+ src/nss/Makefile.am | 2 +
+ src/nss/Makefile.in | 22 +-
+ src/nss/akmngr.c | 384 +++++++++++++++++
+ src/nss/hmac.c | 8 +-
+ src/nss/keysstore.c | 826 +++++++++++++++++++++++++-----------
+ src/nss/pkikeys.c | 51 ++-
+ src/nss/symkeys.c | 705 ++++++++++++++++++++++++++++--
+ src/nss/tokens.c | 548 ++++++++++++++++++++++++
+ src/nss/x509.c | 565 +++++-------------------
+ src/nss/x509vfy.c | 292 ++++---------
+ win32/Makefile.msvc | 4 +
+ 22 files changed, 3034 insertions(+), 970 deletions(-)
create mode 100644 include/xmlsec/mscrypto/akmngr.h
create mode 100644 include/xmlsec/nss/akmngr.h
create mode 100644 include/xmlsec/nss/ciphers.h
create mode 100644 include/xmlsec/nss/tokens.h
create mode 100644 src/mscrypto/akmngr.c
create mode 100644 src/nss/akmngr.c
- create mode 100644 src/nss/keywrapers.c
create mode 100644 src/nss/tokens.c
diff --git a/include/xmlsec/mscrypto/Makefile.am b/include/xmlsec/mscrypto/Makefile.am
@@ -754,21 +752,20 @@ index 0000000..3bbd124
+}
+
diff --git a/src/nss/Makefile.am b/src/nss/Makefile.am
-index 8cd8586..48a6bf9 100644
+index 8cd8586..a14199e 100644
--- a/src/nss/Makefile.am
+++ b/src/nss/Makefile.am
-@@ -35,6 +35,9 @@ libxmlsec1_nss_la_SOURCES =\
+@@ -35,6 +35,8 @@ libxmlsec1_nss_la_SOURCES =\
kw_des.c \
kw_aes.c \
globals.h \
+ akmngr.c \
-+ keywrapers.c \
+ tokens.c \
$(NULL)
if SHAREDLIB_HACK
diff --git a/src/nss/Makefile.in b/src/nss/Makefile.in
-index 0003297..3b53588 100644
+index 0003297..8179e59 100644
--- a/src/nss/Makefile.in
+++ b/src/nss/Makefile.in
@@ -72,7 +72,8 @@ am__DEPENDENCIES_1 =
@@ -777,7 +774,7 @@ index 0003297..3b53588 100644
x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
- ../strings.c
+ ../strings.c \
-+ akmngr.c keywrapers.c tokens.c
++ akmngr.c tokens.c
am__objects_1 =
@SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_nss_la-strings.lo
am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \
@@ -785,7 +782,7 @@ index 0003297..3b53588 100644
libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \
libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \
libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \
-+ libxmlsec1_nss_la-akmngr.lo libxmlsec1_nss_la-keywrapers.lo \
++ libxmlsec1_nss_la-akmngr.lo \
+ libxmlsec1_nss_la-tokens.lo \
$(am__objects_1) $(am__objects_2)
libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS)
@@ -794,21 +791,20 @@ index 0003297..3b53588 100644
libxmlsec1_nss_la_SOURCES = app.c bignum.c ciphers.c crypto.c \
digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \
x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
-+ akmngr.c keywrapers.c tokens.c \
++ akmngr.c tokens.c \
$(NULL) $(am__append_1)
libxmlsec1_nss_la_LIBADD = \
$(NSS_LIBS) \
-@@ -446,6 +450,9 @@ distclean-compile:
+@@ -446,6 +450,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@@ -475,6 +482,27 @@ libxmlsec1_nss_la-app.lo: app.c
+@@ -475,6 +481,20 @@ libxmlsec1_nss_la-app.lo: app.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c
@@ -819,13 +815,6 @@ index 0003297..3b53588 100644
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c
+
-+libxmlsec1_nss_la-keywrapers.lo: keywrapers.c
-+@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-keywrapers.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c; \
-+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo"; exit 1; fi
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keywrapers.c' object='libxmlsec1_nss_la-keywrapers.lo' libtool=yes @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c
-+
+libxmlsec1_nss_la-tokens.lo: tokens.c
+@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo"; exit 1; fi
@@ -2185,1225 +2174,6 @@ index f07e44b..e4cb0f1 100644
+ xmlFreeDoc(doc);
+ return(0);
}
-diff --git a/src/nss/keywrapers.c b/src/nss/keywrapers.c
-new file mode 100644
-index 0000000..ab91f2c
---- /dev/null
-+++ b/src/nss/keywrapers.c
-@@ -0,0 +1,1213 @@
-+/**
-+ *
-+ * XMLSec library
-+ *
-+ * AES Algorithm support
-+ *
-+ * This is free software; see Copyright file in the source
-+ * distribution for preciese wording.
-+ *
-+ * Copyright .................................
-+ */
-+#include "globals.h"
-+
-+#include <stdlib.h>
-+#include <stdio.h>
-+#include <string.h>
-+
-+#include <nss.h>
-+#include <pk11func.h>
-+#include <hasht.h>
-+
-+#include <xmlsec/xmlsec.h>
-+#include <xmlsec/xmltree.h>
-+#include <xmlsec/keys.h>
-+#include <xmlsec/transforms.h>
-+#include <xmlsec/errors.h>
-+
-+#include <xmlsec/nss/crypto.h>
-+#include <xmlsec/nss/ciphers.h>
-+
-+#define XMLSEC_NSS_AES128_KEY_SIZE 16
-+#define XMLSEC_NSS_AES192_KEY_SIZE 24
-+#define XMLSEC_NSS_AES256_KEY_SIZE 32
-+#define XMLSEC_NSS_DES3_KEY_SIZE 24
-+#define XMLSEC_NSS_DES3_KEY_LENGTH 24
-+#define XMLSEC_NSS_DES3_IV_LENGTH 8
-+#define XMLSEC_NSS_DES3_BLOCK_LENGTH 8
-+
-+static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = {
-+ 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05
-+};
-+
-+/*********************************************************************
-+ *
-+ * key wrap transforms
-+ *
-+ ********************************************************************/
-+typedef struct _xmlSecNssKeyWrapCtx xmlSecNssKeyWrapCtx ;
-+typedef struct _xmlSecNssKeyWrapCtx* xmlSecNssKeyWrapCtxPtr ;
-+
-+#define xmlSecNssKeyWrapSize \
-+ ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) )
-+
-+#define xmlSecNssKeyWrapGetCtx( transform ) \
-+ ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
-+
-+struct _xmlSecNssKeyWrapCtx {
-+ CK_MECHANISM_TYPE cipher ;
-+ PK11SymKey* symkey ;
-+ xmlSecKeyDataId keyId ;
-+ xmlSecBufferPtr material ; /* to be encrypted/decrypted key material */
-+} ;
-+
-+static int xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform);
-+static void xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform);
-+static int xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform,
-+ xmlSecKeyReqPtr keyReq);
-+static int xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform,
-+ xmlSecKeyPtr key);
-+static int xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform,
-+ int last,
-+ xmlSecTransformCtxPtr transformCtx);
-+static xmlSecSize xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform);
-+
-+static int
-+xmlSecNssKeyWrapCheckId(
-+ xmlSecTransformPtr transform
-+) {
-+ #ifndef XMLSEC_NO_DES
-+ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
-+ return(1);
-+ }
-+ #endif /* XMLSEC_NO_DES */
-+
-+ #ifndef XMLSEC_NO_AES
-+ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) ||
-+ xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) ||
-+ xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) {
-+
-+ return(1);
-+ }
-+ #endif /* XMLSEC_NO_AES */
-+
-+ return(0);
-+}
-+
-+static xmlSecSize
-+xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) {
-+#ifndef XMLSEC_NO_DES
-+ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
-+ return(XMLSEC_NSS_DES3_KEY_SIZE);
-+ } else
-+#endif /* XMLSEC_NO_DES */
-+
-+#ifndef XMLSEC_NO_AES
-+ if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) {
-+ return(XMLSEC_NSS_AES128_KEY_SIZE);
-+ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) {
-+ return(XMLSEC_NSS_AES192_KEY_SIZE);
-+ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
-+ return(XMLSEC_NSS_AES256_KEY_SIZE);
-+ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
-+ return(XMLSEC_NSS_AES256_KEY_SIZE);
-+ } else
-+#endif /* XMLSEC_NO_AES */
-+
-+ if(1)
-+ return(0);
-+}
-+
-+
-+static int
-+xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) {
-+ xmlSecNssKeyWrapCtxPtr context ;
-+ int ret;
-+
-+ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
-+ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
-+
-+ context = xmlSecNssKeyWrapGetCtx( transform ) ;
-+ xmlSecAssert2( context != NULL , -1 ) ;
-+
-+ #ifndef XMLSEC_NO_DES
-+ if( transform->id == xmlSecNssTransformKWDes3Id ) {
-+ context->cipher = CKM_DES3_CBC ;
-+ context->keyId = xmlSecNssKeyDataDesId ;
-+ } else
-+ #endif /* XMLSEC_NO_DES */
-+
-+ #ifndef XMLSEC_NO_AES
-+ if( transform->id == xmlSecNssTransformKWAes128Id ) {
-+ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
-+ context->cipher = CKM_AES_CBC ;
-+ context->keyId = xmlSecNssKeyDataAesId ;
-+ } else
-+ if( transform->id == xmlSecNssTransformKWAes192Id ) {
-+ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
-+ context->cipher = CKM_AES_CBC ;
-+ context->keyId = xmlSecNssKeyDataAesId ;
-+ } else
-+ if( transform->id == xmlSecNssTransformKWAes256Id ) {
-+ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
-+ context->cipher = CKM_AES_CBC ;
-+ context->keyId = xmlSecNssKeyDataAesId ;
-+ } else
-+ #endif /* XMLSEC_NO_AES */
-+
-+
-+ if( 1 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-+ NULL ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ context->symkey = NULL ;
-+ context->material = NULL ;
-+
-+ return(0);
-+}
-+
-+static void
-+xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) {
-+ xmlSecNssKeyWrapCtxPtr context ;
-+
-+ xmlSecAssert(xmlSecNssKeyWrapCheckId(transform));
-+ xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize));
-+
-+ context = xmlSecNssKeyWrapGetCtx( transform ) ;
-+ xmlSecAssert( context != NULL ) ;
-+
-+ if( context->symkey != NULL ) {
-+ PK11_FreeSymKey( context->symkey ) ;
-+ context->symkey = NULL ;
-+ }
-+
-+ if( context->material != NULL ) {
-+ xmlSecBufferDestroy(context->material);
-+ context->material = NULL ;
-+ }
-+}
-+
-+static int
-+xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) {
-+ xmlSecNssKeyWrapCtxPtr context ;
-+ xmlSecSize cipherSize = 0 ;
-+
-+
-+ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
-+ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
-+ xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-+ xmlSecAssert2(keyReq != NULL, -1);
-+
-+ context = xmlSecNssKeyWrapGetCtx( transform ) ;
-+ xmlSecAssert2( context != NULL , -1 ) ;
-+
-+ keyReq->keyId = context->keyId;
-+ keyReq->keyType = xmlSecKeyDataTypeSymmetric;
-+ if(transform->operation == xmlSecTransformOperationEncrypt) {
-+ keyReq->keyUsage = xmlSecKeyUsageEncrypt;
-+ } else {
-+ keyReq->keyUsage = xmlSecKeyUsageDecrypt;
-+ }
-+
-+ keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ;
-+
-+ return(0);
-+}
-+
-+static int
-+xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
-+ xmlSecNssKeyWrapCtxPtr context = NULL ;
-+ xmlSecKeyDataPtr keyData = NULL ;
-+ PK11SymKey* symkey = NULL ;
-+
-+ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
-+ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
-+ xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-+ xmlSecAssert2(key != NULL, -1);
-+
-+ context = xmlSecNssKeyWrapGetCtx( transform ) ;
-+ if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ "xmlSecNssKeyWrapGetCtx" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+ xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
-+
-+ keyData = xmlSecKeyGetValue( key ) ;
-+ if( keyData == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
-+ "xmlSecKeyGetValue" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
-+ "xmlSecNssSymKeyDataGetKey" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ context->symkey = symkey ;
-+
-+ return(0) ;
-+}
-+
-+/**
-+ * key wrap transform
-+ */
-+static int
-+xmlSecNssKeyWrapCtxInit(
-+ xmlSecNssKeyWrapCtxPtr ctx ,
-+ xmlSecBufferPtr in ,
-+ xmlSecBufferPtr out ,
-+ int encrypt ,
-+ xmlSecTransformCtxPtr transformCtx
-+) {
-+ xmlSecSize blockSize ;
-+
-+ xmlSecAssert2( ctx != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
-+ xmlSecAssert2( in != NULL , -1 ) ;
-+ xmlSecAssert2( out != NULL , -1 ) ;
-+ xmlSecAssert2( transformCtx != NULL , -1 ) ;
-+
-+ if( ctx->material != NULL ) {
-+ xmlSecBufferDestroy( ctx->material ) ;
-+ ctx->material = NULL ;
-+ }
-+
-+ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_GetBlockSize" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ ctx->material = xmlSecBufferCreate( blockSize ) ;
-+ if( ctx->material == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferCreate" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ /* read raw key material into context */
-+ if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferSetData" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferRemoveHead" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ return(0);
-+}
-+
-+/**
-+ * key wrap transform update
-+ */
-+static int
-+xmlSecNssKeyWrapCtxUpdate(
-+ xmlSecNssKeyWrapCtxPtr ctx ,
-+ xmlSecBufferPtr in ,
-+ xmlSecBufferPtr out ,
-+ int encrypt ,
-+ xmlSecTransformCtxPtr transformCtx
-+) {
-+ xmlSecAssert2( ctx != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->material != NULL , -1 ) ;
-+ xmlSecAssert2( in != NULL , -1 ) ;
-+ xmlSecAssert2( out != NULL , -1 ) ;
-+ xmlSecAssert2( transformCtx != NULL , -1 ) ;
-+
-+ /* read raw key material and append into context */
-+ if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferAppend" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferRemoveHead" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ return(0);
-+}
-+
-+static int
-+xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) {
-+ xmlSecSize s;
-+ xmlSecSize i;
-+ xmlSecByte c;
-+
-+ xmlSecAssert2(buf != NULL, -1);
-+
-+ s = size / 2;
-+ --size;
-+ for(i = 0; i < s; ++i) {
-+ c = buf[i];
-+ buf[i] = buf[size - i];
-+ buf[size - i] = c;
-+ }
-+ return(0);
-+}
-+
-+static xmlSecByte *
-+xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize,
-+ xmlSecByte *out, xmlSecSize outSize)
-+{
-+ PK11Context *context = NULL;
-+ SECStatus s;
-+ xmlSecByte *digest = NULL;
-+ unsigned int len;
-+
-+ xmlSecAssert2(in != NULL, NULL);
-+ xmlSecAssert2(out != NULL, NULL);
-+ xmlSecAssert2(outSize >= SHA1_LENGTH, NULL);
-+
-+ /* Create a context for hashing (digesting) */
-+ context = PK11_CreateDigestContext(SEC_OID_SHA1);
-+ if (context == NULL) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_CreateDigestContext",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ s = PK11_DigestBegin(context);
-+ if (s != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_DigestBegin",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ s = PK11_DigestOp(context, in, inSize);
-+ if (s != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_DigestOp",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ s = PK11_DigestFinal(context, out, &len, outSize);
-+ if (s != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_DigestFinal",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+ xmlSecAssert2(len == SHA1_LENGTH, NULL);
-+
-+ digest = out;
-+
-+done:
-+ if (context != NULL) {
-+ PK11_DestroyContext(context, PR_TRUE);
-+ }
-+ return (digest);
-+}
-+
-+static int
-+xmlSecNssKWDes3Encrypt(
-+ PK11SymKey* symKey ,
-+ CK_MECHANISM_TYPE cipherMech ,
-+ const xmlSecByte* iv ,
-+ xmlSecSize ivSize ,
-+ const xmlSecByte* in ,
-+ xmlSecSize inSize ,
-+ xmlSecByte* out ,
-+ xmlSecSize outSize ,
-+ int enc
-+) {
-+ PK11Context* EncContext = NULL;
-+ SECItem ivItem ;
-+ SECItem* secParam = NULL ;
-+ int tmp1_outlen;
-+ unsigned int tmp2_outlen;
-+ int result_len = -1;
-+ SECStatus rv;
-+
-+ xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( symKey != NULL , -1 ) ;
-+ xmlSecAssert2(iv != NULL, -1);
-+ xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1);
-+ xmlSecAssert2(in != NULL, -1);
-+ xmlSecAssert2(inSize > 0, -1);
-+ xmlSecAssert2(out != NULL, -1);
-+ xmlSecAssert2(outSize >= inSize, -1);
-+
-+ /* Prepare IV */
-+ ivItem.data = ( unsigned char* )iv ;
-+ ivItem.len = ivSize ;
-+
-+ secParam = PK11_ParamFromIV(cipherMech, &ivItem);
-+ if (secParam == NULL) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_ParamFromIV",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "Error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ EncContext = PK11_CreateContextBySymKey(cipherMech,
-+ enc ? CKA_ENCRYPT : CKA_DECRYPT,
-+ symKey, secParam);
-+ if (EncContext == NULL) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_CreateContextBySymKey",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "Error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ tmp1_outlen = tmp2_outlen = 0;
-+ rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize,
-+ (unsigned char *)in, inSize);
-+ if (rv != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_CipherOp",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "Error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ rv = PK11_DigestFinal(EncContext, out+tmp1_outlen,
-+ &tmp2_outlen, outSize-tmp1_outlen);
-+ if (rv != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_DigestFinal",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "Error code = %d", PORT_GetError());
-+ goto done;
-+ }
-+
-+ result_len = tmp1_outlen + tmp2_outlen;
-+
-+done:
-+ if (secParam) {
-+ SECITEM_FreeItem(secParam, PR_TRUE);
-+ }
-+ if (EncContext) {
-+ PK11_DestroyContext(EncContext, PR_TRUE);
-+ }
-+
-+ return(result_len);
-+}
-+
-+static int
-+xmlSecNssKeyWrapDesOp(
-+ xmlSecNssKeyWrapCtxPtr ctx ,
-+ int encrypt ,
-+ xmlSecBufferPtr result
-+) {
-+ xmlSecByte sha1[SHA1_LENGTH];
-+ xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH];
-+ xmlSecByte* in;
-+ xmlSecSize inSize;
-+ xmlSecByte* out;
-+ xmlSecSize outSize;
-+ xmlSecSize s;
-+ int ret;
-+ SECStatus status;
-+
-+ xmlSecAssert2( ctx != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->material != NULL , -1 ) ;
-+ xmlSecAssert2( result != NULL , -1 ) ;
-+
-+ in = xmlSecBufferGetData(ctx->material);
-+ inSize = xmlSecBufferGetSize(ctx->material) ;
-+ out = xmlSecBufferGetData(result);
-+ outSize = xmlSecBufferGetMaxSize(result) ;
-+ if( encrypt ) {
-+ /* step 2: calculate sha1 and CMS */
-+ if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssComputeSHA1",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+
-+ /* step 3: construct WKCKS */
-+ memcpy(out, in, inSize);
-+ memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH);
-+
-+ /* step 4: generate random iv */
-+ status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH);
-+ if(status != SECSuccess) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "PK11_GenerateRandom",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ "error code = %d", PORT_GetError());
-+ return(-1);
-+ }
-+
-+ /* step 5: first encryption, result is TEMP1 */
-+ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
-+ iv, XMLSEC_NSS_DES3_IV_LENGTH,
-+ out, inSize + XMLSEC_NSS_DES3_IV_LENGTH,
-+ out, outSize, 1);
-+ if(ret < 0) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3Encrypt",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+
-+ /* step 6: construct TEMP2=IV || TEMP1 */
-+ memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out,
-+ inSize + XMLSEC_NSS_DES3_IV_LENGTH);
-+ memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH);
-+ s = ret + XMLSEC_NSS_DES3_IV_LENGTH;
-+
-+ /* step 7: reverse octets order, result is TEMP3 */
-+ ret = xmlSecNssKWDes3BufferReverse(out, s);
-+ if(ret < 0) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3BufferReverse",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+
-+ /* step 8: second encryption with static IV */
-+ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
-+ xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH,
-+ out, s,
-+ out, outSize, 1);
-+ if(ret < 0) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3Encrypt",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+ s = ret;
-+
-+ if( xmlSecBufferSetSize( result , s ) < 0 ) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecBufferSetSize",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+ } else {
-+ /* step 2: first decryption with static IV, result is TEMP3 */
-+ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
-+ xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH,
-+ in, inSize,
-+ out, outSize, 0);
-+ if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3Encrypt",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+ s = ret;
-+
-+ /* step 3: reverse octets order in TEMP3, result is TEMP2 */
-+ ret = xmlSecNssKWDes3BufferReverse(out, s);
-+ if(ret < 0) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3BufferReverse",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+
-+ /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */
-+ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
-+ out, XMLSEC_NSS_DES3_IV_LENGTH,
-+ out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH,
-+ out, outSize, 0);
-+ if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssKWDes3Encrypt",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+ s = ret - XMLSEC_NSS_DES3_IV_LENGTH;
-+
-+ /* steps 6 and 7: calculate SHA1 and validate it */
-+ if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecNssComputeSHA1",
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+
-+ if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ NULL,
-+ XMLSEC_ERRORS_R_INVALID_DATA,
-+ "SHA1 does not match");
-+ return(-1);
-+ }
-+
-+ if( xmlSecBufferSetSize( result , s ) < 0 ) {
-+ xmlSecError(XMLSEC_ERRORS_HERE,
-+ NULL,
-+ "xmlSecBufferSetSize",
-+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
-+ XMLSEC_ERRORS_NO_MESSAGE);
-+ return(-1);
-+ }
-+ }
-+
-+ return(0);
-+}
-+
-+static int
-+xmlSecNssKeyWrapAesOp(
-+ xmlSecNssKeyWrapCtxPtr ctx ,
-+ int encrypt ,
-+ xmlSecBufferPtr result
-+) {
-+ PK11Context* cipherCtx = NULL;
-+ SECItem ivItem ;
-+ SECItem* secParam = NULL ;
-+ xmlSecSize inSize ;
-+ xmlSecSize inBlocks ;
-+ int blockSize ;
-+ int midSize ;
-+ int finSize ;
-+ xmlSecByte* out ;
-+ xmlSecSize outSize;
-+
-+ xmlSecAssert2( ctx != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->material != NULL , -1 ) ;
-+ xmlSecAssert2( result != NULL , -1 ) ;
-+
-+ /* Do not set any IV */
-+ memset(&ivItem, 0, sizeof(ivItem));
-+
-+ /* Get block size */
-+ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_GetBlockSize" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ inSize = xmlSecBufferGetSize( ctx->material ) ;
-+ if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferSetMaxSize" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ /* Get Param for context initialization */
-+ if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_ParamFromIV" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
-+ if( cipherCtx == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_CreateContextBySymKey" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ SECITEM_FreeItem( secParam , PR_TRUE ) ;
-+ return(-1);
-+ }
-+
-+ out = xmlSecBufferGetData(result) ;
-+ outSize = xmlSecBufferGetMaxSize(result) ;
-+ if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_CipherOp" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_DigestFinal" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferSetSize" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ return 0 ;
-+}
-+
-+/**
-+ * Block cipher transform final
-+ */
-+static int
-+xmlSecNssKeyWrapCtxFinal(
-+ xmlSecNssKeyWrapCtxPtr ctx ,
-+ xmlSecBufferPtr in ,
-+ xmlSecBufferPtr out ,
-+ int encrypt ,
-+ xmlSecTransformCtxPtr transformCtx
-+) {
-+ PK11SymKey* targetKey ;
-+ xmlSecSize blockSize ;
-+ xmlSecBufferPtr result ;
-+
-+ xmlSecAssert2( ctx != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
-+ xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
-+ xmlSecAssert2( ctx->material != NULL , -1 ) ;
-+ xmlSecAssert2( in != NULL , -1 ) ;
-+ xmlSecAssert2( out != NULL , -1 ) ;
-+ xmlSecAssert2( transformCtx != NULL , -1 ) ;
-+
-+ /* read raw key material and append into context */
-+ if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferAppend" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferRemoveHead" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ /* Now we get all of the key materail */
-+ /* from now on we will wrap or unwrap the key */
-+ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "PK11_GetBlockSize" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ result = xmlSecBufferCreate( blockSize ) ;
-+ if( result == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferCreate" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ switch( ctx->cipher ) {
-+ case CKM_DES3_CBC :
-+ if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecNssKeyWrapDesOp" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ xmlSecBufferDestroy(result);
-+ return(-1);
-+ }
-+ break ;
-+ /* case CKM_NETSCAPE_AES_KEY_WRAP :*/
-+ case CKM_AES_CBC :
-+ if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecNssKeyWrapAesOp" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ xmlSecBufferDestroy(result);
-+ return(-1);
-+ }
-+ break ;
-+ }
-+
-+ /* Write output */
-+ if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ NULL ,
-+ "xmlSecBufferAppend" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ xmlSecBufferDestroy(result);
-+ return(-1);
-+ }
-+ xmlSecBufferDestroy(result);
-+
-+ return(0);
-+}
-+
-+static int
-+xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
-+ xmlSecNssKeyWrapCtxPtr context = NULL ;
-+ xmlSecBufferPtr inBuf, outBuf ;
-+ int operation ;
-+ int rtv ;
-+
-+ xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ;
-+ xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ;
-+ xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
-+ xmlSecAssert2( transformCtx != NULL , -1 ) ;
-+
-+ context = xmlSecNssKeyWrapGetCtx( transform ) ;
-+ if( context == NULL ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ "xmlSecNssKeyWrapGetCtx" ,
-+ XMLSEC_ERRORS_R_CRYPTO_FAILED ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+
-+ inBuf = &( transform->inBuf ) ;
-+ outBuf = &( transform->outBuf ) ;
-+
-+ if( transform->status == xmlSecTransformStatusNone ) {
-+ transform->status = xmlSecTransformStatusWorking ;
-+ }
-+
-+ operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
-+ if( transform->status == xmlSecTransformStatusWorking ) {
-+ if( context->material == NULL ) {
-+ rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ;
-+ if( rtv < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ "xmlSecNssKeyWrapCtxInit" ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+ }
-+
-+ if( context->material == NULL && last != 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ NULL ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ "No enough data to intialize transform" ) ;
-+ return(-1);
-+ }
-+
-+ if( context->material != NULL ) {
-+ rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ;
-+ if( rtv < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ "xmlSecNssKeyWrapCtxUpdate" ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+ }
-+
-+ if( last ) {
-+ rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ;
-+ if( rtv < 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ "xmlSecNssKeyWrapCtxFinal" ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ XMLSEC_ERRORS_NO_MESSAGE ) ;
-+ return(-1);
-+ }
-+ transform->status = xmlSecTransformStatusFinished ;
-+ }
-+ } else if( transform->status == xmlSecTransformStatusFinished ) {
-+ if( xmlSecBufferGetSize( inBuf ) != 0 ) {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ NULL ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ "status=%d", transform->status ) ;
-+ return(-1);
-+ }
-+ } else {
-+ xmlSecError( XMLSEC_ERRORS_HERE ,
-+ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
-+ NULL ,
-+ XMLSEC_ERRORS_R_INVALID_STATUS ,
-+ "status=%d", transform->status ) ;
-+ return(-1);
-+ }
-+
-+ return(0);
-+}
-+
-+#ifndef XMLSEC_NO_AES
-+
-+
-+#ifdef __MINGW32__ // for runtime-pseudo-reloc
-+static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = {
-+#else
-+static xmlSecTransformKlass xmlSecNssKWAes128Klass = {
-+#endif
-+ /* klass/object sizes */
-+ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */
-+ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */
-+
-+ xmlSecNameKWAes128, /* const xmlChar* name; */
-+ xmlSecHrefKWAes128, /* const xmlChar* href; */
-+ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */
-+
-+ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */
-+ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */
-+ NULL, /* xmlSecTransformNodeReadMethod readNode; */
-+ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */
-+ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */
-+ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */
-+ NULL, /* xmlSecTransformValidateMethod validate; */
-+ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */
-+ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */
-+ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */
-+ NULL, /* xmlSecTransformPushXmlMethod pushXml; */
-+ NULL, /* xmlSecTransformPopXmlMethod popXml; */
-+ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */
-+
-+ NULL, /* void* reserved0; */
-+ NULL, /* void* reserved1; */
-+};
-+
-+#ifdef __MINGW32__ // for runtime-pseudo-reloc
-+static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = {
-+#else
-+static xmlSecTransformKlass xmlSecNssKWAes192Klass = {
-+#endif
-+ /* klass/object sizes */
-+ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */
-+ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */
-+
-+ xmlSecNameKWAes192, /* const xmlChar* name; */
-+ xmlSecHrefKWAes192, /* const xmlChar* href; */
-+ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */
-+
-+ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */
-+ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */
-+ NULL, /* xmlSecTransformNodeReadMethod readNode; */
-+ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */
-+ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */
-+ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */
-+ NULL, /* xmlSecTransformValidateMethod validate; */
-+ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */
-+ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */
-+ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */
-+ NULL, /* xmlSecTransformPushXmlMethod pushXml; */
-+ NULL, /* xmlSecTransformPopXmlMethod popXml; */
-+ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */
-+
-+ NULL, /* void* reserved0; */
-+ NULL, /* void* reserved1; */
-+};
-+
-+#ifdef __MINGW32__ // for runtime-pseudo-reloc
-+static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = {
-+#else
-+static xmlSecTransformKlass xmlSecNssKWAes256Klass = {
-+#endif
-+ /* klass/object sizes */
-+ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */
-+ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */
-+
-+ xmlSecNameKWAes256, /* const xmlChar* name; */
-+ xmlSecHrefKWAes256, /* const xmlChar* href; */
-+ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */
-+
-+ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */
-+ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */
-+ NULL, /* xmlSecTransformNodeReadMethod readNode; */
-+ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */
-+ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */
-+ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */
-+ NULL, /* xmlSecTransformValidateMethod validate; */
-+ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */
-+ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */
-+ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */
-+ NULL, /* xmlSecTransformPushXmlMethod pushXml; */
-+ NULL, /* xmlSecTransformPopXmlMethod popXml; */
-+ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */
-+
-+ NULL, /* void* reserved0; */
-+ NULL, /* void* reserved1; */
-+};
-+
-+/**
-+ * xmlSecNssTransformKWAes128GetKlass:
-+ *
-+ * The AES-128 key wrapper transform klass.
-+ *
-+ * Returns AES-128 key wrapper transform klass.
-+ */
-+xmlSecTransformId
-+xmlSecNssTransformKWAes128GetKlass(void) {
-+ return(&xmlSecNssKWAes128Klass);
-+}
-+
-+/**
-+ * xmlSecNssTransformKWAes192GetKlass:
-+ *
-+ * The AES-192 key wrapper transform klass.
-+ *
-+ * Returns AES-192 key wrapper transform klass.
-+ */
-+xmlSecTransformId
-+xmlSecNssTransformKWAes192GetKlass(void) {
-+ return(&xmlSecNssKWAes192Klass);
-+}
-+
-+/**
-+ *
-+ * The AES-256 key wrapper transform klass.
-+ *
-+ * Returns AES-256 key wrapper transform klass.
-+ */
-+xmlSecTransformId
-+xmlSecNssTransformKWAes256GetKlass(void) {
-+ return(&xmlSecNssKWAes256Klass);
-+}
-+
-+#endif /* XMLSEC_NO_AES */
-+
-+
-+#ifndef XMLSEC_NO_DES
-+
-+#ifdef __MINGW32__ // for runtime-pseudo-reloc
-+static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = {
-+#else
-+static xmlSecTransformKlass xmlSecNssKWDes3Klass = {
-+#endif
-+ /* klass/object sizes */
-+ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */
-+ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */
-+
-+ xmlSecNameKWDes3, /* const xmlChar* name; */
-+ xmlSecHrefKWDes3, /* const xmlChar* href; */
-+ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */
-+
-+ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */
-+ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */
-+ NULL, /* xmlSecTransformNodeReadMethod readNode; */
-+ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */
-+ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */
-+ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */
-+ NULL, /* xmlSecTransformValidateMethod validate; */
-+ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */
-+ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */
-+ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */
-+ NULL, /* xmlSecTransformPushXmlMethod pushXml; */
-+ NULL, /* xmlSecTransformPopXmlMethod popXml; */
-+ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */
-+
-+ NULL, /* void* reserved0; */
-+ NULL, /* void* reserved1; */
-+};
-+
-+/**
-+ * xmlSecNssTransformKWDes3GetKlass:
-+ *
-+ * The Triple DES key wrapper transform klass.
-+ *
-+ * Returns Triple DES key wrapper transform klass.
-+ */
-+xmlSecTransformId
-+xmlSecNssTransformKWDes3GetKlass(void) {
-+ return(&xmlSecNssKWDes3Klass);
-+}
-+
-+#endif /* XMLSEC_NO_DES */
-+
diff --git a/src/nss/pkikeys.c b/src/nss/pkikeys.c
index ae9e29b..9acd317 100644
--- a/src/nss/pkikeys.c