diff options
Diffstat (limited to 'libxmlsec/xmlsec1-customkeymanage.patch')
| -rw-r--r-- | libxmlsec/xmlsec1-customkeymanage.patch | 6065 |
1 files changed, 6065 insertions, 0 deletions
diff --git a/libxmlsec/xmlsec1-customkeymanage.patch b/libxmlsec/xmlsec1-customkeymanage.patch new file mode 100644 index 000000000000..8bc97c474d56 --- /dev/null +++ b/libxmlsec/xmlsec1-customkeymanage.patch @@ -0,0 +1,6065 @@ +--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am 2009-09-21 14:02:48.563253008 +0200 +@@ -3,6 +3,7 @@ + xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto + + xmlsecmscryptoinc_HEADERS = \ ++akmngr.h \ + app.h \ + certkeys.h \ + crypto.h \ +--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in 2009-06-25 22:53:30.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in 2009-09-21 14:02:48.571021349 +0200 +@@ -281,6 +281,7 @@ + NULL = + xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto + xmlsecmscryptoinc_HEADERS = \ ++akmngr.h \ + app.h \ + certkeys.h \ + crypto.h \ +--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h 2009-09-21 14:07:19.052318336 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h 2009-09-21 14:02:48.504966762 +0200 +@@ -1 +1,71 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright .......................... ++ */ ++#ifndef __XMLSEC_MSCRYPTO_AKMNGR_H__ ++#define __XMLSEC_MSCRYPTO_AKMNGR_H__ ++ ++#include <windows.h> ++#include <wincrypt.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/transforms.h> ++ ++#ifdef __cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr ++xmlSecMSCryptoAppliedKeysMngrCreate( ++ HCERTSTORE keyStore , ++ HCERTSTORE certStore ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrSymKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY symKey ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrPubKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY pubKey ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrPriKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY priKey ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE keyStore ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE trustedStore ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE untrustedStore ++) ; ++ ++#ifdef __cplusplus ++} ++#endif /* __cplusplus */ ++ ++#endif /* __XMLSEC_MSCRYPTO_AKMNGR_H__ */ ++ ++ +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am 2009-09-21 14:02:48.577933031 +0200 +@@ -10,6 +10,9 @@ + keysstore.h \ + pkikeys.h \ + x509.h \ ++akmngr.h \ ++tokens.h \ ++ciphers.h \ + $(NULL) + + install-exec-hook: +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in 2009-06-25 22:53:31.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in 2009-09-21 14:02:48.585376325 +0200 +@@ -288,6 +288,9 @@ + keysstore.h \ + pkikeys.h \ + x509.h \ ++akmngr.h \ ++tokens.h \ ++ciphers.h \ + $(NULL) + + all: all-am +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h 2009-09-21 14:07:19.105517659 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h 2009-09-21 14:02:48.510978278 +0200 +@@ -1 +1,56 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright .......................... ++ */ ++#ifndef __XMLSEC_NSS_AKMNGR_H__ ++#define __XMLSEC_NSS_AKMNGR_H__ ++ ++#include <nss.h> ++#include <nspr.h> ++#include <pk11func.h> ++#include <cert.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/transforms.h> ++ ++#ifdef __cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr ++xmlSecNssAppliedKeysMngrCreate( ++ PK11SlotInfo** slots, ++ int cSlots, ++ CERTCertDBHandle* handler ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssAppliedKeysMngrSymKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ PK11SymKey* symKey ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssAppliedKeysMngrPubKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ SECKEYPublicKey* pubKey ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssAppliedKeysMngrPriKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ SECKEYPrivateKey* priKey ++) ; ++ ++#ifdef __cplusplus ++} ++#endif /* __cplusplus */ ++ ++#endif /* __XMLSEC_NSS_AKMNGR_H__ */ ++ ++ +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/app.h 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/app.h 2009-09-21 14:02:48.612847068 +0200 +@@ -22,6 +22,9 @@ + #include <xmlsec/keysmngr.h> + #include <xmlsec/transforms.h> + ++#include <xmlsec/nss/tokens.h> ++#include <xmlsec/nss/akmngr.h> ++ + /** + * Init/shutdown + */ +@@ -36,6 +39,8 @@ + xmlSecKeyPtr key); + XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrLoad (xmlSecKeysMngrPtr mngr, + const char* uri); ++XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr, ++ xmlSecNssKeySlotPtr keySlot); + XMLSEC_CRYPTO_EXPORT int xmlSecNssAppDefaultKeysMngrSave (xmlSecKeysMngrPtr mngr, + const char* filename, + xmlSecKeyDataType type); +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h 2009-09-21 14:07:19.146496548 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h 2009-09-21 14:02:48.516689712 +0200 +@@ -1 +1,35 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright .......................... ++ */ ++#ifndef __XMLSEC_NSS_CIPHERS_H__ ++#define __XMLSEC_NSS_CIPHERS_H__ ++ ++#ifdef __cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/transforms.h> ++ ++ ++XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data, ++ PK11SymKey* symkey ) ; ++ ++XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ; ++ ++XMLSEC_CRYPTO_EXPORT PK11SymKey* xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data); ++ ++ ++#ifdef __cplusplus ++} ++#endif /* __cplusplus */ ++ ++#endif /* __XMLSEC_NSS_CIPHERS_H__ */ ++ ++ +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h 2009-09-21 14:02:48.626261748 +0200 +@@ -16,6 +16,8 @@ + #endif /* __cplusplus */ + + #include <xmlsec/xmlsec.h> ++#include <xmlsec/keysmngr.h> ++#include <xmlsec/nss/tokens.h> + + /**************************************************************************** + * +@@ -31,6 +33,8 @@ + XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId xmlSecNssKeysStoreGetKlass (void); + XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKey (xmlSecKeyStorePtr store, + xmlSecKeyPtr key); ++XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store, ++ xmlSecNssKeySlotPtr keySlot); + XMLSEC_CRYPTO_EXPORT int xmlSecNssKeysStoreLoad (xmlSecKeyStorePtr store, + const char *uri, + xmlSecKeysMngrPtr keysMngr); +--- misc/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h 2009-09-21 14:07:19.172421448 +0200 ++++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h 2009-09-21 14:02:48.522913605 +0200 +@@ -1 +1,182 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved. ++ * ++ * Contributor(s): _____________________________ ++ * ++ */ ++#ifndef __XMLSEC_NSS_TOKENS_H__ ++#define __XMLSEC_NSS_TOKENS_H__ ++ ++#include <string.h> ++ ++#include <nss.h> ++#include <pk11func.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/list.h> ++ ++#ifdef __cplusplus ++extern "C" { ++#endif /* __cplusplus */ ++ ++/** ++ * xmlSecNssKeySlotListId ++ * ++ * The crypto mechanism list klass ++ */ ++#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass() ++XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ; ++ ++/******************************************* ++ * KeySlot interfaces ++ *******************************************/ ++/** ++ * Internal NSS key slot data ++ * @mechanismList: the mechanisms that the slot bound with. ++ * @slot: the pkcs slot ++ * ++ * This context is located after xmlSecPtrList ++ */ ++typedef struct _xmlSecNssKeySlot xmlSecNssKeySlot ; ++typedef struct _xmlSecNssKeySlot* xmlSecNssKeySlotPtr ; ++ ++struct _xmlSecNssKeySlot { ++ CK_MECHANISM_TYPE_PTR mechanismList ; /* mech. array, NULL ternimated */ ++ PK11SlotInfo* slot ; ++} ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotSetMechList( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE_PTR mechanismList ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotEnableMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE mechanism ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotDisableMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE mechanism ++) ; ++ ++XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR ++xmlSecNssKeySlotGetMechList( ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotSetSlot( ++ xmlSecNssKeySlotPtr keySlot , ++ PK11SlotInfo* slot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotInitialize( ++ xmlSecNssKeySlotPtr keySlot , ++ PK11SlotInfo* slot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT void ++xmlSecNssKeySlotFinalize( ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT PK11SlotInfo* ++xmlSecNssKeySlotGetSlot( ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr ++xmlSecNssKeySlotCreate() ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotCopy( ++ xmlSecNssKeySlotPtr newKeySlot , ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr ++xmlSecNssKeySlotDuplicate( ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT void ++xmlSecNssKeySlotDestroy( ++ xmlSecNssKeySlotPtr keySlot ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotBindMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE type ++) ; ++ ++XMLSEC_CRYPTO_EXPORT int ++xmlSecNssKeySlotSupportMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE type ++) ; ++ ++ ++/************************************************************************ ++ * PKCS#11 crypto token interfaces ++ * ++ * A PKCS#11 slot repository will be defined internally. From the ++ * repository, a user can specify a particular slot for a certain crypto ++ * mechanism. ++ * ++ * In some situation, some cryptographic operation should act in a user ++ * designated devices. The interfaces defined here provide the way. If ++ * the user do not initialize the repository distinctly, the interfaces ++ * use the default functions provided by NSS itself. ++ * ++ ************************************************************************/ ++/** ++ * Initialize NSS pkcs#11 slot repository ++ * ++ * Returns 0 if success or -1 if an error occurs. ++ */ ++XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ; ++ ++/** ++ * Shutdown and destroy NSS pkcs#11 slot repository ++ */ ++XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ; ++ ++/** ++ * Get PKCS#11 slot handler ++ * @type the mechanism that the slot must support. ++ * ++ * Returns a pointer to PKCS#11 slot or NULL if an error occurs. ++ * ++ * Notes: The returned handler must be destroied distinctly. ++ */ ++XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ; ++ ++/** ++ * Adopt a pkcs#11 slot with a mechanism into the repository ++ * @slot: the pkcs#11 slot. ++ * @mech: the mechanism. ++ * ++ * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with ++ * this mechanism only can perform on the @slot. ++ * ++ * Returns 0 if success or -1 if an error occurs. ++ */ ++XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ; ++ ++#ifdef __cplusplus ++} ++#endif /* __cplusplus */ ++ ++#endif /* __XMLSEC_NSS_TOKENS_H__ */ ++ +--- misc/xmlsec1-1.2.14/src/mscrypto/akmngr.c 2009-09-21 14:07:19.078910929 +0200 ++++ misc/build/xmlsec1-1.2.14/src/mscrypto/akmngr.c 2009-09-21 14:02:48.531281225 +0200 +@@ -1 +1,236 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright......................... ++ */ ++#include "globals.h" ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/keysmngr.h> ++#include <xmlsec/transforms.h> ++#include <xmlsec/errors.h> ++ ++#include <xmlsec/mscrypto/crypto.h> ++#include <xmlsec/mscrypto/keysstore.h> ++#include <xmlsec/mscrypto/akmngr.h> ++#include <xmlsec/mscrypto/x509.h> ++ ++/** ++ * xmlSecMSCryptoAppliedKeysMngrCreate: ++ * @hKeyStore: the pointer to key store. ++ * @hCertStore: the pointer to certificate database. ++ * ++ * Create and load key store and certificate database into keys manager ++ * ++ * Returns keys manager pointer on success or NULL otherwise. ++ */ ++xmlSecKeysMngrPtr ++xmlSecMSCryptoAppliedKeysMngrCreate( ++ HCERTSTORE hKeyStore , ++ HCERTSTORE hCertStore ++) { ++ xmlSecKeyDataStorePtr certStore = NULL ; ++ xmlSecKeysMngrPtr keyMngr = NULL ; ++ xmlSecKeyStorePtr keyStore = NULL ; ++ ++ keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ; ++ if( keyStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeyStoreCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * At present, MS Crypto engine do not provide a way to setup a key store. ++ */ ++ if( keyStore != NULL ) { ++ /*TODO: binding key store.*/ ++ } ++ ++ keyMngr = xmlSecKeysMngrCreate() ; ++ if( keyMngr == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Add key store to manager, from now on keys manager destroys the store if ++ * needed ++ */ ++ if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecKeysMngrAdoptKeyStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Initialize crypto library specific data in keys manager ++ */ ++ if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecMSCryptoKeysMngrInit" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Set certificate databse to X509 key data store ++ */ ++ /*- ++ * At present, MS Crypto engine do not provide a way to setup a cert store. ++ */ ++ ++ /*- ++ * Set the getKey callback ++ */ ++ keyMngr->getKey = xmlSecKeysMngrGetKey ; ++ ++ return keyMngr ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrSymKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY symKey ++) { ++ /*TODO: import the key into keys manager.*/ ++ return(0) ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrPubKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY pubKey ++) { ++ /*TODO: import the key into keys manager.*/ ++ return(0) ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrPriKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ HCRYPTKEY priKey ++) { ++ /*TODO: import the key into keys manager.*/ ++ return(0) ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE keyStore ++) { ++ xmlSecKeyDataStorePtr x509Store ; ++ ++ xmlSecAssert2( mngr != NULL, -1 ) ; ++ xmlSecAssert2( keyStore != NULL, -1 ) ; ++ ++ x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; ++ if( x509Store == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetDataStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , ++ "xmlSecMSCryptoX509StoreAdoptKeyStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ return( 0 ) ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE trustedStore ++) { ++ xmlSecKeyDataStorePtr x509Store ; ++ ++ xmlSecAssert2( mngr != NULL, -1 ) ; ++ xmlSecAssert2( trustedStore != NULL, -1 ) ; ++ ++ x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; ++ if( x509Store == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetDataStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , ++ "xmlSecMSCryptoX509StoreAdoptKeyStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ return( 0 ) ; ++} ++ ++int ++xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore ( ++ xmlSecKeysMngrPtr mngr , ++ HCERTSTORE untrustedStore ++) { ++ xmlSecKeyDataStorePtr x509Store ; ++ ++ xmlSecAssert2( mngr != NULL, -1 ) ; ++ xmlSecAssert2( untrustedStore != NULL, -1 ) ; ++ ++ x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ; ++ if( x509Store == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetDataStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) , ++ "xmlSecMSCryptoX509StoreAdoptKeyStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ) ; ++ } ++ ++ return( 0 ) ; ++} ++ +--- misc/xmlsec1-1.2.14/src/nss/Makefile.am 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.am 2009-09-21 14:02:48.591560472 +0200 +@@ -35,6 +35,9 @@ + kw_des.c \ + kw_aes.c \ + globals.h \ ++ akmngr.c \ ++ keywrapers.c \ ++ tokens.c \ + $(NULL) + + if SHAREDLIB_HACK +--- misc/xmlsec1-1.2.14/src/nss/Makefile.in 2009-06-25 22:53:33.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.in 2009-09-21 14:02:48.599339718 +0200 +@@ -72,7 +72,8 @@ + am__libxmlsec1_nss_la_SOURCES_DIST = app.c bignum.c ciphers.c crypto.c \ + digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \ + x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \ +- ../strings.c ++ ../strings.c \ ++ akmngr.c keywrapers.c tokens.c + am__objects_1 = + @SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_nss_la-strings.lo + am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \ +@@ -83,6 +84,8 @@ + libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \ + libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \ + libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \ ++ libxmlsec1_nss_la-akmngr.lo libxmlsec1_nss_la-keywrapers.lo \ ++ libxmlsec1_nss_la-tokens.lo \ + $(am__objects_1) $(am__objects_2) + libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS) + libxmlsec1_nss_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ +@@ -333,6 +336,7 @@ + libxmlsec1_nss_la_SOURCES = app.c bignum.c ciphers.c crypto.c \ + digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \ + x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \ ++ akmngr.c keywrapers.c tokens.c \ + $(NULL) $(am__append_1) + libxmlsec1_nss_la_LIBADD = \ + ../libxmlsec1.la \ +@@ -439,6 +443,9 @@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo@am__quote@ + + .c.o: + @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@@ -468,6 +475,27 @@ + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c + ++libxmlsec1_nss_la-akmngr.lo: akmngr.c ++@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-akmngr.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c; \ ++@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo"; exit 1; fi ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='akmngr.c' object='libxmlsec1_nss_la-akmngr.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c ++ ++libxmlsec1_nss_la-keywrapers.lo: keywrapers.c ++@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-keywrapers.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c; \ ++@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo"; exit 1; fi ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='keywrapers.c' object='libxmlsec1_nss_la-keywrapers.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c ++ ++libxmlsec1_nss_la-tokens.lo: tokens.c ++@am__fastdepCC_TRUE@ if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c; \ ++@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo"; exit 1; fi ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tokens.c' object='libxmlsec1_nss_la-tokens.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c ++ + libxmlsec1_nss_la-bignum.lo: bignum.c + @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-bignum.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo -c -o libxmlsec1_nss_la-bignum.lo `test -f 'bignum.c' || echo '$(srcdir)/'`bignum.c + @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo $(DEPDIR)/libxmlsec1_nss_la-bignum.Plo +--- misc/xmlsec1-1.2.14/src/nss/akmngr.c 2009-09-21 14:07:19.197249962 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/akmngr.c 2009-09-21 14:02:48.539616129 +0200 +@@ -1 +1,384 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright......................... ++ */ ++#include "globals.h" ++ ++#include <nspr.h> ++#include <nss.h> ++#include <pk11func.h> ++#include <cert.h> ++#include <keyhi.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/transforms.h> ++#include <xmlsec/errors.h> ++ ++#include <xmlsec/nss/crypto.h> ++#include <xmlsec/nss/tokens.h> ++#include <xmlsec/nss/akmngr.h> ++#include <xmlsec/nss/pkikeys.h> ++#include <xmlsec/nss/ciphers.h> ++#include <xmlsec/nss/keysstore.h> ++ ++/** ++ * xmlSecNssAppliedKeysMngrCreate: ++ * @slot: array of pointers to NSS PKCS#11 slot infomation. ++ * @cSlots: number of slots in the array ++ * @handler: the pointer to NSS certificate database. ++ * ++ * Create and load NSS crypto slot and certificate database into keys manager ++ * ++ * Returns keys manager pointer on success or NULL otherwise. ++ */ ++xmlSecKeysMngrPtr ++xmlSecNssAppliedKeysMngrCreate( ++ PK11SlotInfo** slots, ++ int cSlots, ++ CERTCertDBHandle* handler ++) { ++ xmlSecKeyDataStorePtr certStore = NULL ; ++ xmlSecKeysMngrPtr keyMngr = NULL ; ++ xmlSecKeyStorePtr keyStore = NULL ; ++ int islot = 0; ++ keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ; ++ if( keyStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeyStoreCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return NULL ; ++ } ++ ++ for (islot = 0; islot < cSlots; islot++) ++ { ++ xmlSecNssKeySlotPtr keySlot ; ++ ++ /* Create a key slot */ ++ keySlot = xmlSecNssKeySlotCreate() ; ++ if( keySlot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecNssKeySlotCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ return NULL ; ++ } ++ ++ /* Set slot */ ++ if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecNssKeySlotSetSlot" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ xmlSecNssKeySlotDestroy( keySlot ) ; ++ return NULL ; ++ } ++ ++ /* Adopt keySlot */ ++ if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecNssKeysStoreAdoptKeySlot" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ xmlSecNssKeySlotDestroy( keySlot ) ; ++ return NULL ; ++ } ++ } ++ ++ keyMngr = xmlSecKeysMngrCreate() ; ++ if( keyMngr == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Add key store to manager, from now on keys manager destroys the store if ++ * needed ++ */ ++ if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecKeysMngrAdoptKeyStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyStoreDestroy( keyStore ) ; ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Initialize crypto library specific data in keys manager ++ */ ++ if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Set certificate databse to X509 key data store ++ */ ++ /** ++ * Because Tej's implementation of certDB use the default DB, so I ignore ++ * the certDB handler at present. I'll modify the cert store sources to ++ * accept particular certDB instead of default ones. ++ certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ; ++ if( certStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecKeysMngrGetDataStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ ++ if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) , ++ "xmlSecNssKeyDataStoreX509SetCertDb" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeysMngrDestroy( keyMngr ) ; ++ return NULL ; ++ } ++ */ ++ ++ /*- ++ * Set the getKey callback ++ */ ++ keyMngr->getKey = xmlSecKeysMngrGetKey ; ++ ++ return keyMngr ; ++} ++ ++int ++xmlSecNssAppliedKeysMngrSymKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ PK11SymKey* symKey ++) { ++ xmlSecKeyPtr key ; ++ xmlSecKeyDataPtr data ; ++ xmlSecKeyStorePtr keyStore ; ++ ++ xmlSecAssert2( mngr != NULL , -1 ) ; ++ xmlSecAssert2( symKey != NULL , -1 ) ; ++ ++ keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; ++ if( keyStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetKeysStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; ++ ++ data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ; ++ if( data == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ ++ key = xmlSecKeyCreate() ; ++ if( key == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecKeySetValue( key , data ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDestroy( key ) ; ++ return(-1) ; ++ } ++ ++ return(0) ; ++} ++ ++int ++xmlSecNssAppliedKeysMngrPubKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ SECKEYPublicKey* pubKey ++) { ++ xmlSecKeyPtr key ; ++ xmlSecKeyDataPtr data ; ++ xmlSecKeyStorePtr keyStore ; ++ ++ xmlSecAssert2( mngr != NULL , -1 ) ; ++ xmlSecAssert2( pubKey != NULL , -1 ) ; ++ ++ keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; ++ if( keyStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetKeysStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; ++ ++ data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ; ++ if( data == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssPKIAdoptKey" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ ++ key = xmlSecKeyCreate() ; ++ if( key == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecKeySetValue( key , data ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDestroy( key ) ; ++ return(-1) ; ++ } ++ ++ return(0) ; ++} ++ ++int ++xmlSecNssAppliedKeysMngrPriKeyLoad( ++ xmlSecKeysMngrPtr mngr , ++ SECKEYPrivateKey* priKey ++) { ++ xmlSecKeyPtr key ; ++ xmlSecKeyDataPtr data ; ++ xmlSecKeyStorePtr keyStore ; ++ ++ xmlSecAssert2( mngr != NULL , -1 ) ; ++ xmlSecAssert2( priKey != NULL , -1 ) ; ++ ++ keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ; ++ if( keyStore == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeysMngrGetKeysStore" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ; ++ ++ data = xmlSecNssPKIAdoptKey( priKey, NULL ) ; ++ if( data == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssPKIAdoptKey" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ ++ key = xmlSecKeyCreate() ; ++ if( key == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecKeySetValue( key , data ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataKeyAdopt" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDestroy( key ) ; ++ return(-1) ; ++ } ++ ++ return(0) ; ++} ++ +--- misc/xmlsec1-1.2.14/src/nss/hmac.c 2009-06-26 06:18:13.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/hmac.c 2009-09-21 14:02:48.649065288 +0200 +@@ -23,8 +23,8 @@ + #include <xmlsec/transforms.h> + #include <xmlsec/errors.h> + +-#include <xmlsec/nss/app.h> + #include <xmlsec/nss/crypto.h> ++#include <xmlsec/nss/tokens.h> + + /* sizes in bits */ + #define XMLSEC_NSS_MIN_HMAC_SIZE 80 +@@ -286,13 +286,13 @@ + keyItem.data = xmlSecBufferGetData(buffer); + keyItem.len = xmlSecBufferGetSize(buffer); + +- slot = PK11_GetBestSlot(ctx->digestType, NULL); ++ slot = xmlSecNssSlotGet(ctx->digestType); + if(slot == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), +- "PK11_GetBestSlot", ++ "xmlSecNssSlotGet", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + return(-1); + } + +--- misc/xmlsec1-1.2.14/src/nss/keysstore.c 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/keysstore.c 2009-09-21 14:02:48.633533885 +0200 +@@ -1,36 +1,56 @@ + /** + * XMLSec library + * +- * Nss keys store that uses Simple Keys Store under the hood. Uses the +- * Nss DB as a backing store for the finding keys, but the NSS DB is +- * not written to by the keys store. +- * So, if store->findkey is done and the key is not found in the simple +- * keys store, the NSS DB is looked up. +- * If store is called to adopt a key, that key is not written to the NSS +- * DB. +- * Thus, the NSS DB can be used to pre-load keys and becomes an alternate +- * source of keys for xmlsec +- * + * This is free software; see Copyright file in the source + * distribution for precise wording. + * + * Copyright (c) 2003 America Online, Inc. All rights reserved. + */ ++ ++/** ++ * NSS key store uses a key list and a slot list as the key repository. NSS slot ++ * list is a backup repository for the finding keys. If a key is not found from ++ * the key list, the NSS slot list is looked up. ++ * ++ * Any key in the key list will not save to pkcs11 slot. When a store to called ++ * to adopt a key, the key is resident in the key list; While a store to called ++ * to set a is resident in the key list; While a store to called to set a slot ++ * list, which means that the keys in the listed slot can be used for xml sign- ++ * nature or encryption. ++ * ++ * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec. ++ * ++ * The framework will decrease the user interfaces to administrate xmlSec crypto ++ * engine. He can only focus on NSS layer functions. For examples, after the ++ * user set up a slot list handler to the keys store, he do not need to do any ++ * other work atop xmlSec interfaces, his action on the slot list handler, such ++ * as add a token to, delete a token from the list, will directly effect the key ++ * store behaviors. ++ * ++ * For example, a scenariio: ++ * 0. Create a slot list;( NSS interfaces ) ++ * 1. Create a keys store;( xmlSec interfaces ) ++ * 2. Set slot list with the keys store;( xmlSec Interfaces ) ++ * 3. Add a slot to the slot list;( NSS interfaces ) ++ * 4. Perform xml signature; ( xmlSec Interfaces ) ++ * 5. Deleter a slot from the slot list;( NSS interfaces ) ++ * 6. Perform xml encryption; ( xmlSec Interfaces ) ++ * 7. Perform xml signature;( xmlSec Interfaces ) ++ * 8. Destroy the keys store;( xmlSec Interfaces ) ++ * 8. Destroy the slot list.( NSS Interfaces ) ++ */ + #include "globals.h" + + #include <stdlib.h> + #include <string.h> + + #include <nss.h> +-#include <cert.h> + #include <pk11func.h> ++#include <prinit.h> + #include <keyhi.h> + +-#include <libxml/tree.h> +- + #include <xmlsec/xmlsec.h> +-#include <xmlsec/buffer.h> +-#include <xmlsec/base64.h> ++#include <xmlsec/keys.h> + #include <xmlsec/errors.h> + #include <xmlsec/xmltree.h> + +@@ -38,82 +58,461 @@ + + #include <xmlsec/nss/crypto.h> + #include <xmlsec/nss/keysstore.h> +-#include <xmlsec/nss/x509.h> ++#include <xmlsec/nss/tokens.h> ++#include <xmlsec/nss/ciphers.h> + #include <xmlsec/nss/pkikeys.h> + + /**************************************************************************** + * +- * Nss Keys Store. Uses Simple Keys Store under the hood ++ * Internal NSS key store context + * +- * Simple Keys Store ptr is located after xmlSecKeyStore ++ * This context is located after xmlSecKeyStore + * + ***************************************************************************/ ++typedef struct _xmlSecNssKeysStoreCtx xmlSecNssKeysStoreCtx ; ++typedef struct _xmlSecNssKeysStoreCtx* xmlSecNssKeysStoreCtxPtr ; ++ ++struct _xmlSecNssKeysStoreCtx { ++ xmlSecPtrListPtr keyList ; ++ xmlSecPtrListPtr slotList ; ++} ; ++ + #define xmlSecNssKeysStoreSize \ +- (sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr)) ++ ( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) ) + +-#define xmlSecNssKeysStoreGetSS(store) \ +- ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \ +- (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \ +- (xmlSecKeyStorePtr*)NULL) +- +-static int xmlSecNssKeysStoreInitialize (xmlSecKeyStorePtr store); +-static void xmlSecNssKeysStoreFinalize (xmlSecKeyStorePtr store); +-static xmlSecKeyPtr xmlSecNssKeysStoreFindKey (xmlSecKeyStorePtr store, +- const xmlChar* name, +- xmlSecKeyInfoCtxPtr keyInfoCtx); ++#define xmlSecNssKeysStoreGetCtx( data ) \ ++ ( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) ) + +-static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = { +- sizeof(xmlSecKeyStoreKlass), +- xmlSecNssKeysStoreSize, ++int xmlSecNssKeysStoreAdoptKeySlot( ++ xmlSecKeyStorePtr store , ++ xmlSecNssKeySlotPtr keySlot ++) { ++ xmlSecNssKeysStoreCtxPtr context = NULL ; ++ ++ xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; ++ xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecNssKeysStoreGetCtx" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( context->slotList == NULL ) { ++ if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ } ++ ++ if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListCheckId" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListAdd" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ return 0 ; ++} + +- /* data */ +- BAD_CAST "NSS-keys-store", /* const xmlChar* name; */ +- +- /* constructors/destructor */ +- xmlSecNssKeysStoreInitialize, /* xmlSecKeyStoreInitializeMethod initialize; */ +- xmlSecNssKeysStoreFinalize, /* xmlSecKeyStoreFinalizeMethod finalize; */ +- xmlSecNssKeysStoreFindKey, /* xmlSecKeyStoreFindKeyMethod findKey; */ +- +- /* reserved for the future */ +- NULL, /* void* reserved0; */ +- NULL, /* void* reserved1; */ +-}; ++int xmlSecNssKeysStoreAdoptKey( ++ xmlSecKeyStorePtr store , ++ xmlSecKeyPtr key ++) { ++ xmlSecNssKeysStoreCtxPtr context = NULL ; ++ ++ xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; ++ xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; ++ ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecNssKeysStoreGetCtx" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( context->keyList == NULL ) { ++ if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ } ++ ++ if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListCheckId" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecPtrListAdd" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } + +-/** +- * xmlSecNssKeysStoreGetKlass: +- * +- * The Nss list based keys store klass. ++ return 0 ; ++} ++ ++/* ++ * xmlSecKeyStoreInitializeMethod: ++ * @store: the store. ++ * ++ * Keys store specific initialization method. + * +- * Returns: Nss list based keys store klass. ++ * Returns 0 on success or a negative value if an error occurs. + */ +-xmlSecKeyStoreId +-xmlSecNssKeysStoreGetKlass(void) { +- return(&xmlSecNssKeysStoreKlass); ++static int ++xmlSecNssKeysStoreInitialize( ++ xmlSecKeyStorePtr store ++) { ++ xmlSecNssKeysStoreCtxPtr context = NULL ; ++ ++ xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ; ++ xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ; ++ ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecNssKeysStoreGetCtx" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ ++ context->keyList = NULL ; ++ context->slotList = NULL ; ++ ++ return 0 ; + } + + /** +- * xmlSecNssKeysStoreAdoptKey: +- * @store: the pointer to Nss keys store. +- * @key: the pointer to key. +- * +- * Adds @key to the @store. + * +- * Returns: 0 on success or a negative value if an error occurs. ++ * xmlSecKeyStoreFinalizeMethod: ++ * @store: the store. ++ * ++ * Keys store specific finalization (destroy) method. + */ +-int +-xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) { +- xmlSecKeyStorePtr *ss; +- +- xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); +- xmlSecAssert2((key != NULL), -1); ++void ++xmlSecNssKeysStoreFinalize( ++ xmlSecKeyStorePtr store ++) { ++ xmlSecNssKeysStoreCtxPtr context = NULL ; ++ ++ xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ; ++ xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ; ++ ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecNssKeysStoreGetCtx" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return ; ++ } ++ ++ if( context->keyList != NULL ) { ++ xmlSecPtrListDestroy( context->keyList ) ; ++ context->keyList = NULL ; ++ } ++ ++ if( context->slotList != NULL ) { ++ xmlSecPtrListDestroy( context->slotList ) ; ++ context->slotList = NULL ; ++ } ++} ++ ++xmlSecKeyPtr ++xmlSecNssKeysStoreFindKeyFromSlot( ++ PK11SlotInfo* slot, ++ const xmlChar* name, ++ xmlSecKeyInfoCtxPtr keyInfoCtx ++) { ++ xmlSecKeyPtr key = NULL ; ++ xmlSecKeyDataPtr data = NULL ; ++ int length ; ++ ++ xmlSecAssert2( slot != NULL , NULL ) ; ++ xmlSecAssert2( name != NULL , NULL ) ; ++ xmlSecAssert2( keyInfoCtx != NULL , NULL ) ; ++ ++ if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) { ++ PK11SymKey* symKey ; ++ PK11SymKey* curKey ; ++ ++ /* Find symmetric key from the slot by name */ ++ symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ; ++ for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) { ++ /* Check the key request */ ++ length = PK11_GetKeyLength( curKey ) ; ++ length *= 8 ; ++ if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && ++ ( length > 0 ) && ++ ( length < keyInfoCtx->keyReq.keyBitsSize ) ) ++ continue ; ++ ++ /* We find a eligible key */ ++ data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ; ++ if( data == NULL ) { ++ /* Do nothing */ ++ } ++ break ; ++ } ++ ++ /* Destroy the sym key list */ ++ for( curKey = symKey ; curKey != NULL ; ) { ++ symKey = curKey ; ++ curKey = PK11_GetNextSymKey( symKey ) ; ++ PK11_FreeSymKey( symKey ) ; ++ } ++ } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) { ++ SECKEYPublicKeyList* pubKeyList ; ++ SECKEYPublicKey* pubKey ; ++ SECKEYPublicKeyListNode* curPub ; ++ ++ /* Find asymmetric key from the slot by name */ ++ pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ; ++ pubKey = NULL ; ++ curPub = PUBKEY_LIST_HEAD(pubKeyList); ++ for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) { ++ /* Check the key request */ ++ length = SECKEY_PublicKeyStrength( curPub->key ) ; ++ length *= 8 ; ++ if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && ++ ( length > 0 ) && ++ ( length < keyInfoCtx->keyReq.keyBitsSize ) ) ++ continue ; ++ ++ /* We find a eligible key */ ++ pubKey = curPub->key ; ++ break ; ++ } ++ ++ if( pubKey != NULL ) { ++ data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ; ++ if( data == NULL ) { ++ /* Do nothing */ ++ } ++ } ++ ++ /* Destroy the public key list */ ++ SECKEY_DestroyPublicKeyList( pubKeyList ) ; ++ } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) { ++ SECKEYPrivateKeyList* priKeyList = NULL ; ++ SECKEYPrivateKey* priKey = NULL ; ++ SECKEYPrivateKeyListNode* curPri ; ++ ++ /* Find asymmetric key from the slot by name */ ++ priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ; ++ priKey = NULL ; ++ curPri = PRIVKEY_LIST_HEAD(priKeyList); ++ for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) { ++ /* Check the key request */ ++ length = PK11_SignatureLen( curPri->key ) ; ++ length *= 8 ; ++ if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) && ++ ( length > 0 ) && ++ ( length < keyInfoCtx->keyReq.keyBitsSize ) ) ++ continue ; ++ ++ /* We find a eligible key */ ++ priKey = curPri->key ; ++ break ; ++ } ++ ++ if( priKey != NULL ) { ++ data = xmlSecNssPKIAdoptKey( priKey, NULL ) ; ++ if( data == NULL ) { ++ /* Do nothing */ ++ } ++ } ++ ++ /* Destroy the private key list */ ++ SECKEY_DestroyPrivateKeyList( priKeyList ) ; ++ } ++ ++ /* If we have gotten the key value */ ++ if( data != NULL ) { ++ if( ( key = xmlSecKeyCreate() ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeyCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyDataDestroy( data ) ; ++ return NULL ; ++ } ++ ++ if( xmlSecKeySetValue( key , data ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeySetValue" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyDestroy( key ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return NULL ; ++ } ++ } + +- ss = xmlSecNssKeysStoreGetSS(store); +- xmlSecAssert2(((ss != NULL) && (*ss != NULL) && +- (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1); ++ return(key); ++} ++ ++/** ++ * xmlSecKeyStoreFindKeyMethod: ++ * @store: the store. ++ * @name: the desired key name. ++ * @keyInfoCtx: the pointer to key info context. ++ * ++ * Keys store specific find method. The caller is responsible for destroying ++ * the returned key using #xmlSecKeyDestroy method. ++ * ++ * Returns the pointer to a key or NULL if key is not found or an error occurs. ++ */ ++static xmlSecKeyPtr ++xmlSecNssKeysStoreFindKey( ++ xmlSecKeyStorePtr store , ++ const xmlChar* name , ++ xmlSecKeyInfoCtxPtr keyInfoCtx ++) { ++ xmlSecNssKeysStoreCtxPtr context = NULL ; ++ xmlSecKeyPtr key = NULL ; ++ xmlSecNssKeySlotPtr keySlot = NULL ; ++ xmlSecSize pos ; ++ xmlSecSize size ; ++ ++ xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ; ++ xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ; ++ xmlSecAssert2( keyInfoCtx != NULL , NULL ) ; ++ ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecNssKeysStoreGetCtx" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return NULL ; ++ } ++ ++ /*- ++ * Look for key at keyList at first. ++ */ ++ if( context->keyList != NULL ) { ++ size = xmlSecPtrListGetSize( context->keyList ) ; ++ for( pos = 0 ; pos < size ; pos ++ ) { ++ key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ; ++ if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) { ++ return xmlSecKeyDuplicate( key ) ; ++ } ++ } ++ } ++ ++ /*- ++ * Find the key from slotList ++ */ ++ if( context->slotList != NULL ) { ++ PK11SlotInfo* slot = NULL ; ++ ++ size = xmlSecPtrListGetSize( context->slotList ) ; ++ for( pos = 0 ; pos < size ; pos ++ ) { ++ keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ; ++ slot = xmlSecNssKeySlotGetSlot( keySlot ) ; ++ if( slot == NULL ) { ++ continue ; ++ } else { ++ key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ; ++ if( key == NULL ) { ++ continue ; ++ } else { ++ return( key ) ; ++ } ++ } ++ } ++ } ++ ++ /*- ++ * Create a session key if we can not find the key from keyList and slotList ++ */ ++ if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) { ++ key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ; ++ if( key == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) , ++ "xmlSecKeySetValue" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return NULL ; ++ } ++ ++ return key ; ++ } ++ ++ /** ++ * We have no way to find the key any more. ++ */ ++ return NULL ; ++} ++ ++static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = { ++ sizeof( xmlSecKeyStoreKlass ) , ++ xmlSecNssKeysStoreSize , ++ BAD_CAST "implicit_nss_keys_store" , ++ xmlSecNssKeysStoreInitialize , ++ xmlSecNssKeysStoreFinalize , ++ xmlSecNssKeysStoreFindKey , ++ NULL , ++ NULL ++} ; + +- return (xmlSecSimpleKeysStoreAdoptKey(*ss, key)); ++/** ++ * xmlSecNssKeysStoreGetKlass: ++ * ++ * The simple list based keys store klass. ++ * ++ */ ++xmlSecKeyStoreId ++xmlSecNssKeysStoreGetKlass( void ) { ++ return &xmlSecNssKeysStoreKlass ; + } + ++/************************** ++ * Application routines ++ */ ++ + /** + * xmlSecNssKeysStoreLoad: + * @store: the pointer to Nss keys store. +@@ -252,234 +651,147 @@ + */ + int + xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) { +- xmlSecKeyStorePtr *ss; ++ xmlSecKeyInfoCtx keyInfoCtx; ++ xmlSecNssKeysStoreCtxPtr context ; ++ xmlSecPtrListPtr list; ++ xmlSecKeyPtr key; ++ xmlSecSize i, keysSize; ++ xmlDocPtr doc; ++ xmlNodePtr cur; ++ xmlSecKeyDataPtr data; ++ xmlSecPtrListPtr idsList; ++ xmlSecKeyDataId dataId; ++ xmlSecSize idsSize, j; ++ int ret; + + xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); +- xmlSecAssert2((filename != NULL), -1); +- +- ss = xmlSecNssKeysStoreGetSS(store); +- xmlSecAssert2(((ss != NULL) && (*ss != NULL) && +- (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1); +- +- return (xmlSecSimpleKeysStoreSave(*ss, filename, type)); +-} +- +-static int +-xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) { +- xmlSecKeyStorePtr *ss; ++ xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ; ++ xmlSecAssert2(filename != NULL, -1); + +- xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1); ++ context = xmlSecNssKeysStoreGetCtx( store ) ; ++ xmlSecAssert2( context != NULL, -1 ); + +- ss = xmlSecNssKeysStoreGetSS(store); +- xmlSecAssert2((*ss == NULL), -1); ++ list = context->keyList ; ++ xmlSecAssert2( list != NULL, -1 ); ++ xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1); + +- *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId); +- if(*ss == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, ++ /* create doc */ ++ doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs); ++ if(doc == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), +- "xmlSecKeyStoreCreate", ++ "xmlSecCreateTree", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "xmlSecSimpleKeysStoreId"); ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + +- return(0); +-} +- +-static void +-xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) { +- xmlSecKeyStorePtr *ss; +- +- xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId)); +- +- ss = xmlSecNssKeysStoreGetSS(store); +- xmlSecAssert((ss != NULL) && (*ss != NULL)); +- +- xmlSecKeyStoreDestroy(*ss); +-} +- +-static xmlSecKeyPtr +-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, +- xmlSecKeyInfoCtxPtr keyInfoCtx) { +- xmlSecKeyStorePtr* ss; +- xmlSecKeyPtr key = NULL; +- xmlSecKeyPtr retval = NULL; +- xmlSecKeyReqPtr keyReq = NULL; +- CERTCertificate *cert = NULL; +- SECKEYPublicKey *pubkey = NULL; +- SECKEYPrivateKey *privkey = NULL; +- xmlSecKeyDataPtr data = NULL; +- xmlSecKeyDataPtr x509Data = NULL; +- int ret; +- +- xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL); +- xmlSecAssert2(keyInfoCtx != NULL, NULL); +- +- ss = xmlSecNssKeysStoreGetSS(store); +- xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL); +- +- key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx); +- if (key != NULL) { +- return (key); +- } +- +- /* Try to find the key in the NSS DB, and construct an xmlSecKey. +- * we must have a name to lookup keys in NSS DB. +- */ +- if (name == NULL) { +- goto done; +- } ++ idsList = xmlSecKeyDataIdsGet(); ++ xmlSecAssert2(idsList != NULL, -1); + +- /* what type of key are we looking for? +- * TBD: For now, we'll look only for public/private keys using the +- * name as a cert nickname. Later on, we can attempt to find +- * symmetric keys using PK11_FindFixedKey +- */ +- keyReq = &(keyInfoCtx->keyReq); +- if (keyReq->keyType & +- (xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) { +- cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name); +- if (cert == NULL) { +- goto done; +- } ++ keysSize = xmlSecPtrListGetSize(list); ++ idsSize = xmlSecPtrListGetSize(idsList); ++ for(i = 0; i < keysSize; ++i) { ++ key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i); ++ xmlSecAssert2(key != NULL, -1); + +- if (keyReq->keyType & xmlSecKeyDataTypePublic) { +- pubkey = CERT_ExtractPublicKey(cert); +- if (pubkey == NULL) { ++ cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs); ++ if(cur == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "CERT_ExtractPublicKey", +- XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; +- } ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSecAddChild", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "node=%s", ++ xmlSecErrorsSafeString(xmlSecNodeKeyInfo)); ++ xmlFreeDoc(doc); ++ return(-1); + } + +- if (keyReq->keyType & xmlSecKeyDataTypePrivate) { +- privkey = PK11_FindKeyByAnyCert(cert, NULL); +- if (privkey == NULL) { ++ /* special data key name */ ++ if(xmlSecKeyGetName(key) != NULL) { ++ if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "PK11_FindKeyByAnyCert", +- XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSecAddChild", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "node=%s", ++ xmlSecErrorsSafeString(xmlSecNodeKeyName)); ++ xmlFreeDoc(doc); ++ return(-1); + } + } + +- data = xmlSecNssPKIAdoptKey(privkey, pubkey); +- if(data == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssPKIAdoptKey", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; +- } +- privkey = NULL; +- pubkey = NULL; +- +- key = xmlSecKeyCreate(); +- if (key == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecKeyCreate", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return (NULL); +- } +- +- x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id); +- if(x509Data == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecKeyDataCreate", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "transform=%s", +- xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id))); +- goto done; +- } ++ /* create nodes for other keys data */ ++ for(j = 0; j < idsSize; ++j) { ++ dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j); ++ xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1); ++ ++ if(dataId->dataNodeName == NULL) { ++ continue; ++ } ++ ++ data = xmlSecKeyGetData(key, dataId); ++ if(data == NULL) { ++ continue; ++ } + +- ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert); +- if (ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssKeyDataX509AdoptKeyCert", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "data=%s", +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); +- goto done; +- } +- cert = CERT_DupCertificate(cert); +- if (cert == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "CERT_DupCertificate", +- XMLSEC_ERRORS_R_CRYPTO_FAILED, +- "data=%s", +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); +- goto done; ++ if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSecAddChild", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "node=%s", ++ xmlSecErrorsSafeString(dataId->dataNodeName)); ++ xmlFreeDoc(doc); ++ return(-1); ++ } + } + +- ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert); ++ ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL); + if (ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssKeyDataX509AdoptCert", ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSecKeyInfoCtxInitialize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "data=%s", +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); +- goto done; ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlFreeDoc(doc); ++ return(-1); + } +- cert = NULL; + +- ret = xmlSecKeySetValue(key, data); +- if (ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecKeySetValue", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "data=%s", +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(data))); +- goto done; +- } +- data = NULL; ++ keyInfoCtx.mode = xmlSecKeyInfoModeWrite; ++ keyInfoCtx.keyReq.keyId = xmlSecKeyDataIdUnknown; ++ keyInfoCtx.keyReq.keyType = type; ++ keyInfoCtx.keyReq.keyUsage = xmlSecKeyDataUsageAny; + +- ret = xmlSecKeyAdoptData(key, x509Data); ++ /* finally write key in the node */ ++ ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx); + if (ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecKeyAdoptData", ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSecKeyInfoNodeWrite", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "data=%s", +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data))); +- goto done; +- } +- x509Data = NULL; ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecKeyInfoCtxFinalize(&keyInfoCtx); ++ xmlFreeDoc(doc); ++ return(-1); ++ } + +- retval = key; +- key = NULL; ++ xmlSecKeyInfoCtxFinalize(&keyInfoCtx); + } + +-done: +- if (cert != NULL) { +- CERT_DestroyCertificate(cert); +- } +- if (pubkey != NULL) { +- SECKEY_DestroyPublicKey(pubkey); +- } +- if (privkey != NULL) { +- SECKEY_DestroyPrivateKey(privkey); +- } +- if (data != NULL) { +- xmlSecKeyDataDestroy(data); +- } +- if (x509Data != NULL) { +- xmlSecKeyDataDestroy(x509Data); +- } +- if (key != NULL) { +- xmlSecKeyDestroy(key); ++ /* now write result */ ++ ret = xmlSaveFormatFile(filename, doc, 1); ++ if (ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)), ++ "xmlSaveFormatFile", ++ XMLSEC_ERRORS_R_XML_FAILED, ++ "filename=%s", ++ xmlSecErrorsSafeString(filename)); ++ xmlFreeDoc(doc); ++ return(-1); + } + +- return (retval); ++ xmlFreeDoc(doc); ++ return(0); + } +--- misc/xmlsec1-1.2.14/src/nss/keywrapers.c 2009-09-21 14:07:19.223802688 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/keywrapers.c 2009-09-21 14:02:48.548869372 +0200 +@@ -1 +1,1213 @@ +-dummy ++/** ++ * ++ * XMLSec library ++ * ++ * AES Algorithm support ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright ................................. ++ */ ++#include "globals.h" ++ ++#include <stdlib.h> ++#include <stdio.h> ++#include <string.h> ++ ++#include <nss.h> ++#include <pk11func.h> ++#include <hasht.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/xmltree.h> ++#include <xmlsec/keys.h> ++#include <xmlsec/transforms.h> ++#include <xmlsec/errors.h> ++ ++#include <xmlsec/nss/crypto.h> ++#include <xmlsec/nss/ciphers.h> ++ ++#define XMLSEC_NSS_AES128_KEY_SIZE 16 ++#define XMLSEC_NSS_AES192_KEY_SIZE 24 ++#define XMLSEC_NSS_AES256_KEY_SIZE 32 ++#define XMLSEC_NSS_DES3_KEY_SIZE 24 ++#define XMLSEC_NSS_DES3_KEY_LENGTH 24 ++#define XMLSEC_NSS_DES3_IV_LENGTH 8 ++#define XMLSEC_NSS_DES3_BLOCK_LENGTH 8 ++ ++static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = { ++ 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 ++}; ++ ++/********************************************************************* ++ * ++ * key wrap transforms ++ * ++ ********************************************************************/ ++typedef struct _xmlSecNssKeyWrapCtx xmlSecNssKeyWrapCtx ; ++typedef struct _xmlSecNssKeyWrapCtx* xmlSecNssKeyWrapCtxPtr ; ++ ++#define xmlSecNssKeyWrapSize \ ++ ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) ) ++ ++#define xmlSecNssKeyWrapGetCtx( transform ) \ ++ ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) ) ++ ++struct _xmlSecNssKeyWrapCtx { ++ CK_MECHANISM_TYPE cipher ; ++ PK11SymKey* symkey ; ++ xmlSecKeyDataId keyId ; ++ xmlSecBufferPtr material ; /* to be encrypted/decrypted key material */ ++} ; ++ ++static int xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform); ++static void xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform); ++static int xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, ++ xmlSecKeyReqPtr keyReq); ++static int xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, ++ xmlSecKeyPtr key); ++static int xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, ++ int last, ++ xmlSecTransformCtxPtr transformCtx); ++static xmlSecSize xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform); ++ ++static int ++xmlSecNssKeyWrapCheckId( ++ xmlSecTransformPtr transform ++) { ++ #ifndef XMLSEC_NO_DES ++ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { ++ return(1); ++ } ++ #endif /* XMLSEC_NO_DES */ ++ ++ #ifndef XMLSEC_NO_AES ++ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) || ++ xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) || ++ xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) { ++ ++ return(1); ++ } ++ #endif /* XMLSEC_NO_AES */ ++ ++ return(0); ++} ++ ++static xmlSecSize ++xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) { ++#ifndef XMLSEC_NO_DES ++ if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) { ++ return(XMLSEC_NSS_DES3_KEY_SIZE); ++ } else ++#endif /* XMLSEC_NO_DES */ ++ ++#ifndef XMLSEC_NO_AES ++ if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) { ++ return(XMLSEC_NSS_AES128_KEY_SIZE); ++ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) { ++ return(XMLSEC_NSS_AES192_KEY_SIZE); ++ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { ++ return(XMLSEC_NSS_AES256_KEY_SIZE); ++ } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) { ++ return(XMLSEC_NSS_AES256_KEY_SIZE); ++ } else ++#endif /* XMLSEC_NO_AES */ ++ ++ if(1) ++ return(0); ++} ++ ++ ++static int ++xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) { ++ xmlSecNssKeyWrapCtxPtr context ; ++ int ret; ++ ++ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); ++ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); ++ ++ context = xmlSecNssKeyWrapGetCtx( transform ) ; ++ xmlSecAssert2( context != NULL , -1 ) ; ++ ++ #ifndef XMLSEC_NO_DES ++ if( transform->id == xmlSecNssTransformKWDes3Id ) { ++ context->cipher = CKM_DES3_CBC ; ++ context->keyId = xmlSecNssKeyDataDesId ; ++ } else ++ #endif /* XMLSEC_NO_DES */ ++ ++ #ifndef XMLSEC_NO_AES ++ if( transform->id == xmlSecNssTransformKWAes128Id ) { ++ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ if( transform->id == xmlSecNssTransformKWAes192Id ) { ++ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ if( transform->id == xmlSecNssTransformKWAes256Id ) { ++ /* context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/ ++ context->cipher = CKM_AES_CBC ; ++ context->keyId = xmlSecNssKeyDataAesId ; ++ } else ++ #endif /* XMLSEC_NO_AES */ ++ ++ ++ if( 1 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), ++ NULL , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ context->symkey = NULL ; ++ context->material = NULL ; ++ ++ return(0); ++} ++ ++static void ++xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) { ++ xmlSecNssKeyWrapCtxPtr context ; ++ ++ xmlSecAssert(xmlSecNssKeyWrapCheckId(transform)); ++ xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize)); ++ ++ context = xmlSecNssKeyWrapGetCtx( transform ) ; ++ xmlSecAssert( context != NULL ) ; ++ ++ if( context->symkey != NULL ) { ++ PK11_FreeSymKey( context->symkey ) ; ++ context->symkey = NULL ; ++ } ++ ++ if( context->material != NULL ) { ++ xmlSecBufferDestroy(context->material); ++ context->material = NULL ; ++ } ++} ++ ++static int ++xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { ++ xmlSecNssKeyWrapCtxPtr context ; ++ xmlSecSize cipherSize = 0 ; ++ ++ ++ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); ++ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); ++ xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); ++ xmlSecAssert2(keyReq != NULL, -1); ++ ++ context = xmlSecNssKeyWrapGetCtx( transform ) ; ++ xmlSecAssert2( context != NULL , -1 ) ; ++ ++ keyReq->keyId = context->keyId; ++ keyReq->keyType = xmlSecKeyDataTypeSymmetric; ++ if(transform->operation == xmlSecTransformOperationEncrypt) { ++ keyReq->keyUsage = xmlSecKeyUsageEncrypt; ++ } else { ++ keyReq->keyUsage = xmlSecKeyUsageDecrypt; ++ } ++ ++ keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ; ++ ++ return(0); ++} ++ ++static int ++xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { ++ xmlSecNssKeyWrapCtxPtr context = NULL ; ++ xmlSecKeyDataPtr keyData = NULL ; ++ PK11SymKey* symkey = NULL ; ++ ++ xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1); ++ xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1); ++ xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); ++ xmlSecAssert2(key != NULL, -1); ++ ++ context = xmlSecNssKeyWrapGetCtx( transform ) ; ++ if( context == NULL || context->keyId == NULL || context->symkey != NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssKeyWrapGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ; ++ ++ keyData = xmlSecKeyGetValue( key ) ; ++ if( keyData == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) , ++ "xmlSecKeyGetValue" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) , ++ "xmlSecNssSymKeyDataGetKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ context->symkey = symkey ; ++ ++ return(0) ; ++} ++ ++/** ++ * key wrap transform ++ */ ++static int ++xmlSecNssKeyWrapCtxInit( ++ xmlSecNssKeyWrapCtxPtr ctx , ++ xmlSecBufferPtr in , ++ xmlSecBufferPtr out , ++ int encrypt , ++ xmlSecTransformCtxPtr transformCtx ++) { ++ xmlSecSize blockSize ; ++ ++ xmlSecAssert2( ctx != NULL , -1 ) ; ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; ++ xmlSecAssert2( in != NULL , -1 ) ; ++ xmlSecAssert2( out != NULL , -1 ) ; ++ xmlSecAssert2( transformCtx != NULL , -1 ) ; ++ ++ if( ctx->material != NULL ) { ++ xmlSecBufferDestroy( ctx->material ) ; ++ ctx->material = NULL ; ++ } ++ ++ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_GetBlockSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ ctx->material = xmlSecBufferCreate( blockSize ) ; ++ if( ctx->material == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferCreate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ /* read raw key material into context */ ++ if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferSetData" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferRemoveHead" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ return(0); ++} ++ ++/** ++ * key wrap transform update ++ */ ++static int ++xmlSecNssKeyWrapCtxUpdate( ++ xmlSecNssKeyWrapCtxPtr ctx , ++ xmlSecBufferPtr in , ++ xmlSecBufferPtr out , ++ int encrypt , ++ xmlSecTransformCtxPtr transformCtx ++) { ++ xmlSecAssert2( ctx != NULL , -1 ) ; ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; ++ xmlSecAssert2( ctx->material != NULL , -1 ) ; ++ xmlSecAssert2( in != NULL , -1 ) ; ++ xmlSecAssert2( out != NULL , -1 ) ; ++ xmlSecAssert2( transformCtx != NULL , -1 ) ; ++ ++ /* read raw key material and append into context */ ++ if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferAppend" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferRemoveHead" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ return(0); ++} ++ ++static int ++xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) { ++ xmlSecSize s; ++ xmlSecSize i; ++ xmlSecByte c; ++ ++ xmlSecAssert2(buf != NULL, -1); ++ ++ s = size / 2; ++ --size; ++ for(i = 0; i < s; ++i) { ++ c = buf[i]; ++ buf[i] = buf[size - i]; ++ buf[size - i] = c; ++ } ++ return(0); ++} ++ ++static xmlSecByte * ++xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize, ++ xmlSecByte *out, xmlSecSize outSize) ++{ ++ PK11Context *context = NULL; ++ SECStatus s; ++ xmlSecByte *digest = NULL; ++ unsigned int len; ++ ++ xmlSecAssert2(in != NULL, NULL); ++ xmlSecAssert2(out != NULL, NULL); ++ xmlSecAssert2(outSize >= SHA1_LENGTH, NULL); ++ ++ /* Create a context for hashing (digesting) */ ++ context = PK11_CreateDigestContext(SEC_OID_SHA1); ++ if (context == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_CreateDigestContext", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ s = PK11_DigestBegin(context); ++ if (s != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_DigestBegin", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ s = PK11_DigestOp(context, in, inSize); ++ if (s != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_DigestOp", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ s = PK11_DigestFinal(context, out, &len, outSize); ++ if (s != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_DigestFinal", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "error code = %d", PORT_GetError()); ++ goto done; ++ } ++ xmlSecAssert2(len == SHA1_LENGTH, NULL); ++ ++ digest = out; ++ ++done: ++ if (context != NULL) { ++ PK11_DestroyContext(context, PR_TRUE); ++ } ++ return (digest); ++} ++ ++static int ++xmlSecNssKWDes3Encrypt( ++ PK11SymKey* symKey , ++ CK_MECHANISM_TYPE cipherMech , ++ const xmlSecByte* iv , ++ xmlSecSize ivSize , ++ const xmlSecByte* in , ++ xmlSecSize inSize , ++ xmlSecByte* out , ++ xmlSecSize outSize , ++ int enc ++) { ++ PK11Context* EncContext = NULL; ++ SECItem ivItem ; ++ SECItem* secParam = NULL ; ++ int tmp1_outlen; ++ unsigned int tmp2_outlen; ++ int result_len = -1; ++ SECStatus rv; ++ ++ xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( symKey != NULL , -1 ) ; ++ xmlSecAssert2(iv != NULL, -1); ++ xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1); ++ xmlSecAssert2(in != NULL, -1); ++ xmlSecAssert2(inSize > 0, -1); ++ xmlSecAssert2(out != NULL, -1); ++ xmlSecAssert2(outSize >= inSize, -1); ++ ++ /* Prepare IV */ ++ ivItem.data = ( unsigned char* )iv ; ++ ivItem.len = ivSize ; ++ ++ secParam = PK11_ParamFromIV(cipherMech, &ivItem); ++ if (secParam == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_ParamFromIV", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "Error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ EncContext = PK11_CreateContextBySymKey(cipherMech, ++ enc ? CKA_ENCRYPT : CKA_DECRYPT, ++ symKey, secParam); ++ if (EncContext == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_CreateContextBySymKey", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "Error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ tmp1_outlen = tmp2_outlen = 0; ++ rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize, ++ (unsigned char *)in, inSize); ++ if (rv != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_CipherOp", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "Error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ rv = PK11_DigestFinal(EncContext, out+tmp1_outlen, ++ &tmp2_outlen, outSize-tmp1_outlen); ++ if (rv != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_DigestFinal", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "Error code = %d", PORT_GetError()); ++ goto done; ++ } ++ ++ result_len = tmp1_outlen + tmp2_outlen; ++ ++done: ++ if (secParam) { ++ SECITEM_FreeItem(secParam, PR_TRUE); ++ } ++ if (EncContext) { ++ PK11_DestroyContext(EncContext, PR_TRUE); ++ } ++ ++ return(result_len); ++} ++ ++static int ++xmlSecNssKeyWrapDesOp( ++ xmlSecNssKeyWrapCtxPtr ctx , ++ int encrypt , ++ xmlSecBufferPtr result ++) { ++ xmlSecByte sha1[SHA1_LENGTH]; ++ xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH]; ++ xmlSecByte* in; ++ xmlSecSize inSize; ++ xmlSecByte* out; ++ xmlSecSize outSize; ++ xmlSecSize s; ++ int ret; ++ SECStatus status; ++ ++ xmlSecAssert2( ctx != NULL , -1 ) ; ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; ++ xmlSecAssert2( ctx->material != NULL , -1 ) ; ++ xmlSecAssert2( result != NULL , -1 ) ; ++ ++ in = xmlSecBufferGetData(ctx->material); ++ inSize = xmlSecBufferGetSize(ctx->material) ; ++ out = xmlSecBufferGetData(result); ++ outSize = xmlSecBufferGetMaxSize(result) ; ++ if( encrypt ) { ++ /* step 2: calculate sha1 and CMS */ ++ if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssComputeSHA1", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ /* step 3: construct WKCKS */ ++ memcpy(out, in, inSize); ++ memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH); ++ ++ /* step 4: generate random iv */ ++ status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH); ++ if(status != SECSuccess) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PK11_GenerateRandom", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ "error code = %d", PORT_GetError()); ++ return(-1); ++ } ++ ++ /* step 5: first encryption, result is TEMP1 */ ++ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, ++ iv, XMLSEC_NSS_DES3_IV_LENGTH, ++ out, inSize + XMLSEC_NSS_DES3_IV_LENGTH, ++ out, outSize, 1); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3Encrypt", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ /* step 6: construct TEMP2=IV || TEMP1 */ ++ memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out, ++ inSize + XMLSEC_NSS_DES3_IV_LENGTH); ++ memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH); ++ s = ret + XMLSEC_NSS_DES3_IV_LENGTH; ++ ++ /* step 7: reverse octets order, result is TEMP3 */ ++ ret = xmlSecNssKWDes3BufferReverse(out, s); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3BufferReverse", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ /* step 8: second encryption with static IV */ ++ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, ++ xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, ++ out, s, ++ out, outSize, 1); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3Encrypt", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ s = ret; ++ ++ if( xmlSecBufferSetSize( result , s ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBufferSetSize", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ } else { ++ /* step 2: first decryption with static IV, result is TEMP3 */ ++ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, ++ xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, ++ in, inSize, ++ out, outSize, 0); ++ if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3Encrypt", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ s = ret; ++ ++ /* step 3: reverse octets order in TEMP3, result is TEMP2 */ ++ ret = xmlSecNssKWDes3BufferReverse(out, s); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3BufferReverse", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */ ++ ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher, ++ out, XMLSEC_NSS_DES3_IV_LENGTH, ++ out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH, ++ out, outSize, 0); ++ if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssKWDes3Encrypt", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ s = ret - XMLSEC_NSS_DES3_IV_LENGTH; ++ ++ /* steps 6 and 7: calculate SHA1 and validate it */ ++ if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssComputeSHA1", ++ XMLSEC_ERRORS_R_CRYPTO_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ NULL, ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ "SHA1 does not match"); ++ return(-1); ++ } ++ ++ if( xmlSecBufferSetSize( result , s ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBufferSetSize", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ } ++ ++ return(0); ++} ++ ++static int ++xmlSecNssKeyWrapAesOp( ++ xmlSecNssKeyWrapCtxPtr ctx , ++ int encrypt , ++ xmlSecBufferPtr result ++) { ++ PK11Context* cipherCtx = NULL; ++ SECItem ivItem ; ++ SECItem* secParam = NULL ; ++ xmlSecSize inSize ; ++ xmlSecSize inBlocks ; ++ int blockSize ; ++ int midSize ; ++ int finSize ; ++ xmlSecByte* out ; ++ xmlSecSize outSize; ++ ++ xmlSecAssert2( ctx != NULL , -1 ) ; ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; ++ xmlSecAssert2( ctx->material != NULL , -1 ) ; ++ xmlSecAssert2( result != NULL , -1 ) ; ++ ++ /* Do not set any IV */ ++ memset(&ivItem, 0, sizeof(ivItem)); ++ ++ /* Get block size */ ++ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_GetBlockSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ inSize = xmlSecBufferGetSize( ctx->material ) ; ++ if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferSetMaxSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ /* Get Param for context initialization */ ++ if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_ParamFromIV" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ; ++ if( cipherCtx == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_CreateContextBySymKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ SECITEM_FreeItem( secParam , PR_TRUE ) ; ++ return(-1); ++ } ++ ++ out = xmlSecBufferGetData(result) ; ++ outSize = xmlSecBufferGetMaxSize(result) ; ++ if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_CipherOp" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_DigestFinal" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferSetSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ return 0 ; ++} ++ ++/** ++ * Block cipher transform final ++ */ ++static int ++xmlSecNssKeyWrapCtxFinal( ++ xmlSecNssKeyWrapCtxPtr ctx , ++ xmlSecBufferPtr in , ++ xmlSecBufferPtr out , ++ int encrypt , ++ xmlSecTransformCtxPtr transformCtx ++) { ++ PK11SymKey* targetKey ; ++ xmlSecSize blockSize ; ++ xmlSecBufferPtr result ; ++ ++ xmlSecAssert2( ctx != NULL , -1 ) ; ++ xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ; ++ xmlSecAssert2( ctx->symkey != NULL , -1 ) ; ++ xmlSecAssert2( ctx->keyId != NULL , -1 ) ; ++ xmlSecAssert2( ctx->material != NULL , -1 ) ; ++ xmlSecAssert2( in != NULL , -1 ) ; ++ xmlSecAssert2( out != NULL , -1 ) ; ++ xmlSecAssert2( transformCtx != NULL , -1 ) ; ++ ++ /* read raw key material and append into context */ ++ if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferAppend" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferRemoveHead" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ /* Now we get all of the key materail */ ++ /* from now on we will wrap or unwrap the key */ ++ if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "PK11_GetBlockSize" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ result = xmlSecBufferCreate( blockSize ) ; ++ if( result == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferCreate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ switch( ctx->cipher ) { ++ case CKM_DES3_CBC : ++ if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssKeyWrapDesOp" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBufferDestroy(result); ++ return(-1); ++ } ++ break ; ++ /* case CKM_NETSCAPE_AES_KEY_WRAP :*/ ++ case CKM_AES_CBC : ++ if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssKeyWrapAesOp" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBufferDestroy(result); ++ return(-1); ++ } ++ break ; ++ } ++ ++ /* Write output */ ++ if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecBufferAppend" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBufferDestroy(result); ++ return(-1); ++ } ++ xmlSecBufferDestroy(result); ++ ++ return(0); ++} ++ ++static int ++xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { ++ xmlSecNssKeyWrapCtxPtr context = NULL ; ++ xmlSecBufferPtr inBuf, outBuf ; ++ int operation ; ++ int rtv ; ++ ++ xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ; ++ xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ; ++ xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ; ++ xmlSecAssert2( transformCtx != NULL , -1 ) ; ++ ++ context = xmlSecNssKeyWrapGetCtx( transform ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssKeyWrapGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ inBuf = &( transform->inBuf ) ; ++ outBuf = &( transform->outBuf ) ; ++ ++ if( transform->status == xmlSecTransformStatusNone ) { ++ transform->status = xmlSecTransformStatusWorking ; ++ } ++ ++ operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ; ++ if( transform->status == xmlSecTransformStatusWorking ) { ++ if( context->material == NULL ) { ++ rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ; ++ if( rtv < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssKeyWrapCtxInit" , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ } ++ ++ if( context->material == NULL && last != 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ NULL , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ "No enough data to intialize transform" ) ; ++ return(-1); ++ } ++ ++ if( context->material != NULL ) { ++ rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ; ++ if( rtv < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssKeyWrapCtxUpdate" , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ } ++ ++ if( last ) { ++ rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ; ++ if( rtv < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ "xmlSecNssKeyWrapCtxFinal" , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ transform->status = xmlSecTransformStatusFinished ; ++ } ++ } else if( transform->status == xmlSecTransformStatusFinished ) { ++ if( xmlSecBufferGetSize( inBuf ) != 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ NULL , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ "status=%d", transform->status ) ; ++ return(-1); ++ } ++ } else { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) , ++ NULL , ++ XMLSEC_ERRORS_R_INVALID_STATUS , ++ "status=%d", transform->status ) ; ++ return(-1); ++ } ++ ++ return(0); ++} ++ ++#ifndef XMLSEC_NO_AES ++ ++ ++#ifdef __MINGW32__ // for runtime-pseudo-reloc ++static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = { ++#else ++static xmlSecTransformKlass xmlSecNssKWAes128Klass = { ++#endif ++ /* klass/object sizes */ ++ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ ++ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ ++ ++ xmlSecNameKWAes128, /* const xmlChar* name; */ ++ xmlSecHrefKWAes128, /* const xmlChar* href; */ ++ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ ++ ++ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ ++ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ ++ NULL, /* xmlSecTransformNodeReadMethod readNode; */ ++ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ ++ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ ++ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ ++ NULL, /* xmlSecTransformValidateMethod validate; */ ++ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ ++ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ ++ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ ++ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ ++ NULL, /* xmlSecTransformPopXmlMethod popXml; */ ++ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ ++ ++ NULL, /* void* reserved0; */ ++ NULL, /* void* reserved1; */ ++}; ++ ++#ifdef __MINGW32__ // for runtime-pseudo-reloc ++static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = { ++#else ++static xmlSecTransformKlass xmlSecNssKWAes192Klass = { ++#endif ++ /* klass/object sizes */ ++ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ ++ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ ++ ++ xmlSecNameKWAes192, /* const xmlChar* name; */ ++ xmlSecHrefKWAes192, /* const xmlChar* href; */ ++ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ ++ ++ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ ++ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ ++ NULL, /* xmlSecTransformNodeReadMethod readNode; */ ++ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ ++ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ ++ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ ++ NULL, /* xmlSecTransformValidateMethod validate; */ ++ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ ++ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ ++ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ ++ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ ++ NULL, /* xmlSecTransformPopXmlMethod popXml; */ ++ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ ++ ++ NULL, /* void* reserved0; */ ++ NULL, /* void* reserved1; */ ++}; ++ ++#ifdef __MINGW32__ // for runtime-pseudo-reloc ++static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = { ++#else ++static xmlSecTransformKlass xmlSecNssKWAes256Klass = { ++#endif ++ /* klass/object sizes */ ++ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ ++ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ ++ ++ xmlSecNameKWAes256, /* const xmlChar* name; */ ++ xmlSecHrefKWAes256, /* const xmlChar* href; */ ++ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ ++ ++ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ ++ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ ++ NULL, /* xmlSecTransformNodeReadMethod readNode; */ ++ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ ++ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ ++ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ ++ NULL, /* xmlSecTransformValidateMethod validate; */ ++ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ ++ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ ++ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ ++ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ ++ NULL, /* xmlSecTransformPopXmlMethod popXml; */ ++ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ ++ ++ NULL, /* void* reserved0; */ ++ NULL, /* void* reserved1; */ ++}; ++ ++/** ++ * xmlSecNssTransformKWAes128GetKlass: ++ * ++ * The AES-128 key wrapper transform klass. ++ * ++ * Returns AES-128 key wrapper transform klass. ++ */ ++xmlSecTransformId ++xmlSecNssTransformKWAes128GetKlass(void) { ++ return(&xmlSecNssKWAes128Klass); ++} ++ ++/** ++ * xmlSecNssTransformKWAes192GetKlass: ++ * ++ * The AES-192 key wrapper transform klass. ++ * ++ * Returns AES-192 key wrapper transform klass. ++ */ ++xmlSecTransformId ++xmlSecNssTransformKWAes192GetKlass(void) { ++ return(&xmlSecNssKWAes192Klass); ++} ++ ++/** ++ * ++ * The AES-256 key wrapper transform klass. ++ * ++ * Returns AES-256 key wrapper transform klass. ++ */ ++xmlSecTransformId ++xmlSecNssTransformKWAes256GetKlass(void) { ++ return(&xmlSecNssKWAes256Klass); ++} ++ ++#endif /* XMLSEC_NO_AES */ ++ ++ ++#ifndef XMLSEC_NO_DES ++ ++#ifdef __MINGW32__ // for runtime-pseudo-reloc ++static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = { ++#else ++static xmlSecTransformKlass xmlSecNssKWDes3Klass = { ++#endif ++ /* klass/object sizes */ ++ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ ++ xmlSecNssKeyWrapSize, /* xmlSecSize objSize */ ++ ++ xmlSecNameKWDes3, /* const xmlChar* name; */ ++ xmlSecHrefKWDes3, /* const xmlChar* href; */ ++ xmlSecTransformUsageEncryptionMethod, /* xmlSecAlgorithmUsage usage; */ ++ ++ xmlSecNssKeyWrapInitialize, /* xmlSecTransformInitializeMethod initialize; */ ++ xmlSecNssKeyWrapFinalize, /* xmlSecTransformFinalizeMethod finalize; */ ++ NULL, /* xmlSecTransformNodeReadMethod readNode; */ ++ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ ++ xmlSecNssKeyWrapSetKeyReq, /* xmlSecTransformSetKeyMethod setKeyReq; */ ++ xmlSecNssKeyWrapSetKey, /* xmlSecTransformSetKeyMethod setKey; */ ++ NULL, /* xmlSecTransformValidateMethod validate; */ ++ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ ++ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ ++ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ ++ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ ++ NULL, /* xmlSecTransformPopXmlMethod popXml; */ ++ xmlSecNssKeyWrapExecute, /* xmlSecTransformExecuteMethod execute; */ ++ ++ NULL, /* void* reserved0; */ ++ NULL, /* void* reserved1; */ ++}; ++ ++/** ++ * xmlSecNssTransformKWDes3GetKlass: ++ * ++ * The Triple DES key wrapper transform klass. ++ * ++ * Returns Triple DES key wrapper transform klass. ++ */ ++xmlSecTransformId ++xmlSecNssTransformKWDes3GetKlass(void) { ++ return(&xmlSecNssKWDes3Klass); ++} ++ ++#endif /* XMLSEC_NO_DES */ ++ +--- misc/xmlsec1-1.2.14/src/nss/pkikeys.c 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/pkikeys.c 2009-09-21 14:02:48.657352624 +0200 +@@ -24,6 +24,7 @@ + #include <xmlsec/nss/crypto.h> + #include <xmlsec/nss/bignum.h> + #include <xmlsec/nss/pkikeys.h> ++#include <xmlsec/nss/tokens.h> + + /************************************************************************** + * +@@ -115,6 +116,8 @@ + xmlSecNssPKIKeyDataCtxPtr ctxSrc) + { + xmlSecNSSPKIKeyDataCtxFree(ctxDst); ++ ctxDst->privkey = NULL ; ++ ctxDst->pubkey = NULL ; + if (ctxSrc->privkey != NULL) { + ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey); + if(ctxDst->privkey == NULL) { +@@ -588,13 +591,13 @@ + goto done; + } + +- slot = PK11_GetBestSlot(CKM_DSA, NULL); ++ slot = xmlSecNssSlotGet(CKM_DSA); + if(slot == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "PK11_GetBestSlot", ++ "xmlSecNssSlotGet", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + ret = -1; + goto done; + } +@@ -792,14 +795,14 @@ + if (slot != NULL) { + PK11_FreeSlot(slot); + } +- if (ret != 0) { ++ + if (pubkey != NULL) { + SECKEY_DestroyPublicKey(pubkey); + } + if (data != NULL) { + xmlSecKeyDataDestroy(data); + } +- } ++ + return(ret); + } + +@@ -818,7 +821,7 @@ + + ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key)); + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); ++/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ + + if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) { + /* we can have only private key or public key */ +@@ -940,7 +943,8 @@ + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "PK11_PQG_ParamGen", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- "size=%d", sizeBits); ++ "size=%d, error code=%d", sizeBits, PORT_GetError()); ++ ret = -1; + goto done; + } + +@@ -950,11 +954,12 @@ + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "PK11_PQG_VerifyParams", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- "size=%d", sizeBits); ++ "size=%d, error code=%d", sizeBits, PORT_GetError()); ++ ret = -1; + goto done; + } + +- slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL); ++ slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN); + PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */); + privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams, + &pubkey, PR_FALSE, PR_TRUE, NULL); +@@ -964,8 +969,9 @@ + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "PK11_GenerateKeyPair", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + ++ ret = -1; + goto done; + } + +@@ -979,6 +985,8 @@ + goto done; + } + ++ privkey = NULL ; ++ pubkey = NULL ; + ret = 0; + + done: +@@ -991,16 +999,13 @@ + if (pqgVerify != NULL) { + PK11_PQG_DestroyVerify(pqgVerify); + } +- if (ret == 0) { +- return (0); +- } + if (pubkey != NULL) { + SECKEY_DestroyPublicKey(pubkey); + } + if (privkey != NULL) { + SECKEY_DestroyPrivateKey(privkey); + } +- return(-1); ++ return(ret); + } + + static xmlSecKeyDataType +@@ -1010,10 +1015,10 @@ + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown); + ctx = xmlSecNssPKIKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); ++/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ + if (ctx->privkey != NULL) { + return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic); +- } else { ++ } else if( ctx->pubkey != NULL ) { + return(xmlSecKeyDataTypePublic); + } + +@@ -1027,7 +1032,7 @@ + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0); + ctx = xmlSecNssPKIKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1); ++/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/ + + return(8 * SECKEY_PublicKeyStrength(ctx->pubkey)); + } +@@ -1216,13 +1221,13 @@ + goto done; + } + +- slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL); ++ slot = xmlSecNssSlotGet(CKM_RSA_PKCS); + if(slot == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "PK11_GetBestSlot", ++ "xmlSecNssSlotGet", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + ret = -1; + goto done; + } +@@ -1384,7 +1389,7 @@ + + ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key)); + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1); ++/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/ + + + if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) { +@@ -1455,7 +1460,7 @@ + params.keySizeInBits = sizeBits; + params.pe = 65537; + +- slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL); ++ slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN); + PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */); + privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, ¶ms, + &pubkey, PR_FALSE, PR_TRUE, NULL); +@@ -1525,7 +1530,7 @@ + + ctx = xmlSecNssPKIKeyDataGetCtx(data); + xmlSecAssert2(ctx != NULL, -1); +- xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1); ++/* xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/ + + return(8 * SECKEY_PublicKeyStrength(ctx->pubkey)); + } +--- misc/xmlsec1-1.2.14/src/nss/symkeys.c 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/symkeys.c 2009-09-21 14:02:48.620574832 +0200 +@@ -15,20 +15,41 @@ + #include <stdio.h> + #include <string.h> + ++#include <pk11func.h> ++#include <nss.h> ++ + #include <xmlsec/xmlsec.h> + #include <xmlsec/xmltree.h> ++#include <xmlsec/base64.h> + #include <xmlsec/keys.h> + #include <xmlsec/keyinfo.h> + #include <xmlsec/transforms.h> + #include <xmlsec/errors.h> + + #include <xmlsec/nss/crypto.h> ++#include <xmlsec/nss/ciphers.h> ++#include <xmlsec/nss/tokens.h> + + /***************************************************************************** + * +- * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary ++ * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey + * + ****************************************************************************/ ++typedef struct _xmlSecNssSymKeyDataCtx xmlSecNssSymKeyDataCtx ; ++typedef struct _xmlSecNssSymKeyDataCtx* xmlSecNssSymKeyDataCtxPtr ; ++ ++struct _xmlSecNssSymKeyDataCtx { ++ CK_MECHANISM_TYPE cipher ; /* the symmetic key mechanism */ ++ PK11SlotInfo* slot ; /* the key resident slot */ ++ PK11SymKey* symkey ; /* the symmetic key */ ++} ; ++ ++#define xmlSecNssSymKeyDataSize \ ++ ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) ) ++ ++#define xmlSecNssSymKeyDataGetCtx( data ) \ ++ ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) ) ++ + static int xmlSecNssSymKeyDataInitialize (xmlSecKeyDataPtr data); + static int xmlSecNssSymKeyDataDuplicate (xmlSecKeyDataPtr dst, + xmlSecKeyDataPtr src); +@@ -67,107 +88,743 @@ + (xmlSecKeyDataIsValid((data)) && \ + xmlSecNssSymKeyDataKlassCheck((data)->id)) + ++/** ++ * xmlSecNssSymKeyDataAdoptKey: ++ * @data: the pointer to symmetric key data. ++ * @symkey: the symmetric key ++ * ++ * Set the value of symmetric key data. ++ * ++ * Returns 0 on success or a negative value if an error occurs. ++ */ ++int ++xmlSecNssSymKeyDataAdoptKey( ++ xmlSecKeyDataPtr data , ++ PK11SymKey* symkey ++) { ++ xmlSecNssSymKeyDataCtxPtr context = NULL ; ++ ++ xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ; ++ xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ; ++ xmlSecAssert2( symkey != NULL, -1 ) ; ++ ++ context = xmlSecNssSymKeyDataGetCtx( data ) ; ++ xmlSecAssert2(context != NULL, -1); ++ ++ context->cipher = PK11_GetMechanism( symkey ) ; ++ ++ if( context->slot != NULL ) { ++ PK11_FreeSlot( context->slot ) ; ++ context->slot = NULL ; ++ } ++ context->slot = PK11_GetSlotFromKey( symkey ) ; ++ ++ if( context->symkey != NULL ) { ++ PK11_FreeSymKey( context->symkey ) ; ++ context->symkey = NULL ; ++ } ++ context->symkey = PK11_ReferenceSymKey( symkey ) ; ++ ++ return 0 ; ++} ++ ++xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( ++ PK11SymKey* symKey ++) { ++ xmlSecKeyDataPtr data = NULL ; ++ CK_MECHANISM_TYPE mechanism = CKM_INVALID_MECHANISM ; ++ ++ xmlSecAssert2( symKey != NULL , NULL ) ; ++ ++ mechanism = PK11_GetMechanism( symKey ) ; ++ switch( mechanism ) { ++ case CKM_DES3_KEY_GEN : ++ case CKM_DES3_CBC : ++ case CKM_DES3_MAC : ++ data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ; ++ if( data == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeyDataCreate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ "xmlSecNssKeyDataDesId" ) ; ++ return NULL ; ++ } ++ break ; ++ case CKM_AES_KEY_GEN : ++ case CKM_AES_CBC : ++ case CKM_AES_MAC : ++ data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ; ++ if( data == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecKeyDataCreate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ "xmlSecNssKeyDataDesId" ) ; ++ return NULL ; ++ } ++ break ; ++ default : ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ "Unsupported mechanism" ) ; ++ return NULL ; ++ } ++ ++ if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ "xmlSecNssSymKeyDataAdoptKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecKeyDataDestroy( data ) ; ++ return NULL ; ++ } ++ ++ return data ; ++} ++ ++ ++PK11SymKey* ++xmlSecNssSymKeyDataGetKey( ++ xmlSecKeyDataPtr data ++) { ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ PK11SymKey* symkey ; ++ ++ xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL); ++ xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL); ++ ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert2(ctx != NULL, NULL); ++ ++ if( ctx->symkey != NULL ) { ++ symkey = PK11_ReferenceSymKey( ctx->symkey ) ; ++ } else { ++ symkey = NULL ; ++ } ++ ++ return(symkey); ++} ++ + static int + xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) { ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1); +- +- return(xmlSecKeyDataBinaryValueInitialize(data)); ++ xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1); ++ ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert2(ctx != NULL, -1); ++ ++ memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx)); ++ ++ /* Set the block cipher mechanism */ ++#ifndef XMLSEC_NO_DES ++ if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) { ++ ctx->cipher = CKM_DES3_KEY_GEN; ++ } else ++#endif /* XMLSEC_NO_DES */ ++ ++#ifndef XMLSEC_NO_AES ++ if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) { ++ ctx->cipher = CKM_AES_KEY_GEN; ++ } else ++#endif /* XMLSEC_NO_AES */ ++ ++ if(1) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ "Unsupported block cipher" ) ; ++ return(-1) ; ++ } ++ ++ return(0); + } + + static int + xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) { ++ xmlSecNssSymKeyDataCtxPtr ctxDst; ++ xmlSecNssSymKeyDataCtxPtr ctxSrc; ++ + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1); ++ xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1); + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1); ++ xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1); + xmlSecAssert2(dst->id == src->id, -1); +- +- return(xmlSecKeyDataBinaryValueDuplicate(dst, src)); ++ ++ ctxDst = xmlSecNssSymKeyDataGetCtx(dst); ++ xmlSecAssert2(ctxDst != NULL, -1); ++ ++ ctxSrc = xmlSecNssSymKeyDataGetCtx(src); ++ xmlSecAssert2(ctxSrc != NULL, -1); ++ ++ ctxDst->cipher = ctxSrc->cipher ; ++ ++ if( ctxSrc->slot != NULL ) { ++ if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) { ++ PK11_FreeSlot( ctxDst->slot ) ; ++ ctxDst->slot = NULL ; ++ } ++ ++ if( ctxDst->slot == NULL && ctxSrc->slot != NULL ) ++ ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ; ++ } else { ++ if( ctxDst->slot != NULL ) { ++ PK11_FreeSlot( ctxDst->slot ) ; ++ ctxDst->slot = NULL ; ++ } ++ } ++ ++ if( ctxSrc->symkey != NULL ) { ++ if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) { ++ PK11_FreeSymKey( ctxDst->symkey ) ; ++ ctxDst->symkey = NULL ; ++ } ++ ++ if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL ) ++ ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ; ++ } else { ++ if( ctxDst->symkey != NULL ) { ++ PK11_FreeSymKey( ctxDst->symkey ) ; ++ ctxDst->symkey = NULL ; ++ } ++ } ++ ++ return(0); + } + + static void + xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) { ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ + xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); +- +- xmlSecKeyDataBinaryValueFinalize(data); ++ xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize)); ++ ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert(ctx != NULL); ++ ++ if( ctx->slot != NULL ) { ++ PK11_FreeSlot( ctx->slot ) ; ++ ctx->slot = NULL ; ++ } ++ ++ if( ctx->symkey != NULL ) { ++ PK11_FreeSymKey( ctx->symkey ) ; ++ ctx->symkey = NULL ; ++ } ++ ++ ctx->cipher = CKM_INVALID_MECHANISM ; + } + + static int + xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, + xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { +- xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); ++ PK11SymKey* symKey ; ++ PK11SlotInfo* slot ; ++ xmlSecBufferPtr keyBuf; ++ xmlSecSize len; ++ xmlSecKeyDataPtr data; ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ SECItem keyItem ; ++ int ret; ++ ++ xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1); ++ xmlSecAssert2(key != NULL, -1); ++ xmlSecAssert2(node != NULL, -1); ++ xmlSecAssert2(keyInfoCtx != NULL, -1); ++ ++ /* Create a new KeyData from a id */ ++ data = xmlSecKeyDataCreate(id); ++ if(data == NULL ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyDataCreate", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert2(ctx != NULL, -1); ++ ++ /* Create a buffer for raw symmetric key value */ ++ if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecBufferCreate" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ /* Read the raw key value */ ++ if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ xmlSecErrorsSafeString(xmlSecNodeGetName(node)), ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecBufferDestroy( keyBuf ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ /* Get slot */ ++ slot = xmlSecNssSlotGet(ctx->cipher); ++ if( slot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecNssSlotGet" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ xmlSecBufferDestroy( keyBuf ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ /* Wrap the raw key value SECItem */ ++ keyItem.type = siBuffer ; ++ keyItem.data = xmlSecBufferGetData( keyBuf ) ; ++ keyItem.len = xmlSecBufferGetSize( keyBuf ) ; ++ ++ /* Import the raw key into slot temporalily and get the key handler*/ ++ symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ; ++ if( symKey == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_ImportSymKey" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ PK11_FreeSlot( slot ) ; ++ xmlSecBufferDestroy( keyBuf ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ PK11_FreeSlot( slot ) ; ++ ++ /* raw key material has been copied into symKey, it isn't used any more */ ++ xmlSecBufferDestroy( keyBuf ) ; ++ ++ /* Adopt the symmetric key into key data */ ++ ret = xmlSecNssSymKeyDataAdoptKey(data, symKey); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyDataBinaryValueSetBuffer", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1); ++ } ++ /* symKey has been duplicated into data, it isn't used any more */ ++ PK11_FreeSymKey( symKey ) ; ++ ++ /* Check value */ ++ if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyReqMatchKeyValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecKeyDataDestroy( data ) ; ++ return(0); ++ } + +- return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx)); ++ ret = xmlSecKeySetValue(key, data); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeySetValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1); ++ } ++ ++ return(0); + } + + static int + xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, + xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { ++ PK11SymKey* symKey ; ++ + xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); +- +- return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx)); ++ xmlSecAssert2(key != NULL, -1); ++ xmlSecAssert2(node != NULL, -1); ++ xmlSecAssert2(keyInfoCtx != NULL, -1); ++ ++ /* Get symmetric key from "key" */ ++ symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); ++ if( symKey != NULL ) { ++ SECItem* keyItem ; ++ xmlSecBufferPtr keyBuf ; ++ ++ /* Extract raw key data from symmetric key */ ++ if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_ExtractKeyValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ /* Get raw key data from "symKey" */ ++ keyItem = PK11_GetKeyData( symKey ) ; ++ if(keyItem == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_GetKeyData", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ /* Create key data buffer with raw kwy material */ ++ keyBuf = xmlSecBufferCreate(keyItem->len) ; ++ if(keyBuf == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecBufferCreate", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ; ++ ++ /* Write raw key material into current xml node */ ++ if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecBufferBase64NodeContentWrite", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBufferDestroy(keyBuf); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ xmlSecBufferDestroy(keyBuf); ++ PK11_FreeSymKey( symKey ) ; ++ } ++ ++ return 0 ; + } + + static int + xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key, + const xmlSecByte* buf, xmlSecSize bufSize, + xmlSecKeyInfoCtxPtr keyInfoCtx) { +- xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); ++ PK11SymKey* symKey ; ++ PK11SlotInfo* slot ; ++ xmlSecKeyDataPtr data; ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ SECItem keyItem ; ++ int ret; ++ ++ xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1); ++ xmlSecAssert2(key != NULL, -1); ++ xmlSecAssert2(buf != NULL, -1); ++ xmlSecAssert2(bufSize != 0, -1); ++ xmlSecAssert2(keyInfoCtx != NULL, -1); ++ ++ /* Create a new KeyData from a id */ ++ data = xmlSecKeyDataCreate(id); ++ if(data == NULL ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyDataCreate", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); ++ } ++ ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert2(ctx != NULL, -1); ++ ++ /* Get slot */ ++ slot = xmlSecNssSlotGet(ctx->cipher); ++ if( slot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecNssSlotGet" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ /* Wrap the raw key value SECItem */ ++ keyItem.type = siBuffer ; ++ keyItem.data = buf ; ++ keyItem.len = bufSize ; ++ ++ /* Import the raw key into slot temporalily and get the key handler*/ ++ symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ; ++ if( symKey == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_ImportSymKey" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ PK11_FreeSlot( slot ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1) ; ++ } ++ ++ /* Adopt the symmetric key into key data */ ++ ret = xmlSecNssSymKeyDataAdoptKey(data, symKey); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyDataBinaryValueSetBuffer", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ PK11_FreeSymKey( symKey ) ; ++ PK11_FreeSlot( slot ) ; ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1); ++ } ++ /* symKey has been duplicated into data, it isn't used any more */ ++ PK11_FreeSymKey( symKey ) ; ++ PK11_FreeSlot( slot ) ; ++ ++ /* Check value */ ++ if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeyReqMatchKeyValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecKeyDataDestroy( data ) ; ++ return(0); ++ } + +- return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx)); ++ ret = xmlSecKeySetValue(key, data); ++ if(ret < 0) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecKeySetValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecKeyDataDestroy( data ) ; ++ return(-1); ++ } ++ ++ return(0); + } + + static int + xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, + xmlSecByte** buf, xmlSecSize* bufSize, + xmlSecKeyInfoCtxPtr keyInfoCtx) { ++ PK11SymKey* symKey ; ++ + xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1); ++ xmlSecAssert2(key != NULL, -1); ++ xmlSecAssert2(buf != NULL, -1); ++ xmlSecAssert2(bufSize != 0, -1); ++ xmlSecAssert2(keyInfoCtx != NULL, -1); ++ ++ /* Get symmetric key from "key" */ ++ symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); ++ if( symKey != NULL ) { ++ SECItem* keyItem ; ++ ++ /* Extract raw key data from symmetric key */ ++ if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_ExtractKeyValue", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ /* Get raw key data from "symKey" */ ++ keyItem = PK11_GetKeyData( symKey ) ; ++ if(keyItem == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "PK11_GetKeyData", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ *bufSize = keyItem->len; ++ *buf = ( xmlSecByte* )xmlMalloc( *bufSize ); ++ if( *buf == NULL ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ NULL, ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ PK11_FreeSymKey( symKey ) ; ++ return(-1); ++ } ++ ++ memcpy((*buf), keyItem->data, (*bufSize)); ++ PK11_FreeSymKey( symKey ) ; ++ } + +- return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx)); ++ return 0 ; + } + + static int + xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) { +- xmlSecBufferPtr buffer; ++ PK11SymKey* symkey ; ++ PK11SlotInfo* slot ; ++ xmlSecNssSymKeyDataCtxPtr ctx; ++ int ret; + + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1); + xmlSecAssert2(sizeBits > 0, -1); + +- buffer = xmlSecKeyDataBinaryValueGetBuffer(data); +- xmlSecAssert2(buffer != NULL, -1); +- +- return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8)); ++ ctx = xmlSecNssSymKeyDataGetCtx(data); ++ xmlSecAssert2(ctx != NULL, -1); ++ ++ if( sizeBits % 8 != 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), ++ NULL, ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "Symmetric key size must be octuple"); ++ return(-1); ++ } ++ ++ /* Get slot */ ++ slot = xmlSecNssSlotGet(ctx->cipher); ++ if( slot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), ++ "xmlSecNssSlotGet" , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1) ; ++ } ++ ++ if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "PK11_Authenticate" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ PK11_FreeSlot( slot ) ; ++ return -1 ; ++ } ++ ++ symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ; ++ if( symkey == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "PK11_KeyGen" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ PK11_FreeSlot( slot ) ; ++ return -1 ; ++ } ++ ++ if( ctx->slot != NULL ) { ++ PK11_FreeSlot( ctx->slot ) ; ++ ctx->slot = NULL ; ++ } ++ ctx->slot = slot ; ++ ++ if( ctx->symkey != NULL ) { ++ PK11_FreeSymKey( ctx->symkey ) ; ++ ctx->symkey = NULL ; ++ } ++ ctx->symkey = symkey ; ++ ++ return 0; + } + + static xmlSecKeyDataType + xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) { +- xmlSecBufferPtr buffer; ++ xmlSecNssSymKeyDataCtxPtr context = NULL ; ++ xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ; + + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown); ++ xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ; + +- buffer = xmlSecKeyDataBinaryValueGetBuffer(data); +- xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown); ++ context = xmlSecNssSymKeyDataGetCtx( data ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "xmlSecNssSymKeyDataGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return xmlSecKeyDataTypeUnknown ; ++ } + +- return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown); ++ if( context->symkey != NULL ) { ++ type |= xmlSecKeyDataTypeSymmetric ; ++ } else { ++ type |= xmlSecKeyDataTypeUnknown ; ++ } ++ ++ return type ; + } + + static xmlSecSize + xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) { ++ xmlSecNssSymKeyDataCtxPtr context ; ++ unsigned int length = 0 ; ++ + xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0); ++ xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ; ++ context = xmlSecNssSymKeyDataGetCtx( data ) ; ++ if( context == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "xmlSecNssSymKeyDataGetCtx" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return 0 ; ++ } ++ ++ if( context->symkey != NULL ) { ++ length = PK11_GetKeyLength( context->symkey ) ; ++ length *= 8 ; ++ } + +- return(xmlSecKeyDataBinaryValueGetSize(data)); ++ return length ; + } + + static void + xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); + +- xmlSecKeyDataBinaryValueDebugDump(data, output); ++ /* print only size, everything else is sensitive */ ++ fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName , ++ xmlSecKeyDataGetSize(data)) ; + } + + static void + xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecNssSymKeyDataCheckId(data)); +- +- xmlSecKeyDataBinaryValueDebugXmlDump(data, output); ++ ++ /* print only size, everything else is sensitive */ ++ fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName , ++ xmlSecKeyDataGetSize(data)) ; + } + + static int +@@ -201,7 +858,7 @@ + *************************************************************************/ + static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = { + sizeof(xmlSecKeyDataKlass), +- xmlSecKeyDataBinarySize, ++ xmlSecNssSymKeyDataSize, + + /* data */ + xmlSecNameAESKeyValue, +@@ -282,7 +939,7 @@ + *************************************************************************/ + static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = { + sizeof(xmlSecKeyDataKlass), +- xmlSecKeyDataBinarySize, ++ xmlSecNssSymKeyDataSize, + + /* data */ + xmlSecNameDESKeyValue, +@@ -364,7 +1021,7 @@ + *************************************************************************/ + static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = { + sizeof(xmlSecKeyDataKlass), +- xmlSecKeyDataBinarySize, ++ xmlSecNssSymKeyDataSize, + + /* data */ + xmlSecNameHMACKeyValue, +--- misc/xmlsec1-1.2.14/src/nss/tokens.c 2009-09-21 14:07:19.249145861 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/tokens.c 2009-09-21 14:02:48.556772442 +0200 +@@ -1 +1,548 @@ +-dummy ++/** ++ * XMLSec library ++ * ++ * This is free software; see Copyright file in the source ++ * distribution for preciese wording. ++ * ++ * Copyright.................................. ++ * ++ * Contributor(s): _____________________________ ++ * ++ */ ++ ++/** ++ * In order to ensure that particular crypto operation is performed on ++ * particular crypto device, a subclass of xmlSecList is used to store slot and ++ * mechanism information. ++ * ++ * In the list, a slot is bound with a mechanism. If the mechanism is available, ++ * this mechanism only can perform on the slot; otherwise, it can perform on ++ * every eligibl slot in the list. ++ * ++ * When try to find a slot for a particular mechanism, the slot bound with ++ * avaliable mechanism will be looked up firstly. ++ */ ++#include "globals.h" ++#include <string.h> ++ ++#include <xmlsec/xmlsec.h> ++#include <xmlsec/errors.h> ++#include <xmlsec/list.h> ++ ++#include <xmlsec/nss/tokens.h> ++ ++int ++xmlSecNssKeySlotSetMechList( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE_PTR mechanismList ++) { ++ int counter ; ++ ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ ++ if( keySlot->mechanismList != CK_NULL_PTR ) { ++ xmlFree( keySlot->mechanismList ) ; ++ ++ for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; ++ keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; ++ if( keySlot->mechanismList == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ); ++ } ++ for( ; counter >= 0 ; counter -- ) ++ *( keySlot->mechanismList + counter ) = *( mechanismList + counter ) ; ++ } ++ ++ return( 0 ); ++} ++ ++int ++xmlSecNssKeySlotEnableMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE mechanism ++) { ++ int counter ; ++ CK_MECHANISM_TYPE_PTR newList ; ++ ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ ++ if( mechanism != CKM_INVALID_MECHANISM ) { ++ for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; ++ newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; ++ if( newList == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ); ++ } ++ *( newList + counter + 1 ) = CKM_INVALID_MECHANISM ; ++ *( newList + counter ) = mechanism ; ++ for( counter -= 1 ; counter >= 0 ; counter -- ) ++ *( newList + counter ) = *( keySlot->mechanismList + counter ) ; ++ ++ xmlFree( keySlot->mechanismList ) ; ++ keySlot->mechanismList = newList ; ++ } ++ ++ return(0); ++} ++ ++int ++xmlSecNssKeySlotDisableMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE mechanism ++) { ++ int counter ; ++ ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ ++ for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { ++ if( *( keySlot->mechanismList + counter ) == mechanism ) { ++ for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { ++ *( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ; ++ } ++ ++ break ; ++ } ++ } ++ ++ return(0); ++} ++ ++CK_MECHANISM_TYPE_PTR ++xmlSecNssKeySlotGetMechList( ++ xmlSecNssKeySlotPtr keySlot ++) { ++ if( keySlot != NULL ) ++ return keySlot->mechanismList ; ++ else ++ return NULL ; ++} ++ ++int ++xmlSecNssKeySlotSetSlot( ++ xmlSecNssKeySlotPtr keySlot , ++ PK11SlotInfo* slot ++) { ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ ++ if( slot != NULL && keySlot->slot != slot ) { ++ if( keySlot->slot != NULL ) ++ PK11_FreeSlot( keySlot->slot ) ; ++ ++ if( keySlot->mechanismList != NULL ) { ++ xmlFree( keySlot->mechanismList ) ; ++ keySlot->mechanismList = NULL ; ++ } ++ ++ keySlot->slot = PK11_ReferenceSlot( slot ) ; ++ } ++ ++ return(0); ++} ++ ++int ++xmlSecNssKeySlotInitialize( ++ xmlSecNssKeySlotPtr keySlot , ++ PK11SlotInfo* slot ++) { ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ xmlSecAssert2( keySlot->slot == NULL , -1 ) ; ++ xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ; ++ ++ if( slot != NULL ) { ++ keySlot->slot = PK11_ReferenceSlot( slot ) ; ++ } ++ ++ return(0); ++} ++ ++void ++xmlSecNssKeySlotFinalize( ++ xmlSecNssKeySlotPtr keySlot ++) { ++ xmlSecAssert( keySlot != NULL ) ; ++ ++ if( keySlot->mechanismList != NULL ) { ++ xmlFree( keySlot->mechanismList ) ; ++ keySlot->mechanismList = NULL ; ++ } ++ ++ if( keySlot->slot != NULL ) { ++ PK11_FreeSlot( keySlot->slot ) ; ++ keySlot->slot = NULL ; ++ } ++ ++} ++ ++PK11SlotInfo* ++xmlSecNssKeySlotGetSlot( ++ xmlSecNssKeySlotPtr keySlot ++) { ++ if( keySlot != NULL ) ++ return keySlot->slot ; ++ else ++ return NULL ; ++} ++ ++xmlSecNssKeySlotPtr ++xmlSecNssKeySlotCreate() { ++ xmlSecNssKeySlotPtr keySlot ; ++ ++ /* Allocates a new xmlSecNssKeySlot and fill the fields */ ++ keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ; ++ if( keySlot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( NULL ); ++ } ++ memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ; ++ ++ return( keySlot ) ; ++} ++ ++int ++xmlSecNssKeySlotCopy( ++ xmlSecNssKeySlotPtr newKeySlot , ++ xmlSecNssKeySlotPtr keySlot ++) { ++ CK_MECHANISM_TYPE_PTR mech ; ++ int counter ; ++ ++ xmlSecAssert2( newKeySlot != NULL , -1 ) ; ++ xmlSecAssert2( keySlot != NULL , -1 ) ; ++ ++ if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) { ++ if( newKeySlot->slot != NULL ) ++ PK11_FreeSlot( newKeySlot->slot ) ; ++ ++ newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ; ++ } ++ ++ if( keySlot->mechanismList != CK_NULL_PTR ) { ++ xmlFree( newKeySlot->mechanismList ) ; ++ ++ for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ; ++ newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ; ++ if( newKeySlot->mechanismList == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ); ++ } ++ for( ; counter >= 0 ; counter -- ) ++ *( newKeySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter ) ; ++ } ++ ++ return( 0 ); ++} ++ ++xmlSecNssKeySlotPtr ++xmlSecNssKeySlotDuplicate( ++ xmlSecNssKeySlotPtr keySlot ++) { ++ xmlSecNssKeySlotPtr newKeySlot ; ++ int ret ; ++ ++ xmlSecAssert2( keySlot != NULL , NULL ) ; ++ ++ newKeySlot = xmlSecNssKeySlotCreate() ; ++ if( newKeySlot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( NULL ); ++ } ++ ++ if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( NULL ); ++ } ++ ++ return( newKeySlot ); ++} ++ ++void ++xmlSecNssKeySlotDestroy( ++ xmlSecNssKeySlotPtr keySlot ++) { ++ xmlSecAssert( keySlot != NULL ) ; ++ ++ if( keySlot->mechanismList != NULL ) ++ xmlFree( keySlot->mechanismList ) ; ++ ++ if( keySlot->slot != NULL ) ++ PK11_FreeSlot( keySlot->slot ) ; ++ ++ xmlFree( keySlot ) ; ++} ++ ++int ++xmlSecNssKeySlotBindMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE type ++) { ++ int counter ; ++ ++ xmlSecAssert2( keySlot != NULL , 0 ) ; ++ xmlSecAssert2( keySlot->slot != NULL , 0 ) ; ++ xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; ++ ++ for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) { ++ if( *( keySlot->mechanismList + counter ) == type ) ++ return(1) ; ++ } ++ ++ return( 0 ) ; ++} ++ ++int ++xmlSecNssKeySlotSupportMech( ++ xmlSecNssKeySlotPtr keySlot , ++ CK_MECHANISM_TYPE type ++) { ++ xmlSecAssert2( keySlot != NULL , 0 ) ; ++ xmlSecAssert2( keySlot->slot != NULL , 0 ) ; ++ xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ; ++ ++ if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) { ++ return(1); ++ } else ++ return(0); ++} ++ ++void ++xmlSecNssKeySlotDebugDump( ++ xmlSecNssKeySlotPtr keySlot , ++ FILE* output ++) { ++ xmlSecAssert( keySlot != NULL ) ; ++ xmlSecAssert( output != NULL ) ; ++ ++ fprintf( output, "== KEY SLOT\n" ); ++} ++ ++void ++xmlSecNssKeySlotDebugXmlDump( ++ xmlSecNssKeySlotPtr keySlot , ++ FILE* output ++) { ++} ++ ++/** ++ * Key Slot List ++ */ ++#ifdef __MINGW32__ // for runtime-pseudo-reloc ++static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { ++#else ++static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = { ++#endif ++ BAD_CAST "mechanism-list", ++ (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate, ++ (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy, ++ (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump, ++ (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump, ++}; ++ ++xmlSecPtrListId ++xmlSecNssKeySlotListGetKlass(void) { ++ return(&xmlSecNssKeySlotPtrListKlass); ++} ++ ++ ++/*- ++ * Global PKCS#11 crypto token repository -- Key slot list ++ */ ++static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ; ++ ++PK11SlotInfo* ++xmlSecNssSlotGet( ++ CK_MECHANISM_TYPE type ++) { ++ PK11SlotInfo* slot = NULL ; ++ xmlSecNssKeySlotPtr keySlot ; ++ xmlSecSize ksSize ; ++ xmlSecSize ksPos ; ++ char flag ; ++ ++ if( _xmlSecNssKeySlotList == NULL ) { ++ slot = PK11_GetBestSlot( type , NULL ) ; ++ } else { ++ ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; ++ ++ /*- ++ * Firstly, checking whether the mechanism is bound with a special slot. ++ * If no bound slot, we try to find the first eligible slot in the list. ++ */ ++ for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { ++ keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; ++ if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) { ++ slot = xmlSecNssKeySlotGetSlot( keySlot ) ; ++ flag = 2 ; ++ } else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) { ++ slot = xmlSecNssKeySlotGetSlot( keySlot ) ; ++ flag = 1 ; ++ } ++ ++ if( flag == 2 ) ++ break ; ++ } ++ if( slot != NULL ) ++ slot = PK11_ReferenceSlot( slot ) ; ++ } ++ ++ if( slot != NULL && PK11_NeedLogin( slot ) ) { ++ if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ PK11_FreeSlot( slot ) ; ++ return( NULL ); ++ } ++ } ++ ++ return slot ; ++} ++ ++int ++xmlSecNssSlotInitialize( ++ void ++) { ++ if( _xmlSecNssKeySlotList != NULL ) { ++ xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; ++ _xmlSecNssKeySlotList = NULL ; ++ } ++ ++ _xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ; ++ if( _xmlSecNssKeySlotList == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return( -1 ); ++ } ++ ++ return(0); ++} ++ ++void ++xmlSecNssSlotShutdown( ++ void ++) { ++ if( _xmlSecNssKeySlotList != NULL ) { ++ xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ; ++ _xmlSecNssKeySlotList = NULL ; ++ } ++} ++ ++int ++xmlSecNssSlotAdopt( ++ PK11SlotInfo* slot, ++ CK_MECHANISM_TYPE type ++) { ++ xmlSecNssKeySlotPtr keySlot ; ++ xmlSecSize ksSize ; ++ xmlSecSize ksPos ; ++ char flag ; ++ ++ xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ; ++ xmlSecAssert2( slot != NULL, -1 ) ; ++ ++ ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ; ++ ++ /*- ++ * Firstly, checking whether the slot is in the repository already. ++ */ ++ flag = 0 ; ++ for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) { ++ keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ; ++ /* If find the slot in the list */ ++ if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) { ++ /* If mechnism type is valid, bind the slot with the mechanism */ ++ if( type != CKM_INVALID_MECHANISM ) { ++ if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ } ++ ++ flag = 1 ; ++ } ++ } ++ ++ /* If the slot do not in the list, add a new item to the list */ ++ if( flag == 0 ) { ++ /* Create a new KeySlot */ ++ keySlot = xmlSecNssKeySlotCreate() ; ++ if( keySlot == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return(-1); ++ } ++ ++ /* Initialize the keySlot with a slot */ ++ if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecNssKeySlotDestroy( keySlot ) ; ++ return(-1); ++ } ++ ++ /* If mechnism type is valid, bind the slot with the mechanism */ ++ if( type != CKM_INVALID_MECHANISM ) { ++ if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecNssKeySlotDestroy( keySlot ) ; ++ return(-1); ++ } ++ } ++ ++ /* Add keySlot into the list */ ++ if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ NULL , ++ NULL , ++ XMLSEC_ERRORS_R_XMLSEC_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecNssKeySlotDestroy( keySlot ) ; ++ return(-1); ++ } ++ } ++ ++ return(0); ++} ++ +--- misc/xmlsec1-1.2.14/src/nss/x509.c 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/x509.c 2009-09-21 14:02:48.642312431 +0200 +@@ -34,7 +34,6 @@ + #include <xmlsec/keys.h> + #include <xmlsec/keyinfo.h> + #include <xmlsec/keysmngr.h> +-#include <xmlsec/x509.h> + #include <xmlsec/base64.h> + #include <xmlsec/errors.h> + +@@ -61,33 +60,18 @@ + static int xmlSecNssX509CertificateNodeRead (xmlSecKeyDataPtr data, + xmlNodePtr node, + xmlSecKeyInfoCtxPtr keyInfoCtx); +-static int xmlSecNssX509CertificateNodeWrite (CERTCertificate* cert, +- xmlNodePtr node, +- xmlSecKeyInfoCtxPtr keyInfoCtx); + static int xmlSecNssX509SubjectNameNodeRead (xmlSecKeyDataPtr data, + xmlNodePtr node, + xmlSecKeyInfoCtxPtr keyInfoCtx); +-static int xmlSecNssX509SubjectNameNodeWrite (CERTCertificate* cert, +- xmlNodePtr node, +- xmlSecKeyInfoCtxPtr keyInfoCtx); + static int xmlSecNssX509IssuerSerialNodeRead (xmlSecKeyDataPtr data, + xmlNodePtr node, + xmlSecKeyInfoCtxPtr keyInfoCtx); +-static int xmlSecNssX509IssuerSerialNodeWrite (CERTCertificate* cert, +- xmlNodePtr node, +- xmlSecKeyInfoCtxPtr keyInfoCtx); + static int xmlSecNssX509SKINodeRead (xmlSecKeyDataPtr data, + xmlNodePtr node, + xmlSecKeyInfoCtxPtr keyInfoCtx); +-static int xmlSecNssX509SKINodeWrite (CERTCertificate* cert, +- xmlNodePtr node, +- xmlSecKeyInfoCtxPtr keyInfoCtx); + static int xmlSecNssX509CRLNodeRead (xmlSecKeyDataPtr data, + xmlNodePtr node, + xmlSecKeyInfoCtxPtr keyInfoCtx); +-static int xmlSecNssX509CRLNodeWrite (CERTSignedCrl* crl, +- xmlNodePtr node, +- xmlSecKeyInfoCtxPtr keyInfoCtx); + static int xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, + xmlSecKeyPtr key, + xmlSecKeyInfoCtxPtr keyInfoCtx); +@@ -104,9 +88,6 @@ + xmlSecKeyInfoCtxPtr keyInfoCtx); + static xmlChar* xmlSecNssX509CrlBase64DerWrite (CERTSignedCrl* crl, + int base64LineWrap); +-static xmlChar* xmlSecNssX509NameWrite (CERTName* nm); +-static xmlChar* xmlSecNssASN1IntegerWrite (SECItem *num); +-static xmlChar* xmlSecNssX509SKIWrite (CERTCertificate* cert); + static void xmlSecNssX509CertDebugDump (CERTCertificate* cert, + FILE* output); + static void xmlSecNssX509CertDebugXmlDump (CERTCertificate* cert, +@@ -752,31 +733,22 @@ + xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, + xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlSecKeyDataPtr data; ++ xmlNodePtr cur; ++ xmlChar* buf; + CERTCertificate* cert; + CERTSignedCrl* crl; + xmlSecSize size, pos; +- int content = 0; +- int ret; + + xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1); + xmlSecAssert2(key != NULL, -1); + xmlSecAssert2(node != NULL, -1); + xmlSecAssert2(keyInfoCtx != NULL, -1); + +- content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx); +- if (content < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecX509DataGetNodeContent", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "content=%d", content); +- return(-1); +- } else if(content == 0) { +- /* by default we are writing certificates and crls */ +- content = XMLSEC_X509DATA_DEFAULT; ++ /* todo: flag in ctx remove all existing content */ ++ if(0) { ++ xmlNodeSetContent(node, NULL); + } + +- /* get x509 data */ + data = xmlSecKeyGetData(key, id); + if(data == NULL) { + /* no x509 data in the key */ +@@ -796,79 +768,74 @@ + return(-1); + } + +- if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) { +- ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx); +- if(ret < 0) { ++ /* set base64 lines size from context */ ++ buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); ++ if(buf == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssX509CertificateNodeWrite", ++ "xmlSecNssX509CertBase64DerWrite", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); ++ XMLSEC_ERRORS_NO_MESSAGE); + return(-1); +- } + } + +- if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) { +- ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx); +- if(ret < 0) { ++ cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs); ++ if(cur == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssX509SubjectNameNodeWrite", ++ "xmlSecAddChild", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); ++ "node=%s", ++ xmlSecErrorsSafeString(xmlSecNodeX509Certificate)); ++ xmlFree(buf); + return(-1); +- } + } ++ /* todo: add \n around base64 data - from context */ ++ /* todo: add errors check */ ++ xmlNodeSetContent(cur, xmlSecStringCR); ++ xmlNodeSetContent(cur, buf); ++ xmlFree(buf); ++ } + +- if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) { +- ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx); +- if(ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssX509IssuerSerialNodeWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); +- return(-1); +- } ++ /* write crls */ ++ size = xmlSecNssKeyDataX509GetCrlsSize(data); ++ for(pos = 0; pos < size; ++pos) { ++ crl = xmlSecNssKeyDataX509GetCrl(data, pos); ++ if(crl == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecNssKeyDataX509GetCrl", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "pos=%d", pos); ++ return(-1); + } + +- if((content & XMLSEC_X509DATA_SKI_NODE) != 0) { +- ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx); +- if(ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssX509SKINodeWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); +- return(-1); +- } ++ /* set base64 lines size from context */ ++ buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); ++ if(buf == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecNssX509CrlBase64DerWrite", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return(-1); + } +- } + +- /* write crls if needed */ +- if((content & XMLSEC_X509DATA_CRL_NODE) != 0) { +- size = xmlSecNssKeyDataX509GetCrlsSize(data); +- for(pos = 0; pos < size; ++pos) { +- crl = xmlSecNssKeyDataX509GetCrl(data, pos); +- if(crl == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssKeyDataX509GetCrl", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); +- return(-1); +- } +- +- ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx); +- if(ret < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), +- "xmlSecNssX509CRLNodeWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "pos=%d", pos); +- return(-1); +- } +- } ++ cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs); ++ if(cur == NULL) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), ++ "xmlSecAddChild", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "new_node=%s", ++ xmlSecErrorsSafeString(xmlSecNodeX509CRL)); ++ xmlFree(buf); ++ return(-1); ++ } ++ /* todo: add \n around base64 data - from context */ ++ /* todo: add errors check */ ++ xmlNodeSetContent(cur, xmlSecStringCR); ++ xmlNodeSetContent(cur, buf); + } + + return(0); +@@ -1057,46 +1024,6 @@ + return(0); + } + +-static int +-xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { +- xmlChar* buf; +- xmlNodePtr cur; +- +- xmlSecAssert2(cert != NULL, -1); +- xmlSecAssert2(node != NULL, -1); +- xmlSecAssert2(keyInfoCtx != NULL, -1); +- +- /* set base64 lines size from context */ +- buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509CertBase64DerWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- +- cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs); +- if(cur == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509Certificate)); +- xmlFree(buf); +- return(-1); +- } +- +- /* todo: add \n around base64 data - from context */ +- /* todo: add errors check */ +- xmlNodeSetContent(cur, xmlSecStringCR); +- xmlNodeSetContent(cur, buf); +- xmlFree(buf); +- return(0); +-} +- + static int + xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlSecKeyDataStorePtr x509Store; +@@ -1120,19 +1047,13 @@ + } + + subject = xmlNodeGetContent(node); +- if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) { +- if(subject != NULL) { +- xmlFree(subject); +- } +- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { ++ if(subject == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + xmlSecErrorsSafeString(xmlSecNodeGetName(node)), + XMLSEC_ERRORS_R_INVALID_NODE_CONTENT, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); +- } +- return(0); + } + + cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx); +@@ -1169,40 +1090,6 @@ + return(0); + } + +-static int +-xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { +- xmlChar* buf = NULL; +- xmlNodePtr cur = NULL; +- +- xmlSecAssert2(cert != NULL, -1); +- xmlSecAssert2(node != NULL, -1); +- +- buf = xmlSecNssX509NameWrite(&(cert->subject)); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameWrite(&(cert->subject))", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- +- cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs); +- if(cur == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509SubjectName)); +- xmlFree(buf); +- return(-1); +- } +- xmlSecNodeEncodeAndSetContent(cur, buf); +- xmlFree(buf); +- return(0); +-} +- + static int + xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlSecKeyDataStorePtr x509Store; +@@ -1228,21 +1115,9 @@ + } + + cur = xmlSecGetNextElementNode(node->children); +- if(cur == NULL) { +- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), +- xmlSecErrorsSafeString(xmlSecNodeX509IssuerName), +- XMLSEC_ERRORS_R_NODE_NOT_FOUND, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeGetName(cur))); +- return(-1); +- } +- return(0); +- } + + /* the first is required node X509IssuerName */ +- if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) { ++ if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + xmlSecErrorsSafeString(xmlSecNodeX509IssuerName), +@@ -1336,78 +1211,6 @@ + return(0); + } + +-static int +-xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { +- xmlNodePtr cur; +- xmlNodePtr issuerNameNode; +- xmlNodePtr issuerNumberNode; +- xmlChar* buf; +- +- xmlSecAssert2(cert != NULL, -1); +- xmlSecAssert2(node != NULL, -1); +- +- /* create xml nodes */ +- cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs); +- if(cur == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial)); +- return(-1); +- } +- +- issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs); +- if(issuerNameNode == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509IssuerName)); +- return(-1); +- } +- +- issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs); +- if(issuerNumberNode == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber)); +- return(-1); +- } +- +- /* write data */ +- buf = xmlSecNssX509NameWrite(&(cert->issuer)); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameWrite(&(cert->issuer))", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- xmlSecNodeEncodeAndSetContent(issuerNameNode, buf); +- xmlFree(buf); +- +- buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber)); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- xmlNodeSetContent(issuerNumberNode, buf); +- xmlFree(buf); +- +- return(0); +-} +- + static int + xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlSecKeyDataStorePtr x509Store; +@@ -1431,11 +1234,7 @@ + } + + ski = xmlNodeGetContent(node); +- if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) { +- if(ski != NULL) { +- xmlFree(ski); +- } +- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { ++ if(ski == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + xmlSecErrorsSafeString(xmlSecNodeGetName(node)), +@@ -1443,8 +1242,6 @@ + "node=%s", + xmlSecErrorsSafeString(xmlSecNodeX509SKI)); + return(-1); +- } +- return(0); + } + + cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx); +@@ -1479,41 +1276,6 @@ + return(0); + } + +-static int +-xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) { +- xmlChar *buf = NULL; +- xmlNodePtr cur = NULL; +- +- xmlSecAssert2(cert != NULL, -1); +- xmlSecAssert2(node != NULL, -1); +- +- buf = xmlSecNssX509SKIWrite(cert); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509SKIWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- +- cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs); +- if(cur == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "new_node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509SKI)); +- xmlFree(buf); +- return(-1); +- } +- xmlSecNodeEncodeAndSetContent(cur, buf); +- xmlFree(buf); +- +- return(0); +-} +- + static int + xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlChar *content; +@@ -1524,19 +1286,13 @@ + xmlSecAssert2(keyInfoCtx != NULL, -1); + + content = xmlNodeGetContent(node); +- if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) { +- if(content != NULL) { +- xmlFree(content); +- } +- if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) { ++ if(content == NULL){ + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + xmlSecErrorsSafeString(xmlSecNodeGetName(node)), + XMLSEC_ERRORS_R_INVALID_NODE_CONTENT, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); +- } +- return(0); + } + + crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx); +@@ -1556,47 +1312,6 @@ + } + + static int +-xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { +- xmlChar* buf = NULL; +- xmlNodePtr cur = NULL; +- +- xmlSecAssert2(crl != NULL, -1); +- xmlSecAssert2(node != NULL, -1); +- xmlSecAssert2(keyInfoCtx != NULL, -1); +- +- /* set base64 lines size from context */ +- buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); +- if(buf == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509CrlBase64DerWrite", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(-1); +- } +- +- cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs); +- if(cur == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecAddChild", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "new_node=%s", +- xmlSecErrorsSafeString(xmlSecNodeX509CRL)); +- xmlFree(buf); +- return(-1); +- } +- /* todo: add \n around base64 data - from context */ +- /* todo: add errors check */ +- xmlNodeSetContent(cur, xmlSecStringCR); +- xmlNodeSetContent(cur, buf); +- xmlFree(buf); +- +- return(0); +-} +- +- +-static int + xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key, + xmlSecKeyInfoCtxPtr keyInfoCtx) { + xmlSecNssX509DataCtxPtr ctx; +@@ -1604,6 +1319,10 @@ + int ret; + SECStatus status; + PRTime notBefore, notAfter; ++ ++ PK11SlotInfo* slot ; ++ SECKEYPublicKey *pubKey = NULL; ++ SECKEYPrivateKey *priKey = NULL; + + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1); + xmlSecAssert2(key != NULL, -1); +@@ -1636,10 +1355,14 @@ + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "CERT_DupCertificate", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + return(-1); + } +- ++ ++ /*- ++ * Get Public key from cert, which does not always work for sign ++ * action. ++ * + keyValue = xmlSecNssX509CertGetKey(ctx->keyCert); + if(keyValue == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, +@@ -1649,6 +1372,54 @@ + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } ++ */ ++ /*- ++ * I'll search key according to KeyReq. ++ */ ++ slot = cert->slot ; ++ if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) { ++ if( ( priKey = PK11_FindPrivateKeyFromCert( slot , cert , NULL ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "PK11_FindPrivateKeyFromCert" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ return -1 ; ++ } ++ } ++ ++ if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) { ++ if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "CERT_ExtractPublicKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ ++ if( priKey != NULL ) ++ SECKEY_DestroyPrivateKey( priKey ) ; ++ return -1 ; ++ } ++ } ++ ++ keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey); ++ if( keyValue == NULL ) { ++ xmlSecError( XMLSEC_ERRORS_HERE , ++ xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) , ++ "xmlSecNssPKIAdoptKey" , ++ XMLSEC_ERRORS_R_CRYPTO_FAILED , ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ ++ if( priKey != NULL ) ++ SECKEY_DestroyPrivateKey( priKey ) ; ++ ++ if( pubKey != NULL ) ++ SECKEY_DestroyPublicKey( pubKey ) ; ++ ++ return -1 ; ++ } ++ /* Modify keyValue get Done */ + + /* verify that the key matches our expectations */ + if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) { +@@ -1950,86 +1721,6 @@ + return(res); + } + +-static xmlChar* +-xmlSecNssX509NameWrite(CERTName* nm) { +- xmlChar *res = NULL; +- char *str; +- +- xmlSecAssert2(nm != NULL, NULL); +- +- str = CERT_NameToAscii(nm); +- if (str == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "CERT_NameToAscii", +- XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(NULL); +- } +- +- res = xmlStrdup(BAD_CAST str); +- if(res == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlStrdup", +- XMLSEC_ERRORS_R_MALLOC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- PORT_Free(str); +- return(NULL); +- } +- PORT_Free(str); +- return(res); +-} +- +-static xmlChar* +-xmlSecNssASN1IntegerWrite(SECItem *num) { +- xmlChar *res = NULL; +- +- xmlSecAssert2(num != NULL, NULL); +- +- /* TODO : to be implemented after +- * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed +- */ +- return(res); +-} +- +-static xmlChar* +-xmlSecNssX509SKIWrite(CERTCertificate* cert) { +- xmlChar *res = NULL; +- SECItem ski; +- SECStatus rv; +- +- xmlSecAssert2(cert != NULL, NULL); +- +- memset(&ski, 0, sizeof(ski)); +- +- rv = CERT_FindSubjectKeyIDExtension(cert, &ski); +- if (rv != SECSuccess) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "CERT_FindSubjectKeyIDExtension", +- XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- SECITEM_FreeItem(&ski, PR_FALSE); +- return(NULL); +- } +- +- res = xmlSecBase64Encode(ski.data, ski.len, 0); +- if(res == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecBase64Encode", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- SECITEM_FreeItem(&ski, PR_FALSE); +- return(NULL); +- } +- SECITEM_FreeItem(&ski, PR_FALSE); +- +- return(res); +-} +- +- + static void + xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) { + SECItem *sn; +--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-21 14:02:48.669245207 +0200 +@@ -30,6 +30,7 @@ + #include <xmlsec/keyinfo.h> + #include <xmlsec/keysmngr.h> + #include <xmlsec/base64.h> ++#include <xmlsec/bn.h> + #include <xmlsec/errors.h> + + #include <xmlsec/nss/crypto.h> +@@ -61,17 +62,7 @@ + + static int xmlSecNssX509StoreInitialize (xmlSecKeyDataStorePtr store); + static void xmlSecNssX509StoreFinalize (xmlSecKeyDataStorePtr store); +-static int xmlSecNssX509NameStringRead (xmlSecByte **str, +- int *strLen, +- xmlSecByte *res, +- int resLen, +- xmlSecByte delim, +- int ingoreTrailingSpaces); +-static xmlSecByte * xmlSecNssX509NameRead (xmlSecByte *str, +- int len); +- +-static void xmlSecNssNumToItem(SECItem *it, unsigned long num); +- ++static int xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ; + + static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = { + sizeof(xmlSecKeyDataStoreKlass), +@@ -339,40 +330,28 @@ + xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName, + xmlChar *issuerSerial, xmlChar *ski) { + CERTCertificate *cert = NULL; +- xmlChar *p = NULL; + CERTName *name = NULL; + SECItem *nameitem = NULL; + PRArenaPool *arena = NULL; + + if (subjectName != NULL) { +- p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName)); +- if (p == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameRead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "subject=%s", +- xmlSecErrorsSafeString(subjectName)); +- goto done; +- } +- + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PORT_NewArena", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + goto done; + } + +- name = CERT_AsciiToName((char*)p); ++ name = CERT_AsciiToName((char*)subjectName); + if (name == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "CERT_AsciiToName", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + goto done; + } + +@@ -394,34 +373,23 @@ + if((issuerName != NULL) && (issuerSerial != NULL)) { + CERTIssuerAndSN issuerAndSN; + +- p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName)); +- if (p == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameRead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- "issuer=%s", +- xmlSecErrorsSafeString(issuerName)); +- goto done; +- } +- + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "PORT_NewArena", + XMLSEC_ERRORS_R_CRYPTO_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + goto done; + } + +- name = CERT_AsciiToName((char*)p); ++ name = CERT_AsciiToName((char*)issuerName); + if (name == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "CERT_AsciiToName", + XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); ++ "error code=%d", PORT_GetError()); + goto done; + } + +@@ -441,8 +409,15 @@ + issuerAndSN.derIssuer.data = nameitem->data; + issuerAndSN.derIssuer.len = nameitem->len; + +- /* TBD: serial num can be arbitrarily long */ +- xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial)); ++ if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecNssIntegerToItem", ++ XMLSEC_ERRORS_R_XMLSEC_FAILED, ++ "serial number=%s", ++ xmlSecErrorsSafeString(issuerSerial)); ++ goto done; ++ } + + cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), + &issuerAndSN); +@@ -473,9 +448,6 @@ + } + + done: +- if (p != NULL) { +- PORT_Free(p); +- } + if (arena != NULL) { + PORT_FreeArena(arena, PR_FALSE); + } +@@ -486,176 +458,6 @@ + return(cert); + } + +-static xmlSecByte * +-xmlSecNssX509NameRead(xmlSecByte *str, int len) { +- xmlSecByte name[256]; +- xmlSecByte value[256]; +- xmlSecByte *retval = NULL; +- xmlSecByte *p = NULL; +- int nameLen, valueLen; +- +- xmlSecAssert2(str != NULL, NULL); +- +- /* return string should be no longer than input string */ +- retval = (xmlSecByte *)PORT_Alloc(len+1); +- if(retval == NULL) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "PORT_Alloc", +- XMLSEC_ERRORS_R_MALLOC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- return(NULL); +- } +- p = retval; +- +- while(len > 0) { +- /* skip spaces after comma or semicolon */ +- while((len > 0) && isspace(*str)) { +- ++str; --len; +- } +- +- nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0); +- if(nameLen < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameStringRead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; +- } +- memcpy(p, name, nameLen); +- p+=nameLen; +- *p++='='; +- if(len > 0) { +- ++str; --len; +- if((*str) == '\"') { +- valueLen = xmlSecNssX509NameStringRead(&str, &len, +- value, sizeof(value), '"', 1); +- if(valueLen < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameStringRead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; +- } +- /* skip spaces before comma or semicolon */ +- while((len > 0) && isspace(*str)) { +- ++str; --len; +- } +- if((len > 0) && ((*str) != ',')) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "comma is expected"); +- goto done; +- } +- if(len > 0) { +- ++str; --len; +- } +- *p++='\"'; +- memcpy(p, value, valueLen); +- p+=valueLen; +- *p++='\"'; +- } else if((*str) == '#') { +- /* TODO: read octect values */ +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "reading octect values is not implemented yet"); +- goto done; +- } else { +- valueLen = xmlSecNssX509NameStringRead(&str, &len, +- value, sizeof(value), ',', 1); +- if(valueLen < 0) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- "xmlSecNssX509NameStringRead", +- XMLSEC_ERRORS_R_XMLSEC_FAILED, +- XMLSEC_ERRORS_NO_MESSAGE); +- goto done; +- } +- memcpy(p, value, valueLen); +- p+=valueLen; +- if (len > 0) +- *p++=','; +- } +- } else { +- valueLen = 0; +- } +- if(len > 0) { +- ++str; --len; +- } +- } +- +- *p = 0; +- return(retval); +- +-done: +- PORT_Free(retval); +- return (NULL); +-} +- +-static int +-xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen, +- xmlSecByte *res, int resLen, +- xmlSecByte delim, int ingoreTrailingSpaces) { +- xmlSecByte *p, *q, *nonSpace; +- +- xmlSecAssert2(str != NULL, -1); +- xmlSecAssert2(strLen != NULL, -1); +- xmlSecAssert2(res != NULL, -1); +- +- p = (*str); +- nonSpace = q = res; +- while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { +- if((*p) != '\\') { +- if(ingoreTrailingSpaces && !isspace(*p)) { +- nonSpace = q; +- } +- *(q++) = *(p++); +- } else { +- ++p; +- nonSpace = q; +- if(xmlSecIsHex((*p))) { +- if((p - (*str) + 1) >= (*strLen)) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "two hex digits expected"); +- return(-1); +- } +- *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]); +- p += 2; +- } else { +- if(((++p) - (*str)) >= (*strLen)) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- NULL, +- XMLSEC_ERRORS_R_INVALID_DATA, +- "escaped symbol missed"); +- return(-1); +- } +- *(q++) = *(p++); +- } +- } +- } +- if(((p - (*str)) < (*strLen)) && ((*p) != delim)) { +- xmlSecError(XMLSEC_ERRORS_HERE, +- NULL, +- NULL, +- XMLSEC_ERRORS_R_INVALID_SIZE, +- "buffer is too small"); +- return(-1); +- } +- (*strLen) -= (p - (*str)); +- (*str) = p; +- return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res); +-} +- + /* code lifted from NSS */ + static void + xmlSecNssNumToItem(SECItem *it, unsigned long ui) +@@ -699,6 +501,77 @@ + it->len = len; + PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len); + } ++ ++static int ++xmlSecNssIntegerToItem( ++ const xmlChar* integer , ++ SECItem *item ++) { ++ xmlSecBn bn ; ++ xmlSecSize i, length ; ++ const xmlSecByte* bnInteger ; ++ ++ xmlSecAssert2( integer != NULL, -1 ) ; ++ xmlSecAssert2( item != NULL, -1 ) ; ++ ++ if( xmlSecBnInitialize( &bn, 0 ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBnInitialize", ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ return -1 ; ++ } ++ ++ if( xmlSecBnFromDecString( &bn, integer ) < 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBnFromDecString", ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ xmlSecBnFinalize( &bn ) ; ++ return -1 ; ++ } ++ ++ length = xmlSecBnGetSize( &bn ) ; ++ if( length <= 0 ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBnGetSize", ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_NO_MESSAGE); ++ } ++ ++ bnInteger = xmlSecBnGetData( &bn ) ; ++ if( bnInteger == NULL ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "xmlSecBnGetData", ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBnFinalize( &bn ) ; ++ return -1 ; ++ } ++ ++ item->data = ( unsigned char * )PORT_Alloc( length ); ++ if( item->data == NULL ) { ++ xmlSecError(XMLSEC_ERRORS_HERE, ++ NULL, ++ "PORT_Alloc", ++ XMLSEC_ERRORS_R_INVALID_DATA, ++ XMLSEC_ERRORS_NO_MESSAGE ) ; ++ xmlSecBnFinalize( &bn ) ; ++ return -1 ; ++ } ++ ++ item->len = length; ++ for( i = 0 ; i < length ; i ++ ) ++ item->data[i] = *( bnInteger + i ) ; ++ ++ xmlSecBnFinalize( &bn ) ; ++ ++ return 0 ; ++} + #endif /* XMLSEC_NO_X509 */ + + +--- misc/xmlsec1-1.2.14/win32/Makefile.msvc 2009-06-25 22:53:18.000000000 +0200 ++++ misc/build/xmlsec1-1.2.14/win32/Makefile.msvc 2009-09-21 14:02:48.607277908 +0200 +@@ -218,6 +218,9 @@ + $(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj + + XMLSEC_NSS_OBJS = \ ++ $(XMLSEC_NSS_INTDIR)\akmngr.obj\ ++ $(XMLSEC_NSS_INTDIR)\keywrapers.obj\ ++ $(XMLSEC_NSS_INTDIR)\tokens.obj\ + $(XMLSEC_NSS_INTDIR)\app.obj\ + $(XMLSEC_NSS_INTDIR)\bignum.obj\ + $(XMLSEC_NSS_INTDIR)\ciphers.obj \ +@@ -253,6 +256,7 @@ + $(XMLSEC_NSS_INTDIR_A)\strings.obj + + XMLSEC_MSCRYPTO_OBJS = \ ++ $(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\ + $(XMLSEC_MSCRYPTO_INTDIR)\app.obj\ + $(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \ + $(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \ |