[xmlsec] xmlsec tests use private keys in the clear

Aleksey Sanin aleksey@aleksey.com
Tue, 03 Jun 2003 20:40:06 -0700


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body>
The only test that *exports* private keys is the keys generation test
(testKeys.sh). <br>
I wouldn't mind if this test were excluded from the test suite
altogether<br>
because it is useless anyway. I would be really surprised if NSS has no
way <br>
to import a private key into the keys db. In the end, there should be a way
to *put* keys<br>
in the key db, shouldn't there? IMHO, the best way is to read the XML file with
keys in keys db<br>
and use a keys manager based on the keys db.<br>
<br>
Aleksey<br>
<br>
Tejkumar Arora wrote:<br>
<blockquote type="cite" cite="mid3EDD4278.8010806@netscape.com">
  <pre wrap="">Hi Aleksey,

The xmlsec test harness uses private keys in the clear in an xml
file, in  the form of key components.

NSS has no support for importing/exporting private keys in the clear,
which makes it impossible to use the full test harness without changes.
(see <a class="moz-txt-link-freetext" href="http://bugzilla.mozilla.org/show_bug.cgi?id=207033">http://bugzilla.mozilla.org/show_bug.cgi?id=207033</a> for more info).

Alternatives to cleartext pvt key components in a file are:
    - pkcs12 format
    - encryptedPrivateKeyInfo format  (PKCS8 spec, I haven't looked
      at the details of this yet, and I don't know for sure if
      other crypto engines have API for this).
    - generate, use and discard the private key in a single test instead
      of storing the private key in a file and then using it in
      multiple tests.

What are your thoughts?

thanks,
-Tej


  </pre>
</blockquote>
</body>
</html>
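Added example, not part of the original thread and not xmlsec or NSS code: a sketch of two alternatives from the quoted list, storing a test key only as PKCS#8 EncryptedPrivateKeyInfo and generating, using and discarding it within one test. It assumes the `openssl` command-line tool is installed; the function names, file names and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed fixture names and a throwaway passphrase.
set -eu

# Generate a throwaway RSA key and store it only as EncryptedPrivateKeyInfo
# (PKCS#8). Prints the path of the encrypted fixture.
make_encrypted_fixture() {
    workdir=$1; passfile=$2
    # The cleartext key travels through a pipe and is never written to disk.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "file:$passfile" \
            -out "$workdir/test-key.p8.pem"
    printf '%s\n' "$workdir/test-key.p8.pem"
}

# Return 0 if the file is an encrypted PKCS#8 key, non-zero otherwise.
is_encrypted_fixture() {
    head -n 1 "$1" | grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# Sign a constructed payload with the encrypted key and verify the signature
# with the matching public key; the key is decrypted in memory only.
sign_and_verify() {
    keyfile=$1; passfile=$2; workdir=$3
    printf 'constructed test payload' > "$workdir/data.txt"
    openssl dgst -sha256 -sign "$keyfile" -passin "file:$passfile" \
        -out "$workdir/data.sig" "$workdir/data.txt"
    openssl pkey -in "$keyfile" -passin "file:$passfile" -pubout \
        -out "$workdir/pub.pem"
    openssl dgst -sha256 -verify "$workdir/pub.pem" \
        -signature "$workdir/data.sig" "$workdir/data.txt" >/dev/null
}

# Generate, use and discard: everything lives in a temp dir removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed-passphrase\n' > "$demo_dir/pass"
fixture=$(make_encrypted_fixture "$demo_dir" "$demo_dir/pass")
is_encrypted_fixture "$fixture"
sign_and_verify "$fixture" "$demo_dir/pass" "$demo_dir"
echo "encrypted fixture verified: $fixture"
```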