[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )
Tejkumar Arora
tejbiz@aol.com
Tue, 22 Jul 2003 19:46:59 -0700
--------------070506040404000204050507
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Andrew Fan Wrote:
>>Why I add the new interfaces:
>>1. NSS' function "PK11_GetBestSlot ", which will load all of the
>>internal built-in slots or all of the actived pkcs11 module's slots;
>>2. Some time, end user hopes that a certain crypto operation act in a
>>certain crypto device, especially in multi-crypto-devices environment.
>>3. Some time, a key generated from a certain slot, it only work in >>that
>>slot( such as RSA private key ). PK11_GetBestSlot can not ensure this.
>>In the case, end user can assign the specific slot with the new
>interface.
Aleksey Sanin wrote:
> Well, I am not sure that "GetBestSlot" should be replaced on the xmlsec
> level. It seems to me that this is crypto library (NSS) job. I wonder
> what Tej
> thinks about that.
I'm not sure GetBestSlot needs to be replaced at all.
I recall we had a long discussion about your use case scenarios
Andrew, and my conclusion was that nothing needed to change.
On what basis will an application decide to use a slot
that is smarter than what PK11_GetBestSlot can do?. Can you
give a detailed use case scenario?
PK11_GetBestSlot is advisory. It is the crypto library's view
of the best slot for a cryptographic operation. It is not a
good idea to defeat that by creating your own.
If it turns out that a private key is on one slot, and the
data is in another, NSS automatically moves the key for you
(if possible), so if you're worried about this situation, then
it is already handled for you.
-Tej
>
> Anyway, it would be great if you prepare a full diff. Much more simple to
> understand what is going on and how you are going to use these functions.
> Also I would appreciate if you can put comments with function
> description.
> I use automated API docs generation tools and this is very helpfull.
> Look at any xmlsec source file for examples.
>
>
> Thanks,
> Aleksey
>
> >> Hi, Andrew!
> >>
> >> I got the new files but I think your forgot to attach diffs for
> >> existing files.
> >> Because right now these are just standalone files and nobody uses
> >> them :)
> >
> >
> > I want to patch the branch step by step. If you agree that the new
> > interfaces can take the place of "PK11_GetBestSlot" in other files.
> > I'll modify them like pkikeys.c. Because they're standalone files, so
> > I think there is no diffs. :-)
> >
> > Today, I'll patch other files and I'll provide the diffs. :-)
--------------070506040404000204050507
Content-Type: multipart/related;
boundary="------------090306010505040108010901"
--------------090306010505040108010901
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body>
<pre wrap="">Andrew Fan Wrote:
>>Why I add the new interfaces:
>>1. NSS' function "PK11_GetBestSlot ", which will load all of the
>>internal built-in slots or all of the actived pkcs11 module's slots;
>>2. Some time, end user hopes that a certain crypto operation act in a
>>certain crypto device, especially in multi-crypto-devices environment.
>>3. Some time, a key generated from a certain slot, it only work in >>that
>>slot( such as RSA private key ). PK11_GetBestSlot can not ensure this.
>>In the case, end user can assign the specific slot with the new
>interface.
Aleksey Sanin wrote:
> Well, I am not sure that "GetBestSlot" should be replaced on the xmlsec
> level. It seems to me that this is crypto library (NSS) job. I wonder
> what Tej
> thinks about that.
I'm not sure GetBestSlot needs to be replaced at all.
I recall we had a long discussion about your use case scenarios
Andrew, and my conclusion was that nothing needed to change.
On what basis will an application decide to use a slot
that is smarter than what PK11_GetBestSlot can do?. Can you
give a detailed use case scenario?
PK11_GetBestSlot is advisory. It is the crypto library's view
of the best slot for a cryptographic operation. It is not a
good idea to defeat that by creating your own.
If it turns out that a private key is on one slot, and the
data is in another, NSS automatically moves the key for you
(if possible), so if you're worried about this situation, then
it is already handled for you.
-Tej
>
> Anyway, it would be great if you prepare a full diff. Much more simple to
> understand what is going on and how you are going to use these functions.
> Also I would appreciate if you can put comments with function
> description.
> I use automated API docs generation tools and this is very helpfull.
> Look at any xmlsec source file for examples.
>
>
> Thanks,
> Aleksey
>
> >> Hi, Andrew!
> >>
> >> I got the new files but I think your forgot to attach diffs for
> >> existing files.
> >> Because right now these are just standalone files and nobody uses
> >> them <img
src="chrome://editor/content/images/smile_n.gif" alt=":)"
class="moz-txt-smily" height="19" width="19" align="middle">
> >
> >
> > I want to patch the branch step by step. If you agree that the new
> > interfaces can take the place of "PK11_GetBestSlot" in other files.
> > I'll modify them like pkikeys.c. Because they're standalone files, so
> > I think there is no diffs. <img
src="chrome://editor/content/images/smile_n.gif" alt=":-)"
class="moz-txt-smily" height="19" width="19" align="middle">
> >
> > Today, I'll patch other files and I'll provide the diffs. <img
src="chrome://editor/content/images/smile_n.gif" alt=":-)"
class="moz-txt-smily" height="19" width="19" align="middle">
</pre>
</body>
</html>
--------------090306010505040108010901--
--------------070506040404000204050507--