[xmlsec] nss updates

Tej Arora tejbiz@aol.com
Fri, 25 Jul 2003 17:34:08 -0700


Aleksey Sanin wrote:

 > Hi, Tej!
 >
 > Everything looks great and I have committed this patch to CVS. As I told
 > you
 > today, I have fixed Windows build and this is also checked in CVS. We are
 > gettnig very close :) The only thing that makes me worry is that all
 > RSA-1.5
 > tests from the tests suite are failing:
 >     merlin-xmlenc-five/encrypt-element-aes128-cbc-rsa-1_5
 >     01-phaos-xmlenc-3/enc-element-3des-kt-rsa1_5
 >     01-phaos-xmlenc-3/enc-content-aes256-kt-rsa1_5
 >     01-phaos-xmlenc-3/enc-element-aes128-kt-rsa1_5
 >     01-phaos-xmlenc-3/enc-text-aes192-kt-rsa1_5

I just took a look at the tests. All of these tests
are sourcing an RSA key components from an xml file,
including the PrivateExponent.

NSS does not support this. In general, NSS is very
unfriendly towards any private key material in the
clear, for good reason.

I will update the README with this information.

For any tests needing private keys, we should change
the tests to source the keys from PKCS12 files.
What do you think?

-Tej



 > The error is always the same: problems in decoding last block encrypted
 > with symetric chipher. This makes me think that actual problem is in
 > RSA1_5
 > key transport. Something goes wrong and the returned symetric key is
 > incorrect. I wonder if you have the same results running these tests
 > (I am using NSS from official Mozilla 1.4 rpms for RedHat).
 >
 > Thanks!
 > Aleksey
 >
 >
 > Tej Arora wrote:
 >
 > > Hello,
 > >
 > > The latest patch has the following changes:
 > >
 > > 1) bug fixes in xmlsec-nss. Now a lot more tests pass :).
 > > I have 1 more bug to fix (kt_rsa.c) which is causing several
 > > tests to fail.
 > >
 > > 2) src/nss/README with pending items & misc notes
 > >
 > > 3) updated interop matrix. I used netscape 7 composer to edit the
 > > files. Please make sure the files look ok in your editing tool and
 > > browser.
 > >
 > > 4) xmlSecCryptoAppKeyLoad : added a new format
 > xmlSecKeyDataFormatPkcs12
 > > and made this function handle it. This makes the function handle all
 > > possible private key formats instead of having a separate one for
 > pkcs12
 > > (xmlSecCryptoAppPkcs12Load - that function is still around for
 > > compatibility).
 > > I made changes in src/nss, src/openssl, src/skeleton, src/GnuTLS.
 > >
 > >
 > >
 > ------------------------------------------------------------------------
 > >
 > >
 > >
 > > -Tej
 > >
 > >
 >
 >
 > _______________________________________________
 > xmlsec mailing list
 > xmlsec@aleksey.com
 > http://www.aleksey.com/mailman/listinfo/xmlsec