[xmlsec] MS crypto key integration with xmlsec
Aleksey Sanin
aleksey@aleksey.com
Fri, 01 Aug 2003 09:46:22 -0700
Hi, Wouter!

First of all, I am glad that someone is looking into xmlsec-mscrypto. Many people have asked about this. If you and your company are ok with sharing your work, I would be happy to include this into main xmlsec CVS/distribution. This is really important stuff!

Your questions about keys and keys manager seem to have the same foundation. The xmlSecKey/xmlSecKeyData and xmlSecKeysManager are not real objects that do some important job but interfaces to crypto specific implementation. The core xmlsec library uses these interfaces to call low level crypto api. For example, in OpenSSL case there is no keys storage provided by crypto library. Thus xmlSecOpenSSLKeysManager implements one. On the other hand, NSS does provide a keys and certificates storage (known as NSS keys db). And xmlSecNssKeysManager is just an interface to that keys storage. If xmlsec core library needs to find a key, say with given name, it calls xmlSecNssKeysManager. The xmlSecNssKeysManager searches NSS keys db and returns a key wrapped in xmlSecKey/xmlSecKeyData to xmlsec-core. As you can see, the xmlSecKey/xmlSecKeyData wrapper shows up *only* as the result of the keys search!

Another scenario is when an application wants to specify a key for performing particular xmlsec operation (signature or encryption). In this case, application should be able to create or get xmlSecKey/xmlSecKeyData wrappers and give it to xmlsec. Please note that in any case, core xmlsec functions deal *only* with xmlSecKey/xmlSecKeyData wrappers. However, you can find xmlSecNss* and xmlSecOpenSSL* functions that work with low level crypto primitives (for example, convert OpenSSL key handle to xmlSecKeyData). It's ok to have such functions and I doubt that one can avoid this :)
I would guess that in MS Crypto API you have a situation very similar to one we have in NSS. Tej did a great implementation xmlsec-nss which was checked in CVS trunk recently. I would suggest you take a look.

I am not sure but I hope that I did answer your questions. Anyway, I would be happy to answer more if you have some :)

With best regards,
Aleksey Sanin
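The keys-manager design described in the mail, as an added example that is not code from xmlsec or from the author: a simplified, hypothetical model in which the core only ever handles a key wrapper, the manager is an interface whose lookup is supplied by the crypto backend, and (as in the NSS case) the backend's own key database is searched and the wrapper appears only as the search result. All type and function names here are constructed for illustration, not xmlsec's real API.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model: the core sees only KeyWrapper (the xmlSecKey role),
 * never the backend's native key objects. */
typedef struct { char name[32]; int backendHandle; } KeyWrapper;

/* The manager is an interface: the backend fills in findKey and store. */
typedef struct KeysManager {
    void *store;                                           /* backend-private */
    KeyWrapper *(*findKey)(struct KeysManager *, const char *name);
} KeysManager;

/* Backend with its own key database (the NSS-like case): the storage already
 * exists, so findKey only searches it and wraps the hit. */
typedef struct { const char *name; int handle; } DbEntry;
static DbEntry g_keyDb[] = { {"alice", 101}, {"bob", 102}, {NULL, 0} }; /* constructed db */

static KeyWrapper *dbFindKey(KeysManager *m, const char *name) {
    for (DbEntry *e = m->store; e->name != NULL; e++) {
        if (strcmp(e->name, name) == 0) {
            KeyWrapper *k = calloc(1, sizeof *k);
            if (k == NULL) return NULL;
            strncpy(k->name, name, sizeof k->name - 1);
            k->backendHandle = e->handle;
            return k;             /* the wrapper exists only as a search result */
        }
    }
    return NULL;                  /* no key with that name in the backend db */
}

static KeysManager *dbKeysManagerCreate(void) {
    KeysManager *m = calloc(1, sizeof *m);
    if (m != NULL) { m->store = g_keyDb; m->findKey = dbFindKey; }
    return m;
}

/* Core-side code: knows nothing about the backend, only the interface.
 * Returns the backend handle for a named key, or -1 if none is found. */
int coreKeyHandleFor(KeysManager *m, const char *name) {
    KeyWrapper *k = m->findKey(m, name);
    if (k == NULL) return -1;
    int h = k->backendHandle;
    free(k);
    return h;
}
```

Swapping in an OpenSSL-like backend would mean supplying a findKey that searches a list the manager itself maintains, since that crypto library provides no key storage of its own; the core-side function would not change.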