[xmlsec] xmlsec-mscrypto code review (patch #5) and todo list

Wouter wsh@xs4all.nl
Tue, 23 Sep 2003 21:38:36 +0200


> B) Failing tests:
>     - merlin-xmldsig-twenty-three/signature-keyname
>       Something about loading some dll, looks like a problem 
>       with my "cursed" box and don't worry about it too much.

This test has never worked for me. MS Crypto API cannot handle the
certificate tests/merlin-xmldsig-twenty-three/certs/lugh.der. When
loading the following error occurs: ASN1 bad tag value met. (Aleksey:
beautiful error msg btw :) The test has never worked, and I don't think
this error can be fixed easily. I'll check the ASN.1 structure to see if
I can find anything wrong here.
   
>     - merlin-xmlenc-five/encrypt-data-aes128-cbc 
>       Very strange error with decrypting the file encrypted 
>       a minute ago.

This test works fine for me.
    
>     - 01-phaos-xmlenc-3/enc-element-3des-kt-rsa1_5 
>       01-phaos-xmlenc-3/enc-content-aes256-kt-rsa1_5 
>       01-phaos-xmlenc-3/enc-element-aes128-kt-rsa1_5 
>       01-phaos-xmlenc-3/enc-text-aes192-kt-rsa1_5 
>       Problems loading private key?

Yes, still the same problem. I tried to generate a new file with
openssl, since the xmlsec openssl code is able to load the private key.
However that still resulted in the same errors I got before, trying to
create a certificate with the openssl command line tool (bad ASN.1, and
missing data etc.). So the next idea I have is create the private key
from the data with another library (SSH), create a private key there and
the cert request. However it's been a while since I used that lib, and
diving into that just for getting these tests to work is not very
appealing... Possibly another appraoch is to create a 'better' rsa key
with openssl, then is done. So instead of just the modulus, exponent,
and private exponent, also generate the other values of the private key
(forgive me for not remembering the exact names of the other values)? If
I can, I'll spend some time to try something out getting the tests to
work.

> My nearest plans are:
> 0) Look into failing tests from section B) above;
> 1) Make a minor code cleanup in src/mscrypto/x509.c and 
> src/mscrypto/certkeys.c to improve maintanability.
> 2) Do one more code review pass (weekend?)
> 3) Think about running xmlsec-mscrypto with a memory 
> leak checker.
> 4) Test xmlsec-mscrypto on Windows 9x (?)
> 
> After that I would be ready to merge the mscrypto branch
> to the trunk, do documentation, file bugs for non-implemented
> things and release version 1.2 :)
> 
> Wouter, would do you think about that? What are your plans?

I'm not working or planning onto big changes at this moment. I'd rather
see the lib stabelize more and getting ready for a release :) 
One thing I would like to see happening is exposing the memory key
loading functions from OpenSSL and mscrypto to the main interface (like
we discussed before) This would mean in also adjusting the NSS port,
though it's not sure what the possibilities are with NSS.
Aleksey: I'm happy to make the functions available, though if you can do
it in 5 minutes, and are willing to do so, it is probably more
efficient. 

In the meantime I'll try to help in getting the tests to work properly
(see comments above).

Wouter