[xmlsec] Re: using IC card token with xmlsec
Aleksey Sanin
aleksey at aleksey.com
Wed Apr 30 19:52:36 PDT 2003
Hi, Naoto!

I am really pleased to hear about your decision :) For a moment, it
makes me feel that I am doing something useful :) From your message I
assume that you decided to go with 1.x.x version and this is absolutely
right decision. Since I don't have much details about your project I
could not tell you exactly what is the best option for you (NSS or MS
CAPI or something else). However, I would not expect that you'll need
to change much of the core xmlsec source code. You probably might
already read in the documentation that xmlsec 1.x.x has a modular
structure where cryptographic library specific code was separated from
core "xmlsec" library to the "xmlsec-<crypto>" libraries
("xmlsec-openssl", "xmlsec-nss", "xmlsec-gnutls",...).

As you can see, if you need to change core "xmlsec" library in order to
implement support for a new crypto library (say, MS CAPI), it would be a
major break in the library design. I am not saying that it's not
possible but right now I hope that it's not the case.

On the other hand, if you decide to use NSS, for example, you might
need to modify xmlsec-nss library because the current code implements
only a small part of the required functionality (compared with
xmlsec-openssl, for example). This is expected and should not cause any
problem. Also I accept contributions: if you will implement new
functionality or support for a new library and decide to share it with
others I would be glad to put your work in the main xmlsec source code
tree. The advantage for you is that you'll be able to easily get any
improvements or bug fixes that might be done by myself or other people
who'll use your code. The situation with MS CAPI support is even worse
(as far as I know, Olger Warnier is trying to code something but it's
the earlier stage of the project and there are no deadlines, etc.;
check the mailing list for details).

As usual, I would be happy to answer your questions in xmlsec mailing
list.

With best regards,
Aleksey
Naoto Kamouchi wrote:
>Dear Aleksey Sanin
>
>I am currently involved in a project to build a crypto engine with xml
>signature capability.
>
>In this, we would have to support IC card token, which is used for
>private key operation as well as for storing certificates.
>
>We have chosen xmlsec for the xml signature processing, and I would like
>to seek your advice on how the recommended implementation should look
>like.
>
>I suspect that choosing NSS as crypto would give us the ability to
>access Cryptoki (pkcs#11) directly from the xmlsec api interface, but so
>far haven't been able to confirm this.
>
>However, the most likely token interface we will have to settle down is
>MS CAPI (cryptoapi) and for this, we are afraid that we will have to
>risk altering the core source code of the xmlsec.
>
>I would like to thank you in advance for whatever little comment you
>will be able to provide us with.
>
>Yours sincerely,
>Naoto
>
>Naoto Kamouchi PhD
>CIJ (Computer Institute of Japan)
>tel: 090-9967-9122
>