[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )

Andrew Fan Andrew.Fan at sun.com
Tue Jul 22 02:39:45 PDT 2003


Hi,

This xmlsec-nss patch is based on the XMLSEC_NSS_030714 branch. It adds 
two new files in order to support an end-user designated PKCS#11 slot 
instead of using the default NSS built-in ones (PK11_GetBestSlot).

Why I added the new interfaces:
1. NSS' function "PK11_GetBestSlot" chooses from all of the internal 
built-in slots or from all of the active PKCS#11 modules' slots, so the 
caller does not control which token is used;
2. Sometimes an end user needs a certain crypto operation to take place 
on a certain crypto device, especially in a multi-crypto-device environment.
3. Sometimes a key generated in a certain slot only works in that slot 
(such as an RSA private key). PK11_GetBestSlot cannot ensure this. In 
that case the end user can assign the specific slot with the new interface.

Here's the usage of the interfaces:
1. "xmlSecSetSlotList" sets the user-designated slot list (the library 
takes ownership of the list and frees it later).
2. "xmlSecFreeSlot" destroys the slot list repository.
3. When generating a new key, "xmlSecGetSlot" returns the user-designated 
slot for the requested mechanism (or NULL if none of the designated 
slots is usable; it does not fall back to PK11_GetBestSlot in that case).
4. If the end user wants to inspect the slot list repository, he can access 
it with "xmlSecGetSlotList".

Andrew
-------------- next part --------------
/**
 * XMLSec library
 *
 * This is free software; see Copyright file in the source
 * distribution for precise wording.
 * 
 * Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
 * 
 * Contributor(s): _____________________________
 * 
 */
#ifndef __XMLSEC_NSS_TOKENS_H__
#define __XMLSEC_NSS_TOKENS_H__

#include "globals.h"
#include <string.h>

#include <nss.h>
#include <pk11func.h>

#include <xmlsec/xmlsec.h>

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */ 

/************************************************************************
 * PKCS#11 crypto token interfaces
 *
 * A PKCS#11 slot repository is kept internally. Through the repository a
 * user can designate the slots that a certain crypto mechanism is
 * allowed to use.
 *
 * In some situations a cryptographic operation must take place in a
 * user-designated device. The interfaces defined here provide that. If
 * the user does not explicitly initialize the repository, the interfaces
 * fall back to the default slot selection provided by NSS itself.
 *
 ************************************************************************/
/**
 * Get a PKCS#11 slot that supports a mechanism.
 * @type	the mechanism that the slot must support.
 *
 * If no slot list has been installed with xmlSecSetSlotList(), NSS
 * chooses the slot (PK11_GetBestSlot). Otherwise only the designated
 * list is searched and NULL is returned when none of its slots is
 * present, supports @type and can be logged into -- there is no
 * fallback to PK11_GetBestSlot, so a key operation is never silently
 * moved to a token the user did not designate.
 *
 * Returns a referenced PKCS#11 slot or NULL if an error occurs.
 *
 * Notes: The caller owns the returned reference and must release it
 * with PK11_FreeSlot().
 */
XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecGetSlot( CK_MECHANISM_TYPE type ) ;

/**
 * Free NSS crypto engine PKCS#11 slot repository.
 *
 * Releases the list installed with xmlSecSetSlotList() (PK11_FreeSlotList)
 * and reverts to default NSS slot selection. Safe to call when no list
 * is installed.
 */
XMLSEC_CRYPTO_EXPORT void xmlSecFreeSlot( void ) ;

/**
 * Set NSS crypto engine PKCS11 slots
 * @list	the PKCS#11 slot list that the crypto engine should work with.
 *
 * Ownership of @list passes to the library: it is released with
 * PK11_FreeSlotList() by xmlSecFreeSlot() or when another list is
 * installed, so the caller must not free it. Any previously installed
 * list is freed here. Passing NULL reverts to default NSS slot selection.
 *
 * Returns the installed list (NULL when @list is NULL).
 */
XMLSEC_CRYPTO_EXPORT PK11SlotList* xmlSecSetSlotList( PK11SlotList* list ) ;

/**
 * Get NSS crypto engine PKCS#11 slot list
 *
 * Returns the currently installed list, or NULL when none is installed
 * (default NSS selection is then in effect). The list stays owned by
 * the library; callers must not free it.
 */
XMLSEC_CRYPTO_EXPORT PK11SlotList* xmlSecGetSlotList( void ) ;

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif	/* __XMLSEC_NSS_TOKENS_H__ */

-------------- next part --------------
/**
 * XMLSec library
 *
 * This is free software; see Copyright file in the source
 * distribution for precise wording.
 *
 * Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
 *
 * Contributor(s): _____________________________
 *
 */
#include "globals.h"
#include <string.h>

#include <xmlsec/nss/tokens.h>

/*-
 * Global PKCS#11 crypto token repository.
 *
 * NULL means no list has been installed and xmlSecGetSlot() falls back
 * to PK11_GetBestSlot(). Owned by this file: installed by
 * xmlSecSetSlotList(), released by xmlSecFreeSlot().
 * NOTE(review): unsynchronized file-scope state -- callers that install
 * or free the list from several threads need external locking.
 */
static PK11SlotList* _xmlSecSlotList = NULL ;

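/**
 * Get a PKCS#11 slot that supports a mechanism.
 * @type	the mechanism that the slot must support.
 *
 * If no slot list has been installed with xmlSecSetSlotList(), NSS
 * chooses the slot (PK11_GetBestSlot). Otherwise only the designated
 * list is searched: the first slot that is present, supports @type and
 * (when required) can be logged into is returned. There is deliberately
 * no fallback to PK11_GetBestSlot in that case, so a misconfigured list
 * yields NULL rather than silently moving a key operation to a token
 * (e.g. a software slot) the user did not designate.
 *
 * Returns a referenced PK11SlotInfo or NULL if no suitable slot is found.
 * The caller owns the reference and must release it with PK11_FreeSlot().
 */
PK11SlotInfo*
xmlSecGetSlot(
	CK_MECHANISM_TYPE type
) {
	PK11SlotInfo*		slot = NULL ;
	PK11SlotListElement*	sle = NULL ;

	if( _xmlSecSlotList == NULL ) {
		/* No designated list: let NSS pick (NULL window context). */
		return PK11_GetBestSlot( type , NULL ) ;
	}

	/*
	 * Walk the designated list. PK11_GetFirstSafe/PK11_GetNextSafe hand
	 * back a referenced element, and the "next" call releases the one it
	 * is given; the loop variable must therefore be reassigned from the
	 * return value on every iteration (otherwise a rejected slot is
	 * re-examined forever) and explicitly released when the loop is
	 * left early.
	 */
	for( sle = PK11_GetFirstSafe( _xmlSecSlotList ) ;
	     sle != NULL ;
	     sle = PK11_GetNextSafe( _xmlSecSlotList , sle , PR_TRUE ) ) {
		if( !PK11_IsPresent( sle->slot ) )
			continue ;

		if( !PK11_DoesMechanism( sle->slot , type ) )
			continue ;

		/* NOTE(review): NULL window context means a password callback
		 * gets no caller data; this mirrors the PK11_GetBestSlot path. */
		if( PK11_NeedLogin( sle->slot ) &&
		    PK11_Authenticate( sle->slot , PR_TRUE , NULL ) != SECSuccess )
			continue ;

		slot = PK11_ReferenceSlot( sle->slot ) ;
		/* Drop the element reference taken by GetFirstSafe/GetNextSafe. */
		PK11_FreeSlotListElement( _xmlSecSlotList , sle ) ;
		break ;
	}

	return slot ;
}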

/**
 * Free NSS crypto engine PKCS#11 slot repository.
 *
 * Releases the list installed with xmlSecSetSlotList() via
 * PK11_FreeSlotList() and clears the global so that xmlSecGetSlot()
 * reverts to PK11_GetBestSlot(). A no-op when no list is installed.
 */
void
xmlSecFreeSlot(
	void
) {
	PK11SlotList*	old = _xmlSecSlotList ;

	/* Clear the global first so no stale pointer survives the free. */
	_xmlSecSlotList = NULL ;

	if( old == NULL )
		return ;

	PK11_FreeSlotList( old ) ;
}

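/**
 * Set NSS crypto engine PKCS11 slots
 * @list	the PKCS#11 slot list that the crypto engine should work with.
 *
 * Ownership of @list passes to the library: it is released with
 * PK11_FreeSlotList() by xmlSecFreeSlot() or when another list is
 * installed, so the caller must not free it. Any previously installed
 * list is freed here. Passing NULL reverts to default NSS slot selection.
 *
 * Returns the installed list (NULL when @list is NULL).
 */
PK11SlotList*
xmlSecSetSlotList(
	PK11SlotList* list
) {
	/* Re-installing the list that is already current must not free it
	 * first, or the repository would be left holding a dangling pointer. */
	if( list == _xmlSecSlotList ) {
		return _xmlSecSlotList ;
	}

	if( _xmlSecSlotList != NULL ) {
		PK11_FreeSlotList( _xmlSecSlotList ) ;
	}

	_xmlSecSlotList = list ;

	return _xmlSecSlotList ;
}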

/**
 * Get NSS crypto engine PKCS#11 slot list
 *
 * Returns the currently installed list, or NULL when none is installed
 * (default NSS selection is then in effect). The list stays owned by
 * the library; callers must not free it.
 */
PK11SlotList*
xmlSecGetSlotList(
	void
) {
	PK11SlotList*	current = _xmlSecSlotList ;

	return current ;
}


