[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )
Aleksey Sanin
aleksey at aleksey.com
Wed Jul 23 21:06:28 PDT 2003
From what I am reading, you want to have *context* based list of
allowed slots. I am not sure what are you requirements thus I really
don't understand what are you trying to achieve. And I don't understand
how this list would help ( again, my example with two slots A and B
that both can do, say, RSA and DES).
AFAIK, the NSS determines the slot for performing particular crypto
operation by looking at the key (i.e. key has pointer to slot and if
I want to do RSA encryption with *given* key then it would always
happen on the same slot).
IMHO, we have two different scenarios:
1) Application signs or encrypts something. In this case, application
creates (loads, etc.) keys *before* calling xmlsec function. Then
xmlsec selects the key and perform crypto operation on the slot
specified by the key. I don't see any problem here because application
may select any slot for particular key, add the key to keys manager
and everything would work fine today.
2) Application decrypts data or verifies signature. In this case it
is possible
that application creates key in advance (and selects it for
performing operation
by key name, etc.) or it needs to adopt key dynamicaly (for example,
extracts
from x509 cert, decrypts encrypted session key, etc.). The situation
when
key is created by application in advance is not different from case
1). It would
work as desired with current code. The situation with "dynamicaly
loaded key" is
different and this is the case when we use PK11_GetBestSlot())
function today.
From now on lets talk only about the second case: using "dynamic" keys
created/loaded while application is processing *current* signature or
encrypted
data.
> And this case: based on thr first, your application wants to use slot
A for RSA
> encryption and slot B for DSA signatures in a wile, in another wile
slot a for
> DSA encryption and slot B for RSA signature is required.
My solution with mapping algorithm-->slot works here. The only thing it
misses is
the multithreading case when apps wants to use different slots in
different way
in two threads. The only solution I can suggest for this is that the map
algorithm-->slot
is changed from global to be xmlSecNssKeysManager specific.
> Think about another cases: Slot A and B both support RSA encrytion,
> an operation want to transport a RSA key ( in A ) with another RSA
key( in B ),
> which is a very common case in key management system.
I don't think that I want to solve a problem when application wants to
perform
two, say, RSA encryptions one after another while processing *one*
<enc:EncryptedData/>
node (for example, one RSA session key encrypts data and another RSA key
encrypts RSA session key in key transport). And application wants to do
these
two RSA decryptions on *different* slots. IMHO, this is a corner case.
I think this discussion goes wild :) I don't understand the benefits of
using slots list
instead of alg->slot map. But since nobody else besides you wants this
feature,
I would not object if your patch will do whatever works best for you
with one
restriction: "by default" (i.e. if application does nothing) the code
should just
simply call GetBestSlot. Thus your changes would not affect others. Also
it would be
great to have this limited to xmlSecKeysManager (i.e. no global static
objects/variables).
Hope this would work for you :)
Aleksey
More information about the xmlsec
mailing list