[xmlsec] xmlsec-nss patches from Sun( 2003-07-22 )

Andrew Fan Andrew.Fan at sun.com
Wed Jul 23 22:23:34 PDT 2003


Aleksey Sanin wrote:

> From what I am reading, you want to have a *context* based list of
> allowed slots. I am not sure what your requirements are, thus I really
> don't understand what you are trying to achieve.  And I don't understand
> how this list would help (again, my example with two slots A and B
> that both can do, say, RSA and DES).

Indeed, in my implementation, "GetSlot" is used only when generating a new key
(such as xmlSecNssKeyDataDsaGenerate) and importing a raw key (such as
xmlSecNssKeyDataRsaXmlRead). I also think there are only these two cases.

>
> AFAIK, the NSS determines the slot for performing particular crypto
> operation by looking at the key (i.e. key has pointer to slot and if
> I want to do RSA encryption with *given* key then it would always
> happen on the same slot).

Yes.

>
> IMHO, we have two different scenarios:
>    1) Application signs or encrypts something. In this case, application
>    creates (loads, etc.) keys *before* calling xmlsec function. Then
>    xmlsec selects the key and perform crypto operation on the slot
>    specified by the key. I don't see any problem here because application
>    may select any slot for particular key, add the key to keys manager
>    and everything would work fine today.

Yes, for these cases, "getSlot" must not work, because the user has assigned
the slot with the key.

>
>    2) Application decrypts data or verifies signature. In this case it is possible
>    that application creates key in advance (and selects it for performing operation
>    by key name, etc.) or it needs to adopt key dynamically (for example, extracts
>    from x509 cert, decrypts encrypted session key, etc.). The situation when
>    key is created by application in advance is not different from case 1). It would
>    work as desired with current code.

Agree.

> The situation with "dynamically loaded key" is
>    different and this is the case when we use the PK11_GetBestSlot()
>    function today.

>
> From now on let's talk only about the second case: using "dynamic" keys
> created/loaded while application is processing *current* signature or
> encrypted data.
>
> > And this case: based on the first, your application wants to use slot A for RSA
> > encryption and slot B for DSA signatures in a while, in another while slot A for
> > DSA encryption and slot B for RSA signature is required.
>
> My solution with mapping algorithm-->slot works here. The only thing it misses is
> the multithreading case when an app wants to use different slots in a different way
> in two threads. The only solution I can suggest for this is that the map
> algorithm-->slot is changed from global to be xmlSecNssKeysManager specific.

Good suggestion, we have the same options in some sense. When I implement
the demo, I do not want to introduce the "getSlot" functions, I think
that I can get everything from the keys manager. When I read a raw key from
an XML document, the "xmlSecNssKeyDataRsaXmlRead" interface, for example,
has a xmlSecKeyInfoCtxPtr parameter, from where I can get the
xmlSecNssKeysManager. But for the "xmlSecNssKeyDataRsaGenerate"
interfaces, I have no such good luck. So the 'getSlot' is designed
only for "KeyDataXXXGenerate" functions.

Can we design it so that we specify a default xmlSecNssKeysManager, and every
loaded key (read from an XML document) binds with the slot that is enabled
in the manager? That is one thing I want to do.

So if we provide such a keys manager, "getSlot" only works for the key data
generators. When will we use the "KeyDataXXXGenerate" functions?

>
> > Think about another case: Slot A and B both support RSA encryption,
> > an operation wants to transport an RSA key (in A) with another RSA key (in B),
> > which is a very common case in key management systems.
>
> I don't think that I want to solve a problem when application wants to perform
> two, say, RSA encryptions one after another while processing *one*
> <enc:EncryptedData/> node (for example, one RSA session key encrypts data and
> another RSA key encrypts RSA session key in key transport). And application
> wants to do these two RSA decryptions on *different* slots. IMHO, this is a
> corner case.

:-(

>
>
> I think this discussion goes wild :) I don't understand the benefits of using
> slots list instead of alg->slot map. But since nobody else besides you wants this
> feature, I would not object if your patch will do whatever works best for you
> with one restriction: "by default" (i.e. if application does nothing) the code
> should just simply call GetBestSlot. Thus your changes would not affect others.
> Also it would be great to have this limited to xmlSecKeysManager (i.e. no global
> static objects/variables).

Now, maybe we have agreed where and when "getSlot" works: only in the
"KeyDataXXXGenerate" interfaces. And I do not stick to my design. Wait a
while......! First, I think we need an example: how to initialize the
alg->slot map or slot list.
alg-slot:
{
    PK11SlotInfo* slot ;
    PK11SlotInfo* slot2 ;

    if( PK11_DoesMechanism( slot , CKM_RSA_X509 ) ) {
        xmlSecNssSlotAdopt( CKM_RSA_X509, slot ) ;
    } else if( PK11_DoesMechanism( slot , CKM_RSA_PKCS ) ) {
        xmlSecNssSlotAdopt( CKM_RSA_PKCS, slot ) ;
    } else if( PK11_DoesMechanism( slot , CKM_RSA_PKCS_KEY_PAIR_GEN ) ) {
        xmlSecNssSlotAdopt( CKM_RSA_PKCS_KEY_PAIR_GEN, slot ) ;
    } else if( PK11_DoesMechanism( slot , CKM_RSA_9796 ) ) {
        xmlSecNssSlotAdopt( CKM_RSA_9796, slot ) ;
    } else if( PK11_DoesMechanism( slot , CKM_DSA ) ) {
        xmlSecNssSlotAdopt( CKM_DSA, slot ) ;
    } else if( ...... ) {
        ......
    }
    ......

    xmlSecNssSlotRemove( CKM_RSA_PKCS_KEY_PAIR_GEN, slot ) ;
    ......

}

slot list:
{
    PK11SlotInfo* slot ;
    PK11SlotInfo* slot2 ;
    PK11SlotList* slist ;
    ......
    slist = xmlSecNssSlotInit( slist ) ;

    PK11_AddSlotToList( slist, slot ) ;
    PK11_AddSlotToList( slist, slot2 ) ;
    ......
    /* NSS removes a single element with PK11_DeleteSlotFromList */
    PK11_DeleteSlotFromList( slist, PK11_FindSlotElement( slist, slot2 ) ) ;
    ......
}

Because both of the above seem to work for me, if we can ensure that only
"KeysDataXXXGenerate" depends on "getSlot", I can accept either.
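
The design constraints discussed in this message (a mechanism-to-slot map held per keys manager rather than globally, with a fall back to the default slot choice when the application has bound nothing) can be modelled without NSS. This is an added example, not code from the poster or from xmlsec: `Manager`, `manager_adopt`, `manager_get_slot`, `best_slot` and the `MECH_*` ids are hypothetical stand-ins, and the two slots are constructed sample data.

```c
#include <stddef.h>
/* Constructed stand-ins: this model does not link against NSS. */
typedef unsigned long Mech;               /* role of CK_MECHANISM_TYPE */
typedef struct { const char *name; const Mech *mechs; size_t n; } Slot;
enum { MECH_RSA = 1, MECH_DSA, MECH_DES };  /* constructed ids */
#define MAP_MAX 8

/* Hypothetical per-keys-manager state: no global or static map. */
typedef struct {
    struct { Mech mech; const Slot *slot; } map[MAP_MAX];
    size_t used;
    const Slot *const *all; size_t nall;  /* slots the token layer offers */
} Manager;

static int slot_does(const Slot *s, Mech m) {
    for (size_t i = 0; i < s->n; i++) if (s->mechs[i] == m) return 1;
    return 0;
}
/* Stand-in for the default choice: first slot supporting the mechanism. */
static const Slot *best_slot(const Manager *km, Mech m) {
    for (size_t i = 0; i < km->nall; i++)
        if (slot_does(km->all[i], m)) return km->all[i];
    return NULL;
}
/* Bind mech -> slot for this manager only; reject slots that cannot do it. */
int manager_adopt(Manager *km, Mech m, const Slot *s) {
    if (!slot_does(s, m)) return -1;
    for (size_t i = 0; i < km->used; i++)
        if (km->map[i].mech == m) { km->map[i].slot = s; return 0; }
    if (km->used == MAP_MAX) return -1;
    km->map[km->used].mech = m; km->map[km->used++].slot = s;
    return 0;
}
/* Slot for a dynamically created key: explicit binding, else the default. */
const Slot *manager_get_slot(const Manager *km, Mech m) {
    for (size_t i = 0; i < km->used; i++)
        if (km->map[i].mech == m) return km->map[i].slot;
    return best_slot(km, m);
}

/* Constructed sample: slots A and B both do RSA and DES; only B does DSA. */
static const Mech A_MECHS[] = { MECH_RSA, MECH_DES };
static const Mech B_MECHS[] = { MECH_RSA, MECH_DES, MECH_DSA };
static const Slot SLOT_A = { "A", A_MECHS, 2 }, SLOT_B = { "B", B_MECHS, 3 };
static const Slot *const ALL[] = { &SLOT_A, &SLOT_B };
int main(void) {
    Manager km = { .all = ALL, .nall = 2 };
    manager_adopt(&km, MECH_RSA, &SLOT_B);
    return manager_get_slot(&km, MECH_RSA) == &SLOT_B ? 0 : 1;
}
```

Two `Manager` values used from two threads keep independent bindings, which is the multithreading case the global map could not cover.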



