[webmasters] Re: [xmlsec] Big patch to xmlsec in recent OpenOffice.org sources

Chandler Peng Chuandong.Peng at sun.com
Sat Feb 5 22:43:11 PST 2005


Aleksey Sanin wrote:

> Thanks, Chandler and Andrew!
>
> I'l review these files during next week. But will you mind to re-send
> them to xmlsec at aleksey.com mailing list, please? There are more folks
> who can help me with review.
>
OK , no problem :-)

> Thanks!
> Aleksey
>
> Chandler Peng wrote:
>
>> Andrew ,
>> I have created a new diff file with "diff -uN" on xmlsec_1.2.6. This 
>> diff file only include the difference on the source and the related 
>> makefile . Our new source file need add to xmlsec is in the xmlsec.zip .
>>
>> Chandler Peng..
>>
>>
>> Andrew Fan wrote:
>>
>>> Hi Aleksey,
>>>
>>> I have to say sorry to you and all of others about the mail thread. 
>>> The e-mailed are filtered into aother folder in my email, and I have 
>>> not read it for a very long time. So sorry.
>>>
>>> But I never forgot to contribute the patches back into the main 
>>> track from the very beginning. And now, it seems that I have got the 
>>> permission from my bosses. :-)  Michael Mi and Chandler Peng will 
>>> work on the integration, I will help them during the integrating 
>>> process.
>>>
>>> About the patch, why is it so big? what had happened at the patch? I 
>>> try to illustrate it in some very simple words.
>>> 1. I only made some changes over nss and ms crypto enginers;
>>> 2. For ms crypto enginer, I did some changes over keystore mainly, 
>>> the patch is quite smalll;
>>> 3. For nss enginer, the patch shows a big difference about how to 
>>> find keys and personal certificates from key store and certificate 
>>> store.
>>>
>>> Detailed infomation, I'll try to explain during the integration.
>>>
>>> Thanks & Regards,
>>> Andrew Fan
>>>
>>> Chandler, would you please create a new diff according with "diff 
>>> -uN". Thanks.
>>>
>>> Aleksey Sanin wrote:
>>>
>>>> Andrew,
>>>>
>>>> I would appreciate if you can generate a new "diff -uN" patch against
>>>> the current xmlsec CVS trunk because it is pretty hard to read the
>>>> patch at
>>>>
>>>> http://external.openoffice.org/source/browse/external/libxmlsec/xmlsec1-1.2.4.patch 
>>>>
>>>>
>>>> Plus I have some problems applying the current patch (mainly with new
>>>> files you've added).
>>>>
>>>> Also it is a pretty big patch and I would really appreciate if you
>>>> can write up some comments about it (something like "the change on
>>>> lines AAA-BBB, file CCC, lines DDD-EEE, file FFF, ... fixes bug
>>>> ZZZ" will do).
>>>>
>>>> Thanks,
>>>> Aleksey
>>>>
>>>> Malte Timmermann wrote:
>>>>
>>>>> Andrew,
>>>>>
>>>>> can you please work with Aleksey to get all your changes into xmlsec?
>>>>>
>>>>> Would be great if we could get rid of our patch :)
>>>>>
>>>>> Malte.
>>>>>
>>>
>>

-------------- next part --------------
cvs diff -uN (in directory D:\My_work\SRC680\o_libxmlsec)
? xmlsec/include/xmlsec/mscrypto/akmngr.h
? xmlsec/include/xmlsec/nss/akmngr.h
? xmlsec/include/xmlsec/nss/ciphers.h
? xmlsec/include/xmlsec/nss/tokens.h
? xmlsec/src/mscrypto/akmngr.c
? xmlsec/src/nss/akmngr.c
? xmlsec/src/nss/keytrans.c
? xmlsec/src/nss/keywrapers.c
? xmlsec/src/nss/tokens.c
cvs server: Diffing xmlsec
cvs server: Diffing xmlsec/apps
cvs server: Diffing xmlsec/docs
cvs server: Diffing xmlsec/docs/api
cvs server: Diffing xmlsec/docs/api/chapters
cvs server: Diffing xmlsec/docs/api/images
cvs server: Diffing xmlsec/docs/api/sgml
cvs server: Diffing xmlsec/docs/api/sgml/gnutls
cvs server: Diffing xmlsec/docs/api/sgml/mscrypto
cvs server: Diffing xmlsec/docs/api/sgml/nss
cvs server: Diffing xmlsec/docs/api/sgml/openssl
cvs server: Diffing xmlsec/docs/api/tmpl
cvs server: Diffing xmlsec/docs/api/tmpl/gnutls
cvs server: Diffing xmlsec/docs/api/tmpl/mscrypto
cvs server: Diffing xmlsec/docs/api/tmpl/nss
cvs server: Diffing xmlsec/docs/api/tmpl/openssl
cvs server: Diffing xmlsec/docs/api-0.0.x
cvs server: Diffing xmlsec/docs/api-0.0.x/examples
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/dsig1
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/dsig2
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/dsig3
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/dsig4
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/dsig5
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/enc1
cvs server: Diffing xmlsec/docs/api-0.0.x/examples/enc2
cvs server: Diffing xmlsec/docs/api-0.0.x/sgml
cvs server: Diffing xmlsec/docs/api-0.0.x/tmpl
cvs server: Diffing xmlsec/docs/extra
cvs server: Diffing xmlsec/docs/images
cvs server: Diffing xmlsec/docs/tests
cvs server: Diffing xmlsec/docs/tests/aleksey-xmldsig-01
cvs server: Diffing xmlsec/docs/tests/keys-certs
cvs server: Diffing xmlsec/docs/tests/merlin-exc-c14n-one
cvs server: Diffing xmlsec/docs/tests/merlin-xmldsig-twenty-three
cvs server: Diffing xmlsec/docs/tests/merlin-xmldsig-twenty-three/certs
cvs server: Diffing xmlsec/docs/tests/merlin-xmlenc-five
cvs server: Diffing xmlsec/examples
cvs server: Diffing xmlsec/include
cvs server: Diffing xmlsec/include/xmlsec
cvs server: Diffing xmlsec/include/xmlsec/gnutls
cvs server: Diffing xmlsec/include/xmlsec/mscrypto
Index: xmlsec/include/xmlsec/mscrypto/x509.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/mscrypto/x509.h,v
retrieving revision 1.3
diff -u -r1.3 x509.h
--- xmlsec/include/xmlsec/mscrypto/x509.h	26 Sep 2003 06:12:46 -0000	1.3
+++ xmlsec/include/xmlsec/mscrypto/x509.h	6 Feb 2005 03:53:15 -0000
@@ -77,6 +77,21 @@
 										 PCCERT_CONTEXT cert,
 										 xmlSecKeyDataType type);
 
+XMLSEC_CRYPTO_EXPORT int		xmlSecMSCryptoX509StoreAdoptKeyStore (
+										xmlSecKeyDataStorePtr store,
+										HCERTSTORE keyStore
+								) ;
+
+XMLSEC_CRYPTO_EXPORT int		xmlSecMSCryptoX509StoreAdoptTrustedStore (
+										xmlSecKeyDataStorePtr store,
+										HCERTSTORE trustedStore
+								) ;
+
+XMLSEC_CRYPTO_EXPORT int		xmlSecMSCryptoX509StoreAdoptUntrustedStore (
+										xmlSecKeyDataStorePtr store,
+										HCERTSTORE untrustedStore
+								) ;
+
 
 #endif /* XMLSEC_NO_X509 */
 
cvs server: Diffing xmlsec/include/xmlsec/nss
Index: xmlsec/include/xmlsec/nss/Makefile.am
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/nss/Makefile.am,v
retrieving revision 1.5
diff -u -r1.5 Makefile.am
--- xmlsec/include/xmlsec/nss/Makefile.am	30 Jul 2003 02:46:35 -0000	1.5
+++ xmlsec/include/xmlsec/nss/Makefile.am	6 Feb 2005 03:53:16 -0000
@@ -3,6 +3,7 @@
 xmlsecnssincdir = $(includedir)/xmlsec1/xmlsec/nss
 
 xmlsecnssinc_HEADERS = \
+akmngr.h \
 app.h \
 crypto.h \
 symbols.h \
@@ -10,6 +11,8 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+tokens.h \
+ciphers.h \
 $(NULL)
 
 install-exec-hook:
Index: xmlsec/include/xmlsec/nss/app.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/nss/app.h,v
retrieving revision 1.16
diff -u -r1.16 app.h
--- xmlsec/include/xmlsec/nss/app.h	12 Jan 2004 21:06:14 -0000	1.16
+++ xmlsec/include/xmlsec/nss/app.h	6 Feb 2005 03:53:16 -0000
@@ -22,6 +22,9 @@
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/transforms.h>
 
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+
 /**
  * Init/shutdown
  */
@@ -34,6 +37,8 @@
 XMLSEC_CRYPTO_EXPORT int		xmlSecNssAppDefaultKeysMngrInit	(xmlSecKeysMngrPtr mngr);
 XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrAdoptKey(xmlSecKeysMngrPtr mngr,
 									    xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr,
+									    xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrLoad	(xmlSecKeysMngrPtr mngr,
 									 const char* uri);
 XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrSave	(xmlSecKeysMngrPtr mngr,
Index: xmlsec/include/xmlsec/nss/crypto.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/nss/crypto.h,v
retrieving revision 1.19
diff -u -r1.19 crypto.h
--- xmlsec/include/xmlsec/nss/crypto.h	12 Jan 2004 21:06:14 -0000	1.19
+++ xmlsec/include/xmlsec/nss/crypto.h	6 Feb 2005 03:53:16 -0000
@@ -264,6 +264,15 @@
         xmlSecNssTransformRsaPkcs1GetKlass()
 XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformRsaPkcs1GetKlass(void);
 
+/**
+ * xmlSecNssTransformRsaOaepId:
+ * 
+ * The RSA OAEP key transport transform klass.
+ */
+#define xmlSecNssTransformRsaOaepId \
+        xmlSecNssTransformRsaOaepGetKlass()
+XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformRsaOaepGetKlass(void);
+
 #endif /* XMLSEC_NO_RSA */
 
 
Index: xmlsec/include/xmlsec/nss/keysstore.h
===================================================================
RCS file: /cvs/gnome/xmlsec/include/xmlsec/nss/keysstore.h,v
retrieving revision 1.2
diff -u -r1.2 keysstore.h
--- xmlsec/include/xmlsec/nss/keysstore.h	30 Jul 2003 02:46:35 -0000	1.2
+++ xmlsec/include/xmlsec/nss/keysstore.h	6 Feb 2005 03:53:16 -0000
@@ -16,6 +16,8 @@
 #endif /* __cplusplus */ 
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/nss/tokens.h>
 
 /****************************************************************************
  *
@@ -31,6 +33,8 @@
 XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId	xmlSecNssKeysStoreGetKlass	(void);
 XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreAdoptKey	(xmlSecKeyStorePtr store,
 									 xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store,
+									 xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreLoad 	(xmlSecKeyStorePtr store,
 								 const char *uri,
 								 xmlSecKeysMngrPtr keysMngr);
cvs server: Diffing xmlsec/include/xmlsec/openssl
cvs server: Diffing xmlsec/include/xmlsec/private
cvs server: Diffing xmlsec/include/xmlsec/skeleton
cvs server: Diffing xmlsec/man
cvs server: Diffing xmlsec/scripts
cvs server: Diffing xmlsec/src
Index: xmlsec/src/bn.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/bn.c,v
retrieving revision 1.12
diff -u -r1.12 bn.c
--- xmlsec/src/bn.c	21 Jun 2004 18:33:27 -0000	1.12
+++ xmlsec/src/bn.c	6 Feb 2005 03:53:16 -0000
@@ -175,6 +175,11 @@
     int nn;
     int ret;
 
+	/*
+	 * mmi : added for adding prefix 00
+	 */
+	xmlSecByte* data;
+
     xmlSecAssert2(bn != NULL, -1);
     xmlSecAssert2(str != NULL, -1);
     xmlSecAssert2(base > 1, -1);
@@ -192,7 +197,10 @@
      * because each byte is represented by 2 chars. If needed, 
      * buffer size would be increased by Mul/Add functions.
      */
-    ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1);
+	/*
+	 * mmi:add one byte to hold the 00 prefix
+	 */
+    ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 2);
     if(ret < 0) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    NULL,
@@ -239,6 +247,25 @@
 			"base=%d", base);
 	    return (-1);
 	}	
+
+    }
+
+	/*
+	 * mmi : check whether need to add 00 prefix
+	 */
+	data = xmlSecBufferGetData(bn);
+	if (data[0]>127)
+	{
+	    ch = 0;
+        ret = xmlSecBufferPrepend(bn, &ch, 1);
+		if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+				NULL,
+				"xmlSecBufferPrepend",
+				XMLSEC_ERRORS_R_XMLSEC_FAILED,
+				"base=%d", base);
+			return (-1);
+		}
     }
 
     return(0);
Index: xmlsec/src/dl.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/dl.c,v
retrieving revision 1.9
diff -u -r1.9 dl.c
--- xmlsec/src/dl.c	29 Oct 2003 15:57:20 -0000	1.9
+++ xmlsec/src/dl.c	6 Feb 2005 03:53:17 -0000
@@ -329,6 +329,10 @@
 xmlSecCryptoDLInit(void) {
     int ret;
     
+    /* use xmlMalloc/xmlFree */
+    xmlsec_lt_dlmalloc	= xmlSecCryptoDLMalloc;
+    xmlsec_lt_dlfree	= xmlSecCryptoDLFree;
+
     ret = xmlSecPtrListInitialize(&gXmlSecCryptoDLLibraries, xmlSecCryptoDLLibrariesListGetKlass());
     if(ret < 0) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
@@ -350,9 +354,6 @@
     }
     /* TODO: LTDL_SET_PRELOADED_SYMBOLS(); */
     
-    /* use xmlMalloc/xmlFree */
-    xmlsec_lt_dlmalloc	= xmlSecCryptoDLMalloc;
-    xmlsec_lt_dlfree	= xmlSecCryptoDLFree;
     return(0);
 }
 
cvs server: Diffing xmlsec/src/gnutls
cvs server: Diffing xmlsec/src/mscrypto
Index: xmlsec/src/mscrypto/certkeys.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/certkeys.c,v
retrieving revision 1.5
diff -u -r1.5 certkeys.c
--- xmlsec/src/mscrypto/certkeys.c	17 Mar 2004 05:06:43 -0000	1.5
+++ xmlsec/src/mscrypto/certkeys.c	6 Feb 2005 03:53:18 -0000
@@ -41,6 +41,7 @@
  * a public key from xml document is provided, we need HCRYPTKEY.... The focus
  * now is however directed to certificates.  Wouter
  */
+/** replaced by a wrapper style for WINNT 4.0
 struct _xmlSecMSCryptoKeyDataCtx {
     HCRYPTPROV		hProv;
     BOOL		fCallerFreeProv;
@@ -51,6 +52,124 @@
     HCRYPTKEY		hKey;
     xmlSecKeyDataType	type;
 };	    
+*/
+/*-
+ * A wrapper of HCRYPTKEY, a reference countor is introduced, the function is
+ * the same as CryptDuplicateKey. Because the CryptDuplicateKey is not support
+ * by WINNT 4.0, the wrapper will enable the library work on WINNT 4.0
+ */
+struct _mscrypt_key {
+	HCRYPTKEY hKey ;
+	int	refcnt ;
+} ;
+
+/*-
+ * A wrapper of HCRYPTPROV, a reference countor is introduced, the function is
+ * the same as CryptContextAddRef. Because the CryptContextAddRef is not support
+ * by WINNT 4.0, the wrapper will enable the library work on WINNT 4.0
+ */
+struct _mscrypt_prov {
+	HCRYPTPROV hProv ;
+    BOOL freeprov ;
+	int	refcnt ;
+} ;
+
+struct _xmlSecMSCryptoKeyDataCtx {
+	struct _mscrypt_prov*	p_prov ;
+    LPCTSTR		providerName;
+    DWORD		providerType;
+    PCCERT_CONTEXT	pCert;
+    DWORD		dwKeySpec;
+	struct _mscrypt_key* p_key ;
+    xmlSecKeyDataType	type;
+};	    
+
+struct _mscrypt_key* mscrypt_create_key( HCRYPTKEY key ) {
+	struct _mscrypt_key* pkey ;
+
+	pkey = ( struct _mscrypt_key* )xmlMalloc( sizeof( struct _mscrypt_key ) ) ;
+	if( pkey == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			"mscrypt_create_key" ,
+			NULL ,
+			XMLSEC_ERRORS_R_MALLOC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE
+		) ;
+	}
+
+	pkey->hKey = key ;
+	pkey->refcnt = 1 ;
+
+	return pkey ;
+}
+
+struct _mscrypt_key* mscrypt_acquire_key( struct _mscrypt_key* key ) {
+	if( key )
+		key->refcnt ++ ;
+
+	return key ;
+}
+
+int mscrypt_release_key( struct _mscrypt_key* key ) {
+	if( key ) {
+		key->refcnt -- ;
+		if( !key->refcnt ) {
+			if( key->hKey ) {
+				CryptDestroyKey( key->hKey ) ;
+				key->hKey = 0 ;
+			}
+			xmlFree( key ) ;
+		} else {
+			return key->refcnt ;
+		}
+	}
+
+	return 0 ;
+}
+
+struct _mscrypt_prov* mscrypt_create_prov( HCRYPTPROV prov, BOOL callerFree ) {
+	struct _mscrypt_prov* pprov ;
+
+	pprov = ( struct _mscrypt_prov* )xmlMalloc( sizeof( struct _mscrypt_prov ) ) ;
+	if( pprov == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			"mscrypt_create_prov" ,
+			NULL ,
+			XMLSEC_ERRORS_R_MALLOC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE
+		) ;
+	}
+
+	pprov->hProv = prov ;
+	pprov->freeprov = callerFree ;
+	pprov->refcnt = 1 ;
+
+	return pprov ;
+}
+
+struct _mscrypt_prov* mscrypt_acquire_prov( struct _mscrypt_prov* prov ) {
+	if( prov )
+		prov->refcnt ++ ;
+
+	return prov ;
+}
+
+int mscrypt_release_prov( struct _mscrypt_prov* prov ) {
+	if( prov ) {
+		prov->refcnt -- ;
+		if( !prov->refcnt ) {
+			if( prov->hProv && prov->freeprov ) {
+				CryptReleaseContext( prov->hProv, 0 ) ;
+				prov->hProv = 0 ;
+			}
+			xmlFree( prov ) ;
+		} else {
+			return prov->refcnt ;
+		}
+	}
+
+	return 0 ;
+}
 
 /******************************************************************************
  *
@@ -88,24 +207,20 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
 
-    if (ctx->hKey != 0) {
-	CryptDestroyKey(ctx->hKey);
-	ctx->hKey = 0;
-    }
+	if( ctx->p_key != 0 ) {
+		mscrypt_release_key( ctx->p_key ) ;
+	}
+	ctx->p_key = mscrypt_create_key( 0 ) ;
 
     if(ctx->pCert != NULL) {
 	CertFreeCertificateContext(ctx->pCert);
 	ctx->pCert = NULL;
     }
 
-    if ((ctx->hProv != 0) && (ctx->fCallerFreeProv)) {
-	CryptReleaseContext(ctx->hProv, 0);
-	ctx->hProv = 0;
-	ctx->fCallerFreeProv = FALSE;
-    } else {
-	ctx->hProv = 0;
-	ctx->fCallerFreeProv = FALSE;
-    }
+	if( ( ctx->p_prov ) ) {
+		mscrypt_release_prov( ctx->p_prov ) ;
+	}
+	ctx->p_prov = mscrypt_create_prov( 0, FALSE ) ;
 
     ctx->type = type;
 
@@ -116,9 +231,9 @@
         if (!CryptAcquireCertificatePrivateKey(pCert, 
 					       CRYPT_ACQUIRE_USE_PROV_INFO_FLAG, 
 					       NULL, 
-					       &(ctx->hProv), 
+					       &(ctx->p_prov->hProv), 
 					       &(ctx->dwKeySpec), 
-					       &(ctx->fCallerFreeProv))) {
+					       &(ctx->p_prov->freeprov))) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			NULL,
 			"CryptAcquireCertificatePrivateKey",
@@ -127,9 +242,9 @@
 	    return(-1);
 	}
     } else if((type & xmlSecKeyDataTypePublic) != 0){
-	if (!CryptAcquireContext(&(ctx->hProv), 
+		if (!CryptAcquireContext(&(ctx->p_prov->hProv), 
 				 NULL, 
-				 ctx->providerName, 
+				 NULL, 	/*AF: replaces "ctx->providerName" with "NULL" */
 				 ctx->providerType, 
 				 CRYPT_VERIFYCONTEXT)) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
@@ -140,7 +255,19 @@
 	    return(-1);
 	}
 	ctx->dwKeySpec = 0;
-	ctx->fCallerFreeProv = TRUE;
+		ctx->p_prov->freeprov = TRUE;
+
+		if( !CryptImportPublicKeyInfo( ctx->p_prov->hProv, 
+				X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
+				&(pCert->pCertInfo->SubjectPublicKeyInfo), 
+				&(ctx->p_key->hKey) ) ) {
+		    xmlSecError(XMLSEC_ERRORS_HERE,
+				NULL,
+				"CryptImportPublicKeyInfo",
+				XMLSEC_ERRORS_R_CRYPTO_FAILED,
+				XMLSEC_ERRORS_NO_MESSAGE);
+		    return(-1);
+		}
     } else {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    NULL,
@@ -149,25 +276,6 @@
 		    "Unsupported keytype");
 	return(-1);
     }
-
-    /* CryptImportPublicKeyInfo is only needed when a real key handle
-     * is needed. The key handle is needed for de/encrypting and for
-     * verifying of a signature, *not* for signing. We could call
-     * CryptImportPublicKeyInfo in xmlSecMSCryptoKeyDataGetKey instead
-     * so no unnessecary calls to CryptImportPublicKeyInfo are being
-     * made. WK
-     */
-    if(!CryptImportPublicKeyInfo(ctx->hProv, 
-	X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
-	&(pCert->pCertInfo->SubjectPublicKeyInfo), 
-	&(ctx->hKey))) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"CryptImportPublicKeyInfo",
-			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    return(-1);
-    }
     ctx->pCert = pCert;
 
     return(0);
@@ -190,29 +298,26 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
 
-    if(ctx->hKey != 0) {
-	CryptDestroyKey(ctx->hKey);
-	ctx->hKey = 0;
-    }
+	if( ctx->p_key != 0 ) {
+		mscrypt_release_key( ctx->p_key ) ;
+		ctx->p_key = NULL ;
+	}
 
     if(ctx->pCert != NULL) {
 	CertFreeCertificateContext(ctx->pCert);
 	ctx->pCert = NULL;
     }
     
-    if((ctx->hProv != 0) && ctx->fCallerFreeProv) {
-	CryptReleaseContext(ctx->hProv, 0);
-	ctx->hProv = 0;
-	ctx->fCallerFreeProv = FALSE;
-    } else {
-	ctx->hProv = 0;
-	ctx->fCallerFreeProv = FALSE;
-    }
+	if( ( ctx->p_prov ) ) {
+		mscrypt_release_prov( ctx->p_prov ) ;
+		ctx->p_prov = NULL ;
+	} else {
+		ctx->p_prov = NULL ;
+	}
 
-    ctx->hProv		 = hProv;
-    ctx->fCallerFreeProv = fCallerFreeProv;
+    ctx->p_prov		 = mscrypt_create_prov( hProv, FALSE ) ;
     ctx->dwKeySpec	 = dwKeySpec;
-    ctx->hKey		 = hKey;
+    ctx->p_key		 = mscrypt_create_key( hKey ) ;
     ctx->type		 = type;
 
     return(0);
@@ -238,7 +343,7 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, 0);
  
-    return(ctx->hKey);
+    return( ctx->p_key ? ctx->p_key->hKey : 0 );
 }
 
 /**
@@ -273,7 +378,7 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, 0);
 
-    return(ctx->hProv);
+    return( ctx->p_prov ? ctx->p_prov->hProv : 0 );
 }
 
 DWORD
@@ -318,23 +423,34 @@
 	}
     } 
 
-    if (ctxSrc->hKey != 0) {
-	if (!CryptDuplicateKey(ctxSrc->hKey, NULL, 0, &(ctxDst->hKey))) {
+    if( ctxSrc->p_key ) {
+		if( ctxDst->p_key )
+			mscrypt_release_key( ctxDst->p_key ) ;
+
+		ctxDst->p_key = mscrypt_acquire_key( ctxSrc->p_key ) ;
+		if( !ctxDst->p_key ) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
-			"CryptDuplicateKey",
+				"mscrypt_acquire_key",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);
 	}
     }
-    if(ctxSrc->hProv != 0) {
-	CryptContextAddRef(ctxSrc->hProv, NULL, 0);
-	ctxDst->hProv		= ctxSrc->hProv;
-	ctxDst->fCallerFreeProv = TRUE;
-    } else {
-        ctxDst->hProv		= 0;
-	ctxDst->fCallerFreeProv = FALSE;
+
+    if( ctxSrc->p_prov ) {
+		if( ctxDst->p_prov )
+			mscrypt_release_prov( ctxDst->p_prov ) ;
+
+		ctxDst->p_prov = mscrypt_acquire_prov( ctxSrc->p_prov ) ;
+		if( !ctxDst->p_prov ) {
+		    xmlSecError(XMLSEC_ERRORS_HERE,
+				xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
+				"mscrypt_acquire_prov",
+				XMLSEC_ERRORS_R_CRYPTO_FAILED,
+				XMLSEC_ERRORS_NO_MESSAGE);
+		    return(-1);
+		}
     }
     
     ctxDst->dwKeySpec	    = ctxSrc->dwKeySpec;
@@ -355,16 +471,16 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert(ctx != NULL);
     
-    if (ctx->hKey != 0) {
-	CryptDestroyKey(ctx->hKey);
+    if( ctx->p_key ) {
+		mscrypt_release_key( ctx->p_key ) ;
     }
 
     if(ctx->pCert != NULL) {
 	CertFreeCertificateContext(ctx->pCert);
     }
 
-    if ((ctx->hProv != 0) && ctx->fCallerFreeProv) {
-	CryptReleaseContext(ctx->hProv, 0);
+    if( ctx->p_prov ) {
+		mscrypt_release_prov( ctx->p_prov ) ;
     }
 
     memset(ctx, 0, sizeof(xmlSecMSCryptoKeyDataCtx));
@@ -384,14 +500,14 @@
         xmlSecAssert2(ctx->pCert->pCertInfo != NULL, 0);
 	return (CertGetPublicKeyLength(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
 		&(ctx->pCert->pCertInfo->SubjectPublicKeyInfo)));
-    } else if (ctx->hKey != 0) {
+    } else if (ctx->p_key != 0 && ctx->p_key->hKey != 0 ) {
         DWORD length = 0;
 	DWORD lenlen = sizeof(DWORD);
 	
-	if (!CryptGetKeyParam(ctx->hKey, KP_KEYLEN, (BYTE *)&length, &lenlen, 0)) {
+	if (!CryptGetKeyParam(ctx->p_key->hKey, KP_KEYLEN, (BYTE *)&length, &lenlen, 0)) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			NULL,
-			"CertDuplicateCertificateContext",
+			"CryptGetKeyParam",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(0);
@@ -938,9 +1054,10 @@
 
     ctx = xmlSecMSCryptoKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->hKey != 0, -1);
+    xmlSecAssert2(ctx->p_key != 0, -1);
+    xmlSecAssert2(ctx->p_key->hKey != 0, -1);
 
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "CryptExportKey",
@@ -960,7 +1077,7 @@
     }
 
     blob = xmlSecBufferGetData(&buf);
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "CryptExportKey",
@@ -1797,9 +1914,10 @@
 
     ctx = xmlSecMSCryptoKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->hKey != 0, -1);
+    xmlSecAssert2(ctx->p_key != 0, -1);
+    xmlSecAssert2(ctx->p_key->hKey != 0, -1);
     
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "CryptExportKey",
@@ -1819,7 +1937,7 @@
     }
 
     blob = xmlSecBufferGetData(&buf);
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "CryptExportKey",
@@ -2010,7 +2128,6 @@
     HCRYPTKEY hKey = 0;
     DWORD dwKeySpec;
     DWORD dwSize;
-    int res = -1;
     int ret;
 
     xmlSecAssert2(xmlSecKeyDataIsValid(data), xmlSecKeyDataTypeUnknown);
@@ -2048,7 +2165,9 @@
 		    "CryptGenKey",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
-	goto done;
+    	if (hProv != 0)
+			CryptReleaseContext(hProv, 0);
+		return -1 ;
     }
 
     ret = xmlSecMSCryptoKeyDataAdoptKey(data, hProv, TRUE, hKey, dwKeySpec, 
@@ -2059,24 +2178,17 @@
 		    "xmlSecMSCryptoKeyDataAdoptKey",
 		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
-	goto done;
+	    if( hKey != 0 )
+			CryptDestroyKey( hKey ) ;
+    	if( hProv != 0 )
+			CryptReleaseContext( hProv, 0 ) ;
+
+		return -1 ;
     }
     hProv = 0;
     hKey = 0;
 
-    /* success */
-    res = 0;
-
-done:
-    if (hProv != 0) {
-	CryptReleaseContext(ctx->hProv, 0);
-    }
-
-    if (hKey != 0) {
-	CryptDestroyKey(hKey);
-    }
-
-    return(res);
+    return 0 ;
 }
 
 static xmlSecKeyDataType
Index: xmlsec/src/mscrypto/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509.c,v
retrieving revision 1.2
diff -u -r1.2 x509.c
--- xmlsec/src/mscrypto/x509.c	26 Sep 2003 00:58:13 -0000	1.2
+++ xmlsec/src/mscrypto/x509.c	6 Feb 2005 03:53:19 -0000
@@ -1572,6 +1572,7 @@
 					     xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecMSCryptoX509DataCtxPtr ctx;
     xmlSecKeyDataStorePtr x509Store;
+	PCCERT_CONTEXT pCert ;
     int ret;
     
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id), -1);
@@ -1610,6 +1611,9 @@
 		return(-1);
 	    }
 
+		/*-
+		 * Get Public key from cert, which does not always work for sign action.
+         *
 	    keyValue = xmlSecMSCryptoX509CertGetKey(ctx->keyCert);
 	    if(keyValue == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1619,6 +1623,51 @@
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
+		*/
+
+		/*-
+		 * I'll search key according to KeyReq.
+		 */
+		pCert = CertDuplicateCertificateContext( ctx->keyCert ) ;
+		if( pCert == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE,
+		    	xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+				"CertDuplicateCertificateContext",
+				XMLSEC_ERRORS_R_CRYPTO_FAILED,
+				XMLSEC_ERRORS_NO_MESSAGE);
+
+			return(-1);
+		}
+
+		if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+			keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePrivate ) ;
+			if(keyValue == NULL) {
+				xmlSecError(XMLSEC_ERRORS_HERE,
+						xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+						"xmlSecMSCryptoCertAdopt",
+						XMLSEC_ERRORS_R_XMLSEC_FAILED,
+						XMLSEC_ERRORS_NO_MESSAGE);
+
+				CertFreeCertificateContext( pCert ) ;
+				return(-1);
+			}
+			pCert = NULL ;
+		} else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+			keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePublic ) ;
+			if(keyValue == NULL) {
+				xmlSecError(XMLSEC_ERRORS_HERE,
+						xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+						"xmlSecMSCryptoCertAdopt",
+						XMLSEC_ERRORS_R_XMLSEC_FAILED,
+						XMLSEC_ERRORS_NO_MESSAGE);
+
+				CertFreeCertificateContext( pCert ) ;
+				return(-1);
+			}
+			pCert = NULL ;
+		}
+
+
 
 	    /* verify that the key matches our expectations */
 	    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
Index: xmlsec/src/mscrypto/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/mscrypto/x509vfy.c,v
retrieving revision 1.3
diff -u -r1.3 x509vfy.c
--- xmlsec/src/mscrypto/x509vfy.c	27 Sep 2003 03:12:22 -0000	1.3
+++ xmlsec/src/mscrypto/x509vfy.c	6 Feb 2005 03:53:20 -0000
@@ -125,6 +125,7 @@
 				xmlChar *issuerName, xmlChar *issuerSerial,
 				xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
+	PCCERT_CONTEXT pCert ;
     
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
@@ -132,10 +133,17 @@
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
     xmlSecAssert2(ctx != NULL, NULL);
     xmlSecAssert2(ctx->untrusted != NULL, NULL);
+    xmlSecAssert2(ctx->trusted != NULL, NULL);
 
-    return(xmlSecMSCryptoX509FindCert(ctx->untrusted, subjectName, issuerName, issuerSerial, ski));
-}
+	pCert = NULL ;
+	if( ctx->untrusted != NULL )
+		pCert = xmlSecMSCryptoX509FindCert( ctx->untrusted, subjectName, issuerName, issuerSerial, ski ) ;
+
+	if( ctx->trusted != NULL && pCert == NULL )
+		pCert = xmlSecMSCryptoX509FindCert( ctx->trusted, subjectName, issuerName, issuerSerial, ski ) ;
 
+    return( pCert ) ;
+}
 
 static void 
 xmlSecMSCryptoUnixTimeToFileTime(time_t t, LPFILETIME pft) {
@@ -252,17 +260,22 @@
 }
 
 static BOOL
-xmlSecMSCryptoX509StoreConstructCertsChain(xmlSecKeyDataStorePtr store, PCCERT_CONTEXT cert, HCERTSTORE certs, 
-			      xmlSecKeyInfoCtx* keyInfoCtx) {
+xmlSecMSCryptoX509StoreConstructCertsChain(
+	xmlSecKeyDataStorePtr store ,
+	PCCERT_CONTEXT cert ,
+	HCERTSTORE certStore , 
+	xmlSecKeyInfoCtx* keyInfoCtx
+) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
     PCCERT_CONTEXT issuerCert = NULL;
     FILETIME fTime;
     DWORD flags;
+    BOOL selfSigned ;
     
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), FALSE);
     xmlSecAssert2(cert != NULL, FALSE);
     xmlSecAssert2(cert->pCertInfo != NULL, FALSE);
-    xmlSecAssert2(certs != NULL, FALSE);
+    xmlSecAssert2(certStore != NULL, FALSE);
     xmlSecAssert2(keyInfoCtx != NULL, FALSE);
 
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
@@ -283,18 +296,38 @@
 	return(FALSE);
     }
 
-    if (!xmlSecMSCryptoCheckRevocation(certs, cert)) {
+    if (!xmlSecMSCryptoCheckRevocation(certStore, cert)) {
 	return(FALSE);
     }
 
+    /*-
+	 * Firstly try to find the cert in the trusted cert store. We will trust
+	 * the certificate in the trusted store.
+	 */
+    issuerCert = CertFindCertificateInStore(ctx->trusted, 
+			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+			    0,
+			    CERT_FIND_SUBJECT_NAME,
+			    &(cert->pCertInfo->Subject),
+			    NULL);
+    if( issuerCert != NULL ) {
+		/* We have found the trusted cert, so return true */
+		CertFreeCertificateContext( issuerCert ) ;
+		return( TRUE ) ;
+    }
+
+	/* Check whether the certificate is self signed certificate */
+	selfSigned = CertCompareCertificateName( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer) ) ;
+
     /* try the untrusted certs in the chain */
-    issuerCert = CertFindCertificateInStore(certs, 
+	if( !selfSigned ) {
+	    issuerCert = CertFindCertificateInStore(certStore, 
 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 			    0,
 			    CERT_FIND_SUBJECT_NAME,
 			    &(cert->pCertInfo->Issuer),
 			    NULL);
-    if(issuerCert == cert) {
+	    if( issuerCert != NULL && CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, issuerCert->pCertInfo ) ) {
 	/* self signed cert, forget it */
 	CertFreeCertificateContext(issuerCert);
     } else if(issuerCert != NULL) {
@@ -304,23 +337,26 @@
 	    CertFreeCertificateContext(issuerCert);
 	    return(FALSE);
         }
-	if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certs, keyInfoCtx)) {
+			if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certStore, keyInfoCtx)) {
 	    xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
 	    CertFreeCertificateContext(issuerCert);
 	    return(FALSE);
 	}
+
 	CertFreeCertificateContext(issuerCert);
 	return(TRUE);
     }
+	}
 
     /* try the untrusted certs in the store */
+	if( !selfSigned ) {
     issuerCert = CertFindCertificateInStore(ctx->untrusted, 
 			    X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 			    0,
 			    CERT_FIND_SUBJECT_NAME,
 			    &(cert->pCertInfo->Issuer),
 			    NULL);
-    if(issuerCert == cert) {
+	    if( issuerCert != NULL && CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, issuerCert->pCertInfo ) ) {
 	/* self signed cert, forget it */
 	CertFreeCertificateContext(issuerCert);
     } else if(issuerCert != NULL) {
@@ -330,12 +366,14 @@
 	    CertFreeCertificateContext(issuerCert);
 	    return(FALSE);
         }
-	if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certs, keyInfoCtx)) {
+			if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certStore, keyInfoCtx)) {
 	    CertFreeCertificateContext(issuerCert);
 	    return(FALSE);
 	}
+
 	CertFreeCertificateContext(issuerCert);
 	return(TRUE);
+	    }
     }
 
     /* try to find issuer cert in the trusted cert in the store */
@@ -379,25 +417,46 @@
     xmlSecAssert2(certs != NULL, NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
-    while((cert = CertEnumCertificatesInStore(certs, cert)) != NULL){
+    while( ( cert = CertEnumCertificatesInStore( certs, cert ) ) != NULL ) {
 	PCCERT_CONTEXT nextCert = NULL;
+		unsigned char selected ;
     
-	xmlSecAssert2(cert->pCertInfo != NULL, NULL);
+		xmlSecAssert2( cert->pCertInfo != NULL, NULL ) ;
 
 	/* if cert is the issuer of any other cert in the list, then it is 
-	* to be skipped */
+		 * to be skipped except that the cert list only have one self-signed
+		 * certificate.
+		 */
+		for( selected = 0, nextCert = NULL ; ; ) {
 	nextCert = CertFindCertificateInStore(certs,
 				X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 				0,
 				CERT_FIND_ISSUER_NAME,
 				&(cert->pCertInfo->Subject),
-				NULL);
-	if(nextCert != NULL) {
-	    CertFreeCertificateContext(nextCert);
+				nextCert ) ;
+			if( nextCert != NULL ) {
+				if( CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, nextCert->pCertInfo ) ) {
+					selected = 1 ;
+					continue ;
+				} else {
+					selected = 0 ;
+					break ;
+				}
+			} else {
+				selected = 1 ;
+				break ;
+			}
+		}
+
+		if( nextCert != NULL )
+			CertFreeCertificateContext( nextCert ) ;
+
+		if( !selected ) {
 	    continue;
 	}
-	if(xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
-	    return(cert);
+
+		if( xmlSecMSCryptoX509StoreConstructCertsChain( store, cert, certs, keyInfoCtx ) ) {
+		    return( cert ) ;
 	}
     }
 
@@ -458,9 +517,126 @@
     return(0);
 }
 
+int	
+xmlSecMSCryptoX509StoreAdoptKeyStore (
+	xmlSecKeyDataStorePtr store,
+	HCERTSTORE keyStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( keyStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->trusted != NULL, -1);
+
+	if( !CertAddStoreToCollection ( ctx->trusted , keyStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 2 ) ) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertAddStoreToCollection",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+		return(-1);
+	}
+
+	{
+		PCCERT_CONTEXT ptCert ;
+
+		ptCert = NULL ;
+		while( 1 ) {
+			ptCert = CertEnumCertificatesInStore( ctx->trusted, ptCert ) ;
+			if( ptCert == NULL )
+				break ;
+		}
+	}
+
+    return(0);
+}
+
+int
+xmlSecMSCryptoX509StoreAdoptTrustedStore (
+	xmlSecKeyDataStorePtr store,
+	HCERTSTORE trustedStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( trustedStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->trusted != NULL, -1);
+
+	if( !CertAddStoreToCollection ( ctx->trusted , trustedStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 3 ) ) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertAddStoreToCollection",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+		return(-1);
+	}
+
+	{
+		PCCERT_CONTEXT ptCert ;
+
+		ptCert = NULL ;
+		while( 1 ) {
+			ptCert = CertEnumCertificatesInStore( ctx->trusted, ptCert ) ;
+			if( ptCert == NULL )
+				break ;
+		}
+	}
+
+    return(0);
+}
+
+int
+xmlSecMSCryptoX509StoreAdoptUntrustedStore (
+	xmlSecKeyDataStorePtr store,
+	HCERTSTORE untrustedStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( untrustedStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->untrusted != NULL, -1);
+
+	if( !CertAddStoreToCollection ( ctx->untrusted , untrustedStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 2 ) ) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertAddStoreToCollection",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+		return(-1);
+	}
+
+	{
+		PCCERT_CONTEXT ptCert ;
+
+		ptCert = NULL ;
+		while( 1 ) {
+			ptCert = CertEnumCertificatesInStore( ctx->untrusted, ptCert ) ;
+			if( ptCert == NULL )
+				break ;
+		}
+	}
+
+	return(0);
+}
+
 static int
 xmlSecMSCryptoX509StoreInitialize(xmlSecKeyDataStorePtr store) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
+	HCERTSTORE hTrustedMemStore ;
+	HCERTSTORE hUntrustedMemStore ;
+
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
 
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
@@ -468,11 +644,11 @@
 
     memset(ctx, 0, sizeof(xmlSecMSCryptoX509StoreCtx));
 
-    /* create trusted certs store */
-    ctx->trusted = CertOpenStore(CERT_STORE_PROV_MEMORY,
-			       X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+    /* create trusted certs store collection */
+    ctx->trusted = CertOpenStore(CERT_STORE_PROV_COLLECTION,
+			       0,
+			       NULL,
 			       0,
-			       CERT_STORE_CREATE_NEW_FLAG,
 			       NULL);
     if(ctx->trusted == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
@@ -484,20 +660,88 @@
     }
 
     /* create trusted certs store */
-    ctx->untrusted = CertOpenStore(CERT_STORE_PROV_MEMORY,
+    hTrustedMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY,
 			       X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 			       0,
 			       CERT_STORE_CREATE_NEW_FLAG,
 			       NULL);
+    if(hTrustedMemStore == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertOpenStore",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	ctx->trusted = NULL ;
+	return(-1);
+    }
+
+	/* add the memory trusted certs store to trusted certs store collection */
+	if( !CertAddStoreToCollection( ctx->trusted, hTrustedMemStore, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 1 ) ) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertAddStoreToCollection",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	CertCloseStore(hTrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+	ctx->trusted = NULL ;
+	return(-1);
+	}
+	CertCloseStore(hTrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+
+    /* create untrusted certs store collection */
+    ctx->untrusted = CertOpenStore(CERT_STORE_PROV_COLLECTION,
+			       0,
+			       NULL,
+			       0,
+			       NULL);
     if(ctx->untrusted == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
 		    "CertOpenStore",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
 		    XMLSEC_ERRORS_NO_MESSAGE);
+	CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	ctx->trusted = NULL ;
+	return(-1);
+	}
+
+    /* create untrusted certs store */
+    hUntrustedMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY,
+			       X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+			       0,
+			       CERT_STORE_CREATE_NEW_FLAG,
+			       NULL);
+    if(hUntrustedMemStore == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertOpenStore",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	CertCloseStore(ctx->untrusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	ctx->trusted = NULL ;
+	ctx->untrusted = NULL ;
 	return(-1);
     }
 
+	/* add the memory trusted certs store to untrusted certs store collection */
+	if( !CertAddStoreToCollection( ctx->untrusted, hUntrustedMemStore, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 1 ) ) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+		    "CertAddStoreToCollection",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	CertCloseStore(ctx->untrusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+	CertCloseStore(hUntrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+	ctx->trusted = NULL ;
+	ctx->untrusted = NULL ;
+	return(-1);
+	}
+	CertCloseStore(hUntrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+
     return(0);    
 }
 
@@ -544,7 +788,7 @@
 
 	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 					   subjectName,
-					   CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+					   CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
 					   &cNameLen);
 	if(cName == NULL) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
@@ -567,6 +811,7 @@
 
     if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
 	xmlSecBn issuerSerialBn;	
+	CERT_INFO certInfo ;
 	CERT_NAME_BLOB cnb;
         BYTE *cName = NULL; 
 	DWORD cNameLen = 0;	
@@ -592,10 +837,16 @@
 	    return(NULL);
 	}
 
+	/*
 	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
 					   issuerName,
 					   CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
 					   &cNameLen);
+	*/
+	cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+					   issuerName,
+					   CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+					   &cNameLen);
 	if(cName == NULL) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			NULL,
@@ -608,26 +859,34 @@
 
 	cnb.pbData = cName;
 	cnb.cbData = cNameLen;
-	while((pCert = CertFindCertificateInStore(store, 
-						  PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
-						  0,
-						  CERT_FIND_ISSUER_NAME,
-						  &cnb,
-						  pCert)) != NULL) {
-	    
-	    /* I have no clue why at a sudden a swap is needed to 
-	     * convert from lsb... This code is purely based upon 
-	     * trial and error :( WK
-	     */
-	    if((pCert->pCertInfo != NULL) && 
-	       (pCert->pCertInfo->SerialNumber.pbData != NULL) && 
-	       (pCert->pCertInfo->SerialNumber.cbData > 0) && 
-	       (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData, 
-				     pCert->pCertInfo->SerialNumber.cbData))) {
-		
-		break;
-	    }
+
+	certInfo.Issuer.cbData = cnb.cbData ;
+	certInfo.Issuer.pbData = cnb.pbData ;
+
+	/*-
+	 * I have no words for MS rubbish.
+	 */
+	if( xmlSecBnReverse( &issuerSerialBn ) < 0 ) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+			NULL,
+			"xmlSecBnReverse",
+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    xmlSecBnFinalize(&issuerSerialBn);
+	    return (NULL);
 	}
+	certInfo.SerialNumber.cbData = xmlSecBnGetSize( &issuerSerialBn ) ;
+	certInfo.SerialNumber.pbData = xmlSecBnGetData( &issuerSerialBn ) ;
+
+	pCert = CertFindCertificateInStore(
+		store,
+		X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+		0,
+		CERT_FIND_SUBJECT_CERT,
+		&certInfo,
+		NULL
+	) ;
+
 	xmlFree(cName);
 	xmlSecBnFinalize(&issuerSerialBn);
     }
cvs server: Diffing xmlsec/src/nss
Index: xmlsec/src/nss/Makefile.am
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/Makefile.am,v
retrieving revision 1.17
diff -u -r1.17 Makefile.am
--- xmlsec/src/nss/Makefile.am	16 Sep 2003 09:43:03 -0000	1.17
+++ xmlsec/src/nss/Makefile.am	6 Feb 2005 03:53:20 -0000
@@ -20,21 +20,22 @@
 	$(NULL)
 
 libxmlsec1_nss_la_SOURCES =\
+	akmngr.c \
 	app.c \
 	bignum.c \
 	ciphers.c \
 	crypto.c \
 	digests.c \
 	hmac.c \
+	keysstore.c \
+	keytrans.c \
+	keywrapers.c \
 	pkikeys.c \
 	signatures.c \
 	symkeys.c \
+	tokens.c \
 	x509.c \
 	x509vfy.c \
-	keysstore.c \
-	kt_rsa.c \
-	kw_des.c \
-	kw_aes.c \
 	$(NULL)
 
 libxmlsec1_nss_la_LIBADD = \
Index: xmlsec/src/nss/ciphers.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/ciphers.c,v
retrieving revision 1.19
diff -u -r1.19 ciphers.c
--- xmlsec/src/nss/ciphers.c	26 Sep 2003 00:58:15 -0000	1.19
+++ xmlsec/src/nss/ciphers.c	6 Feb 2005 03:53:20 -0000
@@ -9,830 +9,951 @@
  */
 #include "globals.h"
 
+#include <stdlib.h>
 #include <string.h>
 
-#include <nspr.h>
 #include <nss.h>
-#include <secoid.h>
 #include <pk11func.h>
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
+#include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
 
-#define XMLSEC_NSS_MAX_KEY_SIZE		32
-#define XMLSEC_NSS_MAX_IV_SIZE		32
-#define XMLSEC_NSS_MAX_BLOCK_SIZE	32
-
-/**************************************************************************
- *
- * Internal Nss Block cipher CTX
+/**
+ * Internal Nss Block Cipher Context
  *
- *****************************************************************************/
-typedef struct _xmlSecNssBlockCipherCtx		xmlSecNssBlockCipherCtx,
-							*xmlSecNssBlockCipherCtxPtr;
+ * This context is designed for repositing a block cipher for transform
+ */
+typedef struct _xmlSecNssBlockCipherCtx		xmlSecNssBlockCipherCtx ;
+typedef struct _xmlSecNssBlockCipherCtx*	xmlSecNssBlockCipherCtxPtr ;
+
 struct _xmlSecNssBlockCipherCtx {
-    CK_MECHANISM_TYPE	cipher;
-    PK11Context*	cipherCtx;
-    xmlSecKeyDataId	keyId;
-    int			keyInitialized;
-    int			ctxInitialized;
-    xmlSecByte		key[XMLSEC_NSS_MAX_KEY_SIZE];
-    xmlSecSize		keySize;
-    xmlSecByte		iv[XMLSEC_NSS_MAX_IV_SIZE];
-    xmlSecSize		ivSize;
-};
-static int 	xmlSecNssBlockCipherCtxInit		(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
-static int 	xmlSecNssBlockCipherCtxUpdate	(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
-static int 	xmlSecNssBlockCipherCtxFinal		(xmlSecNssBlockCipherCtxPtr ctx,
-							 xmlSecBufferPtr in,
-							 xmlSecBufferPtr out,
-							 int encrypt,
-							 const xmlChar* cipherName,
-							 xmlSecTransformCtxPtr transformCtx);
-static int 
-xmlSecNssBlockCipherCtxInit(xmlSecNssBlockCipherCtxPtr ctx,
-				xmlSecBufferPtr in, xmlSecBufferPtr out,
-				int encrypt,
-				const xmlChar* cipherName,
-				xmlSecTransformCtxPtr transformCtx) {
-    SECItem keyItem;
-    SECItem ivItem;
-    PK11SlotInfo* slot;
-    PK11SymKey* symKey;
-    int ivLen;
-    SECStatus rv;
-    int ret;
-
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx == NULL, -1);
-    xmlSecAssert2(ctx->keyInitialized != 0, -1);
-    xmlSecAssert2(ctx->ctxInitialized == 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
-
-    ivLen = PK11_GetIVLength(ctx->cipher);
-    xmlSecAssert2(ivLen > 0, -1);
-    xmlSecAssert2((xmlSecSize)ivLen <= sizeof(ctx->iv), -1);
-    
-    if(encrypt) {
-        /* generate random iv */
-        rv = PK11_GenerateRandom(ctx->iv, ivLen);
-	if(rv != SECSuccess) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(cipherName),
-			"PK11_GenerateRandom",
-			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			"size=%d", ivLen);
-	    return(-1);    
-	}
-	
-	/* write iv to the output */
-	ret = xmlSecBufferAppend(out, ctx->iv, ivLen);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE, 
-			xmlSecErrorsSafeString(cipherName),
-			"xmlSecBufferAppend",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", ivLen);
-	    return(-1);
-	}
-	
-    } else {
-	/* if we don't have enough data, exit and hope that 
-	 * we'll have iv next time */
-	if(xmlSecBufferGetSize(in) < (xmlSecSize)ivLen) {
-	    return(0);
-	}
-	
-	/* copy iv to our buffer*/
-	xmlSecAssert2(xmlSecBufferGetData(in) != NULL, -1);
-	memcpy(ctx->iv, xmlSecBufferGetData(in), ivLen);
-	
-	/* and remove from input */
-	ret = xmlSecBufferRemoveHead(in, ivLen);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE, 
-			xmlSecErrorsSafeString(cipherName),
-			"xmlSecBufferRemoveHead",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", ivLen);
-	    return(-1);
+	CK_MECHANISM_TYPE		cipher ;
+	PK11SymKey*				symkey ;
+	PK11Context*			cipherCtx ;
+	xmlSecKeyDataId			keyId ;
+} ;
+
+#define xmlSecNssBlockCipherSize	\
+	( sizeof( xmlSecTransform ) + sizeof( xmlSecNssBlockCipherCtx ) )
+
+#define xmlSecNssBlockCipherGetCtx( transform ) \
+	( ( xmlSecNssBlockCipherCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+static int
+xmlSecNssBlockCipherCheckId(
+	xmlSecTransformPtr transform
+) {
+	#ifndef XMLSEC_NO_DES
+	if( xmlSecTransformCheckId( transform, xmlSecNssTransformDes3CbcId ) ) {
+		return 1 ;
 	}
-    }
+	#endif /* XMLSEC_NO_DES */
 
-    memset(&keyItem, 0, sizeof(keyItem));
-    keyItem.data = ctx->key;
-    keyItem.len  = ctx->keySize; 
-    memset(&ivItem, 0, sizeof(ivItem));
-    ivItem.data = ctx->iv;
-    ivItem.len  = ctx->ivSize; 
-
-    slot = PK11_GetBestSlot(ctx->cipher, NULL);
-    if(slot == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_GetBestSlot",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-	
-    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginDerive, 
-			       CKA_SIGN, &keyItem, NULL);
-    if(symKey == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_ImportSymKey",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-        PK11_FreeSlot(slot);
-	return(-1);
-    }
+	#ifndef XMLSEC_NO_AES
+	if( xmlSecTransformCheckId( transform, xmlSecNssTransformAes128CbcId ) ||
+		xmlSecTransformCheckId( transform, xmlSecNssTransformAes192CbcId ) ||
+		xmlSecTransformCheckId( transform, xmlSecNssTransformAes256CbcId ) ) {
 
-    ctx->cipherCtx = PK11_CreateContextBySymKey(ctx->cipher, 
-			(encrypt) ? CKA_ENCRYPT : CKA_DECRYPT, 
-			symKey, &ivItem);
-    if(ctx->cipherCtx == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_CreateContextBySymKey",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	PK11_FreeSymKey(symKey);
-        PK11_FreeSlot(slot);
-	return(-1);
+		return 1 ;
     }
-
-    ctx->ctxInitialized = 1;
-    PK11_FreeSymKey(symKey);
-    PK11_FreeSlot(slot);
-    return(0);
+	#endif /* XMLSEC_NO_AES */
+    
+    return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherCtxUpdate(xmlSecNssBlockCipherCtxPtr ctx,
-				  xmlSecBufferPtr in, xmlSecBufferPtr out,
-				  int encrypt,
-				  const xmlChar* cipherName,
-				  xmlSecTransformCtxPtr transformCtx) {
-    xmlSecSize inSize, inBlocks, outSize;
-    int blockLen;
-    int outLen = 0;
-    xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
-    
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
+static int
+xmlSecNssBlockCipherFetchCtx(
+	xmlSecNssBlockCipherCtxPtr		context ,
+	xmlSecTransformId				id
+) {
+	xmlSecAssert2( context != NULL, -1 ) ;
+
+	#ifndef XMLSEC_NO_DES
+	if( id == xmlSecNssTransformDes3CbcId ) {
+		context->cipher = CKM_DES3_CBC ;
+		context->keyId = xmlSecNssKeyDataDesId ;
+	} else
+	#endif		/* XMLSEC_NO_DES */
+
+	#ifndef XMLSEC_NO_AES
+	if( id == xmlSecNssTransformAes128CbcId ) {
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	if( id == xmlSecNssTransformAes192CbcId ) {
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	if( id == xmlSecNssTransformAes256CbcId ) {
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	#endif		/* XMLSEC_NO_AES */
+
+	if( 1 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    NULL ,
+		    NULL ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
 
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+	return 0 ;
+}
 
-    inSize = xmlSecBufferGetSize(in);
-    outSize = xmlSecBufferGetSize(out);
-    
-    if(inSize < (xmlSecSize)blockLen) {
-	return(0);
-    }
+/**
+ * xmlSecTransformInitializeMethod:
+ * @transform:			the pointer to transform object.
+ *
+ * The transform specific initialization method.
+ *
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherInitialize(
+	xmlSecTransformPtr transform
+) {
+	xmlSecNssBlockCipherCtxPtr context = NULL ;
+
+	xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+	xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+
+	context = xmlSecNssBlockCipherGetCtx( transform ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( xmlSecNssBlockCipherFetchCtx( context , transform->id ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherFetchCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
 
-    if(encrypt) {
-        inBlocks = inSize / ((xmlSecSize)blockLen);
-    } else {
-	/* we want to have the last block in the input buffer 
-	 * for padding check */
-        inBlocks = (inSize - 1) / ((xmlSecSize)blockLen);
-    }
-    inSize = inBlocks * ((xmlSecSize)blockLen);
+	context->symkey = NULL ;
+	context->cipherCtx = NULL ;
 
-    /* we write out the input size plus may be one block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + inSize + blockLen);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferSetMaxSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + inSize + blockLen);
-	return(-1);
-    }
-    outBuf = xmlSecBufferGetData(out) + outSize;
-    
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, inSize + blockLen,
-			xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_CipherOp",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
-    
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferSetSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + outLen);
-	return(-1);
-    }
-        
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferRemoveHead",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", inSize);
-	return(-1);
-    }
-    return(0);
+	return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherCtxFinal(xmlSecNssBlockCipherCtxPtr ctx,
-				 xmlSecBufferPtr in,
-				 xmlSecBufferPtr out,
-				 int encrypt,
-				 const xmlChar* cipherName,
-				 xmlSecTransformCtxPtr transformCtx) {
-    xmlSecSize inSize, outSize;
-    int blockLen, outLen = 0;
-    xmlSecByte* inBuf;
-    xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
-    
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
-
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+/**
+ * xmlSecTransformFinalizeMethod:
+ * @transform:			the pointer to transform object.
+ *
+ * The transform specific destroy method.
+ */
+static void 
+xmlSecNssBlockCipherFinalize(
+	xmlSecTransformPtr transform
+) {
+	xmlSecNssBlockCipherCtxPtr context = NULL ;
 
-    inSize = xmlSecBufferGetSize(in);
-    outSize = xmlSecBufferGetSize(out);
+	xmlSecAssert( xmlSecNssBlockCipherCheckId( transform ) ) ;
+	xmlSecAssert( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ) ) ;
 
-    if(encrypt != 0) {
-        xmlSecAssert2(inSize < (xmlSecSize)blockLen, -1);        
-    
-	/* create padding */
-        ret = xmlSecBufferSetMaxSize(in, blockLen);
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE, 
-			xmlSecErrorsSafeString(cipherName),
-			"xmlSecBufferSetMaxSize",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"size=%d", blockLen);
-	    return(-1);
-	}
-	inBuf = xmlSecBufferGetData(in);
-
-        /* generate random padding */
-	if((xmlSecSize)blockLen > (inSize + 1)) {
-	    rv = PK11_GenerateRandom(inBuf + inSize, blockLen - inSize - 1);
-	    if(rv != SECSuccess) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(cipherName),
-			    "PK11_GenerateRandom",
-			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    "size=%d", blockLen - inSize - 1); 
-		return(-1);    
-	    }
-	}
-	inBuf[blockLen - 1] = blockLen - inSize;
-	inSize = blockLen;
-    } else {
-	if(inSize != (xmlSecSize)blockLen) {
-	    xmlSecError(XMLSEC_ERRORS_HERE, 
-			xmlSecErrorsSafeString(cipherName),
-			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"data=%d;block=%d", inSize, blockLen);
-	    return(-1);
+	context = xmlSecNssBlockCipherGetCtx( transform ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return ;    
 	}
-    }
-    
-    /* process last block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + 2 * blockLen);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferSetMaxSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + 2 * blockLen);
-	return(-1);
-    }
-    outBuf = xmlSecBufferGetData(out) + outSize;
 
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, 2 * blockLen,
-			xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "PK11_CipherOp",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
-    
-    if(encrypt == 0) {
-	/* check padding */
-	if(outLen < outBuf[blockLen - 1]) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(cipherName),
-			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"padding=%d;buffer=%d",
-			outBuf[blockLen - 1], outLen);
-	    return(-1);	
-	}
-	outLen -= outBuf[blockLen - 1];
-    } 
-
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferSetSize",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", outSize + outLen);
-	return(-1);
-    }
+	if( context->cipherCtx != NULL ) {
+		PK11_DestroyContext( context->cipherCtx, PR_TRUE ) ;
+		context->cipherCtx = NULL ;
+	}
 
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(cipherName),
-		    "xmlSecBufferRemoveHead",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "size=%d", inSize);
-	return(-1);
-    }
+	if( context->symkey != NULL ) {
+		PK11_FreeSymKey( context->symkey ) ;
+		context->symkey = NULL ;
+	}
 
-    return(0);
+	context->cipher = CKM_INVALID_MECHANISM ;
+	context->keyId = NULL ;
 }
 
-
-/******************************************************************************
- *
- * EVP Block Cipher transforms
+/**
+ * xmlSecTransformSetKeyRequirementsMethod:
+ * @transform:			the pointer to transform object.
+ * @keyReq:				the pointer to key requirements structure.
  *
- * xmlSecNssBlockCipherCtx block is located after xmlSecTransform structure
+ * Transform specific method to set transform's key requirements.
  * 
- *****************************************************************************/
-#define xmlSecNssBlockCipherSize	\
-    (sizeof(xmlSecTransform) + sizeof(xmlSecNssBlockCipherCtx))
-#define xmlSecNssBlockCipherGetCtx(transform) \
-    ((xmlSecNssBlockCipherCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform)))
-
-static int	xmlSecNssBlockCipherInitialize	(xmlSecTransformPtr transform);
-static void	xmlSecNssBlockCipherFinalize		(xmlSecTransformPtr transform);
-static int  	xmlSecNssBlockCipherSetKeyReq	(xmlSecTransformPtr transform, 
-							 xmlSecKeyReqPtr keyReq);
-static int	xmlSecNssBlockCipherSetKey		(xmlSecTransformPtr transform,
-							 xmlSecKeyPtr key);
-static int	xmlSecNssBlockCipherExecute		(xmlSecTransformPtr transform,
-							 int last,
-							 xmlSecTransformCtxPtr transformCtx);
-static int	xmlSecNssBlockCipherCheckId		(xmlSecTransformPtr transform);
-							 
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int  
+xmlSecNssBlockCipherSetKeyReq(
+	xmlSecTransformPtr transform ,
+	xmlSecKeyReqPtr keyReq
+) {
+	xmlSecNssBlockCipherCtxPtr context = NULL ;
+	xmlSecSize cipherSize = 0 ;
+
+	xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+	xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+	xmlSecAssert2( keyReq != NULL , -1 ) ;
+	xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+	context = xmlSecNssBlockCipherGetCtx( transform ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	keyReq->keyId = context->keyId ;
+	keyReq->keyType = xmlSecKeyDataTypeSymmetric ;
+
+	if( transform->operation == xmlSecTransformOperationEncrypt ) {
+		keyReq->keyUsage = xmlSecKeyUsageEncrypt ;
+	} else {
+		keyReq->keyUsage = xmlSecKeyUsageDecrypt ;
+	}
+
+	/*
+	if( context->symkey != NULL )
+		cipherSize = PK11_GetKeyLength( context->symkey ) ; 
 
+	keyReq->keyBitsSize = cipherSize * 8 ;
+	*/
 
+	return 0 ;
+}
+
+/**
+ * xmlSecTransformSetKeyMethod:
+ * @transform:			the pointer to transform object.
+ * @key: 				the pointer to key.
+ *
+ * The transform specific method to set the key for use.
+ * 
+ * Returns 0 on success or a negative value otherwise.
+ */
 static int
-xmlSecNssBlockCipherCheckId(xmlSecTransformPtr transform) {
-#ifndef XMLSEC_NO_DES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformDes3CbcId)) {
-	return(1);
-    }
-#endif /* XMLSEC_NO_DES */
+xmlSecNssBlockCipherSetKey(
+	xmlSecTransformPtr transform ,
+	xmlSecKeyPtr key
+) {
+	xmlSecNssBlockCipherCtxPtr context = NULL ;
+	xmlSecKeyDataPtr	keyData = NULL ;
+	PK11SymKey*			symkey = NULL ;
+	CK_ATTRIBUTE_TYPE	operation ;
+	int					ivLen ;
+
+	xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+	xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+	xmlSecAssert2( key != NULL , -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+	context = xmlSecNssBlockCipherGetCtx( transform ) ;
+	if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+	xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+	keyData = xmlSecKeyGetValue( key ) ;
+	if( keyData == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+		    "xmlSecKeyGetValue" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+		    "xmlSecNssSymKeyDataGetKey" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
 
-#ifndef XMLSEC_NO_AES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformAes128CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes192CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes256CbcId)) {
-       
-       return(1);
-    }
-#endif /* XMLSEC_NO_AES */
-    
-    return(0);
+	context->symkey = symkey ;
+
+	return 0 ;
 }
 
+/**
+ * Block cipher transform init
+ */
 static int 
-xmlSecNssBlockCipherInitialize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
+xmlSecNssBlockCipherCtxInit(
+	xmlSecNssBlockCipherCtxPtr	ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	const xmlChar* 				cipherName ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	SECItem				ivItem ;
+	SECItem*			secParam = NULL ;
+	xmlSecBufferPtr		ivBuf = NULL ;
+	int					ivLen ;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipherCtx == NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	ivLen = PK11_GetIVLength( ctx->cipher ) ;
+	if( ivLen < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_GetIVLength" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( ( ivBuf = xmlSecBufferCreate( ivLen ) ) == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferCreate" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( encrypt ) {
+		if( PK11_GenerateRandom( ivBuf->data , ivLen ) != SECSuccess ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				"PK11_GenerateRandom" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecBufferDestroy( ivBuf ) ;
+			return -1 ;    
+		}
+		if( xmlSecBufferSetSize( ivBuf , ivLen ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				"xmlSecBufferSetSize" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecBufferDestroy( ivBuf ) ;
+			return -1 ;    
+		}
+
+		if( xmlSecBufferAppend( out , ivBuf->data , ivLen ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				"xmlSecBufferAppend" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecBufferDestroy( ivBuf ) ;
+			return -1 ;    
+		}
+	} else {
+		if( xmlSecBufferSetData( ivBuf , in->data , ivLen ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				"xmlSecBufferSetData" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecBufferDestroy( ivBuf ) ;
+			return -1 ;    
+		}
+
+		if( xmlSecBufferRemoveHead( in , ivLen ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				"xmlSecBufferRemoveHead" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecBufferDestroy( ivBuf ) ;
+			return -1 ;    
+		}
+	}
+
+	ivItem.data = xmlSecBufferGetData( ivBuf ) ;
+	ivItem.len = xmlSecBufferGetSize( ivBuf ) ;
+	if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_ParamFromIV" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecBufferDestroy( ivBuf ) ;
+		return -1 ;    
+	}
+
+	ctx->cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
+	if( ctx->cipherCtx == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		SECITEM_FreeItem( secParam , PR_TRUE ) ;
+		xmlSecBufferDestroy( ivBuf ) ;
+		return -1 ;    
+	}
 
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
+	SECITEM_FreeItem( secParam , PR_TRUE ) ;
+	xmlSecBufferDestroy( ivBuf ) ;
 
-#ifndef XMLSEC_NO_DES
-    if(transform->id == xmlSecNssTransformDes3CbcId) {
-	ctx->cipher 	= CKM_DES3_CBC;
-	ctx->keyId 	= xmlSecNssKeyDataDesId;
-	ctx->keySize	= 24;
-    } else 
-#endif /* XMLSEC_NO_DES */
-
-#ifndef XMLSEC_NO_AES
-    if(transform->id == xmlSecNssTransformAes128CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 16;
-    } else if(transform->id == xmlSecNssTransformAes192CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 24;
-    } else if(transform->id == xmlSecNssTransformAes256CbcId) {
-	ctx->cipher 	= CKM_AES_CBC;	
-	ctx->keyId 	= xmlSecNssKeyDataAesId;
-	ctx->keySize	= 32;
-    } else 
-#endif /* XMLSEC_NO_AES */
-
-    if(1) {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_TRANSFORM,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }        
-    
-    return(0);
+	return 0 ;
 }
 
-static void 
-xmlSecNssBlockCipherFinalize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
+/**
+ * Block cipher transform update
+ */
+static int 
+xmlSecNssBlockCipherCtxUpdate(
+	xmlSecNssBlockCipherCtxPtr	ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	const xmlChar* 				cipherName ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	xmlSecSize			inSize ;
+	xmlSecSize			outSize ;
+	xmlSecSize			inBlocks ;
+	int					blockSize ;
+	int					outLen ;
+	xmlSecByte*			outBuf ;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipherCtx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_GetBlockSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	inSize = xmlSecBufferGetSize( in ) ;
+	outSize = xmlSecBufferGetSize( out ) ;
+
+	inBlocks = ( encrypt != 0 ? inSize : ( inSize - 1 ) ) / blockSize ;
+	inSize = inBlocks * blockSize ;
+
+	if( inSize < blockSize ) {
+		return 0 ;
+	}
+
+	if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferSetMaxSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+	outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+	if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_CipherOp" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferSetSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
 
-    xmlSecAssert(xmlSecNssBlockCipherCheckId(transform));
-    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize));
+	return 0 ;
+}
 
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert(ctx != NULL);
+/**
+ * Block cipher transform final
+ */
+static int 
+xmlSecNssBlockCipherCtxFinal(
+	xmlSecNssBlockCipherCtxPtr	ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	const xmlChar* 				cipherName ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	xmlSecSize			inSize ;
+	xmlSecSize			outSize ;
+	int					blockSize ;
+	int					outLen ;
+	xmlSecByte*			inBuf ;
+	xmlSecByte*			outBuf ;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipherCtx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_GetBlockSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	inSize = xmlSecBufferGetSize( in ) ;
+	outSize = xmlSecBufferGetSize( out ) ;
+
+	/******************************************************************/
+	if( encrypt != 0 ) {
+		xmlSecAssert2( inSize < blockSize, -1 ) ;
+
+		/* create padding */
+		if( xmlSecBufferSetMaxSize( in , blockSize ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				"xmlSecBufferSetMaxSize" ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return -1 ;    
+		}
+		inBuf = xmlSecBufferGetData( in ) ;
+
+		/* generate random */
+		if( blockSize > ( inSize + 1 ) ) {
+			if( PK11_GenerateRandom( inBuf + inSize, blockSize - inSize - 1 ) != SECSuccess ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					xmlSecErrorsSafeString( cipherName ) ,
+					"PK11_GenerateRandom" ,
+					XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return -1 ;    
+			}
+		}
+
+		inBuf[blockSize-1] = blockSize - inSize ;
+		inSize = blockSize ;
+	} else {
+		if( inSize != blockSize ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return -1 ;    
+		}
+	}
+
+	/* process the last block */
+	if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferSetMaxSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+	outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+	if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_CipherOp" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( encrypt == 0 ) {
+		/* check padding */
+		if( outLen < outBuf[blockSize-1] ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( cipherName ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return -1 ;    
+		}
+
+		outLen -= outBuf[blockSize-1] ;
+	}
+	/******************************************************************/
+
+	/******************************************************************
+	if( xmlSecBufferSetMaxSize( out , outSize + blockSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferSetMaxSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+	if( PK11_DigestFinal( ctx->cipherCtx , outBuf , &outLen , blockSize ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"PK11_DigestFinal" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+	******************************************************************/
+
+	if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferSetSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( cipherName ) ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+//	PK11_Finalize( ctx->cipherCtx ) ;
+	PK11_DestroyContext( ctx->cipherCtx , PR_TRUE ) ;
+	ctx->cipherCtx = NULL ;
 
-    if(ctx->cipherCtx != NULL) {
-        PK11_DestroyContext(ctx->cipherCtx, PR_TRUE);
-    }
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
+	return 0 ;
 }
 
-static int  
-xmlSecNssBlockCipherSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
-    xmlSecNssBlockCipherCtxPtr ctx;
 
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(keyReq != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
-
-    keyReq->keyId 	= ctx->keyId;
-    keyReq->keyType 	= xmlSecKeyDataTypeSymmetric;
-    if(transform->operation == xmlSecTransformOperationEncrypt) {
-	keyReq->keyUsage = xmlSecKeyUsageEncrypt;
-    } else {
-	keyReq->keyUsage = xmlSecKeyUsageDecrypt;
-    }
-    keyReq->keyBitsSize = 8 * ctx->keySize;
-    return(0);
-}
 
+/**
+ * xmlSecTransformExecuteMethod:
+ * @transform:			the pointer to transform object.
+ * @last:			the flag: if set to 1 then it's the last data chunk.
+ * @transformCtx:		the pointer to transform context object.
+ *
+ * Transform specific method to process a chunk of data.
+ *
+ * Returns 0 on success or a negative value otherwise.
+ */
 static int
-xmlSecNssBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr buffer;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(key != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->keyInitialized == 0, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
-    xmlSecAssert2(xmlSecKeyCheckId(key, ctx->keyId), -1);
-
-    xmlSecAssert2(ctx->keySize > 0, -1);
-    xmlSecAssert2(ctx->keySize <= sizeof(ctx->key), -1);
-
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(xmlSecKeyGetValue(key));
-    xmlSecAssert2(buffer != NULL, -1);
-
-    if(xmlSecBufferGetSize(buffer) < ctx->keySize) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE,
-		    "keySize=%d;expected=%d",
-		    xmlSecBufferGetSize(buffer), ctx->keySize);
-	return(-1);
-    }
-    
-    xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1);
-    memcpy(ctx->key, xmlSecBufferGetData(buffer), ctx->keySize);
-    
-    ctx->keyInitialized = 1;
-    return(0);
+xmlSecNssBlockCipherExecute(
+	xmlSecTransformPtr transform ,
+	int last ,
+	xmlSecTransformCtxPtr transformCtx
+) {
+	xmlSecNssBlockCipherCtxPtr 	context = NULL ;
+	xmlSecBufferPtr				inBuf = NULL ;
+	xmlSecBufferPtr				outBuf = NULL ;
+	const xmlChar*				cipherName ;
+	int							operation ;
+	int							rtv ;
+
+	xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+	xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	context = xmlSecNssBlockCipherGetCtx( transform ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssBlockCipherGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;    
+	}
+
+	inBuf = &( transform->inBuf ) ;
+	outBuf = &( transform->outBuf ) ;
+
+	if( transform->status == xmlSecTransformStatusNone ) {
+		transform->status = xmlSecTransformStatusWorking ;
+	}
+
+	operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+	cipherName = xmlSecTransformGetName( transform ) ;
+
+	if( transform->status == xmlSecTransformStatusWorking ) {
+		if( context->cipherCtx == NULL ) {
+			rtv = xmlSecNssBlockCipherCtxInit( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssBlockCipherCtxInit" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return -1 ;
+			}
+		}
+
+		if( context->cipherCtx == NULL && last != 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE , 
+				xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_INVALID_STATUS ,
+				"No enough data to intialize transform" ) ;
+			return -1 ;
+		}
+
+		if( context->cipherCtx != NULL ) {
+			rtv = xmlSecNssBlockCipherCtxUpdate( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssBlockCipherCtxUpdate" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return -1 ;
+			}
+		}
+		
+		if( last ) {
+			rtv = xmlSecNssBlockCipherCtxFinal( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssBlockCipherCtxFinal" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return -1 ;
+			}
+			transform->status = xmlSecTransformStatusFinished ;
+		}
+	} else if( transform->status == xmlSecTransformStatusFinished ) {
+		if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE , 
+				xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_INVALID_STATUS ,
+				"status=%d", transform->status ) ;
+			return -1 ;
+		}
+	} else {
+		xmlSecError( XMLSEC_ERRORS_HERE , 
+			xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+			NULL ,
+			XMLSEC_ERRORS_R_INVALID_STATUS ,
+			"status=%d", transform->status ) ;
+		return -1 ;
+	}
+
+	return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr in, out;
-    int ret;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
+static xmlSecTransformKlass xmlSecNssAes128CbcKlass = {
+	sizeof( xmlSecTransformKlass ) ,
+	xmlSecNssBlockCipherSize ,
 
-    in = &(transform->inBuf);
-    out = &(transform->outBuf);
+	xmlSecNameAes128Cbc ,
+	xmlSecHrefAes128Cbc ,
+	xmlSecTransformUsageEncryptionMethod ,
+
+	xmlSecNssBlockCipherInitialize ,
+	xmlSecNssBlockCipherFinalize ,
+	NULL ,
+	NULL ,
+
+	xmlSecNssBlockCipherSetKeyReq ,
+	xmlSecNssBlockCipherSetKey ,
+	NULL ,
+	xmlSecTransformDefaultGetDataType ,
+
+	xmlSecTransformDefaultPushBin ,
+	xmlSecTransformDefaultPopBin ,
+	NULL ,
+	NULL ,
+	xmlSecNssBlockCipherExecute ,
+
+	NULL ,
+	NULL
+} ;
 
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
 
-    if(transform->status == xmlSecTransformStatusNone) {
-	transform->status = xmlSecTransformStatusWorking;
-    }
+static xmlSecTransformKlass xmlSecNssAes192CbcKlass = {
+	sizeof( xmlSecTransformKlass ) ,
+	xmlSecNssBlockCipherSize ,
 
-    if(transform->status == xmlSecTransformStatusWorking) {
-	if(ctx->ctxInitialized == 0) {
-	    ret = xmlSecNssBlockCipherCtxInit(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE, 
-			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-			    "xmlSecNssBlockCipherCtxInit",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		return(-1);
-	    }
-	}
-	if((ctx->ctxInitialized == 0) && (last != 0)) {
-	    xmlSecError(XMLSEC_ERRORS_HERE, 
-			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-			NULL,
-			XMLSEC_ERRORS_R_INVALID_DATA,
-			"not enough data to initialize transform");
-	    return(-1);
-	}
-
-	if(ctx->ctxInitialized != 0) {
-	    ret = xmlSecNssBlockCipherCtxUpdate(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE, 
-			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-			    "xmlSecNssBlockCipherCtxUpdate",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		return(-1);
-	    }
-	}
-	
-	if(last) {
-	    ret = xmlSecNssBlockCipherCtxFinal(ctx, in, out, 
-			(transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-			xmlSecTransformGetName(transform), transformCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE, 
-			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-			    "xmlSecNssBlockCipherCtxFinal",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		return(-1);
-	    }
-	    transform->status = xmlSecTransformStatusFinished;
-	} 
-    } else if(transform->status == xmlSecTransformStatusFinished) {
-	/* the only way we can get here is if there is no input */
-	xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1);
-    } else if(transform->status == xmlSecTransformStatusNone) {
-	/* the only way we can get here is if there is no enough data in the input */
-	xmlSecAssert2(last == 0, -1);
-    } else {
-	xmlSecError(XMLSEC_ERRORS_HERE, 
-		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_STATUS,
-		    "status=%d", transform->status);
-	return(-1);
-    }
-    
-    return(0);
-}
+	xmlSecNameAes192Cbc ,
+	xmlSecHrefAes192Cbc ,
+	xmlSecTransformUsageEncryptionMethod ,
+
+	xmlSecNssBlockCipherInitialize ,
+	xmlSecNssBlockCipherFinalize ,
+	NULL ,
+	NULL ,
+
+	xmlSecNssBlockCipherSetKeyReq ,
+	xmlSecNssBlockCipherSetKey ,
+	NULL ,
+	xmlSecTransformDefaultGetDataType ,
+
+	xmlSecTransformDefaultPushBin ,
+	xmlSecTransformDefaultPopBin ,
+	NULL ,
+	NULL ,
+	xmlSecNssBlockCipherExecute ,
+
+	NULL ,
+	NULL
+} ;
 
 
-#ifndef XMLSEC_NO_AES
-/*********************************************************************
- *
- * AES CBC cipher transforms
- *
- ********************************************************************/
-static xmlSecTransformKlass xmlSecNssAes128CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,		/* xmlSecSize objSize */
-
-    xmlSecNameAes128Cbc,			/* const xmlChar* name; */
-    xmlSecHrefAes128Cbc,			/* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize, 		/* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,		/* xmlSecTransformFinalizeMethod finalize; */
-    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
-    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,		/* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,		/* xmlSecTransformSetKeyMethod setKey; */
-    NULL,					/* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
-    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,		/* xmlSecTransformExecuteMethod execute; */
-
-    NULL,					/* void* reserved0; */
-    NULL,					/* void* reserved1; */
-};
+static xmlSecTransformKlass xmlSecNssAes256CbcKlass = {
+	sizeof( xmlSecTransformKlass ) ,
+	xmlSecNssBlockCipherSize ,
 
-/**
- * xmlSecNssTransformAes128CbcGetKlass:
- * 
- * AES 128 CBC encryption transform klass.
- * 
- * Returns pointer to AES 128 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes128CbcGetKlass(void) {
-    return(&xmlSecNssAes128CbcKlass);
-}
+	xmlSecNameAes256Cbc ,
+	xmlSecHrefAes256Cbc ,
+	xmlSecTransformUsageEncryptionMethod ,
+
+	xmlSecNssBlockCipherInitialize ,
+	xmlSecNssBlockCipherFinalize ,
+	NULL ,
+	NULL ,
+
+	xmlSecNssBlockCipherSetKeyReq ,
+	xmlSecNssBlockCipherSetKey ,
+	NULL ,
+	xmlSecTransformDefaultGetDataType ,
+
+	xmlSecTransformDefaultPushBin ,
+	xmlSecTransformDefaultPopBin ,
+	NULL ,
+	NULL ,
+	xmlSecNssBlockCipherExecute ,
+
+	NULL ,
+	NULL
+} ;
 
-static xmlSecTransformKlass xmlSecNssAes192CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,		/* xmlSecSize objSize */
-
-    xmlSecNameAes192Cbc,			/* const xmlChar* name; */
-    xmlSecHrefAes192Cbc,			/* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize, 		/* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,		/* xmlSecTransformFinalizeMethod finalize; */
-    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
-    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,		/* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,		/* xmlSecTransformSetKeyMethod setKey; */
-    NULL,					/* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
-    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,		/* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,					/* void* reserved0; */
-    NULL,					/* void* reserved1; */
-};
+static xmlSecTransformKlass xmlSecNssDes3CbcKlass = {
+	sizeof( xmlSecTransformKlass ) ,
+	xmlSecNssBlockCipherSize ,
+
+	xmlSecNameDes3Cbc ,
+	xmlSecHrefDes3Cbc ,
+	xmlSecTransformUsageEncryptionMethod ,
+
+	xmlSecNssBlockCipherInitialize ,
+	xmlSecNssBlockCipherFinalize ,
+	NULL ,
+	NULL ,
+
+	xmlSecNssBlockCipherSetKeyReq ,
+	xmlSecNssBlockCipherSetKey ,
+	NULL ,
+	xmlSecTransformDefaultGetDataType ,
+
+	xmlSecTransformDefaultPushBin ,
+	xmlSecTransformDefaultPopBin ,
+	NULL ,
+	NULL ,
+	xmlSecNssBlockCipherExecute ,
+
+	NULL ,
+	NULL
+} ;
 
 /**
- * xmlSecNssTransformAes192CbcGetKlass:
- * 
- * AES 192 CBC encryption transform klass.
- * 
- * Returns pointer to AES 192 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes192CbcGetKlass(void) {
-    return(&xmlSecNssAes192CbcKlass);
+ * xmlSecNssTransformAes128CbcGetKlass
+ *
+ * Get the AES128_CBC transform klass
+ *
+ * Return AES128_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes128CbcGetKlass( void ) {
+	return ( &xmlSecNssAes128CbcKlass ) ;
 }
 
-static xmlSecTransformKlass xmlSecNssAes256CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,		/* xmlSecSize objSize */
-
-    xmlSecNameAes256Cbc,			/* const xmlChar* name; */
-    xmlSecHrefAes256Cbc,			/* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize, 		/* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,		/* xmlSecTransformFinalizeMethod finalize; */
-    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
-    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,		/* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,		/* xmlSecTransformSetKeyMethod setKey; */
-    NULL,					/* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
-    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,		/* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,					/* void* reserved0; */
-    NULL,					/* void* reserved1; */
-};
-
 /**
- * xmlSecNssTransformAes256CbcGetKlass:
- * 
- * AES 256 CBC encryption transform klass.
- * 
- * Returns pointer to AES 256 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes256CbcGetKlass(void) {
-    return(&xmlSecNssAes256CbcKlass);
+ * xmlSecNssTransformAes192CbcGetKlass
+ *
+ * Get the AES192_CBC transform klass
+ *
+ * Return AES192_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes192CbcGetKlass( void ) {
+	return ( &xmlSecNssAes192CbcKlass ) ;
 }
 
-#endif /* XMLSEC_NO_AES */
-
-#ifndef XMLSEC_NO_DES
-static xmlSecTransformKlass xmlSecNssDes3CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,		/* xmlSecSize objSize */
-
-    xmlSecNameDes3Cbc,				/* const xmlChar* name; */
-    xmlSecHrefDes3Cbc, 				/* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize, 		/* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,		/* xmlSecTransformFinalizeMethod finalize; */
-    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
-    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,		/* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,		/* xmlSecTransformSetKeyMethod setKey; */
-    NULL,					/* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
-    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,		/* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,					/* void* reserved0; */
-    NULL,					/* void* reserved1; */
-};
+/**
+ * xmlSecNssTransformAes256CbcGetKlass
+ *
+ * Get the AES256_CBC transform klass
+ *
+ * Return AES256_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes256CbcGetKlass( void ) {
+	return ( &xmlSecNssAes256CbcKlass ) ;
+}
 
-/** 
- * xmlSecNssTransformDes3CbcGetKlass:
+/**
+ * xmlSecNssTransformDes3CbcGetKlass
  *
- * Triple DES CBC encryption transform klass.
- * 
- * Returns pointer to Triple DES encryption transform.
+ * Get the DES3_CBC transform klass
+ *
+ * Return DES3_CBC transform klass
  */
-xmlSecTransformId 
-xmlSecNssTransformDes3CbcGetKlass(void) {
-    return(&xmlSecNssDes3CbcKlass);
+xmlSecTransformId
+xmlSecNssTransformDes3CbcGetKlass( void ) {
+	return ( &xmlSecNssDes3CbcKlass ) ;
 }
-#endif /* XMLSEC_NO_DES */
+
 
Index: xmlsec/src/nss/crypto.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/crypto.c,v
retrieving revision 1.27
diff -u -r1.27 crypto.c
--- xmlsec/src/nss/crypto.c	29 Oct 2003 15:57:25 -0000	1.27
+++ xmlsec/src/nss/crypto.c	6 Feb 2005 03:53:20 -0000
@@ -130,23 +130,23 @@
     /**
      * High level routines form xmlsec command line utility
      */ 
-    gXmlSecNssFunctions->cryptoAppInit 			= xmlSecNssAppInit;
-    gXmlSecNssFunctions->cryptoAppShutdown 		= xmlSecNssAppShutdown;
-    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrInit 	= xmlSecNssAppDefaultKeysMngrInit;
-    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrAdoptKey 	= xmlSecNssAppDefaultKeysMngrAdoptKey;
-    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrLoad 	= xmlSecNssAppDefaultKeysMngrLoad;
-    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrSave 	= xmlSecNssAppDefaultKeysMngrSave;
+    gXmlSecNssFunctions->cryptoAppInit 			= NULL ;
+    gXmlSecNssFunctions->cryptoAppShutdown 		= NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrInit 	= NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrAdoptKey 	= NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrLoad 	= NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrSave 	= NULL ;
 #ifndef XMLSEC_NO_X509
-    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoad 	= xmlSecNssAppKeysMngrCertLoad;
-    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoadMemory= xmlSecNssAppKeysMngrCertLoadMemory;
-    gXmlSecNssFunctions->cryptoAppPkcs12Load  		= xmlSecNssAppPkcs12Load; 
-    gXmlSecNssFunctions->cryptoAppPkcs12LoadMemory	= xmlSecNssAppPkcs12LoadMemory; 
-    gXmlSecNssFunctions->cryptoAppKeyCertLoad 		= xmlSecNssAppKeyCertLoad;
-    gXmlSecNssFunctions->cryptoAppKeyCertLoadMemory	= xmlSecNssAppKeyCertLoadMemory;
+    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoad 	= NULL ;
+    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoadMemory= NULL ;
+    gXmlSecNssFunctions->cryptoAppPkcs12Load  		= NULL ; 
+    gXmlSecNssFunctions->cryptoAppPkcs12LoadMemory	= NULL ; 
+    gXmlSecNssFunctions->cryptoAppKeyCertLoad 		= NULL ;
+    gXmlSecNssFunctions->cryptoAppKeyCertLoadMemory	= NULL ;
 #endif /* XMLSEC_NO_X509 */
-    gXmlSecNssFunctions->cryptoAppKeyLoad 		= xmlSecNssAppKeyLoad; 
-    gXmlSecNssFunctions->cryptoAppKeyLoadMemory		= xmlSecNssAppKeyLoadMemory; 
-    gXmlSecNssFunctions->cryptoAppDefaultPwdCallback	= (void*)xmlSecNssAppGetDefaultPwdCallback;
+    gXmlSecNssFunctions->cryptoAppKeyLoad 		= NULL ; 
+    gXmlSecNssFunctions->cryptoAppKeyLoadMemory		= NULL ; 
+    gXmlSecNssFunctions->cryptoAppDefaultPwdCallback	= (void*)NULL ;
 
     return(gXmlSecNssFunctions);
 }
Index: xmlsec/src/nss/digests.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/digests.c,v
retrieving revision 1.18
diff -u -r1.18 digests.c
--- xmlsec/src/nss/digests.c	26 Sep 2003 00:58:15 -0000	1.18
+++ xmlsec/src/nss/digests.c	6 Feb 2005 03:53:20 -0000
@@ -21,7 +21,6 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
 
 #define XMLSEC_NSS_MAX_DIGEST_SIZE		32
@@ -107,7 +106,7 @@
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 		    "SECOID_FindOIDByTag",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(-1);
     }
     
@@ -117,7 +116,7 @@
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 		    "PK11_CreateDigestContext",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(-1);
     }
 	
@@ -208,7 +207,7 @@
 			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			"PK11_DigestBegin",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
 	}
 	transform->status = xmlSecTransformStatusWorking;
@@ -225,7 +224,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "PK11_DigestOp",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	    
@@ -246,7 +245,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "PK11_DigestFinal",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	    xmlSecAssert2(ctx->dgstSize > 0, -1);
Index: xmlsec/src/nss/hmac.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/hmac.c,v
retrieving revision 1.21
diff -u -r1.21 hmac.c
--- xmlsec/src/nss/hmac.c	26 Sep 2003 00:58:15 -0000	1.21
+++ xmlsec/src/nss/hmac.c	6 Feb 2005 03:53:21 -0000
@@ -23,8 +23,8 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
 
 #define XMLSEC_NSS_MAX_HMAC_SIZE		128
 
@@ -241,13 +241,13 @@
     keyItem.data = xmlSecBufferGetData(buffer);
     keyItem.len  = xmlSecBufferGetSize(buffer); 
 
-    slot = PK11_GetBestSlot(ctx->digestType, NULL);
+    slot = xmlSecNssSlotGet(ctx->digestType);
     if(slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    "PK11_GetBestSlot",
+		    "xmlSecNssSlotGet",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(-1);
     }
 	
@@ -258,7 +258,7 @@
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 		    "PK11_ImportSymKey",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
         PK11_FreeSlot(slot);
 	return(-1);
     }
@@ -269,7 +269,7 @@
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 		    "PK11_CreateContextBySymKey",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	PK11_FreeSymKey(symKey);
         PK11_FreeSlot(slot);
 	return(-1);
@@ -368,7 +368,7 @@
 			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			"PK11_DigestBegin",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
 	}
 	transform->status = xmlSecTransformStatusWorking;
@@ -385,7 +385,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "PK11_DigestOp",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	    
@@ -408,7 +408,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "PK11_DigestFinal",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	    xmlSecAssert2(dgstSize > 0, -1);
Index: xmlsec/src/nss/keysstore.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/keysstore.c,v
retrieving revision 1.3
diff -u -r1.3 keysstore.c
--- xmlsec/src/nss/keysstore.c	26 Sep 2003 00:58:15 -0000	1.3
+++ xmlsec/src/nss/keysstore.c	6 Feb 2005 03:53:21 -0000
@@ -16,104 +16,511 @@
  * 
  * Copyright (c) 2003 America Online, Inc.  All rights reserved.
  */
+/**
+ * NSS key store uses a key list and a slot list as the key repository. NSS slot
+ * list is a backup repository for the finding keys. If a key is not found from
+ * the key list, the NSS slot list is looked up.
+ *
+ * Any key in the key list will not save to pkcs11 slot. When a store to called
+ * to adopt a key, the key is resident in the key list; While a store to called
+ * to set a is resident in the key list; While a store to called to set a slot 
+ * list, which means that the keys in the listed slot can be used for xml sign-
+ * nature or encryption.
+ *
+ * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec.
+ *
+ * The framework will decrease the user interfaces to administrate xmlSec crypto
+ * engine. He can only focus on NSS layer functions. For examples, after the
+ * user set up a slot list handler to the keys store, he do not need to do any
+ * other work atop xmlSec interfaces, his action on the slot list handler, such
+ * as add a token to, delete a token from the list, will directly effect the key
+ * store behaviors.
+ *
+ * For example, a scenariio:
+ * 0. Create a slot list;( NSS interfaces )
+ * 1. Create a keys store;( xmlSec interfaces )
+ * 2. Set slot list with the keys store;( xmlSec Interfaces )
+ * 3. Add a slot to the slot list;( NSS interfaces )
+ * 4. Perform xml signature; ( xmlSec Interfaces )
+ * 5. Deleter a slot from the slot list;( NSS interfaces )
+ * 6. Perform xml encryption; ( xmlSec Interfaces )
+ * 7. Perform xml signature;( xmlSec Interfaces )
+ * 8. Destroy the keys store;( xmlSec Interfaces )
+ * 8. Destroy the slot list.( NSS Interfaces )
+ */
 #include "globals.h"
-
-#include <stdlib.h>
 #include <string.h>
 
-#include <nss.h> 
-#include <cert.h> 
-#include <pk11func.h> 
-#include <keyhi.h> 
+#include <nss.h>
+#include <pk11func.h>
+#include <prinit.h>
+#include <keyhi.h>
 
-#include <libxml/tree.h> 
 
 #include <xmlsec/xmlsec.h>
-#include <xmlsec/buffer.h>
-#include <xmlsec/base64.h>
-#include <xmlsec/errors.h>
-#include <xmlsec/xmltree.h>
-
+#include <xmlsec/keys.h>
 #include <xmlsec/keysmngr.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/keysstore.h>
-#include <xmlsec/nss/x509.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/ciphers.h>
 #include <xmlsec/nss/pkikeys.h>
 
-/****************************************************************************
+/**
+ * Internal NSS key store context
  *
- * Nss Keys Store. Uses Simple Keys Store under the hood
- * 
- * Simple Keys Store ptr is located after xmlSecKeyStore
+ * This context is located after xmlSecKeyStore
+ */
+typedef struct _xmlSecNssKeysStoreCtx	xmlSecNssKeysStoreCtx ;
+typedef struct _xmlSecNssKeysStoreCtx*	xmlSecNssKeysStoreCtxPtr ;
+
+struct _xmlSecNssKeysStoreCtx {
+	xmlSecPtrListPtr		keyList ;
+	xmlSecPtrListPtr		slotList ;
+} ;
+
+#define xmlSecNssKeysStoreSize	\
+	( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) )
+
+#define xmlSecNssKeysStoreGetCtx( data ) \
+	( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) )
+
+int xmlSecNssKeysStoreAdoptKeySlot(
+	xmlSecKeyStorePtr		store ,
+	xmlSecNssKeySlotPtr		keySlot
+) {
+	xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+	xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+	xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecNssKeysStoreGetCtx" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	if( context->slotList == NULL ) {
+		if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+				"xmlSecPtrListCreate" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return -1 ;
+		}
+	}
+
+	if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecPtrListCheckId" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecPtrListAdd" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	return 0 ;
+}
+
+int xmlSecNssKeysStoreAdoptKey(
+	xmlSecKeyStorePtr	store ,
+	xmlSecKeyPtr		key
+) {
+	xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+	xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+	xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecNssKeysStoreGetCtx" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	if( context->keyList == NULL ) {
+		if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+				"xmlSecPtrListCreate" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return -1 ;
+		}
+	}
+
+	if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecPtrListCheckId" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecPtrListAdd" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
+
+	return 0 ;
+}
+
+/** 
+ * xmlSecKeyStoreInitializeMethod:
+ * @store: 		the store.
+ *
+ * Keys store specific initialization method.
  *
- ***************************************************************************/
-#define xmlSecNssKeysStoreSize \
-	(sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr))
-
-#define xmlSecNssKeysStoreGetSS(store) \
-    ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \
-     (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \
-     (xmlSecKeyStorePtr*)NULL)
-
-static int			xmlSecNssKeysStoreInitialize	(xmlSecKeyStorePtr store);
-static void			xmlSecNssKeysStoreFinalize	(xmlSecKeyStorePtr store);
-static xmlSecKeyPtr 		xmlSecNssKeysStoreFindKey	(xmlSecKeyStorePtr store, 
-								 const xmlChar* name, 
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+static int
+xmlSecNssKeysStoreInitialize(
+	xmlSecKeyStorePtr store
+) {
+	xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+	xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+	xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecNssKeysStoreGetCtx" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;
+	}
 
-static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
-    sizeof(xmlSecKeyStoreKlass),
-    xmlSecNssKeysStoreSize,
+	context->keyList = NULL ;
+	context->slotList = NULL ;
 
-    /* data */
-    BAD_CAST "NSS-keys-store",		/* const xmlChar* name; */ 
-        
-    /* constructors/destructor */
-    xmlSecNssKeysStoreInitialize,	/* xmlSecKeyStoreInitializeMethod initialize; */
-    xmlSecNssKeysStoreFinalize,		/* xmlSecKeyStoreFinalizeMethod finalize; */
-    xmlSecNssKeysStoreFindKey,		/* xmlSecKeyStoreFindKeyMethod findKey; */
-
-    /* reserved for the future */
-    NULL,				/* void* reserved0; */
-    NULL,				/* void* reserved1; */
-};
+	return 0 ;
+}
 
-/**
- * xmlSecNssKeysStoreGetKlass:
- * 
- * The Nss list based keys store klass.
+/** 
+ * xmlSecKeyStoreFinalizeMethod:
+ * @store: 		the store.
  *
- * Returns Nss list based keys store klass.
+ * Keys store specific finalization (destroy) method.
  */
-xmlSecKeyStoreId 
-xmlSecNssKeysStoreGetKlass(void) {
-    return(&xmlSecNssKeysStoreKlass);
+void
+xmlSecNssKeysStoreFinalize(
+	xmlSecKeyStorePtr store
+) {
+	xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+	xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ;
+	xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ;
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecNssKeysStoreGetCtx" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return ;
+	}
+
+	if( context->keyList != NULL ) {
+		xmlSecPtrListDestroy( context->keyList ) ;
+		context->keyList = NULL ;
+	}
+
+	if( context->slotList != NULL ) {
+		xmlSecPtrListDestroy( context->slotList ) ;
+		context->slotList = NULL ;
+	}
 }
 
-/**
- * xmlSecNssKeysStoreAdoptKey:
- * @store:		the pointer to Nss keys store.
- * @key:		the pointer to key.
- * 
- * Adds @key to the @store. 
+xmlSecKeyPtr
+xmlSecNssKeysStoreFindKeyFromSlot(
+	PK11SlotInfo* slot,
+	const xmlChar* name,
+	xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+	xmlSecKeyPtr		key = NULL ;
+	xmlSecKeyDataPtr	data = NULL ;
+	int					length ;
+
+	xmlSecAssert2( slot != NULL , NULL ) ;
+	xmlSecAssert2( name != NULL , NULL ) ;
+	xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+	if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) {
+		PK11SymKey*			symKey ;
+		PK11SymKey*			curKey ;
+
+		/* Find symmetric key from the slot by name */
+		symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ;
+		for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) {
+			/* Check the key request */
+			length = PK11_GetKeyLength( curKey ) ;
+			length *= 8 ;
+			if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+				( length > 0 ) &&
+				( length < keyInfoCtx->keyReq.keyBitsSize ) )
+				continue ;
+
+			/* We find a eligible key */
+			data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ;
+			if( data == NULL ) {
+				/* Do nothing */
+			}
+			break ;
+		}
+
+		/* Destroy the sym key list */
+		for( curKey = symKey ; curKey != NULL ; ) {
+			symKey = curKey ;
+			curKey = PK11_GetNextSymKey( symKey ) ;
+			PK11_FreeSymKey( symKey ) ;
+		}
+	} else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+		SECKEYPublicKeyList*		pubKeyList ;
+		SECKEYPublicKey*			pubKey ;
+		SECKEYPublicKeyListNode*	curPub ;
+
+		/* Find asymmetric key from the slot by name */
+		pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ;
+		pubKey = NULL ;
+		curPub = PUBKEY_LIST_HEAD(pubKeyList);
+		for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) {
+			/* Check the key request */
+			length = SECKEY_PublicKeyStrength( curPub->key ) ;
+			length *= 8 ;
+			if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+				( length > 0 ) &&
+				( length < keyInfoCtx->keyReq.keyBitsSize ) )
+				continue ;
+
+			/* We find a eligible key */
+			pubKey = curPub->key ;
+			break ;
+		}
+
+		if( pubKey != NULL ) {
+			data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+			if( data == NULL ) {
+				/* Do nothing */
+			}
+		}
+
+		/* Destroy the public key list */
+		SECKEY_DestroyPublicKeyList( pubKeyList ) ;
+	} else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+		SECKEYPrivateKeyList*		priKeyList = NULL ;
+		SECKEYPrivateKey*			priKey = NULL ;
+		SECKEYPrivateKeyListNode*	curPri ;
+
+		/* Find asymmetric key from the slot by name */
+		priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ;
+		priKey = NULL ;
+		curPri = PRIVKEY_LIST_HEAD(priKeyList);
+		for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
+			/* Check the key request */
+			length = PK11_SignatureLen( curPri->key ) ;
+			length *= 8 ;
+			if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+				( length > 0 ) &&
+				( length < keyInfoCtx->keyReq.keyBitsSize ) )
+				continue ;
+
+			/* We find a eligible key */
+			priKey = curPri->key ;
+			break ;
+		}
+
+		if( priKey != NULL ) {
+			data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+			if( data == NULL ) {
+				/* Do nothing */
+			}
+		}
+
+		/* Destroy the private key list */
+		SECKEY_DestroyPrivateKeyList( priKeyList ) ;
+	}
+
+	/* If we have gotten the key value */
+	if( data != NULL ) {
+		if( ( key = xmlSecKeyCreate() ) == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				"xmlSecKeyCreate" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			xmlSecKeyDataDestroy( data ) ;
+			return NULL ;
+		}
+
+		if( xmlSecKeySetValue( key , data ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				"xmlSecKeySetValue" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			xmlSecKeyDestroy( key ) ;
+			xmlSecKeyDataDestroy( data ) ;
+			return NULL ;
+		}
+	}
+
+	return(key);
+}
+
+/** 
+ * xmlSecKeyStoreFindKeyMethod:
+ * @store: 		the store.
+ * @name:		the desired key name.
+ * @keyInfoCtx: 	the pointer to key info context.
  *
- * Returns 0 on success or a negative value if an error occurs.
+ * Keys store specific find method. The caller is responsible for destroying 
+ * the returned key using #xmlSecKeyDestroy method.
+ *
+ * Returns the pointer to a key or NULL if key is not found or an error occurs.
  */
-int 
-xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) {
-    xmlSecKeyStorePtr *ss;
-    
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((key != NULL), -1);
+static xmlSecKeyPtr
+xmlSecNssKeysStoreFindKey(
+	xmlSecKeyStorePtr store ,
+	const xmlChar* name ,
+	xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+	xmlSecNssKeysStoreCtxPtr context = NULL ;
+	xmlSecKeyPtr	key = NULL ;
+	xmlSecNssKeySlotPtr	keySlot = NULL ;
+	xmlSecSize		pos ;
+	xmlSecSize		size ;
+
+	xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ;
+	xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ;
+	xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+			"xmlSecNssKeysStoreGetCtx" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Look for key at keyList at first.
+	 */
+	if( context->keyList != NULL ) {
+		size = xmlSecPtrListGetSize( context->keyList ) ;
+		for( pos = 0 ; pos < size ; pos ++ ) {
+			key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ;
+			if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) {
+				return xmlSecKeyDuplicate( key ) ;
+			}
+		}
+	}
+
+	/*-
+	 * Find the key from slotList
+	 */
+	if( context->slotList != NULL ) {
+		PK11SlotInfo*			slot = NULL ;
+
+		size = xmlSecPtrListGetSize( context->slotList ) ;
+		for( pos = 0 ; pos < size ; pos ++ ) {
+			keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ;
+			slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+			if( slot == NULL ) {
+				continue ;
+			} else {
+				key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ;
+				if( key == NULL ) {
+					continue ;
+				} else {
+					return( key ) ;
+				}
+			}
+		}
+	}
+
+	/*-
+	 * Create a session key if we can not find the key from keyList and slotList
+	 */
+	if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) {
+		key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ;
+		if( key == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+				"xmlSecKeySetValue" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return NULL ;
+		}
+
+		return key ;
+	}
+
+	/**
+	 * We have no way to find the key any more.
+	 */
+	return NULL ;
+}
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-		   (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
+static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
+	sizeof( xmlSecKeyStoreKlass ) ,
+	xmlSecNssKeysStoreSize ,
+	BAD_CAST "implicit_nss_keys_store" ,
+	xmlSecNssKeysStoreInitialize ,
+	xmlSecNssKeysStoreFinalize ,
+	xmlSecNssKeysStoreFindKey ,
+	NULL ,
+	NULL
+} ;
 
-    return (xmlSecSimpleKeysStoreAdoptKey(*ss, key));
+/**
+ * xmlSecNssKeysStoreGetKlass:
+ * 
+ * The simple list based keys store klass.
+ *
+ * Returns simple list based keys store klass.
+ */
+xmlSecKeyStoreId 
+xmlSecNssKeysStoreGetKlass( void ) {
+    return &xmlSecNssKeysStoreKlass ;
 }
 
+
+/**************************
+ * Application routines
+ */
 /** 
  * xmlSecNssKeysStoreLoad:
  * @store:		the pointer to Nss keys store.
@@ -125,8 +532,11 @@
  * Returns 0 on success or a negative value if an error occurs.
  */
 int
-xmlSecNssKeysStoreLoad(xmlSecKeyStorePtr store, const char *uri, 
-			    xmlSecKeysMngrPtr keysMngr) {
+xmlSecNssKeysStoreLoad(
+	xmlSecKeyStorePtr store,
+	const char *uri, 
+	xmlSecKeysMngrPtr keysMngr
+) {
     xmlDocPtr doc;
     xmlNodePtr root;
     xmlNodePtr cur;
@@ -252,254 +662,147 @@
  */
 int
 xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((filename != NULL), -1);    
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-		   (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
-
-    return (xmlSecSimpleKeysStoreSave(*ss, filename, type));
-}
-
-static int
-xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
+    xmlSecKeyInfoCtx keyInfoCtx;
+	xmlSecNssKeysStoreCtxPtr context ;
+    xmlSecPtrListPtr list;
+    xmlSecKeyPtr key;
+    xmlSecSize i, keysSize;    
+    xmlDocPtr doc;
+    xmlNodePtr cur;
+    xmlSecKeyDataPtr data;
+    xmlSecPtrListPtr idsList;
+    xmlSecKeyDataId dataId;
+    xmlSecSize idsSize, j;
+    int ret;
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2((*ss == NULL), -1);
+	xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ), -1 ) ;
+	xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ;
+    xmlSecAssert2(filename != NULL, -1);    
+
+	context = xmlSecNssKeysStoreGetCtx( store ) ;
+	xmlSecAssert2( context != NULL, -1 );
+
+    list = context->keyList ;
+	xmlSecAssert2( list != NULL, -1 );
+    xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1);
 
-    *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
-    if(*ss == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
+    /* create doc */
+    doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs);
+    if(doc == NULL) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-		    "xmlSecKeyStoreCreate",
+		    "xmlSecCreateTree",
 		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "xmlSecSimpleKeysStoreId");
-	return(-1);
+		    XMLSEC_ERRORS_NO_MESSAGE);
+		return(-1);
     }
-
-    return(0);    
-}
-
-static void
-xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
     
-    xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId));
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert((ss != NULL) && (*ss != NULL));
-    
-    xmlSecKeyStoreDestroy(*ss);
-}
-
-static xmlSecKeyPtr 
-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, 
-		          xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyStorePtr* ss;
-    xmlSecKeyPtr key = NULL;
-    xmlSecKeyPtr retval = NULL;
-    xmlSecKeyReqPtr keyReq = NULL;
-    CERTCertificate *cert = NULL;
-    SECKEYPublicKey *pubkey = NULL;
-    SECKEYPrivateKey *privkey = NULL;
-    xmlSecKeyDataPtr data = NULL;
-    xmlSecKeyDataPtr x509Data = NULL;
-    int ret;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL);
-
-    key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx);
-    if (key != NULL) {
-	return (key);
-    }
+    idsList = xmlSecKeyDataIdsGet();	
+    xmlSecAssert2(idsList != NULL, -1);
+	
+    keysSize = xmlSecPtrListGetSize(list);
+    idsSize = xmlSecPtrListGetSize(idsList);
+    for(i = 0; i < keysSize; ++i) {
+	key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i);
+	xmlSecAssert2(key != NULL, -1);
+	    
+    cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs);
+	if(cur == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+			xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+			"xmlSecAddChild",
+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			"node=%s",
+			xmlSecErrorsSafeString(xmlSecNodeKeyInfo));
+	    xmlFreeDoc(doc); 
+	    return(-1);
+	}
 
-    /* Try to find the key in the NSS DB, and construct an xmlSecKey.
-     * we must have a name to lookup keys in NSS DB.
-     */
-    if (name == NULL) {
-	goto done;
-    }
+	/* special data key name */
+	if(xmlSecKeyGetName(key) != NULL) {
+    	if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+			    "xmlSecAddChild",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    "node=%s",
+			    xmlSecErrorsSafeString(xmlSecNodeKeyName));
+			xmlFreeDoc(doc); 
+			return(-1);
+	    }
+	}
+    
+	/* create nodes for other keys data */
+	for(j = 0; j < idsSize; ++j) {
+	    dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j);
+	    xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1);
 
-    /* what type of key are we looking for? 
-     * TBD: For now, we'll look only for public/private keys using the
-     * name as a cert nickname. Later on, we can attempt to find
-     * symmetric keys using PK11_FindFixedKey 
-     */
-    keyReq = &(keyInfoCtx->keyReq);
-    if (keyReq->keyType & 
-	(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) {
-	cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name);
-	if (cert == NULL) {
-	    goto done;
-	}
-
-	if (keyReq->keyType & xmlSecKeyDataTypePublic) {
- 	    pubkey = CERT_ExtractPublicKey(cert);
-	    if (pubkey == NULL) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    "CERT_ExtractPublicKey",
-			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		goto done;
+	    if(dataId->dataNodeName == NULL) {
+			continue;
+	    }
+	    
+	    data = xmlSecKeyGetData(key, dataId);
+	    if(data == NULL) {
+			continue;
 	    }
-	} 
 
-	if (keyReq->keyType & xmlSecKeyDataTypePrivate) { 
- 	    privkey = PK11_FindKeyByAnyCert(cert, NULL);
-	    if (privkey == NULL) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    "PK11_FindKeyByAnyCert",
-			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		goto done;
+	    if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+			    "xmlSecAddChild",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    "node=%s", 
+			    xmlSecErrorsSafeString(dataId->dataNodeName));
+			xmlFreeDoc(doc); 
+	        return(-1);
 	    }
 	}
 
-	data = xmlSecNssPKIAdoptKey(privkey, pubkey);
-	if(data == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssPKIAdoptKey",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    goto done;
-	}    
-	privkey = NULL;
-	pubkey = NULL;
-
-        key = xmlSecKeyCreate();
-        if (key == NULL) {
+    ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL);
+	if(ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyCreate",
+		    	xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+			"xmlSecKeyInfoCtxInitialize",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
 			XMLSEC_ERRORS_NO_MESSAGE);
-	    return (NULL);
-        }
-
-	x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id);
-	if(x509Data == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyDataCreate",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"transform=%s",
-			xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id)));
-	    goto done;
-	}
-
-	ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert);
-	if (ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssKeyDataX509AdoptKeyCert",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
-	}
-	cert = CERT_DupCertificate(cert);
-	if (cert == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"CERT_DupCertificate",
-			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
-	}
-
-	ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert);
-	if (ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssKeyDataX509AdoptCert",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
+	    xmlFreeDoc(doc);
+	    return(-1);
 	}
-	cert = NULL;
 
-	ret = xmlSecKeySetValue(key, data);
-	if (ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeySetValue",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s", 
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)));
-	    goto done;
-	}
-	data = NULL;
+	keyInfoCtx.mode 		= xmlSecKeyInfoModeWrite;
+    keyInfoCtx.keyReq.keyId		= xmlSecKeyDataIdUnknown;
+	keyInfoCtx.keyReq.keyType	= type;
+	keyInfoCtx.keyReq.keyUsage 	= xmlSecKeyDataUsageAny;
 
-	ret = xmlSecKeyAdoptData(key, x509Data);
-	if (ret < 0) {
+	/* finally write key in the node */
+	ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx);
+	if(ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyAdoptData",
+			xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+			"xmlSecKeyInfoNodeWrite",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
-	}
-	x509Data = NULL;
-
-	retval = key;
-	key = NULL;
-    }
-
-done:
-    if (cert != NULL) {
-	CERT_DestroyCertificate(cert);
-    }
-    if (pubkey != NULL) {
-	SECKEY_DestroyPublicKey(pubkey);
-    }
-    if (privkey != NULL) {
-	SECKEY_DestroyPrivateKey(privkey);
-    }
-    if (data != NULL) {
-	xmlSecKeyDataDestroy(data);
-    }
-    if (x509Data != NULL) {
-	xmlSecKeyDataDestroy(x509Data);
-    }
-    if (key != NULL) {
-	xmlSecKeyDestroy(key);
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
+	    xmlFreeDoc(doc); 
+	    return(-1);
+	}		
+	xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
     }
-
-    /* now that we have a key, make sure it is valid and let the simple
-     * store adopt it */
-    if (retval) {
-	if (xmlSecKeyIsValid(retval)) {
-	    ret = xmlSecSimpleKeysStoreAdoptKey(*ss, retval);
-	    if (ret < 0) {
+    
+    /* now write result */
+    ret = xmlSaveFormatFile(filename, doc, 1);
+    if(ret < 0) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-			    "xmlSecSimpleKeysStoreAdoptKey",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		xmlSecKeyDestroy(retval);
-		retval = NULL;
-	    }
-        } else {
-	    xmlSecKeyDestroy(retval);
-	    retval = NULL;
-	}
-    }
-
-    return (retval);
+		    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+		    "xmlSaveFormatFile",
+		    XMLSEC_ERRORS_R_XML_FAILED,
+		    "filename=%s", 
+		    xmlSecErrorsSafeString(filename));
+		xmlFreeDoc(doc); 
+		return(-1);
+    }	   
+    
+    xmlFreeDoc(doc);
+    return(0);
 }
+
Index: xmlsec/src/nss/pkikeys.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/pkikeys.c,v
retrieving revision 1.4
diff -u -r1.4 pkikeys.c
--- xmlsec/src/nss/pkikeys.c	17 Mar 2004 05:06:45 -0000	1.4
+++ xmlsec/src/nss/pkikeys.c	6 Feb 2005 03:53:22 -0000
@@ -24,6 +24,7 @@
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/bignum.h>
 #include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/tokens.h>
 
 /**************************************************************************
  *
@@ -115,6 +116,8 @@
                           xmlSecNssPKIKeyDataCtxPtr ctxSrc)
 {
     xmlSecNSSPKIKeyDataCtxFree(ctxDst);
+	ctxDst->privkey = NULL ;
+	ctxDst->pubkey = NULL ;
     if (ctxSrc->privkey != NULL) {
 	ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey);
 	if(ctxDst->privkey == NULL) {
@@ -122,7 +125,7 @@
 			NULL,
 			"SECKEY_CopyPrivateKey",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+				"error code=%d", PORT_GetError());
 	    return(-1);
 	}
     }
@@ -134,7 +137,7 @@
 			NULL,
 			"SECKEY_CopyPublicKey",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+				"error code=%d", PORT_GetError());
 	    return(-1);
 	}
     }
@@ -147,10 +150,31 @@
                             SECKEYPublicKey  *pubkey)
 {
     xmlSecNssPKIKeyDataCtxPtr ctx;
+	KeyType					pubType = nullKey ;
+	KeyType					priType = nullKey ;
     
     xmlSecAssert2(xmlSecKeyDataIsValid(data), -1);
     xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssPKIKeyDataSize), -1);
 
+	if( privkey != NULL ) {
+		priType = SECKEY_GetPrivateKeyType( privkey ) ;
+	}
+
+	if( pubkey != NULL ) {
+		pubType = SECKEY_GetPublicKeyType( pubkey ) ;
+	}
+
+	if( priType != nullKey && pubType != nullKey ) {
+		if( pubType != priType ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				"different type of private and public key" ) ;
+			return -1 ;
+		}
+	}
+
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
     
@@ -183,16 +207,30 @@
 {
     xmlSecKeyDataPtr data = NULL;
     int ret;
-    KeyType kt;
-    
-    if (pubkey != NULL) {
-	kt = SECKEY_GetPublicKeyType(pubkey);
-    } else {
-	kt = SECKEY_GetPrivateKeyType(privkey);
-	pubkey = SECKEY_ConvertToPublicKey(privkey);
-    }
+	KeyType					pubType = nullKey ;
+	KeyType					priType = nullKey ;
     
-    switch(kt) {	
+	if( privkey != NULL ) {
+		priType = SECKEY_GetPrivateKeyType( privkey ) ;
+	}
+
+	if( pubkey != NULL ) {
+		pubType = SECKEY_GetPublicKeyType( pubkey ) ;
+	}
+
+	if( priType != nullKey && pubType != nullKey ) {
+		if( pubType != priType ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				"different type of private and public key" ) ;
+			return( NULL ) ;
+		}
+	}
+   
+	pubType = priType != nullKey ? priType : pubType ;
+    switch(pubType) {	
 #ifndef XMLSEC_NO_RSA    
     case rsaKey:
 	data = xmlSecKeyDataCreate(xmlSecNssKeyDataRsaId);
@@ -224,7 +262,7 @@
 		    NULL,
 		    NULL,
 		    XMLSEC_ERRORS_R_INVALID_TYPE,
-		    "PKI key type %d not supported", kt);
+		    "PKI key type %d not supported", pubType);
 	return(NULL);
     }
 
@@ -553,13 +591,13 @@
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA);
     if(slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-		    "PK11_GetBestSlot",
+		    "xmlSecNssSlotGet",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	ret = -1;
 	goto done;
     }
@@ -570,7 +608,7 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "PORT_NewArena",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	ret = -1;
 	goto done;
     }
@@ -582,7 +620,7 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
 		    "PORT_ArenaZAlloc",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	PORT_FreeArena(arena, PR_FALSE);
 	ret = -1;
 	goto done;
@@ -757,14 +795,14 @@
     if (slot != NULL) {
 	PK11_FreeSlot(slot);
     }
-    if (ret != 0) {
+
 	if (pubkey != NULL) {
 	    SECKEY_DestroyPublicKey(pubkey);
 	}
 	if (data != NULL) {
 	    xmlSecKeyDataDestroy(data);
 	}
-    }
+
     return(ret);
 }
 
@@ -783,7 +821,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
 	/* we can have only private key or public key */
@@ -905,7 +943,8 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_PQG_ParamGen",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    "size=%d", sizeBits);
+		    "size=%d, error code=%d", sizeBits, PORT_GetError());
+	ret = -1;
 	goto done;
     }
 
@@ -915,11 +954,12 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_PQG_VerifyParams",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    "size=%d", sizeBits);
+		    "size=%d, error code=%d", sizeBits, PORT_GetError());
+	ret = -1;
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams,
 				   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -929,8 +969,9 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_GenerateKeyPair",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
         
+	ret = -1;
 	goto done;
     }
 
@@ -943,7 +984,8 @@
 		    XMLSEC_ERRORS_NO_MESSAGE);
 	goto done;
     }
-
+	privkey = NULL ;
+	pubkey = NULL ;
     ret = 0;
 
 done:
@@ -956,16 +998,14 @@
     if (pqgVerify != NULL) {
 	PK11_PQG_DestroyVerify(pqgVerify);
     }
-    if (ret == 0) {
-	return (0);
-    }
+
     if (pubkey != NULL) {
 	SECKEY_DestroyPublicKey(pubkey);
     }
     if (privkey != NULL) {
 	SECKEY_DestroyPrivateKey(privkey);
     }
-    return(-1);
+    return(ret);
 }
 
 static xmlSecKeyDataType
@@ -975,10 +1015,10 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
     if (ctx->privkey != NULL) {
 	return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-    } else {
+    } else if( ctx->pubkey != NULL ) {
 	return(xmlSecKeyDataTypePublic);
     }
        
@@ -992,7 +1032,7 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
@@ -1181,13 +1221,13 @@
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS);
     if(slot == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                    "PK11_GetBestSlot",
+                    "xmlSecNssSlotGet",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1198,7 +1238,7 @@
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "PORT_NewArena",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1210,7 +1250,7 @@
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "PORT_ArenaZAlloc",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
 	PORT_FreeArena(arena, PR_FALSE);
         ret = -1;
         goto done;
@@ -1349,7 +1389,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
 
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
@@ -1420,7 +1460,7 @@
     params.keySizeInBits = sizeBits;
     params.pe = 65537;
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &params,
 				   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -1430,7 +1470,7 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_GenerateKeyPair",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
         
 	goto done;
     }
@@ -1472,7 +1512,7 @@
     
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
     if (ctx->privkey != NULL) {
 	return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
     } else {
@@ -1490,7 +1530,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+//    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
Index: xmlsec/src/nss/signatures.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/signatures.c,v
retrieving revision 1.3
diff -u -r1.3 signatures.c
--- xmlsec/src/nss/signatures.c	26 Sep 2003 00:58:15 -0000	1.3
+++ xmlsec/src/nss/signatures.c	6 Feb 2005 03:53:22 -0000
@@ -199,7 +199,7 @@
 			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			"SGN_NewContext",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
         }
     } else {
@@ -222,7 +222,7 @@
 			xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			"VFY_CreateContext",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
         }
     }
@@ -282,7 +282,7 @@
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 		    "VFY_Update, VFY_End",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 
 	if (PORT_GetError() == SEC_ERROR_PKCS7_BAD_SIGNATURE) {
 	    xmlSecError(XMLSEC_ERRORS_HERE, 
@@ -341,7 +341,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "SGN_Begin",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	} else {
@@ -351,7 +351,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "VFY_Begin",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	}
@@ -368,7 +368,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "SGN_Update",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	} else {
@@ -378,7 +378,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "VFY_Update",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	}
@@ -404,7 +404,7 @@
 			    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
 			    "SGN_End",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 
Index: xmlsec/src/nss/symkeys.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/symkeys.c,v
retrieving revision 1.9
diff -u -r1.9 symkeys.c
--- xmlsec/src/nss/symkeys.c	21 Jul 2003 03:12:52 -0000	1.9
+++ xmlsec/src/nss/symkeys.c	6 Feb 2005 03:53:23 -0000
@@ -15,20 +15,42 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <pk11func.h>
+#include <nss.h>
+
 #include <xmlsec/xmlsec.h>
 #include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/tokens.h>
 
 /*****************************************************************************
  * 
- * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary
+ * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey
  *
  ****************************************************************************/
+typedef struct _xmlSecNssSymKeyDataCtx      xmlSecNssSymKeyDataCtx ;
+typedef struct _xmlSecNssSymKeyDataCtx*     xmlSecNssSymKeyDataCtxPtr ;
+
+struct _xmlSecNssSymKeyDataCtx {
+    CK_MECHANISM_TYPE       cipher ;    /* the symmetic key mechanism */
+    PK11SlotInfo*           slot ;      /* the key resident slot */
+    PK11SymKey*             symkey ;    /* the symmetic key */
+} ;
+
+#define xmlSecNssSymKeyDataSize \
+    ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) )
+
+#define xmlSecNssSymKeyDataGetCtx( data ) \
+    ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) )
+
+
 static int	xmlSecNssSymKeyDataInitialize		(xmlSecKeyDataPtr data);
 static int	xmlSecNssSymKeyDataDuplicate		(xmlSecKeyDataPtr dst,
 							 xmlSecKeyDataPtr src);
@@ -69,105 +91,620 @@
 
 static int
 xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
-    
-    return(xmlSecKeyDataBinaryValueInitialize(data));
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx));
+
+    /* Set the block cipher mechanism */
+#ifndef XMLSEC_NO_DES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_DES3_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_AES_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_AES */
+
+    if(1) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            "Unsupported block cipher" ) ;
+        return(-1) ;
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
+    xmlSecNssSymKeyDataCtxPtr ctxDst;
+    xmlSecNssSymKeyDataCtxPtr ctxSrc;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(dst->id == src->id, -1);
-        
-    return(xmlSecKeyDataBinaryValueDuplicate(dst, src));
+
+    ctxDst = xmlSecNssSymKeyDataGetCtx(dst);
+    xmlSecAssert2(ctxDst != NULL, -1);
+
+    ctxSrc = xmlSecNssSymKeyDataGetCtx(src);
+    xmlSecAssert2(ctxSrc != NULL, -1);
+
+    ctxDst->cipher = ctxSrc->cipher ;
+
+    if( ctxSrc->slot != NULL ) {
+        if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+
+        if( ctxDst->slot == NULL && ctxSrc->slot != NULL )
+            ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ;
+    } else {
+        if( ctxDst->slot != NULL ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+    }
+
+    if( ctxSrc->symkey != NULL ) {
+        if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+
+        if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL )
+            ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ;
+    } else {
+        if( ctxDst->symkey != NULL ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+    }
+
+    return(0);
 }
 
 static void
 xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-    
-    xmlSecKeyDataBinaryValueFinalize(data);
+    xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize));
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert(ctx != NULL);
+
+    if( ctx->slot != NULL ) {
+        PK11_FreeSlot( ctx->slot ) ;
+        ctx->slot = NULL ;
+    }
+
+    if( ctx->symkey != NULL ) {
+        PK11_FreeSymKey( ctx->symkey ) ;
+        ctx->symkey = NULL ;
+    }
+
+    ctx->cipher = CKM_INVALID_MECHANISM ;
 }
 
 static int
 xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
 			       xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecBufferPtr keyBuf;
+    xmlSecSize len;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+    
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Create a buffer for raw symmetric key value */
+    if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecBufferCreate" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Read the raw key value */
+    if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = xmlSecBufferGetData( keyBuf ) ;
+    keyItem.len = xmlSecBufferGetSize( keyBuf ) ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		PK11_FreeSlot( slot ) ;
+        xmlSecBufferDestroy( keyBuf ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+	PK11_FreeSlot( slot ) ;
+
+    /* raw key material has been copied into symKey, it isn't used any more */
+    xmlSecBufferDestroy( keyBuf ) ;
     
-    return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx));
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        PK11_FreeSymKey( symKey ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+		xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
+    
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int 
 xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+	/* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+		xmlSecBufferPtr keyBuf ;
+
+		/* Extract raw key data from symmetric key */
+		if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"PK11_ExtractKeyValue",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+		}
+
+		/* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+	    if(keyItem == NULL) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"PK11_GetKeyData",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+    	}
+
+		/* Create key data buffer with raw kwy material */
+		keyBuf = xmlSecBufferCreate(keyItem->len) ;
+	    if(keyBuf == NULL) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"xmlSecBufferCreate",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+    	}
+
+		xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ;
+
+		/* Write raw key material into current xml node */
+		if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"xmlSecBufferBase64NodeContentWrite",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			xmlSecBufferDestroy(keyBuf);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+		}
+		xmlSecBufferDestroy(keyBuf);
+		PK11_FreeSymKey( symKey ) ;
+    }
     
-    return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx));
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    const xmlSecByte* buf, xmlSecSize bufSize,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
     
-    return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx));
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = buf ;
+    keyItem.len = bufSize ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+		PK11_FreeSlot( slot ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        PK11_FreeSymKey( symKey ) ;
+		PK11_FreeSlot( slot ) ;
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+	PK11_FreeSlot( slot ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+		xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
+    
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+		xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    xmlSecByte** buf, xmlSecSize* bufSize,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+	/* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+
+		/* Extract raw key data from symmetric key */
+		if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"PK11_ExtractKeyValue",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+		}
+
+		/* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+	    if(keyItem == NULL) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	"PK11_GetKeyData",
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ 	           	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+    	}
+
+		*bufSize = keyItem->len;
+		*buf = ( xmlSecByte* )xmlMalloc( *bufSize );
+		if( *buf == NULL ) {
+        	xmlSecError(XMLSEC_ERRORS_HERE,
+            	xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            	NULL,
+            	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            	XMLSEC_ERRORS_NO_MESSAGE);
+			PK11_FreeSymKey( symKey ) ;
+        	return(-1);
+    	}
+
+		memcpy((*buf), keyItem->data, (*bufSize));
+		PK11_FreeSymKey( symKey ) ;
+    }
     
-    return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx));
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
-    xmlSecBufferPtr buffer;
-
+    PK11SymKey* symkey ;
+    PK11SlotInfo* slot ;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    int ret;
+    
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
     xmlSecAssert2(sizeBits > 0, -1);
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, -1);
-    
-    return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8));
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+	if( sizeBits % 8 != 0 ) {
+       	xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "Symmetric key size must be octuple");
+        return(-1);
+	}
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return(-1) ;
+    }
+
+	if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+		    "PK11_Authenticate" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		PK11_FreeSlot( slot ) ;
+		return -1 ;
+	}
+
+	symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ;
+	if( symkey == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+		    "PK11_KeyGen" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		PK11_FreeSlot( slot ) ;
+		return -1 ;
+	}
+
+	if( ctx->slot != NULL ) {
+		PK11_FreeSlot( ctx->slot ) ;
+		ctx->slot = NULL ;
+	}
+	ctx->slot = slot ;
+
+	if( ctx->symkey != NULL ) {
+		PK11_FreeSymKey( ctx->symkey ) ;
+		ctx->symkey = NULL ;
+	}
+	ctx->symkey = symkey ;
+
+	return 0 ;
 }
 
 static xmlSecKeyDataType
 xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) {
-    xmlSecBufferPtr buffer;
+	xmlSecNssSymKeyDataCtxPtr context = NULL ;
+	xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ;
 
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown);
+	xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ;
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown);
+	context = xmlSecNssSymKeyDataGetCtx( data ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+		    "xmlSecNssSymKeyDataGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return xmlSecKeyDataTypeUnknown ;
+	}
+
+	if( context->symkey != NULL ) {
+		type |= xmlSecKeyDataTypeSymmetric ;
+	} else {
+		type |= xmlSecKeyDataTypeUnknown ;
+	}
 
-    return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown);
+	return type ;
 }
 
 static xmlSecSize 
 xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) {
+	xmlSecNssSymKeyDataCtxPtr context ;
+	unsigned int	length = 0 ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0);
-    
-    return(xmlSecKeyDataBinaryValueGetSize(data));
+	xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ;
+
+	context = xmlSecNssSymKeyDataGetCtx( data ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+		    "xmlSecNssSymKeyDataGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return 0 ;
+	}
+
+	if( context->symkey != NULL ) {
+		length = PK11_GetKeyLength( context->symkey ) ;
+		length *= 8 ;
+	}
+
+	return length ;
 }
 
 static void 
 xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
     
-    xmlSecKeyDataBinaryValueDebugDump(data, output);    
+	/* print only size, everything else is sensitive */
+	fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName ,
+											xmlSecKeyDataGetSize(data)) ;
 }
 
 static void
 xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
     
-    xmlSecKeyDataBinaryValueDebugXmlDump(data, output);    
+	/* print only size, everything else is sensitive */
+	fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName ,
+											xmlSecKeyDataGetSize(data)) ;
 }
 
 static int 
@@ -201,7 +738,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameAESKeyValue,
@@ -282,7 +819,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameDESKeyValue,
@@ -364,7 +901,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameHMACKeyValue,
@@ -435,6 +972,126 @@
     
     return(xmlSecBufferSetData(buffer, buf, bufSize));
 }
+/**
+ * xmlSecNssSymKeyDataAdoptKey:
+ * @data:				the pointer to symmetric key data.
+ * @symkey:				the symmetric key
+ *
+ * Set the value of symmetric key data.
+ *
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+int
+xmlSecNssSymKeyDataAdoptKey(
+	xmlSecKeyDataPtr data ,
+	PK11SymKey* symkey
+) {
+	xmlSecNssSymKeyDataCtxPtr context = NULL ;
+
+	xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ;
+	xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ;
+	xmlSecAssert2( symkey != NULL, -1 ) ;
+
+	context = xmlSecNssSymKeyDataGetCtx( data ) ;
+	xmlSecAssert2(context != NULL, -1);
+
+	context->cipher = PK11_GetMechanism( symkey ) ;
+
+	if( context->slot != NULL ) {
+		PK11_FreeSlot( context->slot ) ;
+		context->slot = NULL ;
+	}
+	context->slot = PK11_GetSlotFromKey( symkey ) ;
+
+	if( context->symkey != NULL ) {
+		PK11_FreeSymKey( context->symkey ) ;
+		context->symkey = NULL ;
+	}
+	context->symkey = PK11_ReferenceSymKey( symkey ) ;
+
+	return 0 ;
+}
+
+xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt(
+    PK11SymKey*     symKey
+) {
+	xmlSecKeyDataPtr	data = NULL ;
+	CK_MECHANISM_TYPE	mechanism = CKM_INVALID_MECHANISM ;
+
+	xmlSecAssert2( symKey != NULL , NULL ) ;
+
+	mechanism = PK11_GetMechanism( symKey ) ;
+	switch( mechanism ) {
+		case CKM_DES3_KEY_GEN :
+		case CKM_DES3_CBC :
+		case CKM_DES3_MAC :
+			data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ;
+			if( data == NULL ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					NULL ,
+					"xmlSecKeyDataCreate" ,
+					XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+					"xmlSecNssKeyDataDesId" ) ;
+				return NULL ;
+			}
+			break ;
+		case CKM_AES_KEY_GEN :
+		case CKM_AES_CBC :
+		case CKM_AES_MAC :
+			data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ;
+			if( data == NULL ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					NULL ,
+					"xmlSecKeyDataCreate" ,
+					XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+					"xmlSecNssKeyDataDesId" ) ;
+				return NULL ;
+			}
+			break ;
+		default :
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+				"Unsupported mechanism" ) ;
+			return NULL ;
+	}
+
+	if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataAdoptKey" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeyDataDestroy( data ) ;
+		return NULL ;
+	}
 
+	return data ;
+}
+
+
+PK11SymKey*
+xmlSecNssSymKeyDataGetKey(
+    xmlSecKeyDataPtr data
+) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    PK11SymKey* symkey ;
+
+    xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, NULL);
+
+    if( ctx->symkey != NULL ) {
+        symkey = PK11_ReferenceSymKey( ctx->symkey ) ;
+    } else {
+        symkey = NULL ;
+    }
+
+    return(symkey);
+}
 #endif /* XMLSEC_NO_HMAC */
 
Index: xmlsec/src/nss/x509.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/x509.c,v
retrieving revision 1.5
diff -u -r1.5 x509.c
--- xmlsec/src/nss/x509.c	26 Sep 2003 03:53:09 -0000	1.5
+++ xmlsec/src/nss/x509.c	6 Feb 2005 03:53:24 -0000
@@ -34,7 +34,6 @@
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
-#include <xmlsec/x509.h>
 #include <xmlsec/base64.h>
 #include <xmlsec/errors.h>
 
@@ -61,33 +60,18 @@
 static int		xmlSecNssX509CertificateNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509CertificateNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509SubjectNameNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509SubjectNameNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509IssuerSerialNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509IssuerSerialNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509SKINodeRead		(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509SKINodeWrite		(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509CRLNodeRead		(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509CRLNodeWrite		(CERTSignedCrl* crl,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, 
 								xmlSecKeyPtr key,
 								xmlSecKeyInfoCtxPtr keyInfoCtx);
@@ -104,9 +88,6 @@
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static xmlChar*		xmlSecNssX509CrlBase64DerWrite		(CERTSignedCrl* crl, 
 								 int base64LineWrap);
-static xmlChar*		xmlSecNssX509NameWrite			(CERTName* nm);
-static xmlChar*		xmlSecNssASN1IntegerWrite		(SECItem *num);
-static xmlChar*		xmlSecNssX509SKIWrite			(CERTCertificate* cert);
 static void		xmlSecNssX509CertDebugDump		(CERTCertificate* cert, 
 								 FILE* output);
 static void		xmlSecNssX509CertDebugXmlDump		(CERTCertificate* cert, 
@@ -378,7 +359,7 @@
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			"CERT_NewCertList",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);	
 	}
     }
@@ -389,7 +370,7 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "CERT_AddCertToListTail",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(-1);	
     }
     ctx->numCerts++;
@@ -588,7 +569,7 @@
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
 			"CERT_DupCertificate",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
 	}
 	
@@ -627,7 +608,7 @@
                         xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
                         "SEC_DupCrl",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
             return(-1);
         }
 
@@ -652,7 +633,7 @@
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
 			"CERT_DupCertificate",
 			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
+			"error code=%d", PORT_GetError());
 	    return(-1);
 	}
 	ret = xmlSecNssKeyDataX509AdoptKeyCert(dst, certDst);
@@ -752,30 +733,21 @@
 xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataPtr data;
+    xmlNodePtr cur;
+    xmlChar* buf;
     CERTCertificate* cert;
     CERTSignedCrl* crl;
     xmlSecSize size, pos;
-    int content = 0;
-    int ret;
     				
     xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
     xmlSecAssert2(key != NULL, -1);
     xmlSecAssert2(node != NULL, -1);
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
-    content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
-    if (content < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-		    "xmlSecX509DataGetNodeContent",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "content=%d", content);
-	return(-1);
-    } else if(content == 0) {
-	/* by default we are writing certificates and crls */
-	content = XMLSEC_X509DATA_DEFAULT;
+    /* todo: flag in ctx remove all existing content */
+    if(0) {
+        xmlNodeSetContent(node, NULL);
     }
-
     /* get x509 data */
     data = xmlSecKeyGetData(key, id);
     if(data == NULL) {
@@ -795,80 +767,75 @@
 			"pos=%d", pos);
 	    return(-1);
 	}
-
-	if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
-	    ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509CertificateNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
+	
+	/* set base64 lines size from context */
+	buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
+	if(buf == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+			xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+			"xmlSecNssX509CertBase64DerWrite",
+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			XMLSEC_ERRORS_NO_MESSAGE);
+	    return(-1);
 	}
-
-	if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
-	    ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509SubjectNameNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
+	
+	cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
+	if(cur == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+			xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+			"xmlSecAddChild",
+			XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			"node=%s",
+			xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
+	    xmlFree(buf);
+	    return(-1);	
 	}
+	/* todo: add \n around base64 data - from context */
+	/* todo: add errors check */
+	xmlNodeSetContent(cur, xmlSecStringCR);
+	xmlNodeSetContent(cur, buf);
+	xmlFree(buf);
+    }    
 
-	if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
-	    ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509IssuerSerialNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	}
+    /* write crls */
+    size = xmlSecNssKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+        crl = xmlSecNssKeyDataX509GetCrl(data, pos);
+        if(crl == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecNssKeyDataX509GetCrl",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "pos=%d", pos);
+            return(-1);
+        }
 
-	if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
-	    ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509SKINodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	}
-    }    
+        /* set base64 lines size from context */
+        buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
+        if(buf == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecNssX509CrlBase64DerWrite",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        XMLSEC_ERRORS_NO_MESSAGE);
+            return(-1);
+        }
 
-    /* write crls if needed */
-    if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
-	size = xmlSecNssKeyDataX509GetCrlsSize(data);
-	for(pos = 0; pos < size; ++pos) {
-	    crl = xmlSecNssKeyDataX509GetCrl(data, pos);
-	    if(crl == NULL) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssKeyDataX509GetCrl",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	    
-	    ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509CRLNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	}
+        cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
+        if(cur == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecAddChild",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "new_node=%s",
+                        xmlSecErrorsSafeString(xmlSecNodeX509CRL));
+            xmlFree(buf);
+            return(-1);
+        }
+        /* todo: add \n around base64 data - from context */
+        /* todo: add errors check */
+        xmlNodeSetContent(cur, xmlSecStringCR);
+        xmlNodeSetContent(cur, buf);
     }
 
     return(0);
@@ -1015,19 +982,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
     content = xmlNodeGetContent(node);
-    if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-	if(content != NULL) {
-	    xmlFree(content);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    return(-1);
-	}
-	return(0);
+    if(content == NULL){
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+		    xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+		    XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	return(-1);
     }
 
     cert = xmlSecNssX509CertBase64DerRead(content);
@@ -1058,46 +1019,6 @@
 }
 
 static int 
-xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf;
-    xmlNodePtr cur;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-    
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509CertBase64DerWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-	
-    cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
-	xmlFree(buf);
-	return(-1);	
-    }
-
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
-static int		
 xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {	
     xmlSecKeyDataStorePtr x509Store;
     xmlChar* subject;
@@ -1120,19 +1041,13 @@
     }
 
     subject = xmlNodeGetContent(node);
-    if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
-	if(subject != NULL) {
-	    xmlFree(subject);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-		        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    return(-1);
-	}
-	return(0);
+    if(subject == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+		    xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+		    XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	return(-1);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
@@ -1168,40 +1083,6 @@
 }
 
 static int
-xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509NameWrite(&(cert->subject));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-	    NULL,
-	    "xmlSecNssX509NameWrite(&(cert->subject))",
-	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-	    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-	    NULL,
-	    "xmlSecAddChild",
-	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-	    "node=%s",
-	    xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
-	xmlFree(buf);
-	return(-1);
-    }
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
-static int 
 xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
     xmlNodePtr cur;
@@ -1226,21 +1107,9 @@
     }
 
     cur = xmlSecGetNextElementNode(node->children);
-    if(cur == NULL) {
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
-			XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-			"node=%s",
-			xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
-	    return(-1);
-	}
-	return(0);
-    }
-    
+
     /* the first is required node X509IssuerName */
-    if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
+    if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
@@ -1333,78 +1202,6 @@
 }
 
 static int
-xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlNodePtr cur;
-    xmlNodePtr issuerNameNode;
-    xmlNodePtr issuerNumberNode;
-    xmlChar* buf;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    /* create xml nodes */
-    cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
-	return(-1);
-    }
-
-    issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
-    if(issuerNameNode == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
-	return(-1);
-    }
-
-    issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
-    if(issuerNumberNode == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
-	return(-1);
-    }
-
-    /* write data */
-    buf = xmlSecNssX509NameWrite(&(cert->issuer));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509NameWrite(&(cert->issuer))",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlNodeSetContent(issuerNameNode, buf);
-    xmlFree(buf);
-
-    buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlNodeSetContent(issuerNumberNode, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-static int 
 xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
     xmlChar* ski;
@@ -1427,20 +1224,14 @@
     }
     
     ski = xmlNodeGetContent(node);
-    if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
-	if(ski != NULL) {
-	    xmlFree(ski);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-			"node=%s",
-			xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-	    return(-1);
-	}
-	return(0);
+    if(ski == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+		    xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+		    XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+		    "node=%s",
+		    xmlSecErrorsSafeString(xmlSecNodeX509SKI));
+	return(-1);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
@@ -1476,41 +1267,6 @@
 }
 
 static int
-xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar *buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509SKIWrite(cert);
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509SKIWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "new_node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-	xmlFree(buf);
-	return(-1);
-    }
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-static int 
 xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlChar *content;
     CERTSignedCrl* crl;
@@ -1520,19 +1276,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
     content = xmlNodeGetContent(node);
-   if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-	if(content != NULL) {
-	    xmlFree(content);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    return(-1);
-	}
-	return(0);
+    if(content == NULL){
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+		    xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+		    XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+		    XMLSEC_ERRORS_NO_MESSAGE);
+	return(-1);
     }
 
     crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx);
@@ -1552,47 +1302,6 @@
 }
 
 static int
-xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(crl != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509CrlBase64DerWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "new_node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509CRL));
-	xmlFree(buf);
-	return(-1);
-    }
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-
-static int
 xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecNssX509DataCtxPtr ctx;
@@ -1600,6 +1309,10 @@
     int ret;
     SECStatus status;
     PRTime notBefore, notAfter;
+
+    PK11SlotInfo* slot ;
+    SECKEYPublicKey *pubKey = NULL;
+    SECKEYPrivateKey *priKey = NULL;
     
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
     xmlSecAssert2(key != NULL, -1);
@@ -1632,10 +1345,13 @@
 			    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			    "CERT_DupCertificate",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
 	
+		/*-
+		 * Get Public key from cert, which does not always work for sign action.
+         *
 	    keyValue = xmlSecNssX509CertGetKey(ctx->keyCert);
 	    if(keyValue == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1645,6 +1361,54 @@
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
+		 */
+
+		/*-
+		 * I'll search key according to KeyReq.
+		 */
+        slot = cert->slot ;
+        if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+            if( ( priKey = PK11_FindPrivateKeyFromCert( slot , cert , NULL ) ) == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                    "PK11_FindPrivateKeyFromCert" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+                return -1 ;
+            }
+        }
+
+		if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+            if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                    "CERT_ExtractPublicKey" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+				if( priKey != NULL )
+					SECKEY_DestroyPrivateKey( priKey ) ;
+                return -1 ;
+            }
+        }
+
+        keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey);
+		if( keyValue == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssPKIAdoptKey" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			if( priKey != NULL )
+				SECKEY_DestroyPrivateKey( priKey ) ;
+
+			if( pubKey != NULL )
+				SECKEY_DestroyPublicKey( pubKey ) ;
+
+            return -1 ;
+		}
+		/* Modify keyValue get Done */
 	    
 	    /* verify that the key matches our expectations */
 	    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
@@ -1746,7 +1510,7 @@
 		    NULL,
 		    "CERT_ExtractPublicKey",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(NULL);
     }    
 
@@ -1804,7 +1568,7 @@
 		    NULL,
 		    "__CERT_NewTempCertificate",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(NULL);
     }
 
@@ -1827,7 +1591,7 @@
 		    NULL,
 		    "cert->derCert",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(NULL);
     }
     
@@ -1890,7 +1654,7 @@
                     NULL,
                     "PK11_GetInternalKeySlot",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
 	return NULL;
     }
 
@@ -1905,7 +1669,7 @@
 		    NULL,
 		    "PK11_ImportCRL",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	PK11_FreeSlot(slot);
 	return(NULL);
     }
@@ -1929,7 +1693,7 @@
                     NULL,
                     "crl->derCrl",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         return(NULL);
     }
 
@@ -1945,86 +1709,6 @@
 
     return(res);
 }
-
-static xmlChar*
-xmlSecNssX509NameWrite(CERTName* nm) {
-    xmlChar *res = NULL;
-    char *str;
-
-    xmlSecAssert2(nm != NULL, NULL);
-
-    str = CERT_NameToAscii(nm);
-    if (str == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-        	    NULL,
-        	    "CERT_NameToAscii",
-        	    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-        	    XMLSEC_ERRORS_NO_MESSAGE);
-        return(NULL);
-    }
-
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlStrdup",
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	PORT_Free(str);
-	return(NULL);
-    }
-    PORT_Free(str);
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssASN1IntegerWrite(SECItem *num) {
-    xmlChar *res = NULL;
-    
-    xmlSecAssert2(num != NULL, NULL);
-
-    /* TODO : to be implemented after 
-     * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed 
-     */
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssX509SKIWrite(CERTCertificate* cert) {
-    xmlChar *res = NULL;
-    SECItem ski;
-    SECStatus rv;
-
-    xmlSecAssert2(cert != NULL, NULL);
-
-    memset(&ski, 0, sizeof(ski));
-
-    rv = CERT_FindSubjectKeyIDExtension(cert, &ski);
-    if (rv != SECSuccess) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "CERT_FindSubjectKeyIDExtension",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	SECITEM_FreeItem(&ski, PR_FALSE);
-	return(NULL);
-    }
-
-    res = xmlSecBase64Encode(ski.data, ski.len, 0);
-    if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecBase64Encode",
-	    	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	SECITEM_FreeItem(&ski, PR_FALSE);
-	return(NULL);
-    }
-    SECITEM_FreeItem(&ski, PR_FALSE);
-    
-    return(res);
-}
-
 
 static void 
 xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) {
Index: xmlsec/src/nss/x509vfy.c
===================================================================
RCS file: /cvs/gnome/xmlsec/src/nss/x509vfy.c,v
retrieving revision 1.3
diff -u -r1.3 x509vfy.c
--- xmlsec/src/nss/x509vfy.c	26 Sep 2003 00:58:15 -0000	1.3
+++ xmlsec/src/nss/x509vfy.c	6 Feb 2005 03:53:24 -0000
@@ -30,6 +30,7 @@
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/base64.h>
+#include <xmlsec/bn.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
@@ -61,17 +62,8 @@
  
 static int		xmlSecNssX509StoreInitialize	(xmlSecKeyDataStorePtr store);
 static void		xmlSecNssX509StoreFinalize	(xmlSecKeyDataStorePtr store);
-static int 		xmlSecNssX509NameStringRead	(xmlSecByte **str, 
-							 int *strLen, 
-							 xmlSecByte *res, 
-							 int resLen,
-							 xmlSecByte delim, 
-							 int ingoreTrailingSpaces);
-static xmlSecByte * 	xmlSecNssX509NameRead		(xmlSecByte *str, 
-							 int len);
-
-static void 		xmlSecNssNumToItem(SECItem *it, unsigned long num);
 
+static int 		xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ;
 
 static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = {
     sizeof(xmlSecKeyDataStoreKlass),
@@ -245,8 +237,9 @@
                         xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                         NULL,
                         XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-                        "cert with subject name %s could not be verified",
-                        cert->subjectName);
+						"cert with subject name %s could not be verified, errcode %d",
+						cert->subjectName,
+			PORT_GetError());
 	    break;
     }
    
@@ -281,7 +274,7 @@
                         xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                         "CERT_NewCertList",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
             return(-1);
         }
     }
@@ -292,7 +285,7 @@
                     xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                     "CERT_AddCertToListTail",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+					"error code=%d", PORT_GetError());
         return(-1);
     }
 
@@ -342,40 +335,28 @@
 xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName, 
 		      xmlChar *issuerSerial, xmlChar *ski) {
     CERTCertificate *cert = NULL;
-    xmlChar         *p = NULL;
     CERTName *name = NULL;
     SECItem *nameitem = NULL;
     PRArenaPool *arena = NULL;
 
     if (subjectName != NULL) {
-	p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName));
-	if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "subject=%s",
-                        xmlSecErrorsSafeString(subjectName));
-	    goto done;
-	}
-
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
-	name = CERT_AsciiToName((char*)p);
+		name = CERT_AsciiToName((char*)subjectName);
 	if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -386,7 +367,7 @@
                         NULL,
                         "SEC_ASN1EncodeItem",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -397,34 +378,23 @@
     if((issuerName != NULL) && (issuerSerial != NULL)) {
 	CERTIssuerAndSN issuerAndSN;
 
-	p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName));
-	if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "issuer=%s",
-                        xmlSecErrorsSafeString(issuerName));
-	    goto done;
-	}
-
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
-	name = CERT_AsciiToName((char*)p);
+		name = CERT_AsciiToName((char*)issuerName);
 	if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+				"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -435,7 +405,7 @@
                         NULL,
                         "SEC_ASN1EncodeItem",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+						"error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -445,7 +415,15 @@
 	issuerAndSN.derIssuer.len = nameitem->len;
 
 	/* TBD: serial num can be arbitrarily long */
-	xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial));
+		if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+				NULL,
+				"xmlSecNssIntegerToItem",
+				XMLSEC_ERRORS_R_XMLSEC_FAILED,
+				"serial number=%s",
+				xmlSecErrorsSafeString(issuerSerial));
+			goto done;
+		}
 
 	cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), 
 					  &issuerAndSN);
@@ -476,9 +454,6 @@
     }
 
 done:
-    if (p != NULL) {
-	PORT_Free(p);
-    }
     if (arena != NULL) {
 	PORT_FreeArena(arena, PR_FALSE);
     }
@@ -489,227 +464,84 @@
     return(cert);
 }
 
-/**
- * xmlSecNssX509NameRead:
- */       
-static xmlSecByte *
-xmlSecNssX509NameRead(xmlSecByte *str, int len) {
-    xmlSecByte name[256];
-    xmlSecByte value[256];
-    xmlSecByte *retval = NULL;
-    xmlSecByte *p = NULL;
-    int nameLen, valueLen;
+static int
+xmlSecNssIntegerToItem(
+	const xmlChar* integer ,
+	SECItem *item
+) {
+	xmlSecBn bn ;
+	xmlSecSize i, length ;
+	const xmlSecByte* bnInteger ;
 
-    xmlSecAssert2(str != NULL, NULL);
-    
-    /* return string should be no longer than input string */
-    retval = (xmlSecByte *)PORT_Alloc(len+1);
-    if(retval == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "PORT_Alloc",
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(NULL);
-    }
-    p = retval;
-    
-    while(len > 0) {
-	/* skip spaces after comma or semicolon */
-	while((len > 0) && isspace(*str)) {
-	    ++str; --len;
+	xmlSecAssert2( integer != NULL, -1 ) ;
+	xmlSecAssert2( item != NULL, -1 ) ;
+
+	if( xmlSecBnInitialize( &bn, 0 ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			NULL,
+			"xmlSecBnInitialize",
+			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return -1 ;	
 	}
 
-	nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0);	
-	if(nameLen < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
+	if( xmlSecBnFromDecString( &bn, integer ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
 			NULL,
-			"xmlSecNssX509NameStringRead",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    goto done;
+			"xmlSecBnFromDecString",
+			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecBnFinalize( &bn ) ;
+		return -1 ;	
 	}
-	memcpy(p, name, nameLen);
-	p+=nameLen;
-	*p++='=';
-	if(len > 0) {
-	    ++str; --len;
-	    if((*str) == '\"') {
-		valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-					value, sizeof(value), '"', 1);	
-		if(valueLen < 0) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				"xmlSecNssX509NameStringRead",
-				XMLSEC_ERRORS_R_XMLSEC_FAILED,
-				XMLSEC_ERRORS_NO_MESSAGE);
-		    goto done;
-    		}
-		/* skip spaces before comma or semicolon */
-		while((len > 0) && isspace(*str)) {
-		    ++str; --len;
-		}
-		if((len > 0) && ((*str) != ',')) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"comma is expected");
-		    goto done;
-		}
-		if(len > 0) {
-		    ++str; --len;
-		}
-		*p++='\"';
-		memcpy(p, value, valueLen);
-		p+=valueLen;
-		*p++='\"';
-	    } else if((*str) == '#') {
-		/* TODO: read octect values */
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    NULL,
-			    XMLSEC_ERRORS_R_INVALID_DATA,
-			    "reading octect values is not implemented yet");
-		goto done;
-	    } else {
-		valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-					value, sizeof(value), ',', 1);	
-		if(valueLen < 0) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				"xmlSecNssX509NameStringRead",
-				XMLSEC_ERRORS_R_XMLSEC_FAILED,
-				XMLSEC_ERRORS_NO_MESSAGE);
-		    goto done;
-    		}
-		memcpy(p, value, valueLen);
-		p+=valueLen;
-		if (len > 0)
-		    *p++=',';
-	    } 			
-	} else {
-	    valueLen = 0;
+
+	length = xmlSecBnGetSize( &bn ) ;
+	if( length <= 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			NULL,
+			"xmlSecBnGetSize",
+			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecBnFinalize( &bn ) ;
+		return -1 ;
 	}
-	if(len > 0) {
-	    ++str; --len;
-	}	
-    }
 
-    *p = 0;
-    return(retval);
-    
-done:
-    PORT_Free(retval);
-    return (NULL);
-}
+	bnInteger = xmlSecBnGetData( &bn ) ;
+	if( bnInteger == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			NULL,
+			"xmlSecBnGetData",
+			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
 
+		xmlSecBnFinalize( &bn ) ;
+		return -1 ;
+	}
 
+	item->data = ( unsigned char * )PORT_Alloc( length );
+	if( item->data == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE,
+			NULL,
+			"PORT_Alloc",
+			XMLSEC_ERRORS_R_INVALID_DATA,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
 
-/**
- * xmlSecNssX509NameStringRead:
- */
-static int 
-xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen, 
-			    xmlSecByte *res, int resLen,
-			    xmlSecByte delim, int ingoreTrailingSpaces) {
-    xmlSecByte *p, *q, *nonSpace; 
-
-    xmlSecAssert2(str != NULL, -1);
-    xmlSecAssert2(strLen != NULL, -1);
-    xmlSecAssert2(res != NULL, -1);
-    
-    p = (*str);
-    nonSpace = q = res;
-    while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { 
-	if((*p) != '\\') {
-	    if(ingoreTrailingSpaces && !isspace(*p)) {
-		nonSpace = q;	
-	    }
-	    *(q++) = *(p++);
-	} else {
-	    ++p;
-	    nonSpace = q;    
-	    if(xmlSecIsHex((*p))) {
-		if((p - (*str) + 1) >= (*strLen)) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"two hex digits expected");
-	    	    return(-1);
-		}
-		*(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]);
-		p += 2;
-	    } else {
-		if(((++p) - (*str)) >= (*strLen)) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"escaped symbol missed");
-		    return(-1);
-		}
-		*(q++) = *(p++); 
-	    }
-	}	    
-    }
-    if(((p - (*str)) < (*strLen)) && ((*p) != delim)) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_SIZE,
-		    "buffer is too small");
-	return(-1);
-    }
-    (*strLen) -= (p - (*str));
-    (*str) = p;
-    return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
-}
+		xmlSecBnFinalize( &bn ) ;
+		return -1 ;
+	}
 
-/* code lifted from NSS */
-static void
-xmlSecNssNumToItem(SECItem *it, unsigned long ui)
-{
-    unsigned char bb[5];
-    int len;
-
-    bb[0] = 0;
-    bb[1] = (unsigned char) (ui >> 24);
-    bb[2] = (unsigned char) (ui >> 16);
-    bb[3] = (unsigned char) (ui >> 8);
-    bb[4] = (unsigned char) (ui);
-
-    /*
-    ** Small integers are encoded in a single byte. Larger integers
-    ** require progressively more space.
-    */
-    if (ui > 0x7f) {
-        if (ui > 0x7fff) {
-            if (ui > 0x7fffffL) {
-                if (ui >= 0x80000000L) {
-                    len = 5;
-                } else {
-                    len = 4;
-                }
-            } else {
-                len = 3;
-            }
-        } else {
-            len = 2;
-        }
-    } else {
-        len = 1;
-    }
+	item->len = length;
 
-    it->data = (unsigned char *)PORT_Alloc(len);
-    if (it->data == NULL) {
-        return;
-    }
+	for( i = 0 ; i < length ; i ++ )
+		item->data[i] = *( bnInteger + i ) ;
 
-    it->len = len;
-    PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
+	xmlSecBnFinalize( &bn ) ;
+
+	return 0 ;
 }
+
 #endif /* XMLSEC_NO_X509 */
 
 
cvs server: Diffing xmlsec/src/openssl
cvs server: Diffing xmlsec/src/skeleton
cvs server: Diffing xmlsec/tests
cvs server: Diffing xmlsec/tests/01-geuerp-xfilter2
cvs server: Diffing xmlsec/tests/01-phaos-xmlenc-3
cvs server: Diffing xmlsec/tests/aleksey-xkms-01
cvs server: Diffing xmlsec/tests/aleksey-xkms-01/keys
cvs server: Diffing xmlsec/tests/aleksey-xmldsig-01
cvs server: Diffing xmlsec/tests/aleksey-xmlenc-01
cvs server: Diffing xmlsec/tests/keys
cvs server: Diffing xmlsec/tests/keys/demoCA
cvs server: Diffing xmlsec/tests/keys/demoCA/newcerts
cvs server: Diffing xmlsec/tests/keys/demoCA/private
cvs server: Diffing xmlsec/tests/merlin-c14n-three
cvs server: Diffing xmlsec/tests/merlin-exc-c14n-one
cvs server: Diffing xmlsec/tests/merlin-xmldsig-twenty-three
cvs server: Diffing xmlsec/tests/merlin-xmldsig-twenty-three/certs
cvs server: Diffing xmlsec/tests/merlin-xmlenc-five
cvs server: Diffing xmlsec/tests/merlin-xpath-filter2-three
cvs server: Diffing xmlsec/tests/nssdb
cvs server: Diffing xmlsec/tests/phaos-xmldsig-three
cvs server: Diffing xmlsec/tests/phaos-xmldsig-three/certs
cvs server: Diffing xmlsec/win32
Index: xmlsec/win32/Makefile.msvc
===================================================================
RCS file: /cvs/gnome/xmlsec/win32/Makefile.msvc,v
retrieving revision 1.27
diff -u -r1.27 Makefile.msvc
--- xmlsec/win32/Makefile.msvc	9 Jun 2004 14:35:12 -0000	1.27
+++ xmlsec/win32/Makefile.msvc	6 Feb 2005 03:53:27 -0000
@@ -223,6 +223,10 @@
 	$(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj 
 
 XMLSEC_NSS_OBJS = \
+	$(XMLSEC_NSS_INTDIR)\akmngr.obj\
+	$(XMLSEC_NSS_INTDIR)\keytrans.obj\
+	$(XMLSEC_NSS_INTDIR)\keywrapers.obj\
+	$(XMLSEC_NSS_INTDIR)\tokens.obj\
 	$(XMLSEC_NSS_INTDIR)\app.obj\
 	$(XMLSEC_NSS_INTDIR)\bignum.obj\
 	$(XMLSEC_NSS_INTDIR)\ciphers.obj \
@@ -235,9 +239,6 @@
 	$(XMLSEC_NSS_INTDIR)\x509.obj\
 	$(XMLSEC_NSS_INTDIR)\x509vfy.obj\
 	$(XMLSEC_NSS_INTDIR)\keysstore.obj\
-	$(XMLSEC_NSS_INTDIR)\kt_rsa.obj\
-	$(XMLSEC_NSS_INTDIR)\kw_des.obj\
-	$(XMLSEC_NSS_INTDIR)\kw_aes.obj\
 	$(XMLSEC_NSS_INTDIR)\strings.obj
 XMLSEC_NSS_OBJS_A = \
 	$(XMLSEC_NSS_INTDIR_A)\app.obj\
@@ -258,6 +259,7 @@
 	$(XMLSEC_NSS_INTDIR_A)\strings.obj
 
 XMLSEC_MSCRYPTO_OBJS = \
+	$(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\
 	$(XMLSEC_MSCRYPTO_INTDIR)\app.obj\
 	$(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \
 	$(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \

*****CVS exited normally with code 1*****
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlsec.zip
Type: application/octet-stream
Size: 18391 bytes
Desc: not available
Url : http://www.aleksey.com/pipermail/xmlsec/attachments/20050206/7b028c1d/xmlsec-0001.obj


More information about the xmlsec mailing list