[xmlsec] Big patch to xmlsec in recent OpenOffice.org sources

Aleksey Sanin aleksey at aleksey.com
Sun Mar 6 20:52:15 PST 2005


Hi, Andrew!

Thanks for your comments! Please see my comments interlaced with
yours bellow. I also have one huge request. Can you provide copyright
information for the new files, please? And also I would be glad to
extend the xmlsec authors list if you provide me with a list of
names :)

Aleksey



>> xmlsec-nss comments
>> --------------------------------------------------------
>> 3) src/nss/crypto.c, xmlSecCryptoGetFunctions_nss()
>> I  wonder why the patch sets all the App xmlsec-nss functions
>> to NULL. This means that xmlsec command line utility will not
>> run with xmlsec-nss at all.
>>
> :-( Pardon me for my lazy and time limitation when I implemented the 
> patch. However, it's in our plan to implement the apps. I'd be grateful 
> if you would help us on the implementation. :-) If you have no time, 
> please let me know what urgent you need these implementations.
Well, I would need these functions in order to test the code :)
Anyway, I am not sure I understand why the existing versions would
not work. I'll look into this.


>> 4) src/nss/ciphers.c
>> Quite a lot of things are moved around and this makes patch
>> hard to read. Also almost all "#ifndef XMLSEC_NO_<ALG>" were
>> removed thus it is hard to strip down xmlsec if needed.
> 
> 
> In fact, it is a complete new implement. After Tej contribute his 
> engine, I don't think his impl meet the requirements, so I didn't made 
> much changes over this file. Yes, I forgot to add the compiler 
> conditions before klass definition and *GetKlass* functions. Yes, it is 
> a little hard to read, I'm ready to answer any questions. :-)
> 
Ah... OK, if it is a new code then it makes sense :) Let me look at it
from the new angle :)

>> 7) src/nss/pkikeys.c, xmlSecNSSPKIKeyDataCtxDup()
>> I don't think there is a need to set ctxDst values to NULL here
>> because it is already done in xmlSecNSSPKIKeyDataCtxFree()
>>
> Yes, you're right. The values have been set to null at initializor and 
> finalizor.
> 
Good, this change is dropped.

>> 9) src/nss/symkeys.c, conversion to NSS SymKey
>> I like the idea! I just need to meditate on this code a little bit
>> and run tests.
>>
> :-)
Still in progress... :)

>> 10) src/nss/tokens.c
>> If I understand the patch correctly, it provides a way for application
>> to select crypto slot on which xmlsec would perform the crypto
>> operation for each signature/encryption separately. NSS already has
>> built in controls for defining "best" slot for a given crypto algorithm
>> but this is done globaly for all application. I do see the difference.
>> However, it is hard for me to believe that a user would really go and 
>> specify a crypto slot (device) before each operation. It is much more
>> likely that this would be done in ten levels of preferences menu and
>> it will be done globaly.
>>
>> Is it a requirement for you to support have such level of customization?
>> I feel that this is more of crypto layer responsibility and I would love
>> not to go into such details on xmlsec-crypto layer.
>>
> I think we have talked about the topic at 2003, and you also give me the 
> idea that binding the slot with mechanisms. OpenOffice really use this 
> function in order to support multiple crypto database/slot. I don't 
> think it is the crypto layer responsibility, crypto layer have provide 
> the getBest for general usage, and it also provide the funtions to 
> specify a certain slot. Here, I just use the specified slot while I 
> don't want to get best from a dozen, I want to get the one that I want. 
> Crypto layer has provide multiple choices and the ways, why xmlsec only 
> permit just one way, and close anyother doors?
Yes, I remember that discussion. However, I was under impression that
you want to do it in the application itself. Anyway, I wonder if you can
take a look at NSS folks reply to my question about GetBestSlot here

http://groups-beta.google.com/group/netscape.public.mozilla.crypto/browse_thread/thread/8b39688b4d707111/af472f5a8552f8b6?q=Aleksey+Sanin+nss#af472f5a8552f8b6

It might make sense to go directly to NSS instead of creating yet
another level.

> 
>> 11) src/nss/x509.c
>> Why the certificate xxxNodeWrite() functions were removed? Is it really
>> necessary? How one would write certs into the output xml file?
>>
> I think, xxxNodeWrite() is used by  xxxXmlWrite. In the 
> xmlSecNssKeyDataX509XmlWrite(), no xxxNodeWrite() is called. So I think 
> they're useless.  Then why I get rid of the xxxNodeWrite(), and create a 
> new wheel of xxxXmlWrite()? In the older implementation, xml writer will 
> get rid of the old and create a completely new signature/encryption 
> template regardless what ever in it. It is not the expected experience. 
> Sometimes, it is necessary to keep the template unchanged during 
> signning or at least keep its original struct and add a little necessary 
> stuff. However, I have to say that my implement also have the drawbacks 
> over the requirement, I faild to find any usable control info from 
> keyInfoCtx to character the template.
> 
Thanks for explanations and let me look at this more.


>> 12) src/nss/x509vfy.c
>> StringRead/NameRead functions are gone and I am not sure I see the
>> replacement. Am I missing something?
>>
> I'm not use the NameRead function, StringRead funtion is only  used by 
> NameRead, so both of them are gone. I couldn't see any necessary to call 
> NameRead before handling nss name.
OK, I see :)






More information about the xmlsec mailing list