Posted to dev@santuario.apache.org by Berin Lautenbach <be...@wingsofhermes.org> on 2006/01/15 01:15:46 UTC

NSS provider

Milan,

I've been working on getting the NSS provider stuff working on my 
machine and have run into a few snags.  So some questions :>.

1.  The includes in the NSS files are of the form "nss/....h", which 
means I have to put the nss include files into such a directory - 
including nspr files, which on linux systems (or at Debian) are 
separated into nspr vs. nss directories.  Would we be better just 
including as (for example) <cert.h> and then having the user set what 
the directories are?  (Fits better with the mozilla model I think.)

2.  I'm having no joy with __CERT_DecodeDERCertificate?  From the 
comments and from looking around it's a private function that we can't 
see (or at least I can't when I link).  Looking at CERT_ImportCerts I 
don't know enough about the certificate DB to know how to do a temporary 
cert.  Any thoughts welcome!

Cheers,
	Berin


Re: NSS provider

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Milan Tomic wrote:

> Well, if you have tested it and it worked OK, then it is a better solution to
> use CERT_ImportCerts than using a private function
> (__CERT_DecodeDERCertificate).

Now all tested.  I have updated checksig and cipher so they will work 
(for most things) with NSS.  Running the basicTests.pl script gets most 
things working - the only exceptions are those things you have to do 
special key loading for interop tests that I haven't done (I also never 
did for Windows CAPI).

Translating the above - the NSS stuff seems to be working very nicely 
indeed - including certificate loading using the ImportCerts function.

Cool!

Cheers,
	Berin


RE: NSS provider

Posted by Milan Tomic <mi...@setcce.org>.
Berin,

I have found a few interesting articles on debugging apps under Windows that I
wanted to share with you:

http://www.debuginfo.com/tips/userbpntdll.html

http://support.microsoft.com/?kbid=268343

http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg

"Debugging Tools for Windows" helped me several times when the Visual C++ 7.1
debugger couldn't. Today I'm sorry that I haven't discovered it before and
started using it a long time ago.

Best regards,
Milan


RE: NSS provider

Posted by Milan Tomic <mi...@setcce.org>.
> Is it possible to view files online now, just like
> it was possible before ( with
> http://cvs.apache.org/viewcvs/xml-security/ )?

I have found it here:

http://svn.apache.org/viewcvs.cgi/xml/security/trunk/



RE: NSS provider

Posted by Milan Tomic <mi...@setcce.org>.
<GRIN>

> Now in SVN.  (Migrated over a couple of weeks back.)

Yes, I remember voting. Is it possible to view files online now, just like
it was possible before ( with http://cvs.apache.org/viewcvs/xml-security/ )?


Re: NSS provider

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Milan Tomic wrote:

>>I just jumped in and replaced with CERT_ImportCerts
>>(I couldn't get it to compile otherwise).
> 
> 
> Well, if you have tested it and it worked OK, then it is a better solution to
> use CERT_ImportCerts than using a private function
> (__CERT_DecodeDERCertificate).

<GRIN>.  Not yet tested - but even with the declaration I couldn't get 
CERT_DecodeDERCertificate to link.  So I will test.

> 
> 
>>I've also made some minor changes in a couple of the
>>other files to support Symmetric padding and re-use
>>of symmetric keys (particularly necessary for key
>>wraps and unwraps).
> 
> 
> Have you committed those files? I can't see them in the CVS browser.

Now in SVN.  (Migrated over a couple of weeks back.)

Cheers,
	Berin


RE: NSS provider

Posted by Milan Tomic <mi...@setcce.org>.
> I just jumped in and replaced with CERT_ImportCerts
> (I couldn't get it to compile otherwise).

Well, if you have tested it and it worked OK, then it is a better solution to
use CERT_ImportCerts than using a private function
(__CERT_DecodeDERCertificate).

> I've also made some minor changes in a couple of the
> other files to support Symmetric padding and re-use
> of symmetric keys (particularly necessary for key
> wraps and unwraps).

Have you committed those files? I can't see them in the CVS browser.


Re: NSS provider

Posted by Berin Lautenbach <be...@wingsofhermes.org>.
Milan,

I just jumped in and replaced with CERT_ImportCerts (I couldn't get it 
to compile otherwise).  Sorry about that - if you want to do it 
differently feel free to change what I've done :>.

I've also made some minor changes in a couple of the other files to 
support Symmetric padding and re-use of symmetric keys (particularly 
necessary for key wraps and unwraps).

The upside of all the above is that xtest now has an nss option added in 
and seems to run AOK!

I'll add it into the UNIX build process once we decide how we want to 
handle includes.

Cheers,
	Berin


Berin Lautenbach wrote:

> Milan,
> 
> I've been working on getting the NSS provider stuff working on my 
> machine and have run into a few snags.  So some questions :>.
> 
> 1.  The includes in the NSS files are of the form "nss/....h", which 
> means I have to put the nss include files into such a directory - 
> including nspr files, which on linux systems (or at Debian) are 
> separated into nspr vs. nss directories.  Would we be better just 
> including as (for example) <cert.h> and then having the user set what 
> the directories are?  (Fits better with the mozilla model I think.)
> 
> 2.  I'm having no joy with __CERT_DecodeDERCertificate?  From the 
> comments and from looking around it's a private function that we can't 
> see (or at least I can't when I link).  Looking at CERT_ImportCerts I 
> don't know enough about the certificate DB to know how to do a temporary 
> cert.  Any thoughts welcome!
> 
> Cheers,
>     Berin
> 
> 
> 

RE: NSS provider

Posted by Milan Tomic <mi...@setcce.org>.
Hello Berin,

Haven't heard from you for a long long time... :)

> I've been working on getting the NSS provider
> stuff working on my machine and have run into
> a few snags.  So some questions :>.

I'm really happy someone will use NSS stuff.

> 1.  The includes in the NSS files are of the
> form "nss/....h", which means I have to put
> the nss include files into such a directory - 
> including nspr files, which on linux systems
> (or at Debian) are separated into nspr vs. nss
> directories.  Would we be better just 
> including as (for example) <cert.h> and then
> having the user set what the directories are?
> (Fits better with the mozilla model I think.)

I agree. Change it.

> 2.  I'm having no joy with
> __CERT_DecodeDERCertificate?  From the comments
> and from looking around it's a private function
> that we can't see (or at least I can't when I link).

Sorry, my comments were a little bit confusing. All
you have to do to be able to link is to add a declaration
for the CERT_DecodeDERCertificate() function in the nss/cert.h
file. The declaration should be identical to the (already
existing) __CERT_DecodeDERCertificate() function declaration.
In other words, the linker is now looking for
CERT_DecodeDERCertificate() and inside nss/cert.h (only)
__CERT_DecodeDERCertificate() is declared.

Best regards,
Milan
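
The include change agreed in this thread (sources use <cert.h> and the user says where the NSS and NSPR headers live), sketched as a build-time probe. This is an added example, not code from the thread or from the xml-security build; the function names and the NSS_INCLUDE_DIR / NSPR_INCLUDE_DIR variables are hypothetical, and the header tree is constructed for the demo.

```shell
#!/bin/sh
# Added example: find the NSS and NSPR header directories separately and
# emit the -I flags a build needs when sources say <cert.h>, not "nss/cert.h".
# NSS_INCLUDE_DIR and NSPR_INCLUDE_DIR are hypothetical user overrides.

# find_header_dir HEADER DIR... : print the first DIR that contains HEADER
find_header_dir() {
    header=$1; shift
    for dir in "$@"; do
        if [ -n "$dir" ] && [ -f "$dir/$header" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# nss_include_flags [SEARCH_DIR...] : print "-I<nss dir> -I<nspr dir>"
# Fails with a message instead of letting the compile break later.
nss_include_flags() {
    nss_dir=$(find_header_dir cert.h "${NSS_INCLUDE_DIR:-}" "$@") || {
        echo "cert.h not found; set NSS_INCLUDE_DIR" >&2; return 1; }
    nspr_dir=$(find_header_dir nspr.h "${NSPR_INCLUDE_DIR:-}" "$@") || {
        echo "nspr.h not found; set NSPR_INCLUDE_DIR" >&2; return 1; }
    if [ "$nss_dir" = "$nspr_dir" ]; then
        # Single combined directory: one flag is enough.
        printf -- '-I%s\n' "$nss_dir"
    else
        # Split layout (separate nss and nspr directories).
        printf -- '-I%s -I%s\n' "$nss_dir" "$nspr_dir"
    fi
}

# Constructed demo layout with separate nss/ and nspr/ directories.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/nss" "$demo_root/nspr"
: > "$demo_root/nss/cert.h"
: > "$demo_root/nspr/nspr.h"
nss_include_flags "$demo_root/nss" "$demo_root/nspr"
```
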