This xmlsec-nss patch is based on the XMLSEC_NSS_030714 branch. It add two new files in order to support end-user designated PKCS#11 slot instead of useing the default NSS built-in ones( PK11_GetBestSlot ).
Why I add the new interfaces:
1. NSS' function "PK11_GetBestSlot ", which will load all of the internal built-in slots or all of the actived pkcs11 module's slots;
2. Some time, end user hopes that a certain crypto operation act in a certain crypto device, especially in multi-crypto-devices environment.
3. Some time, a key generated from a certain slot, it only work in that slot( such as RSA private key ). PK11_GetBestSlot can not ensure this. In the case, end user can assign the specific slot with the new interface.
Here's the usage of the interfaces:
1. "xmlSecSetSlotList" is used to set the user designated slot list.
2. "xmlSecFreeSlot" is used to destroy the slot list repository.
3. When generate a new key, "xmlSecGetSlot" gives the user designated slot;
4. If end user want to maintain the slot list repository, he can access the repository with "xmlSecGetSlotList".
Andrew
/** * XMLSec library * * This is free software; see Copyright file in the source * distribution for preciese wording. * * Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved. * * Contributor(s): _____________________________ * */ #ifndef __XMLSEC_NSS_TOKENS_H__ #define __XMLSEC_NSS_TOKENS_H__
#include "globals.h"
#include <string.h>
#include <nss.h>
#include <pk11func.h>
#include <xmlsec/xmlsec.h>
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
/************************************************************************
* PKCS#11 crypto token interfaces
*
* A PKCS#11 slot repository will be defined internally. From the
* repository, a user can specify a particular slot for a certain crypto
* mechanism.
*
* In some situation, some cryptographic operation should act in a user
* designated devices. The interfaces defined here provide the way. If
* the user do not initialize the repository distinctly, the interfaces
* use the default functions provided by NSS itself.
*
************************************************************************/
/**
* Get PKCS#11 slot handler
* @type the mechanism that the slot must support.
*
* Returns a pointer to PKCS#11 slot or NULL if an error occurs.
*
* Notes: The returned handler should be destroied distinctly.
*/
XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecGetSlot( CK_MECHANISM_TYPE type ) ;
/**
* Free NSS crypto engine PKCS#11 slot repository
*/
XMLSEC_CRYPTO_EXPORT void xmlSecFreeSlot( void ) ;
/**
* Set NSS crypto engine PKCS11 slots
* @list the PKCS#11 slot list that the crypto engine should work with.
*
* Returns a pointer to PKCS#11 slot list or NULL if an error occurs.
*/
XMLSEC_CRYPTO_EXPORT PK11SlotList* xmlSecSetSlotList( PK11SlotList* list ) ;
/**
* Get NSS crypto engine PKCS#11 slot list
*
* Returns a pointer to PKCS#11 slot list or NULL if an error occurs.
*/
XMLSEC_CRYPTO_EXPORT PK11SlotList* xmlSecGetSlotList( void ) ;
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __XMLSEC_NSS_TOKENS_H__ */
/**
* XMLSec library
*
* This is free software; see Copyright file in the source
* distribution for preciese wording.
*
* Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
*
* Contributor(s): _____________________________
*
*/
#include "globals.h"
#include <string.h>
#include <xmlsec/nss/tokens.h>
/*-
* Global PKCS#11 crypto token repository
*/
static PK11SlotList* _xmlSecSlotList = NULL ;
/**
* Get PKCS#11 slot handler
* @type the mechanism that the slot must support.
*
* Returns a pointer to PKCS#11 slot or NULL if an error occurs.
*
* Notes: The returned handler should be destroied distinctly.
*/
PK11SlotInfo*
xmlSecGetSlot(
CK_MECHANISM_TYPE type
) {
PK11SlotInfo* slot = NULL ;
if( _xmlSecSlotList == NULL ) {
slot = PK11_GetBestSlot( type , NULL ) ;
} else {
PK11SlotListElement* sle = NULL ;
for( sle = PK11_GetFirstSafe( _xmlSecSlotList ) ; sle != NULL ;
PK11_GetNextSafe( _xmlSecSlotList , sle , PR_TRUE ) ) {
if( !PK11_IsPresent( sle->slot ) )
continue ;
if( !PK11_DoesMechanism( sle->slot , type ) )
continue ;
if( PK11_NeedLogin( sle->slot ) ) {
if( PK11_Authenticate( sle->slot , PR_TRUE , NULL ) !=
SECSuccess )
continue ;
}
slot = PK11_ReferenceSlot( sle->slot ) ;
break ;
}
//Shall I destroy the non-null PK11SlotListElement?
}
return slot ;
}
/**
* Free NSS crypto engine PKCS#11 slot repository
*/
void
xmlSecFreeSlot(
void
) {
if( _xmlSecSlotList != NULL ) {
PK11_FreeSlotList( _xmlSecSlotList ) ;
_xmlSecSlotList = NULL ;
}
}
/**
* Set NSS crypto engine PKCS11 slots
* @list the PKCS#11 slot list that the crypto engine should work with.
*
* Returns a pointer to PKCS#11 slot list or NULL if an error occurs.
*/
PK11SlotList*
xmlSecSetSlotList(
PK11SlotList* list
) {
if( _xmlSecSlotList != NULL ) {
PK11_FreeSlotList( _xmlSecSlotList ) ;
_xmlSecSlotList = NULL ;
}
_xmlSecSlotList = list ;
return _xmlSecSlotList ;
}
/**
* Get NSS crypto engine PKCS#11 slot list
*
* Returns a pointer to PKCS#11 slot list or NULL if an error occurs.
*/
PK11SlotList*
xmlSecGetSlotList(
void
) {
return _xmlSecSlotList ;
}
