--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am	2009-09-21 14:02:48.563253008 +0200
@@ -3,6 +3,7 @@
 xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto
 
 xmlsecmscryptoinc_HEADERS = \
+akmngr.h \
 app.h \
 certkeys.h \
 crypto.h \
--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in	2009-06-25 22:53:30.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in	2009-09-21 14:02:48.571021349 +0200
@@ -281,6 +281,7 @@
 NULL = 
 xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto
 xmlsecmscryptoinc_HEADERS = \
+akmngr.h \
 app.h \
 certkeys.h \
 crypto.h \
--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h	2009-09-21 14:07:19.052318336 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h	2009-09-21 14:02:48.504966762 +0200
@@ -1 +1,71 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_MSCRYPTO_AKMNGR_H__
+#define __XMLSEC_MSCRYPTO_AKMNGR_H__    
+
+#include <windows.h>
+#include <wincrypt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE keyStore ,
+    HCERTSTORE certStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY	symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY	pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY	priKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE keyStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE trustedStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE untrustedStore
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_MSCRYPTO_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am	2009-09-21 14:02:48.577933031 +0200
@@ -10,6 +10,9 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+akmngr.h \
+tokens.h \
+ciphers.h \
 $(NULL)
 
 install-exec-hook:
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in	2009-06-25 22:53:31.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in	2009-09-21 14:02:48.585376325 +0200
@@ -288,6 +288,9 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+akmngr.h \
+tokens.h \
+ciphers.h \
 $(NULL)
 
 all: all-am
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h	2009-09-21 14:07:19.105517659 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h	2009-09-21 14:02:48.510978278 +0200
@@ -1 +1,56 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_AKMNGR_H__
+#define __XMLSEC_NSS_AKMNGR_H__    
+
+#include <nss.h>
+#include <nspr.h>
+#include <pk11func.h>
+#include <cert.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+    PK11SlotInfo** slots,
+	int cSlots,
+    CERTCertDBHandle* handler
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	PK11SymKey*			symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	SECKEYPublicKey*	pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	SECKEYPrivateKey*	priKey
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/app.h	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/app.h	2009-09-21 14:02:48.612847068 +0200
@@ -22,6 +22,9 @@
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/transforms.h>
 
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+
 /**
  * Init/shutdown
  */
@@ -36,6 +39,8 @@
 									    xmlSecKeyPtr key);
 XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrLoad	(xmlSecKeysMngrPtr mngr,
 									 const char* uri);
+XMLSEC_CRYPTO_EXPORT int		xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr,
+									 xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int 		xmlSecNssAppDefaultKeysMngrSave	(xmlSecKeysMngrPtr mngr,
 									 const char* filename,
 									 xmlSecKeyDataType type);
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h	2009-09-21 14:07:19.146496548 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h	2009-09-21 14:02:48.516689712 +0200
@@ -1 +1,35 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_CIPHERS_H__
+#define __XMLSEC_NSS_CIPHERS_H__    
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data,
+									PK11SymKey* symkey ) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SymKey*   xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data);
+
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_CIPHERS_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h	2009-09-21 14:02:48.626261748 +0200
@@ -16,6 +16,8 @@
 #endif /* __cplusplus */ 
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/nss/tokens.h>
 
 /****************************************************************************
  *
@@ -31,6 +33,8 @@
 XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId	xmlSecNssKeysStoreGetKlass	(void);
 XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreAdoptKey	(xmlSecKeyStorePtr store,
 									 xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store,
+									 xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int		xmlSecNssKeysStoreLoad 	(xmlSecKeyStorePtr store,
 								 const char *uri,
 								 xmlSecKeysMngrPtr keysMngr);
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h	2009-09-21 14:07:19.172421448 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h	2009-09-21 14:02:48.522913605 +0200
@@ -1 +1,182 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
+ * 
+ * Contributor(s): _____________________________
+ * 
+ */
+#ifndef __XMLSEC_NSS_TOKENS_H__
+#define __XMLSEC_NSS_TOKENS_H__
+
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/list.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+/**
+ * xmlSecNssKeySlotListId
+ *
+ * The crypto mechanism list klass
+ */
+#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass()
+XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ;
+
+/*******************************************
+ * KeySlot interfaces
+ *******************************************/ 
+/**
+ * Internal NSS key slot data
+ * @mechanismList:		the mechanisms that the slot bound with.
+ * @slot:				the pkcs slot
+ *
+ * This context is located after xmlSecPtrList
+ */
+typedef struct _xmlSecNssKeySlot	xmlSecNssKeySlot ;
+typedef struct _xmlSecNssKeySlot*	xmlSecNssKeySlotPtr ;
+
+struct _xmlSecNssKeySlot {
+	CK_MECHANISM_TYPE_PTR	mechanismList ; /* mech. array, NULL ternimated */
+	PK11SlotInfo*			slot ;
+} ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetMechList(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE_PTR mechanismList
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotEnableMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotDisableMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+	PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+	PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+	xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotCopy(
+	xmlSecNssKeySlotPtr newKeySlot ,
+	xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+	xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotDestroy(
+	    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotBindMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE type
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSupportMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE type
+) ;
+
+
+/************************************************************************
+ * PKCS#11 crypto token interfaces
+ *
+ * A PKCS#11 slot repository will be defined internally. From the
+ * repository, a user can specify a particular slot for a certain crypto
+ * mechanism.
+ *
+ * In some situation, some cryptographic operation should act in a user
+ * designated devices. The interfaces defined here provide the way. If 
+ * the user do not initialize the repository distinctly, the interfaces
+ * use the default functions provided by NSS itself.
+ *
+ ************************************************************************/
+/**
+ * Initialize NSS pkcs#11 slot repository
+ *
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ;
+
+/**
+ * Shutdown and destroy NSS pkcs#11 slot repository
+ */
+XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ;
+
+/**
+ * Get PKCS#11 slot handler
+ * @type	the mechanism that the slot must support.
+ *
+ * Returns a pointer to PKCS#11 slot or NULL if an error occurs.
+ *
+ * Notes: The returned handler must be destroied distinctly.
+ */
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ;
+
+/**
+ * Adopt a pkcs#11 slot with a mechanism into the repository
+ * @slot:	the pkcs#11 slot.
+ * @mech:	the mechanism.
+ *
+ * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with
+ * this mechanism only can perform on the @slot.
+ * 
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif	/* __XMLSEC_NSS_TOKENS_H__ */
+
--- misc/xmlsec1-1.2.14/src/mscrypto/akmngr.c	2009-09-21 14:07:19.078910929 +0200
+++ misc/build/xmlsec1-1.2.14/src/mscrypto/akmngr.c	2009-09-21 14:02:48.531281225 +0200
@@ -1 +1,236 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/mscrypto/crypto.h>
+#include <xmlsec/mscrypto/keysstore.h>
+#include <xmlsec/mscrypto/akmngr.h>
+#include <xmlsec/mscrypto/x509.h>
+
+/**
+ * xmlSecMSCryptoAppliedKeysMngrCreate:
+ * @hKeyStore:		the pointer to key store.
+ * @hCertStore:		the pointer to certificate database.
+ *
+ * Create and load key store and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE hKeyStore ,
+    HCERTSTORE hCertStore
+) {
+	xmlSecKeyDataStorePtr	certStore = NULL ;
+	xmlSecKeysMngrPtr		keyMngr = NULL ;
+	xmlSecKeyStorePtr		keyStore = NULL ;
+
+	keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ;
+	if( keyStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeyStoreCreate" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * At present, MS Crypto engine do not provide a way to setup a key store.
+	 */
+	if( keyStore != NULL ) {
+		/*TODO: binding key store.*/
+	}
+
+	keyMngr = xmlSecKeysMngrCreate() ;
+	if( keyMngr == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrCreate" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeyStoreDestroy( keyStore ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Add key store to manager, from now on keys manager destroys the store if
+	 * needed
+	 */
+	if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+			"xmlSecKeysMngrAdoptKeyStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeyStoreDestroy( keyStore ) ;
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Initialize crypto library specific data in keys manager
+	 */
+	if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecMSCryptoKeysMngrInit" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Set certificate databse to X509 key data store
+	 */
+	/*-
+	 * At present, MS Crypto engine do not provide a way to setup a cert store.
+	 */
+
+	/*-
+	 * Set the getKey callback
+	 */
+	keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+	return keyMngr ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY			symKey
+) {
+	/*TODO: import the key into keys manager.*/
+	return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY	pubKey
+) {
+	/*TODO: import the key into keys manager.*/
+	return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	HCRYPTKEY	priKey
+) {
+	/*TODO: import the key into keys manager.*/
+	return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE keyStore
+) {
+	xmlSecKeyDataStorePtr x509Store ;
+
+	xmlSecAssert2( mngr != NULL, -1 ) ;
+	xmlSecAssert2( keyStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+	if( x509Store == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetDataStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+			"xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE trustedStore
+) {
+	xmlSecKeyDataStorePtr x509Store ;
+
+	xmlSecAssert2( mngr != NULL, -1 ) ;
+	xmlSecAssert2( trustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+	if( x509Store == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetDataStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+			"xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+	xmlSecKeysMngrPtr	mngr ,
+	HCERTSTORE untrustedStore
+) {
+	xmlSecKeyDataStorePtr x509Store ;
+
+	xmlSecAssert2( mngr != NULL, -1 ) ;
+	xmlSecAssert2( untrustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+	if( x509Store == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetDataStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+			"xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 ) ;
+	}
+
+	return( 0 ) ;
+}
+
--- misc/xmlsec1-1.2.14/src/nss/Makefile.am	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.am	2009-09-21 14:02:48.591560472 +0200
@@ -35,6 +35,9 @@
 	kw_des.c \
 	kw_aes.c \
 	globals.h \
+	akmngr.c \
+	keywrapers.c \
+	tokens.c \
 	$(NULL)
 
 if SHAREDLIB_HACK
--- misc/xmlsec1-1.2.14/src/nss/Makefile.in	2009-06-25 22:53:33.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.in	2009-09-21 14:02:48.599339718 +0200
@@ -72,7 +72,8 @@
 am__libxmlsec1_nss_la_SOURCES_DIST = app.c bignum.c ciphers.c crypto.c \
 	digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \
 	x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
-	../strings.c
+	../strings.c \
+	akmngr.c keywrapers.c tokens.c
 am__objects_1 =
 @SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_nss_la-strings.lo
 am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \
@@ -83,6 +84,8 @@
 	libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \
 	libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \
 	libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \
+	libxmlsec1_nss_la-akmngr.lo libxmlsec1_nss_la-keywrapers.lo \
+	libxmlsec1_nss_la-tokens.lo \
 	$(am__objects_1) $(am__objects_2)
 libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS)
 libxmlsec1_nss_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -333,6 +336,7 @@
 libxmlsec1_nss_la_SOURCES = app.c bignum.c ciphers.c crypto.c \
 	digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \
 	x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
+	akmngr.c keywrapers.c tokens.c \
 	$(NULL) $(am__append_1)
 libxmlsec1_nss_la_LIBADD = \
 	../libxmlsec1.la \
@@ -439,6 +443,9 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -468,6 +475,27 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c
 
+libxmlsec1_nss_la-akmngr.lo: akmngr.c
+@am__fastdepCC_TRUE@	if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-akmngr.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='akmngr.c' object='libxmlsec1_nss_la-akmngr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c
+
+libxmlsec1_nss_la-keywrapers.lo: keywrapers.c
+@am__fastdepCC_TRUE@	if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-keywrapers.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='keywrapers.c' object='libxmlsec1_nss_la-keywrapers.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c
+
+libxmlsec1_nss_la-tokens.lo: tokens.c
+@am__fastdepCC_TRUE@	if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c; \
+@am__fastdepCC_TRUE@	then mv -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tokens.c' object='libxmlsec1_nss_la-tokens.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c
+
 libxmlsec1_nss_la-bignum.lo: bignum.c
 @am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-bignum.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo -c -o libxmlsec1_nss_la-bignum.lo `test -f 'bignum.c' || echo '$(srcdir)/'`bignum.c
 @am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo $(DEPDIR)/libxmlsec1_nss_la-bignum.Plo
--- misc/xmlsec1-1.2.14/src/nss/akmngr.c	2009-09-21 14:07:19.197249962 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/akmngr.c	2009-09-21 14:02:48.539616129 +0200
@@ -1 +1,384 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <nspr.h>
+#include <nss.h>
+#include <pk11func.h>
+#include <cert.h>
+#include <keyhi.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+#include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/keysstore.h>
+
+/**
+ * xmlSecNssAppliedKeysMngrCreate:
+ * @slot:			array of pointers to NSS PKCS#11 slot information.
+ * @cSlots:			number of slots in the array
+ * @handler:		the pointer to NSS certificate database.
+ *
+ * Create and load NSS crypto slot and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+	PK11SlotInfo** slots, 
+	int cSlots,
+	CERTCertDBHandle* handler
+) {
+	xmlSecKeyDataStorePtr	certStore = NULL ;
+	xmlSecKeysMngrPtr		keyMngr = NULL ;
+	xmlSecKeyStorePtr		keyStore = NULL ;
+	int islot = 0;
+	keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ;
+	if( keyStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeyStoreCreate" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return NULL ;
+	}
+
+	for (islot = 0; islot < cSlots; islot++)
+	{
+		xmlSecNssKeySlotPtr		keySlot ;
+
+		/* Create a key slot */
+		keySlot = xmlSecNssKeySlotCreate() ;
+		if( keySlot == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+				"xmlSecNssKeySlotCreate" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			xmlSecKeyStoreDestroy( keyStore ) ;
+			return NULL ;
+		}
+
+		/* Set slot */
+		if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+				"xmlSecNssKeySlotSetSlot" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			xmlSecKeyStoreDestroy( keyStore ) ;
+			xmlSecNssKeySlotDestroy( keySlot ) ;
+			return NULL ;
+		}
+
+		/* Adopt keySlot */
+		if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+				"xmlSecNssKeysStoreAdoptKeySlot" ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+			xmlSecKeyStoreDestroy( keyStore ) ;
+			xmlSecNssKeySlotDestroy( keySlot ) ;
+			return NULL ;
+		}
+	}
+
+	keyMngr = xmlSecKeysMngrCreate() ;
+	if( keyMngr == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrCreate" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeyStoreDestroy( keyStore ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Add key store to manager, from now on keys manager destroys the store if
+	 * needed
+	 */
+	if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+			"xmlSecKeysMngrAdoptKeyStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeyStoreDestroy( keyStore ) ;
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Initialize crypto library specific data in keys manager
+	 */
+	if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrCreate" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+
+	/*-
+	 * Set certificate databse to X509 key data store
+	 */
+	/**
+	 * Because Tej's implementation of certDB use the default DB, so I ignore
+	 * the certDB handler at present. I'll modify the cert store sources to
+	 * accept particular certDB instead of default ones.
+	certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ;
+	if( certStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+			"xmlSecKeysMngrGetDataStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+
+	if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+			"xmlSecNssKeyDataStoreX509SetCertDb" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+		xmlSecKeysMngrDestroy( keyMngr ) ;
+		return NULL ;
+	}
+	*/
+
+	/*-
+	 * Set the getKey callback
+	 */
+	keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+	return keyMngr ;
+}
+
+int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	PK11SymKey*			symKey
+) {
+	xmlSecKeyPtr		key ;
+	xmlSecKeyDataPtr	data ;
+	xmlSecKeyStorePtr	keyStore ;
+
+	xmlSecAssert2( mngr != NULL , -1 ) ;
+	xmlSecAssert2( symKey != NULL , -1 ) ;
+
+	keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+	if( keyStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetKeysStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+	xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+	data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ;
+	if( data == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+
+	key = xmlSecKeyCreate() ;
+	if( key == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecKeySetValue( key , data ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDestroy( key ) ;
+		return(-1) ;
+	}
+
+	return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	SECKEYPublicKey*	pubKey
+) {
+	xmlSecKeyPtr		key ;
+	xmlSecKeyDataPtr	data ;
+	xmlSecKeyStorePtr	keyStore ;
+
+	xmlSecAssert2( mngr != NULL , -1 ) ;
+	xmlSecAssert2( pubKey != NULL , -1 ) ;
+
+	keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+	if( keyStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetKeysStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+	xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+	data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+	if( data == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssPKIAdoptKey" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+
+	key = xmlSecKeyCreate() ;
+	if( key == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecKeySetValue( key , data ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDestroy( key ) ;
+		return(-1) ;
+	}
+
+	return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+	xmlSecKeysMngrPtr	mngr ,
+	SECKEYPrivateKey*	priKey
+) {
+	xmlSecKeyPtr		key ;
+	xmlSecKeyDataPtr	data ;
+	xmlSecKeyStorePtr	keyStore ;
+
+	xmlSecAssert2( mngr != NULL , -1 ) ;
+	xmlSecAssert2( priKey != NULL , -1 ) ;
+
+	keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+	if( keyStore == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecKeysMngrGetKeysStore" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+	xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+	data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+	if( data == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssPKIAdoptKey" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1) ;
+	}
+
+	key = xmlSecKeyCreate() ;
+	if( key == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecKeySetValue( key , data ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDataDestroy( data ) ;
+		return(-1) ;
+	}
+
+	if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecNssSymKeyDataKeyAdopt" ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecKeyDestroy( key ) ;
+		return(-1) ;
+	}
+
+	return(0) ;
+}
+
--- misc/xmlsec1-1.2.14/src/nss/hmac.c	2009-06-26 06:18:13.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/hmac.c	2009-09-21 14:02:48.649065288 +0200
@@ -23,8 +23,8 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
 
 /* sizes in bits */
 #define XMLSEC_NSS_MIN_HMAC_SIZE		80
@@ -286,13 +286,13 @@
     keyItem.data = xmlSecBufferGetData(buffer);
     keyItem.len  = xmlSecBufferGetSize(buffer); 
 
-    slot = PK11_GetBestSlot(ctx->digestType, NULL);
+    slot = xmlSecNssSlotGet(ctx->digestType);
     if(slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE, 
 		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-		    "PK11_GetBestSlot",
+		    "xmlSecNssSlotGet",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	return(-1);
     }
 	
--- misc/xmlsec1-1.2.14/src/nss/keysstore.c	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/keysstore.c	2009-09-21 14:02:48.633533885 +0200
@@ -1,36 +1,56 @@
 /** 
  * XMLSec library
  * 
- * Nss keys store that uses Simple Keys Store under the hood. Uses the
- * Nss DB as a backing store for the finding keys, but the NSS DB is
- * not written to by the keys store.
- * So, if store->findkey is done and the key is not found in the simple
- * keys store, the NSS DB is looked up.
- * If store is called to adopt a key, that key is not written to the NSS
- * DB.
- * Thus, the NSS DB can be used to pre-load keys and becomes an alternate 
- * source of keys for xmlsec
- * 
  * This is free software; see Copyright file in the source
  * distribution for precise wording.
  * 
  * Copyright (c) 2003 America Online, Inc.  All rights reserved.
  */
+
+/**
+ * NSS key store uses a key list and a slot list as the key repository. NSS slot
+ * list is a backup repository for the finding keys. If a key is not found from
+ * the key list, the NSS slot list is looked up.
+ *
+ * Any key in the key list will not save to pkcs11 slot. When a store to called
+ * to adopt a key, the key is resident in the key list; While a store to called
+ * to set a is resident in the key list; While a store to called to set a slot 
+ * list, which means that the keys in the listed slot can be used for xml sign-
+ * nature or encryption.
+ *
+ * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec.
+ *
+ * The framework will decrease the user interfaces to administrate xmlSec crypto
+ * engine. He can only focus on NSS layer functions. For examples, after the
+ * user set up a slot list handler to the keys store, he do not need to do any
+ * other work atop xmlSec interfaces, his action on the slot list handler, such
+ * as add a token to, delete a token from the list, will directly effect the key
+ * store behaviors.
+ *
+ * For example, a scenariio:
+ * 0. Create a slot list;( NSS interfaces )
+ * 1. Create a keys store;( xmlSec interfaces )
+ * 2. Set slot list with the keys store;( xmlSec Interfaces )
+ * 3. Add a slot to the slot list;( NSS interfaces )
+ * 4. Perform xml signature; ( xmlSec Interfaces )
+ * 5. Deleter a slot from the slot list;( NSS interfaces )
+ * 6. Perform xml encryption; ( xmlSec Interfaces )
+ * 7. Perform xml signature;( xmlSec Interfaces )
+ * 8. Destroy the keys store;( xmlSec Interfaces )
+ * 8. Destroy the slot list.( NSS Interfaces )
+ */
 #include "globals.h"
 
 #include <stdlib.h>
 #include <string.h>
 
 #include <nss.h> 
-#include <cert.h> 
 #include <pk11func.h> 
+#include <prinit.h>
 #include <keyhi.h> 
 
-#include <libxml/tree.h> 
-
 #include <xmlsec/xmlsec.h>
-#include <xmlsec/buffer.h>
-#include <xmlsec/base64.h>
+#include <xmlsec/keys.h>
 #include <xmlsec/errors.h>
 #include <xmlsec/xmltree.h>
 
@@ -38,82 +58,461 @@
 
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/keysstore.h>
-#include <xmlsec/nss/x509.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/ciphers.h>
 #include <xmlsec/nss/pkikeys.h>
 
 /****************************************************************************
  *
- * Nss Keys Store. Uses Simple Keys Store under the hood
+ * Internal NSS key store context
  * 
- * Simple Keys Store ptr is located after xmlSecKeyStore
+ * This context is located after xmlSecKeyStore
  *
  ***************************************************************************/
+typedef struct _xmlSecNssKeysStoreCtx  xmlSecNssKeysStoreCtx ;
+typedef struct _xmlSecNssKeysStoreCtx* xmlSecNssKeysStoreCtxPtr ;
+
+struct _xmlSecNssKeysStoreCtx {
+       xmlSecPtrListPtr                keyList ;
+       xmlSecPtrListPtr                slotList ;
+} ;
+
 #define xmlSecNssKeysStoreSize \
-	(sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr))
+	( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) )
 
-#define xmlSecNssKeysStoreGetSS(store) \
-    ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \
-     (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \
-     (xmlSecKeyStorePtr*)NULL)
-
-static int			xmlSecNssKeysStoreInitialize	(xmlSecKeyStorePtr store);
-static void			xmlSecNssKeysStoreFinalize	(xmlSecKeyStorePtr store);
-static xmlSecKeyPtr 		xmlSecNssKeysStoreFindKey	(xmlSecKeyStorePtr store, 
-								 const xmlChar* name, 
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
+#define xmlSecNssKeysStoreGetCtx( data ) \
+       ( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) )
 
-static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
-    sizeof(xmlSecKeyStoreKlass),
-    xmlSecNssKeysStoreSize,
+int xmlSecNssKeysStoreAdoptKeySlot(
+       xmlSecKeyStorePtr               store ,
+       xmlSecNssKeySlotPtr             keySlot
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->slotList == NULL ) {
+               if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+       return 0 ;
+}
 
-    /* data */
-    BAD_CAST "NSS-keys-store",		/* const xmlChar* name; */ 
-        
-    /* constructors/destructor */
-    xmlSecNssKeysStoreInitialize,	/* xmlSecKeyStoreInitializeMethod initialize; */
-    xmlSecNssKeysStoreFinalize,		/* xmlSecKeyStoreFinalizeMethod finalize; */
-    xmlSecNssKeysStoreFindKey,		/* xmlSecKeyStoreFindKeyMethod findKey; */
-
-    /* reserved for the future */
-    NULL,				/* void* reserved0; */
-    NULL,				/* void* reserved1; */
-};
+int xmlSecNssKeysStoreAdoptKey(
+       xmlSecKeyStorePtr       store ,
+       xmlSecKeyPtr            key
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->keyList == NULL ) {
+               if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
 
-/**
- * xmlSecNssKeysStoreGetKlass:
- * 
- * The Nss list based keys store klass.
+       return 0 ;
+}
+
+/*
+ * xmlSecKeyStoreInitializeMethod:
+ * @store:             the store.
+ *
+ * Keys store specific initialization method.
  *
- * Returns: Nss list based keys store klass.
+ * Returns 0 on success or a negative value if an error occurs.
  */
-xmlSecKeyStoreId 
-xmlSecNssKeysStoreGetKlass(void) {
-    return(&xmlSecNssKeysStoreKlass);
+static int
+xmlSecNssKeysStoreInitialize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       context->keyList = NULL ;
+       context->slotList = NULL ;
+
+       return 0 ;
 }
 
 /**
- * xmlSecNssKeysStoreAdoptKey:
- * @store:		the pointer to Nss keys store.
- * @key:		the pointer to key.
- * 
- * Adds @key to the @store. 
  *
- * Returns: 0 on success or a negative value if an error occurs.
+ * xmlSecKeyStoreFinalizeMethod:
+ * @store:             the store.
+ *
+ * Keys store specific finalization (destroy) method.
  */
-int 
-xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) {
-    xmlSecKeyStorePtr *ss;
-    
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((key != NULL), -1);
+void
+xmlSecNssKeysStoreFinalize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ;
+       xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return ;
+       }
+
+       if( context->keyList != NULL ) {
+               xmlSecPtrListDestroy( context->keyList ) ;
+               context->keyList = NULL ;
+       }
+
+       if( context->slotList != NULL ) {
+               xmlSecPtrListDestroy( context->slotList ) ;
+               context->slotList = NULL ;
+       }
+}
+
+xmlSecKeyPtr
+xmlSecNssKeysStoreFindKeyFromSlot(
+       PK11SlotInfo* slot,
+       const xmlChar* name,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+       xmlSecKeyPtr            key = NULL ;
+       xmlSecKeyDataPtr        data = NULL ;
+       int                                     length ;
+
+       xmlSecAssert2( slot != NULL , NULL ) ;
+       xmlSecAssert2( name != NULL , NULL ) ;
+       xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+       if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) {
+               PK11SymKey*                     symKey ;
+               PK11SymKey*                     curKey ;
+
+               /* Find symmetric key from the slot by name */
+               symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ;
+               for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) {
+                       /* Check the key request */
+                       length = PK11_GetKeyLength( curKey ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+                       break ;
+               }
+
+               /* Destroy the sym key list */
+               for( curKey = symKey ; curKey != NULL ; ) {
+                       symKey = curKey ;
+                       curKey = PK11_GetNextSymKey( symKey ) ;
+                       PK11_FreeSymKey( symKey ) ;
+               }
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+               SECKEYPublicKeyList*            pubKeyList ;
+               SECKEYPublicKey*                        pubKey ;
+               SECKEYPublicKeyListNode*        curPub ;
+
+               /* Find asymmetric key from the slot by name */
+               pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ;
+               pubKey = NULL ;
+               curPub = PUBKEY_LIST_HEAD(pubKeyList);
+               for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) {
+                       /* Check the key request */
+                       length = SECKEY_PublicKeyStrength( curPub->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       pubKey = curPub->key ;
+                       break ;
+               }
+
+               if( pubKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the public key list */
+               SECKEY_DestroyPublicKeyList( pubKeyList ) ;
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+               SECKEYPrivateKeyList*           priKeyList = NULL ;
+               SECKEYPrivateKey*                       priKey = NULL ;
+               SECKEYPrivateKeyListNode*       curPri ;
+
+               /* Find asymmetric key from the slot by name */
+               priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ;
+               priKey = NULL ;
+               curPri = PRIVKEY_LIST_HEAD(priKeyList);
+               for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
+                       /* Check the key request */
+                       length = PK11_SignatureLen( curPri->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       priKey = curPri->key ;
+                       break ;
+               }
+
+               if( priKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the private key list */
+               SECKEY_DestroyPrivateKeyList( priKeyList ) ;
+       }
+
+       /* If we have gotten the key value */
+       if( data != NULL ) {
+               if( ( key = xmlSecKeyCreate() ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeyCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+
+               if( xmlSecKeySetValue( key , data ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeySetValue" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDestroy( key ) ;
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+       }
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-		   (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
+    return(key);
+}
+
+/** 
+ * xmlSecKeyStoreFindKeyMethod:
+ * @store:             the store.
+ * @name:              the desired key name.
+ * @keyInfoCtx:        the pointer to key info context.
+ *
+ * Keys store specific find method. The caller is responsible for destroying 
+ * the returned key using #xmlSecKeyDestroy method.
+ *
+ * Returns the pointer to a key or NULL if key is not found or an error occurs.
+ */
+static xmlSecKeyPtr
+xmlSecNssKeysStoreFindKey(
+       xmlSecKeyStorePtr store ,
+       const xmlChar* name ,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+    xmlSecNssKeysStoreCtxPtr context = NULL ;
+    xmlSecKeyPtr    key = NULL ;
+    xmlSecNssKeySlotPtr     keySlot = NULL ;
+    xmlSecSize              pos ;
+    xmlSecSize              size ;
+
+    xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ;
+    xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ;
+    xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+    context = xmlSecNssKeysStoreGetCtx( store ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                    "xmlSecNssKeysStoreGetCtx" ,
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return NULL ;
+    }
+
+    /*-
+     * Look for key at keyList at first.
+     */
+    if( context->keyList != NULL ) {
+            size = xmlSecPtrListGetSize( context->keyList ) ;
+            for( pos = 0 ; pos < size ; pos ++ ) {
+                    key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ;
+                    if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) {
+                            return xmlSecKeyDuplicate( key ) ;
+                    }
+            }
+    }
+
+    /*-
+     * Find the key from slotList
+     */
+    if( context->slotList != NULL ) {
+            PK11SlotInfo*                   slot = NULL ;
+
+            size = xmlSecPtrListGetSize( context->slotList ) ;
+            for( pos = 0 ; pos < size ; pos ++ ) {
+                    keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ;
+                    slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+                    if( slot == NULL ) {
+                            continue ;
+                    } else {
+                            key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ;
+                            if( key == NULL ) {
+                                    continue ;
+                            } else {
+                                    return( key ) ;
+                            }
+                    }
+            }
+    }
+
+    /*-
+     * Create a session key if we can not find the key from keyList and slotList
+     */
+    if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) {
+            key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ;
+            if( key == NULL ) {
+                    xmlSecError( XMLSEC_ERRORS_HERE ,
+                            xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                            "xmlSecKeySetValue" ,
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                            XMLSEC_ERRORS_NO_MESSAGE ) ;
+                    return NULL ;
+            }
+
+            return key ;
+    }
+ 
+   /**
+    * We have no way to find the key any more.
+    */
+    return NULL ;
+}
+
+static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
+       sizeof( xmlSecKeyStoreKlass ) ,
+       xmlSecNssKeysStoreSize ,
+       BAD_CAST "implicit_nss_keys_store" ,
+       xmlSecNssKeysStoreInitialize ,
+       xmlSecNssKeysStoreFinalize ,
+       xmlSecNssKeysStoreFindKey ,
+       NULL ,
+       NULL
+} ;
 
-    return (xmlSecSimpleKeysStoreAdoptKey(*ss, key));
+/**
+ * xmlSecNssKeysStoreGetKlass:
+ * 
+ * The simple list based keys store klass.
+ *
+ */
+xmlSecKeyStoreId 
+xmlSecNssKeysStoreGetKlass( void ) {
+    return &xmlSecNssKeysStoreKlass ;
 }
 
+/**************************
+ * Application routines
+ */
+
 /** 
  * xmlSecNssKeysStoreLoad:
  * @store:		the pointer to Nss keys store.
@@ -252,234 +651,147 @@
  */
 int
 xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) {
-    xmlSecKeyStorePtr *ss;
+    xmlSecKeyInfoCtx keyInfoCtx;
+    xmlSecNssKeysStoreCtxPtr context ;
+    xmlSecPtrListPtr list;
+    xmlSecKeyPtr key;
+    xmlSecSize i, keysSize;    
+    xmlDocPtr doc;
+    xmlNodePtr cur;
+    xmlSecKeyDataPtr data;
+    xmlSecPtrListPtr idsList;
+    xmlSecKeyDataId dataId;
+    xmlSecSize idsSize, j;
+    int ret;
 
     xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((filename != NULL), -1);    
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-		   (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
-
-    return (xmlSecSimpleKeysStoreSave(*ss, filename, type));
-}
-
-static int
-xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
+    xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ;
+    xmlSecAssert2(filename != NULL, -1);   
 
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
+    context = xmlSecNssKeysStoreGetCtx( store ) ;
+    xmlSecAssert2( context != NULL, -1 );
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2((*ss == NULL), -1);
+    list = context->keyList ;
+       xmlSecAssert2( list != NULL, -1 );
+    xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1);
 
-    *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
-    if(*ss == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
+    /* create doc */
+    doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs);
+    if(doc == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-		    "xmlSecKeyStoreCreate",
+		    "xmlSecCreateTree",
 		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "xmlSecSimpleKeysStoreId");
+		    XMLSEC_ERRORS_NO_MESSAGE);
 	return(-1);
     }
 
-    return(0);    
-}
-
-static void
-xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
-    
-    xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId));
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert((ss != NULL) && (*ss != NULL));
-    
-    xmlSecKeyStoreDestroy(*ss);
-}
-
-static xmlSecKeyPtr 
-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, 
-		          xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyStorePtr* ss;
-    xmlSecKeyPtr key = NULL;
-    xmlSecKeyPtr retval = NULL;
-    xmlSecKeyReqPtr keyReq = NULL;
-    CERTCertificate *cert = NULL;
-    SECKEYPublicKey *pubkey = NULL;
-    SECKEYPrivateKey *privkey = NULL;
-    xmlSecKeyDataPtr data = NULL;
-    xmlSecKeyDataPtr x509Data = NULL;
-    int ret;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL);
-
-    key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx);
-    if (key != NULL) {
-	return (key);
-    }
-
-    /* Try to find the key in the NSS DB, and construct an xmlSecKey.
-     * we must have a name to lookup keys in NSS DB.
-     */
-    if (name == NULL) {
-	goto done;
-    }
+    idsList = xmlSecKeyDataIdsGet();   
+    xmlSecAssert2(idsList != NULL, -1);
 
-    /* what type of key are we looking for? 
-     * TBD: For now, we'll look only for public/private keys using the
-     * name as a cert nickname. Later on, we can attempt to find
-     * symmetric keys using PK11_FindFixedKey 
-     */
-    keyReq = &(keyInfoCtx->keyReq);
-    if (keyReq->keyType & 
-	(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) {
-	cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name);
-	if (cert == NULL) {
-	    goto done;
-	}
+    keysSize = xmlSecPtrListGetSize(list);
+    idsSize = xmlSecPtrListGetSize(idsList);
+    for(i = 0; i < keysSize; ++i) {
+        key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i);
+        xmlSecAssert2(key != NULL, -1);
 
-	if (keyReq->keyType & xmlSecKeyDataTypePublic) {
- 	    pubkey = CERT_ExtractPublicKey(cert);
-	    if (pubkey == NULL) {
+        cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs);
+        if(cur == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    "CERT_ExtractPublicKey",
-			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		goto done;
-	    }
+                    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                    "xmlSecAddChild",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    "node=%s",
+                    xmlSecErrorsSafeString(xmlSecNodeKeyInfo));
+            xmlFreeDoc(doc); 
+            return(-1);
 	} 
 
-	if (keyReq->keyType & xmlSecKeyDataTypePrivate) { 
- 	    privkey = PK11_FindKeyByAnyCert(cert, NULL);
-	    if (privkey == NULL) {
+        /* special data key name */
+        if(xmlSecKeyGetName(key) != NULL) {
+            if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    "PK11_FindKeyByAnyCert",
-			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
-		goto done;
+                xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                "xmlSecAddChild",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "node=%s",
+                xmlSecErrorsSafeString(xmlSecNodeKeyName));
+            xmlFreeDoc(doc); 
+            return(-1);
 	    }
 	}
 
-	data = xmlSecNssPKIAdoptKey(privkey, pubkey);
-	if(data == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssPKIAdoptKey",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    goto done;
-	}    
-	privkey = NULL;
-	pubkey = NULL;
-
-        key = xmlSecKeyCreate();
-        if (key == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyCreate",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    return (NULL);
-        }
-
-	x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id);
-	if(x509Data == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyDataCreate",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"transform=%s",
-			xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id)));
-	    goto done;
-	}
+        /* create nodes for other keys data */
+        for(j = 0; j < idsSize; ++j) {
+            dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j);
+            xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1);
+
+            if(dataId->dataNodeName == NULL) {
+                continue;
+            }
+
+            data = xmlSecKeyGetData(key, dataId);
+            if(data == NULL) {
+                continue;
+	    }
 
-	ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert);
-	if (ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssKeyDataX509AdoptKeyCert",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
-	}
-	cert = CERT_DupCertificate(cert);
-	if (cert == NULL) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"CERT_DupCertificate",
-			XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
+            if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) {
+	        xmlSecError(XMLSEC_ERRORS_HERE,
+                xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                "xmlSecAddChild",
+		XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "node=%s", 
+                xmlSecErrorsSafeString(dataId->dataNodeName));
+                xmlFreeDoc(doc); 
+                return(-1);
+	    }
 	}
 
-	ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert);
+	ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL);
 	if (ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssKeyDataX509AdoptCert",
+            xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSecKeyInfoCtxInitialize",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
+            XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFreeDoc(doc);
+            return(-1);
 	}
-	cert = NULL;
 
-	ret = xmlSecKeySetValue(key, data);
-	if (ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeySetValue",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s", 
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)));
-	    goto done;
-	}
-	data = NULL;
+        keyInfoCtx.mode                 = xmlSecKeyInfoModeWrite;
+        keyInfoCtx.keyReq.keyId         = xmlSecKeyDataIdUnknown;
+        keyInfoCtx.keyReq.keyType       = type;
+        keyInfoCtx.keyReq.keyUsage      = xmlSecKeyDataUsageAny;
 
-	ret = xmlSecKeyAdoptData(key, x509Data);
+        /* finally write key in the node */
+        ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx);
 	if (ret < 0) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecKeyAdoptData",
+            xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSecKeyInfoNodeWrite",
 			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"data=%s",
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-	    goto done;
-	}
-	x509Data = NULL;
+            XMLSEC_ERRORS_NO_MESSAGE);
+        xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
+        xmlFreeDoc(doc); 
+        return(-1);
+        }
 
-	retval = key;
-	key = NULL;
+        xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
     }
 
-done:
-    if (cert != NULL) {
-	CERT_DestroyCertificate(cert);
-    }
-    if (pubkey != NULL) {
-	SECKEY_DestroyPublicKey(pubkey);
-    }
-    if (privkey != NULL) {
-	SECKEY_DestroyPrivateKey(privkey);
-    }
-    if (data != NULL) {
-	xmlSecKeyDataDestroy(data);
-    }
-    if (x509Data != NULL) {
-	xmlSecKeyDataDestroy(x509Data);
-    }
-    if (key != NULL) {
-	xmlSecKeyDestroy(key);
+    /* now write result */
+    ret = xmlSaveFormatFile(filename, doc, 1);
+    if (ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSaveFormatFile",
+            XMLSEC_ERRORS_R_XML_FAILED,
+            "filename=%s", 
+            xmlSecErrorsSafeString(filename));
+        xmlFreeDoc(doc); 
+        return(-1);
     }
 
-    return (retval);
+    xmlFreeDoc(doc);
+    return(0);
 }
--- misc/xmlsec1-1.2.14/src/nss/keywrapers.c	2009-09-21 14:07:19.223802688 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/keywrapers.c	2009-09-21 14:02:48.548869372 +0200
@@ -1 +1,1213 @@
-dummy
+/** 
+ *
+ * XMLSec library
+ * 
+ * AES Algorithm support
+ * 
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright .................................
+ */
+#include "globals.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+#include <hasht.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+
+#define XMLSEC_NSS_AES128_KEY_SIZE		16
+#define XMLSEC_NSS_AES192_KEY_SIZE		24
+#define XMLSEC_NSS_AES256_KEY_SIZE		32
+#define XMLSEC_NSS_DES3_KEY_SIZE		24
+#define XMLSEC_NSS_DES3_KEY_LENGTH      24
+#define XMLSEC_NSS_DES3_IV_LENGTH       8
+#define XMLSEC_NSS_DES3_BLOCK_LENGTH    8
+
+static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = { 
+    0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 
+};
+
+/*********************************************************************
+ *
+ * key wrap transforms
+ *
+ ********************************************************************/
+typedef struct _xmlSecNssKeyWrapCtx			xmlSecNssKeyWrapCtx ;
+typedef struct _xmlSecNssKeyWrapCtx*		xmlSecNssKeyWrapCtxPtr ;
+
+#define xmlSecNssKeyWrapSize	\
+	( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) )
+
+#define xmlSecNssKeyWrapGetCtx( transform ) \
+	( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+struct _xmlSecNssKeyWrapCtx {
+	CK_MECHANISM_TYPE		cipher ;
+	PK11SymKey*				symkey ;
+	xmlSecKeyDataId			keyId ;
+	xmlSecBufferPtr			material ; /* to be encrypted/decrypted key material */
+} ;
+
+static int 		xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform);
+static void 	xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform);
+static int  	xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, 
+							 xmlSecKeyReqPtr keyReq);
+static int  	xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, 
+							 xmlSecKeyPtr key);
+static int  	xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, 
+							 int last,
+							 xmlSecTransformCtxPtr transformCtx);
+static xmlSecSize  	xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform);
+
+static int
+xmlSecNssKeyWrapCheckId(
+	xmlSecTransformPtr transform
+) {
+	#ifndef XMLSEC_NO_DES
+	if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+		return(1);
+	}
+	#endif /* XMLSEC_NO_DES */
+
+	#ifndef XMLSEC_NO_AES
+	if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) ||
+		xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) ||
+		xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) {
+
+		return(1);
+    }
+	#endif /* XMLSEC_NO_AES */
+    
+    return(0);
+}
+
+static xmlSecSize  
+xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) {
+#ifndef XMLSEC_NO_DES
+	if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+		return(XMLSEC_NSS_DES3_KEY_SIZE);
+	} else
+#endif /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) {
+		return(XMLSEC_NSS_AES128_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) {
+		return(XMLSEC_NSS_AES192_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+		return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+		return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else
+#endif /* XMLSEC_NO_AES */
+
+	if(1)
+   		return(0);
+}
+
+
+static int 
+xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) {
+	xmlSecNssKeyWrapCtxPtr context ;
+    int ret;
+    
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    
+	context = xmlSecNssKeyWrapGetCtx( transform ) ;
+	xmlSecAssert2( context != NULL , -1 ) ;
+
+	#ifndef XMLSEC_NO_DES
+	if( transform->id == xmlSecNssTransformKWDes3Id ) {
+		context->cipher = CKM_DES3_CBC ;
+		context->keyId = xmlSecNssKeyDataDesId ;
+	} else
+	#endif		/* XMLSEC_NO_DES */
+
+	#ifndef XMLSEC_NO_AES
+	if( transform->id == xmlSecNssTransformKWAes128Id ) {
+	/*	context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	if( transform->id == xmlSecNssTransformKWAes192Id ) {
+	/*	context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	if( transform->id == xmlSecNssTransformKWAes256Id ) {
+	/*	context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+		context->cipher = CKM_AES_CBC ;
+		context->keyId = xmlSecNssKeyDataAesId ;
+	} else
+	#endif		/* XMLSEC_NO_AES */
+
+
+	if( 1 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+		    NULL ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	context->symkey = NULL ;
+	context->material = NULL ;
+
+    return(0);
+}
+
+static void 
+xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) {
+	xmlSecNssKeyWrapCtxPtr context ;
+    
+    xmlSecAssert(xmlSecNssKeyWrapCheckId(transform));
+    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize));
+    
+	context = xmlSecNssKeyWrapGetCtx( transform ) ;
+	xmlSecAssert( context != NULL ) ;
+
+	if( context->symkey != NULL ) {
+		PK11_FreeSymKey( context->symkey ) ;
+		context->symkey = NULL ;
+	}
+
+	if( context->material != NULL ) {
+		xmlSecBufferDestroy(context->material);
+		context->material = NULL ;
+	}
+}
+
+static int  
+xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
+	xmlSecNssKeyWrapCtxPtr context ;
+	xmlSecSize cipherSize = 0 ;
+
+    
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(keyReq != NULL, -1);
+    
+	context = xmlSecNssKeyWrapGetCtx( transform ) ;
+	xmlSecAssert2( context != NULL , -1 ) ;
+
+    keyReq->keyId 	 = context->keyId;
+    keyReq->keyType  = xmlSecKeyDataTypeSymmetric;
+    if(transform->operation == xmlSecTransformOperationEncrypt) {
+		keyReq->keyUsage = xmlSecKeyUsageEncrypt;
+    } else {
+		keyReq->keyUsage = xmlSecKeyUsageDecrypt;
+    }
+
+	keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ;
+
+    return(0);
+}
+
+static int  	
+xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
+	xmlSecNssKeyWrapCtxPtr context = NULL ;
+	xmlSecKeyDataPtr	keyData = NULL ;
+	PK11SymKey*			symkey = NULL ;
+
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(key != NULL, -1);
+
+	context = xmlSecNssKeyWrapGetCtx( transform ) ;
+	if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssKeyWrapGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+	xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+	keyData = xmlSecKeyGetValue( key ) ;
+	if( keyData == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+		    "xmlSecKeyGetValue" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+		    "xmlSecNssSymKeyDataGetKey" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	context->symkey = symkey ;
+
+	return(0) ;
+}
+
+/**
+ * key wrap transform
+ */
+static int 
+xmlSecNssKeyWrapCtxInit(
+	xmlSecNssKeyWrapCtxPtr		ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	xmlSecSize			blockSize ;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	if( ctx->material != NULL ) {
+		xmlSecBufferDestroy( ctx->material ) ;
+		ctx->material = NULL ;
+	}
+
+	if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_GetBlockSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	ctx->material = xmlSecBufferCreate( blockSize ) ;
+	if( ctx->material == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferCreate" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	/* read raw key material into context */
+	if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferSetData" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	return(0);
+}
+
+/**
+ * key wrap transform update
+ */
+static int 
+xmlSecNssKeyWrapCtxUpdate(
+	xmlSecNssKeyWrapCtxPtr		ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( ctx->material != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	/* read raw key material and append into context */
+	if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferAppend" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	return(0);
+}
+
+static int 
+xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) {
+    xmlSecSize s;
+    xmlSecSize i;
+    xmlSecByte c;
+    
+    xmlSecAssert2(buf != NULL, -1);
+    
+    s = size / 2;
+    --size;
+    for(i = 0; i < s; ++i) {
+	c = buf[i];
+	buf[i] = buf[size - i];
+	buf[size - i] = c;
+    }
+    return(0);
+}
+
+static xmlSecByte *
+xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize, 
+		     xmlSecByte *out, xmlSecSize outSize)
+{
+    PK11Context *context = NULL;
+    SECStatus s;
+    xmlSecByte *digest = NULL;
+    unsigned int len;
+
+    xmlSecAssert2(in != NULL, NULL);
+    xmlSecAssert2(out != NULL, NULL);
+    xmlSecAssert2(outSize >= SHA1_LENGTH, NULL);
+
+    /* Create a context for hashing (digesting) */
+    context = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (context == NULL) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_CreateDigestContext",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "error code = %d", PORT_GetError());
+	goto done;
+    }
+
+    s = PK11_DigestBegin(context);
+    if (s != SECSuccess) { 
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_DigestBegin",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "error code = %d", PORT_GetError());
+	goto done;
+    }
+
+    s = PK11_DigestOp(context, in, inSize);
+    if (s != SECSuccess) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_DigestOp",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "error code = %d", PORT_GetError());
+	goto done;
+    }
+
+    s = PK11_DigestFinal(context, out, &len, outSize);
+    if (s != SECSuccess) {
+	xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_DigestFinal",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "error code = %d", PORT_GetError());
+	goto done;
+    }
+    xmlSecAssert2(len == SHA1_LENGTH, NULL);
+
+    digest = out;
+
+done:
+    if (context != NULL) {
+	PK11_DestroyContext(context, PR_TRUE);
+    }
+    return (digest);
+}
+
+static int
+xmlSecNssKWDes3Encrypt(
+	PK11SymKey*					symKey ,
+	CK_MECHANISM_TYPE			cipherMech ,
+    const xmlSecByte*			iv ,
+	xmlSecSize					ivSize ,
+    const xmlSecByte*			in ,
+	xmlSecSize					inSize ,
+    xmlSecByte*     			out ,
+	xmlSecSize					outSize ,
+	int							enc
+) {
+    PK11Context*        EncContext = NULL;
+	SECItem				ivItem ;
+	SECItem*			secParam = NULL ;
+    int					tmp1_outlen;
+    unsigned int		tmp2_outlen;
+	int                 result_len = -1;
+	SECStatus           rv;
+
+	xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( symKey != NULL , -1 ) ;
+    xmlSecAssert2(iv != NULL, -1);
+    xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1);
+    xmlSecAssert2(in != NULL, -1);
+    xmlSecAssert2(inSize > 0, -1);
+    xmlSecAssert2(out != NULL, -1);
+    xmlSecAssert2(outSize >= inSize, -1);
+ 
+	/* Prepare IV */
+	ivItem.data = ( unsigned char* )iv ;
+	ivItem.len = ivSize ;
+
+    secParam = PK11_ParamFromIV(cipherMech, &ivItem);
+    if (secParam == NULL) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_ParamFromIV",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "Error code = %d", PORT_GetError());
+		goto done;
+    }
+
+    EncContext = PK11_CreateContextBySymKey(cipherMech, 
+		    			    enc ? CKA_ENCRYPT : CKA_DECRYPT,
+					    symKey, secParam);
+    if (EncContext == NULL) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_CreateContextBySymKey",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "Error code = %d", PORT_GetError());
+		goto done;
+    }
+
+    tmp1_outlen = tmp2_outlen = 0;
+    rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize,
+		       (unsigned char *)in, inSize);
+    if (rv != SECSuccess) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_CipherOp",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "Error code = %d", PORT_GetError());
+		goto done;
+    }
+
+    rv = PK11_DigestFinal(EncContext, out+tmp1_outlen, 
+		    	  &tmp2_outlen, outSize-tmp1_outlen);
+    if (rv != SECSuccess) {
+		xmlSecError(XMLSEC_ERRORS_HERE,
+		    NULL,
+		    "PK11_DigestFinal",
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    "Error code = %d", PORT_GetError());
+		goto done;
+    }
+
+    result_len = tmp1_outlen + tmp2_outlen;
+
+done:
+    if (secParam) {
+		SECITEM_FreeItem(secParam, PR_TRUE);
+    }
+    if (EncContext) {
+	PK11_DestroyContext(EncContext, PR_TRUE);
+    }
+
+    return(result_len);
+}
+
+static int
+xmlSecNssKeyWrapDesOp(
+	xmlSecNssKeyWrapCtxPtr		ctx ,
+	int 						encrypt ,
+	xmlSecBufferPtr 			result
+) {
+    xmlSecByte sha1[SHA1_LENGTH];    
+    xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH];
+    xmlSecByte* in;    
+    xmlSecSize inSize;    
+    xmlSecByte* out;    
+    xmlSecSize outSize;    
+    xmlSecSize s;    
+    int ret;
+    SECStatus status;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( ctx->material != NULL , -1 ) ;
+	xmlSecAssert2( result != NULL , -1 ) ;
+
+	in = xmlSecBufferGetData(ctx->material);
+	inSize = xmlSecBufferGetSize(ctx->material) ;
+	out = xmlSecBufferGetData(result);
+	outSize = xmlSecBufferGetMaxSize(result) ;
+	if( encrypt ) {
+    	/* step 2: calculate sha1 and CMS */
+    	if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+			    "xmlSecNssComputeSHA1",
+			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+			    XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+
+	    /* step 3: construct WKCKS */
+    	memcpy(out, in, inSize);
+	    memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH);
+
+    	/* step 4: generate random iv */
+    	status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH);
+    	if(status != SECSuccess) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"PK11_GenerateRandom",
+		    	XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    	"error code = %d", PORT_GetError());
+			return(-1);    
+    	}	
+
+    	/* step 5: first encryption, result is TEMP1 */
+    	ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+				    iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+					out, inSize + XMLSEC_NSS_DES3_IV_LENGTH,
+					out, outSize, 1);
+    	if(ret < 0) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"xmlSecNssKWDes3Encrypt",
+		    	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		    	XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+
+    	/* step 6: construct TEMP2=IV || TEMP1 */
+    	memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out, 
+	    	inSize + XMLSEC_NSS_DES3_IV_LENGTH);
+    	memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH);
+    		s = ret + XMLSEC_NSS_DES3_IV_LENGTH; 
+    
+    	/* step 7: reverse octets order, result is TEMP3 */
+	    ret = xmlSecNssKWDes3BufferReverse(out, s);
+   	 	if(ret < 0) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+			    "xmlSecNssKWDes3BufferReverse",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+
+    	/* step 8: second encryption with static IV */
+    	ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+				    xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+					out, s,
+					out, outSize, 1);
+    	if(ret < 0) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+			    "xmlSecNssKWDes3Encrypt",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+		s = ret;
+
+		if( xmlSecBufferSetSize( result , s ) < 0 ) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+			    "xmlSecBufferSetSize",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+		}
+	} else {
+    	/* step 2: first decryption with static IV, result is TEMP3 */
+    	ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+				    xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+					in, inSize,
+					out, outSize, 0);
+    	if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"xmlSecNssKWDes3Encrypt",
+		    	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		    	XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+    	s = ret; 
+    
+    	/* step 3: reverse octets order in TEMP3, result is TEMP2 */
+    	ret = xmlSecNssKWDes3BufferReverse(out, s);
+    	if(ret < 0) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"xmlSecNssKWDes3BufferReverse",
+		    	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		    	XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+
+    	/* steps 4 and 5: get IV and decrypt second time, result is WKCKS */
+    	ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+				    out, XMLSEC_NSS_DES3_IV_LENGTH, 
+					out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH,
+					out, outSize, 0);
+    	if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"xmlSecNssKWDes3Encrypt",
+		    	XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		    	XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+    	}
+		s = ret - XMLSEC_NSS_DES3_IV_LENGTH;
+    
+    	/* steps 6 and 7: calculate SHA1 and validate it */
+    	if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+		    	NULL,
+		    	"xmlSecNssComputeSHA1",
+		    	XMLSEC_ERRORS_R_CRYPTO_FAILED,
+		    	XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+   		 }
+
+		if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+		   		 NULL,
+			    XMLSEC_ERRORS_R_INVALID_DATA,
+			    "SHA1 does not match");
+			return(-1);	    
+		}
+
+		if( xmlSecBufferSetSize( result , s ) < 0 ) {
+			xmlSecError(XMLSEC_ERRORS_HERE,
+			    NULL,
+			    "xmlSecBufferSetSize",
+			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+			    XMLSEC_ERRORS_NO_MESSAGE);
+			return(-1);	    
+		}
+	}
+
+	return(0);
+}
+
+static int
+xmlSecNssKeyWrapAesOp(
+	xmlSecNssKeyWrapCtxPtr		ctx ,
+	int 						encrypt ,
+	xmlSecBufferPtr 			result
+) {
+    PK11Context*        cipherCtx = NULL;
+	SECItem				ivItem ;
+	SECItem*			secParam = NULL ;
+	xmlSecSize			inSize ;
+	xmlSecSize			inBlocks ;
+	int					blockSize ;
+	int					midSize ;
+	int					finSize ;
+	xmlSecByte*			out ;
+    xmlSecSize			outSize;    
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( ctx->material != NULL , -1 ) ;
+	xmlSecAssert2( result != NULL , -1 ) ;
+
+	/* Do not set any IV */
+    memset(&ivItem, 0, sizeof(ivItem));
+
+	/* Get block size */
+	if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_GetBlockSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	inSize = xmlSecBufferGetSize( ctx->material ) ;
+	if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferSetMaxSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	/* Get Param for context initialization */
+	if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_ParamFromIV" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
+	if( cipherCtx == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_CreateContextBySymKey" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		SECITEM_FreeItem( secParam , PR_TRUE ) ;
+		return(-1);    
+	}
+
+	out = xmlSecBufferGetData(result) ;
+	outSize = xmlSecBufferGetMaxSize(result) ;
+	if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_CipherOp" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_DigestFinal" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferSetSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	return 0 ;
+}
+
+/**
+ * Block cipher transform final
+ */
+static int 
+xmlSecNssKeyWrapCtxFinal(
+	xmlSecNssKeyWrapCtxPtr		ctx ,
+	xmlSecBufferPtr 			in ,
+	xmlSecBufferPtr 			out ,
+	int 						encrypt ,
+	xmlSecTransformCtxPtr 		transformCtx
+) {
+	PK11SymKey*			targetKey ;
+	xmlSecSize			blockSize ;
+	xmlSecBufferPtr		result ;
+
+	xmlSecAssert2( ctx != NULL , -1 ) ;
+	xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+	xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+	xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+	xmlSecAssert2( ctx->material != NULL , -1 ) ;
+	xmlSecAssert2( in != NULL , -1 ) ;
+	xmlSecAssert2( out != NULL , -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	/* read raw key material and append into context */
+	if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferAppend" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferRemoveHead" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	/* Now we get all of the key materail */
+	/* from now on we will wrap or unwrap the key */
+	if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"PK11_GetBlockSize" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	result = xmlSecBufferCreate( blockSize ) ;
+	if( result == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferCreate" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	switch( ctx->cipher ) {
+		case CKM_DES3_CBC :
+			if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					NULL ,
+					"xmlSecNssKeyWrapDesOp" ,
+					XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				xmlSecBufferDestroy(result);
+				return(-1);    
+			}
+			break ;
+	/*	case CKM_NETSCAPE_AES_KEY_WRAP :*/
+		case CKM_AES_CBC :
+			if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					NULL ,
+					"xmlSecNssKeyWrapAesOp" ,
+					XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				xmlSecBufferDestroy(result);
+				return(-1);    
+			}
+			break ;
+	}
+
+	/* Write output */
+	if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			"xmlSecBufferAppend" ,
+			XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		xmlSecBufferDestroy(result);
+		return(-1);    
+	}
+	xmlSecBufferDestroy(result);
+
+	return(0);
+}
+
+static int 
+xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
+	xmlSecNssKeyWrapCtxPtr 	context = NULL ;
+	xmlSecBufferPtr			inBuf, outBuf ; 
+	int						operation ;
+	int						rtv ;
+
+	xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ;
+	xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+	xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+	context = xmlSecNssKeyWrapGetCtx( transform ) ;
+	if( context == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+		    xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+		    "xmlSecNssKeyWrapGetCtx" ,
+		    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+		    XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return(-1);    
+	}
+
+	inBuf = &( transform->inBuf ) ;
+	outBuf = &( transform->outBuf ) ;
+
+	if( transform->status == xmlSecTransformStatusNone ) {
+		transform->status = xmlSecTransformStatusWorking ;
+	}
+
+	operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+	if( transform->status == xmlSecTransformStatusWorking ) {
+		if( context->material == NULL ) {
+			rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssKeyWrapCtxInit" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return(-1);
+			}
+		}
+
+		if( context->material == NULL && last != 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE , 
+				xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_INVALID_STATUS ,
+				"No enough data to intialize transform" ) ;
+			return(-1);
+		}
+
+		if( context->material != NULL ) {
+			rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssKeyWrapCtxUpdate" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return(-1);
+			}
+		}
+		
+		if( last ) {
+			rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ;
+			if( rtv < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE , 
+					xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+					"xmlSecNssKeyWrapCtxFinal" ,
+					XMLSEC_ERRORS_R_INVALID_STATUS ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				return(-1);
+			}
+			transform->status = xmlSecTransformStatusFinished ;
+		}
+	} else if( transform->status == xmlSecTransformStatusFinished ) {
+		if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE , 
+				xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+				NULL ,
+				XMLSEC_ERRORS_R_INVALID_STATUS ,
+				"status=%d", transform->status ) ;
+			return(-1);
+		}
+	} else {
+		xmlSecError( XMLSEC_ERRORS_HERE , 
+			xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+			NULL ,
+			XMLSEC_ERRORS_R_INVALID_STATUS ,
+			"status=%d", transform->status ) ;
+		return(-1);
+	}
+
+	return(0);
+}
+
+#ifndef XMLSEC_NO_AES
+
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,				/* xmlSecSize objSize */
+
+    xmlSecNameKWAes128,				/* const xmlChar* name; */
+    xmlSecHrefKWAes128,				/* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize, 			/* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,			/* xmlSecTransformFinalizeMethod finalize; */
+    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
+    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,			/* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,			/* xmlSecTransformSetKeyMethod setKey; */
+    NULL,					/* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
+    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,			/* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,					/* void* reserved0; */
+    NULL,					/* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,				/* xmlSecSize objSize */
+
+    xmlSecNameKWAes192,				/* const xmlChar* name; */
+    xmlSecHrefKWAes192,				/* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize, 			/* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,			/* xmlSecTransformFinalizeMethod finalize; */
+    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
+    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,			/* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,			/* xmlSecTransformSetKeyMethod setKey; */
+    NULL,					/* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
+    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,			/* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,					/* void* reserved0; */
+    NULL,					/* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,				/* xmlSecSize objSize */
+
+    xmlSecNameKWAes256,				/* const xmlChar* name; */
+    xmlSecHrefKWAes256,				/* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize, 			/* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,			/* xmlSecTransformFinalizeMethod finalize; */
+    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
+    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,			/* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,			/* xmlSecTransformSetKeyMethod setKey; */
+    NULL,					/* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
+    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,			/* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,					/* void* reserved0; */
+    NULL,					/* void* reserved1; */
+};
+
+/** 
+ * xmlSecNssTransformKWAes128GetKlass:
+ *
+ * The AES-128 key wrapper transform klass.
+ *
+ * Returns AES-128 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes128GetKlass(void) {
+    return(&xmlSecNssKWAes128Klass);
+}
+
+/** 
+ * xmlSecNssTransformKWAes192GetKlass:
+ *
+ * The AES-192 key wrapper transform klass.
+ *
+ * Returns AES-192 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes192GetKlass(void) {
+    return(&xmlSecNssKWAes192Klass);
+}
+
+/** 
+ *
+ * The AES-256 key wrapper transform klass.
+ *
+ * Returns AES-256 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes256GetKlass(void) {
+    return(&xmlSecNssKWAes256Klass);
+}
+
+#endif /* XMLSEC_NO_AES */
+
+
+#ifndef XMLSEC_NO_DES
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),		/* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,			/* xmlSecSize objSize */
+
+    xmlSecNameKWDes3,				/* const xmlChar* name; */
+    xmlSecHrefKWDes3, 				/* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,	/* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize, 			/* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,			/* xmlSecTransformFinalizeMethod finalize; */
+    NULL,					/* xmlSecTransformNodeReadMethod readNode; */
+    NULL,					/* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,			/* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,			/* xmlSecTransformSetKeyMethod setKey; */
+    NULL,					/* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,		/* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,		/* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,		/* xmlSecTransformPopBinMethod popBin; */
+    NULL,					/* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,					/* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,			/* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,					/* void* reserved0; */
+    NULL,					/* void* reserved1; */
+};
+
+/** 
+ * xmlSecNssTransformKWDes3GetKlass:
+ * 
+ * The Triple DES key wrapper transform klass.
+ *
+ * Returns Triple DES key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWDes3GetKlass(void) {
+    return(&xmlSecNssKWDes3Klass);
+}
+
+#endif /* XMLSEC_NO_DES */
+
--- misc/xmlsec1-1.2.14/src/nss/pkikeys.c	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/pkikeys.c	2009-09-21 14:02:48.657352624 +0200
@@ -24,6 +24,7 @@
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/bignum.h>
 #include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/tokens.h>
 
 /**************************************************************************
  *
@@ -115,6 +116,8 @@
                           xmlSecNssPKIKeyDataCtxPtr ctxSrc)
 {
     xmlSecNSSPKIKeyDataCtxFree(ctxDst);
+    ctxDst->privkey = NULL ;
+    ctxDst->pubkey = NULL ;
     if (ctxSrc->privkey != NULL) {
 	ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey);
 	if(ctxDst->privkey == NULL) {
@@ -588,13 +591,13 @@
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA);
     if(slot == NULL) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-		    "PK11_GetBestSlot",
+		    "xmlSecNssSlotGet",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
 	ret = -1;
 	goto done;
     }
@@ -792,14 +795,14 @@
     if (slot != NULL) {
 	PK11_FreeSlot(slot);
     }
-    if (ret != 0) {
+
 	if (pubkey != NULL) {
 	    SECKEY_DestroyPublicKey(pubkey);
 	}
 	if (data != NULL) {
 	    xmlSecKeyDataDestroy(data);
 	}
-    }
+
     return(ret);
 }
 
@@ -818,7 +821,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
 	/* we can have only private key or public key */
@@ -940,7 +943,8 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_PQG_ParamGen",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    "size=%d", sizeBits);
+		    "size=%d, error code=%d", sizeBits, PORT_GetError());
+	ret = -1;
 	goto done;
     }
 
@@ -950,11 +954,12 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_PQG_VerifyParams",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    "size=%d", sizeBits);
+		    "size=%d, error code=%d", sizeBits, PORT_GetError());
+	ret = -1;
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams,
 				   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -964,8 +969,9 @@
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    "PK11_GenerateKeyPair",
 		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
+		    "error code=%d", PORT_GetError());
         
+	ret = -1;
 	goto done;
     }
 
@@ -979,6 +985,8 @@
 	goto done;
     }
 
+    privkey = NULL ;
+    pubkey = NULL ;
     ret = 0;
 
 done:
@@ -991,16 +999,13 @@
     if (pqgVerify != NULL) {
 	PK11_PQG_DestroyVerify(pqgVerify);
     }
-    if (ret == 0) {
-	return (0);
-    }
     if (pubkey != NULL) {
 	SECKEY_DestroyPublicKey(pubkey);
     }
     if (privkey != NULL) {
 	SECKEY_DestroyPrivateKey(privkey);
     }
-    return(-1);
+    return(ret);
 }
 
 static xmlSecKeyDataType
@@ -1010,10 +1015,10 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
     if (ctx->privkey != NULL) {
 	return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-    } else {
+    } else if( ctx->pubkey != NULL ) {
 	return(xmlSecKeyDataTypePublic);
     }
        
@@ -1027,7 +1032,7 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
@@ -1216,13 +1221,13 @@
 	goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS);
     if(slot == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                    "PK11_GetBestSlot",
+                    "xmlSecNssSlotGet",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1384,7 +1389,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/
 
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
@@ -1455,7 +1460,7 @@
     params.keySizeInBits = sizeBits;
     params.pe = 65537;
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &params,
 				   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -1525,7 +1530,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
--- misc/xmlsec1-1.2.14/src/nss/symkeys.c	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/symkeys.c	2009-09-21 14:02:48.620574832 +0200
@@ -15,20 +15,41 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <pk11func.h>
+#include <nss.h>
+
 #include <xmlsec/xmlsec.h>
 #include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/tokens.h>
 
 /*****************************************************************************
  * 
- * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary
+ * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey
  *
  ****************************************************************************/
+typedef struct _xmlSecNssSymKeyDataCtx      xmlSecNssSymKeyDataCtx ;
+typedef struct _xmlSecNssSymKeyDataCtx*     xmlSecNssSymKeyDataCtxPtr ;
+
+struct _xmlSecNssSymKeyDataCtx {
+    CK_MECHANISM_TYPE       cipher ;    /* the symmetic key mechanism */
+    PK11SlotInfo*           slot ;      /* the key resident slot */
+    PK11SymKey*             symkey ;    /* the symmetic key */
+} ;
+
+#define xmlSecNssSymKeyDataSize \
+    ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) )
+
+#define xmlSecNssSymKeyDataGetCtx( data ) \
+    ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) )
+
 static int	xmlSecNssSymKeyDataInitialize		(xmlSecKeyDataPtr data);
 static int	xmlSecNssSymKeyDataDuplicate		(xmlSecKeyDataPtr dst,
 							 xmlSecKeyDataPtr src);
@@ -67,107 +88,743 @@
     (xmlSecKeyDataIsValid((data)) && \
      xmlSecNssSymKeyDataKlassCheck((data)->id))
 
+/**
+ * xmlSecNssSymKeyDataAdoptKey:
+ * @data:                              the pointer to symmetric key data.
+ * @symkey:                            the symmetric key
+ *
+ * Set the value of symmetric key data.
+ *
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+int
+xmlSecNssSymKeyDataAdoptKey(
+       xmlSecKeyDataPtr data ,
+       PK11SymKey* symkey
+) {
+       xmlSecNssSymKeyDataCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ;
+       xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ;
+       xmlSecAssert2( symkey != NULL, -1 ) ;
+
+       context = xmlSecNssSymKeyDataGetCtx( data ) ;
+       xmlSecAssert2(context != NULL, -1);
+
+       context->cipher = PK11_GetMechanism( symkey ) ;
+
+       if( context->slot != NULL ) {
+               PK11_FreeSlot( context->slot ) ;
+               context->slot = NULL ;
+       }
+       context->slot = PK11_GetSlotFromKey( symkey ) ;
+
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
+       context->symkey = PK11_ReferenceSymKey( symkey ) ;
+
+       return 0 ;
+}
+
+xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt(
+    PK11SymKey*     symKey
+) {
+       xmlSecKeyDataPtr        data = NULL ;
+       CK_MECHANISM_TYPE       mechanism = CKM_INVALID_MECHANISM ;
+
+       xmlSecAssert2( symKey != NULL , NULL ) ;
+
+       mechanism = PK11_GetMechanism( symKey ) ;
+       switch( mechanism ) {
+               case CKM_DES3_KEY_GEN :
+               case CKM_DES3_CBC :
+               case CKM_DES3_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               case CKM_AES_KEY_GEN :
+               case CKM_AES_CBC :
+               case CKM_AES_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               default :
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               "Unsupported mechanism" ) ;
+                       return NULL ;
+       }
+
+       if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataAdoptKey" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyDataDestroy( data ) ;
+               return NULL ;
+       }
+
+       return data ;
+}
+
+
+PK11SymKey*
+xmlSecNssSymKeyDataGetKey(
+    xmlSecKeyDataPtr data
+) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    PK11SymKey* symkey ;
+
+    xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, NULL);
+
+    if( ctx->symkey != NULL ) {
+        symkey = PK11_ReferenceSymKey( ctx->symkey ) ;
+    } else {
+        symkey = NULL ;
+    }
+
+    return(symkey);
+}
+
 static int
 xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
-    
-    return(xmlSecKeyDataBinaryValueInitialize(data));
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx));
+
+    /* Set the block cipher mechanism */
+#ifndef XMLSEC_NO_DES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_DES3_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_AES_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_AES */
+
+    if(1) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            "Unsupported block cipher" ) ;
+        return(-1) ;
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
+    xmlSecNssSymKeyDataCtxPtr ctxDst;
+    xmlSecNssSymKeyDataCtxPtr ctxSrc;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(dst->id == src->id, -1);
-        
-    return(xmlSecKeyDataBinaryValueDuplicate(dst, src));
+
+    ctxDst = xmlSecNssSymKeyDataGetCtx(dst);
+    xmlSecAssert2(ctxDst != NULL, -1);
+
+    ctxSrc = xmlSecNssSymKeyDataGetCtx(src);
+    xmlSecAssert2(ctxSrc != NULL, -1);
+
+    ctxDst->cipher = ctxSrc->cipher ;
+
+    if( ctxSrc->slot != NULL ) {
+        if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+
+        if( ctxDst->slot == NULL && ctxSrc->slot != NULL )
+            ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ;
+    } else {
+        if( ctxDst->slot != NULL ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+    }
+
+    if( ctxSrc->symkey != NULL ) {
+        if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+
+        if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL )
+            ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ;
+    } else {
+        if( ctxDst->symkey != NULL ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+    }
+
+    return(0);
 }
 
 static void
 xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-    
-    xmlSecKeyDataBinaryValueFinalize(data);
+    xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize));
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert(ctx != NULL);
+
+    if( ctx->slot != NULL ) {
+        PK11_FreeSlot( ctx->slot ) ;
+        ctx->slot = NULL ;
+    }
+
+    if( ctx->symkey != NULL ) {
+        PK11_FreeSymKey( ctx->symkey ) ;
+        ctx->symkey = NULL ;
+    }
+
+    ctx->cipher = CKM_INVALID_MECHANISM ;
 }
 
 static int
 xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
 			       xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecBufferPtr keyBuf;
+    xmlSecSize len;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+    
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Create a buffer for raw symmetric key value */
+    if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecBufferCreate" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Read the raw key value */
+    if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = xmlSecBufferGetData( keyBuf ) ;
+    keyItem.len = xmlSecBufferGetSize( keyBuf ) ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               PK11_FreeSlot( slot ) ;
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+       PK11_FreeSlot( slot ) ;
+
+    /* raw key material has been copied into symKey, it isn't used any more */
+    xmlSecBufferDestroy( keyBuf ) ;
+    
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        PK11_FreeSymKey( symKey ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
     
-    return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx));
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int 
 xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
-    
-    return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx));
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+               xmlSecBufferPtr keyBuf ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               /* Create key data buffer with raw kwy material */
+               keyBuf = xmlSecBufferCreate(keyItem->len) ;
+           if(keyBuf == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferCreate",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ;
+
+               /* Write raw key material into current xml node */
+               if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferBase64NodeContentWrite",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       xmlSecBufferDestroy(keyBuf);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+               xmlSecBufferDestroy(keyBuf);
+               PK11_FreeSymKey( symKey ) ;
+    }
+
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    const xmlSecByte* buf, xmlSecSize bufSize,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = buf ;
+    keyItem.len = bufSize ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        PK11_FreeSymKey( symKey ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+       PK11_FreeSlot( slot ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
     
-    return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx));
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				    xmlSecByte** buf, xmlSecSize* bufSize,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               *bufSize = keyItem->len;
+               *buf = ( xmlSecByte* )xmlMalloc( *bufSize );
+               if( *buf == NULL ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               NULL,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+       memcpy((*buf), keyItem->data, (*bufSize));
+       PK11_FreeSymKey( symKey ) ;
+    }
     
-    return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx));
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
-    xmlSecBufferPtr buffer;
+    PK11SymKey* symkey ;
+    PK11SlotInfo* slot ;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    int ret;
 
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
     xmlSecAssert2(sizeBits > 0, -1);
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, -1);
-    
-    return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8));
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    if( sizeBits % 8 != 0 ) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+         xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+         NULL,
+         XMLSEC_ERRORS_R_XMLSEC_FAILED,
+         "Symmetric key size must be octuple");
+     return(-1);
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return(-1) ;
+    }
+
+    if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "PK11_Authenticate" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            PK11_FreeSlot( slot ) ;
+            return -1 ;
+    }
+
+    symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ;
+    if( symkey == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "PK11_KeyGen" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            PK11_FreeSlot( slot ) ;
+            return -1 ;
+    }
+
+    if( ctx->slot != NULL ) {
+            PK11_FreeSlot( ctx->slot ) ;
+            ctx->slot = NULL ;
+    }
+    ctx->slot = slot ;
+
+    if( ctx->symkey != NULL ) {
+            PK11_FreeSymKey( ctx->symkey ) ;
+            ctx->symkey = NULL ;
+    }
+    ctx->symkey = symkey ;
+
+    return 0;
 }
 
 static xmlSecKeyDataType
 xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) {
-    xmlSecBufferPtr buffer;
+    xmlSecNssSymKeyDataCtxPtr context = NULL ;
+    xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ;
 
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown);
+    xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ;
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown);
+    context = xmlSecNssSymKeyDataGetCtx( data ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssSymKeyDataGetCtx" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return xmlSecKeyDataTypeUnknown ;
+    }
 
-    return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown);
+    if( context->symkey != NULL ) {
+            type |= xmlSecKeyDataTypeSymmetric ;
+    } else {
+            type |= xmlSecKeyDataTypeUnknown ;
+    }
+
+    return type ;
 }
 
 static xmlSecSize 
 xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr context ;
+    unsigned int    length = 0 ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0);
+    xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ;
+    context = xmlSecNssSymKeyDataGetCtx( data ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssSymKeyDataGetCtx" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return 0 ;
+    }
+
+    if( context->symkey != NULL ) {
+            length = PK11_GetKeyLength( context->symkey ) ;
+            length *= 8 ;
+    }
     
-    return(xmlSecKeyDataBinaryValueGetSize(data));
+    return length ;
 }
 
 static void 
 xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
     
-    xmlSecKeyDataBinaryValueDebugDump(data, output);    
+    /* print only size, everything else is sensitive */
+    fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName ,
+        xmlSecKeyDataGetSize(data)) ;
 }
 
 static void
 xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-    
-    xmlSecKeyDataBinaryValueDebugXmlDump(data, output);    
+
+    /* print only size, everything else is sensitive */
+    fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName ,
+        xmlSecKeyDataGetSize(data)) ;
 }
 
 static int 
@@ -201,7 +858,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameAESKeyValue,
@@ -282,7 +939,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameDESKeyValue,
@@ -364,7 +1021,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameHMACKeyValue,
--- misc/xmlsec1-1.2.14/src/nss/tokens.c	2009-09-21 14:07:19.249145861 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/tokens.c	2009-09-21 14:02:48.556772442 +0200
@@ -1 +1,548 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright..................................
+ *
+ * Contributor(s): _____________________________
+ *
+ */
+
+/**
+ * In order to ensure that particular crypto operation is performed on
+ * particular crypto device, a subclass of xmlSecList is used to store slot and 
+ * mechanism information.
+ *
+ * In the list, a slot is bound with a mechanism. If the mechanism is available,
+ * this mechanism only can perform on the slot; otherwise, it can perform on
+ * every eligibl slot in the list.
+ *
+ * When try to find a slot for a particular mechanism, the slot bound with
+ * available mechanism will be looked up firstly.
+ */
+#include "globals.h"
+#include <string.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/errors.h>
+#include <xmlsec/list.h>
+
+#include <xmlsec/nss/tokens.h>
+
+int
+xmlSecNssKeySlotSetMechList(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE_PTR mechanismList
+) {
+	int counter ;
+
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+	if( keySlot->mechanismList != CK_NULL_PTR ) {
+		xmlFree( keySlot->mechanismList ) ;
+
+		for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+		keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+		if( keySlot->mechanismList == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return( -1 );
+		}
+		for( ; counter >= 0 ; counter -- )
+			*( keySlot->mechanismList + counter ) = *(  mechanismList + counter ) ;
+	}
+
+	return( 0 );
+}
+
+int
+xmlSecNssKeySlotEnableMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE mechanism
+) {
+	int counter ;
+	CK_MECHANISM_TYPE_PTR newList ;
+
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+	if( mechanism != CKM_INVALID_MECHANISM ) {
+		for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+		newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+		if( newList == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return( -1 );
+		}
+		*( newList + counter + 1 ) = CKM_INVALID_MECHANISM ;
+		*( newList + counter ) = mechanism ;
+		for( counter -= 1 ; counter >= 0 ; counter -- )
+			*( newList + counter ) = *(  keySlot->mechanismList + counter ) ;
+
+		xmlFree( keySlot->mechanismList ) ;
+		keySlot->mechanismList = newList ;
+	}
+
+	return(0);
+}
+
+int
+xmlSecNssKeySlotDisableMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE mechanism
+) {
+	int counter ;
+
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+	for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+		if( *( keySlot->mechanismList + counter ) == mechanism ) {
+			for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+				*( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ;
+			}
+
+			break ;
+		}
+	}
+
+	return(0); 
+}
+
+CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) {
+	if( keySlot != NULL )
+		return keySlot->mechanismList ;
+	else
+		return NULL ;
+}
+
+int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+	PK11SlotInfo* slot
+) {
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+	if( slot != NULL && keySlot->slot != slot ) {
+		if( keySlot->slot != NULL )
+			PK11_FreeSlot( keySlot->slot ) ;
+
+		if( keySlot->mechanismList != NULL ) {
+			xmlFree( keySlot->mechanismList ) ;
+			keySlot->mechanismList = NULL ;
+		}
+
+		keySlot->slot = PK11_ReferenceSlot( slot ) ;
+	}
+
+	return(0);
+}
+
+int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+	PK11SlotInfo* slot
+) {
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+	xmlSecAssert2( keySlot->slot == NULL , -1 ) ;
+	xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ;
+
+	if( slot != NULL ) {
+		keySlot->slot = PK11_ReferenceSlot( slot ) ;
+	}
+
+	return(0);
+}
+
+void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) {
+	xmlSecAssert( keySlot != NULL ) ;
+
+	if( keySlot->mechanismList != NULL ) {
+		xmlFree( keySlot->mechanismList ) ;
+		keySlot->mechanismList = NULL ;
+	}
+
+	if( keySlot->slot != NULL ) {
+		PK11_FreeSlot( keySlot->slot ) ;
+		keySlot->slot = NULL ;
+	}
+		
+}
+
+PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+	xmlSecNssKeySlotPtr keySlot
+) {
+	if( keySlot != NULL )
+		return keySlot->slot ;
+	else
+		return NULL ;
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() {
+	xmlSecNssKeySlotPtr keySlot ;
+
+	/* Allocates a new xmlSecNssKeySlot and fill the fields */
+	keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ;
+	if( keySlot == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			NULL ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( NULL );
+	}
+	memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ;
+
+	return( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotCopy(
+	xmlSecNssKeySlotPtr newKeySlot ,
+	xmlSecNssKeySlotPtr keySlot
+) {
+	CK_MECHANISM_TYPE_PTR mech ;
+	int counter ;
+
+	xmlSecAssert2( newKeySlot != NULL , -1 ) ;
+	xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+	if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) {
+		if( newKeySlot->slot != NULL )
+			PK11_FreeSlot( newKeySlot->slot ) ;
+
+		newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ;
+	}
+
+	if( keySlot->mechanismList != CK_NULL_PTR ) {
+		xmlFree( newKeySlot->mechanismList ) ;
+
+		for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+		newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+		if( newKeySlot->mechanismList == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return( -1 );
+		}
+		for( ; counter >= 0 ; counter -- )
+			*( newKeySlot->mechanismList + counter ) = *(  keySlot->mechanismList + counter ) ;
+	}
+
+	return( 0 );
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+	xmlSecNssKeySlotPtr keySlot
+) {
+	xmlSecNssKeySlotPtr newKeySlot ;
+	int ret ;
+
+	xmlSecAssert2( keySlot != NULL , NULL ) ;
+
+	newKeySlot = xmlSecNssKeySlotCreate() ;
+	if( newKeySlot == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			NULL ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( NULL );
+	}
+
+	if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			NULL ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( NULL );
+	}
+
+	return( newKeySlot );
+}
+
+void
+xmlSecNssKeySlotDestroy(
+	    xmlSecNssKeySlotPtr keySlot
+) {
+	xmlSecAssert( keySlot != NULL ) ;
+
+	if( keySlot->mechanismList != NULL )
+		xmlFree( keySlot->mechanismList ) ;
+
+	if( keySlot->slot != NULL )
+		PK11_FreeSlot( keySlot->slot ) ;
+		
+	xmlFree( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotBindMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE type
+) {
+	int counter ;
+
+	xmlSecAssert2( keySlot != NULL , 0 ) ;
+	xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+	xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+	for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+		if( *( keySlot->mechanismList + counter ) == type )
+			return(1) ;
+	}
+
+	return( 0 ) ;
+}
+
+int
+xmlSecNssKeySlotSupportMech(
+	xmlSecNssKeySlotPtr keySlot ,
+	CK_MECHANISM_TYPE type
+) {
+	xmlSecAssert2( keySlot != NULL , 0 ) ;
+	xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+	xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+	if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) {
+		return(1);
+	} else
+		return(0);
+}
+
+void
+xmlSecNssKeySlotDebugDump(
+	xmlSecNssKeySlotPtr keySlot ,
+	FILE* output
+) {
+	xmlSecAssert( keySlot != NULL ) ;
+	xmlSecAssert( output != NULL ) ;
+
+	fprintf( output, "== KEY SLOT\n" );
+}
+
+void
+xmlSecNssKeySlotDebugXmlDump(
+	xmlSecNssKeySlotPtr keySlot ,
+	FILE* output
+) {
+}
+
+/**
+ * Key Slot List
+ */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#else
+static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#endif
+    BAD_CAST "mechanism-list",
+    (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate,
+    (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump,
+};
+
+xmlSecPtrListId 
+xmlSecNssKeySlotListGetKlass(void) {
+    return(&xmlSecNssKeySlotPtrListKlass);
+}
+
+
+/*-
+ * Global PKCS#11 crypto token repository -- Key slot list
+ */
+static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ;
+
+PK11SlotInfo*
+xmlSecNssSlotGet(
+	CK_MECHANISM_TYPE type
+) {
+	PK11SlotInfo*			slot = NULL ;
+	xmlSecNssKeySlotPtr		keySlot ;
+	xmlSecSize				ksSize ;
+	xmlSecSize				ksPos ;
+	char					flag ;
+
+	if( _xmlSecNssKeySlotList == NULL ) {
+		slot = PK11_GetBestSlot( type , NULL ) ;
+	} else {
+		ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+		/*-
+		 * Firstly, checking whether the mechanism is bound with a special slot.
+		 * If no bound slot, we try to find the first eligible slot in the list.
+		 */
+		for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+			keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+			if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) {
+				slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+				flag = 2 ;
+			} else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) {
+				slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+				flag = 1 ;
+			}
+
+			if( flag == 2 )
+				break ;
+		}
+		if( slot != NULL )
+			slot = PK11_ReferenceSlot( slot ) ;
+	}
+
+	if( slot != NULL && PK11_NeedLogin( slot ) ) {
+		if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			PK11_FreeSlot( slot ) ;
+			return( NULL );
+		}
+	}
+
+	return slot ;
+}
+
+int
+xmlSecNssSlotInitialize(
+	void
+) {
+	if( _xmlSecNssKeySlotList != NULL ) {
+		xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+		_xmlSecNssKeySlotList = NULL ;
+	}
+
+	_xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ;
+	if( _xmlSecNssKeySlotList == NULL ) {
+		xmlSecError( XMLSEC_ERRORS_HERE ,
+			NULL ,
+			NULL ,
+			XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+			XMLSEC_ERRORS_NO_MESSAGE ) ;
+		return( -1 );
+	}
+
+	return(0);
+}
+
+void
+xmlSecNssSlotShutdown(
+	void
+) {
+	if( _xmlSecNssKeySlotList != NULL ) {
+		xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+		_xmlSecNssKeySlotList = NULL ;
+	}
+}
+
+int
+xmlSecNssSlotAdopt(
+	PK11SlotInfo* slot,
+	CK_MECHANISM_TYPE type
+) {
+	xmlSecNssKeySlotPtr		keySlot ;
+	xmlSecSize				ksSize ;
+	xmlSecSize				ksPos ;
+	char					flag ;
+
+	xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ;
+	xmlSecAssert2( slot != NULL, -1 ) ;
+
+	ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+	/*-
+	 * Firstly, checking whether the slot is in the repository already.
+	 */
+	flag = 0 ;
+	for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+		keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+		/* If find the slot in the list */
+		if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) {
+			/* If mechnism type is valid, bind the slot with the mechanism */
+			if( type != CKM_INVALID_MECHANISM ) {
+				if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+					xmlSecError( XMLSEC_ERRORS_HERE ,
+						NULL ,
+						NULL ,
+						XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+						XMLSEC_ERRORS_NO_MESSAGE ) ;
+					return(-1);
+				}
+			}
+
+			flag = 1 ;
+		}
+	}
+
+	/* If the slot do not in the list, add a new item to the list */
+	if( flag == 0 ) {
+		/* Create a new KeySlot */
+		keySlot = xmlSecNssKeySlotCreate() ;
+		if( keySlot == NULL ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			return(-1);
+		}
+
+		/* Initialize the keySlot with a slot */
+		if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecNssKeySlotDestroy( keySlot ) ;
+			return(-1);
+		}
+
+		/* If mechnism type is valid, bind the slot with the mechanism */
+		if( type != CKM_INVALID_MECHANISM ) {
+			if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+				xmlSecError( XMLSEC_ERRORS_HERE ,
+					NULL ,
+					NULL ,
+					XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+					XMLSEC_ERRORS_NO_MESSAGE ) ;
+				xmlSecNssKeySlotDestroy( keySlot ) ;
+				return(-1);
+			}
+		}
+
+		/* Add keySlot into the list */
+		if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) {
+			xmlSecError( XMLSEC_ERRORS_HERE ,
+				NULL ,
+				NULL ,
+				XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+				XMLSEC_ERRORS_NO_MESSAGE ) ;
+			xmlSecNssKeySlotDestroy( keySlot ) ;
+			return(-1);
+		}
+	}
+
+	return(0);
+}
+
--- misc/xmlsec1-1.2.14/src/nss/x509.c	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/x509.c	2009-09-21 14:02:48.642312431 +0200
@@ -34,7 +34,6 @@
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
-#include <xmlsec/x509.h>
 #include <xmlsec/base64.h>
 #include <xmlsec/errors.h>
 
@@ -61,33 +60,18 @@
 static int		xmlSecNssX509CertificateNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509CertificateNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509SubjectNameNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509SubjectNameNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509IssuerSerialNodeRead	(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509IssuerSerialNodeWrite	(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509SKINodeRead		(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509SKINodeWrite		(CERTCertificate* cert,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssX509CRLNodeRead		(xmlSecKeyDataPtr data,
 								 xmlNodePtr node,
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int		xmlSecNssX509CRLNodeWrite		(CERTSignedCrl* crl,
-								 xmlNodePtr node,
-								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int		xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, 
 								xmlSecKeyPtr key,
 								xmlSecKeyInfoCtxPtr keyInfoCtx);
@@ -104,9 +88,6 @@
 								 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static xmlChar*		xmlSecNssX509CrlBase64DerWrite		(CERTSignedCrl* crl, 
 								 int base64LineWrap);
-static xmlChar*		xmlSecNssX509NameWrite			(CERTName* nm);
-static xmlChar*		xmlSecNssASN1IntegerWrite		(SECItem *num);
-static xmlChar*		xmlSecNssX509SKIWrite			(CERTCertificate* cert);
 static void		xmlSecNssX509CertDebugDump		(CERTCertificate* cert, 
 								 FILE* output);
 static void		xmlSecNssX509CertDebugXmlDump		(CERTCertificate* cert, 
@@ -752,31 +733,22 @@
 xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
 				xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataPtr data;
+    xmlNodePtr cur;
+    xmlChar* buf;
     CERTCertificate* cert;
     CERTSignedCrl* crl;
     xmlSecSize size, pos;
-    int content = 0;
-    int ret;
     				
     xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
     xmlSecAssert2(key != NULL, -1);
     xmlSecAssert2(node != NULL, -1);
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
-    content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
-    if (content < 0) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-		    "xmlSecX509DataGetNodeContent",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "content=%d", content);
-	return(-1);
-    } else if(content == 0) {
-	/* by default we are writing certificates and crls */
-	content = XMLSEC_X509DATA_DEFAULT;
+    /* todo: flag in ctx remove all existing content */
+    if(0) {
+        xmlNodeSetContent(node, NULL);
     }
 
-    /* get x509 data */
     data = xmlSecKeyGetData(key, id);
     if(data == NULL) {
 	/* no x509 data in the key */
@@ -796,79 +768,74 @@
 	    return(-1);
 	}
 
-	if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
-	    ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
+	/* set base64 lines size from context */
+	buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
+	if(buf == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
 			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509CertificateNodeWrite",
+			    "xmlSecNssX509CertBase64DerWrite",
 			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
+			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
-	    }
 	}
 
-	if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
-	    ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
+	cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
+	if(cur == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
 			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509SubjectNameNodeWrite",
+			    "xmlSecAddChild",
 			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
+			    "node=%s",
+			    xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
+		xmlFree(buf);
 		return(-1);
-	    }
 	}
+	/* todo: add \n around base64 data - from context */
+	/* todo: add errors check */
+	xmlNodeSetContent(cur, xmlSecStringCR);
+	xmlNodeSetContent(cur, buf);
+	xmlFree(buf);
+    }
 
-	if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
-	    ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509IssuerSerialNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
+    /* write crls */
+    size = xmlSecNssKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+	crl = xmlSecNssKeyDataX509GetCrl(data, pos);
+	if(crl == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+		xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+		"xmlSecNssKeyDataX509GetCrl",
+		XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		"pos=%d", pos);
+	    return(-1);
 	}
 
-	if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
-	    ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509SKINodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
+        /* set base64 lines size from context */
+        buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
+        if(buf == NULL) {
+	    xmlSecError(XMLSEC_ERRORS_HERE,
+		xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+		"xmlSecNssX509CrlBase64DerWrite",
+		XMLSEC_ERRORS_R_XMLSEC_FAILED,
+		XMLSEC_ERRORS_NO_MESSAGE);
+	    return(-1);
 	}
-    }    
 
-    /* write crls if needed */
-    if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
-	size = xmlSecNssKeyDataX509GetCrlsSize(data);
-	for(pos = 0; pos < size; ++pos) {
-	    crl = xmlSecNssKeyDataX509GetCrl(data, pos);
-	    if(crl == NULL) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssKeyDataX509GetCrl",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	    
-	    ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx);
-	    if(ret < 0) {
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-			    "xmlSecNssX509CRLNodeWrite",
-			    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			    "pos=%d", pos);
-		return(-1);
-	    }
-	}
+        cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
+        if(cur == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecAddChild",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "new_node=%s",
+                        xmlSecErrorsSafeString(xmlSecNodeX509CRL));
+            xmlFree(buf);
+            return(-1);
+        }
+        /* todo: add \n around base64 data - from context */
+        /* todo: add errors check */
+        xmlNodeSetContent(cur, xmlSecStringCR);
+        xmlNodeSetContent(cur, buf);
     }
 
     return(0);
@@ -1057,46 +1024,6 @@
     return(0);
 }
 
-static int 
-xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf;
-    xmlNodePtr cur;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-    
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509CertBase64DerWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-	
-    cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
-	xmlFree(buf);
-	return(-1);	
-    }
-
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int		
 xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {	
     xmlSecKeyDataStorePtr x509Store;
@@ -1120,19 +1047,13 @@
     }
 
     subject = xmlNodeGetContent(node);
-    if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
-	if(subject != NULL) {
-	    xmlFree(subject);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(subject == NULL) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 		        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
 			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);
-	}
-	return(0);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
@@ -1169,40 +1090,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509NameWrite(&(cert->subject));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-	    NULL,
-	    "xmlSecNssX509NameWrite(&(cert->subject))",
-	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-	    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-	    NULL,
-	    "xmlSecAddChild",
-	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-	    "node=%s",
-	    xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
-	xmlFree(buf);
-	return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int 
 xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1228,21 +1115,9 @@
     }
 
     cur = xmlSecGetNextElementNode(node->children);
-    if(cur == NULL) {
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-			xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
-			XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-			"node=%s",
-			xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
-	    return(-1);
-	}
-	return(0);
-    }
     
     /* the first is required node X509IssuerName */
-    if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
+    if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
 	xmlSecError(XMLSEC_ERRORS_HERE,
 		    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
@@ -1336,78 +1211,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlNodePtr cur;
-    xmlNodePtr issuerNameNode;
-    xmlNodePtr issuerNumberNode;
-    xmlChar* buf;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    /* create xml nodes */
-    cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
-	return(-1);
-    }
-
-    issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
-    if(issuerNameNode == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
-	return(-1);
-    }
-
-    issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
-    if(issuerNumberNode == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
-	return(-1);
-    }
-
-    /* write data */
-    buf = xmlSecNssX509NameWrite(&(cert->issuer));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509NameWrite(&(cert->issuer))",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(issuerNameNode, buf);
-    xmlFree(buf);
-
-    buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber));
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-    xmlNodeSetContent(issuerNumberNode, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int 
 xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1431,11 +1234,7 @@
     }
     
     ski = xmlNodeGetContent(node);
-    if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
-	if(ski != NULL) {
-	    xmlFree(ski);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(ski == NULL) {
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
@@ -1443,8 +1242,6 @@
 			"node=%s",
 			xmlSecErrorsSafeString(xmlSecNodeX509SKI));
 	    return(-1);
-	}
-	return(0);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
@@ -1479,41 +1276,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar *buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509SKIWrite(cert);
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509SKIWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "new_node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-	xmlFree(buf);
-	return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int 
 xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlChar *content;
@@ -1524,19 +1286,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
     content = xmlNodeGetContent(node);
-   if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-	if(content != NULL) {
-	    xmlFree(content);
-	}
-	if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(content == NULL){
 	    xmlSecError(XMLSEC_ERRORS_HERE,
 			xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
 			XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
 			XMLSEC_ERRORS_NO_MESSAGE);
 	    return(-1);
-	}
-	return(0);
     }
 
     crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx);
@@ -1556,47 +1312,6 @@
 }
 
 static int
-xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(crl != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecNssX509CrlBase64DerWrite",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
-    if(cur == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecAddChild",
-		    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    "new_node=%s",
-		    xmlSecErrorsSafeString(xmlSecNodeX509CRL));
-	xmlFree(buf);
-	return(-1);
-    }
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-
-static int
 xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
 				    xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecNssX509DataCtxPtr ctx;
@@ -1604,6 +1319,10 @@
     int ret;
     SECStatus status;
     PRTime notBefore, notAfter;
+
+    PK11SlotInfo* slot ;
+    SECKEYPublicKey *pubKey = NULL;
+    SECKEYPrivateKey *priKey = NULL;
     
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
     xmlSecAssert2(key != NULL, -1);
@@ -1636,10 +1355,14 @@
 			    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
 			    "CERT_DupCertificate",
 			    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-			    XMLSEC_ERRORS_NO_MESSAGE);
+			    "error code=%d", PORT_GetError());
 		return(-1);
 	    }
-	
+
+          /*-
+	   * Get Public key from cert, which does not always work for sign
+	   * action.
+           *
 	    keyValue = xmlSecNssX509CertGetKey(ctx->keyCert);
 	    if(keyValue == NULL) {
 		xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1649,6 +1372,54 @@
 			    XMLSEC_ERRORS_NO_MESSAGE);
 		return(-1);
 	    }
+	   */
+            /*-
+             * I'll search key according to KeyReq.
+             */
+	    slot = cert->slot ;
+	    if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+	        if( ( priKey = PK11_FindPrivateKeyFromCert( slot , cert , NULL ) ) == NULL ) {
+	                xmlSecError( XMLSEC_ERRORS_HERE ,
+	                    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+	                    "PK11_FindPrivateKeyFromCert" ,
+	                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+	                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+	                return -1 ;
+	            }
+	    }
+
+            if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+                if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) {
+                    xmlSecError( XMLSEC_ERRORS_HERE ,
+                        xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                        "CERT_ExtractPublicKey" ,
+                        XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                        XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+
+                    if( priKey != NULL )
+                        SECKEY_DestroyPrivateKey( priKey ) ;
+                    return -1 ;
+                }
+            }
+
+            keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey);
+            if( keyValue == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssPKIAdoptKey" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                if( priKey != NULL )
+                    SECKEY_DestroyPrivateKey( priKey ) ;
+
+                if( pubKey != NULL )
+                    SECKEY_DestroyPublicKey( pubKey ) ;
+
+                return -1 ;
+            }
+            /* Modify keyValue get Done */
 	    
 	    /* verify that the key matches our expectations */
 	    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
@@ -1950,86 +1721,6 @@
     return(res);
 }
 
-static xmlChar*
-xmlSecNssX509NameWrite(CERTName* nm) {
-    xmlChar *res = NULL;
-    char *str;
-
-    xmlSecAssert2(nm != NULL, NULL);
-
-    str = CERT_NameToAscii(nm);
-    if (str == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-        	    NULL,
-        	    "CERT_NameToAscii",
-        	    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-        	    XMLSEC_ERRORS_NO_MESSAGE);
-        return(NULL);
-    }
-
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlStrdup",
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	PORT_Free(str);
-	return(NULL);
-    }
-    PORT_Free(str);
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssASN1IntegerWrite(SECItem *num) {
-    xmlChar *res = NULL;
-    
-    xmlSecAssert2(num != NULL, NULL);
-
-    /* TODO : to be implemented after 
-     * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed 
-     */
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssX509SKIWrite(CERTCertificate* cert) {
-    xmlChar *res = NULL;
-    SECItem ski;
-    SECStatus rv;
-
-    xmlSecAssert2(cert != NULL, NULL);
-
-    memset(&ski, 0, sizeof(ski));
-
-    rv = CERT_FindSubjectKeyIDExtension(cert, &ski);
-    if (rv != SECSuccess) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "CERT_FindSubjectKeyIDExtension",
-		    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	SECITEM_FreeItem(&ski, PR_FALSE);
-	return(NULL);
-    }
-
-    res = xmlSecBase64Encode(ski.data, ski.len, 0);
-    if(res == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "xmlSecBase64Encode",
-	    	    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	SECITEM_FreeItem(&ski, PR_FALSE);
-	return(NULL);
-    }
-    SECITEM_FreeItem(&ski, PR_FALSE);
-    
-    return(res);
-}
-
-
 static void 
 xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) {
     SECItem *sn;
--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c	2009-09-21 14:02:48.669245207 +0200
@@ -30,6 +30,7 @@
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/base64.h>
+#include <xmlsec/bn.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
@@ -61,17 +62,7 @@
  
 static int		xmlSecNssX509StoreInitialize	(xmlSecKeyDataStorePtr store);
 static void		xmlSecNssX509StoreFinalize	(xmlSecKeyDataStorePtr store);
-static int 		xmlSecNssX509NameStringRead	(xmlSecByte **str, 
-							 int *strLen, 
-							 xmlSecByte *res, 
-							 int resLen,
-							 xmlSecByte delim, 
-							 int ingoreTrailingSpaces);
-static xmlSecByte * 	xmlSecNssX509NameRead		(xmlSecByte *str, 
-							 int len);
-
-static void 		xmlSecNssNumToItem(SECItem *it, unsigned long num);
-
+static int		xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ;
 
 static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = {
     sizeof(xmlSecKeyDataStoreKlass),
@@ -339,40 +330,28 @@
 xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName, 
 		      xmlChar *issuerSerial, xmlChar *ski) {
     CERTCertificate *cert = NULL;
-    xmlChar         *p = NULL;
     CERTName *name = NULL;
     SECItem *nameitem = NULL;
     PRArenaPool *arena = NULL;
 
     if (subjectName != NULL) {
-	p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName));
-	if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "subject=%s",
-                        xmlSecErrorsSafeString(subjectName));
-	    goto done;
-	}
-
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
 	    goto done;
 	}
 
-	name = CERT_AsciiToName((char*)p);
+	name = CERT_AsciiToName((char*)subjectName);
 	if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -394,34 +373,23 @@
     if((issuerName != NULL) && (issuerSerial != NULL)) {
 	CERTIssuerAndSN issuerAndSN;
 
-	p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName));
-	if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "issuer=%s",
-                        xmlSecErrorsSafeString(issuerName));
-	    goto done;
-	}
-
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
 	    goto done;
 	}
 
-	name = CERT_AsciiToName((char*)p);
+	name = CERT_AsciiToName((char*)issuerName);
 	if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
 	    goto done;
 	}
 
@@ -441,8 +409,15 @@
 	issuerAndSN.derIssuer.data = nameitem->data;
 	issuerAndSN.derIssuer.len = nameitem->len;
 
-	/* TBD: serial num can be arbitrarily long */
-	xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial));
+        if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecNssIntegerToItem",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "serial number=%s",
+                        xmlSecErrorsSafeString(issuerSerial));
+                goto done;
+        }
 
 	cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), 
 					  &issuerAndSN);
@@ -473,9 +448,6 @@
     }
 
 done:
-    if (p != NULL) {
-	PORT_Free(p);
-    }
     if (arena != NULL) {
 	PORT_FreeArena(arena, PR_FALSE);
     }
@@ -486,176 +458,6 @@
     return(cert);
 }
 
-static xmlSecByte *
-xmlSecNssX509NameRead(xmlSecByte *str, int len) {
-    xmlSecByte name[256];
-    xmlSecByte value[256];
-    xmlSecByte *retval = NULL;
-    xmlSecByte *p = NULL;
-    int nameLen, valueLen;
-
-    xmlSecAssert2(str != NULL, NULL);
-    
-    /* return string should be no longer than input string */
-    retval = (xmlSecByte *)PORT_Alloc(len+1);
-    if(retval == NULL) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    "PORT_Alloc",
-		    XMLSEC_ERRORS_R_MALLOC_FAILED,
-		    XMLSEC_ERRORS_NO_MESSAGE);
-	return(NULL);
-    }
-    p = retval;
-    
-    while(len > 0) {
-	/* skip spaces after comma or semicolon */
-	while((len > 0) && isspace(*str)) {
-	    ++str; --len;
-	}
-
-	nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0);	
-	if(nameLen < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecNssX509NameStringRead",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			XMLSEC_ERRORS_NO_MESSAGE);
-	    goto done;
-	}
-	memcpy(p, name, nameLen);
-	p+=nameLen;
-	*p++='=';
-	if(len > 0) {
-	    ++str; --len;
-	    if((*str) == '\"') {
-		valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-					value, sizeof(value), '"', 1);	
-		if(valueLen < 0) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				"xmlSecNssX509NameStringRead",
-				XMLSEC_ERRORS_R_XMLSEC_FAILED,
-				XMLSEC_ERRORS_NO_MESSAGE);
-		    goto done;
-    		}
-		/* skip spaces before comma or semicolon */
-		while((len > 0) && isspace(*str)) {
-		    ++str; --len;
-		}
-		if((len > 0) && ((*str) != ',')) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"comma is expected");
-		    goto done;
-		}
-		if(len > 0) {
-		    ++str; --len;
-		}
-		*p++='\"';
-		memcpy(p, value, valueLen);
-		p+=valueLen;
-		*p++='\"';
-	    } else if((*str) == '#') {
-		/* TODO: read octect values */
-		xmlSecError(XMLSEC_ERRORS_HERE,
-			    NULL,
-			    NULL,
-			    XMLSEC_ERRORS_R_INVALID_DATA,
-			    "reading octect values is not implemented yet");
-		goto done;
-	    } else {
-		valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-					value, sizeof(value), ',', 1);	
-		if(valueLen < 0) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				"xmlSecNssX509NameStringRead",
-				XMLSEC_ERRORS_R_XMLSEC_FAILED,
-				XMLSEC_ERRORS_NO_MESSAGE);
-		    goto done;
-    		}
-		memcpy(p, value, valueLen);
-		p+=valueLen;
-		if (len > 0)
-		    *p++=',';
-	    } 			
-	} else {
-	    valueLen = 0;
-	}
-	if(len > 0) {
-	    ++str; --len;
-	}	
-    }
-
-    *p = 0;
-    return(retval);
-    
-done:
-    PORT_Free(retval);
-    return (NULL);
-}
-
-static int 
-xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen, 
-			    xmlSecByte *res, int resLen,
-			    xmlSecByte delim, int ingoreTrailingSpaces) {
-    xmlSecByte *p, *q, *nonSpace; 
-
-    xmlSecAssert2(str != NULL, -1);
-    xmlSecAssert2(strLen != NULL, -1);
-    xmlSecAssert2(res != NULL, -1);
-    
-    p = (*str);
-    nonSpace = q = res;
-    while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { 
-	if((*p) != '\\') {
-	    if(ingoreTrailingSpaces && !isspace(*p)) {
-		nonSpace = q;	
-	    }
-	    *(q++) = *(p++);
-	} else {
-	    ++p;
-	    nonSpace = q;    
-	    if(xmlSecIsHex((*p))) {
-		if((p - (*str) + 1) >= (*strLen)) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"two hex digits expected");
-	    	    return(-1);
-		}
-		*(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]);
-		p += 2;
-	    } else {
-		if(((++p) - (*str)) >= (*strLen)) {
-		    xmlSecError(XMLSEC_ERRORS_HERE,
-				NULL,
-				NULL,
-				XMLSEC_ERRORS_R_INVALID_DATA,
-				"escaped symbol missed");
-		    return(-1);
-		}
-		*(q++) = *(p++); 
-	    }
-	}	    
-    }
-    if(((p - (*str)) < (*strLen)) && ((*p) != delim)) {
-	xmlSecError(XMLSEC_ERRORS_HERE,
-		    NULL,
-		    NULL,
-		    XMLSEC_ERRORS_R_INVALID_SIZE,
-		    "buffer is too small");
-	return(-1);
-    }
-    (*strLen) -= (p - (*str));
-    (*str) = p;
-    return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
-}
-
 /* code lifted from NSS */
 static void
 xmlSecNssNumToItem(SECItem *it, unsigned long ui)
@@ -699,6 +501,77 @@
     it->len = len;
     PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
 }
+
+static int
+xmlSecNssIntegerToItem(
+       const xmlChar* integer ,
+       SECItem *item
+) {
+    xmlSecBn bn ;
+    xmlSecSize i, length ;
+    const xmlSecByte* bnInteger ;
+
+    xmlSecAssert2( integer != NULL, -1 ) ;
+    xmlSecAssert2( item != NULL, -1 ) ;
+
+    if( xmlSecBnInitialize( &bn, 0 ) < 0 ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnInitialize",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+           return -1 ;
+    }
+
+    if( xmlSecBnFromDecString( &bn, integer ) < 0 ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnFromDecString",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    length = xmlSecBnGetSize( &bn ) ;
+    if( length <= 0 ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnGetSize",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+    }
+
+    bnInteger = xmlSecBnGetData( &bn ) ;
+    if( bnInteger == NULL ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnGetData",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    item->data = ( unsigned char * )PORT_Alloc( length );
+    if( item->data == NULL ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "PORT_Alloc",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    item->len = length;
+    for( i = 0 ; i < length ; i ++ )
+        item->data[i] = *( bnInteger + i ) ;
+
+    xmlSecBnFinalize( &bn ) ;
+
+    return 0 ;
+}
 #endif /* XMLSEC_NO_X509 */
 
 
--- misc/xmlsec1-1.2.14/win32/Makefile.msvc	2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/win32/Makefile.msvc	2009-09-21 14:02:48.607277908 +0200
@@ -218,6 +218,9 @@
 	$(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj 
 
 XMLSEC_NSS_OBJS = \
+	$(XMLSEC_NSS_INTDIR)\akmngr.obj\
+	$(XMLSEC_NSS_INTDIR)\keywrapers.obj\
+	$(XMLSEC_NSS_INTDIR)\tokens.obj\
 	$(XMLSEC_NSS_INTDIR)\app.obj\
 	$(XMLSEC_NSS_INTDIR)\bignum.obj\
 	$(XMLSEC_NSS_INTDIR)\ciphers.obj \
@@ -253,6 +256,7 @@
 	$(XMLSEC_NSS_INTDIR_A)\strings.obj
 
 XMLSEC_MSCRYPTO_OBJS = \
+	$(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\
 	$(XMLSEC_MSCRYPTO_INTDIR)\app.obj\
 	$(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \
 	$(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \