xref: /trunk/main/libxmlsec/xmlsec1-customkeymanage.patch (revision 351838c4d8726bbb9f5f13e599b27a7f22b4a9bd)

--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am 2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.am   2009-09-21 14:02:48.563253008 +0200
@@ -3,6 +3,7 @@
 xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto

 xmlsecmscryptoinc_HEADERS = \
+akmngr.h \
 app.h \
 certkeys.h \
 crypto.h \
--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in 2009-06-25 22:53:30.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/Makefile.in   2009-09-21 14:02:48.571021349 +0200
@@ -281,6 +281,7 @@
 NULL =
 xmlsecmscryptoincdir = $(includedir)/xmlsec1/xmlsec/mscrypto
 xmlsecmscryptoinc_HEADERS = \
+akmngr.h \
 app.h \
 certkeys.h \
 crypto.h \
--- misc/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h    2009-09-21 14:07:19.052318336 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/mscrypto/akmngr.h  2009-09-21 14:02:48.504966762 +0200
@@ -1 +1,71 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_MSCRYPTO_AKMNGR_H__
+#define __XMLSEC_MSCRYPTO_AKMNGR_H__
+
+#include <windows.h>
+#include <wincrypt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE keyStore ,
+    HCERTSTORE certStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY   symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY   pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY   priKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE keyStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE trustedStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE untrustedStore
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_MSCRYPTO_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am  2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.am    2009-09-21 14:02:48.577933031 +0200
@@ -10,6 +10,9 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+akmngr.h \
+tokens.h \
+ciphers.h \
 $(NULL)

 install-exec-hook:
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in  2009-06-25 22:53:31.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/Makefile.in    2009-09-21 14:02:48.585376325 +0200
@@ -288,6 +288,9 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+akmngr.h \
+tokens.h \
+ciphers.h \
 $(NULL)

 all: all-am
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h 2009-09-21 14:07:19.105517659 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/akmngr.h   2009-09-21 14:02:48.510978278 +0200
@@ -1 +1,56 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_AKMNGR_H__
+#define __XMLSEC_NSS_AKMNGR_H__
+
+#include <nss.h>
+#include <nspr.h>
+#include <pk11func.h>
+#include <cert.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+    PK11SlotInfo** slots,
+   int cSlots,
+    CERTCertDBHandle* handler
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   PK11SymKey*         symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   SECKEYPublicKey*    pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   SECKEYPrivateKey*   priKey
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/app.h    2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/app.h  2009-09-21 14:02:48.612847068 +0200
@@ -22,6 +22,9 @@
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/transforms.h>

+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+
 /**
  * Init/shutdown
  */
@@ -36,6 +39,8 @@
                                        xmlSecKeyPtr key);
 XMLSEC_CRYPTO_EXPORT int       xmlSecNssAppDefaultKeysMngrLoad (xmlSecKeysMngrPtr mngr,
                                     const char* uri);
+XMLSEC_CRYPTO_EXPORT int       xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr,
+                                    xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int       xmlSecNssAppDefaultKeysMngrSave (xmlSecKeysMngrPtr mngr,
                                     const char* filename,
                                     xmlSecKeyDataType type);
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h    2009-09-21 14:07:19.146496548 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/ciphers.h  2009-09-21 14:02:48.516689712 +0200
@@ -1 +1,35 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_CIPHERS_H__
+#define __XMLSEC_NSS_CIPHERS_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data,
+                                   PK11SymKey* symkey ) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SymKey*   xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data);
+
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_CIPHERS_H__ */
+
+
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h  2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/keysstore.h    2009-09-21 14:02:48.626261748 +0200
@@ -16,6 +16,8 @@
 #endif /* __cplusplus */

 #include <xmlsec/xmlsec.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/nss/tokens.h>

 /****************************************************************************
  *
@@ -31,6 +33,8 @@
 XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId  xmlSecNssKeysStoreGetKlass  (void);
 XMLSEC_CRYPTO_EXPORT int       xmlSecNssKeysStoreAdoptKey  (xmlSecKeyStorePtr store,
                                     xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int       xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store,
+                                    xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int       xmlSecNssKeysStoreLoad  (xmlSecKeyStorePtr store,
                                 const char *uri,
                                 xmlSecKeysMngrPtr keysMngr);
--- misc/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h 2009-09-21 14:07:19.172421448 +0200
+++ misc/build/xmlsec1-1.2.14/include/xmlsec/nss/tokens.h   2009-09-21 14:02:48.522913605 +0200
@@ -1 +1,182 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
+ *
+ * Contributor(s): _____________________________
+ *
+ */
+#ifndef __XMLSEC_NSS_TOKENS_H__
+#define __XMLSEC_NSS_TOKENS_H__
+
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/list.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/**
+ * xmlSecNssKeySlotListId
+ *
+ * The crypto mechanism list klass
+ */
+#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass()
+XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ;
+
+/*******************************************
+ * KeySlot interfaces
+ *******************************************/
+/**
+ * Internal NSS key slot data
+ * @mechanismList:     the mechanisms that the slot bound with.
+ * @slot:              the pkcs slot
+ *
+ * This context is located after xmlSecPtrList
+ */
+typedef struct _xmlSecNssKeySlot   xmlSecNssKeySlot ;
+typedef struct _xmlSecNssKeySlot*  xmlSecNssKeySlotPtr ;
+
+struct _xmlSecNssKeySlot {
+   CK_MECHANISM_TYPE_PTR   mechanismList ; /* mech. array, NULL ternimated */
+   PK11SlotInfo*           slot ;
+} ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetMechList(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE_PTR mechanismList
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotEnableMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotDisableMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+   PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+   PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+   xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotCopy(
+   xmlSecNssKeySlotPtr newKeySlot ,
+   xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+   xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotDestroy(
+       xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotBindMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE type
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSupportMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE type
+) ;
+
+
+/************************************************************************
+ * PKCS#11 crypto token interfaces
+ *
+ * A PKCS#11 slot repository will be defined internally. From the
+ * repository, a user can specify a particular slot for a certain crypto
+ * mechanism.
+ *
+ * In some situation, some cryptographic operation should act in a user
+ * designated devices. The interfaces defined here provide the way. If
+ * the user do not initialize the repository distinctly, the interfaces
+ * use the default functions provided by NSS itself.
+ *
+ ************************************************************************/
+/**
+ * Initialize NSS pkcs#11 slot repository
+ *
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ;
+
+/**
+ * Shutdown and destroy NSS pkcs#11 slot repository
+ */
+XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ;
+
+/**
+ * Get PKCS#11 slot handler
+ * @type   the mechanism that the slot must support.
+ *
+ * Returns a pointer to PKCS#11 slot or NULL if an error occurs.
+ *
+ * Notes: The returned handler must be destroied distinctly.
+ */
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ;
+
+/**
+ * Adopt a pkcs#11 slot with a mechanism into the repository
+ * @slot:  the pkcs#11 slot.
+ * @mech:  the mechanism.
+ *
+ * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with
+ * this mechanism only can perform on the @slot.
+ *
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_TOKENS_H__ */
+
--- misc/xmlsec1-1.2.14/src/mscrypto/akmngr.c   2009-09-21 14:07:19.078910929 +0200
+++ misc/build/xmlsec1-1.2.14/src/mscrypto/akmngr.c 2009-09-21 14:02:48.531281225 +0200
@@ -1 +1,236 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/mscrypto/crypto.h>
+#include <xmlsec/mscrypto/keysstore.h>
+#include <xmlsec/mscrypto/akmngr.h>
+#include <xmlsec/mscrypto/x509.h>
+
+/**
+ * xmlSecMSCryptoAppliedKeysMngrCreate:
+ * @hKeyStore:     the pointer to key store.
+ * @hCertStore:        the pointer to certificate database.
+ *
+ * Create and load key store and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE hKeyStore ,
+    HCERTSTORE hCertStore
+) {
+   xmlSecKeyDataStorePtr   certStore = NULL ;
+   xmlSecKeysMngrPtr       keyMngr = NULL ;
+   xmlSecKeyStorePtr       keyStore = NULL ;
+
+   keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ;
+   if( keyStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeyStoreCreate" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return NULL ;
+   }
+
+   /*-
+    * At present, MS Crypto engine do not provide a way to setup a key store.
+    */
+   if( keyStore != NULL ) {
+       /*TODO: binding key store.*/
+   }
+
+   keyMngr = xmlSecKeysMngrCreate() ;
+   if( keyMngr == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrCreate" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeyStoreDestroy( keyStore ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Add key store to manager, from now on keys manager destroys the store if
+    * needed
+    */
+   if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+           "xmlSecKeysMngrAdoptKeyStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeyStoreDestroy( keyStore ) ;
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Initialize crypto library specific data in keys manager
+    */
+   if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecMSCryptoKeysMngrInit" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Set certificate databse to X509 key data store
+    */
+   /*-
+    * At present, MS Crypto engine do not provide a way to setup a cert store.
+    */
+
+   /*-
+    * Set the getKey callback
+    */
+   keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+   return keyMngr ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY           symKey
+) {
+   /*TODO: import the key into keys manager.*/
+   return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY   pubKey
+) {
+   /*TODO: import the key into keys manager.*/
+   return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   HCRYPTKEY   priKey
+) {
+   /*TODO: import the key into keys manager.*/
+   return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE keyStore
+) {
+   xmlSecKeyDataStorePtr x509Store ;
+
+   xmlSecAssert2( mngr != NULL, -1 ) ;
+   xmlSecAssert2( keyStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+   if( x509Store == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetDataStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+           "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE trustedStore
+) {
+   xmlSecKeyDataStorePtr x509Store ;
+
+   xmlSecAssert2( mngr != NULL, -1 ) ;
+   xmlSecAssert2( trustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+   if( x509Store == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetDataStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+           "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+   xmlSecKeysMngrPtr   mngr ,
+   HCERTSTORE untrustedStore
+) {
+   xmlSecKeyDataStorePtr x509Store ;
+
+   xmlSecAssert2( mngr != NULL, -1 ) ;
+   xmlSecAssert2( untrustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+   if( x509Store == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetDataStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+           "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 ) ;
+   }
+
+   return( 0 ) ;
+}
+
--- misc/xmlsec1-1.2.14/src/nss/Makefile.am 2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.am   2009-09-21 14:02:48.591560472 +0200
@@ -35,6 +35,9 @@
    kw_des.c \
    kw_aes.c \
    globals.h \
+   akmngr.c \
+   keywrapers.c \
+   tokens.c \
    $(NULL)

 if SHAREDLIB_HACK
--- misc/xmlsec1-1.2.14/src/nss/Makefile.in 2009-06-25 22:53:33.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/Makefile.in   2009-09-21 14:02:48.599339718 +0200
@@ -72,7 +72,8 @@
 am__libxmlsec1_nss_la_SOURCES_DIST = app.c bignum.c ciphers.c crypto.c \
    digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \
    x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
-   ../strings.c
+   ../strings.c \
+   akmngr.c keywrapers.c tokens.c
 am__objects_1 =
 @SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_nss_la-strings.lo
 am_libxmlsec1_nss_la_OBJECTS = libxmlsec1_nss_la-app.lo \
@@ -83,6 +84,8 @@
    libxmlsec1_nss_la-x509.lo libxmlsec1_nss_la-x509vfy.lo \
    libxmlsec1_nss_la-keysstore.lo libxmlsec1_nss_la-keytrans.lo \
    libxmlsec1_nss_la-kw_des.lo libxmlsec1_nss_la-kw_aes.lo \
+   libxmlsec1_nss_la-akmngr.lo libxmlsec1_nss_la-keywrapers.lo \
+   libxmlsec1_nss_la-tokens.lo \
    $(am__objects_1) $(am__objects_2)
 libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS)
 libxmlsec1_nss_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -333,6 +336,7 @@
 libxmlsec1_nss_la_SOURCES = app.c bignum.c ciphers.c crypto.c \
    digests.c hmac.c pkikeys.c signatures.c symkeys.c x509.c \
    x509vfy.c keysstore.c keytrans.c kw_des.c kw_aes.c globals.h \
+   akmngr.c keywrapers.c tokens.c \
    $(NULL) $(am__append_1)
 libxmlsec1_nss_la_LIBADD = \
    ../libxmlsec1.la \
@@ -439,6 +443,9 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-symkeys.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-x509vfy.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo@am__quote@

 .c.o:
 @am__fastdepCC_TRUE@   $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -468,6 +475,27 @@
 @AMDEP_TRUE@@am__fastdepCC_FALSE@  DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@  $(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-app.lo `test -f 'app.c' || echo '$(srcdir)/'`app.c

+libxmlsec1_nss_la-akmngr.lo: akmngr.c
+@am__fastdepCC_TRUE@   if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-akmngr.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-akmngr.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  source='akmngr.c' object='libxmlsec1_nss_la-akmngr.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-akmngr.lo `test -f 'akmngr.c' || echo '$(srcdir)/'`akmngr.c
+
+libxmlsec1_nss_la-keywrapers.lo: keywrapers.c
+@am__fastdepCC_TRUE@   if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-keywrapers.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-keywrapers.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  source='keywrapers.c' object='libxmlsec1_nss_la-keywrapers.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-keywrapers.lo `test -f 'keywrapers.c' || echo '$(srcdir)/'`keywrapers.c
+
+libxmlsec1_nss_la-tokens.lo: tokens.c
+@am__fastdepCC_TRUE@   if $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-tokens.lo -MD -MP -MF "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo" "$(DEPDIR)/libxmlsec1_nss_la-tokens.Plo"; else rm -f "$(DEPDIR)/libxmlsec1_nss_la-tokens.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  source='tokens.c' object='libxmlsec1_nss_la-tokens.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@  DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_nss_la-tokens.lo `test -f 'tokens.c' || echo '$(srcdir)/'`tokens.c
+
 libxmlsec1_nss_la-bignum.lo: bignum.c
 @am__fastdepCC_TRUE@   $(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_nss_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_nss_la-bignum.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo -c -o libxmlsec1_nss_la-bignum.lo `test -f 'bignum.c' || echo '$(srcdir)/'`bignum.c
 @am__fastdepCC_TRUE@   $(am__mv) $(DEPDIR)/libxmlsec1_nss_la-bignum.Tpo $(DEPDIR)/libxmlsec1_nss_la-bignum.Plo
--- misc/xmlsec1-1.2.14/src/nss/akmngr.c    2009-09-21 14:07:19.197249962 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/akmngr.c  2009-09-21 14:02:48.539616129 +0200
@@ -1 +1,384 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <nspr.h>
+#include <nss.h>
+#include <pk11func.h>
+#include <cert.h>
+#include <keyhi.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+#include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/keysstore.h>
+
+/**
+ * xmlSecNssAppliedKeysMngrCreate:
+ * @slot:          array of pointers to NSS PKCS#11 slot information.
+ * @cSlots:            number of slots in the array
+ * @handler:       the pointer to NSS certificate database.
+ *
+ * Create and load NSS crypto slot and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+   PK11SlotInfo** slots,
+   int cSlots,
+   CERTCertDBHandle* handler
+) {
+   xmlSecKeyDataStorePtr   certStore = NULL ;
+   xmlSecKeysMngrPtr       keyMngr = NULL ;
+   xmlSecKeyStorePtr       keyStore = NULL ;
+   int islot = 0;
+   keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ;
+   if( keyStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeyStoreCreate" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return NULL ;
+   }
+
+   for (islot = 0; islot < cSlots; islot++)
+   {
+       xmlSecNssKeySlotPtr     keySlot ;
+
+       /* Create a key slot */
+       keySlot = xmlSecNssKeySlotCreate() ;
+       if( keySlot == NULL ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+               "xmlSecNssKeySlotCreate" ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+           xmlSecKeyStoreDestroy( keyStore ) ;
+           return NULL ;
+       }
+
+       /* Set slot */
+       if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+               "xmlSecNssKeySlotSetSlot" ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+           xmlSecKeyStoreDestroy( keyStore ) ;
+           xmlSecNssKeySlotDestroy( keySlot ) ;
+           return NULL ;
+       }
+
+       /* Adopt keySlot */
+       if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+               "xmlSecNssKeysStoreAdoptKeySlot" ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+           xmlSecKeyStoreDestroy( keyStore ) ;
+           xmlSecNssKeySlotDestroy( keySlot ) ;
+           return NULL ;
+       }
+   }
+
+   keyMngr = xmlSecKeysMngrCreate() ;
+   if( keyMngr == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrCreate" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeyStoreDestroy( keyStore ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Add key store to manager, from now on keys manager destroys the store if
+    * needed
+    */
+   if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+           "xmlSecKeysMngrAdoptKeyStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeyStoreDestroy( keyStore ) ;
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Initialize crypto library specific data in keys manager
+    */
+   if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrCreate" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+
+   /*-
+    * Set certificate databse to X509 key data store
+    */
+   /**
+    * Because Tej's implementation of certDB use the default DB, so I ignore
+    * the certDB handler at present. I'll modify the cert store sources to
+    * accept particular certDB instead of default ones.
+   certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ;
+   if( certStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+           "xmlSecKeysMngrGetDataStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+
+   if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+           "xmlSecNssKeyDataStoreX509SetCertDb" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+       xmlSecKeysMngrDestroy( keyMngr ) ;
+       return NULL ;
+   }
+   */
+
+   /*-
+    * Set the getKey callback
+    */
+   keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+   return keyMngr ;
+}
+
+int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   PK11SymKey*         symKey
+) {
+   xmlSecKeyPtr        key ;
+   xmlSecKeyDataPtr    data ;
+   xmlSecKeyStorePtr   keyStore ;
+
+   xmlSecAssert2( mngr != NULL , -1 ) ;
+   xmlSecAssert2( symKey != NULL , -1 ) ;
+
+   keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+   if( keyStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetKeysStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+   xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+   data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ;
+   if( data == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+
+   key = xmlSecKeyCreate() ;
+   if( key == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecKeySetValue( key , data ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDestroy( key ) ;
+       return(-1) ;
+   }
+
+   return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   SECKEYPublicKey*    pubKey
+) {
+   xmlSecKeyPtr        key ;
+   xmlSecKeyDataPtr    data ;
+   xmlSecKeyStorePtr   keyStore ;
+
+   xmlSecAssert2( mngr != NULL , -1 ) ;
+   xmlSecAssert2( pubKey != NULL , -1 ) ;
+
+   keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+   if( keyStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetKeysStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+   xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+   data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+   if( data == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssPKIAdoptKey" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+
+   key = xmlSecKeyCreate() ;
+   if( key == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecKeySetValue( key , data ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDestroy( key ) ;
+       return(-1) ;
+   }
+
+   return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+   xmlSecKeysMngrPtr   mngr ,
+   SECKEYPrivateKey*   priKey
+) {
+   xmlSecKeyPtr        key ;
+   xmlSecKeyDataPtr    data ;
+   xmlSecKeyStorePtr   keyStore ;
+
+   xmlSecAssert2( mngr != NULL , -1 ) ;
+   xmlSecAssert2( priKey != NULL , -1 ) ;
+
+   keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+   if( keyStore == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecKeysMngrGetKeysStore" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+   xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+   data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+   if( data == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssPKIAdoptKey" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1) ;
+   }
+
+   key = xmlSecKeyCreate() ;
+   if( key == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecKeySetValue( key , data ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDataDestroy( data ) ;
+       return(-1) ;
+   }
+
+   if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecNssSymKeyDataKeyAdopt" ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecKeyDestroy( key ) ;
+       return(-1) ;
+   }
+
+   return(0) ;
+}
+
--- misc/xmlsec1-1.2.14/src/nss/hmac.c  2009-06-26 06:18:13.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/hmac.c    2009-09-21 14:02:48.649065288 +0200
@@ -23,8 +23,8 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>

-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>

 /* sizes in bits */
 #define XMLSEC_NSS_MIN_HMAC_SIZE       80
@@ -286,13 +286,13 @@
     keyItem.data = xmlSecBufferGetData(buffer);
     keyItem.len  = xmlSecBufferGetSize(buffer);

-    slot = PK11_GetBestSlot(ctx->digestType, NULL);
+    slot = xmlSecNssSlotGet(ctx->digestType);
     if(slot == NULL) {
    xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-           "PK11_GetBestSlot",
+           "xmlSecNssSlotGet",
            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
+           "error code=%d", PORT_GetError());
    return(-1);
     }

--- misc/xmlsec1-1.2.14/src/nss/keysstore.c 2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/keysstore.c   2009-09-21 14:02:48.633533885 +0200
@@ -1,36 +1,56 @@
 /**
  * XMLSec library
  *
- * Nss keys store that uses Simple Keys Store under the hood. Uses the
- * Nss DB as a backing store for the finding keys, but the NSS DB is
- * not written to by the keys store.
- * So, if store->findkey is done and the key is not found in the simple
- * keys store, the NSS DB is looked up.
- * If store is called to adopt a key, that key is not written to the NSS
- * DB.
- * Thus, the NSS DB can be used to pre-load keys and becomes an alternate
- * source of keys for xmlsec
- *
  * This is free software; see Copyright file in the source
  * distribution for precise wording.
  *
  * Copyright (c) 2003 America Online, Inc.  All rights reserved.
  */
+
+/**
+ * NSS key store uses a key list and a slot list as the key repository. NSS slot
+ * list is a backup repository for the finding keys. If a key is not found from
+ * the key list, the NSS slot list is looked up.
+ *
+ * Any key in the key list will not save to pkcs11 slot. When a store to called
+ * to adopt a key, the key is resident in the key list; While a store to called
+ * to set a is resident in the key list; While a store to called to set a slot
+ * list, which means that the keys in the listed slot can be used for xml sign-
+ * nature or encryption.
+ *
+ * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec.
+ *
+ * The framework will decrease the user interfaces to administrate xmlSec crypto
+ * engine. He can only focus on NSS layer functions. For examples, after the
+ * user set up a slot list handler to the keys store, he do not need to do any
+ * other work atop xmlSec interfaces, his action on the slot list handler, such
+ * as add a token to, delete a token from the list, will directly effect the key
+ * store behaviors.
+ *
+ * For example, a scenariio:
+ * 0. Create a slot list;( NSS interfaces )
+ * 1. Create a keys store;( xmlSec interfaces )
+ * 2. Set slot list with the keys store;( xmlSec Interfaces )
+ * 3. Add a slot to the slot list;( NSS interfaces )
+ * 4. Perform xml signature; ( xmlSec Interfaces )
+ * 5. Deleter a slot from the slot list;( NSS interfaces )
+ * 6. Perform xml encryption; ( xmlSec Interfaces )
+ * 7. Perform xml signature;( xmlSec Interfaces )
+ * 8. Destroy the keys store;( xmlSec Interfaces )
+ * 8. Destroy the slot list.( NSS Interfaces )
+ */
 #include "globals.h"

 #include <stdlib.h>
 #include <string.h>

 #include <nss.h>
-#include <cert.h>
 #include <pk11func.h>
+#include <prinit.h>
 #include <keyhi.h>

-#include <libxml/tree.h>
-
 #include <xmlsec/xmlsec.h>
-#include <xmlsec/buffer.h>
-#include <xmlsec/base64.h>
+#include <xmlsec/keys.h>
 #include <xmlsec/errors.h>
 #include <xmlsec/xmltree.h>

@@ -38,82 +58,461 @@

 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/keysstore.h>
-#include <xmlsec/nss/x509.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/ciphers.h>
 #include <xmlsec/nss/pkikeys.h>

 /****************************************************************************
  *
- * Nss Keys Store. Uses Simple Keys Store under the hood
+ * Internal NSS key store context
  *
- * Simple Keys Store ptr is located after xmlSecKeyStore
+ * This context is located after xmlSecKeyStore
  *
  ***************************************************************************/
+typedef struct _xmlSecNssKeysStoreCtx  xmlSecNssKeysStoreCtx ;
+typedef struct _xmlSecNssKeysStoreCtx* xmlSecNssKeysStoreCtxPtr ;
+
+struct _xmlSecNssKeysStoreCtx {
+       xmlSecPtrListPtr                keyList ;
+       xmlSecPtrListPtr                slotList ;
+} ;
+
 #define xmlSecNssKeysStoreSize \
-   (sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr))
+   ( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) )

-#define xmlSecNssKeysStoreGetSS(store) \
-    ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \
-     (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \
-     (xmlSecKeyStorePtr*)NULL)
-
-static int         xmlSecNssKeysStoreInitialize    (xmlSecKeyStorePtr store);
-static void            xmlSecNssKeysStoreFinalize  (xmlSecKeyStorePtr store);
-static xmlSecKeyPtr        xmlSecNssKeysStoreFindKey   (xmlSecKeyStorePtr store,
-                                const xmlChar* name,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
+#define xmlSecNssKeysStoreGetCtx( data ) \
+       ( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) )

-static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
-    sizeof(xmlSecKeyStoreKlass),
-    xmlSecNssKeysStoreSize,
+int xmlSecNssKeysStoreAdoptKeySlot(
+       xmlSecKeyStorePtr               store ,
+       xmlSecNssKeySlotPtr             keySlot
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->slotList == NULL ) {
+               if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+       return 0 ;
+}

-    /* data */
-    BAD_CAST "NSS-keys-store",     /* const xmlChar* name; */
-
-    /* constructors/destructor */
-    xmlSecNssKeysStoreInitialize,  /* xmlSecKeyStoreInitializeMethod initialize; */
-    xmlSecNssKeysStoreFinalize,        /* xmlSecKeyStoreFinalizeMethod finalize; */
-    xmlSecNssKeysStoreFindKey,     /* xmlSecKeyStoreFindKeyMethod findKey; */
-
-    /* reserved for the future */
-    NULL,              /* void* reserved0; */
-    NULL,              /* void* reserved1; */
-};
+int xmlSecNssKeysStoreAdoptKey(
+       xmlSecKeyStorePtr       store ,
+       xmlSecKeyPtr            key
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->keyList == NULL ) {
+               if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }

-/**
- * xmlSecNssKeysStoreGetKlass:
- *
- * The Nss list based keys store klass.
+       return 0 ;
+}
+
+/*
+ * xmlSecKeyStoreInitializeMethod:
+ * @store:             the store.
+ *
+ * Keys store specific initialization method.
  *
- * Returns: Nss list based keys store klass.
+ * Returns 0 on success or a negative value if an error occurs.
  */
-xmlSecKeyStoreId
-xmlSecNssKeysStoreGetKlass(void) {
-    return(&xmlSecNssKeysStoreKlass);
+static int
+xmlSecNssKeysStoreInitialize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       context->keyList = NULL ;
+       context->slotList = NULL ;
+
+       return 0 ;
 }

 /**
- * xmlSecNssKeysStoreAdoptKey:
- * @store:     the pointer to Nss keys store.
- * @key:       the pointer to key.
- *
- * Adds @key to the @store.
  *
- * Returns: 0 on success or a negative value if an error occurs.
+ * xmlSecKeyStoreFinalizeMethod:
+ * @store:             the store.
+ *
+ * Keys store specific finalization (destroy) method.
  */
-int
-xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((key != NULL), -1);
+void
+xmlSecNssKeysStoreFinalize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ;
+       xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return ;
+       }
+
+       if( context->keyList != NULL ) {
+               xmlSecPtrListDestroy( context->keyList ) ;
+               context->keyList = NULL ;
+       }
+
+       if( context->slotList != NULL ) {
+               xmlSecPtrListDestroy( context->slotList ) ;
+               context->slotList = NULL ;
+       }
+}
+
+xmlSecKeyPtr
+xmlSecNssKeysStoreFindKeyFromSlot(
+       PK11SlotInfo* slot,
+       const xmlChar* name,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+       xmlSecKeyPtr            key = NULL ;
+       xmlSecKeyDataPtr        data = NULL ;
+       int                                     length ;
+
+       xmlSecAssert2( slot != NULL , NULL ) ;
+       xmlSecAssert2( name != NULL , NULL ) ;
+       xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+       if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) {
+               PK11SymKey*                     symKey ;
+               PK11SymKey*                     curKey ;
+
+               /* Find symmetric key from the slot by name */
+               symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ;
+               for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) {
+                       /* Check the key request */
+                       length = PK11_GetKeyLength( curKey ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+                       break ;
+               }
+
+               /* Destroy the sym key list */
+               for( curKey = symKey ; curKey != NULL ; ) {
+                       symKey = curKey ;
+                       curKey = PK11_GetNextSymKey( symKey ) ;
+                       PK11_FreeSymKey( symKey ) ;
+               }
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+               SECKEYPublicKeyList*            pubKeyList ;
+               SECKEYPublicKey*                        pubKey ;
+               SECKEYPublicKeyListNode*        curPub ;
+
+               /* Find asymmetric key from the slot by name */
+               pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ;
+               pubKey = NULL ;
+               curPub = PUBKEY_LIST_HEAD(pubKeyList);
+               for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) {
+                       /* Check the key request */
+                       length = SECKEY_PublicKeyStrength( curPub->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       pubKey = curPub->key ;
+                       break ;
+               }
+
+               if( pubKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the public key list */
+               SECKEY_DestroyPublicKeyList( pubKeyList ) ;
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+               SECKEYPrivateKeyList*           priKeyList = NULL ;
+               SECKEYPrivateKey*                       priKey = NULL ;
+               SECKEYPrivateKeyListNode*       curPri ;
+
+               /* Find asymmetric key from the slot by name */
+               priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ;
+               priKey = NULL ;
+               curPri = PRIVKEY_LIST_HEAD(priKeyList);
+               for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
+                       /* Check the key request */
+                       length = PK11_SignatureLen( curPri->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       priKey = curPri->key ;
+                       break ;
+               }
+
+               if( priKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the private key list */
+               SECKEY_DestroyPrivateKeyList( priKeyList ) ;
+       }
+
+       /* If we have gotten the key value */
+       if( data != NULL ) {
+               if( ( key = xmlSecKeyCreate() ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeyCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+
+               if( xmlSecKeySetValue( key , data ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeySetValue" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDestroy( key ) ;
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+       }

-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) &&
-          (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
+    return(key);
+}
+
+/**
+ * xmlSecKeyStoreFindKeyMethod:
+ * @store:             the store.
+ * @name:              the desired key name.
+ * @keyInfoCtx:        the pointer to key info context.
+ *
+ * Keys store specific find method. The caller is responsible for destroying
+ * the returned key using #xmlSecKeyDestroy method.
+ *
+ * Returns the pointer to a key or NULL if key is not found or an error occurs.
+ */
+static xmlSecKeyPtr
+xmlSecNssKeysStoreFindKey(
+       xmlSecKeyStorePtr store ,
+       const xmlChar* name ,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+    xmlSecNssKeysStoreCtxPtr context = NULL ;
+    xmlSecKeyPtr    key = NULL ;
+    xmlSecNssKeySlotPtr     keySlot = NULL ;
+    xmlSecSize              pos ;
+    xmlSecSize              size ;
+
+    xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ;
+    xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ;
+    xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+    context = xmlSecNssKeysStoreGetCtx( store ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                    "xmlSecNssKeysStoreGetCtx" ,
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return NULL ;
+    }
+
+    /*-
+     * Look for key at keyList at first.
+     */
+    if( context->keyList != NULL ) {
+            size = xmlSecPtrListGetSize( context->keyList ) ;
+            for( pos = 0 ; pos < size ; pos ++ ) {
+                    key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ;
+                    if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) {
+                            return xmlSecKeyDuplicate( key ) ;
+                    }
+            }
+    }
+
+    /*-
+     * Find the key from slotList
+     */
+    if( context->slotList != NULL ) {
+            PK11SlotInfo*                   slot = NULL ;
+
+            size = xmlSecPtrListGetSize( context->slotList ) ;
+            for( pos = 0 ; pos < size ; pos ++ ) {
+                    keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ;
+                    slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+                    if( slot == NULL ) {
+                            continue ;
+                    } else {
+                            key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ;
+                            if( key == NULL ) {
+                                    continue ;
+                            } else {
+                                    return( key ) ;
+                            }
+                    }
+            }
+    }
+
+    /*-
+     * Create a session key if we can not find the key from keyList and slotList
+     */
+    if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) {
+            key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ;
+            if( key == NULL ) {
+                    xmlSecError( XMLSEC_ERRORS_HERE ,
+                            xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                            "xmlSecKeySetValue" ,
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                            XMLSEC_ERRORS_NO_MESSAGE ) ;
+                    return NULL ;
+            }
+
+            return key ;
+    }
+
+   /**
+    * We have no way to find the key any more.
+    */
+    return NULL ;
+}
+
+static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
+       sizeof( xmlSecKeyStoreKlass ) ,
+       xmlSecNssKeysStoreSize ,
+       BAD_CAST "implicit_nss_keys_store" ,
+       xmlSecNssKeysStoreInitialize ,
+       xmlSecNssKeysStoreFinalize ,
+       xmlSecNssKeysStoreFindKey ,
+       NULL ,
+       NULL
+} ;

-    return (xmlSecSimpleKeysStoreAdoptKey(*ss, key));
+/**
+ * xmlSecNssKeysStoreGetKlass:
+ *
+ * The simple list based keys store klass.
+ *
+ */
+xmlSecKeyStoreId
+xmlSecNssKeysStoreGetKlass( void ) {
+    return &xmlSecNssKeysStoreKlass ;
 }

+/**************************
+ * Application routines
+ */
+
 /**
  * xmlSecNssKeysStoreLoad:
  * @store:     the pointer to Nss keys store.
@@ -252,234 +651,147 @@
  */
 int
 xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) {
-    xmlSecKeyStorePtr *ss;
+    xmlSecKeyInfoCtx keyInfoCtx;
+    xmlSecNssKeysStoreCtxPtr context ;
+    xmlSecPtrListPtr list;
+    xmlSecKeyPtr key;
+    xmlSecSize i, keysSize;
+    xmlDocPtr doc;
+    xmlNodePtr cur;
+    xmlSecKeyDataPtr data;
+    xmlSecPtrListPtr idsList;
+    xmlSecKeyDataId dataId;
+    xmlSecSize idsSize, j;
+    int ret;

     xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((filename != NULL), -1);
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) &&
-          (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
-
-    return (xmlSecSimpleKeysStoreSave(*ss, filename, type));
-}
-
-static int
-xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
+    xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ;
+    xmlSecAssert2(filename != NULL, -1);

-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
+    context = xmlSecNssKeysStoreGetCtx( store ) ;
+    xmlSecAssert2( context != NULL, -1 );

-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2((*ss == NULL), -1);
+    list = context->keyList ;
+       xmlSecAssert2( list != NULL, -1 );
+    xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1);

-    *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
-    if(*ss == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
+    /* create doc */
+    doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs);
+    if(doc == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-           "xmlSecKeyStoreCreate",
+           "xmlSecCreateTree",
            XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "xmlSecSimpleKeysStoreId");
+           XMLSEC_ERRORS_NO_MESSAGE);
    return(-1);
     }

-    return(0);
-}
-
-static void
-xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId));
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert((ss != NULL) && (*ss != NULL));
-
-    xmlSecKeyStoreDestroy(*ss);
-}
-
-static xmlSecKeyPtr
-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name,
-                 xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyStorePtr* ss;
-    xmlSecKeyPtr key = NULL;
-    xmlSecKeyPtr retval = NULL;
-    xmlSecKeyReqPtr keyReq = NULL;
-    CERTCertificate *cert = NULL;
-    SECKEYPublicKey *pubkey = NULL;
-    SECKEYPrivateKey *privkey = NULL;
-    xmlSecKeyDataPtr data = NULL;
-    xmlSecKeyDataPtr x509Data = NULL;
-    int ret;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL);
-
-    key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx);
-    if (key != NULL) {
-   return (key);
-    }
-
-    /* Try to find the key in the NSS DB, and construct an xmlSecKey.
-     * we must have a name to lookup keys in NSS DB.
-     */
-    if (name == NULL) {
-   goto done;
-    }
+    idsList = xmlSecKeyDataIdsGet();
+    xmlSecAssert2(idsList != NULL, -1);

-    /* what type of key are we looking for?
-     * TBD: For now, we'll look only for public/private keys using the
-     * name as a cert nickname. Later on, we can attempt to find
-     * symmetric keys using PK11_FindFixedKey
-     */
-    keyReq = &(keyInfoCtx->keyReq);
-    if (keyReq->keyType &
-   (xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) {
-   cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name);
-   if (cert == NULL) {
-       goto done;
-   }
+    keysSize = xmlSecPtrListGetSize(list);
+    idsSize = xmlSecPtrListGetSize(idsList);
+    for(i = 0; i < keysSize; ++i) {
+        key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i);
+        xmlSecAssert2(key != NULL, -1);

-   if (keyReq->keyType & xmlSecKeyDataTypePublic) {
-       pubkey = CERT_ExtractPublicKey(cert);
-       if (pubkey == NULL) {
+        cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs);
+        if(cur == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               "CERT_ExtractPublicKey",
-               XMLSEC_ERRORS_R_CRYPTO_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
-       }
+                    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                    "xmlSecAddChild",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    "node=%s",
+                    xmlSecErrorsSafeString(xmlSecNodeKeyInfo));
+            xmlFreeDoc(doc);
+            return(-1);
    }

-   if (keyReq->keyType & xmlSecKeyDataTypePrivate) {
-       privkey = PK11_FindKeyByAnyCert(cert, NULL);
-       if (privkey == NULL) {
+        /* special data key name */
+        if(xmlSecKeyGetName(key) != NULL) {
+            if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               "PK11_FindKeyByAnyCert",
-               XMLSEC_ERRORS_R_CRYPTO_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
+                xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                "xmlSecAddChild",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "node=%s",
+                xmlSecErrorsSafeString(xmlSecNodeKeyName));
+            xmlFreeDoc(doc);
+            return(-1);
        }
    }

-   data = xmlSecNssPKIAdoptKey(privkey, pubkey);
-   if(data == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssPKIAdoptKey",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
-   }
-   privkey = NULL;
-   pubkey = NULL;
-
-        key = xmlSecKeyCreate();
-        if (key == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecKeyCreate",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-       return (NULL);
-        }
-
-   x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id);
-   if(x509Data == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecKeyDataCreate",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "transform=%s",
-           xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id)));
-       goto done;
-   }
+        /* create nodes for other keys data */
+        for(j = 0; j < idsSize; ++j) {
+            dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j);
+            xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1);
+
+            if(dataId->dataNodeName == NULL) {
+                continue;
+            }
+
+            data = xmlSecKeyGetData(key, dataId);
+            if(data == NULL) {
+                continue;
+       }

-   ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert);
-   if (ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssKeyDataX509AdoptKeyCert",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "data=%s",
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-       goto done;
-   }
-   cert = CERT_DupCertificate(cert);
-   if (cert == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "CERT_DupCertificate",
-           XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           "data=%s",
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-       goto done;
+            if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                "xmlSecAddChild",
+       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "node=%s",
+                xmlSecErrorsSafeString(dataId->dataNodeName));
+                xmlFreeDoc(doc);
+                return(-1);
+       }
    }

-   ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert);
+   ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL);
    if (ret < 0) {
        xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssKeyDataX509AdoptCert",
+            xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSecKeyInfoCtxInitialize",
            XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "data=%s",
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-       goto done;
+            XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFreeDoc(doc);
+            return(-1);
    }
-   cert = NULL;

-   ret = xmlSecKeySetValue(key, data);
-   if (ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecKeySetValue",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "data=%s",
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)));
-       goto done;
-   }
-   data = NULL;
+        keyInfoCtx.mode                 = xmlSecKeyInfoModeWrite;
+        keyInfoCtx.keyReq.keyId         = xmlSecKeyDataIdUnknown;
+        keyInfoCtx.keyReq.keyType       = type;
+        keyInfoCtx.keyReq.keyUsage      = xmlSecKeyDataUsageAny;

-   ret = xmlSecKeyAdoptData(key, x509Data);
+        /* finally write key in the node */
+        ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx);
    if (ret < 0) {
        xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecKeyAdoptData",
+            xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSecKeyInfoNodeWrite",
            XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "data=%s",
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-       goto done;
-   }
-   x509Data = NULL;
+            XMLSEC_ERRORS_NO_MESSAGE);
+        xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
+        xmlFreeDoc(doc);
+        return(-1);
+        }

-   retval = key;
-   key = NULL;
+        xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
     }

-done:
-    if (cert != NULL) {
-   CERT_DestroyCertificate(cert);
-    }
-    if (pubkey != NULL) {
-   SECKEY_DestroyPublicKey(pubkey);
-    }
-    if (privkey != NULL) {
-   SECKEY_DestroyPrivateKey(privkey);
-    }
-    if (data != NULL) {
-   xmlSecKeyDataDestroy(data);
-    }
-    if (x509Data != NULL) {
-   xmlSecKeyDataDestroy(x509Data);
-    }
-    if (key != NULL) {
-   xmlSecKeyDestroy(key);
+    /* now write result */
+    ret = xmlSaveFormatFile(filename, doc, 1);
+    if (ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+            "xmlSaveFormatFile",
+            XMLSEC_ERRORS_R_XML_FAILED,
+            "filename=%s",
+            xmlSecErrorsSafeString(filename));
+        xmlFreeDoc(doc);
+        return(-1);
     }

-    return (retval);
+    xmlFreeDoc(doc);
+    return(0);
 }
--- misc/xmlsec1-1.2.14/src/nss/keywrapers.c    2009-09-21 14:07:19.223802688 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/keywrapers.c  2009-09-21 14:02:48.548869372 +0200
@@ -1 +1,1213 @@
-dummy
+/**
+ *
+ * XMLSec library
+ *
+ * AES Algorithm support
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright .................................
+ */
+#include "globals.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+#include <hasht.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+
+#define XMLSEC_NSS_AES128_KEY_SIZE     16
+#define XMLSEC_NSS_AES192_KEY_SIZE     24
+#define XMLSEC_NSS_AES256_KEY_SIZE     32
+#define XMLSEC_NSS_DES3_KEY_SIZE       24
+#define XMLSEC_NSS_DES3_KEY_LENGTH      24
+#define XMLSEC_NSS_DES3_IV_LENGTH       8
+#define XMLSEC_NSS_DES3_BLOCK_LENGTH    8
+
+static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = {
+    0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05
+};
+
+/*********************************************************************
+ *
+ * key wrap transforms
+ *
+ ********************************************************************/
+typedef struct _xmlSecNssKeyWrapCtx            xmlSecNssKeyWrapCtx ;
+typedef struct _xmlSecNssKeyWrapCtx*       xmlSecNssKeyWrapCtxPtr ;
+
+#define xmlSecNssKeyWrapSize   \
+   ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) )
+
+#define xmlSecNssKeyWrapGetCtx( transform ) \
+   ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+struct _xmlSecNssKeyWrapCtx {
+   CK_MECHANISM_TYPE       cipher ;
+   PK11SymKey*             symkey ;
+   xmlSecKeyDataId         keyId ;
+   xmlSecBufferPtr         material ; /* to be encrypted/decrypted key material */
+} ;
+
+static int         xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform);
+static void    xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform);
+static int     xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform,
+                            xmlSecKeyReqPtr keyReq);
+static int     xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform,
+                            xmlSecKeyPtr key);
+static int     xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform,
+                            int last,
+                            xmlSecTransformCtxPtr transformCtx);
+static xmlSecSize      xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform);
+
+static int
+xmlSecNssKeyWrapCheckId(
+   xmlSecTransformPtr transform
+) {
+   #ifndef XMLSEC_NO_DES
+   if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+       return(1);
+   }
+   #endif /* XMLSEC_NO_DES */
+
+   #ifndef XMLSEC_NO_AES
+   if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) ||
+       xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) ||
+       xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) {
+
+       return(1);
+    }
+   #endif /* XMLSEC_NO_AES */
+
+    return(0);
+}
+
+static xmlSecSize
+xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) {
+#ifndef XMLSEC_NO_DES
+   if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+       return(XMLSEC_NSS_DES3_KEY_SIZE);
+   } else
+#endif /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) {
+       return(XMLSEC_NSS_AES128_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) {
+       return(XMLSEC_NSS_AES192_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+       return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+       return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else
+#endif /* XMLSEC_NO_AES */
+
+   if(1)
+           return(0);
+}
+
+
+static int
+xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) {
+   xmlSecNssKeyWrapCtxPtr context ;
+    int ret;
+
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+
+   context = xmlSecNssKeyWrapGetCtx( transform ) ;
+   xmlSecAssert2( context != NULL , -1 ) ;
+
+   #ifndef XMLSEC_NO_DES
+   if( transform->id == xmlSecNssTransformKWDes3Id ) {
+       context->cipher = CKM_DES3_CBC ;
+       context->keyId = xmlSecNssKeyDataDesId ;
+   } else
+   #endif      /* XMLSEC_NO_DES */
+
+   #ifndef XMLSEC_NO_AES
+   if( transform->id == xmlSecNssTransformKWAes128Id ) {
+   /*  context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+       context->cipher = CKM_AES_CBC ;
+       context->keyId = xmlSecNssKeyDataAesId ;
+   } else
+   if( transform->id == xmlSecNssTransformKWAes192Id ) {
+   /*  context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+       context->cipher = CKM_AES_CBC ;
+       context->keyId = xmlSecNssKeyDataAesId ;
+   } else
+   if( transform->id == xmlSecNssTransformKWAes256Id ) {
+   /*  context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+       context->cipher = CKM_AES_CBC ;
+       context->keyId = xmlSecNssKeyDataAesId ;
+   } else
+   #endif      /* XMLSEC_NO_AES */
+
+
+   if( 1 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+           NULL ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   context->symkey = NULL ;
+   context->material = NULL ;
+
+    return(0);
+}
+
+static void
+xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) {
+   xmlSecNssKeyWrapCtxPtr context ;
+
+    xmlSecAssert(xmlSecNssKeyWrapCheckId(transform));
+    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize));
+
+   context = xmlSecNssKeyWrapGetCtx( transform ) ;
+   xmlSecAssert( context != NULL ) ;
+
+   if( context->symkey != NULL ) {
+       PK11_FreeSymKey( context->symkey ) ;
+       context->symkey = NULL ;
+   }
+
+   if( context->material != NULL ) {
+       xmlSecBufferDestroy(context->material);
+       context->material = NULL ;
+   }
+}
+
+static int
+xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
+   xmlSecNssKeyWrapCtxPtr context ;
+   xmlSecSize cipherSize = 0 ;
+
+
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(keyReq != NULL, -1);
+
+   context = xmlSecNssKeyWrapGetCtx( transform ) ;
+   xmlSecAssert2( context != NULL , -1 ) ;
+
+    keyReq->keyId   = context->keyId;
+    keyReq->keyType  = xmlSecKeyDataTypeSymmetric;
+    if(transform->operation == xmlSecTransformOperationEncrypt) {
+       keyReq->keyUsage = xmlSecKeyUsageEncrypt;
+    } else {
+       keyReq->keyUsage = xmlSecKeyUsageDecrypt;
+    }
+
+   keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ;
+
+    return(0);
+}
+
+static int
+xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
+   xmlSecNssKeyWrapCtxPtr context = NULL ;
+   xmlSecKeyDataPtr    keyData = NULL ;
+   PK11SymKey*         symkey = NULL ;
+
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(key != NULL, -1);
+
+   context = xmlSecNssKeyWrapGetCtx( transform ) ;
+   if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+           "xmlSecNssKeyWrapGetCtx" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+   xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+   keyData = xmlSecKeyGetValue( key ) ;
+   if( keyData == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+           "xmlSecKeyGetValue" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+           "xmlSecNssSymKeyDataGetKey" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   context->symkey = symkey ;
+
+   return(0) ;
+}
+
+/**
+ * key wrap transform
+ */
+static int
+xmlSecNssKeyWrapCtxInit(
+   xmlSecNssKeyWrapCtxPtr      ctx ,
+   xmlSecBufferPtr             in ,
+   xmlSecBufferPtr             out ,
+   int                         encrypt ,
+   xmlSecTransformCtxPtr       transformCtx
+) {
+   xmlSecSize          blockSize ;
+
+   xmlSecAssert2( ctx != NULL , -1 ) ;
+   xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+   xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+   xmlSecAssert2( in != NULL , -1 ) ;
+   xmlSecAssert2( out != NULL , -1 ) ;
+   xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+   if( ctx->material != NULL ) {
+       xmlSecBufferDestroy( ctx->material ) ;
+       ctx->material = NULL ;
+   }
+
+   if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_GetBlockSize" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   ctx->material = xmlSecBufferCreate( blockSize ) ;
+   if( ctx->material == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferCreate" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   /* read raw key material into context */
+   if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferSetData" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferRemoveHead" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   return(0);
+}
+
+/**
+ * key wrap transform update
+ */
+static int
+xmlSecNssKeyWrapCtxUpdate(
+   xmlSecNssKeyWrapCtxPtr      ctx ,
+   xmlSecBufferPtr             in ,
+   xmlSecBufferPtr             out ,
+   int                         encrypt ,
+   xmlSecTransformCtxPtr       transformCtx
+) {
+   xmlSecAssert2( ctx != NULL , -1 ) ;
+   xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+   xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+   xmlSecAssert2( ctx->material != NULL , -1 ) ;
+   xmlSecAssert2( in != NULL , -1 ) ;
+   xmlSecAssert2( out != NULL , -1 ) ;
+   xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+   /* read raw key material and append into context */
+   if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferAppend" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferRemoveHead" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   return(0);
+}
+
+static int
+xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) {
+    xmlSecSize s;
+    xmlSecSize i;
+    xmlSecByte c;
+
+    xmlSecAssert2(buf != NULL, -1);
+
+    s = size / 2;
+    --size;
+    for(i = 0; i < s; ++i) {
+   c = buf[i];
+   buf[i] = buf[size - i];
+   buf[size - i] = c;
+    }
+    return(0);
+}
+
+static xmlSecByte *
+xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize,
+            xmlSecByte *out, xmlSecSize outSize)
+{
+    PK11Context *context = NULL;
+    SECStatus s;
+    xmlSecByte *digest = NULL;
+    unsigned int len;
+
+    xmlSecAssert2(in != NULL, NULL);
+    xmlSecAssert2(out != NULL, NULL);
+    xmlSecAssert2(outSize >= SHA1_LENGTH, NULL);
+
+    /* Create a context for hashing (digesting) */
+    context = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (context == NULL) {
+   xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_CreateDigestContext",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "error code = %d", PORT_GetError());
+   goto done;
+    }
+
+    s = PK11_DigestBegin(context);
+    if (s != SECSuccess) {
+   xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_DigestBegin",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "error code = %d", PORT_GetError());
+   goto done;
+    }
+
+    s = PK11_DigestOp(context, in, inSize);
+    if (s != SECSuccess) {
+   xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_DigestOp",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "error code = %d", PORT_GetError());
+   goto done;
+    }
+
+    s = PK11_DigestFinal(context, out, &len, outSize);
+    if (s != SECSuccess) {
+   xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_DigestFinal",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "error code = %d", PORT_GetError());
+   goto done;
+    }
+    xmlSecAssert2(len == SHA1_LENGTH, NULL);
+
+    digest = out;
+
+done:
+    if (context != NULL) {
+   PK11_DestroyContext(context, PR_TRUE);
+    }
+    return (digest);
+}
+
+static int
+xmlSecNssKWDes3Encrypt(
+   PK11SymKey*                 symKey ,
+   CK_MECHANISM_TYPE           cipherMech ,
+    const xmlSecByte*          iv ,
+   xmlSecSize                  ivSize ,
+    const xmlSecByte*          in ,
+   xmlSecSize                  inSize ,
+    xmlSecByte*                out ,
+   xmlSecSize                  outSize ,
+   int                         enc
+) {
+    PK11Context*        EncContext = NULL;
+   SECItem             ivItem ;
+   SECItem*            secParam = NULL ;
+    int                    tmp1_outlen;
+    unsigned int       tmp2_outlen;
+   int                 result_len = -1;
+   SECStatus           rv;
+
+   xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( symKey != NULL , -1 ) ;
+    xmlSecAssert2(iv != NULL, -1);
+    xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1);
+    xmlSecAssert2(in != NULL, -1);
+    xmlSecAssert2(inSize > 0, -1);
+    xmlSecAssert2(out != NULL, -1);
+    xmlSecAssert2(outSize >= inSize, -1);
+
+   /* Prepare IV */
+   ivItem.data = ( unsigned char* )iv ;
+   ivItem.len = ivSize ;
+
+    secParam = PK11_ParamFromIV(cipherMech, &ivItem);
+    if (secParam == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_ParamFromIV",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "Error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    EncContext = PK11_CreateContextBySymKey(cipherMech,
+                           enc ? CKA_ENCRYPT : CKA_DECRYPT,
+                       symKey, secParam);
+    if (EncContext == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_CreateContextBySymKey",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "Error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    tmp1_outlen = tmp2_outlen = 0;
+    rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize,
+              (unsigned char *)in, inSize);
+    if (rv != SECSuccess) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_CipherOp",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "Error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    rv = PK11_DigestFinal(EncContext, out+tmp1_outlen,
+                 &tmp2_outlen, outSize-tmp1_outlen);
+    if (rv != SECSuccess) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+           NULL,
+           "PK11_DigestFinal",
+           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+           "Error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    result_len = tmp1_outlen + tmp2_outlen;
+
+done:
+    if (secParam) {
+       SECITEM_FreeItem(secParam, PR_TRUE);
+    }
+    if (EncContext) {
+   PK11_DestroyContext(EncContext, PR_TRUE);
+    }
+
+    return(result_len);
+}
+
+static int
+xmlSecNssKeyWrapDesOp(
+   xmlSecNssKeyWrapCtxPtr      ctx ,
+   int                         encrypt ,
+   xmlSecBufferPtr             result
+) {
+    xmlSecByte sha1[SHA1_LENGTH];
+    xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH];
+    xmlSecByte* in;
+    xmlSecSize inSize;
+    xmlSecByte* out;
+    xmlSecSize outSize;
+    xmlSecSize s;
+    int ret;
+    SECStatus status;
+
+   xmlSecAssert2( ctx != NULL , -1 ) ;
+   xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+   xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+   xmlSecAssert2( ctx->material != NULL , -1 ) ;
+   xmlSecAssert2( result != NULL , -1 ) ;
+
+   in = xmlSecBufferGetData(ctx->material);
+   inSize = xmlSecBufferGetSize(ctx->material) ;
+   out = xmlSecBufferGetData(result);
+   outSize = xmlSecBufferGetMaxSize(result) ;
+   if( encrypt ) {
+       /* step 2: calculate sha1 and CMS */
+       if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssComputeSHA1",
+               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+
+       /* step 3: construct WKCKS */
+       memcpy(out, in, inSize);
+       memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH);
+
+       /* step 4: generate random iv */
+       status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH);
+       if(status != SECSuccess) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "PK11_GenerateRandom",
+               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+               "error code = %d", PORT_GetError());
+           return(-1);
+       }
+
+       /* step 5: first encryption, result is TEMP1 */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                   iv, XMLSEC_NSS_DES3_IV_LENGTH,
+                   out, inSize + XMLSEC_NSS_DES3_IV_LENGTH,
+                   out, outSize, 1);
+       if(ret < 0) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3Encrypt",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+
+       /* step 6: construct TEMP2=IV || TEMP1 */
+       memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out,
+           inSize + XMLSEC_NSS_DES3_IV_LENGTH);
+       memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH);
+           s = ret + XMLSEC_NSS_DES3_IV_LENGTH;
+
+       /* step 7: reverse octets order, result is TEMP3 */
+       ret = xmlSecNssKWDes3BufferReverse(out, s);
+           if(ret < 0) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3BufferReverse",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+
+       /* step 8: second encryption with static IV */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                   xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH,
+                   out, s,
+                   out, outSize, 1);
+       if(ret < 0) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3Encrypt",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+       s = ret;
+
+       if( xmlSecBufferSetSize( result , s ) < 0 ) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecBufferSetSize",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+   } else {
+       /* step 2: first decryption with static IV, result is TEMP3 */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                   xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH,
+                   in, inSize,
+                   out, outSize, 0);
+       if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3Encrypt",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+       s = ret;
+
+       /* step 3: reverse octets order in TEMP3, result is TEMP2 */
+       ret = xmlSecNssKWDes3BufferReverse(out, s);
+       if(ret < 0) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3BufferReverse",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+
+       /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                   out, XMLSEC_NSS_DES3_IV_LENGTH,
+                   out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH,
+                   out, outSize, 0);
+       if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssKWDes3Encrypt",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+       s = ret - XMLSEC_NSS_DES3_IV_LENGTH;
+
+       /* steps 6 and 7: calculate SHA1 and validate it */
+       if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecNssComputeSHA1",
+               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+            }
+
+       if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+                NULL,
+               XMLSEC_ERRORS_R_INVALID_DATA,
+               "SHA1 does not match");
+           return(-1);
+       }
+
+       if( xmlSecBufferSetSize( result , s ) < 0 ) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+               NULL,
+               "xmlSecBufferSetSize",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
+       }
+   }
+
+   return(0);
+}
+
+static int
+xmlSecNssKeyWrapAesOp(
+   xmlSecNssKeyWrapCtxPtr      ctx ,
+   int                         encrypt ,
+   xmlSecBufferPtr             result
+) {
+    PK11Context*        cipherCtx = NULL;
+   SECItem             ivItem ;
+   SECItem*            secParam = NULL ;
+   xmlSecSize          inSize ;
+   xmlSecSize          inBlocks ;
+   int                 blockSize ;
+   int                 midSize ;
+   int                 finSize ;
+   xmlSecByte*         out ;
+    xmlSecSize         outSize;
+
+   xmlSecAssert2( ctx != NULL , -1 ) ;
+   xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+   xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+   xmlSecAssert2( ctx->material != NULL , -1 ) ;
+   xmlSecAssert2( result != NULL , -1 ) ;
+
+   /* Do not set any IV */
+    memset(&ivItem, 0, sizeof(ivItem));
+
+   /* Get block size */
+   if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_GetBlockSize" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   inSize = xmlSecBufferGetSize( ctx->material ) ;
+   if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferSetMaxSize" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   /* Get Param for context initialization */
+   if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_ParamFromIV" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
+   if( cipherCtx == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_CreateContextBySymKey" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       SECITEM_FreeItem( secParam , PR_TRUE ) ;
+       return(-1);
+   }
+
+   out = xmlSecBufferGetData(result) ;
+   outSize = xmlSecBufferGetMaxSize(result) ;
+   if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_CipherOp" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_DigestFinal" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferSetSize" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   return 0 ;
+}
+
+/**
+ * Block cipher transform final
+ */
+static int
+xmlSecNssKeyWrapCtxFinal(
+   xmlSecNssKeyWrapCtxPtr      ctx ,
+   xmlSecBufferPtr             in ,
+   xmlSecBufferPtr             out ,
+   int                         encrypt ,
+   xmlSecTransformCtxPtr       transformCtx
+) {
+   PK11SymKey*         targetKey ;
+   xmlSecSize          blockSize ;
+   xmlSecBufferPtr     result ;
+
+   xmlSecAssert2( ctx != NULL , -1 ) ;
+   xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+   xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+   xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+   xmlSecAssert2( ctx->material != NULL , -1 ) ;
+   xmlSecAssert2( in != NULL , -1 ) ;
+   xmlSecAssert2( out != NULL , -1 ) ;
+   xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+   /* read raw key material and append into context */
+   if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferAppend" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferRemoveHead" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   /* Now we get all of the key material */
+   /* from now on we will wrap or unwrap the key */
+   if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "PK11_GetBlockSize" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   result = xmlSecBufferCreate( blockSize ) ;
+   if( result == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferCreate" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   switch( ctx->cipher ) {
+       case CKM_DES3_CBC :
+           if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   NULL ,
+                   "xmlSecNssKeyWrapDesOp" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecBufferDestroy(result);
+               return(-1);
+           }
+           break ;
+   /*  case CKM_NETSCAPE_AES_KEY_WRAP :*/
+       case CKM_AES_CBC :
+           if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   NULL ,
+                   "xmlSecNssKeyWrapAesOp" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecBufferDestroy(result);
+               return(-1);
+           }
+           break ;
+   }
+
+   /* Write output */
+   if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           "xmlSecBufferAppend" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       xmlSecBufferDestroy(result);
+       return(-1);
+   }
+   xmlSecBufferDestroy(result);
+
+   return(0);
+}
+
+static int
+xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
+   xmlSecNssKeyWrapCtxPtr  context = NULL ;
+   xmlSecBufferPtr         inBuf, outBuf ;
+   int                     operation ;
+   int                     rtv ;
+
+   xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ;
+   xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+   xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+   context = xmlSecNssKeyWrapGetCtx( transform ) ;
+   if( context == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+           "xmlSecNssKeyWrapGetCtx" ,
+           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return(-1);
+   }
+
+   inBuf = &( transform->inBuf ) ;
+   outBuf = &( transform->outBuf ) ;
+
+   if( transform->status == xmlSecTransformStatusNone ) {
+       transform->status = xmlSecTransformStatusWorking ;
+   }
+
+   operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+   if( transform->status == xmlSecTransformStatusWorking ) {
+       if( context->material == NULL ) {
+           rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ;
+           if( rtv < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyWrapCtxInit" ,
+                   XMLSEC_ERRORS_R_INVALID_STATUS ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);
+           }
+       }
+
+       if( context->material == NULL && last != 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+               NULL ,
+               XMLSEC_ERRORS_R_INVALID_STATUS ,
+               "No enough data to initialize transform" ) ;
+           return(-1);
+       }
+
+       if( context->material != NULL ) {
+           rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ;
+           if( rtv < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyWrapCtxUpdate" ,
+                   XMLSEC_ERRORS_R_INVALID_STATUS ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);
+           }
+       }
+
+       if( last ) {
+           rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ;
+           if( rtv < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyWrapCtxFinal" ,
+                   XMLSEC_ERRORS_R_INVALID_STATUS ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);
+           }
+           transform->status = xmlSecTransformStatusFinished ;
+       }
+   } else if( transform->status == xmlSecTransformStatusFinished ) {
+       if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+               NULL ,
+               XMLSEC_ERRORS_R_INVALID_STATUS ,
+               "status=%d", transform->status ) ;
+           return(-1);
+       }
+   } else {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+           NULL ,
+           XMLSEC_ERRORS_R_INVALID_STATUS ,
+           "status=%d", transform->status ) ;
+       return(-1);
+   }
+
+   return(0);
+}
+
+#ifndef XMLSEC_NO_AES
+
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),      /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes128,                /* const xmlChar* name; */
+    xmlSecHrefKWAes128,                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,  /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,            /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,          /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                  /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                  /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,         /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,            /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                  /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,     /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,     /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,      /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                  /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                  /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,           /* xmlSecTransformExecuteMethod execute; */
+
+    NULL,                  /* void* reserved0; */
+    NULL,                  /* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),      /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes192,                /* const xmlChar* name; */
+    xmlSecHrefKWAes192,                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,  /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,            /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,          /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                  /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                  /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,         /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,            /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                  /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,     /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,     /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,      /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                  /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                  /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,           /* xmlSecTransformExecuteMethod execute; */
+
+    NULL,                  /* void* reserved0; */
+    NULL,                  /* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),      /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes256,                /* const xmlChar* name; */
+    xmlSecHrefKWAes256,                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,  /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,            /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,          /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                  /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                  /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,         /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,            /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                  /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,     /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,     /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,      /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                  /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                  /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,           /* xmlSecTransformExecuteMethod execute; */
+
+    NULL,                  /* void* reserved0; */
+    NULL,                  /* void* reserved1; */
+};
+
+/**
+ * xmlSecNssTransformKWAes128GetKlass:
+ *
+ * The AES-128 key wrapper transform klass.
+ *
+ * Returns AES-128 key wrapper transform klass.
+ */
+xmlSecTransformId
+xmlSecNssTransformKWAes128GetKlass(void) {
+    return(&xmlSecNssKWAes128Klass);
+}
+
+/**
+ * xmlSecNssTransformKWAes192GetKlass:
+ *
+ * The AES-192 key wrapper transform klass.
+ *
+ * Returns AES-192 key wrapper transform klass.
+ */
+xmlSecTransformId
+xmlSecNssTransformKWAes192GetKlass(void) {
+    return(&xmlSecNssKWAes192Klass);
+}
+
+/**
+ *
+ * The AES-256 key wrapper transform klass.
+ *
+ * Returns AES-256 key wrapper transform klass.
+ */
+xmlSecTransformId
+xmlSecNssTransformKWAes256GetKlass(void) {
+    return(&xmlSecNssKWAes256Klass);
+}
+
+#endif /* XMLSEC_NO_AES */
+
+
+#ifndef XMLSEC_NO_DES
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),      /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,          /* xmlSecSize objSize */
+
+    xmlSecNameKWDes3,              /* const xmlChar* name; */
+    xmlSecHrefKWDes3,              /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,  /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,            /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,          /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                  /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                  /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,         /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,            /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                  /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,     /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,     /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,      /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                  /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                  /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,           /* xmlSecTransformExecuteMethod execute; */
+
+    NULL,                  /* void* reserved0; */
+    NULL,                  /* void* reserved1; */
+};
+
+/**
+ * xmlSecNssTransformKWDes3GetKlass:
+ *
+ * The Triple DES key wrapper transform klass.
+ *
+ * Returns Triple DES key wrapper transform klass.
+ */
+xmlSecTransformId
+xmlSecNssTransformKWDes3GetKlass(void) {
+    return(&xmlSecNssKWDes3Klass);
+}
+
+#endif /* XMLSEC_NO_DES */
+
--- misc/xmlsec1-1.2.14/src/nss/pkikeys.c   2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/pkikeys.c 2009-09-21 14:02:48.657352624 +0200
@@ -24,6 +24,7 @@
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/bignum.h>
 #include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/tokens.h>

 /**************************************************************************
  *
@@ -115,6 +116,8 @@
                           xmlSecNssPKIKeyDataCtxPtr ctxSrc)
 {
     xmlSecNSSPKIKeyDataCtxFree(ctxDst);
+    ctxDst->privkey = NULL ;
+    ctxDst->pubkey = NULL ;
     if (ctxSrc->privkey != NULL) {
    ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey);
    if(ctxDst->privkey == NULL) {
@@ -588,13 +591,13 @@
    goto done;
     }

-    slot = PK11_GetBestSlot(CKM_DSA, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA);
     if(slot == NULL) {
    xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-           "PK11_GetBestSlot",
+           "xmlSecNssSlotGet",
            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
+           "error code=%d", PORT_GetError());
    ret = -1;
    goto done;
     }
@@ -792,14 +795,14 @@
     if (slot != NULL) {
    PK11_FreeSlot(slot);
     }
-    if (ret != 0) {
+
    if (pubkey != NULL) {
        SECKEY_DestroyPublicKey(pubkey);
    }
    if (data != NULL) {
        xmlSecKeyDataDestroy(data);
    }
-    }
+
     return(ret);
 }

@@ -818,7 +821,7 @@

     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/

     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
    /* we can have only private key or public key */
@@ -940,7 +943,8 @@
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            "PK11_PQG_ParamGen",
            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           "size=%d", sizeBits);
+           "size=%d, error code=%d", sizeBits, PORT_GetError());
+   ret = -1;
    goto done;
     }

@@ -950,11 +954,12 @@
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            "PK11_PQG_VerifyParams",
            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           "size=%d", sizeBits);
+           "size=%d, error code=%d", sizeBits, PORT_GetError());
+   ret = -1;
    goto done;
     }

-    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams,
                   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -964,8 +969,9 @@
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            "PK11_GenerateKeyPair",
            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
+           "error code=%d", PORT_GetError());

+   ret = -1;
    goto done;
     }

@@ -979,6 +985,8 @@
    goto done;
     }

+    privkey = NULL ;
+    pubkey = NULL ;
     ret = 0;

 done:
@@ -991,16 +999,13 @@
     if (pqgVerify != NULL) {
    PK11_PQG_DestroyVerify(pqgVerify);
     }
-    if (ret == 0) {
-   return (0);
-    }
     if (pubkey != NULL) {
    SECKEY_DestroyPublicKey(pubkey);
     }
     if (privkey != NULL) {
    SECKEY_DestroyPrivateKey(privkey);
     }
-    return(-1);
+    return(ret);
 }

 static xmlSecKeyDataType
@@ -1010,10 +1015,10 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
     if (ctx->privkey != NULL) {
    return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-    } else {
+    } else if( ctx->pubkey != NULL ) {
    return(xmlSecKeyDataTypePublic);
     }

@@ -1027,7 +1032,7 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/

     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
@@ -1216,13 +1221,13 @@
    goto done;
     }

-    slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS);
     if(slot == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                    "PK11_GetBestSlot",
+                    "xmlSecNssSlotGet",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1384,7 +1389,7 @@

     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/


     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
@@ -1455,7 +1460,7 @@
     params.keySizeInBits = sizeBits;
     params.pe = 65537;

-    slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &params,
                   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -1525,7 +1530,7 @@

     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/

     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
--- misc/xmlsec1-1.2.14/src/nss/symkeys.c   2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/symkeys.c 2009-09-21 14:02:48.620574832 +0200
@@ -15,20 +15,41 @@
 #include <stdio.h>
 #include <string.h>

+#include <pk11func.h>
+#include <nss.h>
+
 #include <xmlsec/xmlsec.h>
 #include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>

 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/tokens.h>

 /*****************************************************************************
  *
- * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary
+ * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey
  *
  ****************************************************************************/
+typedef struct _xmlSecNssSymKeyDataCtx      xmlSecNssSymKeyDataCtx ;
+typedef struct _xmlSecNssSymKeyDataCtx*     xmlSecNssSymKeyDataCtxPtr ;
+
+struct _xmlSecNssSymKeyDataCtx {
+    CK_MECHANISM_TYPE       cipher ;    /* the symmetic key mechanism */
+    PK11SlotInfo*           slot ;      /* the key resident slot */
+    PK11SymKey*             symkey ;    /* the symmetic key */
+} ;
+
+#define xmlSecNssSymKeyDataSize \
+    ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) )
+
+#define xmlSecNssSymKeyDataGetCtx( data ) \
+    ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) )
+
 static int xmlSecNssSymKeyDataInitialize       (xmlSecKeyDataPtr data);
 static int xmlSecNssSymKeyDataDuplicate        (xmlSecKeyDataPtr dst,
                             xmlSecKeyDataPtr src);
@@ -67,107 +88,743 @@
     (xmlSecKeyDataIsValid((data)) && \
      xmlSecNssSymKeyDataKlassCheck((data)->id))

+/**
+ * xmlSecNssSymKeyDataAdoptKey:
+ * @data:                              the pointer to symmetric key data.
+ * @symkey:                            the symmetric key
+ *
+ * Set the value of symmetric key data.
+ *
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+int
+xmlSecNssSymKeyDataAdoptKey(
+       xmlSecKeyDataPtr data ,
+       PK11SymKey* symkey
+) {
+       xmlSecNssSymKeyDataCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ;
+       xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ;
+       xmlSecAssert2( symkey != NULL, -1 ) ;
+
+       context = xmlSecNssSymKeyDataGetCtx( data ) ;
+       xmlSecAssert2(context != NULL, -1);
+
+       context->cipher = PK11_GetMechanism( symkey ) ;
+
+       if( context->slot != NULL ) {
+               PK11_FreeSlot( context->slot ) ;
+               context->slot = NULL ;
+       }
+       context->slot = PK11_GetSlotFromKey( symkey ) ;
+
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
+       context->symkey = PK11_ReferenceSymKey( symkey ) ;
+
+       return 0 ;
+}
+
+xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt(
+    PK11SymKey*     symKey
+) {
+       xmlSecKeyDataPtr        data = NULL ;
+       CK_MECHANISM_TYPE       mechanism = CKM_INVALID_MECHANISM ;
+
+       xmlSecAssert2( symKey != NULL , NULL ) ;
+
+       mechanism = PK11_GetMechanism( symKey ) ;
+       switch( mechanism ) {
+               case CKM_DES3_KEY_GEN :
+               case CKM_DES3_CBC :
+               case CKM_DES3_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               case CKM_AES_KEY_GEN :
+               case CKM_AES_CBC :
+               case CKM_AES_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               default :
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               "Unsupported mechanism" ) ;
+                       return NULL ;
+       }
+
+       if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataAdoptKey" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyDataDestroy( data ) ;
+               return NULL ;
+       }
+
+       return data ;
+}
+
+
+PK11SymKey*
+xmlSecNssSymKeyDataGetKey(
+    xmlSecKeyDataPtr data
+) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    PK11SymKey* symkey ;
+
+    xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, NULL);
+
+    if( ctx->symkey != NULL ) {
+        symkey = PK11_ReferenceSymKey( ctx->symkey ) ;
+    } else {
+        symkey = NULL ;
+    }
+
+    return(symkey);
+}
+
 static int
 xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
-
-    return(xmlSecKeyDataBinaryValueInitialize(data));
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx));
+
+    /* Set the block cipher mechanism */
+#ifndef XMLSEC_NO_DES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_DES3_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_AES_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_AES */
+
+    if(1) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            "Unsupported block cipher" ) ;
+        return(-1) ;
+    }
+
+    return(0);
 }

 static int
 xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
+    xmlSecNssSymKeyDataCtxPtr ctxDst;
+    xmlSecNssSymKeyDataCtxPtr ctxSrc;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(dst->id == src->id, -1);
-
-    return(xmlSecKeyDataBinaryValueDuplicate(dst, src));
+
+    ctxDst = xmlSecNssSymKeyDataGetCtx(dst);
+    xmlSecAssert2(ctxDst != NULL, -1);
+
+    ctxSrc = xmlSecNssSymKeyDataGetCtx(src);
+    xmlSecAssert2(ctxSrc != NULL, -1);
+
+    ctxDst->cipher = ctxSrc->cipher ;
+
+    if( ctxSrc->slot != NULL ) {
+        if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+
+        if( ctxDst->slot == NULL && ctxSrc->slot != NULL )
+            ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ;
+    } else {
+        if( ctxDst->slot != NULL ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+    }
+
+    if( ctxSrc->symkey != NULL ) {
+        if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+
+        if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL )
+            ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ;
+    } else {
+        if( ctxDst->symkey != NULL ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+    }
+
+    return(0);
 }

 static void
 xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-
-    xmlSecKeyDataBinaryValueFinalize(data);
+    xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize));
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert(ctx != NULL);
+
+    if( ctx->slot != NULL ) {
+        PK11_FreeSlot( ctx->slot ) ;
+        ctx->slot = NULL ;
+    }
+
+    if( ctx->symkey != NULL ) {
+        PK11_FreeSymKey( ctx->symkey ) ;
+        ctx->symkey = NULL ;
+    }
+
+    ctx->cipher = CKM_INVALID_MECHANISM ;
 }

 static int
 xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                   xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecBufferPtr keyBuf;
+    xmlSecSize len;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Create a buffer for raw symmetric key value */
+    if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecBufferCreate" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Read the raw key value */
+    if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = xmlSecBufferGetData( keyBuf ) ;
+    keyItem.len = xmlSecBufferGetSize( keyBuf ) ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               PK11_FreeSlot( slot ) ;
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+       PK11_FreeSlot( slot ) ;
+
+    /* raw key material has been copied into symKey, it isn't used any more */
+    xmlSecBufferDestroy( keyBuf ) ;
+
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        PK11_FreeSymKey( symKey ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }

-    return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx));
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }

 static int
 xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                    xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
-
-    return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx));
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key));
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+               xmlSecBufferPtr keyBuf ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               /* Create key data buffer with raw kwy material */
+               keyBuf = xmlSecBufferCreate(keyItem->len) ;
+           if(keyBuf == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferCreate",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ;
+
+               /* Write raw key material into current xml node */
+               if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferBase64NodeContentWrite",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       xmlSecBufferDestroy(keyBuf);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+               xmlSecBufferDestroy(keyBuf);
+               PK11_FreeSymKey( symKey ) ;
+    }
+
+    return 0 ;
 }

 static int
 xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                    const xmlSecByte* buf, xmlSecSize bufSize,
                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = buf ;
+    keyItem.len = bufSize ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        PK11_FreeSymKey( symKey ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+       PK11_FreeSlot( slot ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }

-    return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx));
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }

 static int
 xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                    xmlSecByte** buf, xmlSecSize* bufSize,
                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key));
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               *bufSize = keyItem->len;
+               *buf = ( xmlSecByte* )xmlMalloc( *bufSize );
+               if( *buf == NULL ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               NULL,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+       memcpy((*buf), keyItem->data, (*bufSize));
+       PK11_FreeSymKey( symKey ) ;
+    }

-    return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx));
+    return 0 ;
 }

 static int
 xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
-    xmlSecBufferPtr buffer;
+    PK11SymKey* symkey ;
+    PK11SlotInfo* slot ;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    int ret;

     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
     xmlSecAssert2(sizeBits > 0, -1);

-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, -1);
-
-    return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8));
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    if( sizeBits % 8 != 0 ) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+         xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+         NULL,
+         XMLSEC_ERRORS_R_XMLSEC_FAILED,
+         "Symmetric key size must be octuple");
+     return(-1);
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return(-1) ;
+    }
+
+    if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "PK11_Authenticate" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            PK11_FreeSlot( slot ) ;
+            return -1 ;
+    }
+
+    symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ;
+    if( symkey == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "PK11_KeyGen" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            PK11_FreeSlot( slot ) ;
+            return -1 ;
+    }
+
+    if( ctx->slot != NULL ) {
+            PK11_FreeSlot( ctx->slot ) ;
+            ctx->slot = NULL ;
+    }
+    ctx->slot = slot ;
+
+    if( ctx->symkey != NULL ) {
+            PK11_FreeSymKey( ctx->symkey ) ;
+            ctx->symkey = NULL ;
+    }
+    ctx->symkey = symkey ;
+
+    return 0;
 }

 static xmlSecKeyDataType
 xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) {
-    xmlSecBufferPtr buffer;
+    xmlSecNssSymKeyDataCtxPtr context = NULL ;
+    xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ;

     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown);
+    xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ;

-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown);
+    context = xmlSecNssSymKeyDataGetCtx( data ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssSymKeyDataGetCtx" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return xmlSecKeyDataTypeUnknown ;
+    }

-    return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown);
+    if( context->symkey != NULL ) {
+            type |= xmlSecKeyDataTypeSymmetric ;
+    } else {
+            type |= xmlSecKeyDataTypeUnknown ;
+    }
+
+    return type ;
 }

 static xmlSecSize
 xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr context ;
+    unsigned int    length = 0 ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0);
+    xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ;
+    context = xmlSecNssSymKeyDataGetCtx( data ) ;
+    if( context == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssSymKeyDataGetCtx" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+            return 0 ;
+    }
+
+    if( context->symkey != NULL ) {
+            length = PK11_GetKeyLength( context->symkey ) ;
+            length *= 8 ;
+    }

-    return(xmlSecKeyDataBinaryValueGetSize(data));
+    return length ;
 }

 static void
 xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));

-    xmlSecKeyDataBinaryValueDebugDump(data, output);
+    /* print only size, everything else is sensitive */
+    fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName ,
+        xmlSecKeyDataGetSize(data)) ;
 }

 static void
 xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-
-    xmlSecKeyDataBinaryValueDebugXmlDump(data, output);
+
+    /* print only size, everything else is sensitive */
+    fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName ,
+        xmlSecKeyDataGetSize(data)) ;
 }

 static int
@@ -201,7 +858,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,

     /* data */
     xmlSecNameAESKeyValue,
@@ -282,7 +939,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,

     /* data */
     xmlSecNameDESKeyValue,
@@ -364,7 +1021,7 @@
  *************************************************************************/
 static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = {
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,

     /* data */
     xmlSecNameHMACKeyValue,
--- misc/xmlsec1-1.2.14/src/nss/tokens.c    2009-09-21 14:07:19.249145861 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/tokens.c  2009-09-21 14:02:48.556772442 +0200
@@ -1 +1,548 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright..................................
+ *
+ * Contributor(s): _____________________________
+ *
+ */
+
+/**
+ * In order to ensure that particular crypto operation is performed on
+ * particular crypto device, a subclass of xmlSecList is used to store slot and
+ * mechanism information.
+ *
+ * In the list, a slot is bound with a mechanism. If the mechanism is available,
+ * this mechanism only can perform on the slot; otherwise, it can perform on
+ * every eligibl slot in the list.
+ *
+ * When try to find a slot for a particular mechanism, the slot bound with
+ * available mechanism will be looked up firstly.
+ */
+#include "globals.h"
+#include <string.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/errors.h>
+#include <xmlsec/list.h>
+
+#include <xmlsec/nss/tokens.h>
+
+int
+xmlSecNssKeySlotSetMechList(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE_PTR mechanismList
+) {
+   int counter ;
+
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+   if( keySlot->mechanismList != CK_NULL_PTR ) {
+       xmlFree( keySlot->mechanismList ) ;
+
+       for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+       keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+       if( keySlot->mechanismList == NULL ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           return( -1 );
+       }
+       for( ; counter >= 0 ; counter -- )
+           *( keySlot->mechanismList + counter ) = *(  mechanismList + counter ) ;
+   }
+
+   return( 0 );
+}
+
+int
+xmlSecNssKeySlotEnableMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE mechanism
+) {
+   int counter ;
+   CK_MECHANISM_TYPE_PTR newList ;
+
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+   if( mechanism != CKM_INVALID_MECHANISM ) {
+       for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+       newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+       if( newList == NULL ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           return( -1 );
+       }
+       *( newList + counter + 1 ) = CKM_INVALID_MECHANISM ;
+       *( newList + counter ) = mechanism ;
+       for( counter -= 1 ; counter >= 0 ; counter -- )
+           *( newList + counter ) = *(  keySlot->mechanismList + counter ) ;
+
+       xmlFree( keySlot->mechanismList ) ;
+       keySlot->mechanismList = newList ;
+   }
+
+   return(0);
+}
+
+int
+xmlSecNssKeySlotDisableMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE mechanism
+) {
+   int counter ;
+
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+   for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+       if( *( keySlot->mechanismList + counter ) == mechanism ) {
+           for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+               *( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ;
+           }
+
+           break ;
+       }
+   }
+
+   return(0);
+}
+
+CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) {
+   if( keySlot != NULL )
+       return keySlot->mechanismList ;
+   else
+       return NULL ;
+}
+
+int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+   PK11SlotInfo* slot
+) {
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+   if( slot != NULL && keySlot->slot != slot ) {
+       if( keySlot->slot != NULL )
+           PK11_FreeSlot( keySlot->slot ) ;
+
+       if( keySlot->mechanismList != NULL ) {
+           xmlFree( keySlot->mechanismList ) ;
+           keySlot->mechanismList = NULL ;
+       }
+
+       keySlot->slot = PK11_ReferenceSlot( slot ) ;
+   }
+
+   return(0);
+}
+
+int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+   PK11SlotInfo* slot
+) {
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+   xmlSecAssert2( keySlot->slot == NULL , -1 ) ;
+   xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ;
+
+   if( slot != NULL ) {
+       keySlot->slot = PK11_ReferenceSlot( slot ) ;
+   }
+
+   return(0);
+}
+
+void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) {
+   xmlSecAssert( keySlot != NULL ) ;
+
+   if( keySlot->mechanismList != NULL ) {
+       xmlFree( keySlot->mechanismList ) ;
+       keySlot->mechanismList = NULL ;
+   }
+
+   if( keySlot->slot != NULL ) {
+       PK11_FreeSlot( keySlot->slot ) ;
+       keySlot->slot = NULL ;
+   }
+
+}
+
+PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+   xmlSecNssKeySlotPtr keySlot
+) {
+   if( keySlot != NULL )
+       return keySlot->slot ;
+   else
+       return NULL ;
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() {
+   xmlSecNssKeySlotPtr keySlot ;
+
+   /* Allocates a new xmlSecNssKeySlot and fill the fields */
+   keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ;
+   if( keySlot == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           NULL ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( NULL );
+   }
+   memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ;
+
+   return( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotCopy(
+   xmlSecNssKeySlotPtr newKeySlot ,
+   xmlSecNssKeySlotPtr keySlot
+) {
+   CK_MECHANISM_TYPE_PTR mech ;
+   int counter ;
+
+   xmlSecAssert2( newKeySlot != NULL , -1 ) ;
+   xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+   if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) {
+       if( newKeySlot->slot != NULL )
+           PK11_FreeSlot( newKeySlot->slot ) ;
+
+       newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ;
+   }
+
+   if( keySlot->mechanismList != CK_NULL_PTR ) {
+       xmlFree( newKeySlot->mechanismList ) ;
+
+       for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+       newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+       if( newKeySlot->mechanismList == NULL ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           return( -1 );
+       }
+       for( ; counter >= 0 ; counter -- )
+           *( newKeySlot->mechanismList + counter ) = *(  keySlot->mechanismList + counter ) ;
+   }
+
+   return( 0 );
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+   xmlSecNssKeySlotPtr keySlot
+) {
+   xmlSecNssKeySlotPtr newKeySlot ;
+   int ret ;
+
+   xmlSecAssert2( keySlot != NULL , NULL ) ;
+
+   newKeySlot = xmlSecNssKeySlotCreate() ;
+   if( newKeySlot == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           NULL ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( NULL );
+   }
+
+   if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           NULL ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( NULL );
+   }
+
+   return( newKeySlot );
+}
+
+void
+xmlSecNssKeySlotDestroy(
+       xmlSecNssKeySlotPtr keySlot
+) {
+   xmlSecAssert( keySlot != NULL ) ;
+
+   if( keySlot->mechanismList != NULL )
+       xmlFree( keySlot->mechanismList ) ;
+
+   if( keySlot->slot != NULL )
+       PK11_FreeSlot( keySlot->slot ) ;
+
+   xmlFree( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotBindMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE type
+) {
+   int counter ;
+
+   xmlSecAssert2( keySlot != NULL , 0 ) ;
+   xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+   xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+   for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+       if( *( keySlot->mechanismList + counter ) == type )
+           return(1) ;
+   }
+
+   return( 0 ) ;
+}
+
+int
+xmlSecNssKeySlotSupportMech(
+   xmlSecNssKeySlotPtr keySlot ,
+   CK_MECHANISM_TYPE type
+) {
+   xmlSecAssert2( keySlot != NULL , 0 ) ;
+   xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+   xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+   if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) {
+       return(1);
+   } else
+       return(0);
+}
+
+void
+xmlSecNssKeySlotDebugDump(
+   xmlSecNssKeySlotPtr keySlot ,
+   FILE* output
+) {
+   xmlSecAssert( keySlot != NULL ) ;
+   xmlSecAssert( output != NULL ) ;
+
+   fprintf( output, "== KEY SLOT\n" );
+}
+
+void
+xmlSecNssKeySlotDebugXmlDump(
+   xmlSecNssKeySlotPtr keySlot ,
+   FILE* output
+) {
+}
+
+/**
+ * Key Slot List
+ */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#else
+static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#endif
+    BAD_CAST "mechanism-list",
+    (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate,
+    (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump,
+};
+
+xmlSecPtrListId
+xmlSecNssKeySlotListGetKlass(void) {
+    return(&xmlSecNssKeySlotPtrListKlass);
+}
+
+
+/*-
+ * Global PKCS#11 crypto token repository -- Key slot list
+ */
+static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ;
+
+PK11SlotInfo*
+xmlSecNssSlotGet(
+   CK_MECHANISM_TYPE type
+) {
+   PK11SlotInfo*           slot = NULL ;
+   xmlSecNssKeySlotPtr     keySlot ;
+   xmlSecSize              ksSize ;
+   xmlSecSize              ksPos ;
+   char                    flag ;
+
+   if( _xmlSecNssKeySlotList == NULL ) {
+       slot = PK11_GetBestSlot( type , NULL ) ;
+   } else {
+       ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+       /*-
+        * Firstly, checking whether the mechanism is bound with a special slot.
+        * If no bound slot, we try to find the first eligible slot in the list.
+        */
+       for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+           keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+           if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) {
+               slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+               flag = 2 ;
+           } else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) {
+               slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+               flag = 1 ;
+           }
+
+           if( flag == 2 )
+               break ;
+       }
+       if( slot != NULL )
+           slot = PK11_ReferenceSlot( slot ) ;
+   }
+
+   if( slot != NULL && PK11_NeedLogin( slot ) ) {
+       if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           PK11_FreeSlot( slot ) ;
+           return( NULL );
+       }
+   }
+
+   return slot ;
+}
+
+int
+xmlSecNssSlotInitialize(
+   void
+) {
+   if( _xmlSecNssKeySlotList != NULL ) {
+       xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+       _xmlSecNssKeySlotList = NULL ;
+   }
+
+   _xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ;
+   if( _xmlSecNssKeySlotList == NULL ) {
+       xmlSecError( XMLSEC_ERRORS_HERE ,
+           NULL ,
+           NULL ,
+           XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+           XMLSEC_ERRORS_NO_MESSAGE ) ;
+       return( -1 );
+   }
+
+   return(0);
+}
+
+void
+xmlSecNssSlotShutdown(
+   void
+) {
+   if( _xmlSecNssKeySlotList != NULL ) {
+       xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+       _xmlSecNssKeySlotList = NULL ;
+   }
+}
+
+int
+xmlSecNssSlotAdopt(
+   PK11SlotInfo* slot,
+   CK_MECHANISM_TYPE type
+) {
+   xmlSecNssKeySlotPtr     keySlot ;
+   xmlSecSize              ksSize ;
+   xmlSecSize              ksPos ;
+   char                    flag ;
+
+   xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ;
+   xmlSecAssert2( slot != NULL, -1 ) ;
+
+   ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+   /*-
+    * Firstly, checking whether the slot is in the repository already.
+    */
+   flag = 0 ;
+   for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+       keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+       /* If find the slot in the list */
+       if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) {
+           /* If mechanism type is valid, bind the slot with the mechanism */
+           if( type != CKM_INVALID_MECHANISM ) {
+               if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+                   xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                   return(-1);
+               }
+           }
+
+           flag = 1 ;
+       }
+   }
+
+   /* If the slot do not in the list, add a new item to the list */
+   if( flag == 0 ) {
+       /* Create a new KeySlot */
+       keySlot = xmlSecNssKeySlotCreate() ;
+       if( keySlot == NULL ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           return(-1);
+       }
+
+       /* Initialize the keySlot with a slot */
+       if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           xmlSecNssKeySlotDestroy( keySlot ) ;
+           return(-1);
+       }
+
+       /* If mechanism type is valid, bind the slot with the mechanism */
+       if( type != CKM_INVALID_MECHANISM ) {
+           if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   NULL ,
+                   NULL ,
+                   XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecNssKeySlotDestroy( keySlot ) ;
+               return(-1);
+           }
+       }
+
+       /* Add keySlot into the list */
+       if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) {
+           xmlSecError( XMLSEC_ERRORS_HERE ,
+               NULL ,
+               NULL ,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+               XMLSEC_ERRORS_NO_MESSAGE ) ;
+           xmlSecNssKeySlotDestroy( keySlot ) ;
+           return(-1);
+       }
+   }
+
+   return(0);
+}
+
--- misc/xmlsec1-1.2.14/src/nss/x509.c  2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/x509.c    2009-09-21 14:02:48.642312431 +0200
@@ -34,7 +34,6 @@
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
-#include <xmlsec/x509.h>
 #include <xmlsec/base64.h>
 #include <xmlsec/errors.h>

@@ -61,33 +60,18 @@
 static int     xmlSecNssX509CertificateNodeRead    (xmlSecKeyDataPtr data,
                                 xmlNodePtr node,
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssX509CertificateNodeWrite   (CERTCertificate* cert,
-                                xmlNodePtr node,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int     xmlSecNssX509SubjectNameNodeRead    (xmlSecKeyDataPtr data,
                                 xmlNodePtr node,
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssX509SubjectNameNodeWrite   (CERTCertificate* cert,
-                                xmlNodePtr node,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int     xmlSecNssX509IssuerSerialNodeRead   (xmlSecKeyDataPtr data,
                                 xmlNodePtr node,
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssX509IssuerSerialNodeWrite  (CERTCertificate* cert,
-                                xmlNodePtr node,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int     xmlSecNssX509SKINodeRead        (xmlSecKeyDataPtr data,
                                 xmlNodePtr node,
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssX509SKINodeWrite       (CERTCertificate* cert,
-                                xmlNodePtr node,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int     xmlSecNssX509CRLNodeRead        (xmlSecKeyDataPtr data,
                                 xmlNodePtr node,
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssX509CRLNodeWrite       (CERTSignedCrl* crl,
-                                xmlNodePtr node,
-                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int     xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data,
                                xmlSecKeyPtr key,
                                xmlSecKeyInfoCtxPtr keyInfoCtx);
@@ -104,9 +88,6 @@
                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static xmlChar*        xmlSecNssX509CrlBase64DerWrite      (CERTSignedCrl* crl,
                                 int base64LineWrap);
-static xmlChar*        xmlSecNssX509NameWrite          (CERTName* nm);
-static xmlChar*        xmlSecNssASN1IntegerWrite       (SECItem *num);
-static xmlChar*        xmlSecNssX509SKIWrite           (CERTCertificate* cert);
 static void        xmlSecNssX509CertDebugDump      (CERTCertificate* cert,
                                 FILE* output);
 static void        xmlSecNssX509CertDebugXmlDump       (CERTCertificate* cert,
@@ -752,31 +733,22 @@
 xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataPtr data;
+    xmlNodePtr cur;
+    xmlChar* buf;
     CERTCertificate* cert;
     CERTSignedCrl* crl;
     xmlSecSize size, pos;
-    int content = 0;
-    int ret;

     xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
     xmlSecAssert2(key != NULL, -1);
     xmlSecAssert2(node != NULL, -1);
     xmlSecAssert2(keyInfoCtx != NULL, -1);

-    content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
-    if (content < 0) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-           "xmlSecX509DataGetNodeContent",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "content=%d", content);
-   return(-1);
-    } else if(content == 0) {
-   /* by default we are writing certificates and crls */
-   content = XMLSEC_X509DATA_DEFAULT;
+    /* todo: flag in ctx remove all existing content */
+    if(0) {
+        xmlNodeSetContent(node, NULL);
     }

-    /* get x509 data */
     data = xmlSecKeyGetData(key, id);
     if(data == NULL) {
    /* no x509 data in the key */
@@ -796,79 +768,74 @@
        return(-1);
    }

-   if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
-       ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx);
-       if(ret < 0) {
+   /* set base64 lines size from context */
+   buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize);
+   if(buf == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssX509CertificateNodeWrite",
+               "xmlSecNssX509CertBase64DerWrite",
                XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
+               XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
-       }
    }

-   if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
-       ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
-       if(ret < 0) {
+   cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
+   if(cur == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssX509SubjectNameNodeWrite",
+               "xmlSecAddChild",
                XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
+               "node=%s",
+               xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
+       xmlFree(buf);
        return(-1);
-       }
    }
+   /* todo: add \n around base64 data - from context */
+   /* todo: add errors check */
+   xmlNodeSetContent(cur, xmlSecStringCR);
+   xmlNodeSetContent(cur, buf);
+   xmlFree(buf);
+    }

-   if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
-       ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
-       if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssX509IssuerSerialNodeWrite",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
-       return(-1);
-       }
+    /* write crls */
+    size = xmlSecNssKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+   crl = xmlSecNssKeyDataX509GetCrl(data, pos);
+   if(crl == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+       xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+       "xmlSecNssKeyDataX509GetCrl",
+       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+       "pos=%d", pos);
+       return(-1);
    }

-   if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
-       ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx);
-       if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssX509SKINodeWrite",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
-       return(-1);
-       }
+        /* set base64 lines size from context */
+        buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
+        if(buf == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+       xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+       "xmlSecNssX509CrlBase64DerWrite",
+       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+       XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
    }
-    }

-    /* write crls if needed */
-    if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
-   size = xmlSecNssKeyDataX509GetCrlsSize(data);
-   for(pos = 0; pos < size; ++pos) {
-       crl = xmlSecNssKeyDataX509GetCrl(data, pos);
-       if(crl == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssKeyDataX509GetCrl",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
-       return(-1);
-       }
-
-       ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx);
-       if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-               "xmlSecNssX509CRLNodeWrite",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               "pos=%d", pos);
-       return(-1);
-       }
-   }
+        cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
+        if(cur == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecAddChild",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "new_node=%s",
+                        xmlSecErrorsSafeString(xmlSecNodeX509CRL));
+            xmlFree(buf);
+            return(-1);
+        }
+        /* todo: add \n around base64 data - from context */
+        /* todo: add errors check */
+        xmlNodeSetContent(cur, xmlSecStringCR);
+        xmlNodeSetContent(cur, buf);
     }

     return(0);
@@ -1057,46 +1024,6 @@
     return(0);
 }

-static int
-xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf;
-    xmlNodePtr cur;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize);
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509CertBase64DerWrite",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
-    if(cur == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
-   xmlFree(buf);
-   return(-1);
-    }
-
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int
 xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1120,19 +1047,13 @@
     }

     subject = xmlNodeGetContent(node);
-    if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
-   if(subject != NULL) {
-       xmlFree(subject);
-   }
-   if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(subject == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
            XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
            XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
-   }
-   return(0);
     }

     cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
@@ -1169,40 +1090,6 @@
     return(0);
 }

-static int
-xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509NameWrite(&(cert->subject));
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-       NULL,
-       "xmlSecNssX509NameWrite(&(cert->subject))",
-       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-       XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
-    if(cur == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-       NULL,
-       "xmlSecAddChild",
-       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-       "node=%s",
-       xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
-   xmlFree(buf);
-   return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int
 xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1228,21 +1115,9 @@
     }

     cur = xmlSecGetNextElementNode(node->children);
-    if(cur == NULL) {
-   if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-           xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
-           XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
-       return(-1);
-   }
-   return(0);
-    }

     /* the first is required node X509IssuerName */
-    if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
+    if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
    xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
@@ -1336,78 +1211,6 @@
     return(0);
 }

-static int
-xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlNodePtr cur;
-    xmlNodePtr issuerNameNode;
-    xmlNodePtr issuerNumberNode;
-    xmlChar* buf;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    /* create xml nodes */
-    cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
-    if(cur == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
-   return(-1);
-    }
-
-    issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
-    if(issuerNameNode == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
-   return(-1);
-    }
-
-    issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
-    if(issuerNumberNode == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
-   return(-1);
-    }
-
-    /* write data */
-    buf = xmlSecNssX509NameWrite(&(cert->issuer));
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509NameWrite(&(cert->issuer))",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(issuerNameNode, buf);
-    xmlFree(buf);
-
-    buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber));
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-    xmlNodeSetContent(issuerNumberNode, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int
 xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1431,11 +1234,7 @@
     }

     ski = xmlNodeGetContent(node);
-    if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
-   if(ski != NULL) {
-       xmlFree(ski);
-   }
-   if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(ski == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
@@ -1443,8 +1242,6 @@
            "node=%s",
            xmlSecErrorsSafeString(xmlSecNodeX509SKI));
        return(-1);
-   }
-   return(0);
     }

     cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
@@ -1479,41 +1276,6 @@
     return(0);
 }

-static int
-xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar *buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509SKIWrite(cert);
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509SKIWrite",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
-    if(cur == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "new_node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-   xmlFree(buf);
-   return(-1);
-    }
-    xmlSecNodeEncodeAndSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int
 xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlChar *content;
@@ -1524,19 +1286,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);

     content = xmlNodeGetContent(node);
-   if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-   if(content != NULL) {
-       xmlFree(content);
-   }
-   if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+    if(content == NULL){
        xmlSecError(XMLSEC_ERRORS_HERE,
            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
            XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
            XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
-   }
-   return(0);
     }

     crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx);
@@ -1556,47 +1312,6 @@
 }

 static int
-xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(crl != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
-    if(buf == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509CrlBase64DerWrite",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
-    if(cur == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "new_node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509CRL));
-   xmlFree(buf);
-   return(-1);
-    }
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-
-static int
 xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecNssX509DataCtxPtr ctx;
@@ -1604,6 +1319,10 @@
     int ret;
     SECStatus status;
     PRTime notBefore, notAfter;
+
+    PK11SlotInfo* slot ;
+    SECKEYPublicKey *pubKey = NULL;
+    SECKEYPrivateKey *priKey = NULL;

     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
     xmlSecAssert2(key != NULL, -1);
@@ -1636,10 +1355,14 @@
                xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                "CERT_DupCertificate",
                XMLSEC_ERRORS_R_CRYPTO_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
+               "error code=%d", PORT_GetError());
        return(-1);
        }
-
+
+          /*-
+      * Get Public key from cert, which does not always work for sign
+      * action.
+           *
        keyValue = xmlSecNssX509CertGetKey(ctx->keyCert);
        if(keyValue == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1649,6 +1372,54 @@
                XMLSEC_ERRORS_NO_MESSAGE);
        return(-1);
        }
+      */
+            /*-
+             * I'll search key according to KeyReq.
+             */
+       slot = cert->slot ;
+       if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+           if( ( priKey = PK11_FindPrivateKeyFromCert( slot , cert , NULL ) ) == NULL ) {
+                   xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                       "PK11_FindPrivateKeyFromCert" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                   return -1 ;
+               }
+       }
+
+            if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+                if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) {
+                    xmlSecError( XMLSEC_ERRORS_HERE ,
+                        xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                        "CERT_ExtractPublicKey" ,
+                        XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                        XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+
+                    if( priKey != NULL )
+                        SECKEY_DestroyPrivateKey( priKey ) ;
+                    return -1 ;
+                }
+            }
+
+            keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey);
+            if( keyValue == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssPKIAdoptKey" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                if( priKey != NULL )
+                    SECKEY_DestroyPrivateKey( priKey ) ;
+
+                if( pubKey != NULL )
+                    SECKEY_DestroyPublicKey( pubKey ) ;
+
+                return -1 ;
+            }
+            /* Modify keyValue get Done */

        /* verify that the key matches our expectations */
        if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
@@ -1950,86 +1721,6 @@
     return(res);
 }

-static xmlChar*
-xmlSecNssX509NameWrite(CERTName* nm) {
-    xmlChar *res = NULL;
-    char *str;
-
-    xmlSecAssert2(nm != NULL, NULL);
-
-    str = CERT_NameToAscii(nm);
-    if (str == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               "CERT_NameToAscii",
-               XMLSEC_ERRORS_R_CRYPTO_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
-        return(NULL);
-    }
-
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlStrdup",
-           XMLSEC_ERRORS_R_MALLOC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   PORT_Free(str);
-   return(NULL);
-    }
-    PORT_Free(str);
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssASN1IntegerWrite(SECItem *num) {
-    xmlChar *res = NULL;
-
-    xmlSecAssert2(num != NULL, NULL);
-
-    /* TODO : to be implemented after
-     * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed
-     */
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssX509SKIWrite(CERTCertificate* cert) {
-    xmlChar *res = NULL;
-    SECItem ski;
-    SECStatus rv;
-
-    xmlSecAssert2(cert != NULL, NULL);
-
-    memset(&ski, 0, sizeof(ski));
-
-    rv = CERT_FindSubjectKeyIDExtension(cert, &ski);
-    if (rv != SECSuccess) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "CERT_FindSubjectKeyIDExtension",
-           XMLSEC_ERRORS_R_CRYPTO_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   SECITEM_FreeItem(&ski, PR_FALSE);
-   return(NULL);
-    }
-
-    res = xmlSecBase64Encode(ski.data, ski.len, 0);
-    if(res == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecBase64Encode",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   SECITEM_FreeItem(&ski, PR_FALSE);
-   return(NULL);
-    }
-    SECITEM_FreeItem(&ski, PR_FALSE);
-
-    return(res);
-}
-
-
 static void
 xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) {
     SECItem *sn;
--- misc/xmlsec1-1.2.14/src/nss/x509vfy.c   2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/src/nss/x509vfy.c 2009-09-21 14:02:48.669245207 +0200
@@ -30,6 +30,7 @@
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/base64.h>
+#include <xmlsec/bn.h>
 #include <xmlsec/errors.h>

 #include <xmlsec/nss/crypto.h>
@@ -61,17 +62,7 @@

 static int     xmlSecNssX509StoreInitialize    (xmlSecKeyDataStorePtr store);
 static void        xmlSecNssX509StoreFinalize  (xmlSecKeyDataStorePtr store);
-static int         xmlSecNssX509NameStringRead (xmlSecByte **str,
-                            int *strLen,
-                            xmlSecByte *res,
-                            int resLen,
-                            xmlSecByte delim,
-                            int ingoreTrailingSpaces);
-static xmlSecByte *    xmlSecNssX509NameRead       (xmlSecByte *str,
-                            int len);
-
-static void        xmlSecNssNumToItem(SECItem *it, unsigned long num);
-
+static int     xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ;

 static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = {
     sizeof(xmlSecKeyDataStoreKlass),
@@ -339,40 +330,28 @@
 xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
              xmlChar *issuerSerial, xmlChar *ski) {
     CERTCertificate *cert = NULL;
-    xmlChar         *p = NULL;
     CERTName *name = NULL;
     SECItem *nameitem = NULL;
     PRArenaPool *arena = NULL;

     if (subjectName != NULL) {
-   p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName));
-   if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "subject=%s",
-                        xmlSecErrorsSafeString(subjectName));
-       goto done;
-   }
-
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
        goto done;
    }

-   name = CERT_AsciiToName((char*)p);
+   name = CERT_AsciiToName((char*)subjectName);
    if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
        goto done;
    }

@@ -394,34 +373,23 @@
     if((issuerName != NULL) && (issuerSerial != NULL)) {
    CERTIssuerAndSN issuerAndSN;

-   p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName));
-   if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "issuer=%s",
-                        xmlSecErrorsSafeString(issuerName));
-       goto done;
-   }
-
    arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "PORT_NewArena",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
        goto done;
    }

-   name = CERT_AsciiToName((char*)p);
+   name = CERT_AsciiToName((char*)issuerName);
    if (name == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         NULL,
                         "CERT_AsciiToName",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
        goto done;
    }

@@ -441,8 +409,15 @@
    issuerAndSN.derIssuer.data = nameitem->data;
    issuerAndSN.derIssuer.len = nameitem->len;

-   /* TBD: serial num can be arbitrarily long */
-   xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial));
+        if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecNssIntegerToItem",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "serial number=%s",
+                        xmlSecErrorsSafeString(issuerSerial));
+                goto done;
+        }

    cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(),
                      &issuerAndSN);
@@ -473,9 +448,6 @@
     }

 done:
-    if (p != NULL) {
-   PORT_Free(p);
-    }
     if (arena != NULL) {
    PORT_FreeArena(arena, PR_FALSE);
     }
@@ -486,176 +458,6 @@
     return(cert);
 }

-static xmlSecByte *
-xmlSecNssX509NameRead(xmlSecByte *str, int len) {
-    xmlSecByte name[256];
-    xmlSecByte value[256];
-    xmlSecByte *retval = NULL;
-    xmlSecByte *p = NULL;
-    int nameLen, valueLen;
-
-    xmlSecAssert2(str != NULL, NULL);
-
-    /* return string should be no longer than input string */
-    retval = (xmlSecByte *)PORT_Alloc(len+1);
-    if(retval == NULL) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "PORT_Alloc",
-           XMLSEC_ERRORS_R_MALLOC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-   return(NULL);
-    }
-    p = retval;
-
-    while(len > 0) {
-   /* skip spaces after comma or semicolon */
-   while((len > 0) && isspace(*str)) {
-       ++str; --len;
-   }
-
-   nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0);
-   if(nameLen < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509NameStringRead",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
-   }
-   memcpy(p, name, nameLen);
-   p+=nameLen;
-   *p++='=';
-   if(len > 0) {
-       ++str; --len;
-       if((*str) == '\"') {
-       valueLen = xmlSecNssX509NameStringRead(&str, &len,
-                   value, sizeof(value), '"', 1);
-       if(valueLen < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               "xmlSecNssX509NameStringRead",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-           }
-       /* skip spaces before comma or semicolon */
-       while((len > 0) && isspace(*str)) {
-           ++str; --len;
-       }
-       if((len > 0) && ((*str) != ',')) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               NULL,
-               XMLSEC_ERRORS_R_INVALID_DATA,
-               "comma is expected");
-           goto done;
-       }
-       if(len > 0) {
-           ++str; --len;
-       }
-       *p++='\"';
-       memcpy(p, value, valueLen);
-       p+=valueLen;
-       *p++='\"';
-       } else if((*str) == '#') {
-       /* TODO: read octect values */
-       xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               NULL,
-               XMLSEC_ERRORS_R_INVALID_DATA,
-               "reading octect values is not implemented yet");
-       goto done;
-       } else {
-       valueLen = xmlSecNssX509NameStringRead(&str, &len,
-                   value, sizeof(value), ',', 1);
-       if(valueLen < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               "xmlSecNssX509NameStringRead",
-               XMLSEC_ERRORS_R_XMLSEC_FAILED,
-               XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-           }
-       memcpy(p, value, valueLen);
-       p+=valueLen;
-       if (len > 0)
-           *p++=',';
-       }
-   } else {
-       valueLen = 0;
-   }
-   if(len > 0) {
-       ++str; --len;
-   }
-    }
-
-    *p = 0;
-    return(retval);
-
-done:
-    PORT_Free(retval);
-    return (NULL);
-}
-
-static int
-xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen,
-               xmlSecByte *res, int resLen,
-               xmlSecByte delim, int ingoreTrailingSpaces) {
-    xmlSecByte *p, *q, *nonSpace;
-
-    xmlSecAssert2(str != NULL, -1);
-    xmlSecAssert2(strLen != NULL, -1);
-    xmlSecAssert2(res != NULL, -1);
-
-    p = (*str);
-    nonSpace = q = res;
-    while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) {
-   if((*p) != '\\') {
-       if(ingoreTrailingSpaces && !isspace(*p)) {
-       nonSpace = q;
-       }
-       *(q++) = *(p++);
-   } else {
-       ++p;
-       nonSpace = q;
-       if(xmlSecIsHex((*p))) {
-       if((p - (*str) + 1) >= (*strLen)) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               NULL,
-               XMLSEC_ERRORS_R_INVALID_DATA,
-               "two hex digits expected");
-               return(-1);
-       }
-       *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]);
-       p += 2;
-       } else {
-       if(((++p) - (*str)) >= (*strLen)) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-               NULL,
-               NULL,
-               XMLSEC_ERRORS_R_INVALID_DATA,
-               "escaped symbol missed");
-           return(-1);
-       }
-       *(q++) = *(p++);
-       }
-   }
-    }
-    if(((p - (*str)) < (*strLen)) && ((*p) != delim)) {
-   xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           NULL,
-           XMLSEC_ERRORS_R_INVALID_SIZE,
-           "buffer is too small");
-   return(-1);
-    }
-    (*strLen) -= (p - (*str));
-    (*str) = p;
-    return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
-}
-
 /* code lifted from NSS */
 static void
 xmlSecNssNumToItem(SECItem *it, unsigned long ui)
@@ -699,6 +501,77 @@
     it->len = len;
     PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
 }
+
+static int
+xmlSecNssIntegerToItem(
+       const xmlChar* integer ,
+       SECItem *item
+) {
+    xmlSecBn bn ;
+    xmlSecSize i, length ;
+    const xmlSecByte* bnInteger ;
+
+    xmlSecAssert2( integer != NULL, -1 ) ;
+    xmlSecAssert2( item != NULL, -1 ) ;
+
+    if( xmlSecBnInitialize( &bn, 0 ) < 0 ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnInitialize",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+           return -1 ;
+    }
+
+    if( xmlSecBnFromDecString( &bn, integer ) < 0 ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnFromDecString",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    length = xmlSecBnGetSize( &bn ) ;
+    if( length <= 0 ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnGetSize",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+    }
+
+    bnInteger = xmlSecBnGetData( &bn ) ;
+    if( bnInteger == NULL ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBnGetData",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    item->data = ( unsigned char * )PORT_Alloc( length );
+    if( item->data == NULL ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "PORT_Alloc",
+                               XMLSEC_ERRORS_R_INVALID_DATA,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+        xmlSecBnFinalize( &bn ) ;
+        return -1 ;
+    }
+
+    item->len = length;
+    for( i = 0 ; i < length ; i ++ )
+        item->data[i] = *( bnInteger + i ) ;
+
+    xmlSecBnFinalize( &bn ) ;
+
+    return 0 ;
+}
 #endif /* XMLSEC_NO_X509 */


--- misc/xmlsec1-1.2.14/win32/Makefile.msvc 2009-06-25 22:53:18.000000000 +0200
+++ misc/build/xmlsec1-1.2.14/win32/Makefile.msvc   2009-09-21 14:02:48.607277908 +0200
@@ -218,6 +218,9 @@
    $(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj

 XMLSEC_NSS_OBJS = \
+   $(XMLSEC_NSS_INTDIR)\akmngr.obj\
+   $(XMLSEC_NSS_INTDIR)\keywrapers.obj\
+   $(XMLSEC_NSS_INTDIR)\tokens.obj\
    $(XMLSEC_NSS_INTDIR)\app.obj\
    $(XMLSEC_NSS_INTDIR)\bignum.obj\
    $(XMLSEC_NSS_INTDIR)\ciphers.obj \
@@ -253,6 +256,7 @@
    $(XMLSEC_NSS_INTDIR_A)\strings.obj

 XMLSEC_MSCRYPTO_OBJS = \
+   $(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\
    $(XMLSEC_MSCRYPTO_INTDIR)\app.obj\
    $(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \
    $(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \