kz committed 08c63a1

CWS-TOOLING: integrate CWS jl135_nss
2009-10-01 15:20:03 +0200 jl r276605 : #1004856# moved to xmlsec1-mingw32.patch
2009-10-01 10:51:24 +0200 jl r276580 : #1004856# build keymgr with mingw
2009-10-01 10:50:52 +0200 jl r276579 : #1004856# build keymgr with mingw
2009-10-01 10:37:28 +0200 jl r276578 : #1004856# do not build xmlsec1 app
2009-09-29 16:01:31 +0200 jl r276532 : #1004856# Using libxml2 from solver if available
2009-09-26 16:31:32 +0200 jl r276477 : #i104856# xmlsec1-mscrypto-1 is now xmlsec1-mscrypto
2009-09-25 17:05:26 +0200 jl r276470 : CWS-TOOLING: rebase CWS jl135_nss to trunk@276429 (milestone: DEV300:m60)
2009-09-24 12:57:10 +0200 jl r276419 : #i104856# libxmlsec update
2009-09-24 12:46:58 +0200 jl r276418 : #i104856# fixing mac configure problem in and regenerating configure
2009-09-23 16:49:54 +0200 jl r276405 : i#104856# configure failed on mac
2009-09-23 10:21:35 +0200 jl r276369 : #i104856# adapting patches to apply cleanly and readme change
2009-09-21 13:45:47 +0200 jl r276326 : #i104856 updating to 1.2.12, using changes patches from cmc made on xmlsec1_2_12
2009-09-21 11:27:46 +0200 jl r276319 : #i105183# forgot to uncomment PATCH_FILES
2009-09-18 17:41:20 +0200 jl r276296 : #i105183# update of nss libs

  • Parent commits e8bda55

Files changed (22)

File libxmlsec/download/xmlsec1-1.2.12.tar.gz

Binary file added.

File libxmlsec/download/xmlsec1-1.2.6.tar.gz

Binary file removed.

File libxmlsec/

 # --- Files --------------------------------------------------------
-PATCH_FILES=$(TARFILE_NAME).patch xmlsec1-1.2.6-mingwport24.patch
+#xmlsec1-configure.patch: Set up the build. Straightforward
+#xmlsec1-customkeymanage.patch: Could we do this alternatively outside xmlsec
+#xmlsec1-nssmangleciphers.patch: Dubious, do we still need this ?
+#xmlsec1-nssdisablecallbacks.patch: Dubious, do we still need this ?
+#xmlsec1-noverify.patch: As per readme.txt. 
+#xmlsec1-mingw32.patch: Mingw32 support. 
+#xmlsec1-mingw-customkeymanage-addmscrypto.patch builds the custom keymanager on mingw
+   xmlsec1-configure.patch \
+   xmlsec1-customkeymanage.patch \
+   xmlsec1-nssmangleciphers.patch \
+   xmlsec1-nssdisablecallbacks.patch \
+   xmlsec1-noverify.patch \
+   xmlsec1-mingw32.patch \
+   xmlsec1-mingw-keymgr-mscrypto.patch
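Review bot: the comment for the last entry names `xmlsec1-mingw-customkeymanage-addmscrypto.patch`, but the file actually added to the list is `xmlsec1-mingw-keymgr-mscrypto.patch`; rename one of the two so the comment block and the list agree, otherwise the next person searching for the patch by its documented name finds nothing. The two entries annotated "Dubious, do we still need this ?" (`xmlsec1-nssmangleciphers.patch`, `xmlsec1-nssdisablecallbacks.patch`) are nevertheless still applied on every build; either drop them now or replace the open question with a reference to the issue that tracks their removal. `xmlsec1-noverify.patch` deserves more than "As per readme.txt": it is the patch that disables certificate verification in the library, so the build file should say that this is deliberate and point at the section of readme.txt that gives the rationale.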
+    include$/xmlsec$/mscrypto$/akmngr.h \
+    src$/mscrypto$/akmngr.c \
     include$/xmlsec$/nss$/akmngr.h \
     include$/xmlsec$/nss$/ciphers.h \
     include$/xmlsec$/nss$/tokens.h \
-    include$/xmlsec$/mscrypto$/akmngr.h \
     src$/nss$/akmngr.c \
-    src$/mscrypto$/akmngr.c \
-    src$/nss$/keytrans.c \
     src$/nss$/keywrapers.c \
-    src$/nss$/tokens.c \
- \
-    include$/xmlsec$/mscrypto$/ \
-    src$/mscrypto$/ \
-    libxml2-config
+    src$/nss$/tokens.c
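Review bot: `src$/nss$/keytrans.c` is removed from the file list while the neighbouring nss additions (`akmngr`, `ciphers`, `tokens`, `keywrapers`) are kept; if 1.2.12 ships an equivalent upstream that is fine, but the commit message does not say so and nothing in the hunk replaces it. The two directory entries `include$/xmlsec$/mscrypto$/` and `src$/mscrypto$/` are replaced by the single explicit pair `akmngr.h`/`akmngr.c`, so any further mscrypto file the custom key manager needs has to be listed here by name from now on; a one-line comment to that effect would save the next contributor a failed build.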
 .IF "$(GUI)"=="WNT"
-CONFIGURE_ACTION=chmod 777 libxml2-config && .$/configure
-CONFIGURE_FLAGS=--with-libxslt=no --with-openssl=no --with-gnutls=no --with-mozilla_ver=1.7.5 --with-mscrypto --build=i586-pc-mingw32 --host=i586-pc-mingw32 CC="$(xmlsec_CC)" CFLAGS="-D_MT" LDFLAGS="-no-undefined -L$(ILIB:s/;/ -L/)" LIBS="$(xmlsec_LIBS)" LIBXML2LIB=$(LIBXML2LIB) OBJDUMP="$(WRAPCMD) objdump"
+CONFIGURE_FLAGS=--with-libxslt=no --with-openssl=no --with-gnutls=no --with-mozilla_ver=1.7.5 --enable-mscrypto --build=i586-pc-mingw32 --host=i586-pc-mingw32 CC="$(xmlsec_CC)" CFLAGS="-D_MT" LDFLAGS="-no-undefined -L$(ILIB:s/;/ -L/)" LIBS="$(xmlsec_LIBS)" LIBXML2LIB=$(LIBXML2LIB) ZLIB3RDLIB=$(ZLIB3RDLIB) OBJDUMP="$(WRAPCMD) objdump"
-CONFIGURE_ACTION=chmod 777 libxml2-config && .$/configure ADDCFLAGS="$(xmlsec_CFLAGS)" CPPFLAGS="$(xmlsec_CPPFLAGS)"
 CONFIGURE_FLAGS=--with-pic --disable-shared --with-libxslt=no --with-openssl=no --with-gnutls=no LIBXML2LIB="$(LIBXML2LIB)"
 # system-mozilla needs pkgconfig to get the information about nss
 # FIXME: This also will enable pkg-config usage for libxml2. It *seems*
 .IF "$(OS)"=="WNT"
 .IF "$(COM)"=="GCC"
 OUT2LIB+=src$/.libs$/libxmlsec1.dll.a src$/nss$/.libs$/libxmlsec1-nss.dll.a src$/mscrypto$/.libs$/libxmlsec1-mscrypto.dll.a
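Review bot: both `CONFIGURE_ACTION=` lines are deleted (`-CONFIGURE_ACTION=chmod 777 libxml2-config && .$/configure` in the WNT/GCC branch and the `ADDCFLAGS="$(xmlsec_CFLAGS)" CPPFLAGS="$(xmlsec_CPPFLAGS)"` variant in the other branch) and nothing in the hunk sets `CONFIGURE_ACTION` again; if it is now defined once further up, that line should appear as context here, otherwise the non-Windows branch silently loses the `ADDCFLAGS`/`CPPFLAGS` pass-through. Dropping `chmod 777 libxml2-config` itself is welcome: a world-writable helper script in the build tree is never needed, and with libxml2 now taken from the solver (r276532) the wrapper is gone anyway. The switch from `--with-mscrypto` to `--enable-mscrypto` and the new `ZLIB3RDLIB=$(ZLIB3RDLIB)` are only correct if those are the option and variable names the 1.2.12 configure script actually reads; worth a sentence in the commit message since the 1.2.6 invocation used the other spelling.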
-OUT2BIN+=src$/.libs$/libxmlsec1-1.dll src$/nss$/.libs$/libxmlsec1-nss-1.dll src$/mscrypto$/.libs$/libxmlsec1-mscrypto-1.dll
+OUT2BIN+=src$/.libs$/libxmlsec1.dll src$/nss$/.libs$/libxmlsec1-nss.dll src$/mscrypto$/.libs$/libxmlsec1-mscrypto.dll
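Review bot: the delivered DLL names lose their `-1` version suffix (`libxmlsec1-1.dll` becomes `libxmlsec1.dll`, likewise for the nss and mscrypto libraries), while the `OUT2LIB` line directly above keeps delivering the `.dll.a` import libraries unchanged. Confirm that the import libraries produced by the 1.2.12 build reference the unsuffixed DLL names, otherwise anything linked against them will look at run time for a DLL that is no longer installed. r276477 ("xmlsec1-mscrypto-1 is now xmlsec1-mscrypto") suggests the consumers were adjusted; a pointer to that change in the comment would make the rename self-explanatory.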

File libxmlsec/readme.txt

-The XML Security library has been modified, so that there is NO verification
-of the certificate during sign or verification operation. On Windows this was 
-done in the function xmlSecMSCryptoX509StoreVerify (file 
-src/mscrypto/x509vfy.c) and on UNIX in xmlSecNssX509StoreVerify 
-(file src/nss/x509vfy.c).
+The XML Security library has been modified, so that there is NO verification of
+the certificate during sign or verification operation. On Windows this was done
+in the function xmlSecMSCryptoX509StoreVerify (file src/mscrypto/x509vfy.c) and
+on UNIX in xmlSecNssX509StoreVerify (file src/nss/x509vfy.c).
-This change requires that the XML Signature contains in 
-Signature/KeyInfo/X509Data only entries which represent the same 
-The implementation creates certificates from all of the X509Data children
-(X509IssuerSerial, X509Certificate) and used to iterate over all certificates,
-verify them and return the first "good" certificate. Now the first one is 
+The implementation creates certificates from all of the X509Data children, such
+as X509IssuerSerial and X509Certificate and stores them in a certificate store
+(see xmlsec/src/mscrypto/x509.c:xmlSecMSCryptoX509DataNodeRead). It must then
+find the certificate containing the public key which is used for validation
+within that store. This is done in xmlSecMSCryptoX509StoreVerify. This function
+however only takes those certificates into account which can be validated. This
+was changed by the patch xmlsec1-noverify.patch, which prevents this certificate
-The X509IssuerSerial information is used by XML Security Library to find the 
-certificate in the certificate store on the machine. The X509Certificate entry
-is used to create a certificate no matter if this is already contained in the
-certificate store.
+xmlSecMSCryptoX509StoreVerify iterates over all certificates contained or
+referenced in the X509Data elements and selects one which is no issuer of any of
+the other certificates. This certificate is not necessarily the one which was
+used for signing but it must contain the proper validation key, which is
+sufficient to validate the signature. See 
+for details.
-Do not forget: Suggest to XML Security Library to provide a way to carry out 
-signature operations without verification of certificates. There is flag
-xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file src/nss/x509.c),
-which indicates such a possibility but it does not work.
+There is a flag XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS that can be set
+in a xmlSecKeyInfoCtx (see function xmlSecNssKeyDataX509XmlRead, in file
+src/nss/x509.c), which indicates that one can turn of the validation. However,
+setting it will cause that the validation key is not found. If the flag is set,
+then the key is not extracted from the certificate store which contains all the
+certificates of the X509Data elements. In other words, the certificates which
+are delivered within the XML signature are not used when looking for suitable
+validation key.
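Review bot: the selection rule in the new text, "selects one which is no issuer of any of the other certificates", is ambiguous whenever X509Data carries more than one leaf certificate (two certificates, neither of which issued the other); the readme should state what the patched xmlSecMSCryptoX509StoreVerify does in that case (first match, error), because with verification disabled the signature is then checked against whichever key the loop happens to pick. The consequence of `xmlsec1-noverify.patch` should also be spelled out rather than only described mechanically: after this change a successful verification proves only that the signature matches a key carried inside the signature's own X509Data, and every trust decision about that certificate has to be made by the caller. Two smaller points: "See / for details." has an empty reference, and "turn of the validation" should read "turn off the validation".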

File libxmlsec/xmlsec1-1.2.6-mingwport24.patch

---- misc/xmlsec1-1.2.6/configure	2009-09-18 17:19:00.000000000 +0200
-+++ misc/build/xmlsec1-1.2.6/configure	2009-09-18 17:18:43.000000000 +0200
-@@ -21749,6 +21749,10 @@
- ac_compiler_gnu=$ac_cv_c_compiler_gnu
-+case $host_os in
- echo "$as_me:$LINENO: checking for shl_load" >&5
- echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
- if test "${ac_cv_func_shl_load+set}" = set; then
-@@ -22299,7 +22303,8 @@
- fi
- if test x"$libltdl_cv_func_dlopen" = xyes || test x"$libltdl_cv_lib_dl_dlopen" = xyes
- then
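Review bot: removing this patch together with the 1.2.6 tarball also drops its configure hunk, the `case $host_os in` block inserted ahead of the shl_load check; per r276605 the MinGW changes moved to `xmlsec1-mingw32.patch` and r276418 regenerates configure, so confirm that the regenerated configure in the new patch still carries an equivalent of this block. The diff shown here is cut off before the end of the inserted block, so that cannot be checked from this page.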