merge the formfield patch from ooo-build

[ooovba.git] / libxmlsec / xmlsec1-1.2.6.patch

--- misc/xmlsec1-1.2.6/apps/Makefile.in 2004-08-26 08:00:30.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/apps/Makefile.in   2008-06-29 23:44:19.000000000 +0200
@@ -370,7 +370,7 @@
        $(CRYPTO_DEPS) \
        $(NULL)
 
-all: all-am
+all: 
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
--- misc/xmlsec1-1.2.6/configure        2004-08-26 08:00:34.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/configure  2008-06-29 23:44:19.000000000 +0200
@@ -463,7 +463,7 @@
 # include <unistd.h>
 #endif"
 
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os XMLSEC_VERSION XMLSEC_PACKAGE XMLSEC_VERSION_SAFE XMLSEC_VERSION_MAJOR XMLSEC_VERSION_MINOR XMLSEC_VERSION_SUBMINOR XMLSEC_VERSION_INFO INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL RM CP MV TAR HELP2MAN MAN2HTML U ANSI2KNR INSTALL_LTDL_TRUE INSTALL_LTDL_FALSE CONVENIENCE_LTDL_TRUE CONVENIENCE_LTDL_FALSE LIBADD_DL PKG_CONFIG_ENABLED PKG_CONFIG LIBXML_CFLAGS LIBXML_LIBS LIBXML262_CFLAGS LIBXML262_LIBS LIBXML_CONFIG LIBXML_MIN_VERSION LIBXSLT_CFLAGS LIBXSLT_LIBS XMLSEC_NO_LIBXSLT LIBXSLT_CONFIG LIBXSLT_MIN_VERSION OPENSSL_CFLAGS OPENSSL_LIBS OPENSSL097_CFLAGS OPENSSL097_LIBS XMLSEC_NO_OPENSSL_TRUE XMLSEC_NO_OPENSSL_FALSE XMLSEC_NO_OPENSSL OPENSSL_CRYPTO_LIB OPENSSL_MIN_VERSION GNUTLS_CFLAGS GNUTLS_LIBS XMLSEC_NO_GNUTLS_TRUE XMLSEC_NO_GNUTLS_FALSE XMLSEC_NO_GNUTLS GNUTLS_CRYPTO_LIB GNUTLS_MIN_VERSION NSS_CFLAGS NSS_LIBS XMLSEC_NO_NSS_TRUE XMLSEC_NO_NSS_FALSE XMLSEC_NO_NSS NSS_CRYPTO_LIB NSS_MIN_VERSION NSPR_MIN_VERSION MOZILLA_MIN_VERSION XMLSEC_NO_SHA1_TRUE XMLSEC_NO_SHA1_FALSE XMLSEC_NO_SHA1 XMLSEC_NO_RIPEMD160_TRUE XMLSEC_NO_RIPEMD160_FALSE XMLSEC_NO_RIPEMD160 XMLSEC_NO_HMAC_TRUE XMLSEC_NO_HMAC_FALSE XMLSEC_NO_HMAC XMLSEC_NO_DSA_TRUE XMLSEC_NO_DSA_FALSE XMLSEC_NO_DSA XMLSEC_NO_RSA_TRUE XMLSEC_NO_RSA_FALSE XMLSEC_NO_RSA XMLSEC_NO_X509_TRUE XMLSEC_NO_X509_FALSE XMLSEC_NO_X509 XMLSEC_NO_DES_TRUE XMLSEC_NO_DES_FALSE XMLSEC_NO_DES XMLSEC_NO_AES_TRUE XMLSEC_NO_AES_FALSE XMLSEC_NO_AES XMLSEC_NO_XMLDSIG_TRUE XMLSEC_NO_XMLDSIG_FALSE XMLSEC_NO_XMLDSIG XMLSEC_NO_XMLENC_TRUE XMLSEC_NO_XMLENC_FALSE XMLSEC_NO_XMLENC XMLSEC_NO_XKMS_TRUE XMLSEC_NO_XKMS_FALSE XMLSEC_NO_XKMS XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_TRUE XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_FALSE XMLSEC_NO_CRYPTO_DYNAMIC_LOADING XMLSEC_DL_INCLUDES XMLSEC_DL_LIBS XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_TRUE XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_FALSE XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING XMLSEC_DOCDIR XMLSEC_STATIC_BINARIES XMLSEC_CORE_CFLAGS XMLSEC_CORE_LIBS XMLSEC_LIBDIR XMLSEC_OPENSSL_CFLAGS XMLSEC_OPENSSL_LIBS XMLSEC_GNUTLS_CFLAGS XMLSEC_GNUTLS_LIBS XMLSEC_NSS_CFLAGS XMLSEC_NSS_LIBS XMLSEC_CFLAGS XMLSEC_LIBS XMLSEC_DEFINES XMLSEC_APP_DEFINES XMLSEC_CRYPTO XMLSEC_CRYPTO_LIST XMLSEC_CRYPTO_DISABLED_LIST XMLSEC_CRYPTO_LIB XMLSEC_CRYPTO_CFLAGS XMLSEC_CRYPTO_LIBS XMLSEC_CRYPTO_PC_FILES_LIST LIBOBJS LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os XMLSEC_VERSION XMLSEC_PACKAGE XMLSEC_VERSION_SAFE XMLSEC_VERSION_MAJOR XMLSEC_VERSION_MINOR XMLSEC_VERSION_SUBMINOR XMLSEC_VERSION_INFO INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO AMTAR install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXX CXXFLAGS ac_ct_CXX CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL RM CP MV TAR HELP2MAN MAN2HTML U ANSI2KNR INSTALL_LTDL_TRUE INSTALL_LTDL_FALSE CONVENIENCE_LTDL_TRUE CONVENIENCE_LTDL_FALSE LIBADD_DL PKG_CONFIG_ENABLED PKG_CONFIG LIBXML_CFLAGS LIBXML_LIBS LIBXML262_CFLAGS LIBXML262_LIBS LIBXML_CONFIG LIBXML_MIN_VERSION LIBXSLT_CFLAGS LIBXSLT_LIBS XMLSEC_NO_LIBXSLT LIBXSLT_CONFIG LIBXSLT_MIN_VERSION OPENSSL_CFLAGS OPENSSL_LIBS OPENSSL097_CFLAGS OPENSSL097_LIBS XMLSEC_NO_OPENSSL_TRUE XMLSEC_NO_OPENSSL_FALSE XMLSEC_NO_OPENSSL OPENSSL_CRYPTO_LIB OPENSSL_MIN_VERSION GNUTLS_CFLAGS GNUTLS_LIBS XMLSEC_NO_GNUTLS_TRUE XMLSEC_NO_GNUTLS_FALSE XMLSEC_NO_GNUTLS GNUTLS_CRYPTO_LIB GNUTLS_MIN_VERSION NSS_CFLAGS NSS_LIBS XMLSEC_NO_NSS_TRUE XMLSEC_NO_NSS_FALSE XMLSEC_NO_NSS NSS_CRYPTO_LIB NSS_MIN_VERSION NSPR_MIN_VERSION MOZILLA_MIN_VERSION MSCRYPTO_CFLAGS MSCRYPTO_LIBS XMLSEC_NO_SHA1_TRUE XMLSEC_NO_SHA1_FALSE XMLSEC_NO_SHA1 XMLSEC_NO_RIPEMD160_TRUE XMLSEC_NO_RIPEMD160_FALSE XMLSEC_NO_RIPEMD160 XMLSEC_NO_HMAC_TRUE XMLSEC_NO_HMAC_FALSE XMLSEC_NO_HMAC XMLSEC_NO_DSA_TRUE XMLSEC_NO_DSA_FALSE XMLSEC_NO_DSA XMLSEC_NO_RSA_TRUE XMLSEC_NO_RSA_FALSE XMLSEC_NO_RSA XMLSEC_NO_X509_TRUE XMLSEC_NO_X509_FALSE XMLSEC_NO_X509 XMLSEC_NO_DES_TRUE XMLSEC_NO_DES_FALSE XMLSEC_NO_DES XMLSEC_NO_AES_TRUE XMLSEC_NO_AES_FALSE XMLSEC_NO_AES XMLSEC_NO_XMLDSIG_TRUE XMLSEC_NO_XMLDSIG_FALSE XMLSEC_NO_XMLDSIG XMLSEC_NO_XMLENC_TRUE XMLSEC_NO_XMLENC_FALSE XMLSEC_NO_XMLENC XMLSEC_NO_XKMS_TRUE XMLSEC_NO_XKMS_FALSE XMLSEC_NO_XKMS XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_TRUE XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_FALSE XMLSEC_NO_CRYPTO_DYNAMIC_LOADING XMLSEC_DL_INCLUDES XMLSEC_DL_LIBS XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_TRUE XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_FALSE XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING XMLSEC_DOCDIR XMLSEC_STATIC_BINARIES XMLSEC_CORE_CFLAGS XMLSEC_CORE_LIBS XMLSEC_LIBDIR XMLSEC_OPENSSL_CFLAGS XMLSEC_OPENSSL_LIBS XMLSEC_GNUTLS_CFLAGS XMLSEC_GNUTLS_LIBS XMLSEC_NSS_CFLAGS XMLSEC_NSS_LIBS XMLSEC_CFLAGS XMLSEC_LIBS XMLSEC_DEFINES XMLSEC_APP_DEFINES XMLSEC_CRYPTO XMLSEC_CRYPTO_LIST XMLSEC_CRYPTO_DISABLED_LIST XMLSEC_CRYPTO_LIB XMLSEC_CRYPTO_CFLAGS XMLSEC_CRYPTO_LIBS XMLSEC_CRYPTO_PC_FILES_LIST LIBOBJS LTLIBOBJS'
 ac_subst_files=''
 
 # Initialize some variables set by options.
@@ -1072,6 +1072,7 @@
   --with-nss=PFX          nss location
   --with-nspr=PFX         nspr location (needed for NSS)
   --with-mozilla-ver=VER  mozilla version (alt to --with-nss, --with-nspr)
+  --with-mscrypto         try to use mscrypto
   --with-html-dir=PATH    path to installed docs
 
 Some influential environment variables:
@@ -2045,8 +2046,8 @@
 
 ac_ext=c
 ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compile='$CC -c $ADDCFLAGS $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $ADDCFLAGS $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
 ac_compiler_gnu=$ac_cv_c_compiler_gnu
 if test -n "$ac_tool_prefix"; then
   # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
@@ -2698,15 +2699,15 @@
   CFLAGS=$ac_save_CFLAGS
 elif test $ac_cv_prog_cc_g = yes; then
   if test "$GCC" = yes; then
-    CFLAGS="-g -O2"
+    CFLAGS="$ADDCFLAGS -g -O2"
   else
-    CFLAGS="-g"
+    CFLAGS="$ADDCFLAGS -g"
   fi
 else
   if test "$GCC" = yes; then
-    CFLAGS="-O2"
+    CFLAGS="$ADDCFLAGS -O2"
   else
-    CFLAGS=
+    CFLAGS="$ADDCFLAGS"
   fi
 fi
 echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
@@ -6350,11 +6351,11 @@
       lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | cygwin* | mingw* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic='-DDLL_EXPORT'
@@ -6409,7 +6410,7 @@
       fi
       ;;
 
-    mingw* | pw32* | os2*)
+    pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic='-DDLL_EXPORT'
@@ -6752,7 +6753,7 @@
       export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--exclude-libs,ALL ${wl}--out-implib,$lib'
        # If the export-symbols file already is a .def file (1st line
        # is EXPORTS), use it as is; otherwise, prepend...
        archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -7778,7 +7779,7 @@
   ;;
 
 freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo elf`
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -9046,7 +9047,7 @@
       ;;
     esac
     output_verbose_link_cmd='echo'
-    archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+    archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name @executable_path/$soname $verstring'
     module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
     # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
     archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag  -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
@@ -10088,7 +10089,7 @@
     enable_shared_with_static_runtimes_CXX=yes
 
     if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--exclude-libs,ALL ${wl}--out-implib,$lib'
       # If the export-symbols file already is a .def file (1st line
       # is EXPORTS), use it as is; otherwise, prepend...
       archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -10816,10 +10817,10 @@
       # like `-m68040'.
       lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
       ;;
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | cygwin* | mingw* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
-    mingw* | os2* | pw32*)
+    os2* | pw32*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
@@ -11497,7 +11498,7 @@
   ;;
 
 freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo elf`
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -13259,11 +13260,11 @@
       lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | cygwin* | mingw* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_F77='-DDLL_EXPORT'
@@ -13661,7 +13662,7 @@
       export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--exclude-libs,ALL ${wl}--out-implib,$lib'
        # If the export-symbols file already is a .def file (1st line
        # is EXPORTS), use it as is; otherwise, prepend...
        archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -14667,7 +14668,7 @@
   ;;
 
 freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo elf`
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -15607,11 +15608,11 @@
       lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | cygwin* | mingw* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
@@ -15666,7 +15667,7 @@
       fi
       ;;
 
-    mingw* | pw32* | os2*)
+    pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
       lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
@@ -16009,7 +16010,7 @@
       export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--exclude-libs,ALL ${wl}--out-implib,$lib'
        # If the export-symbols file already is a .def file (1st line
        # is EXPORTS), use it as is; otherwise, prepend...
        archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -17035,7 +17036,7 @@
   ;;
 
 freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo elf`
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -25678,12 +25679,26 @@
 
 XMLSEC_NO_NSS="1"
 MOZILLA_MIN_VERSION="1.4"
+if test "z$MOZ_FLAVOUR" = "zfirefox" ; then
+    MOZILLA_MIN_VERSION="1.0"
+fi
 NSS_MIN_VERSION="3.2"
 NSPR_MIN_VERSION="4.0"
 NSS_CFLAGS=""
 NSS_LIBS=""
-NSS_LIBS_LIST="-lnss3 -lsmime3"
-NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+ 
+case $host_os in
+cygwin* | mingw* | pw32*)
+  NSS_LIBS_LIST="-lnss3 -lsmime3"
+  NSPR_LIBS_LIST="-lnspr4"
+  ;;
+
+*)
+  NSS_LIBS_LIST="-lnss3 -lsoftokn3 -lsmime3"
+  NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+  ;;
+esac
+
 NSS_CRYPTO_LIB="$PACKAGE-nss"
 NSS_FOUND="no"
 
@@ -25766,23 +25781,122 @@
   else
      PKG_CONFIG_MIN_VERSION=0.9.0
      if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
-        echo "$as_me:$LINENO: checking for mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION" >&5
-echo $ECHO_N "checking for mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION... $ECHO_C" >&6
+        echo "$as_me:$LINENO: checking for $MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION" >&5
+echo $ECHO_N "checking for $MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION... $ECHO_C" >&6
+
+        if $PKG_CONFIG --exists "$MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION" ; then
+            echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+            succeeded=yes
+
+            echo "$as_me:$LINENO: checking NSS_CFLAGS" >&5
+echo $ECHO_N "checking NSS_CFLAGS... $ECHO_C" >&6
+            NSS_CFLAGS=`$PKG_CONFIG --cflags "$MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION"`
+            echo "$as_me:$LINENO: result: $NSS_CFLAGS" >&5
+echo "${ECHO_T}$NSS_CFLAGS" >&6
+
+            echo "$as_me:$LINENO: checking NSS_LIBS" >&5
+echo $ECHO_N "checking NSS_LIBS... $ECHO_C" >&6
+            NSS_LIBS=`$PKG_CONFIG --libs "$MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION"`
+            echo "$as_me:$LINENO: result: $NSS_LIBS" >&5
+echo "${ECHO_T}$NSS_LIBS" >&6
+        else
+            NSS_CFLAGS=""
+            NSS_LIBS=""
+            ## If we have a custom action on failure, don't print errors, but
+            ## do set a variable so people can do so.
+            NSS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION"`
+
+        fi
+
+
+
+     else
+        echo "*** Your version of pkg-config is too old. You need version $PKG_CONFIG_MIN_VERSION or newer."
+        echo "*** See http://www.freedesktop.org/software/pkgconfig"
+     fi
+  fi
+
+  if test $succeeded = yes; then
+     NSS_FOUND=yes
+  else
+     NSS_FOUND=no
+  fi
+
+    echo "$as_me:$LINENO: result: $NSS_FOUND" >&5
+echo "${ECHO_T}$NSS_FOUND" >&6
+    if test "z$NSS_FOUND" = "zno" ; then
+
+  succeeded=no
+
+  if test -z "$PKG_CONFIG"; then
+    # Extract the first word of "pkg-config", so it can be a program name with args.
+set dummy pkg-config; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_PKG_CONFIG+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  case $PKG_CONFIG in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for ac_exec_ext in '' $ac_executable_extensions; do
+  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext"
+    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+done
+
+  test -z "$ac_cv_path_PKG_CONFIG" && ac_cv_path_PKG_CONFIG="no"
+  ;;
+esac
+fi
+PKG_CONFIG=$ac_cv_path_PKG_CONFIG
+
+if test -n "$PKG_CONFIG"; then
+  echo "$as_me:$LINENO: result: $PKG_CONFIG" >&5
+echo "${ECHO_T}$PKG_CONFIG" >&6
+else
+  echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+  fi
+
+  if test "$PKG_CONFIG" = "no" ; then
+     echo "*** The pkg-config script could not be found. Make sure it is"
+     echo "*** in your path, or set the PKG_CONFIG environment variable"
+     echo "*** to the full path to pkg-config."
+     echo "*** Or see http://www.freedesktop.org/software/pkgconfig to get pkg-config."
+  else
+     PKG_CONFIG_MIN_VERSION=0.9.0
+     if $PKG_CONFIG --atleast-pkgconfig-version $PKG_CONFIG_MIN_VERSION; then
+        echo "$as_me:$LINENO: checking for nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION" >&5
+echo $ECHO_N "checking for nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION... $ECHO_C" >&6
 
-        if $PKG_CONFIG --exists "mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION" ; then
+        if $PKG_CONFIG --exists "nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION" ; then
             echo "$as_me:$LINENO: result: yes" >&5
 echo "${ECHO_T}yes" >&6
             succeeded=yes
 
             echo "$as_me:$LINENO: checking NSS_CFLAGS" >&5
 echo $ECHO_N "checking NSS_CFLAGS... $ECHO_C" >&6
-            NSS_CFLAGS=`$PKG_CONFIG --cflags "mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION"`
+            NSS_CFLAGS=`$PKG_CONFIG --cflags "nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION"`
             echo "$as_me:$LINENO: result: $NSS_CFLAGS" >&5
 echo "${ECHO_T}$NSS_CFLAGS" >&6
 
             echo "$as_me:$LINENO: checking NSS_LIBS" >&5
 echo $ECHO_N "checking NSS_LIBS... $ECHO_C" >&6
-            NSS_LIBS=`$PKG_CONFIG --libs "mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION"`
+            NSS_LIBS=`$PKG_CONFIG --libs "nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION"`
             echo "$as_me:$LINENO: result: $NSS_LIBS" >&5
 echo "${ECHO_T}$NSS_LIBS" >&6
         else
@@ -25790,7 +25904,7 @@
             NSS_LIBS=""
             ## If we have a custom action on failure, don't print errors, but
             ## do set a variable so people can do so.
-            NSS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION"`
+            NSS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION"`
 
         fi
 
@@ -25808,6 +25922,9 @@
      NSS_FOUND=no
   fi
 
+        echo "$as_me:$LINENO: result: $NSS_FOUND" >&5
+echo "${ECHO_T}$NSS_FOUND" >&6
+    fi
 fi
 
 if test "z$NSS_FOUND" = "zno" ; then
@@ -25817,8 +25934,8 @@
         ac_mozilla_name=mozilla-$MOZILLA_MIN_VERSION
     fi
 
-    ac_nss_lib_dir="/usr/lib /usr/lib64 /usr/local/lib /usr/lib/$ac_mozilla_name /usr/local/lib/$ac_mozilla_name"
-    ac_nss_inc_dir="/usr/include /usr/include/mozilla /usr/local/include /usr/local/include/mozilla /usr/include/$ac_mozilla_name /usr/local/include/$ac_mozilla_name"
+    ac_nss_lib_dir="${SOLARVERSION}/${INPATH}/lib${UPDMINOREXT}"
+    ac_nss_inc_dir="${SOLARVERSION}/${INPATH}/inc${UPDMINOREXT}/mozilla"
 
     echo "$as_me:$LINENO: checking for nspr libraries >= $NSPR_MIN_VERSION" >&5
 echo $ECHO_N "checking for nspr libraries >= $NSPR_MIN_VERSION... $ECHO_C" >&6
@@ -25853,8 +25970,11 @@
        done
 
        for dir in $ac_nss_lib_dir ; do
-           if test -f $dir/libnspr4.so ; then
-                               if test "z$dir" = "z/usr/lib" ; then
+            case $host_os in
+            cygwin* | mingw* | pw32*)
+             if test -f $dir/libnspr4.so -o -f $dir/libnspr4.dylib -o -f $dir/libnspr4.a ; then
+               # do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
                    NSPR_LIBS="$NSPR_LIBS_LIST"
                else
                    if test "z$with_gnu_ld" = "zyes" ; then
@@ -25865,7 +25985,26 @@
                fi
                NSPR_LIBS_FOUND="yes"
                break
-           fi
+             fi
+              ;;
+
+            *)
+             if test -f $dir/libnspr4.so -o -f $dir/libnspr4.dylib ; then
+               # do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
+                   NSPR_LIBS="$NSPR_LIBS_LIST"
+               else
+                   if test "z$with_gnu_ld" = "zyes" ; then
+                       NSPR_LIBS="-Wl,-rpath-link -Wl,$dir -L$dir $NSPR_LIBS_LIST"
+                   else
+                       NSPR_LIBS="-L$dir $NSPR_LIBS_LIST"
+                   fi
+               fi
+               NSPR_LIBS_FOUND="yes"
+               break
+             fi
+              ;;
+            esac
        done
     fi
 
@@ -25939,8 +26078,11 @@
         done
 
         for dir in $ac_nss_lib_dir ; do
-           if test -f $dir/libnss3.so ; then
-                               if test "z$dir" = "z/usr/lib" ; then
+            case $host_os in
+            cygwin* | mingw* | pw32*)
+             if test -f $dir/libnss3.so -o -f $dir/libnss3.dylib -o -f $dir/libnss3.a ; then
+               # do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
                    NSS_LIBS="$NSS_LIBS_LIST"
                 else
                    if test "z$with_gnu_ld" = "zyes" ; then
@@ -25951,7 +26093,26 @@
                fi
                NSS_LIBS_FOUND="yes"
                break
-           fi
+             fi
+              ;;
+
+            *)
+             if test -f $dir/libnss3.so -o -f $dir/libnss3.dylib ; then
+               # do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
+                   NSS_LIBS="$NSS_LIBS_LIST"
+                else
+                   if test "z$with_gnu_ld" = "zyes" ; then
+                       NSS_LIBS="-Wl,-rpath-link -Wl,$dir -L$dir $NSS_LIBS_LIST"
+                   else
+                       NSS_LIBS="-L$dir $NSS_LIBS_LIST"
+                   fi
+               fi
+               NSS_LIBS_FOUND="yes"
+               break
+             fi
+              ;;
+            esac
        done
     fi
 
@@ -26004,6 +26165,12 @@
     fi
 fi
 
+case $host_os in
+darwin*)
+  NSS_LIBS="$NSS_LIBS "`"$PERL" "$SOLARENV/bin/macosx-dylib-link-list.pl" $NSS_LIBS`
+  ;;
+esac
+
 if test "z$NSS_FOUND" = "zyes" ; then
     XMLSEC_NO_NSS="0"
     NSS_CFLAGS="$NSS_CFLAGS -DXMLSEC_CRYPTO_NSS=1"
@@ -26037,6 +26204,109 @@
 
 
 
+MSCRYPTO_CFLAGS=""
+MSCRYPTO_LIBS=""
+MSCRYPTO_FOUND="no"
+
+
+# Check whether --with-mscrypto or --without-mscrypto was given.
+if test "${with_mscrypto+set}" = set; then
+  withval="$with_mscrypto"
+
+fi;
+if test "z$with_mscrypto" = "zno" ; then
+    echo "$as_me:$LINENO: checking for MSCRYPTO libraries" >&5
+echo $ECHO_N "checking for MSCRYPTO libraries... $ECHO_C" >&6
+    echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+    MSCRYPTO_FOUND="without"
+else
+    ac_mscrypto_lib_dir="${PSDK_HOME}/lib"
+    ac_mscrypto_inc_dir="${SOLARVERSION}/${INPATH}/inc${UPDMINOREXT}/external/mingw/include ${COMPATH}/include ${COMPATH}/include/w32api"
+        echo "$as_me:$LINENO: checking for mscrypto libraries" >&5
+echo $ECHO_N "checking for mscrypto libraries... $ECHO_C" >&6
+    MSCRYPTO_INCLUDES_FOUND="no"
+    MSCRYPTO_LIBS_FOUND="no"
+    WINCRYPT_H=""
+
+       for dir in $ac_mscrypto_inc_dir ; do
+           if test -f $dir/wincrypt.h ; then
+                   MSCRYPTO_CFLAGS="$MSCRYPTO_CFLAGS -I$dir"
+               MSCRYPTO_INCLUDES_FOUND="yes"
+               WINCRYPT_H="$dir/wincrypt.h"
+               break
+           fi
+        done
+
+        for dir in $ac_mscrypto_lib_dir ; do
+           if test -f $dir/crypt32.lib ; then
+                   if test "z$with_gnu_ld" = "zyes" ; then
+                       MSCRYPTO_LIBS="-Wl,-rpath-link -Wl,$dir -L$dir $dir/crypt32.lib"
+                   else
+                       MSCRYPTO_LIBS="-L$dir $dir/crypt32.lib"
+                   fi
+               MSCRYPTO_LIBS_FOUND="yes"
+               break
+           fi
+       done
+
+    if test "z$MSCRYPTO_INCLUDES_FOUND" = "zyes" -a "z$MSCRYPTO_LIBS_FOUND" = "zyes" ; then
+       OLD_CPPFLAGS=$CPPFLAGS
+       CPPFLAGS="$MSCRYPTO_CFLAGS"
+       cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+          #include <wincrypt.h>
+          #if defined(_WINCRYPT_H) || defined(__WINCRYPT_H__)
+             yes
+          #endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+  $EGREP "yes" >/dev/null 2>&1; then
+
+           MSCRYPTO_FOUND=yes
+
+else
+
+           MSCRYPTO_FOUND=no
+
+fi
+rm -f conftest*
+
+       CPPFLAGS="$OLD_CPPFLAGS"
+    fi
+
+    if test "z$MSCRYPTO_FOUND" = "zyes" ; then
+       echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+    else
+       echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+    fi
+
+fi
+
+if test "z$MSCRYPTO_FOUND" = "zyes" ; then
+    MSCRYPTO_CFLAGS="$MSCRYPTO_CFLAGS -DXMLSEC_CRYPTO_MSCRYPTO=1"
+
+        if test "z$XMLSEC_CRYPTO" = "z" ;  then
+       XMLSEC_CRYPTO="mscrypto"
+       XMLSEC_CRYPTO_LIB="$PACKAGE-mscrypto"
+       XMLSEC_CRYPTO_CFLAGS="$MSCRYPTO_CFLAGS"
+       XMLSEC_CRYPTO_LIBS="$MSCRYPTO_LIBS"
+    fi
+    XMLSEC_CRYPTO_LIST="$XMLSEC_CRYPTO_LIST mscrypto"
+else
+    XMLSEC_CRYPTO_DISABLED_LIST="$XMLSEC_CRYPTO_DISABLED_LIST mscrypto"
+fi
+
+
+
 echo "$as_me:$LINENO: checking for crypto library" >&5
 echo $ECHO_N "checking for crypto library... $ECHO_C" >&6
 if test "z$XMLSEC_CRYPTO" = "z" ;  then
@@ -26604,7 +26874,7 @@
 done
 
 
-                                                                                                                                                                ac_config_files="$ac_config_files include/xmlsec/version.h Makefile include/Makefile include/xmlsec/Makefile include/xmlsec/private/Makefile src/Makefile apps/Makefile docs/Makefile docs/api/Makefile man/Makefile xmlsec1Conf.sh:xmlsecConf.sh.in xmlsec1-config:xmlsec-config.in xmlsec1-openssl.pc:xmlsec-openssl.pc.in xmlsec1-gnutls.pc:xmlsec-gnutls.pc.in xmlsec1-nss.pc:xmlsec-nss.pc.in xmlsec1.spec:xmlsec.spec.in"
+                                                                                                                                                                ac_config_files="$ac_config_files include/xmlsec/version.h Makefile include/Makefile include/xmlsec/Makefile include/xmlsec/private/Makefile src/Makefile apps/Makefile docs/Makefile docs/api/Makefile man/Makefile xmlsec1Conf.sh:xmlsecConf.sh.in xmlsec1-config:xmlsec-config.in xmlsec1-openssl.pc:xmlsec-openssl.pc.in xmlsec1-gnutls.pc:xmlsec-gnutls.pc.in xmlsec1-nss.pc:xmlsec-nss.pc.in xmlsec1-mscrypto.pc:xmlsec-mscrypto.pc.in xmlsec1.spec:xmlsec.spec.in"
 cat >confcache <<\_ACEOF
 # This file is a shell script that caches the results of configure
 # tests run on this system so they can be shared between configure
@@ -27521,6 +27791,8 @@
 s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
 s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
 s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
 s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
 s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
 s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
@@ -29231,6 +29503,8 @@
 s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
 s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
 s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
 s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
 s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
 s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
@@ -30941,6 +31215,8 @@
 s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
 s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
 s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
 s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
 s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
 s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
@@ -32653,6 +32929,1724 @@
 s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
 s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
 s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
+s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
+s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
+s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
+s,@XMLSEC_NO_RIPEMD160_TRUE@,$XMLSEC_NO_RIPEMD160_TRUE,;t t
+s,@XMLSEC_NO_RIPEMD160_FALSE@,$XMLSEC_NO_RIPEMD160_FALSE,;t t
+s,@XMLSEC_NO_RIPEMD160@,$XMLSEC_NO_RIPEMD160,;t t
+s,@XMLSEC_NO_HMAC_TRUE@,$XMLSEC_NO_HMAC_TRUE,;t t
+s,@XMLSEC_NO_HMAC_FALSE@,$XMLSEC_NO_HMAC_FALSE,;t t
+s,@XMLSEC_NO_HMAC@,$XMLSEC_NO_HMAC,;t t
+s,@XMLSEC_NO_DSA_TRUE@,$XMLSEC_NO_DSA_TRUE,;t t
+s,@XMLSEC_NO_DSA_FALSE@,$XMLSEC_NO_DSA_FALSE,;t t
+s,@XMLSEC_NO_DSA@,$XMLSEC_NO_DSA,;t t
+s,@XMLSEC_NO_RSA_TRUE@,$XMLSEC_NO_RSA_TRUE,;t t
+s,@XMLSEC_NO_RSA_FALSE@,$XMLSEC_NO_RSA_FALSE,;t t
+s,@XMLSEC_NO_RSA@,$XMLSEC_NO_RSA,;t t
+s,@XMLSEC_NO_X509_TRUE@,$XMLSEC_NO_X509_TRUE,;t t
+s,@XMLSEC_NO_X509_FALSE@,$XMLSEC_NO_X509_FALSE,;t t
+s,@XMLSEC_NO_X509@,$XMLSEC_NO_X509,;t t
+s,@XMLSEC_NO_DES_TRUE@,$XMLSEC_NO_DES_TRUE,;t t
+s,@XMLSEC_NO_DES_FALSE@,$XMLSEC_NO_DES_FALSE,;t t
+s,@XMLSEC_NO_DES@,$XMLSEC_NO_DES,;t t
+s,@XMLSEC_NO_AES_TRUE@,$XMLSEC_NO_AES_TRUE,;t t
+s,@XMLSEC_NO_AES_FALSE@,$XMLSEC_NO_AES_FALSE,;t t
+s,@XMLSEC_NO_AES@,$XMLSEC_NO_AES,;t t
+s,@XMLSEC_NO_XMLDSIG_TRUE@,$XMLSEC_NO_XMLDSIG_TRUE,;t t
+s,@XMLSEC_NO_XMLDSIG_FALSE@,$XMLSEC_NO_XMLDSIG_FALSE,;t t
+s,@XMLSEC_NO_XMLDSIG@,$XMLSEC_NO_XMLDSIG,;t t
+s,@XMLSEC_NO_XMLENC_TRUE@,$XMLSEC_NO_XMLENC_TRUE,;t t
+s,@XMLSEC_NO_XMLENC_FALSE@,$XMLSEC_NO_XMLENC_FALSE,;t t
+s,@XMLSEC_NO_XMLENC@,$XMLSEC_NO_XMLENC,;t t
+s,@XMLSEC_NO_XKMS_TRUE@,$XMLSEC_NO_XKMS_TRUE,;t t
+s,@XMLSEC_NO_XKMS_FALSE@,$XMLSEC_NO_XKMS_FALSE,;t t
+s,@XMLSEC_NO_XKMS@,$XMLSEC_NO_XKMS,;t t
+s,@XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_TRUE@,$XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_TRUE,;t t
+s,@XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_FALSE@,$XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_FALSE,;t t
+s,@XMLSEC_NO_CRYPTO_DYNAMIC_LOADING@,$XMLSEC_NO_CRYPTO_DYNAMIC_LOADING,;t t
+s,@XMLSEC_DL_INCLUDES@,$XMLSEC_DL_INCLUDES,;t t
+s,@XMLSEC_DL_LIBS@,$XMLSEC_DL_LIBS,;t t
+s,@XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_TRUE@,$XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_TRUE,;t t
+s,@XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_FALSE@,$XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_FALSE,;t t
+s,@XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING@,$XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING,;t t
+s,@XMLSEC_DOCDIR@,$XMLSEC_DOCDIR,;t t
+s,@XMLSEC_STATIC_BINARIES@,$XMLSEC_STATIC_BINARIES,;t t
+s,@XMLSEC_CORE_CFLAGS@,$XMLSEC_CORE_CFLAGS,;t t
+s,@XMLSEC_CORE_LIBS@,$XMLSEC_CORE_LIBS,;t t
+s,@XMLSEC_LIBDIR@,$XMLSEC_LIBDIR,;t t
+s,@XMLSEC_OPENSSL_CFLAGS@,$XMLSEC_OPENSSL_CFLAGS,;t t
+s,@XMLSEC_OPENSSL_LIBS@,$XMLSEC_OPENSSL_LIBS,;t t
+s,@XMLSEC_GNUTLS_CFLAGS@,$XMLSEC_GNUTLS_CFLAGS,;t t
+s,@XMLSEC_GNUTLS_LIBS@,$XMLSEC_GNUTLS_LIBS,;t t
+s,@XMLSEC_NSS_CFLAGS@,$XMLSEC_NSS_CFLAGS,;t t
+s,@XMLSEC_NSS_LIBS@,$XMLSEC_NSS_LIBS,;t t
+s,@XMLSEC_CFLAGS@,$XMLSEC_CFLAGS,;t t
+s,@XMLSEC_LIBS@,$XMLSEC_LIBS,;t t
+s,@XMLSEC_DEFINES@,$XMLSEC_DEFINES,;t t
+s,@XMLSEC_APP_DEFINES@,$XMLSEC_APP_DEFINES,;t t
+s,@XMLSEC_CRYPTO@,$XMLSEC_CRYPTO,;t t
+s,@XMLSEC_CRYPTO_LIST@,$XMLSEC_CRYPTO_LIST,;t t
+s,@XMLSEC_CRYPTO_DISABLED_LIST@,$XMLSEC_CRYPTO_DISABLED_LIST,;t t
+s,@XMLSEC_CRYPTO_LIB@,$XMLSEC_CRYPTO_LIB,;t t
+s,@XMLSEC_CRYPTO_CFLAGS@,$XMLSEC_CRYPTO_CFLAGS,;t t
+s,@XMLSEC_CRYPTO_LIBS@,$XMLSEC_CRYPTO_LIBS,;t t
+s,@XMLSEC_CRYPTO_PC_FILES_LIST@,$XMLSEC_CRYPTO_PC_FILES_LIST,;t t
+s,@LIBOBJS@,$LIBOBJS,;t t
+s,@LTLIBOBJS@,$LTLIBOBJS,;t t
+CEOF
+
+_ACEOF
+
+  cat >>$CONFIG_STATUS <<\_ACEOF
+  # Split the substitutions into bite-sized pieces for seds with
+  # small command number limits, like on Digital OSF/1 and HP-UX.
+  ac_max_sed_lines=48
+  ac_sed_frag=1 # Number of current file.
+  ac_beg=1 # First line for current file.
+  ac_end=$ac_max_sed_lines # Line after last line for current file.
+  ac_more_lines=:
+  ac_sed_cmds=
+  while $ac_more_lines; do
+    if test $ac_beg -gt 1; then
+      sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    else
+      sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+    fi
+    if test ! -s $tmp/subs.frag; then
+      ac_more_lines=false
+    else
+      # The purpose of the label and of the branching condition is to
+      # speed up the sed processing (if there are no `@' at all, there
+      # is no need to browse any of the substitutions).
+      # These are the two extra sed commands mentioned above.
+      (echo ':t
+  /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
+      if test -z "$ac_sed_cmds"; then
+       ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
+      else
+       ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
+      fi
+      ac_sed_frag=`expr $ac_sed_frag + 1`
+      ac_beg=$ac_end
+      ac_end=`expr $ac_end + $ac_max_sed_lines`
+    fi
+  done
+  if test -z "$ac_sed_cmds"; then
+    ac_sed_cmds=cat
+  fi
+fi # test -n "$CONFIG_FILES"
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+       cat >$tmp/stdin
+       ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+       ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+       ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
+  esac
+
+  # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
+  ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$ac_file" : 'X\(//\)[^/]' \| \
+        X"$ac_file" : 'X\(//\)$' \| \
+        X"$ac_file" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+  { if $as_mkdir_p; then
+    mkdir -p "$ac_dir"
+  else
+    as_dir="$ac_dir"
+    as_dirs=
+    while test ! -d "$as_dir"; do
+      as_dirs="$as_dir $as_dirs"
+      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$as_dir" : 'X\(//\)[^/]' \| \
+        X"$as_dir" : 'X\(//\)$' \| \
+        X"$as_dir" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+    done
+    test ! -n "$as_dirs" || mkdir $as_dirs
+  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
+echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+   { (exit 1); exit 1; }; }; }
+
+  ac_builddir=.
+
+if test "$ac_dir" != .; then
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  # A "../" for each directory in $ac_dir_suffix.
+  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+else
+  ac_dir_suffix= ac_top_builddir=
+fi
+
+case $srcdir in
+  .)  # No --srcdir option.  We are building in place.
+    ac_srcdir=.
+    if test -z "$ac_top_builddir"; then
+       ac_top_srcdir=.
+    else
+       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
+    fi ;;
+  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir ;;
+  *) # Relative path.
+    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+esac
+
+# Do not use `cd foo && pwd` to compute absolute paths, because
+# the directories may not exist.
+case `pwd` in
+.) ac_abs_builddir="$ac_dir";;
+*)
+  case "$ac_dir" in
+  .) ac_abs_builddir=`pwd`;;
+  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
+  *) ac_abs_builddir=`pwd`/"$ac_dir";;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_builddir=${ac_top_builddir}.;;
+*)
+  case ${ac_top_builddir}. in
+  .) ac_abs_top_builddir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
+  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_srcdir=$ac_srcdir;;
+*)
+  case $ac_srcdir in
+  .) ac_abs_srcdir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
+  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_srcdir=$ac_top_srcdir;;
+*)
+  case $ac_top_srcdir in
+  .) ac_abs_top_srcdir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
+  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
+  esac;;
+esac
+
+
+  case $INSTALL in
+  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+  *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
+  esac
+
+  if test x"$ac_file" != x-; then
+    { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+    rm -f "$ac_file"
+  fi
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated by config.status.  */
+  if test x"$ac_file" = x-; then
+    configure_input=
+  else
+    configure_input="$ac_file.  "
+  fi
+  configure_input=$configure_input"Generated from `echo $ac_file_in |
+                                    sed 's,.*/,,'` by configure."
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]*)
+        # Absolute (can't be DOS-style, as IFS=:)
+        test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+        echo "$f";;
+      *) # Relative
+        if test -f "$f"; then
+          # Build tree
+          echo "$f"
+        elif test -f "$srcdir/$f"; then
+          # Source tree
+          echo "$srcdir/$f"
+        else
+          # /dev/null tree
+          { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+        fi;;
+      esac
+    done` || { (exit 1); exit 1; }
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+  sed "$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s,@configure_input@,$configure_input,;t t
+s,@srcdir@,$ac_srcdir,;t t
+s,@abs_srcdir@,$ac_abs_srcdir,;t t
+s,@top_srcdir@,$ac_top_srcdir,;t t
+s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
+s,@builddir@,$ac_builddir,;t t
+s,@abs_builddir@,$ac_abs_builddir,;t t
+s,@top_builddir@,$ac_top_builddir,;t t
+s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
+s,@INSTALL@,$ac_INSTALL,;t t
+" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
+  rm -f $tmp/stdin
+  if test x"$ac_file" != x-; then
+    mv $tmp/out $ac_file
+  else
+    cat $tmp/out
+    rm -f $tmp/out
+  fi
+
+done
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+#
+# CONFIG_HEADER section.
+#
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s,^\([   ]*\)#\([        ]*define[       ][      ]*\)'
+ac_dB='[        ].*$,\1#\2'
+ac_dC=' '
+ac_dD=',;t'
+# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_uA='s,^\([   ]*\)#\([        ]*\)undef\([    ][      ]*\)'
+ac_uB='$,\1#\2define\3'
+ac_uC=' '
+ac_uD=',;t'
+
+for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
+  # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+  case $ac_file in
+  - | *:- | *:-:* ) # input from stdin
+       cat >$tmp/stdin
+       ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+       ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+       ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+  * )   ac_file_in=$ac_file.in ;;
+  esac
+
+  test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+
+  # First look for the input files in the build tree, otherwise in the
+  # src tree.
+  ac_file_inputs=`IFS=:
+    for f in $ac_file_in; do
+      case $f in
+      -) echo $tmp/stdin ;;
+      [\\/$]*)
+        # Absolute (can't be DOS-style, as IFS=:)
+        test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+        # Do quote $f, to prevent DOS paths from being IFS'd.
+        echo "$f";;
+      *) # Relative
+        if test -f "$f"; then
+          # Build tree
+          echo "$f"
+        elif test -f "$srcdir/$f"; then
+          # Source tree
+          echo "$srcdir/$f"
+        else
+          # /dev/null tree
+          { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+   { (exit 1); exit 1; }; }
+        fi;;
+      esac
+    done` || { (exit 1); exit 1; }
+  # Remove the trailing spaces.
+  sed 's/[      ]*$//' $ac_file_inputs >$tmp/in
+
+_ACEOF
+
+# Transform confdefs.h into two sed scripts, `conftest.defines' and
+# `conftest.undefs', that substitutes the proper values into
+# config.h.in to produce config.h.  The first handles `#define'
+# templates, and the second `#undef' templates.
+# And first: Protect against being on the right side of a sed subst in
+# config.status.  Protect against being in an unquoted here document
+# in config.status.
+rm -f conftest.defines conftest.undefs
+# Using a here document instead of a string reduces the quoting nightmare.
+# Putting comments in sed scripts is not portable.
+#
+# `end' is used to avoid that the second main sed command (meant for
+# 0-ary CPP macros) applies to n-ary macro definitions.
+# See the Autoconf documentation for `clear'.
+cat >confdef2sed.sed <<\_ACEOF
+s/[\\&,]/\\&/g
+s,[\\$`],\\&,g
+t clear
+: clear
+s,^[    ]*#[    ]*define[       ][      ]*\([^  (][^    (]*\)\(([^)]*)\)[       ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
+t end
+s,^[    ]*#[    ]*define[       ][      ]*\([^  ][^     ]*\)[   ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
+: end
+_ACEOF
+# If some macros were called several times there might be several times
+# the same #defines, which is useless.  Nevertheless, we may not want to
+# sort them, since we want the *last* AC-DEFINE to be honored.
+uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
+sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
+rm -f confdef2sed.sed
+
+# This sed command replaces #undef with comments.  This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >>conftest.undefs <<\_ACEOF
+s,^[    ]*#[    ]*undef[        ][      ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
+_ACEOF
+
+# Break up conftest.defines because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
+echo '  if grep "^[     ]*#[    ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
+echo '  # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
+echo '  :' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.defines >/dev/null
+do
+  # Write a limited-size here document to $tmp/defines.sed.
+  echo '  cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#define' lines.
+  echo '/^[     ]*#[    ]*define/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+  echo 'CEOF
+  sed -f $tmp/defines.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+  rm -f conftest.defines
+  mv conftest.tail conftest.defines
+done
+rm -f conftest.defines
+echo '  fi # grep' >>$CONFIG_STATUS
+echo >>$CONFIG_STATUS
+
+# Break up conftest.undefs because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo '  # Handle all the #undef templates' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.undefs >/dev/null
+do
+  # Write a limited-size here document to $tmp/undefs.sed.
+  echo '  cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
+  # Speed up: don't consider the non `#undef'
+  echo '/^[     ]*#[    ]*undef/!b' >>$CONFIG_STATUS
+  # Work around the forget-to-reset-the-flag bug.
+  echo 't clr' >>$CONFIG_STATUS
+  echo ': clr' >>$CONFIG_STATUS
+  sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
+  echo 'CEOF
+  sed -f $tmp/undefs.sed $tmp/in >$tmp/out
+  rm -f $tmp/in
+  mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+  sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
+  rm -f conftest.undefs
+  mv conftest.tail conftest.undefs
+done
+rm -f conftest.undefs
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+  # Let's still pretend it is `configure' which instantiates (i.e., don't
+  # use $as_me), people would be surprised to read:
+  #    /* config.h.  Generated by config.status.  */
+  if test x"$ac_file" = x-; then
+    echo "/* Generated by configure.  */" >$tmp/config.h
+  else
+    echo "/* $ac_file.  Generated by configure.  */" >$tmp/config.h
+  fi
+  cat $tmp/in >>$tmp/config.h
+  rm -f $tmp/in
+  if test x"$ac_file" != x-; then
+    if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+      { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
+echo "$as_me: $ac_file is unchanged" >&6;}
+    else
+      ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$ac_file" : 'X\(//\)[^/]' \| \
+        X"$ac_file" : 'X\(//\)$' \| \
+        X"$ac_file" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+      { if $as_mkdir_p; then
+    mkdir -p "$ac_dir"
+  else
+    as_dir="$ac_dir"
+    as_dirs=
+    while test ! -d "$as_dir"; do
+      as_dirs="$as_dir $as_dirs"
+      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$as_dir" : 'X\(//\)[^/]' \| \
+        X"$as_dir" : 'X\(//\)$' \| \
+        X"$as_dir" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+    done
+    test ! -n "$as_dirs" || mkdir $as_dirs
+  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
+echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+   { (exit 1); exit 1; }; }; }
+
+      rm -f $ac_file
+      mv $tmp/config.h $ac_file
+    fi
+  else
+    cat $tmp/config.h
+    rm -f $tmp/config.h
+  fi
+# Compute $ac_file's index in $config_headers.
+_am_stamp_count=1
+for _am_header in $config_headers :; do
+  case $_am_header in
+    $ac_file | $ac_file:* )
+      break ;;
+    * )
+      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
+  esac
+done
+echo "timestamp for $ac_file" >`(dirname $ac_file) 2>/dev/null ||
+$as_expr X$ac_file : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X$ac_file : 'X\(//\)[^/]' \| \
+        X$ac_file : 'X\(//\)$' \| \
+        X$ac_file : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X$ac_file |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`/stamp-h$_am_stamp_count
+done
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+#
+# CONFIG_COMMANDS section.
+#
+for ac_file in : $CONFIG_COMMANDS; do test "x$ac_file" = x: && continue
+  ac_dest=`echo "$ac_file" | sed 's,:.*,,'`
+  ac_source=`echo "$ac_file" | sed 's,[^:]*:,,'`
+  ac_dir=`(dirname "$ac_dest") 2>/dev/null ||
+$as_expr X"$ac_dest" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$ac_dest" : 'X\(//\)[^/]' \| \
+        X"$ac_dest" : 'X\(//\)$' \| \
+        X"$ac_dest" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$ac_dest" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+  { if $as_mkdir_p; then
+    mkdir -p "$ac_dir"
+  else
+    as_dir="$ac_dir"
+    as_dirs=
+    while test ! -d "$as_dir"; do
+      as_dirs="$as_dir $as_dirs"
+      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$as_dir" : 'X\(//\)[^/]' \| \
+        X"$as_dir" : 'X\(//\)$' \| \
+        X"$as_dir" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+    done
+    test ! -n "$as_dirs" || mkdir $as_dirs
+  fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
+echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+   { (exit 1); exit 1; }; }; }
+
+  ac_builddir=.
+
+if test "$ac_dir" != .; then
+  ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+  # A "../" for each directory in $ac_dir_suffix.
+  ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+else
+  ac_dir_suffix= ac_top_builddir=
+fi
+
+case $srcdir in
+  .)  # No --srcdir option.  We are building in place.
+    ac_srcdir=.
+    if test -z "$ac_top_builddir"; then
+       ac_top_srcdir=.
+    else
+       ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
+    fi ;;
+  [\\/]* | ?:[\\/]* )  # Absolute path.
+    ac_srcdir=$srcdir$ac_dir_suffix;
+    ac_top_srcdir=$srcdir ;;
+  *) # Relative path.
+    ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
+    ac_top_srcdir=$ac_top_builddir$srcdir ;;
+esac
+
+# Do not use `cd foo && pwd` to compute absolute paths, because
+# the directories may not exist.
+case `pwd` in
+.) ac_abs_builddir="$ac_dir";;
+*)
+  case "$ac_dir" in
+  .) ac_abs_builddir=`pwd`;;
+  [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
+  *) ac_abs_builddir=`pwd`/"$ac_dir";;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_builddir=${ac_top_builddir}.;;
+*)
+  case ${ac_top_builddir}. in
+  .) ac_abs_top_builddir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
+  *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_srcdir=$ac_srcdir;;
+*)
+  case $ac_srcdir in
+  .) ac_abs_srcdir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
+  *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
+  esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_srcdir=$ac_top_srcdir;;
+*)
+  case $ac_top_srcdir in
+  .) ac_abs_top_srcdir=$ac_abs_builddir;;
+  [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
+  *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
+  esac;;
+esac
+
+
+  { echo "$as_me:$LINENO: executing $ac_dest commands" >&5
+echo "$as_me: executing $ac_dest commands" >&6;}
+  case $ac_dest in
+    depfiles ) test x"$AMDEP_TRUE" != x"" || for mf in $CONFIG_FILES; do
+  # Strip MF so we end up with the name of the file.
+  mf=`echo "$mf" | sed -e 's/:.*$//'`
+  # Check whether this is an Automake generated Makefile or not.
+  # We used to match only the files named `Makefile.in', but
+  # some people rename them; so instead we look at the file content.
+  # Grep'ing the first line is not enough: some people post-process
+  # each Makefile.in and add a new line on top of each file to say so.
+  # So let's grep whole file.
+  if grep '^#.*generated by automake' $mf > /dev/null 2>&1; then
+    dirpart=`(dirname "$mf") 2>/dev/null ||
+$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$mf" : 'X\(//\)[^/]' \| \
+        X"$mf" : 'X\(//\)$' \| \
+        X"$mf" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$mf" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+  else
+    continue
+  fi
+  grep '^DEP_FILES *= *[^ #]' < "$mf" > /dev/null || continue
+  # Extract the definition of DEP_FILES from the Makefile without
+  # running `make'.
+  DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
+  test -z "$DEPDIR" && continue
+  # When using ansi2knr, U may be empty or an underscore; expand it
+  U=`sed -n 's/^U = //p' < "$mf"`
+  test -d "$dirpart/$DEPDIR" || mkdir "$dirpart/$DEPDIR"
+  # We invoke sed twice because it is the simplest approach to
+  # changing $(DEPDIR) to its actual value in the expansion.
+  for file in `sed -n '
+    /^DEP_FILES = .*\\\\$/ {
+      s/^DEP_FILES = //
+      :loop
+       s/\\\\$//
+       p
+       n
+       /\\\\$/ b loop
+      p
+    }
+    /^DEP_FILES = / s/^DEP_FILES = //p' < "$mf" | \
+       sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
+    # Make sure the directory exists.
+    test -f "$dirpart/$file" && continue
+    fdir=`(dirname "$file") 2>/dev/null ||
+$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$file" : 'X\(//\)[^/]' \| \
+        X"$file" : 'X\(//\)$' \| \
+        X"$file" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$file" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+    { if $as_mkdir_p; then
+    mkdir -p $dirpart/$fdir
+  else
+    as_dir=$dirpart/$fdir
+    as_dirs=
+    while test ! -d "$as_dir"; do
+      as_dirs="$as_dir $as_dirs"
+      as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+        X"$as_dir" : 'X\(//\)[^/]' \| \
+        X"$as_dir" : 'X\(//\)$' \| \
+        X"$as_dir" : 'X\(/\)' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+         /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+         /^X\(\/\/\)$/{ s//\1/; q; }
+         /^X\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+    done
+    test ! -n "$as_dirs" || mkdir $as_dirs
+  fi || { { echo "$as_me:$LINENO: error: cannot create directory $dirpart/$fdir" >&5
+echo "$as_me: error: cannot create directory $dirpart/$fdir" >&2;}
+   { (exit 1); exit 1; }; }; }
+
+    # echo "creating $dirpart/$file"
+    echo '# dummy' > "$dirpart/$file"
+  done
+done
+ ;;
+  esac
+done
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+{ (exit 0); exit 0; }
+_ACEOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded.  So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status.  When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+  ac_cs_success=:
+  ac_config_status_args=
+  test "$silent" = yes &&
+    ac_config_status_args="$ac_config_status_args --quiet"
+  exec 5>/dev/null
+  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+  exec 5>>config.log
+  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+  # would make configure fail if this is the last instruction.
+  $ac_cs_success || { (exit 1); exit 1; }
+fi
+
+fi
+
+if test "z$MSCRYPTO_FOUND" = "zyes" ; then
+                    ac_config_files="$ac_config_files include/xmlsec/mscrypto/Makefile src/mscrypto/Makefile"
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems.  If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+  (set) 2>&1 |
+    case `(ac_space=' '; set | grep ac_space) 2>&1` in
+    *ac_space=\ *)
+      # `set' does not quote correctly, so add quotes (double-quote
+      # substitution turns \\\\ into \\, and sed turns \\ into \).
+      sed -n \
+       "s/'/'\\\\''/g;
+         s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+      ;;
+    *)
+      # `set' quotes correctly as required by POSIX, so do not add quotes.
+      sed -n \
+       "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+      ;;
+    esac;
+} |
+  sed '
+     t clear
+     : clear
+     s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+     t end
+     /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+     : end' >>confcache
+if diff $cache_file confcache >/dev/null 2>&1; then :; else
+  if test -w $cache_file; then
+    test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+    cat confcache >$cache_file
+  else
+    echo "not updating unwritable cache $cache_file"
+  fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+  ac_vpsub='/^[         ]*VPATH[        ]*=/{
+s/:*\$(srcdir):*/:/;
+s/:*\${srcdir}:*/:/;
+s/:*@srcdir@:*/:/;
+s/^\([^=]*=[    ]*\):*/\1/;
+s/:*$//;
+s/^[^=]*=[      ]*$//;
+}'
+fi
+
+DEFS=-DHAVE_CONFIG_H
+
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+  # 1. Remove the extension, and $U if already installed.
+  ac_i=`echo "$ac_i" |
+        sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
+  # 2. Add them.
+  ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
+  ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+if test -z "${MAINTAINER_MODE_TRUE}" && test -z "${MAINTAINER_MODE_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"MAINTAINER_MODE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"MAINTAINER_MODE\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"AMDEP\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${am__fastdepCXX_TRUE}" && test -z "${am__fastdepCXX_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"am__fastdepCXX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${INSTALL_LTDL_TRUE}" && test -z "${INSTALL_LTDL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"INSTALL_LTDL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"INSTALL_LTDL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${CONVENIENCE_LTDL_TRUE}" && test -z "${CONVENIENCE_LTDL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"CONVENIENCE_LTDL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"CONVENIENCE_LTDL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_OPENSSL_TRUE}" && test -z "${XMLSEC_NO_OPENSSL_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_OPENSSL\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_GNUTLS_TRUE}" && test -z "${XMLSEC_NO_GNUTLS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_GNUTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_GNUTLS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_NSS_TRUE}" && test -z "${XMLSEC_NO_NSS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_NSS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_NSS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_SHA1_TRUE}" && test -z "${XMLSEC_NO_SHA1_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_SHA1\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_SHA1\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_RIPEMD160_TRUE}" && test -z "${XMLSEC_NO_RIPEMD160_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_RIPEMD160\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_RIPEMD160\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_HMAC_TRUE}" && test -z "${XMLSEC_NO_HMAC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_HMAC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_HMAC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_DSA_TRUE}" && test -z "${XMLSEC_NO_DSA_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_DSA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_DSA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_RSA_TRUE}" && test -z "${XMLSEC_NO_RSA_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_RSA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_RSA\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_X509_TRUE}" && test -z "${XMLSEC_NO_X509_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_X509\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_X509\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_DES_TRUE}" && test -z "${XMLSEC_NO_DES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_DES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_AES_TRUE}" && test -z "${XMLSEC_NO_AES_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_AES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_AES\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_XMLDSIG_TRUE}" && test -z "${XMLSEC_NO_XMLDSIG_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_XMLDSIG\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_XMLDSIG\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_XMLENC_TRUE}" && test -z "${XMLSEC_NO_XMLENC_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_XMLENC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_XMLENC\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_XKMS_TRUE}" && test -z "${XMLSEC_NO_XKMS_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_XKMS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_XKMS\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_TRUE}" && test -z "${XMLSEC_NO_CRYPTO_DYNAMIC_LOADING_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_CRYPTO_DYNAMIC_LOADING\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_CRYPTO_DYNAMIC_LOADING\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+if test -z "${XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_TRUE}" && test -z "${XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING_FALSE}"; then
+  { { echo "$as_me:$LINENO: error: conditional \"XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"XMLSEC_NO_APPS_CRYPTO_DYNAMIC_LOADING\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+   { (exit 1); exit 1; }; }
+fi
+
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+## --------------------- ##
+## M4sh Initialization.  ##
+## --------------------- ##
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+  set -o posix
+fi
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+  as_unset=unset
+else
+  as_unset=false
+fi
+
+
+# Work around bugs in pre-3.0 UWIN ksh.
+$as_unset ENV MAIL MAILPATH
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+  LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+  LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+  LC_TELEPHONE LC_TIME
+do
+  if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+    eval $as_var=C; export $as_var
+  else
+    $as_unset $as_var
+  fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+  as_basename=basename
+else
+  as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+        X"$0" : 'X\(//\)$' \| \
+        X"$0" : 'X\(/\)$' \| \
+        .     : '\(.\)' 2>/dev/null ||
+echo X/"$0" |
+    sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
+         /^X\/\(\/\/\)$/{ s//\1/; q; }
+         /^X\/\(\/\).*/{ s//\1/; q; }
+         s/.*/./; q'`
+
+
+# PATH needs CR, and LINENO needs CR and PATH.
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+  echo "#! /bin/sh" >conf$$.sh
+  echo  "exit 0"   >>conf$$.sh
+  chmod +x conf$$.sh
+  if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+    PATH_SEPARATOR=';'
+  else
+    PATH_SEPARATOR=:
+  fi
+  rm -f conf$$.sh
+fi
+
+
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x$as_lineno_3"  = "x$as_lineno_2"  || {
+  # Find who we are.  Look in the path if we contain no path at all
+  # relative or not.
+  case $0 in
+    *[\\/]* ) as_myself=$0 ;;
+    *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+
+       ;;
+  esac
+  # We did not find ourselves, most probably we were run as `sh COMMAND'
+  # in which case we are not to be found in the path.
+  if test "x$as_myself" = x; then
+    as_myself=$0
+  fi
+  if test ! -f "$as_myself"; then
+    { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
+echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
+   { (exit 1); exit 1; }; }
+  fi
+  case $CONFIG_SHELL in
+  '')
+    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+  for as_base in sh bash ksh sh5; do
+        case $as_dir in
+        /*)
+          if ("$as_dir/$as_base" -c '
+  as_lineno_1=$LINENO
+  as_lineno_2=$LINENO
+  as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+  test "x$as_lineno_1" != "x$as_lineno_2" &&
+  test "x$as_lineno_3"  = "x$as_lineno_2" ') 2>/dev/null; then
+            $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
+            $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
+            CONFIG_SHELL=$as_dir/$as_base
+            export CONFIG_SHELL
+            exec "$CONFIG_SHELL" "$0" ${1+"$@"}
+          fi;;
+        esac
+       done
+done
+;;
+  esac
+
+  # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+  # uniformly replaced by the line number.  The first 'sed' inserts a
+  # line-number line before each line; the second 'sed' does the real
+  # work.  The second script uses 'N' to pair each line-number line
+  # with the numbered line, and appends trailing '-' during
+  # substitution so that $LINENO is not a special case at line end.
+  # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+  # second 'sed' script.  Blame Lee E. McMahon for sed's syntax.  :-)
+  sed '=' <$as_myself |
+    sed '
+      N
+      s,$,-,
+      : loop
+      s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+      t loop
+      s,-$,,
+      s,^['$as_cr_digits']*\n,,
+    ' >$as_me.lineno &&
+  chmod +x $as_me.lineno ||
+    { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
+echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
+   { (exit 1); exit 1; }; }
+
+  # Don't try to exec as it changes $[0], causing all sort of problems
+  # (the dirname of $[0] is not the place where we might find the
+  # original and so on.  Autoconf is especially sensible to this).
+  . ./$as_me.lineno
+  # Exit status is that of the last command.
+  exit
+}
+
+
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+  *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T='     ' ;;
+  *c*,*  ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+  *)       ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+  as_expr=expr
+else
+  as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+  # We could just check for DJGPP; but this test a) works b) is more generic
+  # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
+  if test -f conf$$.exe; then
+    # Don't use ln at all; we don't have any links
+    as_ln_s='cp -p'
+  else
+    as_ln_s='ln -s'
+  fi
+elif ln conf$$.file conf$$ 2>/dev/null; then
+  as_ln_s=ln
+else
+  as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.file
+
+if mkdir -p . 2>/dev/null; then
+  as_mkdir_p=:
+else
+  test -d ./-p && rmdir ./-p
+  as_mkdir_p=false
+fi
+
+as_executable_p="test -f"
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+as_nl='
+'
+IFS="  $as_nl"
+
+# CDPATH.
+$as_unset CDPATH
+
+exec 6>&1
+
+# Open the log real soon, to keep \$[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.  Logging --version etc. is OK.
+exec 5>>config.log
+{
+  echo
+  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+} >&5
+cat >&5 <<_CSEOF
+
+This file was extended by $as_me, which was
+generated by GNU Autoconf 2.59.  Invocation command line was
+
+  CONFIG_FILES    = $CONFIG_FILES
+  CONFIG_HEADERS  = $CONFIG_HEADERS
+  CONFIG_LINKS    = $CONFIG_LINKS
+  CONFIG_COMMANDS = $CONFIG_COMMANDS
+  $ $0 $@
+
+_CSEOF
+echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
+echo >&5
+_ACEOF
+
+# Files that config.status was made for.
+if test -n "$ac_config_files"; then
+  echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_headers"; then
+  echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_links"; then
+  echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_commands"; then
+  echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+  -h, --help       print this help, then exit
+  -V, --version    print version number, then exit
+  -q, --quiet      do not print progress messages
+  -d, --debug      don't remove temporary files
+      --recheck    update $as_me by reconfiguring in the same conditions
+  --file=FILE[:TEMPLATE]
+                  instantiate the configuration file FILE
+  --header=FILE[:TEMPLATE]
+                  instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Configuration commands:
+$config_commands
+
+Report bugs to <bug-autoconf@gnu.org>."
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+ac_cs_version="\\
+config.status
+configured by $0, generated by GNU Autoconf 2.59,
+  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
+
+Copyright (C) 2003 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+srcdir=$srcdir
+INSTALL="$INSTALL"
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value.  By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
+do
+  case $1 in
+  --*=*)
+    ac_option=`expr "x$1" : 'x\([^=]*\)='`
+    ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+    ac_shift=:
+    ;;
+  -*)
+    ac_option=$1
+    ac_optarg=$2
+    ac_shift=shift
+    ;;
+  *) # This is not an option, so the user has probably given explicit
+     # arguments.
+     ac_option=$1
+     ac_need_defaults=false;;
+  esac
+
+  case $ac_option in
+  # Handling of the options.
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+    ac_cs_recheck=: ;;
+  --version | --vers* | -V )
+    echo "$ac_cs_version"; exit 0 ;;
+  --he | --h)
+    # Conflict between --help and --header
+    { { echo "$as_me:$LINENO: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2;}
+   { (exit 1); exit 1; }; };;
+  --help | --hel | -h )
+    echo "$ac_cs_usage"; exit 0 ;;
+  --debug | --d* | -d )
+    debug=: ;;
+  --file | --fil | --fi | --f )
+    $ac_shift
+    CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+    ac_need_defaults=false;;
+  --header | --heade | --head | --hea )
+    $ac_shift
+    CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
+    ac_need_defaults=false;;
+  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+  | -silent | --silent | --silen | --sile | --sil | --si | --s)
+    ac_cs_silent=: ;;
+
+  # This is an error.
+  -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2;}
+   { (exit 1); exit 1; }; } ;;
+
+  *) ac_config_targets="$ac_config_targets $1" ;;
+
+  esac
+  shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+  exec 6>/dev/null
+  ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+if \$ac_cs_recheck; then
+  echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+  exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+fi
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+#
+# INIT-COMMANDS section.
+#
+
+AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"
+
+_ACEOF
+
+
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+for ac_config_target in $ac_config_targets
+do
+  case "$ac_config_target" in
+  # Handling of arguments.
+  "include/xmlsec/version.h" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/version.h" ;;
+  "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+  "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+  "include/xmlsec/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/Makefile" ;;
+  "include/xmlsec/private/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/private/Makefile" ;;
+  "src/Makefile" ) CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
+  "apps/Makefile" ) CONFIG_FILES="$CONFIG_FILES apps/Makefile" ;;
+  "docs/Makefile" ) CONFIG_FILES="$CONFIG_FILES docs/Makefile" ;;
+  "docs/api/Makefile" ) CONFIG_FILES="$CONFIG_FILES docs/api/Makefile" ;;
+  "man/Makefile" ) CONFIG_FILES="$CONFIG_FILES man/Makefile" ;;
+  "xmlsec1Conf.sh" ) CONFIG_FILES="$CONFIG_FILES xmlsec1Conf.sh:xmlsecConf.sh.in" ;;
+  "xmlsec1-config" ) CONFIG_FILES="$CONFIG_FILES xmlsec1-config:xmlsec-config.in" ;;
+  "xmlsec1-openssl.pc" ) CONFIG_FILES="$CONFIG_FILES xmlsec1-openssl.pc:xmlsec-openssl.pc.in" ;;
+  "xmlsec1-gnutls.pc" ) CONFIG_FILES="$CONFIG_FILES xmlsec1-gnutls.pc:xmlsec-gnutls.pc.in" ;;
+  "xmlsec1-nss.pc" ) CONFIG_FILES="$CONFIG_FILES xmlsec1-nss.pc:xmlsec-nss.pc.in" ;;
+  "xmlsec1.spec" ) CONFIG_FILES="$CONFIG_FILES xmlsec1.spec:xmlsec.spec.in" ;;
+  "include/xmlsec/openssl/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/openssl/Makefile" ;;
+  "src/openssl/Makefile" ) CONFIG_FILES="$CONFIG_FILES src/openssl/Makefile" ;;
+  "include/xmlsec/gnutls/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/gnutls/Makefile" ;;
+  "src/gnutls/Makefile" ) CONFIG_FILES="$CONFIG_FILES src/gnutls/Makefile" ;;
+  "include/xmlsec/nss/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/nss/Makefile" ;;
+  "src/nss/Makefile" ) CONFIG_FILES="$CONFIG_FILES src/nss/Makefile" ;;
+  "include/xmlsec/mscrypto/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/xmlsec/mscrypto/Makefile" ;;
+  "src/mscrypto/Makefile" ) CONFIG_FILES="$CONFIG_FILES src/mscrypto/Makefile" ;;
+  "depfiles" ) CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;
+  "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+  *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+   { (exit 1); exit 1; }; };;
+  esac
+done
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used.  Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+  test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+  test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+  test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands
+fi
+
+# Have a temporary directory for convenience.  Make it in the build tree
+# simply because there is no reason to put it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Create a temporary directory, and hook for its removal unless debugging.
+$debug ||
+{
+  trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+  trap '{ (exit 1); exit 1; }' 1 2 13 15
+}
+
+# Create a (secure) tmp directory for tmp files.
+
+{
+  tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+  test -n "$tmp" && test -d "$tmp"
+}  ||
+{
+  tmp=./confstat$$-$RANDOM
+  (umask 077 && mkdir $tmp)
+} ||
+{
+   echo "$me: cannot create a temporary directory in ." >&2
+   { (exit 1); exit 1; }
+}
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+
+#
+# CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "\$CONFIG_FILES"; then
+  # Protect against being on the right side of a sed subst in config.status.
+  sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
+   s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
+s,@SHELL@,$SHELL,;t t
+s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
+s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
+s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
+s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
+s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
+s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
+s,@exec_prefix@,$exec_prefix,;t t
+s,@prefix@,$prefix,;t t
+s,@program_transform_name@,$program_transform_name,;t t
+s,@bindir@,$bindir,;t t
+s,@sbindir@,$sbindir,;t t
+s,@libexecdir@,$libexecdir,;t t
+s,@datadir@,$datadir,;t t
+s,@sysconfdir@,$sysconfdir,;t t
+s,@sharedstatedir@,$sharedstatedir,;t t
+s,@localstatedir@,$localstatedir,;t t
+s,@libdir@,$libdir,;t t
+s,@includedir@,$includedir,;t t
+s,@oldincludedir@,$oldincludedir,;t t
+s,@infodir@,$infodir,;t t
+s,@mandir@,$mandir,;t t
+s,@build_alias@,$build_alias,;t t
+s,@host_alias@,$host_alias,;t t
+s,@target_alias@,$target_alias,;t t
+s,@DEFS@,$DEFS,;t t
+s,@ECHO_C@,$ECHO_C,;t t
+s,@ECHO_N@,$ECHO_N,;t t
+s,@ECHO_T@,$ECHO_T,;t t
+s,@LIBS@,$LIBS,;t t
+s,@build@,$build,;t t
+s,@build_cpu@,$build_cpu,;t t
+s,@build_vendor@,$build_vendor,;t t
+s,@build_os@,$build_os,;t t
+s,@host@,$host,;t t
+s,@host_cpu@,$host_cpu,;t t
+s,@host_vendor@,$host_vendor,;t t
+s,@host_os@,$host_os,;t t
+s,@XMLSEC_VERSION@,$XMLSEC_VERSION,;t t
+s,@XMLSEC_PACKAGE@,$XMLSEC_PACKAGE,;t t
+s,@XMLSEC_VERSION_SAFE@,$XMLSEC_VERSION_SAFE,;t t
+s,@XMLSEC_VERSION_MAJOR@,$XMLSEC_VERSION_MAJOR,;t t
+s,@XMLSEC_VERSION_MINOR@,$XMLSEC_VERSION_MINOR,;t t
+s,@XMLSEC_VERSION_SUBMINOR@,$XMLSEC_VERSION_SUBMINOR,;t t
+s,@XMLSEC_VERSION_INFO@,$XMLSEC_VERSION_INFO,;t t
+s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
+s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
+s,@INSTALL_DATA@,$INSTALL_DATA,;t t
+s,@CYGPATH_W@,$CYGPATH_W,;t t
+s,@PACKAGE@,$PACKAGE,;t t
+s,@VERSION@,$VERSION,;t t
+s,@ACLOCAL@,$ACLOCAL,;t t
+s,@AUTOCONF@,$AUTOCONF,;t t
+s,@AUTOMAKE@,$AUTOMAKE,;t t
+s,@AUTOHEADER@,$AUTOHEADER,;t t
+s,@MAKEINFO@,$MAKEINFO,;t t
+s,@AMTAR@,$AMTAR,;t t
+s,@install_sh@,$install_sh,;t t
+s,@STRIP@,$STRIP,;t t
+s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
+s,@INSTALL_STRIP_PROGRAM@,$INSTALL_STRIP_PROGRAM,;t t
+s,@mkdir_p@,$mkdir_p,;t t
+s,@AWK@,$AWK,;t t
+s,@SET_MAKE@,$SET_MAKE,;t t
+s,@am__leading_dot@,$am__leading_dot,;t t
+s,@MAINTAINER_MODE_TRUE@,$MAINTAINER_MODE_TRUE,;t t
+s,@MAINTAINER_MODE_FALSE@,$MAINTAINER_MODE_FALSE,;t t
+s,@MAINT@,$MAINT,;t t
+s,@CC@,$CC,;t t
+s,@CFLAGS@,$CFLAGS,;t t
+s,@LDFLAGS@,$LDFLAGS,;t t
+s,@CPPFLAGS@,$CPPFLAGS,;t t
+s,@ac_ct_CC@,$ac_ct_CC,;t t
+s,@EXEEXT@,$EXEEXT,;t t
+s,@OBJEXT@,$OBJEXT,;t t
+s,@DEPDIR@,$DEPDIR,;t t
+s,@am__include@,$am__include,;t t
+s,@am__quote@,$am__quote,;t t
+s,@AMDEP_TRUE@,$AMDEP_TRUE,;t t
+s,@AMDEP_FALSE@,$AMDEP_FALSE,;t t
+s,@AMDEPBACKSLASH@,$AMDEPBACKSLASH,;t t
+s,@CCDEPMODE@,$CCDEPMODE,;t t
+s,@am__fastdepCC_TRUE@,$am__fastdepCC_TRUE,;t t
+s,@am__fastdepCC_FALSE@,$am__fastdepCC_FALSE,;t t
+s,@EGREP@,$EGREP,;t t
+s,@LN_S@,$LN_S,;t t
+s,@ECHO@,$ECHO,;t t
+s,@AR@,$AR,;t t
+s,@ac_ct_AR@,$ac_ct_AR,;t t
+s,@RANLIB@,$RANLIB,;t t
+s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
+s,@CPP@,$CPP,;t t
+s,@CXX@,$CXX,;t t
+s,@CXXFLAGS@,$CXXFLAGS,;t t
+s,@ac_ct_CXX@,$ac_ct_CXX,;t t
+s,@CXXDEPMODE@,$CXXDEPMODE,;t t
+s,@am__fastdepCXX_TRUE@,$am__fastdepCXX_TRUE,;t t
+s,@am__fastdepCXX_FALSE@,$am__fastdepCXX_FALSE,;t t
+s,@CXXCPP@,$CXXCPP,;t t
+s,@F77@,$F77,;t t
+s,@FFLAGS@,$FFLAGS,;t t
+s,@ac_ct_F77@,$ac_ct_F77,;t t
+s,@LIBTOOL@,$LIBTOOL,;t t
+s,@RM@,$RM,;t t
+s,@CP@,$CP,;t t
+s,@MV@,$MV,;t t
+s,@TAR@,$TAR,;t t
+s,@HELP2MAN@,$HELP2MAN,;t t
+s,@MAN2HTML@,$MAN2HTML,;t t
+s,@U@,$U,;t t
+s,@ANSI2KNR@,$ANSI2KNR,;t t
+s,@INSTALL_LTDL_TRUE@,$INSTALL_LTDL_TRUE,;t t
+s,@INSTALL_LTDL_FALSE@,$INSTALL_LTDL_FALSE,;t t
+s,@CONVENIENCE_LTDL_TRUE@,$CONVENIENCE_LTDL_TRUE,;t t
+s,@CONVENIENCE_LTDL_FALSE@,$CONVENIENCE_LTDL_FALSE,;t t
+s,@LIBADD_DL@,$LIBADD_DL,;t t
+s,@PKG_CONFIG_ENABLED@,$PKG_CONFIG_ENABLED,;t t
+s,@PKG_CONFIG@,$PKG_CONFIG,;t t
+s,@LIBXML_CFLAGS@,$LIBXML_CFLAGS,;t t
+s,@LIBXML_LIBS@,$LIBXML_LIBS,;t t
+s,@LIBXML262_CFLAGS@,$LIBXML262_CFLAGS,;t t
+s,@LIBXML262_LIBS@,$LIBXML262_LIBS,;t t
+s,@LIBXML_CONFIG@,$LIBXML_CONFIG,;t t
+s,@LIBXML_MIN_VERSION@,$LIBXML_MIN_VERSION,;t t
+s,@LIBXSLT_CFLAGS@,$LIBXSLT_CFLAGS,;t t
+s,@LIBXSLT_LIBS@,$LIBXSLT_LIBS,;t t
+s,@XMLSEC_NO_LIBXSLT@,$XMLSEC_NO_LIBXSLT,;t t
+s,@LIBXSLT_CONFIG@,$LIBXSLT_CONFIG,;t t
+s,@LIBXSLT_MIN_VERSION@,$LIBXSLT_MIN_VERSION,;t t
+s,@OPENSSL_CFLAGS@,$OPENSSL_CFLAGS,;t t
+s,@OPENSSL_LIBS@,$OPENSSL_LIBS,;t t
+s,@OPENSSL097_CFLAGS@,$OPENSSL097_CFLAGS,;t t
+s,@OPENSSL097_LIBS@,$OPENSSL097_LIBS,;t t
+s,@XMLSEC_NO_OPENSSL_TRUE@,$XMLSEC_NO_OPENSSL_TRUE,;t t
+s,@XMLSEC_NO_OPENSSL_FALSE@,$XMLSEC_NO_OPENSSL_FALSE,;t t
+s,@XMLSEC_NO_OPENSSL@,$XMLSEC_NO_OPENSSL,;t t
+s,@OPENSSL_CRYPTO_LIB@,$OPENSSL_CRYPTO_LIB,;t t
+s,@OPENSSL_MIN_VERSION@,$OPENSSL_MIN_VERSION,;t t
+s,@GNUTLS_CFLAGS@,$GNUTLS_CFLAGS,;t t
+s,@GNUTLS_LIBS@,$GNUTLS_LIBS,;t t
+s,@XMLSEC_NO_GNUTLS_TRUE@,$XMLSEC_NO_GNUTLS_TRUE,;t t
+s,@XMLSEC_NO_GNUTLS_FALSE@,$XMLSEC_NO_GNUTLS_FALSE,;t t
+s,@XMLSEC_NO_GNUTLS@,$XMLSEC_NO_GNUTLS,;t t
+s,@GNUTLS_CRYPTO_LIB@,$GNUTLS_CRYPTO_LIB,;t t
+s,@GNUTLS_MIN_VERSION@,$GNUTLS_MIN_VERSION,;t t
+s,@NSS_CFLAGS@,$NSS_CFLAGS,;t t
+s,@NSS_LIBS@,$NSS_LIBS,;t t
+s,@XMLSEC_NO_NSS_TRUE@,$XMLSEC_NO_NSS_TRUE,;t t
+s,@XMLSEC_NO_NSS_FALSE@,$XMLSEC_NO_NSS_FALSE,;t t
+s,@XMLSEC_NO_NSS@,$XMLSEC_NO_NSS,;t t
+s,@NSS_CRYPTO_LIB@,$NSS_CRYPTO_LIB,;t t
+s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
+s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
+s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
 s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
 s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
 s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
@@ -34368,6 +36362,8 @@
 s,@NSS_MIN_VERSION@,$NSS_MIN_VERSION,;t t
 s,@NSPR_MIN_VERSION@,$NSPR_MIN_VERSION,;t t
 s,@MOZILLA_MIN_VERSION@,$MOZILLA_MIN_VERSION,;t t
+s,@MSCRYPTO_CFLAGS@,$MSCRYPTO_CFLAGS,;t t
+s,@MSCRYPTO_LIBS@,$MSCRYPTO_LIBS,;t t
 s,@XMLSEC_NO_SHA1_TRUE@,$XMLSEC_NO_SHA1_TRUE,;t t
 s,@XMLSEC_NO_SHA1_FALSE@,$XMLSEC_NO_SHA1_FALSE,;t t
 s,@XMLSEC_NO_SHA1@,$XMLSEC_NO_SHA1,;t t
--- misc/xmlsec1-1.2.6/configure.in     2004-08-26 04:49:24.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/configure.in       2008-06-29 23:44:19.000000000 +0200
@@ -503,12 +503,26 @@
     
 XMLSEC_NO_NSS="1"
 MOZILLA_MIN_VERSION="1.4"
+if test "z$MOZ_FLAVOUR" = "zfirefox" ; then
+    MOZILLA_MIN_VERSION="1.0"
+fi
 NSS_MIN_VERSION="3.2"
 NSPR_MIN_VERSION="4.0"
 NSS_CFLAGS=""
 NSS_LIBS=""
-NSS_LIBS_LIST="-lnss3 -lsmime3"
-NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+ 
+case $host_os in
+cygwin* | mingw* | pw32*)
+  NSS_LIBS_LIST="-lnss3 -lsmime3"
+  NSPR_LIBS_LIST="-lnspr4"
+  ;;
+
+*)
+  NSS_LIBS_LIST="-lnss3 -lsoftokn3 -lsmime3"
+  NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
+  ;;
+esac
+
 NSS_CRYPTO_LIB="$PACKAGE-nss"
 NSS_FOUND="no"
 
@@ -521,9 +535,16 @@
     AC_MSG_RESULT(no)
     NSS_FOUND="without"
 elif test "z$with_nss" = "z" -a "z$with_nspr" = "z" -a "z$with_mozilla_ver" = "z" -a "z$PKG_CONFIG_ENABLED" = "zyes" ; then
-    PKG_CHECK_MODULES(NSS, mozilla-nspr >= $MOZILLA_MIN_VERSION mozilla-nss >= $MOZILLA_MIN_VERSION,
+    PKG_CHECK_MODULES(NSS, $MOZ_FLAVOUR-nspr >= $MOZILLA_MIN_VERSION $MOZ_FLAVOUR-nss >= $MOZILLA_MIN_VERSION,
        [NSS_FOUND=yes],
        [NSS_FOUND=no])
+    AC_MSG_RESULT($NSS_FOUND)
+    if test "z$NSS_FOUND" = "zno" ; then 
+        PKG_CHECK_MODULES(NSS, nspr >= $NSPR_MIN_VERSION nss >= $NSS_MIN_VERSION,
+           [NSS_FOUND=yes],
+           [NSS_FOUND=no])
+        AC_MSG_RESULT($NSS_FOUND)
+    fi
 fi
 
 if test "z$NSS_FOUND" = "zno" ; then 
@@ -534,8 +555,8 @@
         ac_mozilla_name=mozilla-$MOZILLA_MIN_VERSION
     fi
 
-    ac_nss_lib_dir="/usr/lib /usr/lib64 /usr/local/lib /usr/lib/$ac_mozilla_name /usr/local/lib/$ac_mozilla_name"
-    ac_nss_inc_dir="/usr/include /usr/include/mozilla /usr/local/include /usr/local/include/mozilla /usr/include/$ac_mozilla_name /usr/local/include/$ac_mozilla_name"
+    ac_nss_lib_dir="${SOLARVERSION}/${INPATH}/lib${UPDMINOREXT}"
+    ac_nss_inc_dir="${SOLARVERSION}/${INPATH}/inc${UPDMINOREXT}/mozilla"
 
     AC_MSG_CHECKING(for nspr libraries >= $NSPR_MIN_VERSION)
     NSPR_INCLUDES_FOUND="no"
@@ -570,7 +591,9 @@
        done
        
        for dir in $ac_nss_lib_dir ; do
-           if test -f $dir/libnspr4.so ; then
+            case $host_os in
+            cygwin* | mingw* | pw32*)
+             if test -f $dir/libnspr4.so -o -f $dir/libnspr4.dylib -o -f $dir/libnspr4.a ; then
                dnl do not add -L/usr/lib because compiler does it anyway
                if test "z$dir" = "z/usr/lib" ; then
                    NSPR_LIBS="$NSPR_LIBS_LIST"
@@ -583,7 +606,26 @@
                fi
                NSPR_LIBS_FOUND="yes"
                break
-           fi
+             fi
+              ;;
+
+            *)
+             if test -f $dir/libnspr4.so -o -f $dir/libnspr4.dylib ; then
+               dnl do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
+                   NSPR_LIBS="$NSPR_LIBS_LIST"
+               else
+                   if test "z$with_gnu_ld" = "zyes" ; then
+                       NSPR_LIBS="-Wl,-rpath-link -Wl,$dir -L$dir $NSPR_LIBS_LIST"
+                   else
+                       NSPR_LIBS="-L$dir $NSPR_LIBS_LIST"
+                   fi
+               fi
+               NSPR_LIBS_FOUND="yes"
+               break
+             fi
+              ;;
+            esac
        done
     fi
 
@@ -641,7 +683,9 @@
         done
        
         for dir in $ac_nss_lib_dir ; do
-           if test -f $dir/libnss3.so ; then
+            case $host_os in
+            cygwin* | mingw* | pw32*)
+             if test -f $dir/libnss3.so -o -f $dir/libnss3.dylib -o -f $dir/libnss3.a ; then
                dnl do not add -L/usr/lib because compiler does it anyway
                if test "z$dir" = "z/usr/lib" ; then
                    NSS_LIBS="$NSS_LIBS_LIST"
@@ -654,7 +698,26 @@
                fi
                NSS_LIBS_FOUND="yes"
                break
-           fi
+             fi
+              ;;
+
+            *)
+             if test -f $dir/libnss3.so -o -f $dir/libnss3.dylib ; then
+               dnl do not add -L/usr/lib because compiler does it anyway
+               if test "z$dir" = "z/usr/lib" ; then
+                   NSS_LIBS="$NSS_LIBS_LIST"
+                else
+                   if test "z$with_gnu_ld" = "zyes" ; then
+                       NSS_LIBS="-Wl,-rpath-link -Wl,$dir -L$dir $NSS_LIBS_LIST"
+                   else
+                       NSS_LIBS="-L$dir $NSS_LIBS_LIST"
+                   fi
+               fi
+               NSS_LIBS_FOUND="yes"
+               break
+             fi
+              ;;
+            esac
        done
     fi
 
--- misc/xmlsec1-1.2.6/include/xmlsec/mscrypto/Makefile.in      2008-06-29 23:44:40.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/mscrypto/Makefile.in        2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,58 @@
-dummy
+# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+HEADERS = $(xmlsecmscryptoinc_HEADERS)
+NULL = 
+xmlsecmscryptoinc_HEADERS = \
+akmngr.h \
+app.h \
+crypto.h \
+symbols.h \
+certkeys.h \
+keysstore.h \
+x509.h \
+$(NULL)
+
+all: all-am
+
+mostlyclean-libtool:
+       -rm -f *.lo
+
+clean-libtool:
+       -rm -rf .libs _libs
+
+all-am: Makefile $(HEADERS)
+
+mostlyclean-generic:
+
+clean-generic:
+
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+.PHONY: all all-am clean clean-generic \
+       clean-libtool \
+       mostlyclean mostlyclean-generic mostlyclean-libtool
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- misc/xmlsec1-1.2.6/include/xmlsec/mscrypto/akmngr.h 2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/mscrypto/akmngr.h   2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,71 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_MSCRYPTO_AKMNGR_H__
+#define __XMLSEC_MSCRYPTO_AKMNGR_H__    
+
+#include <windows.h>
+#include <wincrypt.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE keyStore ,
+    HCERTSTORE certStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY       symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY       pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY       priKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE keyStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE trustedStore
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE untrustedStore
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_MSCRYPTO_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.6/include/xmlsec/mscrypto/x509.h   2003-09-26 08:12:46.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/mscrypto/x509.h     2008-06-29 23:44:19.000000000 +0200
@@ -77,6 +77,21 @@
                                                                                 PCCERT_CONTEXT cert,
                                                                                 xmlSecKeyDataType type);
 
+XMLSEC_CRYPTO_EXPORT int               xmlSecMSCryptoX509StoreAdoptKeyStore (
+                                                                               xmlSecKeyDataStorePtr store,
+                                                                               HCERTSTORE keyStore
+                                                               ) ;
+
+XMLSEC_CRYPTO_EXPORT int               xmlSecMSCryptoX509StoreAdoptTrustedStore (
+                                                                               xmlSecKeyDataStorePtr store,
+                                                                               HCERTSTORE trustedStore
+                                                               ) ;
+
+XMLSEC_CRYPTO_EXPORT int               xmlSecMSCryptoX509StoreAdoptUntrustedStore (
+                                                                               xmlSecKeyDataStorePtr store,
+                                                                               HCERTSTORE untrustedStore
+                                                               ) ;
+
 
 #endif /* XMLSEC_NO_X509 */
 
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/Makefile.am   2003-07-30 04:46:35.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/Makefile.am     2008-06-29 23:44:19.000000000 +0200
@@ -3,6 +3,7 @@
 xmlsecnssincdir = $(includedir)/xmlsec1/xmlsec/nss
 
 xmlsecnssinc_HEADERS = \
+akmngr.h \
 app.h \
 crypto.h \
 symbols.h \
@@ -10,6 +11,8 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+tokens.h \
+ciphers.h \
 $(NULL)
 
 install-exec-hook:
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/Makefile.in   2004-08-26 08:00:31.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/Makefile.in     2008-06-29 23:44:19.000000000 +0200
@@ -273,6 +273,7 @@
 NULL = 
 xmlsecnssincdir = $(includedir)/xmlsec1/xmlsec/nss
 xmlsecnssinc_HEADERS = \
+akmngr.h \
 app.h \
 crypto.h \
 symbols.h \
@@ -280,6 +281,8 @@
 keysstore.h \
 pkikeys.h \
 x509.h \
+tokens.h \
+ciphers.h \
 $(NULL)
 
 all: all-am
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/akmngr.h      2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/akmngr.h        2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,56 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_AKMNGR_H__
+#define __XMLSEC_NSS_AKMNGR_H__    
+
+#include <nss.h>
+#include <nspr.h>
+#include <pk11func.h>
+#include <cert.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+    PK11SlotInfo** slots,
+       int cSlots,
+    CERTCertDBHandle* handler
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       PK11SymKey*                     symKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       SECKEYPublicKey*        pubKey
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       SECKEYPrivateKey*       priKey
+) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_AKMNGR_H__ */
+
+
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/app.h 2004-01-12 22:06:14.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/app.h   2008-06-29 23:44:19.000000000 +0200
@@ -22,6 +22,9 @@
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/transforms.h>
 
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+
 /**
  * Init/shutdown
  */
@@ -34,6 +37,8 @@
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssAppDefaultKeysMngrInit (xmlSecKeysMngrPtr mngr);
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssAppDefaultKeysMngrAdoptKey(xmlSecKeysMngrPtr mngr,
                                                                            xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int               xmlSecNssAppDefaultKeysMngrAdoptKeySlot(xmlSecKeysMngrPtr mngr,
+                                                                           xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssAppDefaultKeysMngrLoad (xmlSecKeysMngrPtr mngr,
                                                                         const char* uri);
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssAppDefaultKeysMngrSave (xmlSecKeysMngrPtr mngr,
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/ciphers.h     2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/ciphers.h       2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,35 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright ..........................
+ */
+#ifndef __XMLSEC_NSS_CIPHERS_H__
+#define __XMLSEC_NSS_CIPHERS_H__    
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+
+
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSymKeyDataAdoptKey( xmlSecKeyDataPtr data,
+                                                                       PK11SymKey* symkey ) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt( PK11SymKey* symKey ) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SymKey*   xmlSecNssSymKeyDataGetKey(xmlSecKeyDataPtr data);
+
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_CIPHERS_H__ */
+
+
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h      2004-01-12 22:06:14.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/crypto.h        2008-06-29 23:44:19.000000000 +0200
@@ -264,6 +264,15 @@
         xmlSecNssTransformRsaPkcs1GetKlass()
 XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformRsaPkcs1GetKlass(void);
 
+/**
+ * xmlSecNssTransformRsaOaepId:
+ * 
+ * The RSA OAEP key transport transform klass.
+ */
+#define xmlSecNssTransformRsaOaepId \
+        xmlSecNssTransformRsaOaepGetKlass()
+XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformRsaOaepGetKlass(void);
+
 #endif /* XMLSEC_NO_RSA */
 
 
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/keysstore.h   2003-07-30 04:46:35.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/keysstore.h     2008-06-29 23:44:19.000000000 +0200
@@ -16,6 +16,8 @@
 #endif /* __cplusplus */ 
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/keysmngr.h>
+#include <xmlsec/nss/tokens.h>
 
 /****************************************************************************
  *
@@ -31,6 +33,8 @@
 XMLSEC_CRYPTO_EXPORT xmlSecKeyStoreId  xmlSecNssKeysStoreGetKlass      (void);
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssKeysStoreAdoptKey      (xmlSecKeyStorePtr store,
                                                                         xmlSecKeyPtr key);
+XMLSEC_CRYPTO_EXPORT int               xmlSecNssKeysStoreAdoptKeySlot(xmlSecKeyStorePtr store,
+                                                                        xmlSecNssKeySlotPtr keySlot);
 XMLSEC_CRYPTO_EXPORT int               xmlSecNssKeysStoreLoad  (xmlSecKeyStorePtr store,
                                                                 const char *uri,
                                                                 xmlSecKeysMngrPtr keysMngr);
--- misc/xmlsec1-1.2.6/include/xmlsec/nss/tokens.h      2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/include/xmlsec/nss/tokens.h        2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,182 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright (c) 2003 Sun Microsystems, Inc.  All rights reserved.
+ * 
+ * Contributor(s): _____________________________
+ * 
+ */
+#ifndef __XMLSEC_NSS_TOKENS_H__
+#define __XMLSEC_NSS_TOKENS_H__
+
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/list.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */ 
+
+/**
+ * xmlSecNssKeySlotListId
+ *
+ * The crypto mechanism list klass
+ */
+#define xmlSecNssKeySlotListId xmlSecNssKeySlotListGetKlass()
+XMLSEC_CRYPTO_EXPORT xmlSecPtrListId xmlSecNssKeySlotListGetKlass( void ) ;
+
+/*******************************************
+ * KeySlot interfaces
+ *******************************************/ 
+/**
+ * Internal NSS key slot data
+ * @mechanismList:             the mechanisms that the slot bound with.
+ * @slot:                              the pkcs slot
+ *
+ * This context is located after xmlSecPtrList
+ */
+typedef struct _xmlSecNssKeySlot       xmlSecNssKeySlot ;
+typedef struct _xmlSecNssKeySlot*      xmlSecNssKeySlotPtr ;
+
+struct _xmlSecNssKeySlot {
+       CK_MECHANISM_TYPE_PTR   mechanismList ; /* mech. array, NULL ternimated */
+       PK11SlotInfo*                   slot ;
+} ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetMechList(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE_PTR mechanismList
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotEnableMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotDisableMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE mechanism
+) ;
+
+XMLSEC_CRYPTO_EXPORT CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+       PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+       PK11SlotInfo* slot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+       xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotCopy(
+       xmlSecNssKeySlotPtr newKeySlot ,
+       xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+       xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT void
+xmlSecNssKeySlotDestroy(
+           xmlSecNssKeySlotPtr keySlot
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotBindMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE type
+) ;
+
+XMLSEC_CRYPTO_EXPORT int
+xmlSecNssKeySlotSupportMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE type
+) ;
+
+
+/************************************************************************
+ * PKCS#11 crypto token interfaces
+ *
+ * A PKCS#11 slot repository will be defined internally. From the
+ * repository, a user can specify a particular slot for a certain crypto
+ * mechanism.
+ *
+ * In some situation, some cryptographic operation should act in a user
+ * designated devices. The interfaces defined here provide the way. If 
+ * the user do not initialize the repository distinctly, the interfaces
+ * use the default functions provided by NSS itself.
+ *
+ ************************************************************************/
+/**
+ * Initialize NSS pkcs#11 slot repository
+ *
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotInitialize( void ) ;
+
+/**
+ * Shutdown and destroy NSS pkcs#11 slot repository
+ */
+XMLSEC_CRYPTO_EXPORT void xmlSecNssSlotShutdown() ;
+
+/**
+ * Get PKCS#11 slot handler
+ * @type       the mechanism that the slot must support.
+ *
+ * Returns a pointer to PKCS#11 slot or NULL if an error occurs.
+ *
+ * Notes: The returned handler must be destroied distinctly.
+ */
+XMLSEC_CRYPTO_EXPORT PK11SlotInfo* xmlSecNssSlotGet( CK_MECHANISM_TYPE type ) ;
+
+/**
+ * Adopt a pkcs#11 slot with a mechanism into the repository
+ * @slot:      the pkcs#11 slot.
+ * @mech:      the mechanism.
+ *
+ * If @mech is available( @mech != CKM_INVALID_MECHANISM ), every operation with
+ * this mechanism only can perform on the @slot.
+ * 
+ * Returns 0 if success or -1 if an error occurs.
+ */
+XMLSEC_CRYPTO_EXPORT int xmlSecNssSlotAdopt( PK11SlotInfo* slot, CK_MECHANISM_TYPE mech ) ;
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* __XMLSEC_NSS_TOKENS_H__ */
+
--- misc/xmlsec1-1.2.6/ltmain.sh        2004-08-26 08:00:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/ltmain.sh  2008-06-29 23:44:19.000000000 +0200
@@ -1661,6 +1661,11 @@
        fi
        ;;
 
+      *.lib)
+       deplibs="$deplibs $arg"
+       continue
+       ;;
+
       *.$libext)
        # An archive.
        deplibs="$deplibs $arg"
@@ -1974,6 +1979,10 @@
          continue
          ;;
        *.la) lib="$deplib" ;;
+       *.lib)
+         deplibs="$deplib $deplibs"
+         continue
+         ;;
        *.$libext)
          if test "$pass" = conv; then
            deplibs="$deplib $deplibs"
@@ -2994,13 +3003,13 @@
          ;;
 
        freebsd-aout)
-         major=".$current"
-         versuffix=".$current.$revision";
+         major=.`expr $current - $age`
+         versuffix="$major.$age.$revision"
          ;;
 
        freebsd-elf)
-         major=".$current"
-         versuffix=".$current";
+         major=.`expr $current - $age`
+         versuffix="$major.$age.$revision"
          ;;
 
        irix | nonstopux)
@@ -3564,7 +3573,8 @@
                fi
              else
                eval flag=\"$hardcode_libdir_flag_spec\"
-               dep_rpath="$dep_rpath $flag"
+#      what the ...            
+#              dep_rpath="$dep_rpath $flag"
              fi
            elif test -n "$runpath_var"; then
              case "$perm_rpath " in
--- misc/xmlsec1-1.2.6/src/bn.c 2004-06-21 20:33:27.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/bn.c   2008-06-29 23:44:19.000000000 +0200
@@ -170,8 +170,10 @@
  */
 int 
 xmlSecBnFromString(xmlSecBnPtr bn, const xmlChar* str, xmlSecSize base) {
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
     xmlSecByte ch;
+    xmlSecByte* data;
+    int positive;
     int nn;
     int ret;
 
@@ -183,7 +185,7 @@
     /* trivial case */
     len = xmlStrlen(str);
     if(len == 0) {
-       return(0);
+        return(0);
     }
     
     /* The result size could not exceed the input string length
@@ -191,54 +193,131 @@
      * In truth, it would be likely less than 1/2 input string length
      * because each byte is represented by 2 chars. If needed, 
      * buffer size would be increased by Mul/Add functions.
+     * Finally, we can add one byte for 00 or 10 prefix.
      */
-    ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1);
+    ret = xmlSecBufferSetMaxSize(bn, xmlSecBufferGetSize(bn) + len / 2 + 1 + 1);
     if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecBnRevLookupTable",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", len / 2 + 1);
-       return (-1);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnRevLookupTable",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       "size=%d", len / 2 + 1);
+        return (-1);
+    }
+
+    /* figure out if it is positive or negative number */
+    positive = 1;
+    i = 0;
+    while(i < len) {
+        ch = str[i++];
+
+        /* skip spaces */
+        if(isspace(ch)) {
+               continue;
+        } 
+        
+        /* check if it is + or - */
+        if(ch == '+') {
+            positive = 1;
+            break;
+        } else if(ch == '-') {
+            positive = 0;
+            break;
+        }
+
+        /* otherwise, it must be start of the number */
+        nn = xmlSecBnLookupTable[ch];
+        if((nn >= 0) && ((xmlSecSize)nn < base)) {
+            xmlSecAssert2(i > 0, -1);
+
+            /* no sign, positive by default */
+            positive = 1;
+            --i; /* make sure that we will look at this character in next loop */
+            break;
+        } else {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       NULL,
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       "char=%c;base=%d", 
+                       ch, base);
+               return (-1);
+        }
+    }
+
+    /* now parse the number itself */
+    while(i < len) {
+        ch = str[i++];
+        if(isspace(ch)) {
+               continue;
+        }
+
+        xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
+        nn = xmlSecBnLookupTable[ch];
+        if((nn < 0) || ((xmlSecSize)nn > base)) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       NULL,
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       "char=%c;base=%d", 
+                       ch, base);
+               return (-1);
+        }
+
+        ret = xmlSecBnMul(bn, base);
+        if(ret < 0) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnMul",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       "base=%d", base);
+               return (-1);
+        }
+
+        ret = xmlSecBnAdd(bn, nn);
+        if(ret < 0) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnAdd",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       "base=%d", base);
+               return (-1);
+}      
     }
 
-    for(i = 0; i < len; i++) {
-       ch = str[i];
-       if(isspace(ch)) {
-           continue;
-       }
-
-       xmlSecAssert2(ch <= sizeof(xmlSecBnLookupTable), -1);
-       nn = xmlSecBnLookupTable[ch];
-       if((nn < 0) || ((xmlSecSize)nn > base)) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       NULL,
-                       XMLSEC_ERRORS_R_INVALID_DATA,
-                       "char=%c;base=%d", 
-                       ch, base);
-           return (-1);
-       }
-       
-       ret = xmlSecBnMul(bn, base);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecBnMul",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "base=%d", base);
-           return (-1);
-       }
-
-       ret = xmlSecBnAdd(bn, nn);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecBnAdd",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "base=%d", base);
-           return (-1);
-       }       
+    /* check if we need to add 00 prefix */
+    data = xmlSecBufferGetData(bn);
+    size = xmlSecBufferGetSize(bn);
+    if((size > 0 && data[0] > 127)||(size==0)) {
+        ch = 0;
+        ret = xmlSecBufferPrepend(bn, &ch, 1);
+        if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                NULL,
+                "xmlSecBufferPrepend",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "base=%d", base);
+            return (-1);
+        }
+    }
+
+    /* do 2's compliment and add 1 to represent negative value */
+    if(positive == 0) {
+        data = xmlSecBufferGetData(bn);
+        size = xmlSecBufferGetSize(bn);
+        for(i = 0; i < size; ++i) {
+            data[i] ^= 0xFF;
+        }
+        
+        ret = xmlSecBnAdd(bn, 1);
+        if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                NULL,
+                "xmlSecBnAdd",
+                XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                "base=%d", base);
+            return (-1);
+        }
     }
 
     return(0);
@@ -256,8 +335,12 @@
  */
 xmlChar* 
 xmlSecBnToString(xmlSecBnPtr bn, xmlSecSize base) {
+    xmlSecBn bn2;
+    int positive = 1;
     xmlChar* res;
-    xmlSecSize i, len;
+    xmlSecSize i, len, size;
+    xmlSecByte* data;
+    int ret;
     int nn;
     xmlChar ch;
 
@@ -265,35 +348,86 @@
     xmlSecAssert2(base > 1, NULL);
     xmlSecAssert2(base <= sizeof(xmlSecBnRevLookupTable), NULL);
 
+
+    /* copy bn */
+    data = xmlSecBufferGetData(bn);
+    size = xmlSecBufferGetSize(bn);
+    ret = xmlSecBnInitialize(&bn2, size);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        return (NULL);
+    }
+    
+    ret = xmlSecBnSetData(&bn2, data, size);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            NULL,
+            "xmlSecBnSetData",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "size=%d", size);
+        xmlSecBnFinalize(&bn2);
+        return (NULL);
+    }
+
+    /* check if it is a negative number or not */
+    data = xmlSecBufferGetData(&bn2);
+    size = xmlSecBufferGetSize(&bn2);
+    if((size > 0) && (data[0] > 127)) {
+        /* subtract 1 and do 2's compliment */
+        ret = xmlSecBnAdd(&bn2, -1);
+        if(ret < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnAdd",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "size=%d", size);
+            xmlSecBnFinalize(&bn2);
+            return (NULL);
+        }
+        for(i = 0; i < size; ++i) {
+            data[i] ^= 0xFF;
+        }
+
+        positive = 0;
+    } else {
+        positive = 1;
+    }
+
     /* Result string len is
      *     len = log base (256) * <bn size>
      * Since the smallest base == 2 then we can get away with 
      *     len = 8 * <bn size>
      */
-    len = 8 * xmlSecBufferGetSize(bn) + 1;
+    len = 8 * size + 1 + 1;
     res = (xmlChar*)xmlMalloc(len + 1);
     if(res == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   NULL,
-                   XMLSEC_ERRORS_R_MALLOC_FAILED,
-                   "len=%d", len);
-       return (NULL);
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           NULL,
+                           XMLSEC_ERRORS_R_MALLOC_FAILED,
+                           "len=%d", len);
+        xmlSecBnFinalize(&bn2);
+        return (NULL);
     }
     memset(res, 0, len + 1);
 
-    for(i = 0; (xmlSecBufferGetSize(bn) > 0) && (i < len); i++) {
-       if(xmlSecBnDiv(bn, base, &nn) < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecBnDiv",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "base=%d", base);
-           xmlFree(res);
-           return (NULL);
-       }
-       xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
-       res[i] = xmlSecBnRevLookupTable[nn];
+    for(i = 0; (xmlSecBufferGetSize(&bn2) > 0) && (i < len); i++) {
+        if(xmlSecBnDiv(&bn2, base, &nn) < 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "xmlSecBnDiv",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "base=%d", base);
+            xmlFree(res);
+            xmlSecBnFinalize(&bn2);
+            return (NULL);
+        }
+        xmlSecAssert2((size_t)nn < sizeof(xmlSecBnRevLookupTable), NULL);
+        res[i] = xmlSecBnRevLookupTable[nn];
     }
     xmlSecAssert2(i < len, NULL);
 
@@ -301,13 +435,20 @@
     for(len = i; (len > 1) && (res[len - 1] == '0'); len--);
     res[len] = '\0';
 
+    /* add "-" for negative numbers */
+    if(positive == 0) {
+        res[len] = '-';
+        res[++len] = '\0';
+    }
+
     /* swap the string because we wrote it in reverse order */
     for(i = 0; i < len / 2; i++) {
-       ch = res[i];
-       res[i] = res[len - i - 1];
-       res[len - i - 1] = ch;
+        ch = res[i];
+        res[i] = res[len - i - 1];
+        res[len - i - 1] = ch;
     }
 
+    xmlSecBnFinalize(&bn2);
     return(res);
 }
 
@@ -392,7 +533,9 @@
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = 0, i = xmlSecBufferGetSize(bn); i > 0;) {
+    i = xmlSecBufferGetSize(bn);
+    over = 0; 
+    while(i > 0) {
        xmlSecAssert2(data != NULL, -1);
 
        over    = over + multiplier * data[--i];
@@ -487,43 +630,57 @@
  */
 int 
 xmlSecBnAdd(xmlSecBnPtr bn, int delta) {
-    int over;
+    int over, tmp;
     xmlSecByte* data;
     xmlSecSize i;
     xmlSecByte ch;
     int ret;
 
     xmlSecAssert2(bn != NULL, -1);
-    xmlSecAssert2(delta >= 0, -1);
 
     if(delta == 0) {
-       return(0);
+       return(0);
     }
 
     data = xmlSecBufferGetData(bn);
-    for(over = delta, i = xmlSecBufferGetSize(bn); i > 0;) {
-       xmlSecAssert2(data != NULL, -1);
+    if(delta > 0) {
+        for(over = delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0) ;) {
+               xmlSecAssert2(data != NULL, -1);
        
-       over   += data[--i];
-       data[i] = over % 256;
-       over    = over / 256;
-    }
+            tmp     = data[--i];
+               over   += tmp;
+               data[i] = over % 256;
+               over    = over / 256;
+        }
     
-    while(over > 0) {
-       ch      = over % 256;
-       over    = over / 256;
+        while(over > 0) {
+               ch      = over % 256;
+               over    = over / 256;
        
-       ret = xmlSecBufferPrepend(bn, &ch, 1);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecBufferPrepend",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "size=1");
-           return (-1);
-       }
+               ret = xmlSecBufferPrepend(bn, &ch, 1);
+               if(ret < 0) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecBufferPrepend",
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                               "size=1");
+                   return (-1);
+               }
+        }
+    } else {
+        for(over = -delta, i = xmlSecBufferGetSize(bn); (i > 0) && (over > 0);) {
+               xmlSecAssert2(data != NULL, -1);
+       
+            tmp     = data[--i];
+            if(tmp < over) {
+                data[i]        = 0;
+                over = (over - tmp) / 256;
+            } else {
+                data[i] = tmp - over;
+                over = 0;
+            }
+        }
     }
-    
     return(0);
 }
 
@@ -787,7 +944,7 @@
     }
 
     if(addLineBreaks) {
-       xmlNodeAddContent(cur, BAD_CAST "\n");
+       xmlNodeAddContent(cur, xmlSecStringCR);
     }
 
     switch(format) {
@@ -833,7 +990,7 @@
     }
 
     if(addLineBreaks) {
-       xmlNodeAddContent(cur, BAD_CAST "\n");
+       xmlNodeAddContent(cur, xmlSecStringCR);
     }
 
     return(0);
--- misc/xmlsec1-1.2.6/src/dl.c 2003-10-29 16:57:20.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/src/dl.c   2008-06-29 23:44:19.000000000 +0200
@@ -329,6 +329,10 @@
 xmlSecCryptoDLInit(void) {
     int ret;
     
+    /* use xmlMalloc/xmlFree */
+    xmlsec_lt_dlmalloc = xmlSecCryptoDLMalloc;
+    xmlsec_lt_dlfree   = xmlSecCryptoDLFree;
+
     ret = xmlSecPtrListInitialize(&gXmlSecCryptoDLLibraries, xmlSecCryptoDLLibrariesListGetKlass());
     if(ret < 0) {
        xmlSecError(XMLSEC_ERRORS_HERE,
@@ -350,9 +354,6 @@
     }
     /* TODO: LTDL_SET_PRELOADED_SYMBOLS(); */
     
-    /* use xmlMalloc/xmlFree */
-    xmlsec_lt_dlmalloc = xmlSecCryptoDLMalloc;
-    xmlsec_lt_dlfree   = xmlSecCryptoDLFree;
     return(0);
 }
 
--- misc/xmlsec1-1.2.6/src/mscrypto/Makefile.in 2008-06-29 23:44:40.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/Makefile.in   2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,178 @@
-dummy
+# Makefile.in generated by automake 1.8.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004  Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+top_builddir = ../..
+LTLIBRARIES = $(lib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libxmlsec1_mscrypto_la_DEPENDENCIES = ../libxmlsec1.la \
+       $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+       $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+am__objects_1 =
+am_libxmlsec1_mscrypto_la_OBJECTS = akmngr.lo app.lo certkeys.lo ciphers.lo crypto.lo \
+       digests.lo keysstore.lo kt_rsa.lo signatures.lo symkeys.lo \
+       x509.lo x509vfy.lo $(am__objects_1)
+libxmlsec1_mscrypto_la_OBJECTS = $(am_libxmlsec1_mscrypto_la_OBJECTS)
+DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+@AMDEP_TRUE@DEP_FILES = ./$(DEPDIR)/app.Plo ./$(DEPDIR)/certkeys.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/ciphers.Plo ./$(DEPDIR)/crypto.Plo \
+@AMDEP_TRUE@    ./$(DEPDIR)/digests.Plo ./$(DEPDIR)/keysstore.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/kt_rsa.Plo ./$(DEPDIR)/signatures.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/symkeys.Plo ./$(DEPDIR)/x509.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/x509vfy.Plo ./$(DEPDIR)/akmngr.Plo
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+       $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
+       $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+       $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+       $(AM_LDFLAGS) $(LDFLAGS) -o $@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+LDFLAGS = @LDFLAGS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIBXML_CFLAGS = @LIBXML_CFLAGS@
+LIBXML_LIBS = @LIBXML_LIBS@
+MSCRYPTO_CFLAGS = @MSCRYPTO_CFLAGS@
+MSCRYPTO_LIBS = @MSCRYPTO_LIBS@
+OBJEXT = @OBJEXT@
+SHELL = @SHELL@
+XMLSEC_DEFINES = @XMLSEC_DEFINES@
+exec_prefix = @exec_prefix@
+libdir = @libdir@
+prefix = @prefix@
+NULL = 
+
+INCLUDES = \
+       -DPACKAGE=\"@PACKAGE@\" \
+       -I$(top_srcdir) \
+       -I$(top_srcdir)/include \
+       $(XMLSEC_DEFINES) \
+       $(MSCRYPTO_CFLAGS) \
+       $(LIBXSLT_CFLAGS) \
+       $(LIBXML_CFLAGS) \
+       $(NULL)
+
+lib_LTLIBRARIES = \
+       libxmlsec1-mscrypto.la \
+       $(NULL)
+
+libxmlsec1_mscrypto_la_LIBADD = \
+       ../libxmlsec1.la \
+       $(MSCRYPTO_LIBS) \
+       $(LIBXSLT_LIBS) \
+       $(LIBXML_LIBS) \
+       $(NULL)
+
+libxmlsec1_mscrypto_la_LDFLAGS = \
+       -version-info @XMLSEC_VERSION_INFO@ \
+       $(NULL)
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+
+clean-libLTLIBRARIES:
+       -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
+       @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
+         dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+         test "$$dir" = "$$p" && dir=.; \
+         echo "rm -f \"$${dir}/so_locations\""; \
+         rm -f "$${dir}/so_locations"; \
+       done
+libxmlsec1-mscrypto.la: $(libxmlsec1_mscrypto_la_OBJECTS) $(libxmlsec1_mscrypto_la_DEPENDENCIES) 
+       $(LINK) -rpath $(libdir) $(libxmlsec1_mscrypto_la_LDFLAGS) $(libxmlsec1_mscrypto_la_OBJECTS) $(libxmlsec1_mscrypto_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+       -rm -f *.$(OBJEXT)
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/akmngr.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/app.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certkeys.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ciphers.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/digests.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keysstore.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kt_rsa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signatures.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/symkeys.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509vfy.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@   if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      depfile='$(DEPDIR)/$*.Po' tmpdepfile='$(DEPDIR)/$*.TPo' @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@   if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      depfile='$(DEPDIR)/$*.Po' tmpdepfile='$(DEPDIR)/$*.TPo' @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@   if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@   then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      depfile='$(DEPDIR)/$*.Plo' tmpdepfile='$(DEPDIR)/$*.TPlo' @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+       -rm -f *.lo
+
+clean-libtool:
+       -rm -rf .libs _libs
+
+all-am: Makefile $(LTLIBRARIES)
+
+mostlyclean-generic:
+
+clean-generic:
+
+clean: clean-am
+
+clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
+       mostlyclean-am
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+       mostlyclean-libtool
+
+.PHONY: all all-am clean clean-generic \
+       clean-libLTLIBRARIES clean-libtool \
+       maintainer-clean-generic mostlyclean mostlyclean-compile \
+       mostlyclean-generic mostlyclean-libtool
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
--- misc/xmlsec1-1.2.6/src/mscrypto/akmngr.c    2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/akmngr.c      2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,235 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/mscrypto/crypto.h>
+#include <xmlsec/mscrypto/keysstore.h>
+#include <xmlsec/mscrypto/akmngr.h>
+#include <xmlsec/mscrypto/x509.h>
+
+/**
+ * xmlSecMSCryptoAppliedKeysMngrCreate:
+ * @hKeyStore:         the pointer to key store.
+ * @hCertStore:                the pointer to certificate database.
+ *
+ * Create and load key store and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecMSCryptoAppliedKeysMngrCreate(
+    HCERTSTORE hKeyStore ,
+    HCERTSTORE hCertStore
+) {
+       xmlSecKeyDataStorePtr   certStore = NULL ;
+       xmlSecKeysMngrPtr               keyMngr = NULL ;
+       xmlSecKeyStorePtr               keyStore = NULL ;
+
+       keyStore = xmlSecKeyStoreCreate( xmlSecMSCryptoKeysStoreId ) ;
+       if( keyStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeyStoreCreate" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return NULL ;
+       }
+
+       /*-
+        * At present, MS Crypto engine do not provide a way to setup a key store.
+        */
+       if( keyStore != NULL ) {
+               /*TODO: binding key store.*/
+       }
+
+       keyMngr = xmlSecKeysMngrCreate() ;
+       if( keyMngr == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrCreate" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyStoreDestroy( keyStore ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Add key store to manager, from now on keys manager destroys the store if
+        * needed
+        */
+       if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                       "xmlSecKeysMngrAdoptKeyStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyStoreDestroy( keyStore ) ;
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Initialize crypto library specific data in keys manager
+        */
+       if( xmlSecMSCryptoKeysMngrInit( keyMngr ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecMSCryptoKeysMngrInit" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Set certificate databse to X509 key data store
+        */
+       /*-
+        * At present, MS Crypto engine do not provide a way to setup a cert store.
+        */
+
+       /*-
+        * Set the getKey callback
+        */
+       keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+       return keyMngr ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrSymKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY                       symKey
+) {
+       /*TODO: import the key into keys manager.*/
+       return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPubKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY       pubKey
+) {
+       /*TODO: import the key into keys manager.*/
+       return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrPriKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       HCRYPTKEY       priKey
+) {
+       /*TODO: import the key into keys manager.*/
+       return(0) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptKeyStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE keyStore
+) {
+       xmlSecKeyDataStorePtr x509Store ;
+
+       xmlSecAssert2( mngr != NULL, -1 ) ;
+       xmlSecAssert2( keyStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+       if( x509Store == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetDataStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       if( xmlSecMSCryptoX509StoreAdoptKeyStore( x509Store, keyStore ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+                       "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptTrustedStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE trustedStore
+) {
+       xmlSecKeyDataStorePtr x509Store ;
+
+       xmlSecAssert2( mngr != NULL, -1 ) ;
+       xmlSecAssert2( trustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+       if( x509Store == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetDataStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       if( xmlSecMSCryptoX509StoreAdoptTrustedStore( x509Store, trustedStore ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+                       "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       return( 0 ) ;
+}
+
+int
+xmlSecMSCryptoAppliedKeysMngrAdoptUntrustedStore (
+       xmlSecKeysMngrPtr       mngr ,
+       HCERTSTORE untrustedStore
+) {
+       xmlSecKeyDataStorePtr x509Store ;
+
+       xmlSecAssert2( mngr != NULL, -1 ) ;
+       xmlSecAssert2( untrustedStore != NULL, -1 ) ;
+
+    x509Store = xmlSecKeysMngrGetDataStore( mngr, xmlSecMSCryptoX509StoreId ) ;
+       if( x509Store == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetDataStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       if( xmlSecMSCryptoX509StoreAdoptUntrustedStore( x509Store, untrustedStore ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyDataStoreGetName( x509Store ) ) ,
+                       "xmlSecMSCryptoX509StoreAdoptKeyStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 ) ;
+       }
+
+       return( 0 ) ;
+}
+
--- misc/xmlsec1-1.2.6/src/mscrypto/certkeys.c  2004-03-17 06:06:43.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/certkeys.c    2008-06-29 23:44:19.000000000 +0200
@@ -41,6 +41,7 @@
  * a public key from xml document is provided, we need HCRYPTKEY.... The focus
  * now is however directed to certificates.  Wouter
  */
+/** replaced by a wrapper style for WINNT 4.0
 struct _xmlSecMSCryptoKeyDataCtx {
     HCRYPTPROV         hProv;
     BOOL               fCallerFreeProv;
@@ -51,6 +52,124 @@
     HCRYPTKEY          hKey;
     xmlSecKeyDataType  type;
 };         
+*/
+/*-
+ * A wrapper of HCRYPTKEY, a reference countor is introduced, the function is
+ * the same as CryptDuplicateKey. Because the CryptDuplicateKey is not support
+ * by WINNT 4.0, the wrapper will enable the library work on WINNT 4.0
+ */
+struct _mscrypt_key {
+       HCRYPTKEY hKey ;
+       int     refcnt ;
+} ;
+
+/*-
+ * A wrapper of HCRYPTPROV, a reference countor is introduced, the function is
+ * the same as CryptContextAddRef. Because the CryptContextAddRef is not support
+ * by WINNT 4.0, the wrapper will enable the library work on WINNT 4.0
+ */
+struct _mscrypt_prov {
+       HCRYPTPROV hProv ;
+    BOOL freeprov ;
+       int     refcnt ;
+} ;
+
+struct _xmlSecMSCryptoKeyDataCtx {
+       struct _mscrypt_prov*   p_prov ;
+    LPCTSTR            providerName;
+    DWORD              providerType;
+    PCCERT_CONTEXT     pCert;
+    DWORD              dwKeySpec;
+       struct _mscrypt_key* p_key ;
+    xmlSecKeyDataType  type;
+};         
+
+struct _mscrypt_key* mscrypt_create_key( HCRYPTKEY key ) {
+       struct _mscrypt_key* pkey ;
+
+       pkey = ( struct _mscrypt_key* )xmlMalloc( sizeof( struct _mscrypt_key ) ) ;
+       if( pkey == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       "mscrypt_create_key" ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_MALLOC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE
+               ) ;
+       }
+
+       pkey->hKey = key ;
+       pkey->refcnt = 1 ;
+
+       return pkey ;
+}
+
+struct _mscrypt_key* mscrypt_acquire_key( struct _mscrypt_key* key ) {
+       if( key )
+               key->refcnt ++ ;
+
+       return key ;
+}
+
+int mscrypt_release_key( struct _mscrypt_key* key ) {
+       if( key ) {
+               key->refcnt -- ;
+               if( !key->refcnt ) {
+                       if( key->hKey ) {
+                               CryptDestroyKey( key->hKey ) ;
+                               key->hKey = 0 ;
+                       }
+                       xmlFree( key ) ;
+               } else {
+                       return key->refcnt ;
+               }
+       }
+
+       return 0 ;
+}
+
+struct _mscrypt_prov* mscrypt_create_prov( HCRYPTPROV prov, BOOL callerFree ) {
+       struct _mscrypt_prov* pprov ;
+
+       pprov = ( struct _mscrypt_prov* )xmlMalloc( sizeof( struct _mscrypt_prov ) ) ;
+       if( pprov == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       "mscrypt_create_prov" ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_MALLOC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE
+               ) ;
+       }
+
+       pprov->hProv = prov ;
+       pprov->freeprov = callerFree ;
+       pprov->refcnt = 1 ;
+
+       return pprov ;
+}
+
+struct _mscrypt_prov* mscrypt_acquire_prov( struct _mscrypt_prov* prov ) {
+       if( prov )
+               prov->refcnt ++ ;
+
+       return prov ;
+}
+
+int mscrypt_release_prov( struct _mscrypt_prov* prov ) {
+       if( prov ) {
+               prov->refcnt -- ;
+               if( !prov->refcnt ) {
+                       if( prov->hProv && prov->freeprov ) {
+                               CryptReleaseContext( prov->hProv, 0 ) ;
+                               prov->hProv = 0 ;
+                       }
+                       xmlFree( prov ) ;
+               } else {
+                       return prov->refcnt ;
+               }
+       }
+
+       return 0 ;
+}
 
 /******************************************************************************
  *
@@ -88,24 +207,20 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
 
-    if (ctx->hKey != 0) {
-       CryptDestroyKey(ctx->hKey);
-       ctx->hKey = 0;
-    }
+       if( ctx->p_key != 0 ) {
+               mscrypt_release_key( ctx->p_key ) ;
+       }
+       ctx->p_key = mscrypt_create_key( 0 ) ;
 
     if(ctx->pCert != NULL) {
        CertFreeCertificateContext(ctx->pCert);
        ctx->pCert = NULL;
     }
 
-    if ((ctx->hProv != 0) && (ctx->fCallerFreeProv)) {
-       CryptReleaseContext(ctx->hProv, 0);
-       ctx->hProv = 0;
-       ctx->fCallerFreeProv = FALSE;
-    } else {
-       ctx->hProv = 0;
-       ctx->fCallerFreeProv = FALSE;
-    }
+       if( ( ctx->p_prov ) ) {
+               mscrypt_release_prov( ctx->p_prov ) ;
+       }
+       ctx->p_prov = mscrypt_create_prov( 0, FALSE ) ;
 
     ctx->type = type;
 
@@ -116,9 +231,9 @@
         if (!CryptAcquireCertificatePrivateKey(pCert, 
                                               CRYPT_ACQUIRE_USE_PROV_INFO_FLAG, 
                                               NULL, 
-                                              &(ctx->hProv), 
+                                              &(ctx->p_prov->hProv), 
                                               &(ctx->dwKeySpec), 
-                                              &(ctx->fCallerFreeProv))) {
+                                              &(ctx->p_prov->freeprov))) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                        NULL,
                        "CryptAcquireCertificatePrivateKey",
@@ -127,46 +242,39 @@
            return(-1);
        }
     } else if((type & xmlSecKeyDataTypePublic) != 0){
-       if (!CryptAcquireContext(&(ctx->hProv), 
+               if (!CryptAcquireContext(&(ctx->p_prov->hProv), 
                                 NULL, 
-                                ctx->providerName, 
+                                NULL,  /*AF: replaces "ctx->providerName" with "NULL" */
                                 ctx->providerType, 
                                 CRYPT_VERIFYCONTEXT)) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "CryptAcquireContext",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
-       ctx->dwKeySpec = 0;
-       ctx->fCallerFreeProv = TRUE;
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "CryptAcquireContext",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+                   return(-1);
+               }
+               ctx->dwKeySpec = 0;
+               ctx->p_prov->freeprov = TRUE;
+
+               if( !CryptImportPublicKeyInfo( ctx->p_prov->hProv, 
+                               X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
+                               &(pCert->pCertInfo->SubjectPublicKeyInfo), 
+                               &(ctx->p_key->hKey) ) ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "CryptImportPublicKeyInfo",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+                   return(-1);
+               }
     } else {
-       xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    NULL,
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
                    "Unsupported keytype");
-       return(-1);
-    }
-
-    /* CryptImportPublicKeyInfo is only needed when a real key handle
-     * is needed. The key handle is needed for de/encrypting and for
-     * verifying of a signature, *not* for signing. We could call
-     * CryptImportPublicKeyInfo in xmlSecMSCryptoKeyDataGetKey instead
-     * so no unnessecary calls to CryptImportPublicKeyInfo are being
-     * made. WK
-     */
-    if(!CryptImportPublicKeyInfo(ctx->hProv, 
-       X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
-       &(pCert->pCertInfo->SubjectPublicKeyInfo), 
-       &(ctx->hKey))) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "CryptImportPublicKeyInfo",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
+               return(-1);
     }
     ctx->pCert = pCert;
 
@@ -190,29 +298,26 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
 
-    if(ctx->hKey != 0) {
-       CryptDestroyKey(ctx->hKey);
-       ctx->hKey = 0;
-    }
+       if( ctx->p_key != 0 ) {
+               mscrypt_release_key( ctx->p_key ) ;
+               ctx->p_key = NULL ;
+       }
 
     if(ctx->pCert != NULL) {
        CertFreeCertificateContext(ctx->pCert);
        ctx->pCert = NULL;
     }
     
-    if((ctx->hProv != 0) && ctx->fCallerFreeProv) {
-       CryptReleaseContext(ctx->hProv, 0);
-       ctx->hProv = 0;
-       ctx->fCallerFreeProv = FALSE;
-    } else {
-       ctx->hProv = 0;
-       ctx->fCallerFreeProv = FALSE;
-    }
+       if( ( ctx->p_prov ) ) {
+               mscrypt_release_prov( ctx->p_prov ) ;
+               ctx->p_prov = NULL ;
+       } else {
+               ctx->p_prov = NULL ;
+       }
 
-    ctx->hProv          = hProv;
-    ctx->fCallerFreeProv = fCallerFreeProv;
+    ctx->p_prov                 = mscrypt_create_prov( hProv, FALSE ) ;
     ctx->dwKeySpec      = dwKeySpec;
-    ctx->hKey           = hKey;
+    ctx->p_key          = mscrypt_create_key( hKey ) ;
     ctx->type           = type;
 
     return(0);
@@ -238,7 +343,7 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, 0);
  
-    return(ctx->hKey);
+    return( ctx->p_key ? ctx->p_key->hKey : 0 );
 }
 
 /**
@@ -273,7 +378,7 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, 0);
 
-    return(ctx->hProv);
+    return( ctx->p_prov ? ctx->p_prov->hProv : 0 );
 }
 
 DWORD
@@ -316,25 +421,36 @@
                        XMLSEC_ERRORS_NO_MESSAGE);
            return(-1);
        }
-    } 
-
-    if (ctxSrc->hKey != 0) {
-       if (!CryptDuplicateKey(ctxSrc->hKey, NULL, 0, &(ctxDst->hKey))) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
-                       "CryptDuplicateKey",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
     }
-    if(ctxSrc->hProv != 0) {
-       CryptContextAddRef(ctxSrc->hProv, NULL, 0);
-       ctxDst->hProv           = ctxSrc->hProv;
-       ctxDst->fCallerFreeProv = TRUE;
-    } else {
-        ctxDst->hProv          = 0;
-       ctxDst->fCallerFreeProv = FALSE;
+
+    if( ctxSrc->p_key ) {
+               if( ctxDst->p_key )
+                       mscrypt_release_key( ctxDst->p_key ) ;
+
+               ctxDst->p_key = mscrypt_acquire_key( ctxSrc->p_key ) ;
+               if( !ctxDst->p_key ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
+                               "mscrypt_acquire_key",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+                   return(-1);
+               }
+    }
+
+    if( ctxSrc->p_prov ) {
+               if( ctxDst->p_prov )
+                       mscrypt_release_prov( ctxDst->p_prov ) ;
+
+               ctxDst->p_prov = mscrypt_acquire_prov( ctxSrc->p_prov ) ;
+               if( !ctxDst->p_prov ) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
+                               "mscrypt_acquire_prov",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+                   return(-1);
+               }
     }
     
     ctxDst->dwKeySpec      = ctxSrc->dwKeySpec;
@@ -355,16 +471,16 @@
     ctx = xmlSecMSCryptoKeyDataGetCtx(data);
     xmlSecAssert(ctx != NULL);
     
-    if (ctx->hKey != 0) {
-       CryptDestroyKey(ctx->hKey);
+    if( ctx->p_key ) {
+               mscrypt_release_key( ctx->p_key ) ;
     }
 
     if(ctx->pCert != NULL) {
        CertFreeCertificateContext(ctx->pCert);
     }
 
-    if ((ctx->hProv != 0) && ctx->fCallerFreeProv) {
-       CryptReleaseContext(ctx->hProv, 0);
+    if( ctx->p_prov ) {
+               mscrypt_release_prov( ctx->p_prov ) ;
     }
 
     memset(ctx, 0, sizeof(xmlSecMSCryptoKeyDataCtx));
@@ -384,14 +500,14 @@
         xmlSecAssert2(ctx->pCert->pCertInfo != NULL, 0);
        return (CertGetPublicKeyLength(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 
                &(ctx->pCert->pCertInfo->SubjectPublicKeyInfo)));
-    } else if (ctx->hKey != 0) {
+    } else if (ctx->p_key != 0 && ctx->p_key->hKey != 0 ) {
         DWORD length = 0;
        DWORD lenlen = sizeof(DWORD);
-       
-       if (!CryptGetKeyParam(ctx->hKey, KP_KEYLEN, (BYTE *)&length, &lenlen, 0)) {
+
+       if (!CryptGetKeyParam(ctx->p_key->hKey, KP_KEYLEN, (BYTE *)&length, &lenlen, 0)) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                        NULL,
-                       "CertDuplicateCertificateContext",
+                       "CryptGetKeyParam",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
                        XMLSEC_ERRORS_NO_MESSAGE);
            return(0);
@@ -581,7 +697,11 @@
 static void                xmlSecMSCryptoKeyDataRsaDebugDump(xmlSecKeyDataPtr data, FILE* output);
 static void                xmlSecMSCryptoKeyDataRsaDebugXmlDump(xmlSecKeyDataPtr data, FILE* output);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataRsaKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataRsaKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecMSCryptoKeyDataSize,
 
@@ -938,9 +1058,10 @@
 
     ctx = xmlSecMSCryptoKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->hKey != 0, -1);
+    xmlSecAssert2(ctx->p_key != 0, -1);
+    xmlSecAssert2(ctx->p_key->hKey != 0, -1);
 
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "CryptExportKey",
@@ -960,7 +1081,7 @@
     }
 
     blob = xmlSecBufferGetData(&buf);
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "CryptExportKey",
@@ -1295,7 +1416,11 @@
 static void            xmlSecMSCryptoKeyDataDsaDebugXmlDump(xmlSecKeyDataPtr data,
                                                         FILE* output);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataDsaKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataDsaKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecMSCryptoKeyDataSize,
 
@@ -1797,9 +1922,10 @@
 
     ctx = xmlSecMSCryptoKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->hKey != 0, -1);
+    xmlSecAssert2(ctx->p_key != 0, -1);
+    xmlSecAssert2(ctx->p_key->hKey != 0, -1);
     
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, NULL, &dwBlobLen)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "CryptExportKey",
@@ -1819,7 +1945,7 @@
     }
 
     blob = xmlSecBufferGetData(&buf);
-    if (!CryptExportKey(ctx->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
+    if (!CryptExportKey(ctx->p_key->hKey, 0, PUBLICKEYBLOB, 0, blob, &dwBlobLen)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "CryptExportKey",
@@ -2010,7 +2136,6 @@
     HCRYPTKEY hKey = 0;
     DWORD dwKeySpec;
     DWORD dwSize;
-    int res = -1;
     int ret;
 
     xmlSecAssert2(xmlSecKeyDataIsValid(data), xmlSecKeyDataTypeUnknown);
@@ -2043,12 +2168,14 @@
     dwKeySpec = AT_SIGNATURE;
     dwSize = ((sizeBits << 16) | CRYPT_EXPORTABLE);
     if (!CryptGenKey(hProv, CALG_DSS_SIGN, dwSize, &hKey)) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "CryptGenKey",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
+       if (hProv != 0)
+                       CryptReleaseContext(hProv, 0);
+               return -1 ;
     }
 
     ret = xmlSecMSCryptoKeyDataAdoptKey(data, hProv, TRUE, hKey, dwKeySpec, 
@@ -2059,24 +2186,17 @@
                    "xmlSecMSCryptoKeyDataAdoptKey",
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
-       goto done;
-    }
-    hProv = 0;
-    hKey = 0;
+           if( hKey != 0 )
+                       CryptDestroyKey( hKey ) ;
+       if( hProv != 0 )
+                       CryptReleaseContext( hProv, 0 ) ;
 
-    /* success */
-    res = 0;
-
-done:
-    if (hProv != 0) {
-       CryptReleaseContext(ctx->hProv, 0);
+               return -1 ;
     }
+    hProv = 0 ;
+    hKey = 0 ;
 
-    if (hKey != 0) {
-       CryptDestroyKey(hKey);
-    }
-
-    return(res);
+    return 0 ;
 }
 
 static xmlSecKeyDataType
--- misc/xmlsec1-1.2.6/src/mscrypto/ciphers.c   2003-09-26 08:12:51.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/ciphers.c     2008-06-29 23:44:19.000000000 +0200
@@ -785,7 +785,11 @@
  * AES CBC cipher transforms
  *
  ********************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoAes128CbcKlass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoAes128CbcKlass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoBlockCipherSize,             /* xmlSecSize objSize */
@@ -824,7 +828,11 @@
     return(&xmlSecMSCryptoAes128CbcKlass);
 }
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoAes192CbcKlass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoAes192CbcKlass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoBlockCipherSize,             /* xmlSecSize objSize */
@@ -863,7 +871,11 @@
     return(&xmlSecMSCryptoAes192CbcKlass);
 }
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoAes256CbcKlass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoAes256CbcKlass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoBlockCipherSize,             /* xmlSecSize objSize */
@@ -906,7 +918,11 @@
 
 
 #ifndef XMLSEC_NO_DES
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoDes3CbcKlass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoDes3CbcKlass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),      /* size_t klassSize */
     xmlSecMSCryptoBlockCipherSize,     /* size_t objSize */
--- misc/xmlsec1-1.2.6/src/mscrypto/crypto.c    2003-11-12 03:38:51.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/crypto.c      2008-06-29 23:44:19.000000000 +0200
@@ -330,13 +330,15 @@
 BYTE* 
 xmlSecMSCryptoCertStrToName(DWORD dwCertEncodingType, LPCTSTR pszX500, DWORD dwStrType, DWORD* len) {
     BYTE* str = NULL; 
-    
+    LPCTSTR ppszError = NULL;
+
     xmlSecAssert2(pszX500 != NULL, NULL);
     xmlSecAssert2(len != NULL, NULL);
 
     if (!CertStrToName(dwCertEncodingType, pszX500, dwStrType, 
-                       NULL, NULL, len, NULL)) {
+                       NULL, NULL, len, &ppszError)) {
        /* this might not be an error, string might just not exist */
+                DWORD dw = GetLastError();
        return(NULL);
     }
        
--- misc/xmlsec1-1.2.6/src/mscrypto/digests.c   2003-09-30 04:09:51.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/digests.c     2008-06-29 23:44:19.000000000 +0200
@@ -96,12 +96,15 @@
 
     /* TODO: Check what provider is best suited here.... */
     if (!CryptAcquireContext(&ctx->provider, NULL, MS_STRONG_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                   NULL,
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
+        //#i57942# This is also committed in rev 1.4 of this file in the xmlsec project
+        if (!CryptAcquireContext(&ctx->provider, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+            xmlSecError(XMLSEC_ERRORS_HERE, 
+                xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+                       NULL,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+        }
+        return(0);
     }
 
     return(0);
@@ -298,7 +301,11 @@
  * SHA1
  *
  *****************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* size_t klassSize */
     xmlSecMSCryptoDigestSize,                  /* size_t objSize */
--- misc/xmlsec1-1.2.6/src/mscrypto/keysstore.c 2003-09-27 05:12:22.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/keysstore.c   2008-06-29 23:44:19.000000000 +0200
@@ -62,7 +62,11 @@
                                                                     const xmlChar* name, 
                                                                     xmlSecKeyInfoCtxPtr keyInfoCtx);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyStoreKlass xmlSecMSCryptoKeysStoreKlass = {
+#else
 static xmlSecKeyStoreKlass xmlSecMSCryptoKeysStoreKlass = {
+#endif
     sizeof(xmlSecKeyStoreKlass),
     xmlSecMSCryptoKeysStoreSize,
 
--- misc/xmlsec1-1.2.6/src/mscrypto/kt_rsa.c    2003-09-26 22:29:25.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/kt_rsa.c      2008-06-29 23:44:19.000000000 +0200
@@ -66,7 +66,11 @@
 static int     xmlSecMSCryptoRsaPkcs1Process                   (xmlSecTransformPtr transform, 
                                                                 xmlSecTransformCtxPtr transformCtx);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoRsaPkcs1Klass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoRsaPkcs1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoRsaPkcs1Size,                        /* xmlSecSize objSize */
--- misc/xmlsec1-1.2.6/src/mscrypto/signatures.c        2003-09-26 22:29:25.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/signatures.c  2008-06-29 23:44:19.000000000 +0200
@@ -483,7 +483,11 @@
  * RSA-SHA1 signature transform
  *
  ***************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoRsaSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoRsaSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoSignatureSize,               /* xmlSecSize objSize */
@@ -531,7 +535,11 @@
  *
  ***************************************************************************/
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecMSCryptoDsaSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecMSCryptoDsaSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecMSCryptoSignatureSize,               /* xmlSecSize objSize */
--- misc/xmlsec1-1.2.6/src/mscrypto/symkeys.c   2003-09-26 02:58:13.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/symkeys.c     2008-06-29 23:44:19.000000000 +0200
@@ -72,7 +72,11 @@
  * <xmlsec:AESKeyValue> processing
  *
  *************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataAesKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataAesKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecKeyDataBinarySize,
 
@@ -153,7 +157,11 @@
  * <xmlsec:DESKeyValue> processing
  *
  *************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataDesKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataDesKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecKeyDataBinarySize,
 
--- misc/xmlsec1-1.2.6/src/mscrypto/x509.c      2003-09-26 02:58:13.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/x509.c        2008-06-29 23:44:19.000000000 +0200
@@ -240,7 +240,11 @@
 
 
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataX509Klass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataX509Klass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecMSCryptoX509DataSize,
 
@@ -1572,6 +1576,7 @@
                                             xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecMSCryptoX509DataCtxPtr ctx;
     xmlSecKeyDataStorePtr x509Store;
+       PCCERT_CONTEXT pCert ;
     int ret;
     
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecMSCryptoKeyDataX509Id), -1);
@@ -1610,6 +1615,53 @@
                return(-1);
            }
 
+               /*
+                * I'll search key according to KeyReq.
+                */
+               pCert = CertDuplicateCertificateContext( ctx->keyCert ) ;
+               if( pCert == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE,
+                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                               "CertDuplicateCertificateContext",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                       return(-1);
+               }
+
+               if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+                       keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePrivate ) ;
+                       if(keyValue == NULL) {
+                               xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                                               "xmlSecMSCryptoCertAdopt",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                               CertFreeCertificateContext( pCert ) ;
+                               return(-1);
+                       }
+                       pCert = NULL ;
+               } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+                       keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePublic ) ;
+                       if(keyValue == NULL) {
+                               xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                                               "xmlSecMSCryptoCertAdopt",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                               CertFreeCertificateContext( pCert ) ;
+                               return(-1);
+                       }
+                       pCert = NULL ;
+               }
+
+
+
+               /*-
+                * Get Public key from cert, which does not always work for sign action.
+         *
            keyValue = xmlSecMSCryptoX509CertGetKey(ctx->keyCert);
            if(keyValue == NULL) {
                xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1619,6 +1671,51 @@
                            XMLSEC_ERRORS_NO_MESSAGE);
                return(-1);
            }
+               */
+
+               /*-
+                * I'll search key according to KeyReq.
+                */
+               pCert = CertDuplicateCertificateContext( ctx->keyCert ) ;
+               if( pCert == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE,
+                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                               "CertDuplicateCertificateContext",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                       return(-1);
+               }
+
+               if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+                       keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePrivate ) ;
+                       if(keyValue == NULL) {
+                               xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                                               "xmlSecMSCryptoCertAdopt",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                               CertFreeCertificateContext( pCert ) ;
+                               return(-1);
+                       }
+                       pCert = NULL ;
+               } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+                       keyValue = xmlSecMSCryptoCertAdopt( pCert, xmlSecKeyDataTypePublic ) ;
+                       if(keyValue == NULL) {
+                               xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                                               "xmlSecMSCryptoCertAdopt",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               XMLSEC_ERRORS_NO_MESSAGE);
+
+                               CertFreeCertificateContext( pCert ) ;
+                               return(-1);
+                       }
+                       pCert = NULL ;
+               }
+
+
 
            /* verify that the key matches our expectations */
            if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
@@ -1882,7 +1979,7 @@
     xmlSecAssert2(nm->pbData != NULL, NULL);
     xmlSecAssert2(nm->cbData > 0, NULL);
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, NULL, 0);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, NULL, 0);
     str = (char *)xmlMalloc(csz);
     if (NULL == str) {
        xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1893,7 +1990,7 @@
        return (NULL);
     }
 
-    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR, str, csz);
+    csz = CertNameToStr(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, nm, CERT_X500_NAME_STR | CERT_NAME_STR_REVERSE_FLAG, str, csz);
     if (csz < 1) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
@@ -1904,17 +2001,37 @@
        return(NULL);
     }
 
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlStrdup",
-                   XMLSEC_ERRORS_R_MALLOC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       xmlFree(str);
-       return(NULL);
+    /* aleksey: this is a hack, but mscrypto can not read E= flag and wants Email= instead.
+     * don't ask me how is it possible not to read something you wrote yourself but also
+     * see comment in the xmlSecMSCryptoX509FindCert function. 
+     */
+    if(strncmp(str, "E=", 2) == 0) {
+        res = xmlMalloc(strlen(str) + 13 + 1);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlMalloc",
+                           XMLSEC_ERRORS_R_MALLOC_FAILED,
+                           "size=%d",
+                    strlen(str) + 13 + 1);
+            xmlFree(str);
+            return(NULL);
+        }
+
+        memcpy(res, "emailAddress=", 13);
+        strcpy(res + 13, BAD_CAST (str + 2)); 
+    } else {
+        res = xmlStrdup(BAD_CAST str);
+        if(res == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlStrdup",
+                           XMLSEC_ERRORS_R_MALLOC_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+            xmlFree(str);
+            return(NULL);
+        }
     }
-
     xmlFree(str);
     return(res);
 }
@@ -2153,7 +2270,11 @@
                                                                 xmlSecSize bufSize,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecMSCryptoKeyDataRawX509CertKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecMSCryptoKeyDataRawX509CertKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     sizeof(xmlSecKeyData),
 
--- misc/xmlsec1-1.2.6/src/mscrypto/x509vfy.c   2003-09-27 05:12:22.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/mscrypto/x509vfy.c     2008-06-29 23:44:19.000000000 +0200
@@ -70,7 +70,11 @@
 static xmlSecByte *    xmlSecMSCryptoX509NameRead      (xmlSecByte *str, 
                                                         int len);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataStoreKlass xmlSecMSCryptoX509StoreKlass = {
+#else
 static xmlSecKeyDataStoreKlass xmlSecMSCryptoX509StoreKlass = {
+#endif
     sizeof(xmlSecKeyDataStoreKlass),
     xmlSecMSCryptoX509StoreSize,
 
@@ -125,6 +129,7 @@
                                xmlChar *issuerName, xmlChar *issuerSerial,
                                xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
+       PCCERT_CONTEXT pCert ;
     
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
@@ -132,10 +137,17 @@
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
     xmlSecAssert2(ctx != NULL, NULL);
     xmlSecAssert2(ctx->untrusted != NULL, NULL);
+    xmlSecAssert2(ctx->trusted != NULL, NULL);
 
-    return(xmlSecMSCryptoX509FindCert(ctx->untrusted, subjectName, issuerName, issuerSerial, ski));
-}
+       pCert = NULL ;
+       if( ctx->untrusted != NULL )
+               pCert = xmlSecMSCryptoX509FindCert( ctx->untrusted, subjectName, issuerName, issuerSerial, ski ) ;
+
+       if( ctx->trusted != NULL && pCert == NULL )
+               pCert = xmlSecMSCryptoX509FindCert( ctx->trusted, subjectName, issuerName, issuerSerial, ski ) ;
 
+    return( pCert ) ;
+}
 
 static void 
 xmlSecMSCryptoUnixTimeToFileTime(time_t t, LPFILETIME pft) {
@@ -252,17 +264,22 @@
 }
 
 static BOOL
-xmlSecMSCryptoX509StoreConstructCertsChain(xmlSecKeyDataStorePtr store, PCCERT_CONTEXT cert, HCERTSTORE certs, 
-                             xmlSecKeyInfoCtx* keyInfoCtx) {
+xmlSecMSCryptoX509StoreConstructCertsChain(
+       xmlSecKeyDataStorePtr store ,
+       PCCERT_CONTEXT cert ,
+       HCERTSTORE certStore , 
+       xmlSecKeyInfoCtx* keyInfoCtx
+) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
     PCCERT_CONTEXT issuerCert = NULL;
     FILETIME fTime;
     DWORD flags;
+    BOOL selfSigned ;
     
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), FALSE);
     xmlSecAssert2(cert != NULL, FALSE);
     xmlSecAssert2(cert->pCertInfo != NULL, FALSE);
-    xmlSecAssert2(certs != NULL, FALSE);
+    xmlSecAssert2(certStore != NULL, FALSE);
     xmlSecAssert2(keyInfoCtx != NULL, FALSE);
 
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
@@ -283,60 +300,85 @@
        return(FALSE);
     }
 
-    if (!xmlSecMSCryptoCheckRevocation(certs, cert)) {
+    if (!xmlSecMSCryptoCheckRevocation(certStore, cert)) {
        return(FALSE);
     }
 
-    /* try the untrusted certs in the chain */
-    issuerCert = CertFindCertificateInStore(certs, 
+    /*-
+        * Firstly try to find the cert in the trusted cert store. We will trust
+        * the certificate in the trusted store.
+        */
+    issuerCert = CertFindCertificateInStore(ctx->trusted, 
                            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                            0,
                            CERT_FIND_SUBJECT_NAME,
-                           &(cert->pCertInfo->Issuer),
+                           &(cert->pCertInfo->Subject),
                            NULL);
-    if(issuerCert == cert) {
-       /* self signed cert, forget it */
-       CertFreeCertificateContext(issuerCert);
-    } else if(issuerCert != NULL) {
-        flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
-       if(!CertVerifySubjectCertificateContext(cert, issuerCert, &flags)) {
-           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
-           CertFreeCertificateContext(issuerCert);
-           return(FALSE);
-        }
-       if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certs, keyInfoCtx)) {
-           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
-           CertFreeCertificateContext(issuerCert);
-           return(FALSE);
-       }
-       CertFreeCertificateContext(issuerCert);
-       return(TRUE);
+    if( issuerCert != NULL ) {
+               /* We have found the trusted cert, so return true */
+               CertFreeCertificateContext( issuerCert ) ;
+               return( TRUE ) ;
     }
 
-    /* try the untrusted certs in the store */
-    issuerCert = CertFindCertificateInStore(ctx->untrusted, 
+       /* Check whether the certificate is self signed certificate */
+       selfSigned = CertCompareCertificateName( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &(cert->pCertInfo->Subject), &(cert->pCertInfo->Issuer) ) ;
+
+    /* try the untrusted certs in the chain */
+       if( !selfSigned ) {
+           issuerCert = CertFindCertificateInStore(certStore, 
                            X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                            0,
                            CERT_FIND_SUBJECT_NAME,
                            &(cert->pCertInfo->Issuer),
                            NULL);
-    if(issuerCert == cert) {
-       /* self signed cert, forget it */
-       CertFreeCertificateContext(issuerCert);
-    } else if(issuerCert != NULL) {
-        flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
-       if(!CertVerifySubjectCertificateContext(cert, issuerCert, &flags)) {
-           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
-           CertFreeCertificateContext(issuerCert);
-           return(FALSE);
-        }
-       if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certs, keyInfoCtx)) {
-           CertFreeCertificateContext(issuerCert);
-           return(FALSE);
+           if( issuerCert != NULL && CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, issuerCert->pCertInfo ) ) {
+                       /* self signed cert, forget it */
+                       CertFreeCertificateContext(issuerCert);
+           } else if(issuerCert != NULL) {
+               flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
+                       if(!CertVerifySubjectCertificateContext(cert, issuerCert, &flags)) {
+                           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
+                           CertFreeCertificateContext(issuerCert);
+                           return(FALSE);
+               }
+                       if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certStore, keyInfoCtx)) {
+                           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
+                           CertFreeCertificateContext(issuerCert);
+                           return(FALSE);
+                       }
+
+                       CertFreeCertificateContext(issuerCert);
+                       return(TRUE);
+           }
+       }
+
+    /* try the untrusted certs in the store */
+       if( !selfSigned ) {
+           issuerCert = CertFindCertificateInStore(ctx->untrusted, 
+                                   X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                   0,
+                                   CERT_FIND_SUBJECT_NAME,
+                                   &(cert->pCertInfo->Issuer),
+                                   NULL);
+           if( issuerCert != NULL && CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, issuerCert->pCertInfo ) ) {
+                       /* self signed cert, forget it */
+                       CertFreeCertificateContext(issuerCert);
+           } else if(issuerCert != NULL) {
+               flags = CERT_STORE_REVOCATION_FLAG | CERT_STORE_SIGNATURE_FLAG;
+                       if(!CertVerifySubjectCertificateContext(cert, issuerCert, &flags)) {
+                           xmlSecMSCryptoX509StoreCertError(store, issuerCert, flags);
+                           CertFreeCertificateContext(issuerCert);
+                           return(FALSE);
+               }
+                       if(!xmlSecMSCryptoX509StoreConstructCertsChain(store, issuerCert, certStore, keyInfoCtx)) {
+                           CertFreeCertificateContext(issuerCert);
+                           return(FALSE);
+                       }
+
+                       CertFreeCertificateContext(issuerCert);
+                       return(TRUE);
+           }
        }
-       CertFreeCertificateContext(issuerCert);
-       return(TRUE);
-    }
 
     /* try to find issuer cert in the trusted cert in the store */
     issuerCert = CertFindCertificateInStore(ctx->trusted, 
@@ -379,26 +421,61 @@
     xmlSecAssert2(certs != NULL, NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
-    while((cert = CertEnumCertificatesInStore(certs, cert)) != NULL){
-       PCCERT_CONTEXT nextCert = NULL;
+    while( ( cert = CertEnumCertificatesInStore( certs, cert ) ) != NULL ) {
+               PCCERT_CONTEXT nextCert ;
+               unsigned char selected ;
     
-       xmlSecAssert2(cert->pCertInfo != NULL, NULL);
+               xmlSecAssert2( cert->pCertInfo != NULL, NULL ) ;
 
-       /* if cert is the issuer of any other cert in the list, then it is 
-       * to be skipped */
-       nextCert = CertFindCertificateInStore(certs,
+               /* if cert is the issuer of any other cert in the list, then it is 
+                * to be skipped except that the cert list only have one self-signed
+                * certificate.
+                */
+               for( selected = 0, nextCert = NULL ; ; ) {
+                       nextCert = CertFindCertificateInStore( certs,
                                X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                0,
                                CERT_FIND_ISSUER_NAME,
                                &(cert->pCertInfo->Subject),
-                               NULL);
-       if(nextCert != NULL) {
-           CertFreeCertificateContext(nextCert);
-           continue;
-       }
-       if(xmlSecMSCryptoX509StoreConstructCertsChain(store, cert, certs, keyInfoCtx)) {
-           return(cert);
-       }
+                               nextCert ) ;
+                       if( nextCert != NULL ) {
+                               if( CertCompareCertificate( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert->pCertInfo, nextCert->pCertInfo ) ) {
+                                       selected = 1 ;
+                                       continue ;
+                               } else {
+                                       selected = 0 ;
+                                       break ;
+                               }
+                       } else {
+                               selected = 1 ;
+                               break ;
+                       }
+               }
+
+               if( nextCert != NULL )
+                       CertFreeCertificateContext( nextCert ) ;
+
+               if( !selected ) {
+                       continue ;
+               }
+
+      /* JL: OpenOffice.org implements its own certificate verification routine. 
+                 The goal is to seperate validation of the signature
+                 and the certificate. For example, OOo could show that the document signature is valid,
+                 but the certificate could not be verified. If we do not prevent the verification of
+                 the certificate by libxmlsec and the verification fails, then the XML signature will not be 
+                 verified. This would happen, for example, if the root certificate is not installed.
+                 
+                 In the store schould only be the certificate from the X509Certificate element 
+                 and the X509IssuerSerial element. The latter is only there
+                 if the certificate is installed. Both certificates must be the same!
+                 In case of writing the signature, the store contains only the certificate that
+                 was created based on the information from the X509IssuerSerial element. */
+        return cert;
+        
+/*             if( xmlSecMSCryptoX509StoreConstructCertsChain( store, cert, certs, keyInfoCtx ) ) {
+                   return( cert ) ;
+               } */
     }
 
     return (NULL);
@@ -458,9 +535,126 @@
     return(0);
 }
 
+int    
+xmlSecMSCryptoX509StoreAdoptKeyStore (
+       xmlSecKeyDataStorePtr store,
+       HCERTSTORE keyStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( keyStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->trusted != NULL, -1);
+
+       if( !CertAddStoreToCollection ( ctx->trusted , keyStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 2 ) ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertAddStoreToCollection",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+               return(-1);
+       }
+
+       {
+               PCCERT_CONTEXT ptCert ;
+
+               ptCert = NULL ;
+               while( 1 ) {
+                       ptCert = CertEnumCertificatesInStore( ctx->trusted, ptCert ) ;
+                       if( ptCert == NULL )
+                               break ;
+               }
+       }
+
+    return(0);
+}
+
+int
+xmlSecMSCryptoX509StoreAdoptTrustedStore (
+       xmlSecKeyDataStorePtr store,
+       HCERTSTORE trustedStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( trustedStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->trusted != NULL, -1);
+
+       if( !CertAddStoreToCollection ( ctx->trusted , trustedStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 3 ) ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertAddStoreToCollection",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+               return(-1);
+       }
+
+       {
+               PCCERT_CONTEXT ptCert ;
+
+               ptCert = NULL ;
+               while( 1 ) {
+                       ptCert = CertEnumCertificatesInStore( ctx->trusted, ptCert ) ;
+                       if( ptCert == NULL )
+                               break ;
+               }
+       }
+
+    return(0);
+}
+
+int
+xmlSecMSCryptoX509StoreAdoptUntrustedStore (
+       xmlSecKeyDataStorePtr store,
+       HCERTSTORE untrustedStore
+) {
+    xmlSecMSCryptoX509StoreCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
+    xmlSecAssert2( untrustedStore != NULL, -1);
+
+    ctx = xmlSecMSCryptoX509StoreGetCtx(store);
+    xmlSecAssert2(ctx != NULL, -1);
+    xmlSecAssert2(ctx->untrusted != NULL, -1);
+
+       if( !CertAddStoreToCollection ( ctx->untrusted , untrustedStore , CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG , 2 ) ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertAddStoreToCollection",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+               return(-1);
+       }
+
+       {
+               PCCERT_CONTEXT ptCert ;
+
+               ptCert = NULL ;
+               while( 1 ) {
+                       ptCert = CertEnumCertificatesInStore( ctx->untrusted, ptCert ) ;
+                       if( ptCert == NULL )
+                               break ;
+               }
+       }
+
+       return(0);
+}
+
 static int
 xmlSecMSCryptoX509StoreInitialize(xmlSecKeyDataStorePtr store) {
     xmlSecMSCryptoX509StoreCtxPtr ctx;
+       HCERTSTORE hTrustedMemStore ;
+       HCERTSTORE hUntrustedMemStore ;
+
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecMSCryptoX509StoreId), -1);
 
     ctx = xmlSecMSCryptoX509StoreGetCtx(store);
@@ -468,36 +662,104 @@
 
     memset(ctx, 0, sizeof(xmlSecMSCryptoX509StoreCtx));
 
+    /* create trusted certs store collection */
+    ctx->trusted = CertOpenStore(CERT_STORE_PROV_COLLECTION,
+                              0,
+                              NULL,
+                              0,
+                              NULL);
+    if(ctx->trusted == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertOpenStore",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
+       }
+
     /* create trusted certs store */
-    ctx->trusted = CertOpenStore(CERT_STORE_PROV_MEMORY,
+    hTrustedMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY,
                               X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                               0,
                               CERT_STORE_CREATE_NEW_FLAG,
                               NULL);
-    if(ctx->trusted == NULL) {
+    if(hTrustedMemStore == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                    "CertOpenStore",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
+       CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       ctx->trusted = NULL ;
        return(-1);
     }
 
-    /* create trusted certs store */
-    ctx->untrusted = CertOpenStore(CERT_STORE_PROV_MEMORY,
+       /* add the memory trusted certs store to trusted certs store collection */
+       if( !CertAddStoreToCollection( ctx->trusted, hTrustedMemStore, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 1 ) ) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertAddStoreToCollection",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       CertCloseStore(hTrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+       ctx->trusted = NULL ;
+       return(-1);
+       }
+       CertCloseStore(hTrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+
+    /* create untrusted certs store collection */
+    ctx->untrusted = CertOpenStore(CERT_STORE_PROV_COLLECTION,
+                              0,
+                              NULL,
+                              0,
+                              NULL);
+    if(ctx->untrusted == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertOpenStore",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       ctx->trusted = NULL ;
+       return(-1);
+       }
+
+    /* create untrusted certs store */
+    hUntrustedMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY,
                               X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                               0,
                               CERT_STORE_CREATE_NEW_FLAG,
                               NULL);
-    if(ctx->untrusted == NULL) {
+    if(hUntrustedMemStore == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
                    "CertOpenStore",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
+       CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       CertCloseStore(ctx->untrusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       ctx->trusted = NULL ;
+       ctx->untrusted = NULL ;
        return(-1);
     }
 
+       /* add the memory trusted certs store to untrusted certs store collection */
+       if( !CertAddStoreToCollection( ctx->untrusted, hUntrustedMemStore, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 1 ) ) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                   "CertAddStoreToCollection",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       CertCloseStore(ctx->untrusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       CertCloseStore(ctx->trusted, CERT_CLOSE_STORE_FORCE_FLAG);
+       CertCloseStore(hUntrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+       ctx->trusted = NULL ;
+       ctx->untrusted = NULL ;
+       return(-1);
+       }
+       CertCloseStore(hUntrustedMemStore, CERT_CLOSE_STORE_CHECK_FLAG);
+
     return(0);    
 }
 
@@ -567,10 +829,41 @@
 
     if((pCert == NULL) && (NULL != issuerName) && (NULL != issuerSerial)) {
        xmlSecBn issuerSerialBn;        
+    xmlChar * p;
        CERT_NAME_BLOB cnb;
+    CRYPT_INTEGER_BLOB cib;
         BYTE *cName = NULL; 
        DWORD cNameLen = 0;     
+    
+    /* aleksey: for some unknown to me reasons, mscrypto wants Email
+     * instead of emailAddress. This code is not bullet proof and may 
+     * produce incorrect results if someone has "emailAddress=" string
+     * in one of the fields, but it is best I can suggest to fix this problem.
+     * Also see xmlSecMSCryptoX509NameWrite function.
+     */
+    while( (p = (xmlChar*)xmlStrstr(issuerName, BAD_CAST "emailAddress=")) != NULL) {
+        memcpy(p, "       Email=", 13);
+    }
+
+
+
+    /* get issuer name */
+       cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                                          issuerName,
+                                          CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG | CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
+                                          &cNameLen);
+       if(cName == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecMSCryptoCertStrToName",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+           return (NULL);
+       }
+       cnb.pbData = cName;
+       cnb.cbData = cNameLen;
 
+    /* get serial number */
        ret = xmlSecBnInitialize(&issuerSerialBn, 0);
        if(ret < 0) {
            xmlSecError(XMLSEC_ERRORS_HERE,
@@ -578,6 +871,7 @@
                        "xmlSecBnInitialize",
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
                        XMLSEC_ERRORS_NO_MESSAGE);
+       xmlFree(cName);
            return(NULL);
        }
 
@@ -589,26 +883,30 @@
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
                        XMLSEC_ERRORS_NO_MESSAGE);
            xmlSecBnFinalize(&issuerSerialBn);
-           return(NULL);
+               xmlFree(cName);
+        return(NULL);
        }
 
-       cName = xmlSecMSCryptoCertStrToName(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-                                          issuerName,
-                                          CERT_OID_NAME_STR | CERT_NAME_STR_REVERSE_FLAG,
-                                          &cNameLen);
-       if(cName == NULL) {
+       /* I have no clue why at a sudden a swap is needed to 
+     * convert from lsb... This code is purely based upon 
+        * trial and error :( WK
+        */
+    ret = xmlSecBnReverse(&issuerSerialBn);
+       if(ret < 0) {
            xmlSecError(XMLSEC_ERRORS_HERE,
                        NULL,
-                       "xmlSecMSCryptoCertStrToName",
+                       "xmlSecBnReverse",
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
                        XMLSEC_ERRORS_NO_MESSAGE);
            xmlSecBnFinalize(&issuerSerialBn);
-           return (NULL);
+               xmlFree(cName);
+        return(NULL);
        }
 
-       cnb.pbData = cName;
-       cnb.cbData = cNameLen;
-       while((pCert = CertFindCertificateInStore(store, 
+    cib.pbData = xmlSecBufferGetData(&issuerSerialBn);
+    cib.cbData = xmlSecBufferGetSize(&issuerSerialBn);
+
+    while((pCert = CertFindCertificateInStore(store, 
                                                  PKCS_7_ASN_ENCODING | X509_ASN_ENCODING,
                                                  0,
                                                  CERT_FIND_ISSUER_NAME,
@@ -622,10 +920,9 @@
            if((pCert->pCertInfo != NULL) && 
               (pCert->pCertInfo->SerialNumber.pbData != NULL) && 
               (pCert->pCertInfo->SerialNumber.cbData > 0) && 
-              (0 == xmlSecBnCompareReverse(&issuerSerialBn, pCert->pCertInfo->SerialNumber.pbData, 
-                                    pCert->pCertInfo->SerialNumber.cbData))) {
-               
-               break;
+           (CertCompareIntegerBlob(&(pCert->pCertInfo->SerialNumber), &cib) == TRUE)
+           ) {         
+                   break;
            }
        }
        xmlFree(cName);
--- misc/xmlsec1-1.2.6/src/nss/Makefile.am      2003-09-16 11:43:03.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/Makefile.am        2008-06-29 23:44:19.000000000 +0200
@@ -20,21 +20,22 @@
        $(NULL)
 
 libxmlsec1_nss_la_SOURCES =\
+       akmngr.c \
        app.c \
        bignum.c \
        ciphers.c \
        crypto.c \
        digests.c \
        hmac.c \
+       keysstore.c \
+       keytrans.c \
+       keywrapers.c \
        pkikeys.c \
        signatures.c \
        symkeys.c \
+       tokens.c \
        x509.c \
        x509vfy.c \
-       keysstore.c \
-       kt_rsa.c \
-       kw_des.c \
-       kw_aes.c \
        $(NULL)
 
 libxmlsec1_nss_la_LIBADD = \
--- misc/xmlsec1-1.2.6/src/nss/Makefile.in      2004-08-26 08:00:32.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/Makefile.in        2008-06-29 23:44:19.000000000 +0200
@@ -54,9 +54,9 @@
        $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
        $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 am__objects_1 =
-am_libxmlsec1_nss_la_OBJECTS = app.lo bignum.lo ciphers.lo crypto.lo \
+am_libxmlsec1_nss_la_OBJECTS = akmngr.lo app.lo bignum.lo ciphers.lo crypto.lo \
        digests.lo hmac.lo pkikeys.lo signatures.lo symkeys.lo x509.lo \
-       x509vfy.lo keysstore.lo kt_rsa.lo kw_des.lo kw_aes.lo \
+       x509vfy.lo keysstore.lo tokens.lo keytrans.lo keywrapers.lo \
        $(am__objects_1)
 libxmlsec1_nss_la_OBJECTS = $(am_libxmlsec1_nss_la_OBJECTS)
 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)
@@ -65,11 +65,11 @@
 @AMDEP_TRUE@DEP_FILES = ./$(DEPDIR)/app.Plo ./$(DEPDIR)/bignum.Plo \
 @AMDEP_TRUE@   ./$(DEPDIR)/ciphers.Plo ./$(DEPDIR)/crypto.Plo \
 @AMDEP_TRUE@   ./$(DEPDIR)/digests.Plo ./$(DEPDIR)/hmac.Plo \
-@AMDEP_TRUE@   ./$(DEPDIR)/keysstore.Plo ./$(DEPDIR)/kt_rsa.Plo \
-@AMDEP_TRUE@   ./$(DEPDIR)/kw_aes.Plo ./$(DEPDIR)/kw_des.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/keysstore.Plo ./$(DEPDIR)/tokens.Plo \
+@AMDEP_TRUE@   ./$(DEPDIR)/keywrapers.Plo ./$(DEPDIR)/keytrans.Plo \
 @AMDEP_TRUE@   ./$(DEPDIR)/pkikeys.Plo ./$(DEPDIR)/signatures.Plo \
 @AMDEP_TRUE@   ./$(DEPDIR)/symkeys.Plo ./$(DEPDIR)/x509.Plo \
-@AMDEP_TRUE@   ./$(DEPDIR)/x509vfy.Plo
+@AMDEP_TRUE@   ./$(DEPDIR)/x509vfy.Plo ./$(DEPDIR)/akmngr.Plo
 COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
        $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) \
@@ -321,21 +321,22 @@
        $(NULL)
 
 libxmlsec1_nss_la_SOURCES = \
+       akmngr.c \
        app.c \
        bignum.c \
        ciphers.c \
        crypto.c \
        digests.c \
        hmac.c \
+       keysstore.c \
+       keytrans.c \
+       keywrappers.c \
        pkikeys.c \
        signatures.c \
        symkeys.c \
+       tokens.c \
        x509.c \
        x509vfy.c \
-       keysstore.c \
-       kt_rsa.c \
-       kw_des.c \
-       kw_aes.c \
        $(NULL)
 
 libxmlsec1_nss_la_LIBADD = \
@@ -418,6 +419,7 @@
 distclean-compile:
        -rm -f *.tab.c
 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/akmngr.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/app.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bignum.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ciphers.Plo@am__quote@
@@ -425,9 +427,9 @@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/digests.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmac.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keysstore.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kt_rsa.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kw_aes.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kw_des.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tokens.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keywrapers.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keytrans.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkikeys.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signatures.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/symkeys.Plo@am__quote@
--- misc/xmlsec1-1.2.6/src/nss/akmngr.c 2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/akmngr.c   2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,384 @@
-dummy
+/** 
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright.........................
+ */
+#include "globals.h"
+
+#include <nspr.h>
+#include <nss.h>
+#include <pk11func.h>
+#include <cert.h>
+#include <keyhi.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/akmngr.h>
+#include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/keysstore.h>
+
+/**
+ * xmlSecNssAppliedKeysMngrCreate:
+ * @slot:                      array of pointers to NSS PKCS#11 slot infomation.
+ * @cSlots:                    number of slots in the array
+ * @handler:           the pointer to NSS certificate database.
+ *
+ * Create and load NSS crypto slot and certificate database into keys manager
+ *
+ * Returns keys manager pointer on success or NULL otherwise.
+ */
+xmlSecKeysMngrPtr
+xmlSecNssAppliedKeysMngrCreate(
+       PK11SlotInfo** slots, 
+       int cSlots,
+       CERTCertDBHandle* handler
+) {
+       xmlSecKeyDataStorePtr   certStore = NULL ;
+       xmlSecKeysMngrPtr               keyMngr = NULL ;
+       xmlSecKeyStorePtr               keyStore = NULL ;
+       int islot = 0;
+       keyStore = xmlSecKeyStoreCreate( xmlSecNssKeysStoreId ) ;
+       if( keyStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeyStoreCreate" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return NULL ;
+       }
+
+       for (islot = 0; islot < cSlots; islot++)
+       {
+               xmlSecNssKeySlotPtr             keySlot ;
+
+               /* Create a key slot */
+               keySlot = xmlSecNssKeySlotCreate() ;
+               if( keySlot == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                               "xmlSecNssKeySlotCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyStoreDestroy( keyStore ) ;
+                       return NULL ;
+               }
+
+               /* Set slot */
+               if( xmlSecNssKeySlotSetSlot( keySlot , slots[islot] ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                               "xmlSecNssKeySlotSetSlot" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyStoreDestroy( keyStore ) ;
+                       xmlSecNssKeySlotDestroy( keySlot ) ;
+                       return NULL ;
+               }
+
+               /* Adopt keySlot */
+               if( xmlSecNssKeysStoreAdoptKeySlot( keyStore , keySlot ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                               "xmlSecNssKeysStoreAdoptKeySlot" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyStoreDestroy( keyStore ) ;
+                       xmlSecNssKeySlotDestroy( keySlot ) ;
+                       return NULL ;
+               }
+       }
+
+       keyMngr = xmlSecKeysMngrCreate() ;
+       if( keyMngr == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrCreate" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyStoreDestroy( keyStore ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Add key store to manager, from now on keys manager destroys the store if
+        * needed
+        */
+       if( xmlSecKeysMngrAdoptKeysStore( keyMngr, keyStore ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                       "xmlSecKeysMngrAdoptKeyStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyStoreDestroy( keyStore ) ;
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Initialize crypto library specific data in keys manager
+        */
+       if( xmlSecNssKeysMngrInit( keyMngr ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrCreate" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Set certificate databse to X509 key data store
+        */
+       /**
+        * Because Tej's implementation of certDB use the default DB, so I ignore
+        * the certDB handler at present. I'll modify the cert store sources to
+        * accept particular certDB instead of default ones.
+       certStore = xmlSecKeysMngrGetDataStore( keyMngr , xmlSecNssKeyDataStoreX509Id ) ;
+       if( certStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                       "xmlSecKeysMngrGetDataStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+
+       if( xmlSecNssKeyDataStoreX509SetCertDb( certStore , handler ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( keyStore ) ) ,
+                       "xmlSecNssKeyDataStoreX509SetCertDb" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeysMngrDestroy( keyMngr ) ;
+               return NULL ;
+       }
+       */
+
+       /*-
+        * Set the getKey callback
+        */
+       keyMngr->getKey = xmlSecKeysMngrGetKey ;
+
+       return keyMngr ;
+}
+
+int
+xmlSecNssAppliedKeysMngrSymKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       PK11SymKey*                     symKey
+) {
+       xmlSecKeyPtr            key ;
+       xmlSecKeyDataPtr        data ;
+       xmlSecKeyStorePtr       keyStore ;
+
+       xmlSecAssert2( mngr != NULL , -1 ) ;
+       xmlSecAssert2( symKey != NULL , -1 ) ;
+
+       keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+       if( keyStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetKeysStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+       xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+       data = xmlSecNssSymKeyDataKeyAdopt( symKey ) ;
+       if( data == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+
+       key = xmlSecKeyCreate() ;
+       if( key == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecKeySetValue( key , data ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDestroy( key ) ;
+               return(-1) ;
+       }
+
+       return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPubKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       SECKEYPublicKey*        pubKey
+) {
+       xmlSecKeyPtr            key ;
+       xmlSecKeyDataPtr        data ;
+       xmlSecKeyStorePtr       keyStore ;
+
+       xmlSecAssert2( mngr != NULL , -1 ) ;
+       xmlSecAssert2( pubKey != NULL , -1 ) ;
+
+       keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+       if( keyStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetKeysStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+       xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+       data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+       if( data == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssPKIAdoptKey" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+
+       key = xmlSecKeyCreate() ;
+       if( key == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecKeySetValue( key , data ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDestroy( key ) ;
+               return(-1) ;
+       }
+
+       return(0) ;
+}
+
+int
+xmlSecNssAppliedKeysMngrPriKeyLoad(
+       xmlSecKeysMngrPtr       mngr ,
+       SECKEYPrivateKey*       priKey
+) {
+       xmlSecKeyPtr            key ;
+       xmlSecKeyDataPtr        data ;
+       xmlSecKeyStorePtr       keyStore ;
+
+       xmlSecAssert2( mngr != NULL , -1 ) ;
+       xmlSecAssert2( priKey != NULL , -1 ) ;
+
+       keyStore = xmlSecKeysMngrGetKeysStore( mngr ) ;
+       if( keyStore == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecKeysMngrGetKeysStore" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+       xmlSecAssert2( xmlSecKeyStoreCheckId( keyStore , xmlSecNssKeysStoreId ) , -1 ) ;
+
+       data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+       if( data == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssPKIAdoptKey" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1) ;
+       }
+
+       key = xmlSecKeyCreate() ;
+       if( key == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecKeySetValue( key , data ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+               return(-1) ;
+       }
+
+       if( xmlSecNssKeysStoreAdoptKey( keyStore, key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataKeyAdopt" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDestroy( key ) ;
+               return(-1) ;
+       }
+
+       return(0) ;
+}
+
--- misc/xmlsec1-1.2.6/src/nss/ciphers.c        2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/ciphers.c  2008-06-29 23:44:19.000000000 +0200
@@ -1,838 +1,967 @@
-/** 
- * XMLSec library
- *
- * This is free software; see Copyright file in the source
- * distribution for preciese wording.
- * 
- * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com>
- * Copyright (c) 2003 America Online, Inc.  All rights reserved.
- */
+/* -- C Source File -- **/
 #include "globals.h"
 
+#include <stdlib.h>
 #include <string.h>
 
-#include <nspr.h>
 #include <nss.h>
-#include <secoid.h>
 #include <pk11func.h>
 
 #include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
+#include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
 
-#define XMLSEC_NSS_MAX_KEY_SIZE                32
-#define XMLSEC_NSS_MAX_IV_SIZE         32
-#define XMLSEC_NSS_MAX_BLOCK_SIZE      32
-
-/**************************************************************************
- *
- * Internal Nss Block cipher CTX
+/**
+ * Internal Nss Block Cipher Context
  *
- *****************************************************************************/
-typedef struct _xmlSecNssBlockCipherCtx                xmlSecNssBlockCipherCtx,
-                                                       *xmlSecNssBlockCipherCtxPtr;
+ * This context is designed for repositing a block cipher for transform
+ */
+typedef struct _xmlSecNssBlockCipherCtx                xmlSecNssBlockCipherCtx ;
+typedef struct _xmlSecNssBlockCipherCtx*       xmlSecNssBlockCipherCtxPtr ;
+
 struct _xmlSecNssBlockCipherCtx {
-    CK_MECHANISM_TYPE  cipher;
-    PK11Context*       cipherCtx;
-    xmlSecKeyDataId    keyId;
-    int                        keyInitialized;
-    int                        ctxInitialized;
-    xmlSecByte         key[XMLSEC_NSS_MAX_KEY_SIZE];
-    xmlSecSize         keySize;
-    xmlSecByte         iv[XMLSEC_NSS_MAX_IV_SIZE];
-    xmlSecSize         ivSize;
-};
-static int     xmlSecNssBlockCipherCtxInit             (xmlSecNssBlockCipherCtxPtr ctx,
-                                                        xmlSecBufferPtr in,
-                                                        xmlSecBufferPtr out,
-                                                        int encrypt,
-                                                        const xmlChar* cipherName,
-                                                        xmlSecTransformCtxPtr transformCtx);
-static int     xmlSecNssBlockCipherCtxUpdate   (xmlSecNssBlockCipherCtxPtr ctx,
-                                                        xmlSecBufferPtr in,
-                                                        xmlSecBufferPtr out,
-                                                        int encrypt,
-                                                        const xmlChar* cipherName,
-                                                        xmlSecTransformCtxPtr transformCtx);
-static int     xmlSecNssBlockCipherCtxFinal            (xmlSecNssBlockCipherCtxPtr ctx,
-                                                        xmlSecBufferPtr in,
-                                                        xmlSecBufferPtr out,
-                                                        int encrypt,
-                                                        const xmlChar* cipherName,
-                                                        xmlSecTransformCtxPtr transformCtx);
-static int 
-xmlSecNssBlockCipherCtxInit(xmlSecNssBlockCipherCtxPtr ctx,
-                               xmlSecBufferPtr in, xmlSecBufferPtr out,
-                               int encrypt,
-                               const xmlChar* cipherName,
-                               xmlSecTransformCtxPtr transformCtx) {
-    SECItem keyItem;
-    SECItem ivItem;
-    PK11SlotInfo* slot;
-    PK11SymKey* symKey;
-    int ivLen;
-    SECStatus rv;
-    int ret;
-
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx == NULL, -1);
-    xmlSecAssert2(ctx->keyInitialized != 0, -1);
-    xmlSecAssert2(ctx->ctxInitialized == 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
-
-    ivLen = PK11_GetIVLength(ctx->cipher);
-    xmlSecAssert2(ivLen > 0, -1);
-    xmlSecAssert2((xmlSecSize)ivLen <= sizeof(ctx->iv), -1);
-    
-    if(encrypt) {
-        /* generate random iv */
-        rv = PK11_GenerateRandom(ctx->iv, ivLen);
-       if(rv != SECSuccess) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(cipherName),
-                       "PK11_GenerateRandom",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       "size=%d", ivLen);
-           return(-1);    
-       }
-       
-       /* write iv to the output */
-       ret = xmlSecBufferAppend(out, ctx->iv, ivLen);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE, 
-                       xmlSecErrorsSafeString(cipherName),
-                       "xmlSecBufferAppend",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "size=%d", ivLen);
-           return(-1);
-       }
-       
-    } else {
-       /* if we don't have enough data, exit and hope that 
-        * we'll have iv next time */
-       if(xmlSecBufferGetSize(in) < (xmlSecSize)ivLen) {
-           return(0);
-       }
-       
-       /* copy iv to our buffer*/
-       xmlSecAssert2(xmlSecBufferGetData(in) != NULL, -1);
-       memcpy(ctx->iv, xmlSecBufferGetData(in), ivLen);
-       
-       /* and remove from input */
-       ret = xmlSecBufferRemoveHead(in, ivLen);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE, 
-                       xmlSecErrorsSafeString(cipherName),
-                       "xmlSecBufferRemoveHead",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "size=%d", ivLen);
-           return(-1);
+       CK_MECHANISM_TYPE               cipher ;
+       PK11SymKey*                             symkey ;
+       PK11Context*                    cipherCtx ;
+       xmlSecKeyDataId                 keyId ;
+} ;
+
+#define xmlSecNssBlockCipherSize       \
+       ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssBlockCipherCtx ) )
+
+#define xmlSecNssBlockCipherGetCtx( transform ) \
+       ( ( xmlSecNssBlockCipherCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+static int
+xmlSecNssBlockCipherCheckId(
+       xmlSecTransformPtr transform
+) {
+       #ifndef XMLSEC_NO_DES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformDes3CbcId ) ) {
+               return 1 ;
        }
-    }
+       #endif /* XMLSEC_NO_DES */
 
-    memset(&keyItem, 0, sizeof(keyItem));
-    keyItem.data = ctx->key;
-    keyItem.len  = ctx->keySize; 
-    memset(&ivItem, 0, sizeof(ivItem));
-    ivItem.data = ctx->iv;
-    ivItem.len  = ctx->ivSize; 
-
-    slot = PK11_GetBestSlot(ctx->cipher, NULL);
-    if(slot == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "PK11_GetBestSlot",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-       
-    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginDerive, 
-                              CKA_SIGN, &keyItem, NULL);
-    if(symKey == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "PK11_ImportSymKey",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-        PK11_FreeSlot(slot);
-       return(-1);
-    }
+       #ifndef XMLSEC_NO_AES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformAes128CbcId ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformAes192CbcId ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformAes256CbcId ) ) {
 
-    ctx->cipherCtx = PK11_CreateContextBySymKey(ctx->cipher, 
-                       (encrypt) ? CKA_ENCRYPT : CKA_DECRYPT, 
-                       symKey, &ivItem);
-    if(ctx->cipherCtx == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "PK11_CreateContextBySymKey",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       PK11_FreeSymKey(symKey);
-        PK11_FreeSlot(slot);
-       return(-1);
+               return 1 ;
     }
-
-    ctx->ctxInitialized = 1;
-    PK11_FreeSymKey(symKey);
-    PK11_FreeSlot(slot);
-    return(0);
+       #endif /* XMLSEC_NO_AES */
+    
+    return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherCtxUpdate(xmlSecNssBlockCipherCtxPtr ctx,
-                                 xmlSecBufferPtr in, xmlSecBufferPtr out,
-                                 int encrypt,
-                                 const xmlChar* cipherName,
-                                 xmlSecTransformCtxPtr transformCtx) {
-    xmlSecSize inSize, inBlocks, outSize;
-    int blockLen;
-    int outLen = 0;
-    xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
-    
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
+static int
+xmlSecNssBlockCipherFetchCtx(
+       xmlSecNssBlockCipherCtxPtr              context ,
+       xmlSecTransformId                               id
+) {
+       xmlSecAssert2( context != NULL, -1 ) ;
+
+       #ifndef XMLSEC_NO_DES
+       if( id == xmlSecNssTransformDes3CbcId ) {
+               context->cipher = CKM_DES3_CBC ;
+               context->keyId = xmlSecNssKeyDataDesId ;
+       } else
+       #endif          /* XMLSEC_NO_DES */
+
+       #ifndef XMLSEC_NO_AES
+       if( id == xmlSecNssTransformAes128CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( id == xmlSecNssTransformAes192CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( id == xmlSecNssTransformAes256CbcId ) {
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       #endif          /* XMLSEC_NO_AES */
+
+       if( 1 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   NULL ,
+                   NULL ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
 
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+       return 0 ;
+}
 
-    inSize = xmlSecBufferGetSize(in);
-    outSize = xmlSecBufferGetSize(out);
-    
-    if(inSize < (xmlSecSize)blockLen) {
-       return(0);
-    }
+/**
+ * xmlSecTransformInitializeMethod:
+ * @transform:                 the pointer to transform object.
+ *
+ * The transform specific initialization method.
+ *
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherInitialize(
+       xmlSecTransformPtr transform
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( xmlSecNssBlockCipherFetchCtx( context , transform->id ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherFetchCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
 
-    if(encrypt) {
-        inBlocks = inSize / ((xmlSecSize)blockLen);
-    } else {
-       /* we want to have the last block in the input buffer 
-        * for padding check */
-        inBlocks = (inSize - 1) / ((xmlSecSize)blockLen);
-    }
-    inSize = inBlocks * ((xmlSecSize)blockLen);
+       context->symkey = NULL ;
+       context->cipherCtx = NULL ;
 
-    /* we write out the input size plus may be one block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + inSize + blockLen);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferSetMaxSize",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", outSize + inSize + blockLen);
-       return(-1);
-    }
-    outBuf = xmlSecBufferGetData(out) + outSize;
-    
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, inSize + blockLen,
-                       xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "PK11_CipherOp",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
-    
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferSetSize",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", outSize + outLen);
-       return(-1);
-    }
-        
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferRemoveHead",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", inSize);
-       return(-1);
-    }
-    return(0);
+       return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherCtxFinal(xmlSecNssBlockCipherCtxPtr ctx,
-                                xmlSecBufferPtr in,
-                                xmlSecBufferPtr out,
-                                int encrypt,
-                                const xmlChar* cipherName,
-                                xmlSecTransformCtxPtr transformCtx) {
-    xmlSecSize inSize, outSize;
-    int blockLen, outLen = 0;
-    xmlSecByte* inBuf;
-    xmlSecByte* outBuf;
-    SECStatus rv;
-    int ret;
-    
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->cipherCtx != NULL, -1);
-    xmlSecAssert2(ctx->ctxInitialized != 0, -1);
-    xmlSecAssert2(in != NULL, -1);
-    xmlSecAssert2(out != NULL, -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
-
-    blockLen = PK11_GetBlockSize(ctx->cipher, NULL);
-    xmlSecAssert2(blockLen > 0, -1);
+/**
+ * xmlSecTransformFinalizeMethod:
+ * @transform:                 the pointer to transform object.
+ *
+ * The transform specific destroy method.
+ */
+static void 
+xmlSecNssBlockCipherFinalize(
+       xmlSecTransformPtr transform
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
 
-    inSize = xmlSecBufferGetSize(in);
-    outSize = xmlSecBufferGetSize(out);
+       xmlSecAssert( xmlSecNssBlockCipherCheckId( transform ) ) ;
+       xmlSecAssert( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ) ) ;
 
-    if(encrypt != 0) {
-        xmlSecAssert2(inSize < (xmlSecSize)blockLen, -1);        
-    
-       /* create padding */
-        ret = xmlSecBufferSetMaxSize(in, blockLen);
-       if(ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE, 
-                       xmlSecErrorsSafeString(cipherName),
-                       "xmlSecBufferSetMaxSize",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "size=%d", blockLen);
-           return(-1);
-       }
-       inBuf = xmlSecBufferGetData(in);
-
-        /* generate random padding */
-       if((xmlSecSize)blockLen > (inSize + 1)) {
-           rv = PK11_GenerateRandom(inBuf + inSize, blockLen - inSize - 1);
-           if(rv != SECSuccess) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(cipherName),
-                           "PK11_GenerateRandom",
-                           XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           "size=%d", blockLen - inSize - 1); 
-               return(-1);    
-           }
-       }
-       inBuf[blockLen - 1] = blockLen - inSize;
-       inSize = blockLen;
-    } else {
-       if(inSize != (xmlSecSize)blockLen) {
-           xmlSecError(XMLSEC_ERRORS_HERE, 
-                       xmlSecErrorsSafeString(cipherName),
-                       NULL,
-                       XMLSEC_ERRORS_R_INVALID_DATA,
-                       "data=%d;block=%d", inSize, blockLen);
-           return(-1);
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return ;    
        }
-    }
-    
-    /* process last block */
-    ret = xmlSecBufferSetMaxSize(out, outSize + 2 * blockLen);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferSetMaxSize",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", outSize + 2 * blockLen);
-       return(-1);
-    }
-    outBuf = xmlSecBufferGetData(out) + outSize;
 
-    rv = PK11_CipherOp(ctx->cipherCtx, outBuf, &outLen, 2 * blockLen,
-                       xmlSecBufferGetData(in), inSize);
-    if(rv != SECSuccess) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "PK11_CipherOp",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-    xmlSecAssert2((xmlSecSize)outLen == inSize, -1);
-    
-    if(encrypt == 0) {
-       /* check padding */
-       if(outLen < outBuf[blockLen - 1]) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(cipherName),
-                       NULL,
-                       XMLSEC_ERRORS_R_INVALID_DATA,
-                       "padding=%d;buffer=%d",
-                       outBuf[blockLen - 1], outLen);
-           return(-1); 
-       }
-       outLen -= outBuf[blockLen - 1];
-    } 
-
-    /* set correct output buffer size */
-    ret = xmlSecBufferSetSize(out, outSize + outLen);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferSetSize",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", outSize + outLen);
-       return(-1);
-    }
+       if( context->cipherCtx != NULL ) {
+               PK11_DestroyContext( context->cipherCtx, PR_TRUE ) ;
+               context->cipherCtx = NULL ;
+       }
 
-    /* remove the processed block from input */
-    ret = xmlSecBufferRemoveHead(in, inSize);
-    if(ret < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(cipherName),
-                   "xmlSecBufferRemoveHead",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "size=%d", inSize);
-       return(-1);
-    }
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
 
-    return(0);
+       context->cipher = CKM_INVALID_MECHANISM ;
+       context->keyId = NULL ;
 }
 
-
-/******************************************************************************
- *
- * EVP Block Cipher transforms
+/**
+ * xmlSecTransformSetKeyRequirementsMethod:
+ * @transform:                 the pointer to transform object.
+ * @keyReq:                            the pointer to key requirements structure.
  *
- * xmlSecNssBlockCipherCtx block is located after xmlSecTransform structure
+ * Transform specific method to set transform's key requirements.
  * 
- *****************************************************************************/
-#define xmlSecNssBlockCipherSize       \
-    (sizeof(xmlSecTransform) + sizeof(xmlSecNssBlockCipherCtx))
-#define xmlSecNssBlockCipherGetCtx(transform) \
-    ((xmlSecNssBlockCipherCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform)))
-
-static int     xmlSecNssBlockCipherInitialize  (xmlSecTransformPtr transform);
-static void    xmlSecNssBlockCipherFinalize            (xmlSecTransformPtr transform);
-static int     xmlSecNssBlockCipherSetKeyReq   (xmlSecTransformPtr transform, 
-                                                        xmlSecKeyReqPtr keyReq);
-static int     xmlSecNssBlockCipherSetKey              (xmlSecTransformPtr transform,
-                                                        xmlSecKeyPtr key);
-static int     xmlSecNssBlockCipherExecute             (xmlSecTransformPtr transform,
-                                                        int last,
-                                                        xmlSecTransformCtxPtr transformCtx);
-static int     xmlSecNssBlockCipherCheckId             (xmlSecTransformPtr transform);
-                                                        
-
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int  
+xmlSecNssBlockCipherSetKeyReq(
+       xmlSecTransformPtr transform ,
+       xmlSecKeyReqPtr keyReq
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+       xmlSecSize cipherSize = 0 ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+       xmlSecAssert2( keyReq != NULL , -1 ) ;
+       xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       keyReq->keyId = context->keyId ;
+       keyReq->keyType = xmlSecKeyDataTypeSymmetric ;
+
+       if( transform->operation == xmlSecTransformOperationEncrypt ) {
+               keyReq->keyUsage = xmlSecKeyUsageEncrypt ;
+       } else {
+               keyReq->keyUsage = xmlSecKeyUsageDecrypt ;
+       }
+
+       /*
+       if( context->symkey != NULL )
+               cipherSize = PK11_GetKeyLength( context->symkey ) ; 
 
-static int
-xmlSecNssBlockCipherCheckId(xmlSecTransformPtr transform) {
-#ifndef XMLSEC_NO_DES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformDes3CbcId)) {
-       return(1);
-    }
-#endif /* XMLSEC_NO_DES */
+       keyReq->keyBitsSize = cipherSize * 8 ;
+       */
 
-#ifndef XMLSEC_NO_AES
-    if(xmlSecTransformCheckId(transform, xmlSecNssTransformAes128CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes192CbcId) ||
-       xmlSecTransformCheckId(transform, xmlSecNssTransformAes256CbcId)) {
-       
-       return(1);
-    }
-#endif /* XMLSEC_NO_AES */
-    
-    return(0);
+       return 0 ;
 }
 
-static int 
-xmlSecNssBlockCipherInitialize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
+/**
+ * xmlSecTransformSetKeyMethod:
+ * @transform:                 the pointer to transform object.
+ * @key:                               the pointer to key.
+ *
+ * The transform specific method to set the key for use.
+ * 
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherSetKey(
+       xmlSecTransformPtr transform ,
+       xmlSecKeyPtr key
+) {
+       xmlSecNssBlockCipherCtxPtr context = NULL ;
+       xmlSecKeyDataPtr        keyData = NULL ;
+       PK11SymKey*                     symkey = NULL ;
+       CK_ATTRIBUTE_TYPE       operation ;
+       int                                     ivLen ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+       xmlSecAssert2( key != NULL , -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+       xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+       keyData = xmlSecKeyGetValue( key ) ;
+       if( keyData == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+                   "xmlSecKeyGetValue" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+                   "xmlSecNssSymKeyDataGetKey" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
 
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
+       context->symkey = symkey ;
 
-#ifndef XMLSEC_NO_DES
-    if(transform->id == xmlSecNssTransformDes3CbcId) {
-       ctx->cipher     = CKM_DES3_CBC;
-       ctx->keyId      = xmlSecNssKeyDataDesId;
-       ctx->keySize    = 24;
-    } else 
-#endif /* XMLSEC_NO_DES */
-
-#ifndef XMLSEC_NO_AES
-    if(transform->id == xmlSecNssTransformAes128CbcId) {
-       ctx->cipher     = CKM_AES_CBC;  
-       ctx->keyId      = xmlSecNssKeyDataAesId;
-       ctx->keySize    = 16;
-    } else if(transform->id == xmlSecNssTransformAes192CbcId) {
-       ctx->cipher     = CKM_AES_CBC;  
-       ctx->keyId      = xmlSecNssKeyDataAesId;
-       ctx->keySize    = 24;
-    } else if(transform->id == xmlSecNssTransformAes256CbcId) {
-       ctx->cipher     = CKM_AES_CBC;  
-       ctx->keyId      = xmlSecNssKeyDataAesId;
-       ctx->keySize    = 32;
-    } else 
-#endif /* XMLSEC_NO_AES */
-
-    if(1) {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                   NULL,
-                   XMLSEC_ERRORS_R_INVALID_TRANSFORM,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }        
-    
-    return(0);
+       return 0 ;
 }
 
-static void 
-xmlSecNssBlockCipherFinalize(xmlSecTransformPtr transform) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-
-    xmlSecAssert(xmlSecNssBlockCipherCheckId(transform));
-    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize));
+/**
+ * Block cipher transform init
+ */
+static int 
+xmlSecNssBlockCipherCtxInit(
+       xmlSecNssBlockCipherCtxPtr      ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       const xmlChar*                          cipherName ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       SECItem                         ivItem ;
+       SECItem*                        secParam = NULL ;
+       xmlSecBufferPtr         ivBuf = NULL ;
+       int                                     ivLen ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipherCtx == NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       ivLen = PK11_GetIVLength( ctx->cipher ) ;
+       if( ivLen < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_GetIVLength" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( ( ivBuf = xmlSecBufferCreate( ivLen ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferCreate" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( encrypt ) {
+               if( PK11_GenerateRandom( ivBuf->data , ivLen ) != SECSuccess ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               "PK11_GenerateRandom" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy( ivBuf ) ;
+                       return -1 ;    
+               }
+               if( xmlSecBufferSetSize( ivBuf , ivLen ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecBufferSetSize" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy( ivBuf ) ;
+                       return -1 ;    
+               }
+
+               if( xmlSecBufferAppend( out , ivBuf->data , ivLen ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               "xmlSecBufferAppend" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy( ivBuf ) ;
+                       return -1 ;    
+               }
+       } else {
+               if( xmlSecBufferSetData( ivBuf , in->data , ivLen ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               "xmlSecBufferSetData" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy( ivBuf ) ;
+                       return -1 ;    
+               }
+
+               if( xmlSecBufferRemoveHead( in , ivLen ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               "xmlSecBufferRemoveHead" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy( ivBuf ) ;
+                       return -1 ;    
+               }
+       }
+
+       ivItem.data = xmlSecBufferGetData( ivBuf ) ;
+       ivItem.len = xmlSecBufferGetSize( ivBuf ) ;
+       if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_ParamFromIV" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecBufferDestroy( ivBuf ) ;
+               return -1 ;    
+       }
+
+       ctx->cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
+       if( ctx->cipherCtx == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               SECITEM_FreeItem( secParam , PR_TRUE ) ;
+               xmlSecBufferDestroy( ivBuf ) ;
+               return -1 ;    
+       }
 
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert(ctx != NULL);
+       SECITEM_FreeItem( secParam , PR_TRUE ) ;
+       xmlSecBufferDestroy( ivBuf ) ;
 
-    if(ctx->cipherCtx != NULL) {
-        PK11_DestroyContext(ctx->cipherCtx, PR_TRUE);
-    }
-    
-    memset(ctx, 0, sizeof(xmlSecNssBlockCipherCtx));
+       return 0 ;
 }
 
-static int  
-xmlSecNssBlockCipherSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(keyReq != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
-
-    keyReq->keyId      = ctx->keyId;
-    keyReq->keyType    = xmlSecKeyDataTypeSymmetric;
-    if(transform->operation == xmlSecTransformOperationEncrypt) {
-       keyReq->keyUsage = xmlSecKeyUsageEncrypt;
-    } else {
-       keyReq->keyUsage = xmlSecKeyUsageDecrypt;
-    }
-    keyReq->keyBitsSize = 8 * ctx->keySize;
-    return(0);
-}
+/**
+ * Block cipher transform update
+ */
+static int 
+xmlSecNssBlockCipherCtxUpdate(
+       xmlSecNssBlockCipherCtxPtr      ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       const xmlChar*                          cipherName ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecSize                      inSize ;
+       xmlSecSize                      outSize ;
+       xmlSecSize                      inBlocks ;
+       int                                     blockSize ;
+       int                                     outLen ;
+       xmlSecByte*                     outBuf ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipherCtx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       inSize = xmlSecBufferGetSize( in ) ;
+       outSize = xmlSecBufferGetSize( out ) ;
+
+       inBlocks = ( encrypt != 0 ? inSize : ( inSize - 1 ) ) / blockSize ;
+       inSize = inBlocks * blockSize ;
+
+       if( inSize < blockSize ) {
+               return 0 ;
+       }
+
+       if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferSetMaxSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+       outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+       if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_CipherOp" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferSetSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
 
-static int
-xmlSecNssBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr buffer;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(key != NULL, -1);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(ctx->cipher != 0, -1);
-    xmlSecAssert2(ctx->keyInitialized == 0, -1);
-    xmlSecAssert2(ctx->keyId != NULL, -1);
-    xmlSecAssert2(xmlSecKeyCheckId(key, ctx->keyId), -1);
-
-    xmlSecAssert2(ctx->keySize > 0, -1);
-    xmlSecAssert2(ctx->keySize <= sizeof(ctx->key), -1);
-
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(xmlSecKeyGetValue(key));
-    xmlSecAssert2(buffer != NULL, -1);
-
-    if(xmlSecBufferGetSize(buffer) < ctx->keySize) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                   NULL,
-                   XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE,
-                   "keySize=%d;expected=%d",
-                   xmlSecBufferGetSize(buffer), ctx->keySize);
-       return(-1);
-    }
-    
-    xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1);
-    memcpy(ctx->key, xmlSecBufferGetData(buffer), ctx->keySize);
-    
-    ctx->keyInitialized = 1;
-    return(0);
+       return 0 ;
 }
 
+/**
+ * Block cipher transform final
+ */
 static int 
-xmlSecNssBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
-    xmlSecNssBlockCipherCtxPtr ctx;
-    xmlSecBufferPtr in, out;
-    int ret;
-    
-    xmlSecAssert2(xmlSecNssBlockCipherCheckId(transform), -1);
-    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
-    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssBlockCipherSize), -1);
-    xmlSecAssert2(transformCtx != NULL, -1);
-
-    in = &(transform->inBuf);
-    out = &(transform->outBuf);
-
-    ctx = xmlSecNssBlockCipherGetCtx(transform);
-    xmlSecAssert2(ctx != NULL, -1);
+xmlSecNssBlockCipherCtxFinal(
+       xmlSecNssBlockCipherCtxPtr      ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       const xmlChar*                          cipherName ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecSize                      inSize ;
+       xmlSecSize                      outSize ;
+       int                                     blockSize ;
+       int                                     outLen ;
+       xmlSecByte*                     inBuf ;
+       xmlSecByte*                     outBuf ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipherCtx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       inSize = xmlSecBufferGetSize( in ) ;
+       outSize = xmlSecBufferGetSize( out ) ;
+
+       /******************************************************************/
+       if( encrypt != 0 ) {
+               xmlSecAssert2( inSize < blockSize, -1 ) ;
+
+               /* create padding */
+               if( xmlSecBufferSetMaxSize( in , blockSize ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               "xmlSecBufferSetMaxSize" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;    
+               }
+               inBuf = xmlSecBufferGetData( in ) ;
+
+               /* generate random */
+               if( blockSize > ( inSize + 1 ) ) {
+                       if( PK11_GenerateRandom( inBuf + inSize, blockSize - inSize - 1 ) != SECSuccess ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       xmlSecErrorsSafeString( cipherName ) ,
+                                       "PK11_GenerateRandom" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return -1 ;    
+                       }
+               }
+
+               inBuf[blockSize-1] = blockSize - inSize ;
+               inSize = blockSize ;
+       } else {
+               if( inSize != blockSize ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;    
+               }
+       }
+
+       /* process the last block */
+       if( xmlSecBufferSetMaxSize( out , outSize + inSize + blockSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferSetMaxSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+       outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+       if( PK11_CipherOp( ctx->cipherCtx , outBuf , &outLen , inSize + blockSize , xmlSecBufferGetData( in ) , inSize ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_CipherOp" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( encrypt == 0 ) {
+               /* check padding */
+               if( outLen < outBuf[blockSize-1] ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( cipherName ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;    
+               }
+
+               outLen -= outBuf[blockSize-1] ;
+       }
+       /******************************************************************/
+
+       /******************************************************************
+       if( xmlSecBufferSetMaxSize( out , outSize + blockSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferSetMaxSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       outBuf = xmlSecBufferGetData( out ) + outSize ;
+
+       if( PK11_DigestFinal( ctx->cipherCtx , outBuf , &outLen , blockSize ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "PK11_DigestFinal" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+       ******************************************************************/
+
+       if( xmlSecBufferSetSize( out , outSize + outLen ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferSetSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       if( xmlSecBufferRemoveHead( in , inSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( cipherName ) ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+/*     PK11_Finalize( ctx->cipherCtx ) ;*/
+       PK11_DestroyContext( ctx->cipherCtx , PR_TRUE ) ;
+       ctx->cipherCtx = NULL ;
 
-    if(transform->status == xmlSecTransformStatusNone) {
-       transform->status = xmlSecTransformStatusWorking;
-    }
-
-    if(transform->status == xmlSecTransformStatusWorking) {
-       if(ctx->ctxInitialized == 0) {
-           ret = xmlSecNssBlockCipherCtxInit(ctx, in, out, 
-                       (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-                       xmlSecTransformGetName(transform), transformCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE, 
-                           xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                           "xmlSecNssBlockCipherCtxInit",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               return(-1);
-           }
-       }
-       if((ctx->ctxInitialized == 0) && (last != 0)) {
-           xmlSecError(XMLSEC_ERRORS_HERE, 
-                       xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                       NULL,
-                       XMLSEC_ERRORS_R_INVALID_DATA,
-                       "not enough data to initialize transform");
-           return(-1);
-       }
-
-       if(ctx->ctxInitialized != 0) {
-           ret = xmlSecNssBlockCipherCtxUpdate(ctx, in, out, 
-                       (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-                       xmlSecTransformGetName(transform), transformCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE, 
-                           xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                           "xmlSecNssBlockCipherCtxUpdate",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               return(-1);
-           }
-       }
-       
-       if(last) {
-           ret = xmlSecNssBlockCipherCtxFinal(ctx, in, out, 
-                       (transform->operation == xmlSecTransformOperationEncrypt) ? 1 : 0,
-                       xmlSecTransformGetName(transform), transformCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE, 
-                           xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                           "xmlSecNssBlockCipherCtxFinal",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               return(-1);
-           }
-           transform->status = xmlSecTransformStatusFinished;
-       } 
-    } else if(transform->status == xmlSecTransformStatusFinished) {
-       /* the only way we can get here is if there is no input */
-       xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1);
-    } else if(transform->status == xmlSecTransformStatusNone) {
-       /* the only way we can get here is if there is no enough data in the input */
-       xmlSecAssert2(last == 0, -1);
-    } else {
-       xmlSecError(XMLSEC_ERRORS_HERE, 
-                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                   NULL,
-                   XMLSEC_ERRORS_R_INVALID_STATUS,
-                   "status=%d", transform->status);
-       return(-1);
-    }
-    
-    return(0);
+       return 0 ;
 }
 
 
-#ifndef XMLSEC_NO_AES
-/*********************************************************************
+
+/**
+ * xmlSecTransformExecuteMethod:
+ * @transform:                 the pointer to transform object.
+ * @last:                      the flag: if set to 1 then it's the last data chunk.
+ * @transformCtx:              the pointer to transform context object.
  *
- * AES CBC cipher transforms
+ * Transform specific method to process a chunk of data.
  *
- ********************************************************************/
+ * Returns 0 on success or a negative value otherwise.
+ */
+static int
+xmlSecNssBlockCipherExecute(
+       xmlSecTransformPtr transform ,
+       int last ,
+       xmlSecTransformCtxPtr transformCtx
+) {
+       xmlSecNssBlockCipherCtxPtr      context = NULL ;
+       xmlSecBufferPtr                         inBuf = NULL ;
+       xmlSecBufferPtr                         outBuf = NULL ;
+       const xmlChar*                          cipherName ;
+       int                                                     operation ;
+       int                                                     rtv ;
+
+       xmlSecAssert2( xmlSecNssBlockCipherCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssBlockCipherSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       context = xmlSecNssBlockCipherGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssBlockCipherGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;    
+       }
+
+       inBuf = &( transform->inBuf ) ;
+       outBuf = &( transform->outBuf ) ;
+
+       if( transform->status == xmlSecTransformStatusNone ) {
+               transform->status = xmlSecTransformStatusWorking ;
+       }
+
+       operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+       cipherName = xmlSecTransformGetName( transform ) ;
+
+       if( transform->status == xmlSecTransformStatusWorking ) {
+               if( context->cipherCtx == NULL ) {
+                       rtv = xmlSecNssBlockCipherCtxInit( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssBlockCipherCtxInit" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return -1 ;
+                       }
+               }
+
+               if( context->cipherCtx == NULL && last != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "No enough data to intialize transform" ) ;
+                       return -1 ;
+               }
+
+               if( context->cipherCtx != NULL ) {
+                       rtv = xmlSecNssBlockCipherCtxUpdate( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssBlockCipherCtxUpdate" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return -1 ;
+                       }
+               }
+               
+               if( last ) {
+                       rtv = xmlSecNssBlockCipherCtxFinal( context, inBuf , outBuf , operation , cipherName , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssBlockCipherCtxFinal" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return -1 ;
+                       }
+                       transform->status = xmlSecTransformStatusFinished ;
+               }
+       } else if( transform->status == xmlSecTransformStatusFinished ) {
+               if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "status=%d", transform->status ) ;
+                       return -1 ;
+               }
+       } else {
+               xmlSecError( XMLSEC_ERRORS_HERE , 
+                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                       "status=%d", transform->status ) ;
+               return -1 ;
+       }
+
+       return 0 ;
+}
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssAes128CbcKlass = {
+#else
 static xmlSecTransformKlass xmlSecNssAes128CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,          /* xmlSecSize objSize */
-
-    xmlSecNameAes128Cbc,                       /* const xmlChar* name; */
-    xmlSecHrefAes128Cbc,                       /* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize,            /* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,              /* xmlSecTransformFinalizeMethod finalize; */
-    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
-    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,             /* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,                /* xmlSecTransformSetKeyMethod setKey; */
-    NULL,                                      /* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
-    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,               /* xmlSecTransformExecuteMethod execute; */
-
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
-};
+#endif
+       sizeof( xmlSecTransformKlass ) ,
+       xmlSecNssBlockCipherSize ,
+
+       xmlSecNameAes128Cbc ,
+       xmlSecHrefAes128Cbc ,
+       xmlSecTransformUsageEncryptionMethod ,
+
+       xmlSecNssBlockCipherInitialize ,
+       xmlSecNssBlockCipherFinalize ,
+       NULL ,
+       NULL ,
+
+       xmlSecNssBlockCipherSetKeyReq ,
+       xmlSecNssBlockCipherSetKey ,
+       NULL ,
+       xmlSecTransformDefaultGetDataType ,
+
+       xmlSecTransformDefaultPushBin ,
+       xmlSecTransformDefaultPopBin ,
+       NULL ,
+       NULL ,
+       xmlSecNssBlockCipherExecute ,
+
+       NULL ,
+       NULL
+} ;
+
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssAes192CbcKlass = {
+#else
+static xmlSecTransformKlass xmlSecNssAes192CbcKlass = {
+#endif
+       sizeof( xmlSecTransformKlass ) ,
+       xmlSecNssBlockCipherSize ,
+
+       xmlSecNameAes192Cbc ,
+       xmlSecHrefAes192Cbc ,
+       xmlSecTransformUsageEncryptionMethod ,
+
+       xmlSecNssBlockCipherInitialize ,
+       xmlSecNssBlockCipherFinalize ,
+       NULL ,
+       NULL ,
+
+       xmlSecNssBlockCipherSetKeyReq ,
+       xmlSecNssBlockCipherSetKey ,
+       NULL ,
+       xmlSecTransformDefaultGetDataType ,
+
+       xmlSecTransformDefaultPushBin ,
+       xmlSecTransformDefaultPopBin ,
+       NULL ,
+       NULL ,
+       xmlSecNssBlockCipherExecute ,
+
+       NULL ,
+       NULL
+} ;
+
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssAes256CbcKlass = {
+#else
+static xmlSecTransformKlass xmlSecNssAes256CbcKlass = {
+#endif
+       sizeof( xmlSecTransformKlass ) ,
+       xmlSecNssBlockCipherSize ,
+
+       xmlSecNameAes256Cbc ,
+       xmlSecHrefAes256Cbc ,
+       xmlSecTransformUsageEncryptionMethod ,
+
+       xmlSecNssBlockCipherInitialize ,
+       xmlSecNssBlockCipherFinalize ,
+       NULL ,
+       NULL ,
+
+       xmlSecNssBlockCipherSetKeyReq ,
+       xmlSecNssBlockCipherSetKey ,
+       NULL ,
+       xmlSecTransformDefaultGetDataType ,
+
+       xmlSecTransformDefaultPushBin ,
+       xmlSecTransformDefaultPopBin ,
+       NULL ,
+       NULL ,
+       xmlSecNssBlockCipherExecute ,
+
+       NULL ,
+       NULL
+} ;
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssDes3CbcKlass = {
+#else
+static xmlSecTransformKlass xmlSecNssDes3CbcKlass = {
+#endif
+       sizeof( xmlSecTransformKlass ) ,
+       xmlSecNssBlockCipherSize ,
+
+       xmlSecNameDes3Cbc ,
+       xmlSecHrefDes3Cbc ,
+       xmlSecTransformUsageEncryptionMethod ,
+
+       xmlSecNssBlockCipherInitialize ,
+       xmlSecNssBlockCipherFinalize ,
+       NULL ,
+       NULL ,
+
+       xmlSecNssBlockCipherSetKeyReq ,
+       xmlSecNssBlockCipherSetKey ,
+       NULL ,
+       xmlSecTransformDefaultGetDataType ,
+
+       xmlSecTransformDefaultPushBin ,
+       xmlSecTransformDefaultPopBin ,
+       NULL ,
+       NULL ,
+       xmlSecNssBlockCipherExecute ,
+
+       NULL ,
+       NULL
+} ;
 
 /**
- * xmlSecNssTransformAes128CbcGetKlass:
- * 
- * AES 128 CBC encryption transform klass.
- * 
- * Returns pointer to AES 128 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes128CbcGetKlass(void) {
-    return(&xmlSecNssAes128CbcKlass);
+ * xmlSecNssTransformAes128CbcGetKlass
+ *
+ * Get the AES128_CBC transform klass
+ *
+ * Return AES128_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes128CbcGetKlass( void ) {
+       return ( &xmlSecNssAes128CbcKlass ) ;
 }
 
-static xmlSecTransformKlass xmlSecNssAes192CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,          /* xmlSecSize objSize */
-
-    xmlSecNameAes192Cbc,                       /* const xmlChar* name; */
-    xmlSecHrefAes192Cbc,                       /* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize,            /* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,              /* xmlSecTransformFinalizeMethod finalize; */
-    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
-    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,             /* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,                /* xmlSecTransformSetKeyMethod setKey; */
-    NULL,                                      /* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
-    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,               /* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
-};
-
 /**
- * xmlSecNssTransformAes192CbcGetKlass:
- * 
- * AES 192 CBC encryption transform klass.
- * 
- * Returns pointer to AES 192 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes192CbcGetKlass(void) {
-    return(&xmlSecNssAes192CbcKlass);
+ * xmlSecNssTransformAes192CbcGetKlass
+ *
+ * Get the AES192_CBC transform klass
+ *
+ * Return AES192_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes192CbcGetKlass( void ) {
+       return ( &xmlSecNssAes192CbcKlass ) ;
 }
 
-static xmlSecTransformKlass xmlSecNssAes256CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,          /* xmlSecSize objSize */
-
-    xmlSecNameAes256Cbc,                       /* const xmlChar* name; */
-    xmlSecHrefAes256Cbc,                       /* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize,            /* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,              /* xmlSecTransformFinalizeMethod finalize; */
-    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
-    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,             /* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,                /* xmlSecTransformSetKeyMethod setKey; */
-    NULL,                                      /* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
-    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,               /* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
-};
-
 /**
- * xmlSecNssTransformAes256CbcGetKlass:
- * 
- * AES 256 CBC encryption transform klass.
- * 
- * Returns pointer to AES 256 CBC encryption transform.
- */ 
-xmlSecTransformId 
-xmlSecNssTransformAes256CbcGetKlass(void) {
-    return(&xmlSecNssAes256CbcKlass);
+ * xmlSecNssTransformAes256CbcGetKlass
+ *
+ * Get the AES256_CBC transform klass
+ *
+ * Return AES256_CBC transform klass
+ */
+xmlSecTransformId
+xmlSecNssTransformAes256CbcGetKlass( void ) {
+       return ( &xmlSecNssAes256CbcKlass ) ;
 }
 
-#endif /* XMLSEC_NO_AES */
-
-#ifndef XMLSEC_NO_DES
-static xmlSecTransformKlass xmlSecNssDes3CbcKlass = {
-    /* klass/object sizes */
-    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
-    xmlSecNssBlockCipherSize,          /* xmlSecSize objSize */
-
-    xmlSecNameDes3Cbc,                         /* const xmlChar* name; */
-    xmlSecHrefDes3Cbc,                                 /* const xmlChar* href; */
-    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
-
-    xmlSecNssBlockCipherInitialize,            /* xmlSecTransformInitializeMethod initialize; */
-    xmlSecNssBlockCipherFinalize,              /* xmlSecTransformFinalizeMethod finalize; */
-    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
-    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
-    xmlSecNssBlockCipherSetKeyReq,             /* xmlSecTransformSetKeyMethod setKeyReq; */
-    xmlSecNssBlockCipherSetKey,                /* xmlSecTransformSetKeyMethod setKey; */
-    NULL,                                      /* xmlSecTransformValidateMethod validate; */
-    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
-    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
-    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
-    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
-    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
-    xmlSecNssBlockCipherExecute,               /* xmlSecTransformExecuteMethod execute; */
-    
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
-};
-
-/** 
- * xmlSecNssTransformDes3CbcGetKlass:
+/**
+ * xmlSecNssTransformDes3CbcGetKlass
  *
- * Triple DES CBC encryption transform klass.
- * 
- * Returns pointer to Triple DES encryption transform.
+ * Get the DES3_CBC transform klass
+ *
+ * Return DES3_CBC transform klass
  */
-xmlSecTransformId 
-xmlSecNssTransformDes3CbcGetKlass(void) {
-    return(&xmlSecNssDes3CbcKlass);
+xmlSecTransformId
+xmlSecNssTransformDes3CbcGetKlass( void ) {
+       return ( &xmlSecNssDes3CbcKlass ) ;
 }
-#endif /* XMLSEC_NO_DES */
+
 
--- misc/xmlsec1-1.2.6/src/nss/crypto.c 2003-10-29 16:57:25.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/src/nss/crypto.c   2008-06-29 23:44:19.000000000 +0200
@@ -130,6 +130,7 @@
     /**
      * High level routines form xmlsec command line utility
      */ 
+/*
     gXmlSecNssFunctions->cryptoAppInit                         = xmlSecNssAppInit;
     gXmlSecNssFunctions->cryptoAppShutdown             = xmlSecNssAppShutdown;
     gXmlSecNssFunctions->cryptoAppDefaultKeysMngrInit  = xmlSecNssAppDefaultKeysMngrInit;
@@ -143,10 +144,29 @@
     gXmlSecNssFunctions->cryptoAppPkcs12LoadMemory     = xmlSecNssAppPkcs12LoadMemory; 
     gXmlSecNssFunctions->cryptoAppKeyCertLoad          = xmlSecNssAppKeyCertLoad;
     gXmlSecNssFunctions->cryptoAppKeyCertLoadMemory    = xmlSecNssAppKeyCertLoadMemory;
-#endif /* XMLSEC_NO_X509 */
+#endif
     gXmlSecNssFunctions->cryptoAppKeyLoad              = xmlSecNssAppKeyLoad; 
     gXmlSecNssFunctions->cryptoAppKeyLoadMemory                = xmlSecNssAppKeyLoadMemory; 
     gXmlSecNssFunctions->cryptoAppDefaultPwdCallback   = (void*)xmlSecNssAppGetDefaultPwdCallback;
+*/
+
+    gXmlSecNssFunctions->cryptoAppInit                         = NULL ;
+    gXmlSecNssFunctions->cryptoAppShutdown             = NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrInit  = NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrAdoptKey      = NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrLoad  = NULL ;
+    gXmlSecNssFunctions->cryptoAppDefaultKeysMngrSave  = NULL ;
+#ifndef XMLSEC_NO_X509
+    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoad     = NULL ;
+    gXmlSecNssFunctions->cryptoAppKeysMngrCertLoadMemory= NULL ;
+    gXmlSecNssFunctions->cryptoAppPkcs12Load           = NULL ; 
+    gXmlSecNssFunctions->cryptoAppPkcs12LoadMemory     = NULL ; 
+    gXmlSecNssFunctions->cryptoAppKeyCertLoad          = NULL ;
+    gXmlSecNssFunctions->cryptoAppKeyCertLoadMemory    = NULL ;
+#endif /* XMLSEC_NO_X509 */
+    gXmlSecNssFunctions->cryptoAppKeyLoad              = NULL ; 
+    gXmlSecNssFunctions->cryptoAppKeyLoadMemory                = NULL ; 
+    gXmlSecNssFunctions->cryptoAppDefaultPwdCallback   = (void*)NULL ;
 
     return(gXmlSecNssFunctions);
 }
--- misc/xmlsec1-1.2.6/src/nss/digests.c        2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/digests.c  2008-06-29 23:44:19.000000000 +0200
@@ -21,7 +21,6 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
 
 #define XMLSEC_NSS_MAX_DIGEST_SIZE             32
@@ -107,7 +106,7 @@
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                    "SECOID_FindOIDByTag",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(-1);
     }
     
@@ -117,7 +116,7 @@
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                    "PK11_CreateDigestContext",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(-1);
     }
        
@@ -208,7 +207,7 @@
                        xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                        "PK11_DigestBegin",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
        }
        transform->status = xmlSecTransformStatusWorking;
@@ -225,7 +224,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "PK11_DigestOp",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
            
@@ -246,7 +245,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "PK11_DigestFinal",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
            xmlSecAssert2(ctx->dgstSize > 0, -1);
@@ -285,7 +284,11 @@
  * SHA1 Digest transforms
  *
  *****************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssDigestSize,                       /* xmlSecSize objSize */
--- misc/xmlsec1-1.2.6/src/nss/hmac.c   2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/hmac.c     2008-06-29 23:44:19.000000000 +0200
@@ -23,8 +23,8 @@
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
-#include <xmlsec/nss/app.h>
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/tokens.h>
 
 #define XMLSEC_NSS_MAX_HMAC_SIZE               128
 
@@ -241,13 +241,13 @@
     keyItem.data = xmlSecBufferGetData(buffer);
     keyItem.len  = xmlSecBufferGetSize(buffer); 
 
-    slot = PK11_GetBestSlot(ctx->digestType, NULL);
+    slot = xmlSecNssSlotGet(ctx->digestType);
     if(slot == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE, 
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
-                   "PK11_GetBestSlot",
+                   "xmlSecNssSlotGet",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(-1);
     }
        
@@ -258,7 +258,7 @@
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                    "PK11_ImportSymKey",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
         PK11_FreeSlot(slot);
        return(-1);
     }
@@ -269,7 +269,7 @@
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                    "PK11_CreateContextBySymKey",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        PK11_FreeSymKey(symKey);
         PK11_FreeSlot(slot);
        return(-1);
@@ -368,7 +368,7 @@
                        xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                        "PK11_DigestBegin",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
        }
        transform->status = xmlSecTransformStatusWorking;
@@ -385,7 +385,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "PK11_DigestOp",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
            
@@ -408,7 +408,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "PK11_DigestFinal",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
            xmlSecAssert2(dgstSize > 0, -1);
@@ -459,7 +459,11 @@
 /** 
  * HMAC SHA1
  */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssHmacSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssHmacSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssHmacSize,                         /* xmlSecSize objSize */
@@ -501,7 +505,11 @@
 /** 
  * HMAC Ripemd160
  */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssHmacRipemd160Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssHmacRipemd160Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssHmacSize,                         /* xmlSecSize objSize */
@@ -543,7 +551,11 @@
 /** 
  * HMAC Md5
  */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssHmacMd5Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssHmacMd5Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssHmacSize,                         /* xmlSecSize objSize */
--- misc/xmlsec1-1.2.6/src/nss/keysstore.c      2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/keysstore.c        2008-06-29 23:44:19.000000000 +0200
@@ -1,119 +1,522 @@
 /** 
  * XMLSec library
  * 
- * Nss keys store that uses Simple Keys Store under the hood. Uses the
- * Nss DB as a backing store for the finding keys, but the NSS DB is
- * not written to by the keys store.
- * So, if store->findkey is done and the key is not found in the simple
- * keys store, the NSS DB is looked up.
- * If store is called to adopt a key, that key is not written to the NSS
- * DB.
- * Thus, the NSS DB can be used to pre-load keys and becomes an alternate 
- * source of keys for xmlsec
- * 
  * This is free software; see Copyright file in the source
  * distribution for precise wording.
  * 
- * Copyright (c) 2003 America Online, Inc.  All rights reserved.
+ * Copyright................................
  */
-#include "globals.h"
 
-#include <stdlib.h>
+/**
+ * NSS key store uses a key list and a slot list as the key repository. NSS slot
+ * list is a backup repository for the finding keys. If a key is not found from
+ * the key list, the NSS slot list is looked up.
+ *
+ * Any key in the key list will not save to pkcs11 slot. When a store to called
+ * to adopt a key, the key is resident in the key list; While a store to called
+ * to set a is resident in the key list; While a store to called to set a slot 
+ * list, which means that the keys in the listed slot can be used for xml sign-
+ * nature or encryption.
+ *
+ * Then, a user can adjust slot list to effect the crypto behaviors of xmlSec.
+ *
+ * The framework will decrease the user interfaces to administrate xmlSec crypto
+ * engine. He can only focus on NSS layer functions. For examples, after the
+ * user set up a slot list handler to the keys store, he do not need to do any
+ * other work atop xmlSec interfaces, his action on the slot list handler, such
+ * as add a token to, delete a token from the list, will directly effect the key
+ * store behaviors.
+ *
+ * For example, a scenariio:
+ * 0. Create a slot list;( NSS interfaces )
+ * 1. Create a keys store;( xmlSec interfaces )
+ * 2. Set slot list with the keys store;( xmlSec Interfaces )
+ * 3. Add a slot to the slot list;( NSS interfaces )
+ * 4. Perform xml signature; ( xmlSec Interfaces )
+ * 5. Deleter a slot from the slot list;( NSS interfaces )
+ * 6. Perform xml encryption; ( xmlSec Interfaces )
+ * 7. Perform xml signature;( xmlSec Interfaces )
+ * 8. Destroy the keys store;( xmlSec Interfaces )
+ * 8. Destroy the slot list.( NSS Interfaces )
+ */
+
+#include "globals.h"
 #include <string.h>
 
-#include <nss.h> 
-#include <cert.h> 
-#include <pk11func.h> 
-#include <keyhi.h> 
+#include <nss.h>
+#include <pk11func.h>
+#include <prinit.h>
+#include <keyhi.h>
 
-#include <libxml/tree.h> 
 
 #include <xmlsec/xmlsec.h>
-#include <xmlsec/buffer.h>
-#include <xmlsec/base64.h>
-#include <xmlsec/errors.h>
-#include <xmlsec/xmltree.h>
-
+#include <xmlsec/keys.h>
 #include <xmlsec/keysmngr.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/keysstore.h>
-#include <xmlsec/nss/x509.h>
+#include <xmlsec/nss/tokens.h>
+#include <xmlsec/nss/ciphers.h>
 #include <xmlsec/nss/pkikeys.h>
 
-/****************************************************************************
+/**
+ * Internal NSS key store context
  *
- * Nss Keys Store. Uses Simple Keys Store under the hood
- * 
- * Simple Keys Store ptr is located after xmlSecKeyStore
+ * This context is located after xmlSecKeyStore
+ */
+typedef struct _xmlSecNssKeysStoreCtx  xmlSecNssKeysStoreCtx ;
+typedef struct _xmlSecNssKeysStoreCtx* xmlSecNssKeysStoreCtxPtr ;
+
+struct _xmlSecNssKeysStoreCtx {
+       xmlSecPtrListPtr                keyList ;
+       xmlSecPtrListPtr                slotList ;
+} ;
+
+#define xmlSecNssKeysStoreSize \
+       ( sizeof( xmlSecKeyStore ) + sizeof( xmlSecNssKeysStoreCtx ) )
+
+#define xmlSecNssKeysStoreGetCtx( data ) \
+       ( ( xmlSecNssKeysStoreCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyStore ) ) )
+
+int xmlSecNssKeysStoreAdoptKeySlot(
+       xmlSecKeyStorePtr               store ,
+       xmlSecNssKeySlotPtr             keySlot
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->slotList == NULL ) {
+               if( ( context->slotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->slotList , xmlSecNssKeySlotListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->slotList , keySlot ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       return 0 ;
+}
+
+int xmlSecNssKeysStoreAdoptKey(
+       xmlSecKeyStorePtr       store ,
+       xmlSecKeyPtr            key
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( context->keyList == NULL ) {
+               if( ( context->keyList = xmlSecPtrListCreate( xmlSecKeyPtrListId ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecPtrListCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return -1 ;
+               }
+       }
+
+       if( !xmlSecPtrListCheckId( context->keyList , xmlSecKeyPtrListId ) ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListCheckId" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       if( xmlSecPtrListAdd( context->keyList , key ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecPtrListAdd" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
+
+       return 0 ;
+}
+
+/** 
+ * xmlSecKeyStoreInitializeMethod:
+ * @store:             the store.
  *
- ***************************************************************************/
-#define xmlSecNssKeysStoreSize \
-       (sizeof(xmlSecKeyStore) + sizeof(xmlSecKeyStorePtr))
-
-#define xmlSecNssKeysStoreGetSS(store) \
-    ((xmlSecKeyStoreCheckSize((store), xmlSecNssKeysStoreSize)) ? \
-     (xmlSecKeyStorePtr*)(((xmlSecByte*)(store)) + sizeof(xmlSecKeyStore)) : \
-     (xmlSecKeyStorePtr*)NULL)
-
-static int                     xmlSecNssKeysStoreInitialize    (xmlSecKeyStorePtr store);
-static void                    xmlSecNssKeysStoreFinalize      (xmlSecKeyStorePtr store);
-static xmlSecKeyPtr            xmlSecNssKeysStoreFindKey       (xmlSecKeyStorePtr store, 
-                                                                const xmlChar* name, 
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
+ * Keys store specific initialization method.
+ *
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+static int
+xmlSecNssKeysStoreInitialize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , -1 ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;
+       }
 
-static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
-    sizeof(xmlSecKeyStoreKlass),
-    xmlSecNssKeysStoreSize,
+       context->keyList = NULL ;
+       context->slotList = NULL ;
 
-    /* data */
-    BAD_CAST "NSS-keys-store",         /* const xmlChar* name; */ 
-        
-    /* constructors/destructor */
-    xmlSecNssKeysStoreInitialize,      /* xmlSecKeyStoreInitializeMethod initialize; */
-    xmlSecNssKeysStoreFinalize,                /* xmlSecKeyStoreFinalizeMethod finalize; */
-    xmlSecNssKeysStoreFindKey,         /* xmlSecKeyStoreFindKeyMethod findKey; */
-
-    /* reserved for the future */
-    NULL,                              /* void* reserved0; */
-    NULL,                              /* void* reserved1; */
-};
+       return 0 ;
+}
 
-/**
- * xmlSecNssKeysStoreGetKlass:
- * 
- * The Nss list based keys store klass.
+/** 
+ * xmlSecKeyStoreFinalizeMethod:
+ * @store:             the store.
  *
- * Returns Nss list based keys store klass.
+ * Keys store specific finalization (destroy) method.
  */
-xmlSecKeyStoreId 
-xmlSecNssKeysStoreGetKlass(void) {
-    return(&xmlSecNssKeysStoreKlass);
+void
+xmlSecNssKeysStoreFinalize(
+       xmlSecKeyStorePtr store
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+
+       xmlSecAssert( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) ) ;
+       xmlSecAssert( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return ;
+       }
+
+       if( context->keyList != NULL ) {
+               xmlSecPtrListDestroy( context->keyList ) ;
+               context->keyList = NULL ;
+       }
+
+       if( context->slotList != NULL ) {
+               xmlSecPtrListDestroy( context->slotList ) ;
+               context->slotList = NULL ;
+       }
 }
 
-/**
- * xmlSecNssKeysStoreAdoptKey:
- * @store:             the pointer to Nss keys store.
- * @key:               the pointer to key.
- * 
- * Adds @key to the @store. 
+xmlSecKeyPtr
+xmlSecNssKeysStoreFindKeyFromSlot(
+       PK11SlotInfo* slot,
+       const xmlChar* name,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+       xmlSecKeyPtr            key = NULL ;
+       xmlSecKeyDataPtr        data = NULL ;
+       int                                     length ;
+
+       xmlSecAssert2( slot != NULL , NULL ) ;
+       xmlSecAssert2( name != NULL , NULL ) ;
+       xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+       if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSymmetric ) == xmlSecKeyDataTypeSymmetric ) {
+               PK11SymKey*                     symKey ;
+               PK11SymKey*                     curKey ;
+
+               /* Find symmetric key from the slot by name */
+               symKey = PK11_ListFixedKeysInSlot( slot , ( char* )name , NULL ) ;
+               for( curKey = symKey ; curKey != NULL ; curKey = PK11_GetNextSymKey( curKey ) ) {
+                       /* Check the key request */
+                       length = PK11_GetKeyLength( curKey ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       data = xmlSecNssSymKeyDataKeyAdopt( curKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+                       break ;
+               }
+
+               /* Destroy the sym key list */
+               for( curKey = symKey ; curKey != NULL ; ) {
+                       symKey = curKey ;
+                       curKey = PK11_GetNextSymKey( symKey ) ;
+                       PK11_FreeSymKey( symKey ) ;
+               }
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+               SECKEYPublicKeyList*            pubKeyList ;
+               SECKEYPublicKey*                        pubKey ;
+               SECKEYPublicKeyListNode*        curPub ;
+
+               /* Find asymmetric key from the slot by name */
+               pubKeyList = PK11_ListPublicKeysInSlot( slot , ( char* )name ) ;
+               pubKey = NULL ;
+               curPub = PUBKEY_LIST_HEAD(pubKeyList);
+               for( ; !PUBKEY_LIST_END(curPub, pubKeyList) ; curPub = PUBKEY_LIST_NEXT( curPub ) ) {
+                       /* Check the key request */
+                       length = SECKEY_PublicKeyStrength( curPub->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       pubKey = curPub->key ;
+                       break ;
+               }
+
+               if( pubKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( NULL, pubKey ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the public key list */
+               SECKEY_DestroyPublicKeyList( pubKeyList ) ;
+       } else if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+               SECKEYPrivateKeyList*           priKeyList = NULL ;
+               SECKEYPrivateKey*                       priKey = NULL ;
+               SECKEYPrivateKeyListNode*       curPri ;
+
+               /* Find asymmetric key from the slot by name */
+               priKeyList = PK11_ListPrivKeysInSlot( slot , ( char* )name , NULL ) ;
+               priKey = NULL ;
+               curPri = PRIVKEY_LIST_HEAD(priKeyList);
+               for( ; !PRIVKEY_LIST_END(curPri, priKeyList) ; curPri = PRIVKEY_LIST_NEXT( curPri ) ) {
+                       /* Check the key request */
+                       length = PK11_SignatureLen( curPri->key ) ;
+                       length *= 8 ;
+                       if( ( keyInfoCtx->keyReq.keyBitsSize > 0 ) &&
+                               ( length > 0 ) &&
+                               ( length < keyInfoCtx->keyReq.keyBitsSize ) )
+                               continue ;
+
+                       /* We find a eligible key */
+                       priKey = curPri->key ;
+                       break ;
+               }
+
+               if( priKey != NULL ) {
+                       data = xmlSecNssPKIAdoptKey( priKey, NULL ) ;
+                       if( data == NULL ) {
+                               /* Do nothing */
+                       }
+               }
+
+               /* Destroy the private key list */
+               SECKEY_DestroyPrivateKeyList( priKeyList ) ;
+       }
+
+       /* If we have gotten the key value */
+       if( data != NULL ) {
+               if( ( key = xmlSecKeyCreate() ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeyCreate" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+
+               if( xmlSecKeySetValue( key , data ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecKeySetValue" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       xmlSecKeyDestroy( key ) ;
+                       xmlSecKeyDataDestroy( data ) ;
+                       return NULL ;
+               }
+       }
+
+       return(key);
+}
+
+/** 
+ * xmlSecKeyStoreFindKeyMethod:
+ * @store:             the store.
+ * @name:              the desired key name.
+ * @keyInfoCtx:        the pointer to key info context.
  *
- * Returns 0 on success or a negative value if an error occurs.
+ * Keys store specific find method. The caller is responsible for destroying 
+ * the returned key using #xmlSecKeyDestroy method.
+ *
+ * Returns the pointer to a key or NULL if key is not found or an error occurs.
  */
-int 
-xmlSecNssKeysStoreAdoptKey(xmlSecKeyStorePtr store, xmlSecKeyPtr key) {
-    xmlSecKeyStorePtr *ss;
-    
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((key != NULL), -1);
+static xmlSecKeyPtr
+xmlSecNssKeysStoreFindKey(
+       xmlSecKeyStorePtr store ,
+       const xmlChar* name ,
+       xmlSecKeyInfoCtxPtr keyInfoCtx
+) {
+       xmlSecNssKeysStoreCtxPtr context = NULL ;
+       xmlSecKeyPtr    key = NULL ;
+       xmlSecNssKeySlotPtr     keySlot = NULL ;
+       xmlSecSize              pos ;
+       xmlSecSize              size ;
+
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ) , NULL ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ) , NULL ) ;
+       xmlSecAssert2( keyInfoCtx != NULL , NULL ) ;
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                       "xmlSecNssKeysStoreGetCtx" ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return NULL ;
+       }
+
+       /*-
+        * Look for key at keyList at first.
+        */
+       if( context->keyList != NULL ) {
+               size = xmlSecPtrListGetSize( context->keyList ) ;
+               for( pos = 0 ; pos < size ; pos ++ ) {
+                       key = ( xmlSecKeyPtr )xmlSecPtrListGetItem( context->keyList , pos ) ;
+                       if( key != NULL && xmlSecKeyMatch( key , name , &( keyInfoCtx->keyReq ) ) ) {
+                               return xmlSecKeyDuplicate( key ) ;
+                       }
+               }
+       }
+
+       /*-
+        * Find the key from slotList
+        */
+       if( context->slotList != NULL ) {
+               PK11SlotInfo*                   slot = NULL ;
+
+               size = xmlSecPtrListGetSize( context->slotList ) ;
+               for( pos = 0 ; pos < size ; pos ++ ) {
+                       keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( context->slotList , pos ) ;
+                       slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+                       if( slot == NULL ) {
+                               continue ;
+                       } else {
+                               key = xmlSecNssKeysStoreFindKeyFromSlot( slot, name, keyInfoCtx ) ;
+                               if( key == NULL ) {
+                                       continue ;
+                               } else {
+                                       return( key ) ;
+                               }
+                       }
+               }
+       }
+
+       /*-
+        * Create a session key if we can not find the key from keyList and slotList
+        */
+       if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypeSession ) == xmlSecKeyDataTypeSession ) {
+               key = xmlSecKeyGenerate( keyInfoCtx->keyReq.keyId , keyInfoCtx->keyReq.keyBitsSize , xmlSecKeyDataTypeSession ) ;
+               if( key == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               xmlSecErrorsSafeString( xmlSecKeyStoreGetName( store ) ) ,
+                               "xmlSecKeySetValue" ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return NULL ;
+               }
+
+               return key ;
+       }
+
+       /**
+        * We have no way to find the key any more.
+        */
+       return NULL ;
+}
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-                  (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
+#else
+static xmlSecKeyStoreKlass xmlSecNssKeysStoreKlass = {
+#endif
+       sizeof( xmlSecKeyStoreKlass ) ,
+       xmlSecNssKeysStoreSize ,
+       BAD_CAST "implicit_nss_keys_store" ,
+       xmlSecNssKeysStoreInitialize ,
+       xmlSecNssKeysStoreFinalize ,
+       xmlSecNssKeysStoreFindKey ,
+       NULL ,
+       NULL
+} ;
 
-    return (xmlSecSimpleKeysStoreAdoptKey(*ss, key));
+/**
+ * xmlSecNssKeysStoreGetKlass:
+ * 
+ * The simple list based keys store klass.
+ *
+ * Returns simple list based keys store klass.
+ */
+xmlSecKeyStoreId 
+xmlSecNssKeysStoreGetKlass( void ) {
+    return &xmlSecNssKeysStoreKlass ;
 }
 
+
+/**************************
+ * Application routines
+ */
 /** 
  * xmlSecNssKeysStoreLoad:
  * @store:             the pointer to Nss keys store.
@@ -125,8 +528,11 @@
  * Returns 0 on success or a negative value if an error occurs.
  */
 int
-xmlSecNssKeysStoreLoad(xmlSecKeyStorePtr store, const char *uri, 
-                           xmlSecKeysMngrPtr keysMngr) {
+xmlSecNssKeysStoreLoad(
+       xmlSecKeyStorePtr store,
+       const char *uri, 
+       xmlSecKeysMngrPtr keysMngr
+) {
     xmlDocPtr doc;
     xmlNodePtr root;
     xmlNodePtr cur;
@@ -252,254 +658,147 @@
  */
 int
 xmlSecNssKeysStoreSave(xmlSecKeyStorePtr store, const char *filename, xmlSecKeyDataType type) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
-    xmlSecAssert2((filename != NULL), -1);    
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL) && 
-                  (xmlSecKeyStoreCheckId(*ss, xmlSecSimpleKeysStoreId))), -1);
-
-    return (xmlSecSimpleKeysStoreSave(*ss, filename, type));
-}
-
-static int
-xmlSecNssKeysStoreInitialize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), -1);
+    xmlSecKeyInfoCtx keyInfoCtx;
+       xmlSecNssKeysStoreCtxPtr context ;
+    xmlSecPtrListPtr list;
+    xmlSecKeyPtr key;
+    xmlSecSize i, keysSize;    
+    xmlDocPtr doc;
+    xmlNodePtr cur;
+    xmlSecKeyDataPtr data;
+    xmlSecPtrListPtr idsList;
+    xmlSecKeyDataId dataId;
+    xmlSecSize idsSize, j;
+    int ret;
 
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2((*ss == NULL), -1);
+       xmlSecAssert2( xmlSecKeyStoreCheckId( store , xmlSecNssKeysStoreId ), -1 ) ;
+       xmlSecAssert2( xmlSecKeyStoreCheckSize( store , xmlSecNssKeysStoreSize ), -1 ) ;
+    xmlSecAssert2(filename != NULL, -1);    
+
+       context = xmlSecNssKeysStoreGetCtx( store ) ;
+       xmlSecAssert2( context != NULL, -1 );
+
+    list = context->keyList ;
+       xmlSecAssert2( list != NULL, -1 );
+    xmlSecAssert2(xmlSecPtrListCheckId(list, xmlSecKeyPtrListId), -1);
 
-    *ss = xmlSecKeyStoreCreate(xmlSecSimpleKeysStoreId);
-    if(*ss == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
+    /* create doc */
+    doc = xmlSecCreateTree(BAD_CAST "Keys", xmlSecNs);
+    if(doc == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-                   "xmlSecKeyStoreCreate",
+                   "xmlSecCreateTree",
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "xmlSecSimpleKeysStoreId");
-       return(-1);
+                   XMLSEC_ERRORS_NO_MESSAGE);
+               return(-1);
     }
-
-    return(0);    
-}
-
-static void
-xmlSecNssKeysStoreFinalize(xmlSecKeyStorePtr store) {
-    xmlSecKeyStorePtr *ss;
-    
-    xmlSecAssert(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId));
-    
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert((ss != NULL) && (*ss != NULL));
     
-    xmlSecKeyStoreDestroy(*ss);
-}
-
-static xmlSecKeyPtr 
-xmlSecNssKeysStoreFindKey(xmlSecKeyStorePtr store, const xmlChar* name, 
-                         xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyStorePtr* ss;
-    xmlSecKeyPtr key = NULL;
-    xmlSecKeyPtr retval = NULL;
-    xmlSecKeyReqPtr keyReq = NULL;
-    CERTCertificate *cert = NULL;
-    SECKEYPublicKey *pubkey = NULL;
-    SECKEYPrivateKey *privkey = NULL;
-    xmlSecKeyDataPtr data = NULL;
-    xmlSecKeyDataPtr x509Data = NULL;
-    int ret;
-
-    xmlSecAssert2(xmlSecKeyStoreCheckId(store, xmlSecNssKeysStoreId), NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
-
-    ss = xmlSecNssKeysStoreGetSS(store);
-    xmlSecAssert2(((ss != NULL) && (*ss != NULL)), NULL);
-
-    key = xmlSecKeyStoreFindKey(*ss, name, keyInfoCtx);
-    if (key != NULL) {
-       return (key);
-    }
+    idsList = xmlSecKeyDataIdsGet();   
+    xmlSecAssert2(idsList != NULL, -1);
+       
+    keysSize = xmlSecPtrListGetSize(list);
+    idsSize = xmlSecPtrListGetSize(idsList);
+    for(i = 0; i < keysSize; ++i) {
+       key = (xmlSecKeyPtr)xmlSecPtrListGetItem(list, i);
+       xmlSecAssert2(key != NULL, -1);
+           
+    cur = xmlSecAddChild(xmlDocGetRootElement(doc), xmlSecNodeKeyInfo, xmlSecDSigNs);
+       if(cur == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                       xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                       "xmlSecAddChild",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       "node=%s",
+                       xmlSecErrorsSafeString(xmlSecNodeKeyInfo));
+           xmlFreeDoc(doc); 
+           return(-1);
+       }
 
-    /* Try to find the key in the NSS DB, and construct an xmlSecKey.
-     * we must have a name to lookup keys in NSS DB.
-     */
-    if (name == NULL) {
-       goto done;
-    }
+       /* special data key name */
+       if(xmlSecKeyGetName(key) != NULL) {
+       if(xmlSecAddChild(cur, xmlSecNodeKeyName, xmlSecDSigNs) == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                           "xmlSecAddChild",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           "node=%s",
+                           xmlSecErrorsSafeString(xmlSecNodeKeyName));
+                       xmlFreeDoc(doc); 
+                       return(-1);
+           }
+       }
+    
+       /* create nodes for other keys data */
+       for(j = 0; j < idsSize; ++j) {
+           dataId = (xmlSecKeyDataId)xmlSecPtrListGetItem(idsList, j);
+           xmlSecAssert2(dataId != xmlSecKeyDataIdUnknown, -1);
 
-    /* what type of key are we looking for? 
-     * TBD: For now, we'll look only for public/private keys using the
-     * name as a cert nickname. Later on, we can attempt to find
-     * symmetric keys using PK11_FindFixedKey 
-     */
-    keyReq = &(keyInfoCtx->keyReq);
-    if (keyReq->keyType & 
-       (xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate)) {
-       cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB(), (char *)name);
-       if (cert == NULL) {
-           goto done;
-       }
-
-       if (keyReq->keyType & xmlSecKeyDataTypePublic) {
-           pubkey = CERT_ExtractPublicKey(cert);
-           if (pubkey == NULL) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           NULL,
-                           "CERT_ExtractPublicKey",
-                           XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               goto done;
+           if(dataId->dataNodeName == NULL) {
+                       continue;
+           }
+           
+           data = xmlSecKeyGetData(key, dataId);
+           if(data == NULL) {
+                       continue;
            }
-       } 
 
-       if (keyReq->keyType & xmlSecKeyDataTypePrivate) { 
-           privkey = PK11_FindKeyByAnyCert(cert, NULL);
-           if (privkey == NULL) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           NULL,
-                           "PK11_FindKeyByAnyCert",
-                           XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               goto done;
+           if(xmlSecAddChild(cur, dataId->dataNodeName, dataId->dataNodeNs) == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                           "xmlSecAddChild",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           "node=%s", 
+                           xmlSecErrorsSafeString(dataId->dataNodeName));
+                       xmlFreeDoc(doc); 
+               return(-1);
            }
        }
 
-       data = xmlSecNssPKIAdoptKey(privkey, pubkey);
-       if(data == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecNssPKIAdoptKey",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }    
-       privkey = NULL;
-       pubkey = NULL;
-
-        key = xmlSecKeyCreate();
-        if (key == NULL) {
+    ret = xmlSecKeyInfoCtxInitialize(&keyInfoCtx, NULL);
+       if(ret < 0) {
            xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeyCreate",
+                       xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                       "xmlSecKeyInfoCtxInitialize",
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
                        XMLSEC_ERRORS_NO_MESSAGE);
-           return (NULL);
-        }
-
-       x509Data = xmlSecKeyDataCreate(xmlSecNssKeyDataX509Id);
-       if(x509Data == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeyDataCreate",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "transform=%s",
-                       xmlSecErrorsSafeString(xmlSecTransformKlassGetName(xmlSecNssKeyDataX509Id)));
-           goto done;
-       }
-
-       ret = xmlSecNssKeyDataX509AdoptKeyCert(x509Data, cert);
-       if (ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecNssKeyDataX509AdoptKeyCert",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "data=%s",
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-           goto done;
-       }
-       cert = CERT_DupCertificate(cert);
-       if (cert == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "CERT_DupCertificate",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       "data=%s",
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-           goto done;
-       }
-
-       ret = xmlSecNssKeyDataX509AdoptCert(x509Data, cert);
-       if (ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecNssKeyDataX509AdoptCert",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "data=%s",
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-           goto done;
+           xmlFreeDoc(doc);
+           return(-1);
        }
-       cert = NULL;
 
-       ret = xmlSecKeySetValue(key, data);
-       if (ret < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeySetValue",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "data=%s", 
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)));
-           goto done;
-       }
-       data = NULL;
+       keyInfoCtx.mode                 = xmlSecKeyInfoModeWrite;
+    keyInfoCtx.keyReq.keyId            = xmlSecKeyDataIdUnknown;
+       keyInfoCtx.keyReq.keyType       = type;
+       keyInfoCtx.keyReq.keyUsage      = xmlSecKeyDataUsageAny;
 
-       ret = xmlSecKeyAdoptData(key, x509Data);
-       if (ret < 0) {
+       /* finally write key in the node */
+       ret = xmlSecKeyInfoNodeWrite(cur, key, &keyInfoCtx);
+       if(ret < 0) {
            xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeyAdoptData",
+                       xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                       "xmlSecKeyInfoNodeWrite",
                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "data=%s",
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(x509Data)));
-           goto done;
-       }
-       x509Data = NULL;
-
-       retval = key;
-       key = NULL;
-    }
-
-done:
-    if (cert != NULL) {
-       CERT_DestroyCertificate(cert);
-    }
-    if (pubkey != NULL) {
-       SECKEY_DestroyPublicKey(pubkey);
-    }
-    if (privkey != NULL) {
-       SECKEY_DestroyPrivateKey(privkey);
-    }
-    if (data != NULL) {
-       xmlSecKeyDataDestroy(data);
-    }
-    if (x509Data != NULL) {
-       xmlSecKeyDataDestroy(x509Data);
-    }
-    if (key != NULL) {
-       xmlSecKeyDestroy(key);
+                       XMLSEC_ERRORS_NO_MESSAGE);
+           xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
+           xmlFreeDoc(doc); 
+           return(-1);
+       }               
+       xmlSecKeyInfoCtxFinalize(&keyInfoCtx);
     }
-
-    /* now that we have a key, make sure it is valid and let the simple
-     * store adopt it */
-    if (retval) {
-       if (xmlSecKeyIsValid(retval)) {
-           ret = xmlSecSimpleKeysStoreAdoptKey(*ss, retval);
-           if (ret < 0) {
+    
+    /* now write result */
+    ret = xmlSaveFormatFile(filename, doc, 1);
+    if(ret < 0) {
                xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
-                           "xmlSecSimpleKeysStoreAdoptKey",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
-               xmlSecKeyDestroy(retval);
-               retval = NULL;
-           }
-        } else {
-           xmlSecKeyDestroy(retval);
-           retval = NULL;
-       }
-    }
-
-    return (retval);
+                   xmlSecErrorsSafeString(xmlSecKeyStoreGetName(store)),
+                   "xmlSaveFormatFile",
+                   XMLSEC_ERRORS_R_XML_FAILED,
+                   "filename=%s", 
+                   xmlSecErrorsSafeString(filename));
+               xmlFreeDoc(doc); 
+               return(-1);
+    }     
+    
+    xmlFreeDoc(doc);
+    return(0);
 }
+
--- misc/xmlsec1-1.2.6/src/nss/keytrans.c       2008-06-29 23:44:39.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/keytrans.c 2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,752 @@
-dummy
+/** 
+ *
+ * XMLSec library
+ * 
+ * AES Algorithm support
+ * 
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright .................................
+ */
+#include "globals.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+#include <keyhi.h>
+#include <key.h>
+#include <hasht.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/tokens.h>
+
+/*********************************************************************
+ *
+ * key transform transforms
+ *
+ ********************************************************************/
+typedef struct _xmlSecNssKeyTransportCtx                       xmlSecNssKeyTransportCtx ;
+typedef struct _xmlSecNssKeyTransportCtx*              xmlSecNssKeyTransportCtxPtr ;
+
+#define xmlSecNssKeyTransportSize      \
+       ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyTransportCtx ) )
+
+#define xmlSecNssKeyTransportGetCtx( transform ) \
+       ( ( xmlSecNssKeyTransportCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+struct _xmlSecNssKeyTransportCtx {
+       CK_MECHANISM_TYPE               cipher ;
+       SECKEYPublicKey*                pubkey ;
+       SECKEYPrivateKey*               prikey ;
+       xmlSecKeyDataId                 keyId ;
+       xmlSecBufferPtr                 material ; /* to be encrypted/decrypted material */
+} ;
+
+static int             xmlSecNssKeyTransportInitialize(xmlSecTransformPtr transform);
+static void    xmlSecNssKeyTransportFinalize(xmlSecTransformPtr transform);
+static int     xmlSecNssKeyTransportSetKeyReq(xmlSecTransformPtr transform, 
+                                                        xmlSecKeyReqPtr keyReq);
+static int     xmlSecNssKeyTransportSetKey(xmlSecTransformPtr transform, 
+                                                        xmlSecKeyPtr key);
+static int     xmlSecNssKeyTransportExecute(xmlSecTransformPtr transform, 
+                                                        int last,
+                                                        xmlSecTransformCtxPtr transformCtx);
+static xmlSecSize      xmlSecNssKeyTransportGetKeySize(xmlSecTransformPtr transform);
+
+static int
+xmlSecNssKeyTransportCheckId(
+       xmlSecTransformPtr transform
+) {
+       #ifndef XMLSEC_NO_RSA
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformRsaPkcs1Id ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformRsaOaepId ) ) {
+
+               return(1);
+    }
+       #endif /* XMLSEC_NO_RSA */
+    
+    return(0);
+}
+
+static int 
+xmlSecNssKeyTransportInitialize(xmlSecTransformPtr transform) {
+       xmlSecNssKeyTransportCtxPtr context ;
+    int ret;
+    
+    xmlSecAssert2(xmlSecNssKeyTransportCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyTransportSize), -1);
+    
+       context = xmlSecNssKeyTransportGetCtx( transform ) ;
+       xmlSecAssert2( context != NULL , -1 ) ;
+
+       #ifndef XMLSEC_NO_RSA
+       if( transform->id == xmlSecNssTransformRsaPkcs1Id ) {
+               context->cipher = CKM_RSA_PKCS ;
+               context->keyId = xmlSecNssKeyDataRsaId ;
+       } else if( transform->id == xmlSecNssTransformRsaOaepId ) {
+               context->cipher = CKM_RSA_PKCS_OAEP ;
+               context->keyId = xmlSecNssKeyDataRsaId ;
+       } else
+       #endif          /* XMLSEC_NO_RSA */
+
+       if( 1 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+                   NULL ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       context->pubkey = NULL ;
+       context->prikey = NULL ;
+       context->material = NULL ;
+
+    return(0);
+}
+
+static void 
+xmlSecNssKeyTransportFinalize(xmlSecTransformPtr transform) {
+       xmlSecNssKeyTransportCtxPtr context ;
+    
+    xmlSecAssert(xmlSecNssKeyTransportCheckId(transform));
+    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyTransportSize));
+    
+       context = xmlSecNssKeyTransportGetCtx( transform ) ;
+       xmlSecAssert( context != NULL ) ;
+
+       if( context->pubkey != NULL ) {
+               SECKEY_DestroyPublicKey( context->pubkey ) ;
+               context->pubkey = NULL ;
+       }
+
+       if( context->prikey != NULL ) {
+               SECKEY_DestroyPrivateKey( context->prikey ) ;
+               context->prikey = NULL ;
+       }
+
+       if( context->material != NULL ) {
+               xmlSecBufferDestroy(context->material);
+               context->material = NULL ;
+       }
+}
+
+static int  
+xmlSecNssKeyTransportSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
+       xmlSecNssKeyTransportCtxPtr context ;
+       xmlSecSize cipherSize = 0 ;
+
+    
+    xmlSecAssert2(xmlSecNssKeyTransportCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyTransportSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(keyReq != NULL, -1);
+    
+       context = xmlSecNssKeyTransportGetCtx( transform ) ;
+       xmlSecAssert2( context != NULL , -1 ) ;
+
+    keyReq->keyId       = context->keyId;
+    if(transform->operation == xmlSecTransformOperationEncrypt) {
+               keyReq->keyUsage = xmlSecKeyUsageEncrypt;
+       keyReq->keyType  = xmlSecKeyDataTypePublic;
+    } else {
+               keyReq->keyUsage = xmlSecKeyUsageDecrypt;
+       keyReq->keyType  = xmlSecKeyDataTypePrivate;
+    }
+
+    return(0);
+}
+
+static int     
+xmlSecNssKeyTransportSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
+       xmlSecNssKeyTransportCtxPtr context = NULL ;
+       xmlSecKeyDataPtr        keyData = NULL ;
+       SECKEYPublicKey*        pubkey = NULL ;
+       SECKEYPrivateKey*       prikey = NULL ;
+
+    xmlSecAssert2(xmlSecNssKeyTransportCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyTransportSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(key != NULL, -1);
+
+       context = xmlSecNssKeyTransportGetCtx( transform ) ;
+       if( context == NULL || context->keyId == NULL || context->pubkey != NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyTransportGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+       xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+       keyData = xmlSecKeyGetValue( key ) ;
+       if( keyData == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+                   "xmlSecKeyGetValue" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+    if(transform->operation == xmlSecTransformOperationEncrypt) {
+               if( ( pubkey = xmlSecNssPKIKeyDataGetPubKey( keyData ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                           xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+                           "xmlSecNssPKIKeyDataGetPubKey" ,
+                           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                           XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return(-1);    
+               }
+
+               context->pubkey = pubkey ;
+       } else {
+               if( ( prikey = xmlSecNssPKIKeyDataGetPrivKey( keyData ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                           xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+                           "xmlSecNssPKIKeyDataGetPrivKey" ,
+                           XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                           XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return(-1);    
+               }
+
+               context->prikey = prikey ;
+       }
+
+       return(0) ;
+}
+
+/**
+ * key wrap transform
+ */
+static int 
+xmlSecNssKeyTransportCtxInit(
+       xmlSecNssKeyTransportCtxPtr             ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecSize                      blockSize ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ( ctx->pubkey != NULL && encrypt ) || ( ctx->prikey != NULL && !encrypt ), -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       if( ctx->material != NULL ) {
+               xmlSecBufferDestroy( ctx->material ) ;
+               ctx->material = NULL ;
+       }
+
+       if( ctx->pubkey != NULL ) {
+               blockSize = SECKEY_PublicKeyStrength( ctx->pubkey ) ;
+       } else if( ctx->prikey != NULL ) {
+               blockSize = PK11_SignatureLen( ctx->prikey ) ;
+       } else {
+               blockSize = -1 ;
+       }
+
+       if( blockSize < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       ctx->material = xmlSecBufferCreate( blockSize ) ;
+       if( ctx->material == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferCreate" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       /* read raw key material into context */
+       if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferSetData" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       return(0);
+}
+
+/**
+ * key wrap transform update
+ */
+static int 
+xmlSecNssKeyTransportCtxUpdate(
+       xmlSecNssKeyTransportCtxPtr             ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ( ctx->pubkey != NULL && encrypt ) || ( ctx->prikey != NULL && !encrypt ), -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       /* read raw key material and append into context */
+       if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       return(0);
+}
+
+/**
+ * Block cipher transform final
+ */
+static int 
+xmlSecNssKeyTransportCtxFinal(
+       xmlSecNssKeyTransportCtxPtr             ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       SECKEYPublicKey*        targetKey ;
+       PK11SymKey*                     symKey ;
+       PK11SlotInfo*           slot ;
+       SECItem                         oriskv ;
+       xmlSecSize                      blockSize ;
+       xmlSecBufferPtr         result ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ( ctx->pubkey != NULL && encrypt ) || ( ctx->prikey != NULL && !encrypt ), -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       /* read raw key material and append into context */
+       if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       /* Now we get all of the key materail */
+       /* from now on we will wrap or unwrap the key */
+       if( ctx->pubkey != NULL ) {
+               blockSize = SECKEY_PublicKeyStrength( ctx->pubkey ) ;
+       } else if( ctx->prikey != NULL ) {
+               blockSize = PK11_SignatureLen( ctx->prikey ) ;
+       } else {
+               blockSize = -1 ;
+       }
+
+       if( blockSize < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       result = xmlSecBufferCreate( blockSize * 2 ) ;
+       if( result == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferCreate" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       oriskv.type = siBuffer ;
+       oriskv.data = xmlSecBufferGetData( ctx->material ) ;
+       oriskv.len = xmlSecBufferGetSize( ctx->material ) ;
+
+       if( encrypt != 0 ) {
+               CK_OBJECT_HANDLE        id ;
+               SECItem                         wrpskv ;
+
+               /* Create template symmetric key from material */
+               if( ( slot = ctx->pubkey->pkcs11Slot ) == NULL ) {
+                       slot = xmlSecNssSlotGet( ctx->cipher ) ;
+                       if( slot == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecNssSlotGet" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               xmlSecBufferDestroy(result);
+                               return(-1);    
+                       }
+
+                       id = PK11_ImportPublicKey( slot, ctx->pubkey, PR_FALSE ) ;
+                       if( id == CK_INVALID_HANDLE ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "PK11_ImportPublicKey" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               xmlSecBufferDestroy(result);
+                               PK11_FreeSlot( slot ) ;
+                               return(-1);    
+                       }
+               }
+
+               /* pay attention to mechanism */
+               symKey = PK11_ImportSymKey( slot, ctx->cipher, PK11_OriginUnwrap, CKA_WRAP, &oriskv, NULL ) ;
+               if( symKey == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_ImportSymKey" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy(result);
+                       PK11_FreeSlot( slot ) ;
+                       return(-1);    
+               }
+
+               wrpskv.type = siBuffer ;
+               wrpskv.data = xmlSecBufferGetData( result ) ;
+               wrpskv.len = xmlSecBufferGetMaxSize( result ) ;
+
+               if( PK11_PubWrapSymKey( ctx->cipher, ctx->pubkey, symKey, &wrpskv ) != SECSuccess ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_PubWrapSymKey" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSymKey( symKey ) ;
+                       xmlSecBufferDestroy(result);
+                       PK11_FreeSlot( slot ) ;
+                       return(-1);    
+               }
+
+               if( xmlSecBufferSetSize( result , wrpskv.len ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "xmlSecBufferSetSize" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSymKey( symKey ) ;
+                       xmlSecBufferDestroy(result);
+                       PK11_FreeSlot( slot ) ;
+                       return(-1);    
+               }
+               PK11_FreeSymKey( symKey ) ;
+               PK11_FreeSlot( slot ) ;
+       } else {
+               SECItem*                        keyItem ;
+               CK_OBJECT_HANDLE        id1 ;
+
+               /* pay attention to mechanism */
+               if( ( symKey = PK11_PubUnwrapSymKey( ctx->prikey, &oriskv, ctx->cipher, CKA_UNWRAP, 0 ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_PubUnwrapSymKey" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecBufferDestroy(result);
+                       return(-1);    
+               }
+
+               /* Extract raw data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_ExtractKeyValue" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSymKey( symKey ) ;
+                       xmlSecBufferDestroy(result);
+                       return(-1);    
+               }
+
+               if( ( keyItem = PK11_GetKeyData( symKey ) ) == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_GetKeyData" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSymKey( symKey ) ;
+                       xmlSecBufferDestroy(result);
+                       return(-1);    
+               }
+
+               if( xmlSecBufferSetData( result, keyItem->data, keyItem->len ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               "PK11_PubUnwrapSymKey" ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSymKey( symKey ) ;
+                       xmlSecBufferDestroy(result);
+                       return(-1);    
+               }
+               PK11_FreeSymKey( symKey ) ;
+       }
+
+       /* Write output */
+       if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecBufferDestroy(result);
+               return(-1);    
+       }
+       xmlSecBufferDestroy(result);
+
+       return(0);
+}
+
+static int 
+xmlSecNssKeyTransportExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
+       xmlSecNssKeyTransportCtxPtr     context = NULL ;
+       xmlSecBufferPtr                 inBuf, outBuf ; 
+       int                                             operation ;
+       int                                             rtv ;
+
+       xmlSecAssert2( xmlSecNssKeyTransportCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyTransportSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       context = xmlSecNssKeyTransportGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyTransportGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       inBuf = &( transform->inBuf ) ;
+       outBuf = &( transform->outBuf ) ;
+
+       if( transform->status == xmlSecTransformStatusNone ) {
+               transform->status = xmlSecTransformStatusWorking ;
+       }
+
+       operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+       if( transform->status == xmlSecTransformStatusWorking ) {
+               if( context->material == NULL ) {
+                       rtv = xmlSecNssKeyTransportCtxInit( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyTransportCtxInit" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+               }
+
+               if( context->material == NULL && last != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "No enough data to intialize transform" ) ;
+                       return(-1);
+               }
+
+               if( context->material != NULL ) {
+                       rtv = xmlSecNssKeyTransportCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyTransportCtxUpdate" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+               }
+               
+               if( last ) {
+                       rtv = xmlSecNssKeyTransportCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyTransportCtxFinal" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+                       transform->status = xmlSecTransformStatusFinished ;
+               }
+       } else if( transform->status == xmlSecTransformStatusFinished ) {
+               if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "status=%d", transform->status ) ;
+                       return(-1);
+               }
+       } else {
+               xmlSecError( XMLSEC_ERRORS_HERE , 
+                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                       "status=%d", transform->status ) ;
+               return(-1);
+       }
+
+       return(0);
+}
+
+
+#ifndef XMLSEC_NO_RSA
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssRsaPkcs1Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssRsaPkcs1Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyTransportSize,                         /* xmlSecSize objSize */
+
+    xmlSecNameRsaPkcs1,                                /* const xmlChar* name; */
+    xmlSecHrefRsaPkcs1,                                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyTransportInitialize,                   /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyTransportFinalize,                     /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyTransportSetKeyReq,                    /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyTransportSetKey,                       /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyTransportExecute,                      /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssRsaOaepKlass = {
+#else
+static xmlSecTransformKlass xmlSecNssRsaOaepKlass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyTransportSize,                         /* xmlSecSize objSize */
+
+    xmlSecNameRsaOaep,                         /* const xmlChar* name; */
+    xmlSecHrefRsaOaep,                         /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyTransportInitialize,                   /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyTransportFinalize,                     /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyTransportSetKeyReq,                    /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyTransportSetKey,                       /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyTransportExecute,                      /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+/** 
+ * xmlSecNssTransformRsaPkcs1GetKlass:
+ *
+ * The RSA-PKCS1 key transport transform klass.
+ *
+ * Returns RSA-PKCS1 key transport transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformRsaPkcs1GetKlass(void) {
+    return(&xmlSecNssRsaPkcs1Klass);
+}
+
+/** 
+ * xmlSecNssTransformRsaOaepGetKlass:
+ *
+ * The RSA-PKCS1 key transport transform klass.
+ *
+ * Returns RSA-PKCS1 key transport transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformRsaOaepGetKlass(void) {
+    return(&xmlSecNssRsaOaepKlass);
+}
+
+#endif /* XMLSEC_NO_RSA */
+
--- misc/xmlsec1-1.2.6/src/nss/keywrapers.c     2008-06-29 23:44:40.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/keywrapers.c       2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,1213 @@
-dummy
+/** 
+ *
+ * XMLSec library
+ * 
+ * AES Algorithm support
+ * 
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ * 
+ * Copyright .................................
+ */
+#include "globals.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <nss.h>
+#include <pk11func.h>
+#include <hasht.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/xmltree.h>
+#include <xmlsec/keys.h>
+#include <xmlsec/transforms.h>
+#include <xmlsec/errors.h>
+
+#include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+
+#define XMLSEC_NSS_AES128_KEY_SIZE             16
+#define XMLSEC_NSS_AES192_KEY_SIZE             24
+#define XMLSEC_NSS_AES256_KEY_SIZE             32
+#define XMLSEC_NSS_DES3_KEY_SIZE               24
+#define XMLSEC_NSS_DES3_KEY_LENGTH      24
+#define XMLSEC_NSS_DES3_IV_LENGTH       8
+#define XMLSEC_NSS_DES3_BLOCK_LENGTH    8
+
+static xmlSecByte xmlSecNssKWDes3Iv[XMLSEC_NSS_DES3_IV_LENGTH] = { 
+    0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 
+};
+
+/*********************************************************************
+ *
+ * key wrap transforms
+ *
+ ********************************************************************/
+typedef struct _xmlSecNssKeyWrapCtx                    xmlSecNssKeyWrapCtx ;
+typedef struct _xmlSecNssKeyWrapCtx*           xmlSecNssKeyWrapCtxPtr ;
+
+#define xmlSecNssKeyWrapSize   \
+       ( sizeof( xmlSecTransform ) + sizeof( xmlSecNssKeyWrapCtx ) )
+
+#define xmlSecNssKeyWrapGetCtx( transform ) \
+       ( ( xmlSecNssKeyWrapCtxPtr )( ( ( xmlSecByte* )( transform ) ) + sizeof( xmlSecTransform ) ) )
+
+struct _xmlSecNssKeyWrapCtx {
+       CK_MECHANISM_TYPE               cipher ;
+       PK11SymKey*                             symkey ;
+       xmlSecKeyDataId                 keyId ;
+       xmlSecBufferPtr                 material ; /* to be encrypted/decrypted key material */
+} ;
+
+static int             xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform);
+static void    xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform);
+static int     xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform, 
+                                                        xmlSecKeyReqPtr keyReq);
+static int     xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, 
+                                                        xmlSecKeyPtr key);
+static int     xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, 
+                                                        int last,
+                                                        xmlSecTransformCtxPtr transformCtx);
+static xmlSecSize      xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform);
+
+static int
+xmlSecNssKeyWrapCheckId(
+       xmlSecTransformPtr transform
+) {
+       #ifndef XMLSEC_NO_DES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+               return(1);
+       }
+       #endif /* XMLSEC_NO_DES */
+
+       #ifndef XMLSEC_NO_AES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes128Id ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes192Id ) ||
+               xmlSecTransformCheckId( transform, xmlSecNssTransformKWAes256Id ) ) {
+
+               return(1);
+    }
+       #endif /* XMLSEC_NO_AES */
+    
+    return(0);
+}
+
+static xmlSecSize  
+xmlSecNssKeyWrapGetKeySize(xmlSecTransformPtr transform) {
+#ifndef XMLSEC_NO_DES
+       if( xmlSecTransformCheckId( transform, xmlSecNssTransformKWDes3Id ) ) {
+               return(XMLSEC_NSS_DES3_KEY_SIZE);
+       } else
+#endif /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes128Id)) {
+               return(XMLSEC_NSS_AES128_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes192Id)) {
+               return(XMLSEC_NSS_AES192_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+               return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else if(xmlSecTransformCheckId(transform, xmlSecNssTransformKWAes256Id)) {
+               return(XMLSEC_NSS_AES256_KEY_SIZE);
+    } else
+#endif /* XMLSEC_NO_AES */
+
+       if(1)
+               return(0);
+}
+
+
+static int 
+xmlSecNssKeyWrapInitialize(xmlSecTransformPtr transform) {
+       xmlSecNssKeyWrapCtxPtr context ;
+    int ret;
+    
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    
+       context = xmlSecNssKeyWrapGetCtx( transform ) ;
+       xmlSecAssert2( context != NULL , -1 ) ;
+
+       #ifndef XMLSEC_NO_DES
+       if( transform->id == xmlSecNssTransformKWDes3Id ) {
+               context->cipher = CKM_DES3_CBC ;
+               context->keyId = xmlSecNssKeyDataDesId ;
+       } else
+       #endif          /* XMLSEC_NO_DES */
+
+       #ifndef XMLSEC_NO_AES
+       if( transform->id == xmlSecNssTransformKWAes128Id ) {
+       /*      context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( transform->id == xmlSecNssTransformKWAes192Id ) {
+       /*      context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       if( transform->id == xmlSecNssTransformKWAes256Id ) {
+       /*      context->cipher = CKM_NETSCAPE_AES_KEY_WRAP ;*/
+               context->cipher = CKM_AES_CBC ;
+               context->keyId = xmlSecNssKeyDataAesId ;
+       } else
+       #endif          /* XMLSEC_NO_AES */
+
+
+       if( 1 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
+                   NULL ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       context->symkey = NULL ;
+       context->material = NULL ;
+
+    return(0);
+}
+
+static void 
+xmlSecNssKeyWrapFinalize(xmlSecTransformPtr transform) {
+       xmlSecNssKeyWrapCtxPtr context ;
+    
+    xmlSecAssert(xmlSecNssKeyWrapCheckId(transform));
+    xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize));
+    
+       context = xmlSecNssKeyWrapGetCtx( transform ) ;
+       xmlSecAssert( context != NULL ) ;
+
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
+
+       if( context->material != NULL ) {
+               xmlSecBufferDestroy(context->material);
+               context->material = NULL ;
+       }
+}
+
+static int  
+xmlSecNssKeyWrapSetKeyReq(xmlSecTransformPtr transform,  xmlSecKeyReqPtr keyReq) {
+       xmlSecNssKeyWrapCtxPtr context ;
+       xmlSecSize cipherSize = 0 ;
+
+    
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(keyReq != NULL, -1);
+    
+       context = xmlSecNssKeyWrapGetCtx( transform ) ;
+       xmlSecAssert2( context != NULL , -1 ) ;
+
+    keyReq->keyId       = context->keyId;
+    keyReq->keyType  = xmlSecKeyDataTypeSymmetric;
+    if(transform->operation == xmlSecTransformOperationEncrypt) {
+               keyReq->keyUsage = xmlSecKeyUsageEncrypt;
+    } else {
+               keyReq->keyUsage = xmlSecKeyUsageDecrypt;
+    }
+
+       keyReq->keyBitsSize = xmlSecNssKeyWrapGetKeySize( transform ) ;
+
+    return(0);
+}
+
+static int     
+xmlSecNssKeyWrapSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
+       xmlSecNssKeyWrapCtxPtr context = NULL ;
+       xmlSecKeyDataPtr        keyData = NULL ;
+       PK11SymKey*                     symkey = NULL ;
+
+    xmlSecAssert2(xmlSecNssKeyWrapCheckId(transform), -1);
+    xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecNssKeyWrapSize), -1);
+    xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
+    xmlSecAssert2(key != NULL, -1);
+
+       context = xmlSecNssKeyWrapGetCtx( transform ) ;
+       if( context == NULL || context->keyId == NULL || context->symkey != NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyWrapGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+       xmlSecAssert2( xmlSecKeyCheckId( key, context->keyId ), -1 ) ;
+
+       keyData = xmlSecKeyGetValue( key ) ;
+       if( keyData == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyGetName( key ) ) ,
+                   "xmlSecKeyGetValue" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( ( symkey = xmlSecNssSymKeyDataGetKey( keyData ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( keyData ) ) ,
+                   "xmlSecNssSymKeyDataGetKey" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       context->symkey = symkey ;
+
+       return(0) ;
+}
+
+/**
+ * key wrap transform
+ */
+static int 
+xmlSecNssKeyWrapCtxInit(
+       xmlSecNssKeyWrapCtxPtr          ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecSize                      blockSize ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       if( ctx->material != NULL ) {
+               xmlSecBufferDestroy( ctx->material ) ;
+               ctx->material = NULL ;
+       }
+
+       if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       ctx->material = xmlSecBufferCreate( blockSize ) ;
+       if( ctx->material == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferCreate" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       /* read raw key material into context */
+       if( xmlSecBufferSetData( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferSetData" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       return(0);
+}
+
+/**
+ * key wrap transform update
+ */
+static int 
+xmlSecNssKeyWrapCtxUpdate(
+       xmlSecNssKeyWrapCtxPtr          ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       /* read raw key material and append into context */
+       if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       return(0);
+}
+
+static int 
+xmlSecNssKWDes3BufferReverse(xmlSecByte *buf, xmlSecSize size) {
+    xmlSecSize s;
+    xmlSecSize i;
+    xmlSecByte c;
+    
+    xmlSecAssert2(buf != NULL, -1);
+    
+    s = size / 2;
+    --size;
+    for(i = 0; i < s; ++i) {
+       c = buf[i];
+       buf[i] = buf[size - i];
+       buf[size - i] = c;
+    }
+    return(0);
+}
+
+static xmlSecByte *
+xmlSecNssComputeSHA1(const xmlSecByte *in, xmlSecSize inSize, 
+                    xmlSecByte *out, xmlSecSize outSize)
+{
+    PK11Context *context = NULL;
+    SECStatus s;
+    xmlSecByte *digest = NULL;
+    unsigned int len;
+
+    xmlSecAssert2(in != NULL, NULL);
+    xmlSecAssert2(out != NULL, NULL);
+    xmlSecAssert2(outSize >= SHA1_LENGTH, NULL);
+
+    /* Create a context for hashing (digesting) */
+    context = PK11_CreateDigestContext(SEC_OID_SHA1);
+    if (context == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_CreateDigestContext",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    s = PK11_DigestBegin(context);
+    if (s != SECSuccess) { 
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_DigestBegin",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    s = PK11_DigestOp(context, in, inSize);
+    if (s != SECSuccess) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_DigestOp",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "error code = %d", PORT_GetError());
+       goto done;
+    }
+
+    s = PK11_DigestFinal(context, out, &len, outSize);
+    if (s != SECSuccess) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_DigestFinal",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "error code = %d", PORT_GetError());
+       goto done;
+    }
+    xmlSecAssert2(len == SHA1_LENGTH, NULL);
+
+    digest = out;
+
+done:
+    if (context != NULL) {
+       PK11_DestroyContext(context, PR_TRUE);
+    }
+    return (digest);
+}
+
+static int
+xmlSecNssKWDes3Encrypt(
+       PK11SymKey*                                     symKey ,
+       CK_MECHANISM_TYPE                       cipherMech ,
+    const xmlSecByte*                  iv ,
+       xmlSecSize                                      ivSize ,
+    const xmlSecByte*                  in ,
+       xmlSecSize                                      inSize ,
+    xmlSecByte*                        out ,
+       xmlSecSize                                      outSize ,
+       int                                                     enc
+) {
+    PK11Context*        EncContext = NULL;
+       SECItem                         ivItem ;
+       SECItem*                        secParam = NULL ;
+    int                                        tmp1_outlen;
+    unsigned int               tmp2_outlen;
+       int                 result_len = -1;
+       SECStatus           rv;
+
+       xmlSecAssert2( cipherMech != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( symKey != NULL , -1 ) ;
+    xmlSecAssert2(iv != NULL, -1);
+    xmlSecAssert2(ivSize == XMLSEC_NSS_DES3_IV_LENGTH, -1);
+    xmlSecAssert2(in != NULL, -1);
+    xmlSecAssert2(inSize > 0, -1);
+    xmlSecAssert2(out != NULL, -1);
+    xmlSecAssert2(outSize >= inSize, -1);
+ 
+       /* Prepare IV */
+       ivItem.data = ( unsigned char* )iv ;
+       ivItem.len = ivSize ;
+
+    secParam = PK11_ParamFromIV(cipherMech, &ivItem);
+    if (secParam == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_ParamFromIV",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "Error code = %d", PORT_GetError());
+               goto done;
+    }
+
+    EncContext = PK11_CreateContextBySymKey(cipherMech, 
+                                           enc ? CKA_ENCRYPT : CKA_DECRYPT,
+                                           symKey, secParam);
+    if (EncContext == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_CreateContextBySymKey",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "Error code = %d", PORT_GetError());
+               goto done;
+    }
+
+    tmp1_outlen = tmp2_outlen = 0;
+    rv = PK11_CipherOp(EncContext, out, &tmp1_outlen, outSize,
+                      (unsigned char *)in, inSize);
+    if (rv != SECSuccess) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_CipherOp",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "Error code = %d", PORT_GetError());
+               goto done;
+    }
+
+    rv = PK11_DigestFinal(EncContext, out+tmp1_outlen, 
+                         &tmp2_outlen, outSize-tmp1_outlen);
+    if (rv != SECSuccess) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                   NULL,
+                   "PK11_DigestFinal",
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                   "Error code = %d", PORT_GetError());
+               goto done;
+    }
+
+    result_len = tmp1_outlen + tmp2_outlen;
+
+done:
+    if (secParam) {
+               SECITEM_FreeItem(secParam, PR_TRUE);
+    }
+    if (EncContext) {
+       PK11_DestroyContext(EncContext, PR_TRUE);
+    }
+
+    return(result_len);
+}
+
+static int
+xmlSecNssKeyWrapDesOp(
+       xmlSecNssKeyWrapCtxPtr          ctx ,
+       int                                             encrypt ,
+       xmlSecBufferPtr                         result
+) {
+    xmlSecByte sha1[SHA1_LENGTH];    
+    xmlSecByte iv[XMLSEC_NSS_DES3_IV_LENGTH];
+    xmlSecByte* in;    
+    xmlSecSize inSize;    
+    xmlSecByte* out;    
+    xmlSecSize outSize;    
+    xmlSecSize s;    
+    int ret;
+    SECStatus status;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( result != NULL , -1 ) ;
+
+       in = xmlSecBufferGetData(ctx->material);
+       inSize = xmlSecBufferGetSize(ctx->material) ;
+       out = xmlSecBufferGetData(result);
+       outSize = xmlSecBufferGetMaxSize(result) ;
+       if( encrypt ) {
+       /* step 2: calculate sha1 and CMS */
+       if(xmlSecNssComputeSHA1(in, inSize, sha1, SHA1_LENGTH) == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlSecNssComputeSHA1",
+                           XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+
+           /* step 3: construct WKCKS */
+       memcpy(out, in, inSize);
+           memcpy(out + inSize, sha1, XMLSEC_NSS_DES3_BLOCK_LENGTH);
+
+       /* step 4: generate random iv */
+       status = PK11_GenerateRandom(iv, XMLSEC_NSS_DES3_IV_LENGTH);
+       if(status != SECSuccess) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "PK11_GenerateRandom",
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                       "error code = %d", PORT_GetError());
+                       return(-1);    
+       }       
+
+       /* step 5: first encryption, result is TEMP1 */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                                   iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+                                       out, inSize + XMLSEC_NSS_DES3_IV_LENGTH,
+                                       out, outSize, 1);
+       if(ret < 0) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecNssKWDes3Encrypt",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+
+       /* step 6: construct TEMP2=IV || TEMP1 */
+       memmove(out + XMLSEC_NSS_DES3_IV_LENGTH, out, 
+               inSize + XMLSEC_NSS_DES3_IV_LENGTH);
+       memcpy(out, iv, XMLSEC_NSS_DES3_IV_LENGTH);
+               s = ret + XMLSEC_NSS_DES3_IV_LENGTH; 
+    
+       /* step 7: reverse octets order, result is TEMP3 */
+           ret = xmlSecNssKWDes3BufferReverse(out, s);
+               if(ret < 0) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlSecNssKWDes3BufferReverse",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+
+       /* step 8: second encryption with static IV */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                                   xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+                                       out, s,
+                                       out, outSize, 1);
+       if(ret < 0) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlSecNssKWDes3Encrypt",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+               s = ret;
+
+               if( xmlSecBufferSetSize( result , s ) < 0 ) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlSecBufferSetSize",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+               }
+       } else {
+       /* step 2: first decryption with static IV, result is TEMP3 */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                                   xmlSecNssKWDes3Iv, XMLSEC_NSS_DES3_IV_LENGTH, 
+                                       in, inSize,
+                                       out, outSize, 0);
+       if((ret < 0) || (ret < XMLSEC_NSS_DES3_IV_LENGTH)) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecNssKWDes3Encrypt",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+       s = ret; 
+    
+       /* step 3: reverse octets order in TEMP3, result is TEMP2 */
+       ret = xmlSecNssKWDes3BufferReverse(out, s);
+       if(ret < 0) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecNssKWDes3BufferReverse",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+
+       /* steps 4 and 5: get IV and decrypt second time, result is WKCKS */
+       ret = xmlSecNssKWDes3Encrypt( ctx->symkey, ctx->cipher,
+                                   out, XMLSEC_NSS_DES3_IV_LENGTH, 
+                                       out+XMLSEC_NSS_DES3_IV_LENGTH, s-XMLSEC_NSS_DES3_IV_LENGTH,
+                                       out, outSize, 0);
+       if((ret < 0) || (ret < XMLSEC_NSS_DES3_BLOCK_LENGTH)) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecNssKWDes3Encrypt",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+       }
+               s = ret - XMLSEC_NSS_DES3_IV_LENGTH;
+    
+       /* steps 6 and 7: calculate SHA1 and validate it */
+       if(xmlSecNssComputeSHA1(out, s, sha1, SHA1_LENGTH) == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecNssComputeSHA1",
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+                }
+
+               if(memcmp(sha1, out + s, XMLSEC_NSS_DES3_BLOCK_LENGTH) != 0) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                                NULL,
+                           XMLSEC_ERRORS_R_INVALID_DATA,
+                           "SHA1 does not match");
+                       return(-1);         
+               }
+
+               if( xmlSecBufferSetSize( result , s ) < 0 ) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                           NULL,
+                           "xmlSecBufferSetSize",
+                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                           XMLSEC_ERRORS_NO_MESSAGE);
+                       return(-1);         
+               }
+       }
+
+       return(0);
+}
+
+static int
+xmlSecNssKeyWrapAesOp(
+       xmlSecNssKeyWrapCtxPtr          ctx ,
+       int                                             encrypt ,
+       xmlSecBufferPtr                         result
+) {
+    PK11Context*        cipherCtx = NULL;
+       SECItem                         ivItem ;
+       SECItem*                        secParam = NULL ;
+       xmlSecSize                      inSize ;
+       xmlSecSize                      inBlocks ;
+       int                                     blockSize ;
+       int                                     midSize ;
+       int                                     finSize ;
+       xmlSecByte*                     out ;
+    xmlSecSize                 outSize;    
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( result != NULL , -1 ) ;
+
+       /* Do not set any IV */
+    memset(&ivItem, 0, sizeof(ivItem));
+
+       /* Get block size */
+       if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       inSize = xmlSecBufferGetSize( ctx->material ) ;
+       if( xmlSecBufferSetMaxSize( result , inSize + blockSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferSetMaxSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       /* Get Param for context initialization */
+       if( ( secParam = PK11_ParamFromIV( ctx->cipher , &ivItem ) ) == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_ParamFromIV" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       cipherCtx = PK11_CreateContextBySymKey( ctx->cipher , encrypt ? CKA_ENCRYPT : CKA_DECRYPT , ctx->symkey , secParam ) ;
+       if( cipherCtx == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_CreateContextBySymKey" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               SECITEM_FreeItem( secParam , PR_TRUE ) ;
+               return(-1);    
+       }
+
+       out = xmlSecBufferGetData(result) ;
+       outSize = xmlSecBufferGetMaxSize(result) ;
+       if( PK11_CipherOp( cipherCtx , out, &midSize , outSize , xmlSecBufferGetData( ctx->material ) , inSize ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_CipherOp" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( PK11_DigestFinal( cipherCtx , out + midSize , &finSize , outSize - midSize ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_DigestFinal" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferSetSize( result , midSize + finSize ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferSetSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       return 0 ;
+}
+
+/**
+ * Block cipher transform final
+ */
+static int 
+xmlSecNssKeyWrapCtxFinal(
+       xmlSecNssKeyWrapCtxPtr          ctx ,
+       xmlSecBufferPtr                         in ,
+       xmlSecBufferPtr                         out ,
+       int                                             encrypt ,
+       xmlSecTransformCtxPtr           transformCtx
+) {
+       PK11SymKey*                     targetKey ;
+       xmlSecSize                      blockSize ;
+       xmlSecBufferPtr         result ;
+
+       xmlSecAssert2( ctx != NULL , -1 ) ;
+       xmlSecAssert2( ctx->cipher != CKM_INVALID_MECHANISM , -1 ) ;
+       xmlSecAssert2( ctx->symkey != NULL , -1 ) ;
+       xmlSecAssert2( ctx->keyId != NULL , -1 ) ;
+       xmlSecAssert2( ctx->material != NULL , -1 ) ;
+       xmlSecAssert2( in != NULL , -1 ) ;
+       xmlSecAssert2( out != NULL , -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       /* read raw key material and append into context */
+       if( xmlSecBufferAppend( ctx->material, xmlSecBufferGetData(in), xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       if( xmlSecBufferRemoveHead( in , xmlSecBufferGetSize(in) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferRemoveHead" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       /* Now we get all of the key materail */
+       /* from now on we will wrap or unwrap the key */
+       if( ( blockSize = PK11_GetBlockSize( ctx->cipher , NULL ) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "PK11_GetBlockSize" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       result = xmlSecBufferCreate( blockSize ) ;
+       if( result == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferCreate" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       switch( ctx->cipher ) {
+               case CKM_DES3_CBC :
+                       if( xmlSecNssKeyWrapDesOp(ctx, encrypt, result) < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecNssKeyWrapDesOp" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               xmlSecBufferDestroy(result);
+                               return(-1);    
+                       }
+                       break ;
+       /*      case CKM_NETSCAPE_AES_KEY_WRAP :*/
+               case CKM_AES_CBC :
+                       if( xmlSecNssKeyWrapAesOp(ctx, encrypt, result) < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecNssKeyWrapAesOp" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               xmlSecBufferDestroy(result);
+                               return(-1);    
+                       }
+                       break ;
+       }
+
+       /* Write output */
+       if( xmlSecBufferAppend( out, xmlSecBufferGetData(result), xmlSecBufferGetSize(result) ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecBufferAppend" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecBufferDestroy(result);
+               return(-1);    
+       }
+       xmlSecBufferDestroy(result);
+
+       return(0);
+}
+
+static int 
+xmlSecNssKeyWrapExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) {
+       xmlSecNssKeyWrapCtxPtr  context = NULL ;
+       xmlSecBufferPtr                 inBuf, outBuf ; 
+       int                                             operation ;
+       int                                             rtv ;
+
+       xmlSecAssert2( xmlSecNssKeyWrapCheckId( transform ), -1 ) ;
+       xmlSecAssert2( xmlSecTransformCheckSize( transform, xmlSecNssKeyWrapSize ), -1 ) ;
+    xmlSecAssert2( ( transform->operation == xmlSecTransformOperationEncrypt ) || ( transform->operation == xmlSecTransformOperationDecrypt ), -1 ) ;
+       xmlSecAssert2( transformCtx != NULL , -1 ) ;
+
+       context = xmlSecNssKeyWrapGetCtx( transform ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                   "xmlSecNssKeyWrapGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return(-1);    
+       }
+
+       inBuf = &( transform->inBuf ) ;
+       outBuf = &( transform->outBuf ) ;
+
+       if( transform->status == xmlSecTransformStatusNone ) {
+               transform->status = xmlSecTransformStatusWorking ;
+       }
+
+       operation = ( transform->operation == xmlSecTransformOperationEncrypt ) ? 1 : 0 ;
+       if( transform->status == xmlSecTransformStatusWorking ) {
+               if( context->material == NULL ) {
+                       rtv = xmlSecNssKeyWrapCtxInit( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyWrapCtxInit" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+               }
+
+               if( context->material == NULL && last != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "No enough data to intialize transform" ) ;
+                       return(-1);
+               }
+
+               if( context->material != NULL ) {
+                       rtv = xmlSecNssKeyWrapCtxUpdate( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyWrapCtxUpdate" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+               }
+               
+               if( last ) {
+                       rtv = xmlSecNssKeyWrapCtxFinal( context, inBuf , outBuf , operation , transformCtx ) ;
+                       if( rtv < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE , 
+                                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                                       "xmlSecNssKeyWrapCtxFinal" ,
+                                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               return(-1);
+                       }
+                       transform->status = xmlSecTransformStatusFinished ;
+               }
+       } else if( transform->status == xmlSecTransformStatusFinished ) {
+               if( xmlSecBufferGetSize( inBuf ) != 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE , 
+                               xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_INVALID_STATUS ,
+                               "status=%d", transform->status ) ;
+                       return(-1);
+               }
+       } else {
+               xmlSecError( XMLSEC_ERRORS_HERE , 
+                       xmlSecErrorsSafeString( xmlSecTransformGetName( transform ) ) ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_INVALID_STATUS ,
+                       "status=%d", transform->status ) ;
+               return(-1);
+       }
+
+       return(0);
+}
+
+#ifndef XMLSEC_NO_AES
+
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes128Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,                              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes128,                                /* const xmlChar* name; */
+    xmlSecHrefKWAes128,                                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,                        /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,                  /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,                 /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,                    /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,                   /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes192Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,                              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes192,                                /* const xmlChar* name; */
+    xmlSecHrefKWAes192,                                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,                        /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,                  /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,                 /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,                    /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,                   /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWAes256Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,                              /* xmlSecSize objSize */
+
+    xmlSecNameKWAes256,                                /* const xmlChar* name; */
+    xmlSecHrefKWAes256,                                /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,                        /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,                  /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,                 /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,                    /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,                   /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+/** 
+ * xmlSecNssTransformKWAes128GetKlass:
+ *
+ * The AES-128 key wrapper transform klass.
+ *
+ * Returns AES-128 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes128GetKlass(void) {
+    return(&xmlSecNssKWAes128Klass);
+}
+
+/** 
+ * xmlSecNssTransformKWAes192GetKlass:
+ *
+ * The AES-192 key wrapper transform klass.
+ *
+ * Returns AES-192 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes192GetKlass(void) {
+    return(&xmlSecNssKWAes192Klass);
+}
+
+/** 
+ *
+ * The AES-256 key wrapper transform klass.
+ *
+ * Returns AES-256 key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWAes256GetKlass(void) {
+    return(&xmlSecNssKWAes256Klass);
+}
+
+#endif /* XMLSEC_NO_AES */
+
+
+#ifndef XMLSEC_NO_DES
+
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#else
+static xmlSecTransformKlass xmlSecNssKWDes3Klass = {
+#endif
+    /* klass/object sizes */
+    sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
+    xmlSecNssKeyWrapSize,                      /* xmlSecSize objSize */
+
+    xmlSecNameKWDes3,                          /* const xmlChar* name; */
+    xmlSecHrefKWDes3,                          /* const xmlChar* href; */
+    xmlSecTransformUsageEncryptionMethod,      /* xmlSecAlgorithmUsage usage; */
+
+    xmlSecNssKeyWrapInitialize,                        /* xmlSecTransformInitializeMethod initialize; */
+    xmlSecNssKeyWrapFinalize,                  /* xmlSecTransformFinalizeMethod finalize; */
+    NULL,                                      /* xmlSecTransformNodeReadMethod readNode; */
+    NULL,                                      /* xmlSecTransformNodeWriteMethod writeNode; */
+    xmlSecNssKeyWrapSetKeyReq,                 /* xmlSecTransformSetKeyMethod setKeyReq; */
+    xmlSecNssKeyWrapSetKey,                    /* xmlSecTransformSetKeyMethod setKey; */
+    NULL,                                      /* xmlSecTransformValidateMethod validate; */
+    xmlSecTransformDefaultGetDataType,         /* xmlSecTransformGetDataTypeMethod getDataType; */
+    xmlSecTransformDefaultPushBin,             /* xmlSecTransformPushBinMethod pushBin; */
+    xmlSecTransformDefaultPopBin,              /* xmlSecTransformPopBinMethod popBin; */
+    NULL,                                      /* xmlSecTransformPushXmlMethod pushXml; */
+    NULL,                                      /* xmlSecTransformPopXmlMethod popXml; */
+    xmlSecNssKeyWrapExecute,                   /* xmlSecTransformExecuteMethod execute; */
+    
+    NULL,                                      /* void* reserved0; */
+    NULL,                                      /* void* reserved1; */
+};
+
+/** 
+ * xmlSecNssTransformKWDes3GetKlass:
+ * 
+ * The Triple DES key wrapper transform klass.
+ *
+ * Returns Triple DES key wrapper transform klass.
+ */
+xmlSecTransformId 
+xmlSecNssTransformKWDes3GetKlass(void) {
+    return(&xmlSecNssKWDes3Klass);
+}
+
+#endif /* XMLSEC_NO_DES */
+
--- misc/xmlsec1-1.2.6/src/nss/pkikeys.c        2004-03-17 06:06:45.000000000 +0100
+++ misc/build/xmlsec1-1.2.6/src/nss/pkikeys.c  2008-06-29 23:44:19.000000000 +0200
@@ -5,6 +5,7 @@
  * distribution for preciese wording.
  * 
  * Copyright (c) 2003 America Online, Inc.  All rights reserved.
+ * Copyright ...........................
  */
 #include "globals.h"
 
@@ -24,6 +25,7 @@
 #include <xmlsec/nss/crypto.h>
 #include <xmlsec/nss/bignum.h>
 #include <xmlsec/nss/pkikeys.h>
+#include <xmlsec/nss/tokens.h>
 
 /**************************************************************************
  *
@@ -98,14 +100,13 @@
 {
     xmlSecAssert(ctx != NULL);
     if (ctx->privkey != NULL) {
-       SECKEY_DestroyPrivateKey(ctx->privkey);
-       ctx->privkey = NULL;
+               SECKEY_DestroyPrivateKey(ctx->privkey);
+               ctx->privkey = NULL;
     }
 
-    if (ctx->pubkey)
-    {
-       SECKEY_DestroyPublicKey(ctx->pubkey);
-       ctx->pubkey = NULL;
+    if (ctx->pubkey) {
+               SECKEY_DestroyPublicKey(ctx->pubkey);
+               ctx->pubkey = NULL;
     }
 
 }
@@ -115,29 +116,32 @@
                           xmlSecNssPKIKeyDataCtxPtr ctxSrc)
 {
     xmlSecNSSPKIKeyDataCtxFree(ctxDst);
+       ctxDst->privkey = NULL ;
+       ctxDst->pubkey = NULL ;
     if (ctxSrc->privkey != NULL) {
-       ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey);
-       if(ctxDst->privkey == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "SECKEY_CopyPrivateKey",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
+               ctxDst->privkey = SECKEY_CopyPrivateKey(ctxSrc->privkey);
+               if(ctxDst->privkey == NULL) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "SECKEY_CopyPrivateKey",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               "error code=%d", PORT_GetError());
+                   return(-1);
+               }
     }
 
     if (ctxSrc->pubkey != NULL) {
-       ctxDst->pubkey = SECKEY_CopyPublicKey(ctxSrc->pubkey);
-       if(ctxDst->pubkey == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "SECKEY_CopyPublicKey",
-                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
+               ctxDst->pubkey = SECKEY_CopyPublicKey(ctxSrc->pubkey);
+               if(ctxDst->pubkey == NULL) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "SECKEY_CopyPublicKey",
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                               "error code=%d", PORT_GetError());
+                   return(-1);
+               }
     }
+
     return (0);
 }
 
@@ -147,20 +151,41 @@
                             SECKEYPublicKey  *pubkey)
 {
     xmlSecNssPKIKeyDataCtxPtr ctx;
+       KeyType                                 pubType = nullKey ;
+       KeyType                                 priType = nullKey ;
     
     xmlSecAssert2(xmlSecKeyDataIsValid(data), -1);
     xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssPKIKeyDataSize), -1);
 
+       if( privkey != NULL ) {
+               priType = SECKEY_GetPrivateKeyType( privkey ) ;
+       }
+
+       if( pubkey != NULL ) {
+               pubType = SECKEY_GetPublicKeyType( pubkey ) ;
+       }
+
+       if( priType != nullKey && pubType != nullKey ) {
+               if( pubType != priType ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               "different type of private and public key" ) ;
+                       return -1 ;
+               }
+       }
+
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
     
     if (ctx->privkey) {
-       SECKEY_DestroyPrivateKey(ctx->privkey); 
+               SECKEY_DestroyPrivateKey(ctx->privkey); 
     }
     ctx->privkey = privkey;
 
     if (ctx->pubkey) {
-       SECKEY_DestroyPublicKey(ctx->pubkey);
+               SECKEY_DestroyPublicKey(ctx->pubkey);
     }
     ctx->pubkey = pubkey;
 
@@ -183,61 +208,75 @@
 {
     xmlSecKeyDataPtr data = NULL;
     int ret;
-    KeyType kt;
-    
-    if (pubkey != NULL) {
-       kt = SECKEY_GetPublicKeyType(pubkey);
-    } else {
-       kt = SECKEY_GetPrivateKeyType(privkey);
-       pubkey = SECKEY_ConvertToPublicKey(privkey);
-    }
+       KeyType                                 pubType = nullKey ;
+       KeyType                                 priType = nullKey ;
     
-    switch(kt) {       
+       if( privkey != NULL ) {
+               priType = SECKEY_GetPrivateKeyType( privkey ) ;
+       }
+
+       if( pubkey != NULL ) {
+               pubType = SECKEY_GetPublicKeyType( pubkey ) ;
+       }
+
+       if( priType != nullKey && pubType != nullKey ) {
+               if( pubType != priType ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               "different type of private and public key" ) ;
+                       return( NULL ) ;
+               }
+       }
+   
+       pubType = priType != nullKey ? priType : pubType ;
+    switch(pubType) {  
 #ifndef XMLSEC_NO_RSA    
     case rsaKey:
-       data = xmlSecKeyDataCreate(xmlSecNssKeyDataRsaId);
-       if(data == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeyDataCreate",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "xmlSecNssKeyDataRsaId");
-           return(NULL);           
-       }
-       break;
+               data = xmlSecKeyDataCreate(xmlSecNssKeyDataRsaId);
+               if(data == NULL) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecKeyDataCreate",
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                               "xmlSecNssKeyDataRsaId");
+                   return(NULL);           
+               }
+               break;
 #endif /* XMLSEC_NO_RSA */     
 #ifndef XMLSEC_NO_DSA  
     case dsaKey:
-       data = xmlSecKeyDataCreate(xmlSecNssKeyDataDsaId);
-       if(data == NULL) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecKeyDataCreate",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       "xmlSecNssKeyDataDsaId");
-           return(NULL);           
-       }
-       break;
+               data = xmlSecKeyDataCreate(xmlSecNssKeyDataDsaId);
+               if(data == NULL) {
+                   xmlSecError(XMLSEC_ERRORS_HERE,
+                               NULL,
+                               "xmlSecKeyDataCreate",
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                               "xmlSecNssKeyDataDsaId");
+                   return(NULL);           
+               }
+               break;
 #endif /* XMLSEC_NO_DSA */     
     default:   
-       xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    NULL,
                    XMLSEC_ERRORS_R_INVALID_TYPE,
-                   "PKI key type %d not supported", kt);
-       return(NULL);
+                   "PKI key type %d not supported", pubType);
+               return(NULL);
     }
 
     xmlSecAssert2(data != NULL, NULL);    
     ret = xmlSecNssPKIKeyDataAdoptKey(data, privkey, pubkey);
     if(ret < 0) {      
-       xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecError(XMLSEC_ERRORS_HERE,
                    NULL,
                    "xmlSecNssPKIKeyDataAdoptKey",
                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
                    XMLSEC_ERRORS_NO_MESSAGE);
-       xmlSecKeyDataDestroy(data);
-       return(NULL);       
+               xmlSecKeyDataDestroy(data);
+               return(NULL);       
     }
     return(data);
 }
@@ -263,7 +302,7 @@
     xmlSecAssert2(ctx != NULL, NULL);
     xmlSecAssert2(ctx->pubkey != NULL, NULL);
 
-    ret = SECKEY_CopyPublicKey(ctx->pubkey);
+       ret = SECKEY_CopyPublicKey(ctx->pubkey);
     return(ret);
 }
 
@@ -312,9 +351,9 @@
     xmlSecAssert2(ctx != NULL, nullKey);
     
     if (ctx->pubkey != NULL) {
-       kt = SECKEY_GetPublicKeyType(ctx->pubkey);
+               kt = SECKEY_GetPublicKeyType(ctx->pubkey);
     } else {
-       kt = SECKEY_GetPrivateKeyType(ctx->privkey);
+               kt = SECKEY_GetPrivateKeyType(ctx->privkey);
     }
     return(kt);
 }
@@ -453,7 +492,11 @@
 static void            xmlSecNssKeyDataDsaDebugXmlDump (xmlSecKeyDataPtr data,
                                                         FILE* output);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataDsaKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataDsaKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecNssPKIKeyDataSize,
 
@@ -553,13 +596,13 @@
        goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA);
     if(slot == NULL) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                   "PK11_GetBestSlot",
+                   "xmlSecNssSlotGet",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        ret = -1;
        goto done;
     }
@@ -570,7 +613,7 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "PORT_NewArena",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        ret = -1;
        goto done;
     }
@@ -582,7 +625,7 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                    "PORT_ArenaZAlloc",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        PORT_FreeArena(arena, PR_FALSE);
        ret = -1;
        goto done;
@@ -750,21 +793,21 @@
        goto done;
     }
     data = NULL;
-
     ret = 0;
 
 done:
     if (slot != NULL) {
-       PK11_FreeSlot(slot);
+        PK11_FreeSlot(slot);
     }
-    if (ret != 0) {
-       if (pubkey != NULL) {
-           SECKEY_DestroyPublicKey(pubkey);
-       }
-       if (data != NULL) {
-           xmlSecKeyDataDestroy(data);
-       }
+
+    if (pubkey != NULL) {
+        SECKEY_DestroyPublicKey(pubkey);
+    }
+
+    if (data != NULL) {
+        xmlSecKeyDataDestroy(data);
     }
+
     return(ret);
 }
 
@@ -783,7 +826,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
        /* we can have only private key or public key */
@@ -905,7 +948,8 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "PK11_PQG_ParamGen",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   "size=%d", sizeBits);
+                   "size=%d, error code=%d", sizeBits, PORT_GetError());
+       ret = -1;
        goto done;
     }
 
@@ -915,11 +959,12 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "PK11_PQG_VerifyParams",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   "size=%d", sizeBits);
+                   "size=%d, error code=%d", sizeBits, PORT_GetError());
+       ret = -1;
        goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_DSA_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_DSA_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_DSA_KEY_PAIR_GEN, pqgParams,
                                   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -929,8 +974,9 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "PK11_GenerateKeyPair",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
         
+       ret = -1;
        goto done;
     }
 
@@ -943,29 +989,32 @@
                    XMLSEC_ERRORS_NO_MESSAGE);
        goto done;
     }
-
+       privkey = NULL ;
+       pubkey = NULL ;
     ret = 0;
 
 done:
     if (slot != NULL) {
-       PK11_FreeSlot(slot);
+               PK11_FreeSlot(slot);
     }
+
     if (pqgParams != NULL) {
-       PK11_PQG_DestroyParams(pqgParams);
+               PK11_PQG_DestroyParams(pqgParams);
     }
+
     if (pqgVerify != NULL) {
-       PK11_PQG_DestroyVerify(pqgVerify);
-    }
-    if (ret == 0) {
-       return (0);
+               PK11_PQG_DestroyVerify(pqgVerify);
     }
+
     if (pubkey != NULL) {
-       SECKEY_DestroyPublicKey(pubkey);
+               SECKEY_DestroyPublicKey(pubkey);
     }
+
     if (privkey != NULL) {
-       SECKEY_DestroyPrivateKey(privkey);
+               SECKEY_DestroyPrivateKey(privkey);
     }
-    return(-1);
+
+    return(ret);
 }
 
 static xmlSecKeyDataType
@@ -975,11 +1024,11 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), xmlSecKeyDataTypeUnknown);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
     if (ctx->privkey != NULL) {
-       return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-    } else {
-       return(xmlSecKeyDataTypePublic);
+               return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
+    } else if( ctx->pubkey != NULL ) {
+               return(xmlSecKeyDataTypePublic);
     }
        
     return(xmlSecKeyDataTypeUnknown);
@@ -992,7 +1041,7 @@
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDsaId), 0);
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == dsaKey, -1);*/
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
@@ -1084,7 +1133,11 @@
 static void            xmlSecNssKeyDataRsaDebugXmlDump (xmlSecKeyDataPtr data,
                                                         FILE* output);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataRsaKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataRsaKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecNssPKIKeyDataSize,
 
@@ -1181,13 +1234,13 @@
        goto done;
     }
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS);
     if(slot == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                    "PK11_GetBestSlot",
+                    "xmlSecNssSlotGet",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1198,7 +1251,7 @@
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "PORT_NewArena",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         ret = -1;
         goto done;
     }
@@ -1210,7 +1263,7 @@
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "PORT_ArenaZAlloc",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
        PORT_FreeArena(arena, PR_FALSE);
         ret = -1;
         goto done;
@@ -1349,7 +1402,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(xmlSecKeyGetValue(key));
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/
 
 
     if(((xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate) & keyInfoCtx->keyReq.keyType) == 0) {
@@ -1420,7 +1473,7 @@
     params.keySizeInBits = sizeBits;
     params.pe = 65537;
 
-    slot = PK11_GetBestSlot(CKM_RSA_PKCS_KEY_PAIR_GEN, NULL);
+    slot = xmlSecNssSlotGet(CKM_RSA_PKCS_KEY_PAIR_GEN);
     PK11_Authenticate(slot, PR_TRUE, NULL /* default pwd callback */);
     privkey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, &params,
                                   &pubkey, PR_FALSE, PR_TRUE, NULL);
@@ -1430,7 +1483,7 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "PK11_GenerateKeyPair",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
         
        goto done;
     }
@@ -1472,7 +1525,7 @@
     
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/
     if (ctx->privkey != NULL) {
        return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
     } else {
@@ -1490,7 +1543,7 @@
 
     ctx = xmlSecNssPKIKeyDataGetCtx(data);
     xmlSecAssert2(ctx != NULL, -1);
-    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);
+/*    xmlSecAssert2(SECKEY_GetPublicKeyType(ctx->pubkey) == rsaKey, -1);*/
 
     return(8 * SECKEY_PublicKeyStrength(ctx->pubkey));
 }
--- misc/xmlsec1-1.2.6/src/nss/signatures.c     2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/signatures.c       2008-06-29 23:44:19.000000000 +0200
@@ -199,7 +199,7 @@
                        xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                        "SGN_NewContext",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
         }
     } else {
@@ -222,7 +222,7 @@
                        xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                        "VFY_CreateContext",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
         }
     }
@@ -282,7 +282,7 @@
                    xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                    "VFY_Update, VFY_End",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
 
        if (PORT_GetError() == SEC_ERROR_PKCS7_BAD_SIGNATURE) {
            xmlSecError(XMLSEC_ERRORS_HERE, 
@@ -341,7 +341,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "SGN_Begin",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
        } else {
@@ -351,7 +351,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "VFY_Begin",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
        }
@@ -368,7 +368,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "SGN_Update",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
        } else {
@@ -378,7 +378,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "VFY_Update",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
        }
@@ -404,7 +404,7 @@
                            xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
                            "SGN_End",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
 
@@ -459,7 +459,11 @@
  *
  ***************************************************************************/
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssDsaSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssDsaSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssSignatureSize,            /* xmlSecSize objSize */
@@ -506,7 +510,11 @@
  * RSA-SHA1 signature transform
  *
  ***************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecTransformKlass xmlSecNssRsaSha1Klass = {
+#else
 static xmlSecTransformKlass xmlSecNssRsaSha1Klass = {
+#endif
     /* klass/object sizes */
     sizeof(xmlSecTransformKlass),              /* xmlSecSize klassSize */
     xmlSecNssSignatureSize,            /* xmlSecSize objSize */
--- misc/xmlsec1-1.2.6/src/nss/symkeys.c        2003-07-21 05:12:52.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/symkeys.c  2008-06-29 23:44:19.000000000 +0200
@@ -15,178 +15,837 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <pk11func.h>
+#include <nss.h>
+
 #include <xmlsec/xmlsec.h>
 #include <xmlsec/xmltree.h>
+#include <xmlsec/base64.h>
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/transforms.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
+#include <xmlsec/nss/ciphers.h>
+#include <xmlsec/nss/tokens.h>
 
 /*****************************************************************************
  * 
- * Symmetic (binary) keys - just a wrapper for xmlSecKeyDataBinary
+ * Symmetic (binary) keys - a wrapper over slot information and PK11SymKey
  *
  ****************************************************************************/
-static int     xmlSecNssSymKeyDataInitialize           (xmlSecKeyDataPtr data);
-static int     xmlSecNssSymKeyDataDuplicate            (xmlSecKeyDataPtr dst,
-                                                        xmlSecKeyDataPtr src);
-static void    xmlSecNssSymKeyDataFinalize             (xmlSecKeyDataPtr data);
-static int     xmlSecNssSymKeyDataXmlRead              (xmlSecKeyDataId id,
-                                                        xmlSecKeyPtr key,
-                                                        xmlNodePtr node,
-                                                        xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssSymKeyDataXmlWrite             (xmlSecKeyDataId id,
-                                                        xmlSecKeyPtr key,
-                                                        xmlNodePtr node,
-                                                        xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssSymKeyDataBinRead              (xmlSecKeyDataId id,
-                                                        xmlSecKeyPtr key,
-                                                        const xmlSecByte* buf,
-                                                        xmlSecSize bufSize,
-                                                        xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssSymKeyDataBinWrite             (xmlSecKeyDataId id,
-                                                        xmlSecKeyPtr key,
-                                                        xmlSecByte** buf,
-                                                        xmlSecSize* bufSize,
-                                                        xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int     xmlSecNssSymKeyDataGenerate             (xmlSecKeyDataPtr data,
-                                                        xmlSecSize sizeBits,
-                                                        xmlSecKeyDataType type);
-
-static xmlSecKeyDataType xmlSecNssSymKeyDataGetType    (xmlSecKeyDataPtr data);
-static xmlSecSize      xmlSecNssSymKeyDataGetSize              (xmlSecKeyDataPtr data);
-static void    xmlSecNssSymKeyDataDebugDump    (xmlSecKeyDataPtr data,
-                                                        FILE* output);
-static void    xmlSecNssSymKeyDataDebugXmlDump (xmlSecKeyDataPtr data,
-                                                        FILE* output);
-static int     xmlSecNssSymKeyDataKlassCheck   (xmlSecKeyDataKlass* klass);
+typedef struct _xmlSecNssSymKeyDataCtx      xmlSecNssSymKeyDataCtx ;
+typedef struct _xmlSecNssSymKeyDataCtx*     xmlSecNssSymKeyDataCtxPtr ;
+
+struct _xmlSecNssSymKeyDataCtx {
+    CK_MECHANISM_TYPE       cipher ;    /* the symmetic key mechanism */
+    PK11SlotInfo*           slot ;      /* the key resident slot */
+    PK11SymKey*             symkey ;    /* the symmetic key */
+} ;
+
+#define xmlSecNssSymKeyDataSize \
+    ( sizeof( xmlSecKeyData ) + sizeof( xmlSecNssSymKeyDataCtx ) )
+
+#define xmlSecNssSymKeyDataGetCtx( data ) \
+    ( ( xmlSecNssSymKeyDataCtxPtr )( ( ( xmlSecByte* )( data ) ) + sizeof( xmlSecKeyData ) ) )
+
+
+static int  xmlSecNssSymKeyDataInitialize       (xmlSecKeyDataPtr data);
+static int  xmlSecNssSymKeyDataDuplicate        (xmlSecKeyDataPtr dst,
+                             xmlSecKeyDataPtr src);
+static void xmlSecNssSymKeyDataFinalize     (xmlSecKeyDataPtr data);
+static int  xmlSecNssSymKeyDataXmlRead      (xmlSecKeyDataId id,
+                             xmlSecKeyPtr key,
+                             xmlNodePtr node,
+                             xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int  xmlSecNssSymKeyDataXmlWrite     (xmlSecKeyDataId id,
+                             xmlSecKeyPtr key,
+                             xmlNodePtr node,
+                             xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int  xmlSecNssSymKeyDataBinRead      (xmlSecKeyDataId id,
+                             xmlSecKeyPtr key,
+                             const xmlSecByte* buf,
+                             xmlSecSize bufSize,
+                             xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int  xmlSecNssSymKeyDataBinWrite     (xmlSecKeyDataId id,
+                             xmlSecKeyPtr key,
+                             xmlSecByte** buf,
+                             xmlSecSize* bufSize,
+                             xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int  xmlSecNssSymKeyDataGenerate     (xmlSecKeyDataPtr data,
+                             xmlSecSize sizeBits,
+                             xmlSecKeyDataType type);
+
+static xmlSecKeyDataType xmlSecNssSymKeyDataGetType (xmlSecKeyDataPtr data);
+static xmlSecSize   xmlSecNssSymKeyDataGetSize      (xmlSecKeyDataPtr data);
+static void xmlSecNssSymKeyDataDebugDump    (xmlSecKeyDataPtr data,
+                             FILE* output);
+static void xmlSecNssSymKeyDataDebugXmlDump (xmlSecKeyDataPtr data,
+                             FILE* output);
+static int  xmlSecNssSymKeyDataKlassCheck   (xmlSecKeyDataKlass* klass);
 
 #define xmlSecNssSymKeyDataCheckId(data) \
     (xmlSecKeyDataIsValid((data)) && \
      xmlSecNssSymKeyDataKlassCheck((data)->id))
 
+/**
+ * xmlSecNssSymKeyDataAdoptKey:
+ * @data:                              the pointer to symmetric key data.
+ * @symkey:                            the symmetric key
+ *
+ * Set the value of symmetric key data.
+ *
+ * Returns 0 on success or a negative value if an error occurs.
+ */
+int
+xmlSecNssSymKeyDataAdoptKey(
+       xmlSecKeyDataPtr data ,
+       PK11SymKey* symkey
+) {
+       xmlSecNssSymKeyDataCtxPtr context = NULL ;
+
+       xmlSecAssert2( xmlSecNssSymKeyDataCheckId( data ), -1 ) ;
+       xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), -1 ) ;
+       xmlSecAssert2( symkey != NULL, -1 ) ;
+
+       context = xmlSecNssSymKeyDataGetCtx( data ) ;
+       xmlSecAssert2(context != NULL, -1);
+
+       context->cipher = PK11_GetMechanism( symkey ) ;
+
+       if( context->slot != NULL ) {
+               PK11_FreeSlot( context->slot ) ;
+               context->slot = NULL ;
+       }
+       context->slot = PK11_GetSlotFromKey( symkey ) ;
+
+       if( context->symkey != NULL ) {
+               PK11_FreeSymKey( context->symkey ) ;
+               context->symkey = NULL ;
+       }
+       context->symkey = PK11_ReferenceSymKey( symkey ) ;
+
+       return 0 ;
+}
+
+xmlSecKeyDataPtr xmlSecNssSymKeyDataKeyAdopt(
+    PK11SymKey*     symKey
+) {
+       xmlSecKeyDataPtr        data = NULL ;
+       CK_MECHANISM_TYPE       mechanism = CKM_INVALID_MECHANISM ;
+
+       xmlSecAssert2( symKey != NULL , NULL ) ;
+
+       mechanism = PK11_GetMechanism( symKey ) ;
+       switch( mechanism ) {
+               case CKM_DES3_KEY_GEN :
+               case CKM_DES3_CBC :
+               case CKM_DES3_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataDesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               case CKM_AES_KEY_GEN :
+               case CKM_AES_CBC :
+               case CKM_AES_MAC :
+                       data = xmlSecKeyDataCreate( xmlSecNssKeyDataAesId ) ;
+                       if( data == NULL ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       "xmlSecKeyDataCreate" ,
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                                       "xmlSecNssKeyDataDesId" ) ;
+                               return NULL ;
+                       }
+                       break ;
+               default :
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                               "Unsupported mechanism" ) ;
+                       return NULL ;
+       }
+
+       if( xmlSecNssSymKeyDataAdoptKey( data , symKey ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       "xmlSecNssSymKeyDataAdoptKey" ,
+                       XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecKeyDataDestroy( data ) ;
+               return NULL ;
+       }
+
+       return data ;
+}
+
+
+PK11SymKey*
+xmlSecNssSymKeyDataGetKey(
+    xmlSecKeyDataPtr data
+) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    PK11SymKey* symkey ;
+
+    xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), NULL);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), NULL);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, NULL);
+
+    if( ctx->symkey != NULL ) {
+        symkey = PK11_ReferenceSymKey( ctx->symkey ) ;
+    } else {
+        symkey = NULL ;
+    }
+
+    return(symkey);
+}
+
 static int
 xmlSecNssSymKeyDataInitialize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
-    
-    return(xmlSecKeyDataBinaryValueInitialize(data));
+    xmlSecAssert2(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize), -1);
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    memset( ctx, 0, sizeof(xmlSecNssSymKeyDataCtx));
+
+    /* Set the block cipher mechanism */
+#ifndef XMLSEC_NO_DES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_DES3_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_DES */
+
+#ifndef XMLSEC_NO_AES
+    if(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataDesId)) {
+        ctx->cipher = CKM_AES_KEY_GEN;
+    } else
+#endif  /* XMLSEC_NO_AES */
+
+    if(1) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            "Unsupported block cipher" ) ;
+        return(-1) ;
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataDuplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
+    xmlSecNssSymKeyDataCtxPtr ctxDst;
+    xmlSecNssSymKeyDataCtxPtr ctxSrc;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(dst), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(dst, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(src), -1);
+    xmlSecAssert2(xmlSecKeyDataCheckSize(src, xmlSecNssSymKeyDataSize), -1);
     xmlSecAssert2(dst->id == src->id, -1);
-        
-    return(xmlSecKeyDataBinaryValueDuplicate(dst, src));
+
+    ctxDst = xmlSecNssSymKeyDataGetCtx(dst);
+    xmlSecAssert2(ctxDst != NULL, -1);
+
+    ctxSrc = xmlSecNssSymKeyDataGetCtx(src);
+    xmlSecAssert2(ctxSrc != NULL, -1);
+
+    ctxDst->cipher = ctxSrc->cipher ;
+
+    if( ctxSrc->slot != NULL ) {
+        if( ctxDst->slot != NULL && ctxDst->slot != ctxSrc->slot ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+
+        if( ctxDst->slot == NULL && ctxSrc->slot != NULL )
+            ctxDst->slot = PK11_ReferenceSlot( ctxSrc->slot ) ;
+    } else {
+        if( ctxDst->slot != NULL ) {
+            PK11_FreeSlot( ctxDst->slot ) ;
+            ctxDst->slot = NULL ;
+        }
+    }
+
+    if( ctxSrc->symkey != NULL ) {
+        if( ctxDst->symkey != NULL && ctxDst->symkey != ctxSrc->symkey ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+
+        if( ctxDst->symkey == NULL && ctxSrc->symkey != NULL )
+            ctxDst->symkey = PK11_ReferenceSymKey( ctxSrc->symkey ) ;
+    } else {
+        if( ctxDst->symkey != NULL ) {
+            PK11_FreeSymKey( ctxDst->symkey ) ;
+            ctxDst->symkey = NULL ;
+        }
+    }
+
+    return(0);
 }
 
 static void
 xmlSecNssSymKeyDataFinalize(xmlSecKeyDataPtr data) {
+    xmlSecNssSymKeyDataCtxPtr ctx;
+
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
-    
-    xmlSecKeyDataBinaryValueFinalize(data);
+    xmlSecAssert(xmlSecKeyDataCheckSize(data, xmlSecNssSymKeyDataSize));
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert(ctx != NULL);
+
+    if( ctx->slot != NULL ) {
+        PK11_FreeSlot( ctx->slot ) ;
+        ctx->slot = NULL ;
+    }
+
+    if( ctx->symkey != NULL ) {
+        PK11_FreeSymKey( ctx->symkey ) ;
+        ctx->symkey = NULL ;
+    }
+
+    ctx->cipher = CKM_INVALID_MECHANISM ;
 }
 
 static int
 xmlSecNssSymKeyDataXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
-                              xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+                   xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecBufferPtr keyBuf;
+    xmlSecSize len;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
+    
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Create a buffer for raw symmetric key value */
+    if( ( keyBuf = xmlSecBufferCreate( 128 ) ) == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecBufferCreate" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Read the raw key value */
+    if( xmlSecBufferBase64NodeContentRead( keyBuf , node ) < 0 ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = xmlSecBufferGetData( keyBuf ) ;
+    keyItem.len = xmlSecBufferGetSize( keyBuf ) ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               PK11_FreeSlot( slot ) ;
+        xmlSecBufferDestroy( keyBuf ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+       PK11_FreeSlot( slot ) ;
+
+    /* raw key material has been copied into symKey, it isn't used any more */
+    xmlSecBufferDestroy( keyBuf ) ;
     
-    return(xmlSecKeyDataBinaryValueXmlRead(id, key, node, keyInfoCtx));
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        PK11_FreeSymKey( symKey ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
+    
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int 
 xmlSecNssSymKeyDataXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
-                                   xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+                    xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+               xmlSecBufferPtr keyBuf ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               /* Create key data buffer with raw kwy material */
+               keyBuf = xmlSecBufferCreate(keyItem->len) ;
+           if(keyBuf == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferCreate",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               xmlSecBufferSetData( keyBuf , keyItem->data , keyItem->len ) ;
+
+               /* Write raw key material into current xml node */
+               if( xmlSecBufferBase64NodeContentWrite( keyBuf, node, XMLSEC_BASE64_LINESIZE ) < 0 ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "xmlSecBufferBase64NodeContentWrite",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       xmlSecBufferDestroy(keyBuf);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+               xmlSecBufferDestroy(keyBuf);
+               PK11_FreeSymKey( symKey ) ;
+    }
     
-    return(xmlSecKeyDataBinaryValueXmlWrite(id, key, node, keyInfoCtx));
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataBinRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
-                                   const xmlSecByte* buf, xmlSecSize bufSize,
-                                   xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+                    const xmlSecByte* buf, xmlSecSize bufSize,
+                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+    PK11SlotInfo* slot ;
+    xmlSecKeyDataPtr data;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    SECItem keyItem ;
+    int ret;
     
-    return(xmlSecKeyDataBinaryValueBinRead(id, key, buf, bufSize, keyInfoCtx));
+    xmlSecAssert2(id != xmlSecKeyDataIdUnknown, -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* Create a new KeyData from a id */
+    data = xmlSecKeyDataCreate(id);
+    if(data == NULL ) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataCreate",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Wrap the raw key value SECItem */
+    keyItem.type = siBuffer ;
+    keyItem.data = buf ;
+    keyItem.len = bufSize ;
+
+    /* Import the raw key into slot temporalily and get the key handler*/
+    symKey = PK11_ImportSymKey(slot, ctx->cipher, PK11_OriginGenerated, CKA_VALUE, &keyItem, NULL ) ;
+    if( symKey == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "PK11_ImportSymKey" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1) ;
+    }
+
+    /* Adopt the symmetric key into key data */
+    ret = xmlSecNssSymKeyDataAdoptKey(data, symKey);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyDataBinaryValueSetBuffer",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        PK11_FreeSymKey( symKey ) ;
+               PK11_FreeSlot( slot ) ;
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+    /* symKey has been duplicated into data, it isn't used any more */
+    PK11_FreeSymKey( symKey ) ;
+       PK11_FreeSlot( slot ) ;
+
+    /* Check value */
+    if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), data) != 1) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeyReqMatchKeyValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(0);
+    }
+    
+    ret = xmlSecKeySetValue(key, data);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+            "xmlSecKeySetValue",
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            XMLSEC_ERRORS_NO_MESSAGE);
+               xmlSecKeyDataDestroy( data ) ;
+        return(-1);
+    }
+
+    return(0);
 }
 
 static int
 xmlSecNssSymKeyDataBinWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
-                                   xmlSecByte** buf, xmlSecSize* bufSize,
-                                   xmlSecKeyInfoCtxPtr keyInfoCtx) {
+                    xmlSecByte** buf, xmlSecSize* bufSize,
+                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    PK11SymKey* symKey ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataKlassCheck(id), -1);
+    xmlSecAssert2(key != NULL, -1);
+    xmlSecAssert2(buf != NULL, -1);
+    xmlSecAssert2(bufSize != 0, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+       /* Get symmetric key from "key" */
+    symKey = xmlSecNssSymKeyDataGetKey(xmlSecKeyGetValue(key)); 
+    if( symKey != NULL ) {
+        SECItem* keyItem ;
+
+               /* Extract raw key data from symmetric key */
+               if( PK11_ExtractKeyValue( symKey ) != SECSuccess ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_ExtractKeyValue",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+               }
+
+               /* Get raw key data from "symKey" */
+        keyItem = PK11_GetKeyData( symKey ) ;
+           if(keyItem == NULL) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               "PK11_GetKeyData",
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               *bufSize = keyItem->len;
+               *buf = ( xmlSecByte* )xmlMalloc( *bufSize );
+               if( *buf == NULL ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+               xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+               NULL,
+               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+               XMLSEC_ERRORS_NO_MESSAGE);
+                       PK11_FreeSymKey( symKey ) ;
+               return(-1);
+       }
+
+               memcpy((*buf), keyItem->data, (*bufSize));
+               PK11_FreeSymKey( symKey ) ;
+    }
     
-    return(xmlSecKeyDataBinaryValueBinWrite(id, key, buf, bufSize, keyInfoCtx));
+    return 0 ;
 }
 
 static int
 xmlSecNssSymKeyDataGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
-    xmlSecBufferPtr buffer;
-
+    PK11SymKey* symkey ;
+    PK11SlotInfo* slot ;
+    xmlSecNssSymKeyDataCtxPtr ctx;
+    int ret;
+    
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), -1);
     xmlSecAssert2(sizeBits > 0, -1);
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, -1);
-    
-    return(xmlSecNssGenerateRandom(buffer, (sizeBits + 7) / 8));
+    ctx = xmlSecNssSymKeyDataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+       if( sizeBits % 8 != 0 ) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            NULL,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+            "Symmetric key size must be octuple");
+        return(-1);
+       }
+
+    /* Get slot */
+    slot = xmlSecNssSlotGet(ctx->cipher);
+    if( slot == NULL ) {
+        xmlSecError( XMLSEC_ERRORS_HERE ,
+            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+            "xmlSecNssSlotGet" ,
+            XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+            XMLSEC_ERRORS_NO_MESSAGE ) ;
+        return(-1) ;
+    }
+
+       if( PK11_Authenticate( slot, PR_FALSE , NULL ) != SECSuccess ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                   "PK11_Authenticate" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               PK11_FreeSlot( slot ) ;
+               return -1 ;
+       }
+
+       symkey = PK11_KeyGen( slot , ctx->cipher , NULL , sizeBits/8 , NULL ) ;
+       if( symkey == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                   "PK11_KeyGen" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               PK11_FreeSlot( slot ) ;
+               return -1 ;
+       }
+
+       if( ctx->slot != NULL ) {
+               PK11_FreeSlot( ctx->slot ) ;
+               ctx->slot = NULL ;
+       }
+       ctx->slot = slot ;
+
+       if( ctx->symkey != NULL ) {
+               PK11_FreeSymKey( ctx->symkey ) ;
+               ctx->symkey = NULL ;
+       }
+       ctx->symkey = symkey ;
+
+       return 0 ;
 }
 
 static xmlSecKeyDataType
 xmlSecNssSymKeyDataGetType(xmlSecKeyDataPtr data) {
-    xmlSecBufferPtr buffer;
+       xmlSecNssSymKeyDataCtxPtr context = NULL ;
+       xmlSecKeyDataType type = xmlSecKeyDataTypeUnknown ;
 
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), xmlSecKeyDataTypeUnknown);
+       xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), xmlSecKeyDataTypeUnknown ) ;
 
-    buffer = xmlSecKeyDataBinaryValueGetBuffer(data);
-    xmlSecAssert2(buffer != NULL, xmlSecKeyDataTypeUnknown);
+       context = xmlSecNssSymKeyDataGetCtx( data ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                   "xmlSecNssSymKeyDataGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return xmlSecKeyDataTypeUnknown ;
+       }
+
+       if( context->symkey != NULL ) {
+               type |= xmlSecKeyDataTypeSymmetric ;
+       } else {
+               type |= xmlSecKeyDataTypeUnknown ;
+       }
 
-    return((xmlSecBufferGetSize(buffer) > 0) ? xmlSecKeyDataTypeSymmetric : xmlSecKeyDataTypeUnknown);
+       return type ;
 }
 
 static xmlSecSize 
 xmlSecNssSymKeyDataGetSize(xmlSecKeyDataPtr data) {
+       xmlSecNssSymKeyDataCtxPtr context ;
+       unsigned int    length = 0 ;
+
     xmlSecAssert2(xmlSecNssSymKeyDataCheckId(data), 0);
-    
-    return(xmlSecKeyDataBinaryValueGetSize(data));
+       xmlSecAssert2( xmlSecKeyDataCheckSize( data, xmlSecNssSymKeyDataSize ), 0 ) ;
+
+       context = xmlSecNssSymKeyDataGetCtx( data ) ;
+       if( context == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                   xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                   "xmlSecNssSymKeyDataGetCtx" ,
+                   XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                   XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return 0 ;
+       }
+
+       if( context->symkey != NULL ) {
+               length = PK11_GetKeyLength( context->symkey ) ;
+               length *= 8 ;
+       }
+
+       return length ;
 }
 
 static void 
 xmlSecNssSymKeyDataDebugDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
     
-    xmlSecKeyDataBinaryValueDebugDump(data, output);    
+       /* print only size, everything else is sensitive */
+       fprintf( output , "=== %s: size=%d\n" , data->id->dataNodeName ,
+                                                                                       xmlSecKeyDataGetSize(data)) ;
 }
 
 static void
 xmlSecNssSymKeyDataDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
     xmlSecAssert(xmlSecNssSymKeyDataCheckId(data));
     
-    xmlSecKeyDataBinaryValueDebugXmlDump(data, output);    
+       /* print only size, everything else is sensitive */
+       fprintf( output , "<%s size=\"%d\" />\n" , data->id->dataNodeName ,
+                                                                                       xmlSecKeyDataGetSize(data)) ;
 }
 
 static int 
 xmlSecNssSymKeyDataKlassCheck(xmlSecKeyDataKlass* klass) {    
 #ifndef XMLSEC_NO_DES
     if(klass == xmlSecNssKeyDataDesId) {
-       return(1);
+    return(1);
     }
 #endif /* XMLSEC_NO_DES */
 
 #ifndef XMLSEC_NO_AES
     if(klass == xmlSecNssKeyDataAesId) {
-       return(1);
+    return(1);
     }
 #endif /* XMLSEC_NO_AES */
 
 #ifndef XMLSEC_NO_HMAC
     if(klass == xmlSecNssKeyDataHmacId) {
-       return(1);
+    return(1);
     }
 #endif /* XMLSEC_NO_HMAC */
 
@@ -199,42 +858,46 @@
  * <xmlsec:AESKeyValue> processing
  *
  *************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataAesKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameAESKeyValue,
     xmlSecKeyDataUsageKeyValueNode | xmlSecKeyDataUsageRetrievalMethodNodeXml, 
-                                               /* xmlSecKeyDataUsage usage; */
-    xmlSecHrefAESKeyValue,                     /* const xmlChar* href; */
-    xmlSecNodeAESKeyValue,                     /* const xmlChar* dataNodeName; */
-    xmlSecNs,                                  /* const xmlChar* dataNodeNs; */
+                        /* xmlSecKeyDataUsage usage; */
+    xmlSecHrefAESKeyValue,          /* const xmlChar* href; */
+    xmlSecNodeAESKeyValue,          /* const xmlChar* dataNodeName; */
+    xmlSecNs,                   /* const xmlChar* dataNodeNs; */
     
     /* constructors/destructor */
-    xmlSecNssSymKeyDataInitialize,             /* xmlSecKeyDataInitializeMethod initialize; */
-    xmlSecNssSymKeyDataDuplicate,              /* xmlSecKeyDataDuplicateMethod duplicate; */
-    xmlSecNssSymKeyDataFinalize,               /* xmlSecKeyDataFinalizeMethod finalize; */
-    xmlSecNssSymKeyDataGenerate,               /* xmlSecKeyDataGenerateMethod generate; */
+    xmlSecNssSymKeyDataInitialize,      /* xmlSecKeyDataInitializeMethod initialize; */
+    xmlSecNssSymKeyDataDuplicate,       /* xmlSecKeyDataDuplicateMethod duplicate; */
+    xmlSecNssSymKeyDataFinalize,        /* xmlSecKeyDataFinalizeMethod finalize; */
+    xmlSecNssSymKeyDataGenerate,        /* xmlSecKeyDataGenerateMethod generate; */
     
     /* get info */
-    xmlSecNssSymKeyDataGetType,                /* xmlSecKeyDataGetTypeMethod getType; */
-    xmlSecNssSymKeyDataGetSize,                /* xmlSecKeyDataGetSizeMethod getSize; */
-    NULL,                                      /* xmlSecKeyDataGetIdentifier getIdentifier; */
+    xmlSecNssSymKeyDataGetType,         /* xmlSecKeyDataGetTypeMethod getType; */
+    xmlSecNssSymKeyDataGetSize,     /* xmlSecKeyDataGetSizeMethod getSize; */
+    NULL,                   /* xmlSecKeyDataGetIdentifier getIdentifier; */
 
     /* read/write */
-    xmlSecNssSymKeyDataXmlRead,                /* xmlSecKeyDataXmlReadMethod xmlRead; */
-    xmlSecNssSymKeyDataXmlWrite,               /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
-    xmlSecNssSymKeyDataBinRead,                /* xmlSecKeyDataBinReadMethod binRead; */
-    xmlSecNssSymKeyDataBinWrite,               /* xmlSecKeyDataBinWriteMethod binWrite; */
+    xmlSecNssSymKeyDataXmlRead,     /* xmlSecKeyDataXmlReadMethod xmlRead; */
+    xmlSecNssSymKeyDataXmlWrite,        /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
+    xmlSecNssSymKeyDataBinRead,     /* xmlSecKeyDataBinReadMethod binRead; */
+    xmlSecNssSymKeyDataBinWrite,        /* xmlSecKeyDataBinWriteMethod binWrite; */
 
     /* debug */
-    xmlSecNssSymKeyDataDebugDump,              /* xmlSecKeyDataDebugDumpMethod debugDump; */
-    xmlSecNssSymKeyDataDebugXmlDump,   /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
+    xmlSecNssSymKeyDataDebugDump,       /* xmlSecKeyDataDebugDumpMethod debugDump; */
+    xmlSecNssSymKeyDataDebugXmlDump,    /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
 
     /* reserved for the future */
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
+    NULL,                   /* void* reserved0; */
+    NULL,                   /* void* reserved1; */
 };
 
 /** 
@@ -251,9 +914,9 @@
 
 /**
  * xmlSecNssKeyDataAesSet:
- * @data:              the pointer to AES key data.
- * @buf:               the pointer to key value.
- * @bufSize:           the key value size (in bytes).
+ * @data:       the pointer to AES key data.
+ * @buf:        the pointer to key value.
+ * @bufSize:        the key value size (in bytes).
  *
  * Sets the value of AES key data.
  *
@@ -280,42 +943,46 @@
  * <xmlsec:DESKeyValue> processing
  *
  *************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataDesKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameDESKeyValue,
     xmlSecKeyDataUsageKeyValueNode | xmlSecKeyDataUsageRetrievalMethodNodeXml, 
-                                               /* xmlSecKeyDataUsage usage; */
-    xmlSecHrefDESKeyValue,                     /* const xmlChar* href; */
-    xmlSecNodeDESKeyValue,                     /* const xmlChar* dataNodeName; */
-    xmlSecNs,                                  /* const xmlChar* dataNodeNs; */
+                        /* xmlSecKeyDataUsage usage; */
+    xmlSecHrefDESKeyValue,          /* const xmlChar* href; */
+    xmlSecNodeDESKeyValue,          /* const xmlChar* dataNodeName; */
+    xmlSecNs,                   /* const xmlChar* dataNodeNs; */
     
     /* constructors/destructor */
-    xmlSecNssSymKeyDataInitialize,             /* xmlSecKeyDataInitializeMethod initialize; */
-    xmlSecNssSymKeyDataDuplicate,              /* xmlSecKeyDataDuplicateMethod duplicate; */
-    xmlSecNssSymKeyDataFinalize,               /* xmlSecKeyDataFinalizeMethod finalize; */
-    xmlSecNssSymKeyDataGenerate,               /* xmlSecKeyDataGenerateMethod generate; */
+    xmlSecNssSymKeyDataInitialize,      /* xmlSecKeyDataInitializeMethod initialize; */
+    xmlSecNssSymKeyDataDuplicate,       /* xmlSecKeyDataDuplicateMethod duplicate; */
+    xmlSecNssSymKeyDataFinalize,        /* xmlSecKeyDataFinalizeMethod finalize; */
+    xmlSecNssSymKeyDataGenerate,        /* xmlSecKeyDataGenerateMethod generate; */
     
     /* get info */
-    xmlSecNssSymKeyDataGetType,                /* xmlSecKeyDataGetTypeMethod getType; */
-    xmlSecNssSymKeyDataGetSize,                /* xmlSecKeyDataGetSizeMethod getSize; */
-    NULL,                                      /* xmlSecKeyDataGetIdentifier getIdentifier; */
+    xmlSecNssSymKeyDataGetType,         /* xmlSecKeyDataGetTypeMethod getType; */
+    xmlSecNssSymKeyDataGetSize,     /* xmlSecKeyDataGetSizeMethod getSize; */
+    NULL,                   /* xmlSecKeyDataGetIdentifier getIdentifier; */
 
     /* read/write */
-    xmlSecNssSymKeyDataXmlRead,                /* xmlSecKeyDataXmlReadMethod xmlRead; */
-    xmlSecNssSymKeyDataXmlWrite,               /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
-    xmlSecNssSymKeyDataBinRead,                /* xmlSecKeyDataBinReadMethod binRead; */
-    xmlSecNssSymKeyDataBinWrite,               /* xmlSecKeyDataBinWriteMethod binWrite; */
+    xmlSecNssSymKeyDataXmlRead,     /* xmlSecKeyDataXmlReadMethod xmlRead; */
+    xmlSecNssSymKeyDataXmlWrite,        /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
+    xmlSecNssSymKeyDataBinRead,     /* xmlSecKeyDataBinReadMethod binRead; */
+    xmlSecNssSymKeyDataBinWrite,        /* xmlSecKeyDataBinWriteMethod binWrite; */
 
     /* debug */
-    xmlSecNssSymKeyDataDebugDump,              /* xmlSecKeyDataDebugDumpMethod debugDump; */
-    xmlSecNssSymKeyDataDebugXmlDump,   /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
+    xmlSecNssSymKeyDataDebugDump,       /* xmlSecKeyDataDebugDumpMethod debugDump; */
+    xmlSecNssSymKeyDataDebugXmlDump,    /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
 
     /* reserved for the future */
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
+    NULL,                   /* void* reserved0; */
+    NULL,                   /* void* reserved1; */
 };
 
 /** 
@@ -332,9 +999,9 @@
 
 /**
  * xmlSecNssKeyDataDesSet:
- * @data:              the pointer to DES key data.
- * @buf:               the pointer to key value.
- * @bufSize:           the key value size (in bytes).
+ * @data:       the pointer to DES key data.
+ * @buf:        the pointer to key value.
+ * @bufSize:        the key value size (in bytes).
  *
  * Sets the value of DES key data.
  *
@@ -362,42 +1029,46 @@
  * <xmlsec:HMACKeyValue> processing
  *
  *************************************************************************/
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataHmacKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
-    xmlSecKeyDataBinarySize,
+    xmlSecNssSymKeyDataSize,
 
     /* data */
     xmlSecNameHMACKeyValue,
     xmlSecKeyDataUsageKeyValueNode | xmlSecKeyDataUsageRetrievalMethodNodeXml, 
-                                               /* xmlSecKeyDataUsage usage; */
-    xmlSecHrefHMACKeyValue,                    /* const xmlChar* href; */
-    xmlSecNodeHMACKeyValue,                    /* const xmlChar* dataNodeName; */
-    xmlSecNs,                                  /* const xmlChar* dataNodeNs; */
+                        /* xmlSecKeyDataUsage usage; */
+    xmlSecHrefHMACKeyValue,         /* const xmlChar* href; */
+    xmlSecNodeHMACKeyValue,         /* const xmlChar* dataNodeName; */
+    xmlSecNs,                   /* const xmlChar* dataNodeNs; */
     
     /* constructors/destructor */
-    xmlSecNssSymKeyDataInitialize,             /* xmlSecKeyDataInitializeMethod initialize; */
-    xmlSecNssSymKeyDataDuplicate,              /* xmlSecKeyDataDuplicateMethod duplicate; */
-    xmlSecNssSymKeyDataFinalize,               /* xmlSecKeyDataFinalizeMethod finalize; */
-    xmlSecNssSymKeyDataGenerate,               /* xmlSecKeyDataGenerateMethod generate; */
+    xmlSecNssSymKeyDataInitialize,      /* xmlSecKeyDataInitializeMethod initialize; */
+    xmlSecNssSymKeyDataDuplicate,       /* xmlSecKeyDataDuplicateMethod duplicate; */
+    xmlSecNssSymKeyDataFinalize,        /* xmlSecKeyDataFinalizeMethod finalize; */
+    xmlSecNssSymKeyDataGenerate,        /* xmlSecKeyDataGenerateMethod generate; */
     
     /* get info */
-    xmlSecNssSymKeyDataGetType,                /* xmlSecKeyDataGetTypeMethod getType; */
-    xmlSecNssSymKeyDataGetSize,                /* xmlSecKeyDataGetSizeMethod getSize; */
-    NULL,                                      /* xmlSecKeyDataGetIdentifier getIdentifier; */
+    xmlSecNssSymKeyDataGetType,         /* xmlSecKeyDataGetTypeMethod getType; */
+    xmlSecNssSymKeyDataGetSize,     /* xmlSecKeyDataGetSizeMethod getSize; */
+    NULL,                   /* xmlSecKeyDataGetIdentifier getIdentifier; */
 
     /* read/write */
-    xmlSecNssSymKeyDataXmlRead,                /* xmlSecKeyDataXmlReadMethod xmlRead; */
-    xmlSecNssSymKeyDataXmlWrite,               /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
-    xmlSecNssSymKeyDataBinRead,                /* xmlSecKeyDataBinReadMethod binRead; */
-    xmlSecNssSymKeyDataBinWrite,               /* xmlSecKeyDataBinWriteMethod binWrite; */
+    xmlSecNssSymKeyDataXmlRead,     /* xmlSecKeyDataXmlReadMethod xmlRead; */
+    xmlSecNssSymKeyDataXmlWrite,        /* xmlSecKeyDataXmlWriteMethod xmlWrite; */
+    xmlSecNssSymKeyDataBinRead,     /* xmlSecKeyDataBinReadMethod binRead; */
+    xmlSecNssSymKeyDataBinWrite,        /* xmlSecKeyDataBinWriteMethod binWrite; */
 
     /* debug */
-    xmlSecNssSymKeyDataDebugDump,              /* xmlSecKeyDataDebugDumpMethod debugDump; */
-    xmlSecNssSymKeyDataDebugXmlDump,   /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
+    xmlSecNssSymKeyDataDebugDump,       /* xmlSecKeyDataDebugDumpMethod debugDump; */
+    xmlSecNssSymKeyDataDebugXmlDump,    /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */
 
     /* reserved for the future */
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
+    NULL,                   /* void* reserved0; */
+    NULL,                   /* void* reserved1; */
 };
 
 /** 
@@ -414,9 +1085,9 @@
 
 /**
  * xmlSecNssKeyDataHmacSet:
- * @data:              the pointer to HMAC key data.
- * @buf:               the pointer to key value.
- * @bufSize:           the key value size (in bytes).
+ * @data:       the pointer to HMAC key data.
+ * @buf:        the pointer to key value.
+ * @bufSize:        the key value size (in bytes).
  *
  * Sets the value of HMAC key data.
  *
--- misc/xmlsec1-1.2.6/src/nss/tokens.c 2008-06-29 23:44:40.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/tokens.c   2008-06-29 23:44:19.000000000 +0200
@@ -1 +1,548 @@
-dummy
+/**
+ * XMLSec library
+ *
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright..................................
+ *
+ * Contributor(s): _____________________________
+ *
+ */
+
+/**
+ * In order to ensure that particular crypto operation is performed on
+ * particular crypto device, a subclass of xmlSecList is used to store slot and 
+ * mechanism information.
+ *
+ * In the list, a slot is bound with a mechanism. If the mechanism is available,
+ * this mechanism only can perform on the slot; otherwise, it can perform on
+ * every eligibl slot in the list.
+ *
+ * When try to find a slot for a particular mechanism, the slot bound with
+ * avaliable mechanism will be looked up firstly.
+ */
+#include "globals.h"
+#include <string.h>
+
+#include <xmlsec/xmlsec.h>
+#include <xmlsec/errors.h>
+#include <xmlsec/list.h>
+
+#include <xmlsec/nss/tokens.h>
+
+int
+xmlSecNssKeySlotSetMechList(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE_PTR mechanismList
+) {
+       int counter ;
+
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+       if( keySlot->mechanismList != CK_NULL_PTR ) {
+               xmlFree( keySlot->mechanismList ) ;
+
+               for( counter = 0 ; *( mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+               keySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+               if( keySlot->mechanismList == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return( -1 );
+               }
+               for( ; counter >= 0 ; counter -- )
+                       *( keySlot->mechanismList + counter ) = *(  mechanismList + counter ) ;
+       }
+
+       return( 0 );
+}
+
+int
+xmlSecNssKeySlotEnableMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE mechanism
+) {
+       int counter ;
+       CK_MECHANISM_TYPE_PTR newList ;
+
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+       if( mechanism != CKM_INVALID_MECHANISM ) {
+               for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+               newList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+               if( newList == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return( -1 );
+               }
+               *( newList + counter + 1 ) = CKM_INVALID_MECHANISM ;
+               *( newList + counter ) = mechanism ;
+               for( counter -= 1 ; counter >= 0 ; counter -- )
+                       *( newList + counter ) = *(  keySlot->mechanismList + counter ) ;
+
+               xmlFree( keySlot->mechanismList ) ;
+               keySlot->mechanismList = newList ;
+       }
+
+       return(0);
+}
+
+int
+xmlSecNssKeySlotDisableMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE mechanism
+) {
+       int counter ;
+
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+       for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+               if( *( keySlot->mechanismList + counter ) == mechanism ) {
+                       for( ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+                               *( keySlot->mechanismList + counter ) = *( keySlot->mechanismList + counter + 1 ) ;
+                       }
+
+                       break ;
+               }
+       }
+
+       return(0); 
+}
+
+CK_MECHANISM_TYPE_PTR
+xmlSecNssKeySlotGetMechList(
+    xmlSecNssKeySlotPtr keySlot
+) {
+       if( keySlot != NULL )
+               return keySlot->mechanismList ;
+       else
+               return NULL ;
+}
+
+int
+xmlSecNssKeySlotSetSlot(
+    xmlSecNssKeySlotPtr keySlot ,
+       PK11SlotInfo* slot
+) {
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+       if( slot != NULL && keySlot->slot != slot ) {
+               if( keySlot->slot != NULL )
+                       PK11_FreeSlot( keySlot->slot ) ;
+
+               if( keySlot->mechanismList != NULL ) {
+                       xmlFree( keySlot->mechanismList ) ;
+                       keySlot->mechanismList = NULL ;
+               }
+
+               keySlot->slot = PK11_ReferenceSlot( slot ) ;
+       }
+
+       return(0);
+}
+
+int
+xmlSecNssKeySlotInitialize(
+    xmlSecNssKeySlotPtr keySlot ,
+       PK11SlotInfo* slot
+) {
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+       xmlSecAssert2( keySlot->slot == NULL , -1 ) ;
+       xmlSecAssert2( keySlot->mechanismList == NULL , -1 ) ;
+
+       if( slot != NULL ) {
+               keySlot->slot = PK11_ReferenceSlot( slot ) ;
+       }
+
+       return(0);
+}
+
+void
+xmlSecNssKeySlotFinalize(
+    xmlSecNssKeySlotPtr keySlot
+) {
+       xmlSecAssert( keySlot != NULL ) ;
+
+       if( keySlot->mechanismList != NULL ) {
+               xmlFree( keySlot->mechanismList ) ;
+               keySlot->mechanismList = NULL ;
+       }
+
+       if( keySlot->slot != NULL ) {
+               PK11_FreeSlot( keySlot->slot ) ;
+               keySlot->slot = NULL ;
+       }
+               
+}
+
+PK11SlotInfo*
+xmlSecNssKeySlotGetSlot(
+       xmlSecNssKeySlotPtr keySlot
+) {
+       if( keySlot != NULL )
+               return keySlot->slot ;
+       else
+               return NULL ;
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotCreate() {
+       xmlSecNssKeySlotPtr keySlot ;
+
+       /* Allocates a new xmlSecNssKeySlot and fill the fields */
+       keySlot = ( xmlSecNssKeySlotPtr )xmlMalloc( sizeof( xmlSecNssKeySlot ) ) ;
+       if( keySlot == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( NULL );
+       }
+       memset( keySlot, 0, sizeof( xmlSecNssKeySlot ) ) ;
+
+       return( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotCopy(
+       xmlSecNssKeySlotPtr newKeySlot ,
+       xmlSecNssKeySlotPtr keySlot
+) {
+       CK_MECHANISM_TYPE_PTR mech ;
+       int counter ;
+
+       xmlSecAssert2( newKeySlot != NULL , -1 ) ;
+       xmlSecAssert2( keySlot != NULL , -1 ) ;
+
+       if( keySlot->slot != NULL && newKeySlot->slot != keySlot->slot ) {
+               if( newKeySlot->slot != NULL )
+                       PK11_FreeSlot( newKeySlot->slot ) ;
+
+               newKeySlot->slot = PK11_ReferenceSlot( keySlot->slot ) ;
+       }
+
+       if( keySlot->mechanismList != CK_NULL_PTR ) {
+               xmlFree( newKeySlot->mechanismList ) ;
+
+               for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) ;
+               newKeySlot->mechanismList = ( CK_MECHANISM_TYPE_PTR )xmlMalloc( ( counter + 1 ) * sizeof( CK_MECHANISM_TYPE ) ) ;
+               if( newKeySlot->mechanismList == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return( -1 );
+               }
+               for( ; counter >= 0 ; counter -- )
+                       *( newKeySlot->mechanismList + counter ) = *(  keySlot->mechanismList + counter ) ;
+       }
+
+       return( 0 );
+}
+
+xmlSecNssKeySlotPtr
+xmlSecNssKeySlotDuplicate(
+       xmlSecNssKeySlotPtr keySlot
+) {
+       xmlSecNssKeySlotPtr newKeySlot ;
+       int ret ;
+
+       xmlSecAssert2( keySlot != NULL , NULL ) ;
+
+       newKeySlot = xmlSecNssKeySlotCreate() ;
+       if( newKeySlot == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( NULL );
+       }
+
+       if( xmlSecNssKeySlotCopy( newKeySlot, keySlot ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( NULL );
+       }
+
+       return( newKeySlot );
+}
+
+void
+xmlSecNssKeySlotDestroy(
+           xmlSecNssKeySlotPtr keySlot
+) {
+       xmlSecAssert( keySlot != NULL ) ;
+
+       if( keySlot->mechanismList != NULL )
+               xmlFree( keySlot->mechanismList ) ;
+
+       if( keySlot->slot != NULL )
+               PK11_FreeSlot( keySlot->slot ) ;
+               
+       xmlFree( keySlot ) ;
+}
+
+int
+xmlSecNssKeySlotBindMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE type
+) {
+       int counter ;
+
+       xmlSecAssert2( keySlot != NULL , 0 ) ;
+       xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+       xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+       for( counter = 0 ; *( keySlot->mechanismList + counter ) != CKM_INVALID_MECHANISM ; counter ++ ) {
+               if( *( keySlot->mechanismList + counter ) == type )
+                       return(1) ;
+       }
+
+       return( 0 ) ;
+}
+
+int
+xmlSecNssKeySlotSupportMech(
+       xmlSecNssKeySlotPtr keySlot ,
+       CK_MECHANISM_TYPE type
+) {
+       xmlSecAssert2( keySlot != NULL , 0 ) ;
+       xmlSecAssert2( keySlot->slot != NULL , 0 ) ;
+       xmlSecAssert2( type != CKM_INVALID_MECHANISM , 0 ) ;
+
+       if( PK11_DoesMechanism( keySlot->slot , type ) == PR_TRUE ) {
+               return(1);
+       } else
+               return(0);
+}
+
+void
+xmlSecNssKeySlotDebugDump(
+       xmlSecNssKeySlotPtr keySlot ,
+       FILE* output
+) {
+       xmlSecAssert( keySlot != NULL ) ;
+       xmlSecAssert( output != NULL ) ;
+
+       fprintf( output, "== KEY SLOT\n" );
+}
+
+void
+xmlSecNssKeySlotDebugXmlDump(
+       xmlSecNssKeySlotPtr keySlot ,
+       FILE* output
+) {
+}
+
+/**
+ * Key Slot List
+ */
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#else
+static xmlSecPtrListKlass xmlSecNssKeySlotPtrListKlass = {
+#endif
+    BAD_CAST "mechanism-list",
+    (xmlSecPtrDuplicateItemMethod)xmlSecNssKeySlotDuplicate,
+    (xmlSecPtrDestroyItemMethod)xmlSecNssKeySlotDestroy,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugDump,
+    (xmlSecPtrDebugDumpItemMethod)xmlSecNssKeySlotDebugXmlDump,
+};
+
+xmlSecPtrListId 
+xmlSecNssKeySlotListGetKlass(void) {
+    return(&xmlSecNssKeySlotPtrListKlass);
+}
+
+
+/*-
+ * Global PKCS#11 crypto token repository -- Key slot list
+ */
+static xmlSecPtrListPtr _xmlSecNssKeySlotList = NULL ;
+
+PK11SlotInfo*
+xmlSecNssSlotGet(
+       CK_MECHANISM_TYPE type
+) {
+       PK11SlotInfo*                   slot = NULL ;
+       xmlSecNssKeySlotPtr             keySlot ;
+       xmlSecSize                              ksSize ;
+       xmlSecSize                              ksPos ;
+       char                                    flag ;
+
+       if( _xmlSecNssKeySlotList == NULL ) {
+               slot = PK11_GetBestSlot( type , NULL ) ;
+       } else {
+               ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+               /*-
+                * Firstly, checking whether the mechanism is bound with a special slot.
+                * If no bound slot, we try to find the first eligible slot in the list.
+                */
+               for( flag = 0, ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+                       keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+                       if( keySlot != NULL && xmlSecNssKeySlotBindMech( keySlot, type ) ) {
+                               slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+                               flag = 2 ;
+                       } else if( flag == 0 && xmlSecNssKeySlotSupportMech( keySlot, type ) ) {
+                               slot = xmlSecNssKeySlotGetSlot( keySlot ) ;
+                               flag = 1 ;
+                       }
+
+                       if( flag == 2 )
+                               break ;
+               }
+               if( slot != NULL )
+                       slot = PK11_ReferenceSlot( slot ) ;
+       }
+
+       if( slot != NULL && PK11_NeedLogin( slot ) ) {
+               if( PK11_Authenticate( slot , PR_TRUE , NULL ) != SECSuccess ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       PK11_FreeSlot( slot ) ;
+                       return( NULL );
+               }
+       }
+
+       return slot ;
+}
+
+int
+xmlSecNssSlotInitialize(
+       void
+) {
+       if( _xmlSecNssKeySlotList != NULL ) {
+               xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+               _xmlSecNssKeySlotList = NULL ;
+       }
+
+       _xmlSecNssKeySlotList = xmlSecPtrListCreate( xmlSecNssKeySlotListId ) ;
+       if( _xmlSecNssKeySlotList == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE ,
+                       NULL ,
+                       NULL ,
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return( -1 );
+       }
+
+       return(0);
+}
+
+void
+xmlSecNssSlotShutdown(
+       void
+) {
+       if( _xmlSecNssKeySlotList != NULL ) {
+               xmlSecPtrListDestroy( _xmlSecNssKeySlotList ) ;
+               _xmlSecNssKeySlotList = NULL ;
+       }
+}
+
+int
+xmlSecNssSlotAdopt(
+       PK11SlotInfo* slot,
+       CK_MECHANISM_TYPE type
+) {
+       xmlSecNssKeySlotPtr             keySlot ;
+       xmlSecSize                              ksSize ;
+       xmlSecSize                              ksPos ;
+       char                                    flag ;
+
+       xmlSecAssert2( _xmlSecNssKeySlotList != NULL, -1 ) ;
+       xmlSecAssert2( slot != NULL, -1 ) ;
+
+       ksSize = xmlSecPtrListGetSize( _xmlSecNssKeySlotList ) ;
+
+       /*-
+        * Firstly, checking whether the slot is in the repository already.
+        */
+       flag = 0 ;
+       for( ksPos = 0 ; ksPos < ksSize ; ksPos ++ ) {
+               keySlot = ( xmlSecNssKeySlotPtr )xmlSecPtrListGetItem( _xmlSecNssKeySlotList, ksPos ) ;
+               /* If find the slot in the list */
+               if( keySlot != NULL && xmlSecNssKeySlotGetSlot( keySlot ) == slot ) {
+                       /* If mechnism type is valid, bind the slot with the mechanism */
+                       if( type != CKM_INVALID_MECHANISM ) {
+                               if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+                                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                                               NULL ,
+                                               NULL ,
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                                       return(-1);
+                               }
+                       }
+
+                       flag = 1 ;
+               }
+       }
+
+       /* If the slot do not in the list, add a new item to the list */
+       if( flag == 0 ) {
+               /* Create a new KeySlot */
+               keySlot = xmlSecNssKeySlotCreate() ;
+               if( keySlot == NULL ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       return(-1);
+               }
+
+               /* Initialize the keySlot with a slot */
+               if( xmlSecNssKeySlotInitialize( keySlot, slot ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecNssKeySlotDestroy( keySlot ) ;
+                       return(-1);
+               }
+
+               /* If mechnism type is valid, bind the slot with the mechanism */
+               if( type != CKM_INVALID_MECHANISM ) {
+                       if( xmlSecNssKeySlotEnableMech( keySlot, type ) < 0 ) {
+                               xmlSecError( XMLSEC_ERRORS_HERE ,
+                                       NULL ,
+                                       NULL ,
+                                       XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+                               xmlSecNssKeySlotDestroy( keySlot ) ;
+                               return(-1);
+                       }
+               }
+
+               /* Add keySlot into the list */
+               if( xmlSecPtrListAdd( _xmlSecNssKeySlotList, keySlot ) < 0 ) {
+                       xmlSecError( XMLSEC_ERRORS_HERE ,
+                               NULL ,
+                               NULL ,
+                               XMLSEC_ERRORS_R_XMLSEC_FAILED ,
+                               XMLSEC_ERRORS_NO_MESSAGE ) ;
+                       xmlSecNssKeySlotDestroy( keySlot ) ;
+                       return(-1);
+               }
+       }
+
+       return(0);
+}
+
--- misc/xmlsec1-1.2.6/src/nss/x509.c   2003-09-26 05:53:09.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/x509.c     2008-06-29 23:44:19.000000000 +0200
@@ -34,7 +34,6 @@
 #include <xmlsec/keys.h>
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
-#include <xmlsec/x509.h>
 #include <xmlsec/base64.h>
 #include <xmlsec/errors.h>
 
@@ -61,37 +60,21 @@
 static int             xmlSecNssX509CertificateNodeRead        (xmlSecKeyDataPtr data,
                                                                 xmlNodePtr node,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int             xmlSecNssX509CertificateNodeWrite       (CERTCertificate* cert,
-                                                                xmlNodePtr node,
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int             xmlSecNssX509SubjectNameNodeRead        (xmlSecKeyDataPtr data,
                                                                 xmlNodePtr node,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int             xmlSecNssX509SubjectNameNodeWrite       (CERTCertificate* cert,
-                                                                xmlNodePtr node,
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int             xmlSecNssX509IssuerSerialNodeRead       (xmlSecKeyDataPtr data,
                                                                 xmlNodePtr node,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int             xmlSecNssX509IssuerSerialNodeWrite      (CERTCertificate* cert,
-                                                                xmlNodePtr node,
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int             xmlSecNssX509SKINodeRead                (xmlSecKeyDataPtr data,
                                                                 xmlNodePtr node,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int             xmlSecNssX509SKINodeWrite               (CERTCertificate* cert,
-                                                                xmlNodePtr node,
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int             xmlSecNssX509CRLNodeRead                (xmlSecKeyDataPtr data,
                                                                 xmlNodePtr node,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
-static int             xmlSecNssX509CRLNodeWrite               (CERTSignedCrl* crl,
-                                                                xmlNodePtr node,
-                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int             xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, 
                                                                xmlSecKeyPtr key,
                                                                xmlSecKeyInfoCtxPtr keyInfoCtx);
-
 static CERTCertificate*        xmlSecNssX509CertDerRead                (const xmlSecByte* buf, 
                                                                 xmlSecSize size);
 static CERTCertificate*        xmlSecNssX509CertBase64DerRead          (xmlChar* buf);
@@ -104,9 +87,6 @@
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static xmlChar*                xmlSecNssX509CrlBase64DerWrite          (CERTSignedCrl* crl, 
                                                                 int base64LineWrap);
-static xmlChar*                xmlSecNssX509NameWrite                  (CERTName* nm);
-static xmlChar*                xmlSecNssASN1IntegerWrite               (SECItem *num);
-static xmlChar*                xmlSecNssX509SKIWrite                   (CERTCertificate* cert);
 static void            xmlSecNssX509CertDebugDump              (CERTCertificate* cert, 
                                                                 FILE* output);
 static void            xmlSecNssX509CertDebugXmlDump           (CERTCertificate* cert, 
@@ -254,7 +234,11 @@
 
 
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataX509Klass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataX509Klass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     xmlSecNssX509DataSize,
 
@@ -378,7 +362,7 @@
                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                        "CERT_NewCertList",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1); 
        }
     }
@@ -389,7 +373,7 @@
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    "CERT_AddCertToListTail",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(-1);     
     }
     ctx->numCerts++;
@@ -588,7 +572,7 @@
                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
                        "CERT_DupCertificate",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
        }
        
@@ -627,7 +611,7 @@
                         xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
                         "SEC_DupCrl",
                         XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
+                        "error code=%d", PORT_GetError());
             return(-1);
         }
 
@@ -652,7 +636,7 @@
                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(dst)),
                        "CERT_DupCertificate",
                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
+                       "error code=%d", PORT_GetError());
            return(-1);
        }
        ret = xmlSecNssKeyDataX509AdoptKeyCert(dst, certDst);
@@ -752,31 +736,22 @@
 xmlSecNssKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                                xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataPtr data;
+    xmlNodePtr cur;
+    xmlChar* buf;
     CERTCertificate* cert;
     CERTSignedCrl* crl;
     xmlSecSize size, pos;
-    int content = 0;
-    int ret;
                                
     xmlSecAssert2(id == xmlSecNssKeyDataX509Id, -1);
     xmlSecAssert2(key != NULL, -1);
     xmlSecAssert2(node != NULL, -1);
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
-    content = xmlSecX509DataGetNodeContent (node, 1, keyInfoCtx);
-    if (content < 0) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                   "xmlSecX509DataGetNodeContent",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "content=%d", content);
-       return(-1);
-    } else if(content == 0) {
-       /* by default we are writing certificates and crls */
-       content = XMLSEC_X509DATA_DEFAULT;
+    /* todo: flag in ctx remove all existing content */
+    if(0) {
+        xmlNodeSetContent(node, NULL);
     }
 
-    /* get x509 data */
     data = xmlSecKeyGetData(key, id);
     if(data == NULL) {
        /* no x509 data in the key */
@@ -795,80 +770,75 @@
                        "pos=%d", pos);
            return(-1);
        }
-
-       if((content & XMLSEC_X509DATA_CERTIFICATE_NODE) != 0) {
-           ret = xmlSecNssX509CertificateNodeWrite(cert, node, keyInfoCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssX509CertificateNodeWrite",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
+       
+       /* set base64 lines size from context */
+       buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
+       if(buf == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                       xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                       "xmlSecNssX509CertBase64DerWrite",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       XMLSEC_ERRORS_NO_MESSAGE);
+           return(-1);
        }
-
-       if((content & XMLSEC_X509DATA_SUBJECTNAME_NODE) != 0) {
-           ret = xmlSecNssX509SubjectNameNodeWrite(cert, node, keyInfoCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssX509SubjectNameNodeWrite",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
+       
+       cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
+       if(cur == NULL) {
+           xmlSecError(XMLSEC_ERRORS_HERE,
+                       xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                       "xmlSecAddChild",
+                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                       "node=%s",
+                       xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
+           xmlFree(buf);
+           return(-1); 
        }
+       /* todo: add \n around base64 data - from context */
+       /* todo: add errors check */
+       xmlNodeSetContent(cur, xmlSecStringCR);
+       xmlNodeSetContent(cur, buf);
+       xmlFree(buf);
+    }    
 
-       if((content & XMLSEC_X509DATA_ISSUERSERIAL_NODE) != 0) {
-           ret = xmlSecNssX509IssuerSerialNodeWrite(cert, node, keyInfoCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssX509IssuerSerialNodeWrite",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
-       }
+    /* write crls */
+    size = xmlSecNssKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+        crl = xmlSecNssKeyDataX509GetCrl(data, pos);
+        if(crl == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecNssKeyDataX509GetCrl",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "pos=%d", pos);
+            return(-1);
+        }
 
-       if((content & XMLSEC_X509DATA_SKI_NODE) != 0) {
-           ret = xmlSecNssX509SKINodeWrite(cert, node, keyInfoCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssX509SKINodeWrite",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
-       }
-    }    
+        /* set base64 lines size from context */
+        buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
+        if(buf == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecNssX509CrlBase64DerWrite",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        XMLSEC_ERRORS_NO_MESSAGE);
+            return(-1);
+        }
 
-    /* write crls if needed */
-    if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
-       size = xmlSecNssKeyDataX509GetCrlsSize(data);
-       for(pos = 0; pos < size; ++pos) {
-           crl = xmlSecNssKeyDataX509GetCrl(data, pos);
-           if(crl == NULL) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssKeyDataX509GetCrl",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
-           
-           ret = xmlSecNssX509CRLNodeWrite(crl, node, keyInfoCtx);
-           if(ret < 0) {
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
-                           "xmlSecNssX509CRLNodeWrite",
-                           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                           "pos=%d", pos);
-               return(-1);
-           }
-       }
+        cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
+        if(cur == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                        "xmlSecAddChild",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "new_node=%s",
+                        xmlSecErrorsSafeString(xmlSecNodeX509CRL));
+            xmlFree(buf);
+            return(-1);
+        }
+        /* todo: add \n around base64 data - from context */
+        /* todo: add errors check */
+        xmlNodeSetContent(cur, xmlSecStringCR);
+        xmlNodeSetContent(cur, buf);
     }
 
     return(0);
@@ -1015,19 +985,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
     content = xmlNodeGetContent(node);
-    if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-       if(content != NULL) {
-           xmlFree(content);
-       }
-       if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-                       xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-                       XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
-       return(0);
+    if(content == NULL){
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                   xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+                   XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
     }
 
     cert = xmlSecNssX509CertBase64DerRead(content);
@@ -1057,46 +1021,6 @@
     return(0);
 }
 
-static int 
-xmlSecNssX509CertificateNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf;
-    xmlNodePtr cur;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-    
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CertBase64DerWrite(cert, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecNssX509CertBase64DerWrite",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-       
-    cur = xmlSecAddChild(node, xmlSecNodeX509Certificate, xmlSecDSigNs);
-    if(cur == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509Certificate));
-       xmlFree(buf);
-       return(-1);     
-    }
-
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int             
 xmlSecNssX509SubjectNameNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {     
     xmlSecKeyDataStorePtr x509Store;
@@ -1120,19 +1044,13 @@
     }
 
     subject = xmlNodeGetContent(node);
-    if((subject == NULL) || (xmlSecIsEmptyString(subject) == 1)) {
-       if(subject != NULL) {
-           xmlFree(subject);
-       }
-       if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-                       xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-                       XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
-       return(0);
+    if(subject == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                   xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+                   XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, subject, NULL, NULL, NULL, keyInfoCtx);
@@ -1167,40 +1085,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509SubjectNameNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509NameWrite(&(cert->subject));
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecNssX509NameWrite(&(cert->subject))",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SubjectName, xmlSecDSigNs);
-    if(cur == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-           NULL,
-           "xmlSecAddChild",
-           XMLSEC_ERRORS_R_XMLSEC_FAILED,
-           "node=%s",
-           xmlSecErrorsSafeString(xmlSecNodeX509SubjectName));
-       xmlFree(buf);
-       return(-1);
-    }
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-    return(0);
-}
-
 static int 
 xmlSecNssX509IssuerSerialNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1226,21 +1110,9 @@
     }
 
     cur = xmlSecGetNextElementNode(node->children);
-    if(cur == NULL) {
-       if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-                       xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
-                       XMLSEC_ERRORS_R_NODE_NOT_FOUND,
-                       "node=%s",
-                       xmlSecErrorsSafeString(xmlSecNodeGetName(cur)));
-           return(-1);
-       }
-       return(0);
-    }
-    
+
     /* the first is required node X509IssuerName */
-    if(!xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
+    if((cur == NULL) || !xmlSecCheckNodeName(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs)) {
        xmlSecError(XMLSEC_ERRORS_HERE,
                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                    xmlSecErrorsSafeString(xmlSecNodeX509IssuerName),
@@ -1332,78 +1204,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509IssuerSerialNodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlNodePtr cur;
-    xmlNodePtr issuerNameNode;
-    xmlNodePtr issuerNumberNode;
-    xmlChar* buf;
-    
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    /* create xml nodes */
-    cur = xmlSecAddChild(node, xmlSecNodeX509IssuerSerial, xmlSecDSigNs);
-    if(cur == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509IssuerSerial));
-       return(-1);
-    }
-
-    issuerNameNode = xmlSecAddChild(cur, xmlSecNodeX509IssuerName, xmlSecDSigNs);
-    if(issuerNameNode == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509IssuerName));
-       return(-1);
-    }
-
-    issuerNumberNode = xmlSecAddChild(cur, xmlSecNodeX509SerialNumber, xmlSecDSigNs);
-    if(issuerNumberNode == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509SerialNumber));
-       return(-1);
-    }
-
-    /* write data */
-    buf = xmlSecNssX509NameWrite(&(cert->issuer));
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecNssX509NameWrite(&(cert->issuer))",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-    xmlNodeSetContent(issuerNameNode, buf);
-    xmlFree(buf);
-
-    buf = xmlSecNssASN1IntegerWrite(&(cert->serialNumber));
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecNssASN1IntegerWrite(&(cert->serialNumber))",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-    xmlNodeSetContent(issuerNumberNode, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int 
 xmlSecNssX509SKINodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataStorePtr x509Store;
@@ -1427,20 +1227,14 @@
     }
     
     ski = xmlNodeGetContent(node);
-    if((ski == NULL) || (xmlSecIsEmptyString(ski) == 1)) {
-       if(ski != NULL) {
-           xmlFree(ski);
-       }
-       if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-                       xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-                       XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-                       "node=%s",
-                       xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-           return(-1);
-       }
-       return(0);
+    if(ski == NULL) {
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                   xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+                   XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+                   "node=%s",
+                   xmlSecErrorsSafeString(xmlSecNodeX509SKI));
+       return(-1);
     }
 
     cert = xmlSecNssX509StoreFindCert(x509Store, NULL, NULL, NULL, ski, keyInfoCtx);
@@ -1475,41 +1269,6 @@
     return(0);
 }
 
-static int
-xmlSecNssX509SKINodeWrite(CERTCertificate* cert, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx ATTRIBUTE_UNUSED) {
-    xmlChar *buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(cert != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-
-    buf = xmlSecNssX509SKIWrite(cert);
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecNssX509SKIWrite",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509SKI, xmlSecDSigNs);
-    if(cur == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "new_node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509SKI));
-       xmlFree(buf);
-       return(-1);
-    }
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
 static int 
 xmlSecNssX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlChar *content;
@@ -1520,19 +1279,13 @@
     xmlSecAssert2(keyInfoCtx != NULL, -1);
 
     content = xmlNodeGetContent(node);
-   if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
-       if(content != NULL) {
-           xmlFree(content);
-       }
-       if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
-                       xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
-                       XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           return(-1);
-       }
-       return(0);
+    if(content == NULL){
+       xmlSecError(XMLSEC_ERRORS_HERE,
+                   xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                   xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+                   XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+                   XMLSEC_ERRORS_NO_MESSAGE);
+       return(-1);
     }
 
     crl = xmlSecNssX509CrlBase64DerRead(content, keyInfoCtx);
@@ -1552,47 +1305,6 @@
 }
 
 static int
-xmlSecNssX509CRLNodeWrite(CERTSignedCrl* crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlChar* buf = NULL;
-    xmlNodePtr cur = NULL;
-
-    xmlSecAssert2(crl != NULL, -1);
-    xmlSecAssert2(node != NULL, -1);
-    xmlSecAssert2(keyInfoCtx != NULL, -1);
-
-    /* set base64 lines size from context */
-    buf = xmlSecNssX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize); 
-    if(buf == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecNssX509CrlBase64DerWrite",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(-1);
-    }
-
-    cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
-    if(cur == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecAddChild",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   "new_node=%s",
-                   xmlSecErrorsSafeString(xmlSecNodeX509CRL));
-       xmlFree(buf);
-       return(-1);
-    }
-    /* todo: add \n around base64 data - from context */
-    /* todo: add errors check */
-    xmlNodeSetContent(cur, xmlSecStringCR);
-    xmlNodeSetContent(cur, buf);
-    xmlFree(buf);
-
-    return(0);
-}
-
-
-static int
 xmlSecNssKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
                                    xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecNssX509DataCtxPtr ctx;
@@ -1600,6 +1312,10 @@
     int ret;
     SECStatus status;
     PRTime notBefore, notAfter;
+
+    PK11SlotInfo* slot ;
+    SECKEYPublicKey *pubKey = NULL;
+    SECKEYPrivateKey *priKey = NULL;
     
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecNssKeyDataX509Id), -1);
     xmlSecAssert2(key != NULL, -1);
@@ -1632,10 +1348,13 @@
                            xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
                            "CERT_DupCertificate",
                            XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                           XMLSEC_ERRORS_NO_MESSAGE);
+                           "error code=%d", PORT_GetError());
                return(-1);
            }
        
+               /*-
+                * Get Public key from cert, which does not always work for sign action.
+         *
            keyValue = xmlSecNssX509CertGetKey(ctx->keyCert);
            if(keyValue == NULL) {
                xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1645,6 +1364,54 @@
                            XMLSEC_ERRORS_NO_MESSAGE);
                return(-1);
            }
+                */
+
+               /*-
+                * I'll search key according to KeyReq.
+                */
+        slot = cert->slot ;
+        if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate ) == xmlSecKeyDataTypePrivate ) {
+            if( ( priKey = PK11_FindKeyByAnyCert( cert , NULL ) ) == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                    "PK11_FindPrivateKeyFromCert" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+                return -1 ;
+            }
+        }
+
+               if( ( keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePublic ) == xmlSecKeyDataTypePublic ) {
+            if( ( pubKey = CERT_ExtractPublicKey( cert ) ) == NULL ) {
+                xmlSecError( XMLSEC_ERRORS_HERE ,
+                    xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                    "CERT_ExtractPublicKey" ,
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                    XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                               if( priKey != NULL )
+                                       SECKEY_DestroyPrivateKey( priKey ) ;
+                return -1 ;
+            }
+        }
+
+        keyValue = xmlSecNssPKIAdoptKey(priKey, pubKey);
+               if( keyValue == NULL ) {
+            xmlSecError( XMLSEC_ERRORS_HERE ,
+                xmlSecErrorsSafeString( xmlSecKeyDataGetName( data ) ) ,
+                "xmlSecNssPKIAdoptKey" ,
+                XMLSEC_ERRORS_R_CRYPTO_FAILED ,
+                XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+                       if( priKey != NULL )
+                               SECKEY_DestroyPrivateKey( priKey ) ;
+
+                       if( pubKey != NULL )
+                               SECKEY_DestroyPublicKey( pubKey ) ;
+
+            return -1 ;
+               }
+               /* Modify keyValue get Done */
            
            /* verify that the key matches our expectations */
            if(xmlSecKeyReqMatchKeyValue(&(keyInfoCtx->keyReq), keyValue) != 1) {
@@ -1725,14 +1492,6 @@
     return(0);
 }
 
-/** 
- * xmlSecNssX509CertGetKey:
- * @cert:              the certificate.
- * 
- * Extracts public key from the @cert.
- *
- * Returns public key value or NULL if an error occurs.
- */
 xmlSecKeyDataPtr       
 xmlSecNssX509CertGetKey(CERTCertificate* cert) {
     xmlSecKeyDataPtr data;
@@ -1746,7 +1505,7 @@
                    NULL,
                    "CERT_ExtractPublicKey",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(NULL);
     }    
 
@@ -1804,7 +1563,7 @@
                    NULL,
                    "__CERT_NewTempCertificate",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(NULL);
     }
 
@@ -1827,7 +1586,7 @@
                    NULL,
                    "cert->derCert",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        return(NULL);
     }
     
@@ -1890,7 +1649,7 @@
                     NULL,
                     "PK11_GetInternalKeySlot",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
        return NULL;
     }
 
@@ -1905,7 +1664,7 @@
                    NULL,
                    "PK11_ImportCRL",
                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
+                   "error code=%d", PORT_GetError());
        PK11_FreeSlot(slot);
        return(NULL);
     }
@@ -1929,7 +1688,7 @@
                     NULL,
                     "crl->derCrl",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
+                    "error code=%d", PORT_GetError());
         return(NULL);
     }
 
@@ -1946,86 +1705,6 @@
     return(res);
 }
 
-static xmlChar*
-xmlSecNssX509NameWrite(CERTName* nm) {
-    xmlChar *res = NULL;
-    char *str;
-
-    xmlSecAssert2(nm != NULL, NULL);
-
-    str = CERT_NameToAscii(nm);
-    if (str == NULL) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "CERT_NameToAscii",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-        return(NULL);
-    }
-
-    res = xmlStrdup(BAD_CAST str);
-    if(res == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlStrdup",
-                   XMLSEC_ERRORS_R_MALLOC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       PORT_Free(str);
-       return(NULL);
-    }
-    PORT_Free(str);
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssASN1IntegerWrite(SECItem *num) {
-    xmlChar *res = NULL;
-    
-    xmlSecAssert2(num != NULL, NULL);
-
-    /* TODO : to be implemented after 
-     * NSS bug http://bugzilla.mozilla.org/show_bug.cgi?id=212864 is fixed 
-     */
-    return(res);
-}
-
-static xmlChar*
-xmlSecNssX509SKIWrite(CERTCertificate* cert) {
-    xmlChar *res = NULL;
-    SECItem ski;
-    SECStatus rv;
-
-    xmlSecAssert2(cert != NULL, NULL);
-
-    memset(&ski, 0, sizeof(ski));
-
-    rv = CERT_FindSubjectKeyIDExtension(cert, &ski);
-    if (rv != SECSuccess) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "CERT_FindSubjectKeyIDExtension",
-                   XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       SECITEM_FreeItem(&ski, PR_FALSE);
-       return(NULL);
-    }
-
-    res = xmlSecBase64Encode(ski.data, ski.len, 0);
-    if(res == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "xmlSecBase64Encode",
-                   XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       SECITEM_FreeItem(&ski, PR_FALSE);
-       return(NULL);
-    }
-    SECITEM_FreeItem(&ski, PR_FALSE);
-    
-    return(res);
-}
-
-
 static void 
 xmlSecNssX509CertDebugDump(CERTCertificate* cert, FILE* output) {
     SECItem *sn;
@@ -2084,7 +1763,11 @@
                                                                 xmlSecSize bufSize,
                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataKlass xmlSecNssKeyDataRawX509CertKlass = {
+#else
 static xmlSecKeyDataKlass xmlSecNssKeyDataRawX509CertKlass = {
+#endif
     sizeof(xmlSecKeyDataKlass),
     sizeof(xmlSecKeyData),
 
--- misc/xmlsec1-1.2.6/src/nss/x509vfy.c        2003-09-26 02:58:15.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/src/nss/x509vfy.c  2008-06-29 23:44:19.000000000 +0200
@@ -30,6 +30,7 @@
 #include <xmlsec/keyinfo.h>
 #include <xmlsec/keysmngr.h>
 #include <xmlsec/base64.h>
+#include <xmlsec/bn.h>
 #include <xmlsec/errors.h>
 
 #include <xmlsec/nss/crypto.h>
@@ -43,8 +44,8 @@
 typedef struct _xmlSecNssX509StoreCtx          xmlSecNssX509StoreCtx, 
                                                *xmlSecNssX509StoreCtxPtr;
 struct _xmlSecNssX509StoreCtx {
-    CERTCertList* certsList; /* just keeping a reference to destroy later */
-};         
+       CERTCertList* certsList; /* just keeping a reference to destroy later */
+};             
 
 /****************************************************************************
  *
@@ -54,45 +55,40 @@
  *
  ***************************************************************************/
 #define xmlSecNssX509StoreGetCtx(store) \
-    ((xmlSecNssX509StoreCtxPtr)(((xmlSecByte*)(store)) + \
-                                   sizeof(xmlSecKeyDataStoreKlass)))
+       ((xmlSecNssX509StoreCtxPtr)(((xmlSecByte*)(store)) + \
+                                       sizeof(xmlSecKeyDataStoreKlass)))
 #define xmlSecNssX509StoreSize \
-    (sizeof(xmlSecKeyDataStoreKlass) + sizeof(xmlSecNssX509StoreCtx))
+       (sizeof(xmlSecKeyDataStoreKlass) + sizeof(xmlSecNssX509StoreCtx))
  
 static int             xmlSecNssX509StoreInitialize    (xmlSecKeyDataStorePtr store);
 static void            xmlSecNssX509StoreFinalize      (xmlSecKeyDataStorePtr store);
-static int             xmlSecNssX509NameStringRead     (xmlSecByte **str, 
-                                                        int *strLen, 
-                                                        xmlSecByte *res, 
-                                                        int resLen,
-                                                        xmlSecByte delim, 
-                                                        int ingoreTrailingSpaces);
-static xmlSecByte *    xmlSecNssX509NameRead           (xmlSecByte *str, 
-                                                        int len);
-
-static void            xmlSecNssNumToItem(SECItem *it, unsigned long num);
 
+static int             xmlSecNssIntegerToItem( const xmlChar* integer , SECItem *it ) ;
 
+#ifdef __MINGW32__ // for runtime-pseudo-reloc
+static struct _xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = {
+#else
 static xmlSecKeyDataStoreKlass xmlSecNssX509StoreKlass = {
-    sizeof(xmlSecKeyDataStoreKlass),
-    xmlSecNssX509StoreSize,
-
-    /* data */
-    xmlSecNameX509Store,                       /* const xmlChar* name; */ 
-        
-    /* constructors/destructor */
-    xmlSecNssX509StoreInitialize,              /* xmlSecKeyDataStoreInitializeMethod initialize; */
-    xmlSecNssX509StoreFinalize,                        /* xmlSecKeyDataStoreFinalizeMethod finalize; */
-
-    /* reserved for the future */
-    NULL,                                      /* void* reserved0; */
-    NULL,                                      /* void* reserved1; */
+#endif
+       sizeof(xmlSecKeyDataStoreKlass),
+       xmlSecNssX509StoreSize,
+
+       /* data */
+       xmlSecNameX509Store,                    /* const xmlChar* name; */ 
+               
+       /* constructors/destructor */
+       xmlSecNssX509StoreInitialize,           /* xmlSecKeyDataStoreInitializeMethod initialize; */
+       xmlSecNssX509StoreFinalize,                     /* xmlSecKeyDataStoreFinalizeMethod finalize; */
+
+       /* reserved for the future */
+       NULL,                                   /* void* reserved0; */
+       NULL,                                   /* void* reserved1; */
 };
 
 static CERTCertificate*                xmlSecNssX509FindCert(xmlChar *subjectName,
-                                                     xmlChar *issuerName,
-                                                     xmlChar *issuerSerial,
-                                                     xmlChar *ski);
+                                                         xmlChar *issuerName,
+                                                         xmlChar *issuerSerial,
+                                                         xmlChar *ski);
 
 
 /** 
@@ -104,7 +100,7 @@
  */
 xmlSecKeyDataStoreId 
 xmlSecNssX509StoreGetKlass(void) {
-    return(&xmlSecNssX509StoreKlass);
+       return(&xmlSecNssX509StoreKlass);
 }
 
 /**
@@ -125,15 +121,15 @@
 xmlSecNssX509StoreFindCert(xmlSecKeyDataStorePtr store, xmlChar *subjectName,
                                xmlChar *issuerName, xmlChar *issuerSerial,
                                xmlChar *ski, xmlSecKeyInfoCtx* keyInfoCtx) {
-    xmlSecNssX509StoreCtxPtr ctx;
-    
-    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
+       xmlSecNssX509StoreCtxPtr ctx;
+       
+       xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), NULL);
+       xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
-    ctx = xmlSecNssX509StoreGetCtx(store);
-    xmlSecAssert2(ctx != NULL, NULL);
+       ctx = xmlSecNssX509StoreGetCtx(store);
+       xmlSecAssert2(ctx != NULL, NULL);
 
-    return(xmlSecNssX509FindCert(subjectName, issuerName, issuerSerial, ski));
+       return(xmlSecNssX509FindCert(subjectName, issuerName, issuerSerial, ski));
 }
 
 /**
@@ -148,116 +144,130 @@
  */ 
 CERTCertificate *      
 xmlSecNssX509StoreVerify(xmlSecKeyDataStorePtr store, CERTCertList* certs,
-                            xmlSecKeyInfoCtx* keyInfoCtx) {
-    xmlSecNssX509StoreCtxPtr ctx;
-    CERTCertListNode*       head;
-    CERTCertificate*       cert = NULL;
-    CERTCertListNode*       head1;
-    CERTCertificate*       cert1 = NULL;
-    SECStatus status = SECFailure;
-    int64 timeboundary;
-    int64 tmp1, tmp2;
-
-    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), NULL);
-    xmlSecAssert2(certs != NULL, NULL);
-    xmlSecAssert2(keyInfoCtx != NULL, NULL);
-
-    ctx = xmlSecNssX509StoreGetCtx(store);
-    xmlSecAssert2(ctx != NULL, NULL);
-
-    for (head = CERT_LIST_HEAD(certs);
-         !CERT_LIST_END(head, certs);
-         head = CERT_LIST_NEXT(head)) {
-        cert = head->cert;
+                                xmlSecKeyInfoCtx* keyInfoCtx) {
+       xmlSecNssX509StoreCtxPtr ctx;
+       CERTCertListNode*          head;
+       CERTCertificate*           cert = NULL;
+       CERTCertListNode*          head1;
+       CERTCertificate*           cert1 = NULL;
+       SECStatus status = SECFailure;
+       int64 timeboundary;
+       int64 tmp1, tmp2;
+
+       xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), NULL);
+       xmlSecAssert2(certs != NULL, NULL);
+       xmlSecAssert2(keyInfoCtx != NULL, NULL);
+
+       ctx = xmlSecNssX509StoreGetCtx(store);
+       xmlSecAssert2(ctx != NULL, NULL);
+
+       for (head = CERT_LIST_HEAD(certs);
+                !CERT_LIST_END(head, certs);
+                head = CERT_LIST_NEXT(head)) {
+               cert = head->cert;
        if(keyInfoCtx->certsVerificationTime > 0) {
-           /* convert the time since epoch in seconds to microseconds */
-           LL_UI2L(timeboundary, keyInfoCtx->certsVerificationTime);
-           tmp1 = (int64)PR_USEC_PER_SEC;
-           tmp2 = timeboundary;
-           LL_MUL(timeboundary, tmp1, tmp2);
+               /* convert the time since epoch in seconds to microseconds */
+               LL_UI2L(timeboundary, keyInfoCtx->certsVerificationTime);
+               tmp1 = (int64)PR_USEC_PER_SEC;
+               tmp2 = timeboundary;
+               LL_MUL(timeboundary, tmp1, tmp2);
        } else {
-           timeboundary = PR_Now();
+               timeboundary = PR_Now();
        }
 
        /* if cert is the issuer of any other cert in the list, then it is 
         * to be skipped */
        for (head1 = CERT_LIST_HEAD(certs); 
-            !CERT_LIST_END(head1, certs);
-            head1 = CERT_LIST_NEXT(head1)) {
+                !CERT_LIST_END(head1, certs);
+                head1 = CERT_LIST_NEXT(head1)) {
 
-           cert1 = head1->cert;
-           if (cert1 == cert) {
+               cert1 = head1->cert;
+               if (cert1 == cert) {
                continue;
-           }
+               }
 
-           if (SECITEM_CompareItem(&cert1->derIssuer, &cert->derSubject)
-                                     == SECEqual) {
+               if (SECITEM_CompareItem(&cert1->derIssuer, &cert->derSubject)
+                                                                 == SECEqual) {
                break;
-           }
+               }
        }
 
        if (!CERT_LIST_END(head1, certs)) {
-           continue;
+               continue;
        }
-
-       status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 
-                                       cert, PR_FALSE, 
-                                       (SECCertificateUsage)0,
-                                       timeboundary , NULL, NULL, NULL);
-       if (status == SECSuccess) {
-           break;
+    /* JL: OpenOffice.org implements its own certificate verification routine. 
+      The goal is to seperate validation of the signature
+      and the certificate. For example, OOo could show that the document signature is valid,
+      but the certificate could not be verified. If we do not prevent the verification of
+      the certificate by libxmlsec and the verification fails, then the XML signature may not be 
+      verified. This would happen, for example, if the root certificate is not installed.
+      
+      In the store schould only be the certificate from the X509Certificate element 
+      and the X509IssuerSerial element. The latter is only there
+      if the certificate is installed. Both certificates must be the same!
+      In case of writing the signature, the store contains only the certificate that
+      was created based on the information from the X509IssuerSerial element. */
+    status = SECSuccess;
+    break;
+/*     status = CERT_VerifyCertificate(CERT_GetDefaultCertDB(), 
+                                       cert, PR_FALSE, 
+                                       (SECCertificateUsage)0,
+                                                       timeboundary , NULL, NULL, NULL);
+       if (status == SECSuccess) {
+               break;
+       } */
        }
-    }
 
-    if (status == SECSuccess) {
+       if (status == SECSuccess) {
        return (cert);
-    }
-    
-    switch(PORT_GetError()) {
+       }
+       
+       switch(PORT_GetError()) {
        case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
        case SEC_ERROR_CA_CERT_INVALID:
        case SEC_ERROR_UNKNOWN_SIGNER:
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                        NULL,
-                        XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
-                        "cert with subject name %s could not be verified because the issuer's cert is expired/invalid or not found",
-                        cert->subjectName);
-           break;
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                               NULL,
+                                               XMLSEC_ERRORS_R_CERT_ISSUER_FAILED,
+                                               "cert with subject name %s could not be verified because the issuer's cert is expired/invalid or not found",
+                                               cert->subjectName);
+               break;
        case SEC_ERROR_EXPIRED_CERTIFICATE:
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                        NULL,
-                        XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
-                        "cert with subject name %s has expired",
-                        cert->subjectName);
-           break;
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                               NULL,
+                                               XMLSEC_ERRORS_R_CERT_HAS_EXPIRED,
+                                               "cert with subject name %s has expired",
+                                               cert->subjectName);
+               break;
        case SEC_ERROR_REVOKED_CERTIFICATE:
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                        NULL,
-                        XMLSEC_ERRORS_R_CERT_REVOKED,
-                        "cert with subject name %s has been revoked",
-                        cert->subjectName);
-           break;
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                               NULL,
+                                               XMLSEC_ERRORS_R_CERT_REVOKED,
+                                               "cert with subject name %s has been revoked",
+                                               cert->subjectName);
+               break;
        default:
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                        NULL,
-                        XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
-                        "cert with subject name %s could not be verified",
-                        cert->subjectName);
-           break;
-    }
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                               NULL,
+                                               XMLSEC_ERRORS_R_CERT_VERIFY_FAILED,
+                                               "cert with subject name %s could not be verified, errcode %d",
+                                               cert->subjectName,
+                       PORT_GetError());
+               break;
+       }
    
-    return (NULL);
+       return (NULL);
 }
 
 /**
  * xmlSecNssX509StoreAdoptCert:
- * @store:              the pointer to X509 key data store klass.
- * @cert:               the pointer to NSS X509 certificate.
- * @type:               the certificate type (trusted/untrusted).
+ * @store:                       the pointer to X509 key data store klass.
+ * @cert:                         the pointer to NSS X509 certificate.
+ * @type:                         the certificate type (trusted/untrusted).
  *
  * Adds trusted (root) or untrusted certificate to the store.
  *
@@ -265,67 +275,67 @@
  */
 int
 xmlSecNssX509StoreAdoptCert(xmlSecKeyDataStorePtr store, CERTCertificate* cert, xmlSecKeyDataType type ATTRIBUTE_UNUSED) {
-    xmlSecNssX509StoreCtxPtr ctx;
-    int ret;
+       xmlSecNssX509StoreCtxPtr ctx;
+       int ret;
 
-    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), -1);
-    xmlSecAssert2(cert != NULL, -1);
+       xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), -1);
+       xmlSecAssert2(cert != NULL, -1);
 
-    ctx = xmlSecNssX509StoreGetCtx(store);
-    xmlSecAssert2(ctx != NULL, -1);
+       ctx = xmlSecNssX509StoreGetCtx(store);
+       xmlSecAssert2(ctx != NULL, -1);
 
-    if(ctx->certsList == NULL) {
-        ctx->certsList = CERT_NewCertList();
-        if(ctx->certsList == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                        "CERT_NewCertList",
-                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-            return(-1);
-        }
-    }
-
-    ret = CERT_AddCertToListTail(ctx->certsList, cert);
-    if(ret != SECSuccess) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
-                    "CERT_AddCertToListTail",
-                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
-        return(-1);
-    }
+       if(ctx->certsList == NULL) {
+               ctx->certsList = CERT_NewCertList();
+               if(ctx->certsList == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                               "CERT_NewCertList",
+                                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       return(-1);
+               }
+       }
 
-    return(0);
+       ret = CERT_AddCertToListTail(ctx->certsList, cert);
+       if(ret != SECSuccess) {
+               xmlSecError(XMLSEC_ERRORS_HERE,
+                                       xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                                       "CERT_AddCertToListTail",
+                                       XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                                       "error code=%d", PORT_GetError());
+               return(-1);
+       }
+
+       return(0);
 }
 
 static int
 xmlSecNssX509StoreInitialize(xmlSecKeyDataStorePtr store) {
-    xmlSecNssX509StoreCtxPtr ctx;
-    xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), -1);
+       xmlSecNssX509StoreCtxPtr ctx;
+       xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId), -1);
 
-    ctx = xmlSecNssX509StoreGetCtx(store);
-    xmlSecAssert2(ctx != NULL, -1);
+       ctx = xmlSecNssX509StoreGetCtx(store);
+       xmlSecAssert2(ctx != NULL, -1);
 
-    memset(ctx, 0, sizeof(xmlSecNssX509StoreCtx));
+       memset(ctx, 0, sizeof(xmlSecNssX509StoreCtx));
 
-    return(0);    
+       return(0);      
 }
 
 static void
 xmlSecNssX509StoreFinalize(xmlSecKeyDataStorePtr store) {
-    xmlSecNssX509StoreCtxPtr ctx;
-    xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId));
+       xmlSecNssX509StoreCtxPtr ctx;
+       xmlSecAssert(xmlSecKeyDataStoreCheckId(store, xmlSecNssX509StoreId));
 
-    ctx = xmlSecNssX509StoreGetCtx(store);
-    xmlSecAssert(ctx != NULL);
-    
-    if (ctx->certsList) {
+       ctx = xmlSecNssX509StoreGetCtx(store);
+       xmlSecAssert(ctx != NULL);
+       
+       if (ctx->certsList) {
        CERT_DestroyCertList(ctx->certsList);
        ctx->certsList = NULL;
-    }
+       }
 
-    memset(ctx, 0, sizeof(xmlSecNssX509StoreCtx));
+       memset(ctx, 0, sizeof(xmlSecNssX509StoreCtx));
 }
 
 
@@ -340,376 +350,213 @@
  */
 static CERTCertificate*                
 xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName, 
-                     xmlChar *issuerSerial, xmlChar *ski) {
-    CERTCertificate *cert = NULL;
-    xmlChar         *p = NULL;
-    CERTName *name = NULL;
-    SECItem *nameitem = NULL;
-    PRArenaPool *arena = NULL;
-
-    if (subjectName != NULL) {
-       p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName));
-       if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "subject=%s",
-                        xmlSecErrorsSafeString(subjectName));
-           goto done;
-       }
-
-       arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-       if (arena == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "PORT_NewArena",
-                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       name = CERT_AsciiToName((char*)p);
-       if (name == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "CERT_AsciiToName",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
-                                     SEC_ASN1_GET(CERT_NameTemplate));
-       if (nameitem == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "SEC_ASN1EncodeItem",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), nameitem);
-       goto done;
-    }
-
-    if((issuerName != NULL) && (issuerSerial != NULL)) {
-       CERTIssuerAndSN issuerAndSN;
-
-       p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName));
-       if (p == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecNssX509NameRead",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "issuer=%s",
-                        xmlSecErrorsSafeString(issuerName));
-           goto done;
-       }
-
-       arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-       if (arena == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "PORT_NewArena",
-                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       name = CERT_AsciiToName((char*)p);
-       if (name == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "CERT_AsciiToName",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
-                                     SEC_ASN1_GET(CERT_NameTemplate));
-       if (nameitem == NULL) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "SEC_ASN1EncodeItem",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-
-       memset(&issuerAndSN, 0, sizeof(issuerAndSN));
+                         xmlChar *issuerSerial, xmlChar *ski) {
+       CERTCertificate *cert = NULL;
+       CERTName *name = NULL;
+       SECItem *nameitem = NULL;
+       PRArenaPool *arena = NULL;
+
+       if (subjectName != NULL) {
+               arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+               if (arena == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "PORT_NewArena",
+                                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       goto done;
+               }
 
-       issuerAndSN.derIssuer.data = nameitem->data;
-       issuerAndSN.derIssuer.len = nameitem->len;
+               name = CERT_AsciiToName((char*)subjectName);
+               if (name == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "CERT_AsciiToName",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       goto done;
+               }
 
-       /* TBD: serial num can be arbitrarily long */
-       xmlSecNssNumToItem(&issuerAndSN.serialNumber, PORT_Atoi((char *)issuerSerial));
+               nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
+                                         SEC_ASN1_GET(CERT_NameTemplate));
+               if (nameitem == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "SEC_ASN1EncodeItem",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       goto done;
+               }
 
-       cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), 
-                                         &issuerAndSN);
-       SECITEM_FreeItem(&issuerAndSN.serialNumber, PR_FALSE);
-       goto done;
-    }
-
-    if(ski != NULL) {
-       SECItem subjKeyID;
-       int len;
-
-       len = xmlSecBase64Decode(ski, (xmlSecByte*)ski, xmlStrlen(ski));
-        if(len < 0) {
-            xmlSecError(XMLSEC_ERRORS_HERE,
-                        NULL,
-                        "xmlSecBase64Decode",
-                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                        "ski=%s",
-                        xmlSecErrorsSafeString(ski));
-           goto done;
-        }
-
-       memset(&subjKeyID, 0, sizeof(subjKeyID));
-       subjKeyID.data = ski;
-       subjKeyID.len = xmlStrlen(ski);
-        cert = CERT_FindCertBySubjectKeyID(CERT_GetDefaultCertDB(), 
-                                          &subjKeyID);
-    }
+               cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), nameitem);
+               goto done;
+       }
 
-done:
-    if (p != NULL) {
-       PORT_Free(p);
-    }
-    if (arena != NULL) {
-       PORT_FreeArena(arena, PR_FALSE);
-    }
-    if (name != NULL) {
-       CERT_DestroyName(name);
-    }
+       if((issuerName != NULL) && (issuerSerial != NULL)) {
+               CERTIssuerAndSN issuerAndSN;
 
-    return(cert);
-}
+               arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+               if (arena == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "PORT_NewArena",
+                                               XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       goto done;
+               }
 
-/**
- * xmlSecNssX509NameRead:
- */       
-static xmlSecByte *
-xmlSecNssX509NameRead(xmlSecByte *str, int len) {
-    xmlSecByte name[256];
-    xmlSecByte value[256];
-    xmlSecByte *retval = NULL;
-    xmlSecByte *p = NULL;
-    int nameLen, valueLen;
-
-    xmlSecAssert2(str != NULL, NULL);
-    
-    /* return string should be no longer than input string */
-    retval = (xmlSecByte *)PORT_Alloc(len+1);
-    if(retval == NULL) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   "PORT_Alloc",
-                   XMLSEC_ERRORS_R_MALLOC_FAILED,
-                   XMLSEC_ERRORS_NO_MESSAGE);
-       return(NULL);
-    }
-    p = retval;
-    
-    while(len > 0) {
-       /* skip spaces after comma or semicolon */
-       while((len > 0) && isspace(*str)) {
-           ++str; --len;
-       }
-
-       nameLen = xmlSecNssX509NameStringRead(&str, &len, name, sizeof(name), '=', 0);  
-       if(nameLen < 0) {
-           xmlSecError(XMLSEC_ERRORS_HERE,
-                       NULL,
-                       "xmlSecNssX509NameStringRead",
-                       XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                       XMLSEC_ERRORS_NO_MESSAGE);
-           goto done;
-       }
-       memcpy(p, name, nameLen);
-       p+=nameLen;
-       *p++='=';
-       if(len > 0) {
-           ++str; --len;
-           if((*str) == '\"') {
-               valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-                                       value, sizeof(value), '"', 1);  
-               if(valueLen < 0) {
-                   xmlSecError(XMLSEC_ERRORS_HERE,
+               name = CERT_AsciiToName((char*)issuerName);
+               if (name == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
                                NULL,
-                               "xmlSecNssX509NameStringRead",
+                               "CERT_AsciiToName",
                                XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                               XMLSEC_ERRORS_NO_MESSAGE);
-                   goto done;
-               }
-               /* skip spaces before comma or semicolon */
-               while((len > 0) && isspace(*str)) {
-                   ++str; --len;
+                               "error code=%d", PORT_GetError());
+                       goto done;
                }
-               if((len > 0) && ((*str) != ',')) {
-                   xmlSecError(XMLSEC_ERRORS_HERE,
-                               NULL,
-                               NULL,
-                               XMLSEC_ERRORS_R_INVALID_DATA,
-                               "comma is expected");
-                   goto done;
-               }
-               if(len > 0) {
-                   ++str; --len;
+
+               nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
+                                         SEC_ASN1_GET(CERT_NameTemplate));
+               if (nameitem == NULL) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "SEC_ASN1EncodeItem",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               "error code=%d", PORT_GetError());
+                       goto done;
                }
-               *p++='\"';
-               memcpy(p, value, valueLen);
-               p+=valueLen;
-               *p++='\"';
-           } else if((*str) == '#') {
-               /* TODO: read octect values */
-               xmlSecError(XMLSEC_ERRORS_HERE,
-                           NULL,
-                           NULL,
-                           XMLSEC_ERRORS_R_INVALID_DATA,
-                           "reading octect values is not implemented yet");
-               goto done;
-           } else {
-               valueLen = xmlSecNssX509NameStringRead(&str, &len, 
-                                       value, sizeof(value), ',', 1);  
-               if(valueLen < 0) {
-                   xmlSecError(XMLSEC_ERRORS_HERE,
+
+               memset(&issuerAndSN, 0, sizeof(issuerAndSN));
+
+               issuerAndSN.derIssuer.data = nameitem->data;
+               issuerAndSN.derIssuer.len = nameitem->len;
+
+               if( xmlSecNssIntegerToItem( issuerSerial, &issuerAndSN.serialNumber ) < 0 ) {
+                       xmlSecError(XMLSEC_ERRORS_HERE,
                                NULL,
-                               "xmlSecNssX509NameStringRead",
+                               "xmlSecNssIntegerToItem",
                                XMLSEC_ERRORS_R_XMLSEC_FAILED,
-                               XMLSEC_ERRORS_NO_MESSAGE);
-                   goto done;
-               }
-               memcpy(p, value, valueLen);
-               p+=valueLen;
-               if (len > 0)
-                   *p++=',';
-           }                   
-       } else {
-           valueLen = 0;
+                               "serial number=%s",
+                               xmlSecErrorsSafeString(issuerSerial));
+                       goto done;
+               }
+
+               cert = CERT_FindCertByIssuerAndSN(CERT_GetDefaultCertDB(), 
+                                         &issuerAndSN);
+               SECITEM_FreeItem(&issuerAndSN.serialNumber, PR_FALSE);
+               goto done;
+       }
+
+       if(ski != NULL) {
+               SECItem subjKeyID;
+               int len;
+
+               len = xmlSecBase64Decode(ski, (xmlSecByte*)ski, xmlStrlen(ski));
+                       if(len < 0) {
+                               xmlSecError(XMLSEC_ERRORS_HERE,
+                                               NULL,
+                                               "xmlSecBase64Decode",
+                                               XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                                               "ski=%s",
+                                               xmlSecErrorsSafeString(ski));
+                               goto done;
+                       }
+
+               memset(&subjKeyID, 0, sizeof(subjKeyID));
+               subjKeyID.data = ski;
+               subjKeyID.len = xmlStrlen(ski);
+               cert = CERT_FindCertBySubjectKeyID(CERT_GetDefaultCertDB(), 
+                                          &subjKeyID);
        }
-       if(len > 0) {
-           ++str; --len;
-       }       
-    }
-
-    *p = 0;
-    return(retval);
-    
+
 done:
-    PORT_Free(retval);
-    return (NULL);
+       if (arena != NULL) {
+       PORT_FreeArena(arena, PR_FALSE);
+       }
+       if (name != NULL) {
+       CERT_DestroyName(name);
+       }
+
+       return(cert);
 }
 
+static int
+xmlSecNssIntegerToItem(
+       const xmlChar* integer ,
+       SECItem *item
+) {
+       xmlSecBn bn ;
+       xmlSecSize i, length ;
+       const xmlSecByte* bnInteger ;
 
+       xmlSecAssert2( integer != NULL, -1 ) ;
+       xmlSecAssert2( item != NULL, -1 ) ;
 
-/**
- * xmlSecNssX509NameStringRead:
- */
-static int 
-xmlSecNssX509NameStringRead(xmlSecByte **str, int *strLen, 
-                           xmlSecByte *res, int resLen,
-                           xmlSecByte delim, int ingoreTrailingSpaces) {
-    xmlSecByte *p, *q, *nonSpace; 
-
-    xmlSecAssert2(str != NULL, -1);
-    xmlSecAssert2(strLen != NULL, -1);
-    xmlSecAssert2(res != NULL, -1);
-    
-    p = (*str);
-    nonSpace = q = res;
-    while(((p - (*str)) < (*strLen)) && ((*p) != delim) && ((q - res) < resLen)) { 
-       if((*p) != '\\') {
-           if(ingoreTrailingSpaces && !isspace(*p)) {
-               nonSpace = q;   
-           }
-           *(q++) = *(p++);
-       } else {
-           ++p;
-           nonSpace = q;    
-           if(xmlSecIsHex((*p))) {
-               if((p - (*str) + 1) >= (*strLen)) {
-                   xmlSecError(XMLSEC_ERRORS_HERE,
-                               NULL,
-                               NULL,
-                               XMLSEC_ERRORS_R_INVALID_DATA,
-                               "two hex digits expected");
-                   return(-1);
-               }
-               *(q++) = xmlSecGetHex(p[0]) * 16 + xmlSecGetHex(p[1]);
-               p += 2;
-           } else {
-               if(((++p) - (*str)) >= (*strLen)) {
-                   xmlSecError(XMLSEC_ERRORS_HERE,
-                               NULL,
-                               NULL,
-                               XMLSEC_ERRORS_R_INVALID_DATA,
-                               "escaped symbol missed");
-                   return(-1);
-               }
-               *(q++) = *(p++); 
-           }
-       }           
-    }
-    if(((p - (*str)) < (*strLen)) && ((*p) != delim)) {
-       xmlSecError(XMLSEC_ERRORS_HERE,
-                   NULL,
-                   NULL,
-                   XMLSEC_ERRORS_R_INVALID_SIZE,
-                   "buffer is too small");
-       return(-1);
-    }
-    (*strLen) -= (p - (*str));
-    (*str) = p;
-    return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res);
-}
+       if( xmlSecBnInitialize( &bn, 0 ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnInitialize",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+               return -1 ;     
+       }
 
-/* code lifted from NSS */
-static void
-xmlSecNssNumToItem(SECItem *it, unsigned long ui)
-{
-    unsigned char bb[5];
-    int len;
-
-    bb[0] = 0;
-    bb[1] = (unsigned char) (ui >> 24);
-    bb[2] = (unsigned char) (ui >> 16);
-    bb[3] = (unsigned char) (ui >> 8);
-    bb[4] = (unsigned char) (ui);
-
-    /*
-    ** Small integers are encoded in a single byte. Larger integers
-    ** require progressively more space.
-    */
-    if (ui > 0x7f) {
-        if (ui > 0x7fff) {
-            if (ui > 0x7fffffL) {
-                if (ui >= 0x80000000L) {
-                    len = 5;
-                } else {
-                    len = 4;
-                }
-            } else {
-                len = 3;
-            }
-        } else {
-            len = 2;
-        }
-    } else {
-        len = 1;
-    }
-
-    it->data = (unsigned char *)PORT_Alloc(len);
-    if (it->data == NULL) {
-        return;
-    }
+       if( xmlSecBnFromDecString( &bn, integer ) < 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnFromDecString",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecBnFinalize( &bn ) ;
+               return -1 ;     
+       }
+
+       length = xmlSecBnGetSize( &bn ) ;
+       if( length <= 0 ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnGetSize",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecBnFinalize( &bn ) ;
+               return -1 ;
+       }
+
+       bnInteger = xmlSecBnGetData( &bn ) ;
+       if( bnInteger == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "xmlSecBnGetData",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
 
-    it->len = len;
-    PORT_Memcpy(it->data, bb + (sizeof(bb) - len), len);
+               xmlSecBnFinalize( &bn ) ;
+               return -1 ;
+       }
+
+       item->data = ( unsigned char * )PORT_Alloc( length );
+       if( item->data == NULL ) {
+               xmlSecError( XMLSEC_ERRORS_HERE,
+                       NULL,
+                       "PORT_Alloc",
+                       XMLSEC_ERRORS_R_INVALID_DATA,
+                       XMLSEC_ERRORS_NO_MESSAGE ) ;
+
+               xmlSecBnFinalize( &bn ) ;
+               return -1 ;
+       }
+
+       item->len = length;
+
+       for( i = 0 ; i < length ; i ++ )
+               item->data[i] = *( bnInteger + i ) ;
+
+       xmlSecBnFinalize( &bn ) ;
+
+       return 0 ;
 }
-#endif /* XMLSEC_NO_X509 */
 
+#endif /* XMLSEC_NO_X509 */
 
--- misc/xmlsec1-1.2.6/win32/Makefile.msvc      2004-06-09 16:35:12.000000000 +0200
+++ misc/build/xmlsec1-1.2.6/win32/Makefile.msvc        2008-06-29 23:44:19.000000000 +0200
@@ -223,6 +223,10 @@
        $(XMLSEC_OPENSSL_INTDIR_A)\x509vfy.obj 
 
 XMLSEC_NSS_OBJS = \
+       $(XMLSEC_NSS_INTDIR)\akmngr.obj\
+       $(XMLSEC_NSS_INTDIR)\keytrans.obj\
+       $(XMLSEC_NSS_INTDIR)\keywrapers.obj\
+       $(XMLSEC_NSS_INTDIR)\tokens.obj\
        $(XMLSEC_NSS_INTDIR)\app.obj\
        $(XMLSEC_NSS_INTDIR)\bignum.obj\
        $(XMLSEC_NSS_INTDIR)\ciphers.obj \
@@ -235,9 +239,6 @@
        $(XMLSEC_NSS_INTDIR)\x509.obj\
        $(XMLSEC_NSS_INTDIR)\x509vfy.obj\
        $(XMLSEC_NSS_INTDIR)\keysstore.obj\
-       $(XMLSEC_NSS_INTDIR)\kt_rsa.obj\
-       $(XMLSEC_NSS_INTDIR)\kw_des.obj\
-       $(XMLSEC_NSS_INTDIR)\kw_aes.obj\
        $(XMLSEC_NSS_INTDIR)\strings.obj
 XMLSEC_NSS_OBJS_A = \
        $(XMLSEC_NSS_INTDIR_A)\app.obj\
@@ -258,6 +259,7 @@
        $(XMLSEC_NSS_INTDIR_A)\strings.obj
 
 XMLSEC_MSCRYPTO_OBJS = \
+       $(XMLSEC_MSCRYPTO_INTDIR)\akmngr.obj\
        $(XMLSEC_MSCRYPTO_INTDIR)\app.obj\
        $(XMLSEC_MSCRYPTO_INTDIR)\crypto.obj \
        $(XMLSEC_MSCRYPTO_INTDIR)\ciphers.obj \
@@ -376,7 +378,7 @@
 XMLSEC_OPENSSL_SOLIBS   = libeay32.lib wsock32.lib kernel32.lib user32.lib gdi32.lib
 XMLSEC_OPENSSL_ALIBS    = libeay32.lib wsock32.lib kernel32.lib user32.lib gdi32.lib
 
-XMLSEC_NSS_SOLIBS      = smime3.lib ssl3.lib nss3.lib libnspr4.lib libplds4.lib libplc4.lib kernel32.lib user32.lib gdi32.lib
+XMLSEC_NSS_SOLIBS      = smime3.lib nss3.lib nspr4.lib kernel32.lib user32.lib gdi32.lib
 XMLSEC_NSS_ALIBS       = smime3.lib ssl3.lib nss3.lib libnspr4_s.lib libplds4_s.lib libplc4_s.lib kernel32.lib user32.lib gdi32.lib
 
 XMLSEC_MSCRYPTO_SOLIBS  = kernel32.lib user32.lib gdi32.lib Crypt32.lib Advapi32.lib