Steve Parkinson wrote:
> Also, bear in mind that exposing more of NSS to XPCOM might be a good
> thing.  We should probably think about what subset of NSS we'd want to
> expose.

My understanding is that since Python is becoming a first-class language
in Mozilla, you will eventually (if not already) be able to use NSS with
Python, but you will have to use the interfaces specified in IDL and all
the XPCOM stuff that comes with it. OK in Mozilla, but probably not for
your random project that just wants to do SSL.

> 1) Write some C middleware around NSS to expose native objects/APIs to
> the language.  This is how JSS works. There's a considerable amount of C
> code in JSS (in the JNI 'native' method implementations) to wrap the NSS
> semantics in something approaching the standard Java Cryptographic
> Architecture.  An example is how we expose an NSPR/NSS socket as a Java
> SSLSocket.

You mean, for example with Python, write (in C) a Python wrapper/API for
NSS? I think this would be best in the long run for high performance,
but see below.

> 2) Another approach might be to automate (using swig?) the export of
> most NSS functions wholesale into the language of choice, without any
> change of semantics or naming.  Then, provide a new abstraction layer
> with the language-appropriate semantics, implemented in the language
> itself, rather than in C.

Yes, I think this is the best place to start. I don't think just
automatically swigging huge chunks of NSS would work (I think I tried
this very briefly a couple of years ago). Rather, you would start from
some limited task you want to accomplish (connect to an SSL server and
download data, without any security checks even), swig only the needed
APIs and get it running. Once that works, build a usable library (still
very limited API coverage). At that point it would make sense to ask the
question of perhaps going to the straight C/C++ approach and dumping swig
(it brings considerable overhead; in some tests I've seen swigged code
being 2.5 times slower than one built with direct C/C++).

-- 
  Heikki Toivonen
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
