[xmlsec] Use of smart-cards to perform cryptographic operations
clizio at net4u.it
Mon May 16 10:29:58 PDT 2005
Aleksey Sanin wrote:
> > But looking at the way NSS handles it in the normal PKCS7 scenario,
> > SGN_End is called as the final action of a sequence which sees:
> > - first the selection of slot/token,
> > - then the verification that the token and the certificate are good for
> > signing,
> > - and finally the signature, that is actually performed by the card (in
> > fact NSS handles private-keys of PKCS11 devices - smart-cards or
> > software simulations - only as logical descriptors of keys that are
> > handled only by the devices).
> The slot is associated with a key. If you already have a key then
> you already have a slot. xmlsec uses "GetBestSlot" only if it reads
> key from the input (e.g. from a certificate) or for hash operations.
> Thus, if you want to sign something with a given key then you already
> did the first two steps in your application. xmlsec is doing the last
> step only (do the final signature on a device and get back the result).
> BTW, I did not write the xmlsec-nss myself. It was done by one of NSS
> developers from AOL :)
I'll do my best (not only slot :-)).
Looking at your example sign3.c I was wondering if the signing
sequence could be realised by modifying the underlying NSS layer so that:
- xmlSecCryptoAppKeyLoad could actually prepare a key structure for a
pseudo-file whose name is something like 'slot-name : token-name'
(and here the API already provides PIN parameters);
- xmlSecCryptoAppKeyCertLoad could be used to actually select a
certificate (and its key) via a nickname specified with cert-file name;
- xmlSecKeySetName - as now
- xmlSecDSigCtxSign - performing the signature with the supplied info above
Thanks for your patience.
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
Socio AIP (Associazione Informatici Professionisti)