[xmlsec] Signing xml using etoken
Ivan Barrera A.
ivan.barrera at will.cl
Wed Jul 9 13:12:47 PDT 2008
Roumen Petrov wrote:
> Ivan Barrera A. wrote:
>> Hi again.
>>
>> I've tried almost all solutions I've found on the web, and still no luck.
>
> Hmm. I don't think that xmlsec supports engines. Did you find a patch?
>
Nope
>> - USB eToken (Aladdin Pro32K, using its own format)
>> - Library from Aladdin to access the eToken
>> (/usr/lib/libeTPkcs11.so)
>> - an X509 cert inside the eToken, along with private and public keys (that
>> cannot be exported. The eToken has to sign all data itself)
>
> Since this is your environment, could you propose a patch to xmlsec that
> supports openssl engines?
Yep :)
As soon as I have something working, I'll clean it up and propose a patch.
So far, I've done a dirty hack to select the engine inside openssl/app.c.
Now I'm on to replicating the -keyform part on ssl.
>> Using openssl, I've been able to sign a digest using:
>> openssl dgst -engine pkcs11 -keyform engine -sign
>> <id-of-the-key-inside-token> xmlfile.xml
>>
>> It seems to work, as it asks me to enter the eToken password and outputs some
>> raw data.
>
> [SNIP]
>
>
> Aleksey,
> I think that first we have to enable xmlsec to use the openssl config file.
> In the configuration file we can specify which engine to use. Samples
> can be found as search for "opensc pkcs11 engine".
>
> To make the --crypto-config option work we have to update:
> src/openssl/app.c:53: OPENSSL_config(NULL);
> Also, if the function argument is not set, we may look for the environment
> variable OPENSSL_CONF.
>
> Next I think is specific to engine - how to identify key(token) to use
> for the operation.
>
> Roumen
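As an added illustration of the config-file approach Roumen describes above (not code from this thread or from the xmlsec project): an OpenSSL config file that loads the OpenSC engine_pkcs11 engine and points it at the eToken PKCS#11 module, so that OPENSSL_config(NULL) registers the engine without any code in xmlsec knowing about it. The dynamic_path to engine_pkcs11.so is an assumption about where the distribution installs it; the MODULE_PATH is the Aladdin library mentioned above.

```ini
# Constructed example openssl.cnf; point OPENSSL_CONF at it or pass it via
# the --crypto-config option once xmlsec honours it.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine_pkcs11 from OpenSC; location is an assumption for this example
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# the vendor PKCS#11 module that actually talks to the eToken
MODULE_PATH = /usr/lib/libeTPkcs11.so
# init = 0 defers loading the module until the engine is first used
init = 0
# Do not put a PIN= line here: leave it out so the engine prompts for
# the token password and the PIN never sits in a world-readable file.
```

With this in place the key is still selected by its token id (the -keyform engine argument in the openssl dgst command above); the config only decides which engine and which PKCS#11 module are loaded.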