[xmlsec] xmlsec and HSMs / Accelerators

Patrick Richard patr at sxip.com
Wed Apr 14 10:38:55 PDT 2004

> > What I am wanting to do is use HSMs with xmlsec without too many
> > 'external' initializers etc. First I need to know it works at all,
> > which it seems to (via CAPI, whatever is underneath it doesn't care).
>
> I have here code that works perfectly with the software implementation
> of CAPI but has difficulties with at least one model of hardware token.
> This is what I referred to in my last message.

Yes, this is to be expected when using an HSM with most higher level
libs which are crypto lib 'clients'. This happens with both CAPI, and
even P-11 via CAPI *or* openssl.

Typically, the problems arise in session management, handling token
logons etc. as the registration of the _required_ callbacks when using
an HSM (which are not required mostly when using acceleration) - in the
absence of the callbacks you have to have a way to pass things down to
the logon level from the higher level app. When you need these callbacks
(or of the required session parameters for logons etc.) from within
either CAPI or openSSL (i.e. passphrase etc.) is hard to pass up through
a higher level lib (i.e. xmlsec), unless the lib has explicit support
for it, or else if it is designed to expose the top level app to the
lower layer. 

Hence my original question, (which was partially answered with respect
to acceleration), regarding whether anyone has had any success using
xmlsec to an HSM which is operating in 'secure' mode.
