[xmlsec] Microsoft CAPI support with hardware token

Edward Shallow ed.shallow at rogers.com
Sat Sep 11 10:30:44 PDT 2004


   Yes I have successfully used an Aladdin eToken Pro in a Windows XP
environment with XMLsec 1.2.1 using the command line and template below.

Key points:

1) use --crypto mscrypto
2) point xmlsec at your token using dsig:KeyName in the template
3) make sure your keys were generated on the token and the returned
certificate is bound to those token-resident keys
4) if you can't get the key/cert working in other Windows applications, then
it won't work with XMLsec either
5) xmlsec (with --mscrypto) is just using CAPI with the appropriate CSP as
dictated by the particular cert you choose
6) xmlsec (with --mscrypto) really doesn't even know it's using the token,
that is standard CAPI/CSP functionality support


P.S. Good job Aleksey and Wouter ;)


xmlsec sign --crypto mscrypto --output inout/edsigned3-enveloped.xml

<?xml version="1.0" encoding="UTF-8"?>
Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed Shallow June 27, 2003
			<SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
			<SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
			<SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
		<SubData2>This is the data to be signed.</SubData2>
		<SubData3>This is the data to be signed.</SubData3>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
				<dsig:Reference URI="">
			<dsig:KeyName>CN=Thawte Freemail Member, E=edissecure at yahoo.ca</dsig:KeyName>
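
Added example, not part of the original post and not xmlsec project code: Python that builds an enveloped signature template whose dsig:KeyName carries a certificate subject string like the one in the post (key point 2), and checks the template before it is handed to xmlsec. The root element, the subject string and the algorithm URIs are assumptions, since the archive did not preserve those parts of the poster's template.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = DSIG + "enveloped-signature"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ET.register_namespace("dsig", DSIG)

def q(tag):
    """Qualify a tag name with the XML-DSig namespace."""
    return "{%s}%s" % (DSIG, tag)

def add_template(root, key_name,
                 sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                 digest_alg="http://www.w3.org/2001/04/xmlenc#sha256"):
    """Append an enveloped signature template that names the signing key."""
    sig = ET.SubElement(root, q("Signature"))
    info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(info, q("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(info, q("SignatureMethod"), Algorithm=sig_alg)
    ref = ET.SubElement(info, q("Reference"), URI="")  # "" = whole document
    transforms = ET.SubElement(ref, q("Transforms"))
    ET.SubElement(transforms, q("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, q("DigestMethod"), Algorithm=digest_alg)
    ET.SubElement(ref, q("DigestValue"))     # left empty for xmlsec to fill
    ET.SubElement(sig, q("SignatureValue"))  # left empty for xmlsec to fill
    key_info = ET.SubElement(sig, q("KeyInfo"))
    ET.SubElement(key_info, q("KeyName")).text = key_name
    return sig

def template_problems(root):
    """List reasons the template cannot select a key or sign cleanly."""
    sig = root.find(q("Signature"))
    if sig is None:
        return ["no dsig:Signature child under the root element"]
    problems = []
    name = sig.findtext(q("KeyInfo") + "/" + q("KeyName"), "")
    if not name.strip():
        problems.append("dsig:KeyName is missing or empty")
    for ref in sig.iter(q("Reference")):
        algs = [t.get("Algorithm") for t in ref.iter(q("Transform"))]
        if ref.get("URI") == "" and ENVELOPED not in algs:
            problems.append('Reference URI="" lacks the enveloped transform')
    return problems

if __name__ == "__main__":
    # Constructed sample document and subject; not the poster's data.
    doc = ET.fromstring("<Data><SubData2>This is the data to be signed."
                        "</SubData2></Data>")
    add_template(doc, "CN=Example Signer, E=signer@example.invalid")
    assert template_problems(doc) == []
    print(ET.tostring(doc, encoding="unicode"))
```

Without the enveloped-signature transform, a Reference with URI="" digests the Signature element itself, so the value computed at signing time no longer matches once SignatureValue is filled in.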
