[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 04:45:29 PDT 2005

If I did well understand the XmlSec docs, I believe that the interface 
proposed by XmlSec to perform cryptographic operations cannot be used 
with the support of smart-cards, especially when adoptig mozilla-nss 
library. In fact in the 'critical' APIs (for signing and encrypting) the 
calling program cannot specify the slot name and the token name (as 
reported by PKCS11 interface), neither a callback to a routine for the 
password (PIN) specification.

For now I'm modifying the underlying nss-layer of XmlSec (version 1.2.8) 
to check some internal environment variables specifying the slot name, 
the token name and the PIN (in a hard-coded encrypted form): if these 
variables are not present the nss-layer performs normally, otherwise it 
uses the given values to properly select and authenticate the requested 
Meanwhile I'm developing some extra APIs to assign the requested values 
to the internal environment variables.
But this is only a functional patch to limit the work for using smart cards.

What about an extension of the XmlSec interface with some extra APIs for 
the specification of requested slot/token and of a PIN callback routines?

For example:
- xmlSecSetSlotName,
- xmlSecSetTokenName,
- xmlSecSetPINCallback,
independent of the underlying crypto layer (i.e. valid not only for 
mozilla-nss, but for openssl engines as well).

I've read somewhere (don't remembere where, sorry) that someone was 
arguing about the use of 'best-slot'. But in real application, supported 
by a graphical interface or by a server infrastructure using HSMs (Hw 
security modules), the application has these infos from othe sources 
(the end-user or some application configs), so I believe that the XmlSec 
should perform what previously selected by the application, not doing 
some sort of 'best-selection' whose criteria are not well defined.

I excuse for my criticism, but I believe this is an important point to 

Clizio Merli

Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)

More information about the xmlsec mailing list