[xmlsec] Use of smart-cards to perform cryptographic operations
clizio at net4u.it
Mon May 16 04:45:29 PDT 2005
If I did well understand the XmlSec docs, I believe that the interface
proposed by XmlSec to perform cryptographic operations cannot be used
with the support of smart-cards, especially when adoptig mozilla-nss
library. In fact in the 'critical' APIs (for signing and encrypting) the
calling program cannot specify the slot name and the token name (as
reported by PKCS11 interface), neither a callback to a routine for the
password (PIN) specification.
For now I'm modifying the underlying nss-layer of XmlSec (version 1.2.8)
to check some internal environment variables specifying the slot name,
the token name and the PIN (in a hard-coded encrypted form): if these
variables are not present the nss-layer performs normally, otherwise it
uses the given values to properly select and authenticate the requested
Meanwhile I'm developing some extra APIs to assign the requested values
to the internal environment variables.
But this is only a functional patch to limit the work for using smart cards.
What about an extension of the XmlSec interface with some extra APIs for
the specification of requested slot/token and of a PIN callback routines?
independent of the underlying crypto layer (i.e. valid not only for
mozilla-nss, but for openssl engines as well).
I've read somewhere (don't remembere where, sorry) that someone was
arguing about the use of 'best-slot'. But in real application, supported
by a graphical interface or by a server infrastructure using HSMs (Hw
security modules), the application has these infos from othe sources
(the end-user or some application configs), so I believe that the XmlSec
should perform what previously selected by the application, not doing
some sort of 'best-selection' whose criteria are not well defined.
I excuse for my criticism, but I believe this is an important point to
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
Socio AIP (Associazione Informatici Professionisti)
More information about the xmlsec