[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 10:02:46 PDT 2005


Aleksey Sanin wrote:

> In the scenario you describe (private key is sitting on the smart card)
> the signature will be done on *this* smart card no matter what simply
> because you are not allowed (most of the time) to export private key
> from the smart card.
>
> Aleksey
>
>
You are right.
But in NSS that part is actually resolved by the SGN_End routine (via
the PK11_Sign routine and the slot already connected to the selected
private-key structure). You call SGN_End in the 'nss/signatures.c'
module.
But looking at the way NSS handles it in the normal PKCS7 scenario, 
SGN_End is called as the final action of a sequence which sees:
- first the selection of slot/token,
- then the verification that the token and the certificate are good for
signing,
- and finally the signature, that is actually performed by the card (in 
fact NSS handles private-keys of PKCS11 devices - smart-cards or 
software simulations - only as logical descriptors of keys that are 
handled only by the devices).
What I don't understand is how I can realize such a sequence in an
XmlSec1 application.

Clizio

-- 
----------------------------
Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------



