[xmlsec] Use of smart-cards to perform cryptographic operations

Aleksey Sanin aleksey at aleksey.com
Mon May 16 10:13:20 PDT 2005

 > But looking at the way NSS handles it in the normal PKCS7 scenario,
 > SGN_End is called as the final action of a sequence which sees:
 > - first the selection of slot/token,
 > - then the verification that the token and the certificate is good for
 > signing,
 > - and finally the signature, that is actually performed by the card (in
 > fact NSS handles private-keys of PKCS11 devices - smart-cards or
 > software simulations - only as logical descriptors of keys that are
 > handled only by the devices).

The slot is associated with a key. If you already have a key then
you already have a slot. xmlsec uses "GetBestSlot" only if it reads
key from the input (e.g. from a certificate) or for hash operations.

Thus, if you want to sign something with a given key then you already
did the first two steps in your application. xmlsec is doing the last
step only (fo the final signature on a device and get back the result).

BTW, I did not wrote the xmlsec-nss myself. It was done by one of NSS
developers from AOL :)


More information about the xmlsec mailing list