[xmlsec] Use of smart-cards to perform cryptographic operations
Clizio Merli
clizio at net4u.it
Mon May 16 10:29:58 PDT 2005
Aleksey Sanin wrote:
>
> > But looking at the way NSS handles it in the normal PKCS7 scenario,
> > SGN_End is called as the final action of a sequence which sees:
> > - first the selection of slot/token,
> > - then the verification that the token and the certificate are good for
> > signing,
> > - and finally the signature, that is actually performed by the card (in
> > fact NSS handles private-keys of PKCS11 devices - smart-cards or
> > software simulations - only as logical descriptors of keys that are
> > handled only by the devices).
>
> The slot is associated with a key. If you already have a key then
> you already have a slot. xmlsec uses "GetBestSlot" only if it reads
> a key from the input (e.g. from a certificate) or for hash operations.
>
> Thus, if you want to sign something with a given key then you already
> did the first two steps in your application. xmlsec is doing the last
> step only (for the final signature on a device and get back the result).
>
> BTW, I did not write the xmlsec-nss myself. It was done by one of the NSS
> developers from AOL :)
>
> Aleksey
>
OK
I'll do my best (not only slot :-)).
Looking at your example sign3.c, I was wondering if the signing
sequence could be realised by modifying the underlying NSS layer so that:
- ...
- xmlSecCryptoAppKeyLoad could actually prepare a key structure for a
pseudo-file whose name is something like 'slot-name : token-name'
(and here the API already provides PIN parameters);
- xmlSecCryptoAppKeyCertLoad could be used to actually select a
certificate (and its key) via a nickname specified with the cert-file name;
- xmlSecKeySetName - as now
- xmlSecDSigCtxSign - performing the signature with the supplied info above
- ...
Thanks for your patience.
Clizio
--
----------------------------
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------