[xmlsec] Signing xml using etoken

Ivan Barrera A. ivan.barrera at will.cl
Tue Jul 8 17:03:09 PDT 2008


Oh, forgot to mention: using NSS didn't work either:

# xmlsec/apps/xmlsec1 --sign --crypto nss --crypto-config /root/.netscape/ --output a.xml xml1.xml
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=-8174 (0xFFFFE012)
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=875:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=-8174 (0xFFFFE012)
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xFFFFE012)
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xFFFFE012)
Error: signature failed
Error: failed to sign file "xml1.xml"


I have properly set the configuration for the NSS DB, and the KeyName in the
xml1.xml file.
Also, the pcscd daemon shows activity when running xmlsec, but there is
no prompt for the eToken password.

# certutil -K -h eToken -X -d /root/.netscape/
Enter Password or Pin for "eToken":
< 0> rsa      "DDDDDDDD-35ED-XXXX-ZZZZ-GGGGGGGGGGGG:0"   eTCAPI private key
< 1> rsa      "DDDDDDDD-35ED-XXXX-ZZZZ-GGGGGGGGGGGG:1"   eTCAPI private key




Ivan Barrera A. wrote:
> 
> I've been fighting for the last week trying to sign XML documents using a
> cert stored on an eToken (Aladdin 32K).
> I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying
> to sign the document in any way.
> 
> So far, I've tried openssl and nss with no luck. Using openssl alone, I
> can get the system to sign S/MIME documents using the token ( openssl
> smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem
> -keyform engine -inkey
> 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> )
> And after adding the eToken lib to NSS,
> modutil -list gives:
>   2. eToken
>         library name: /usr/lib/libeTPkcs11.so
>          slots: 17 slots attached
>         status: loaded
> 
>          slot: AKS ifdh 00 00
>         token: eToken
> 
> 
> 
> However, when I try to sign anything using xmlsec1, I only get
> 
> # xmlsec1 --sign --crypto nss   --output a.xml test4.xml
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
> Error: signature failed
> Error: failed to sign file "test4.xml"
> 
> 
> 
> I've tried using KeyName, KeyValue, and a keys.xml file. Nothing worked. Most
> probably I'm doing something wrong.
> Has someone done this, or does anyone know how I can achieve it?
> 
> BTW, running on Fedora Core 9, using the latest openct/pcscd/xmlsec.
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
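One piece the thread never shows is the template document that `xmlsec1 --sign` consumes. As an added example (not part of Ivan's mail and not xmlsec project code), the Python helper below builds an enveloped-signature template whose KeyInfo/KeyName carries an NSS-style `token:nickname` reference, and flags the template defects that make `--sign` fail before the token is ever touched. It assumes that xmlsec's NSS backend resolves KeyName as an NSS certificate nickname; the token name "eToken", the certificate nickname "mycert" and the sample document are constructed for illustration.

```python
"""Hypothetical helper written for this thread (not xmlsec project code):
build the signature template that `xmlsec1 --sign` expects, with KeyInfo
naming the token-resident key, and check the template for common defects."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("ds", DSIG_NS)


def ds(local):
    """Clark-notation tag in the XML-DSig namespace."""
    return "{%s}%s" % (DSIG_NS, local)


def nss_key_name(nickname, token=None):
    """NSS addresses a certificate on a PKCS#11 token as "<token>:<nickname>".
    Assumption for this example: xmlsec's NSS backend resolves <ds:KeyName>
    as an NSS certificate nickname, so that string is what the template carries.
    The token name is the one modutil/certutil show (e.g. "eToken")."""
    return "%s:%s" % (token, nickname) if token else nickname


def build_enveloped_template(doc_xml, key_name,
                             sig_method=RSA_SHA256, digest_method=SHA256):
    """Append an enveloped-signature template to `doc_xml` and return it.
    DigestValue and SignatureValue are left empty on purpose: xmlsec1 computes
    and fills them during --sign. Pass the rsa-sha1/sha1 URIs for a build that
    lacks SHA-256 support."""
    root = ET.fromstring(doc_xml)
    sig = ET.SubElement(root, ds("Signature"))
    signed_info = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(signed_info, ds("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(signed_info, ds("SignatureMethod"), Algorithm=sig_method)
    # URI="" means "this whole document"; the enveloped transform excludes the
    # Signature element itself from what gets digested.
    ref = ET.SubElement(signed_info, ds("Reference"), URI="")
    transforms = ET.SubElement(ref, ds("Transforms"))
    ET.SubElement(transforms, ds("Transform"), Algorithm=ENVELOPED)
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=digest_method)
    ET.SubElement(ref, ds("DigestValue"))
    ET.SubElement(sig, ds("SignatureValue"))
    key_info = ET.SubElement(sig, ds("KeyInfo"))
    ET.SubElement(key_info, ds("KeyName")).text = key_name
    return ET.tostring(root, encoding="unicode")


def template_problems(template_xml):
    """Return the template defects that make xmlsec1 fail before it talks to
    the token: no Signature, missing/empty KeyName, or values already filled."""
    problems = []
    root = ET.fromstring(template_xml)
    sig = root.find(".//" + ds("Signature"))
    if sig is None:
        return ["no ds:Signature element"]
    key_name = sig.find(ds("KeyInfo") + "/" + ds("KeyName"))
    if key_name is None or not (key_name.text or "").strip():
        problems.append("KeyInfo/KeyName missing or empty")
    checks = (
        ("SignatureValue", ds("SignatureValue")),
        ("DigestValue", ds("SignedInfo") + "/" + ds("Reference") + "/" + ds("DigestValue")),
    )
    for label, path in checks:
        el = sig.find(path)
        if el is None:
            problems.append(label + " missing")
        elif (el.text or "").strip():
            problems.append(label + " already filled; xmlsec1 expects it empty")
    return problems


if __name__ == "__main__":
    # Constructed sample document, not data from the thread.
    sample = "<Envelope><Data>order 42</Data></Envelope>"
    template = build_enveloped_template(sample, nss_key_name("mycert", "eToken"))
    assert template_problems(template) == []
    with open("xml1.xml", "w") as fh:
        fh.write(template)
    # Then sign with the thread's own invocation, pointing --crypto-config at
    # the NSS DB that has the eToken module loaded:
    #   xmlsec1 --sign --crypto nss --crypto-config /root/.netscape/ --output a.xml xml1.xml
```

One check worth doing before blaming xmlsec: `certutil -K` (as in the mail above) prints private-key IDs, not certificate nicknames; the nickname that belongs in KeyName is what `certutil -L -h eToken -d /root/.netscape/` lists for the token, and a private key with no matching certificate on the token cannot be found by nickname at all.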