[xmlsec] Signing xml using etoken

Aleksey Sanin aleksey at aleksey.com
Wed Jul 9 07:09:46 PDT 2008


OK, the next step is to figure out how to get an EVP key for the
key on the token. Check what the "-keyform engine" command line
option does.

Aleksey

Ivan Barrera A. wrote:
> Aleksey Sanin wrote:
>> I think that you need to figure out how the "-engine" option
>> is handled by the openssl command line tool. Then you will need
>> to do a similar openssl initialization in xmlsec.
> 
> I figured that out.
> Just to try it, I added the engine initialization on the same openssl
> engine. However, it cannot find the key yet.
> I guess the key is not being called through the engine, and so far I
> haven't found where in the code to look.
> 
> Thanks
> 
> 
>> Aleksey
>>
>> Ivan Barrera A. wrote:
>>> Hi again.
>>>
>>> I've tried almost all the solutions I've found on the web, and still no luck.
>>>
>>> Maybe it cannot be done, I don't know, so I'll explain a little more of
>>> what I have:
>>>
>>> - USB eToken (Aladdin Pro32K, using its own format)
>>> - Library from Aladdin to access the eToken
>>> (/usr/lib/libeTPkcs11.so)
>>> - an X509 cert inside the eToken, along with private and public keys (that
>>> cannot be exported; the eToken has to sign all data itself)
>>>
>>> Using openssl, I've been able to sign a digest using:
>>> openssl dgst -engine pkcs11 -keyform engine -sign
>>> <id-of-the-key-inside-token> xmlfile.xml
>>>
>>> It seems to work, as it asks me to enter the eToken password and outputs some
>>> raw data.
>>>
>>> I haven't been able to make xmlsec use openssl this way, so that the token can
>>> do the signing of the document.
>>>
>>> Any ideas?
>>>
>>>
>>> Ivan Barrera A. wrote:
>>>> I've been fighting for the last week trying to sign XML documents using a
>>>> cert stored on an eToken (Aladdin 32K).
>>>> I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying
>>>> to sign the document in any way.
>>>>
>>>> So far, I've tried openssl and nss with no luck. Using openssl alone, I
>>>> can get the system to sign S/MIME documents using the token:
>>>>
>>>>   openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem
>>>>   -keyform engine -inkey
>>>>   39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>>>
>>>> And after adding the eToken lib to nss, modutil -list gives:
>>>>   2. eToken
>>>>         library name: /usr/lib/libeTPkcs11.so
>>>>          slots: 17 slots attached
>>>>         status: loaded
>>>>
>>>>          slot: AKS ifdh 00 00
>>>>         token: eToken
>>>>
>>>>
>>>>
>>>> However, when I try to sign anything using xmlsec1, I only get
>>>>
>>>> # xmlsec1 --sign --crypto nss   --output a.xml test4.xml
>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>>> Error: signature failed
>>>> Error: failed to sign file "test4.xml"
>>>>
>>>>
>>>>
>>>> I've tried using keyname, keyvalue, and a keys.xml file. Nothing worked. Most
>>>> probably I'm doing something wrong.
>>>> Has someone done this, or does anyone know how I can achieve this?
>>>>
>>>> BTW, running on Fedora Core 9, using the latest openct/pcscd/xmlsec.
>>>>
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
> 
> 
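An added example, not part of this thread and not xmlsec or OpenSSL project code: the `openssl dgst -sign` command quoted above, wrapped as a shell round trip that signs a file's digest and then verifies the raw signature against the public key extracted from the certificate. That verification step is the check a practitioner wants after seeing "some raw data" come out of the token. With USE_ENGINE=1 the function passes `-engine pkcs11 -keyform engine` exactly as in the thread (assumed: engine_pkcs11 is installed, MODULE_PATH is exported to point at the vendor PKCS#11 library, and the key argument is the key id inside the token); with it unset, a throwaway PEM key and self-signed certificate (constructed by make_fixture, hypothetical names) stand in for the token so the flow can be run without hardware.

```shell
#!/bin/sh
# Added example (not from the thread): sign a digest with "openssl dgst -sign",
# then verify the detached raw signature against the certificate's public key.
set -e

# Sign FILE, writing the raw RSA signature to SIG.
# KEY is a PEM private key path, or, when USE_ENGINE=1, the key id inside the
# token, loaded through the OpenSSL pkcs11 engine (assumes engine_pkcs11 is
# installed and MODULE_PATH points at e.g. /usr/lib/libeTPkcs11.so).
sign_digest() {
    file=$1; key=$2; sig=$3
    if [ "${USE_ENGINE:-0}" = "1" ]; then
        openssl dgst -sha256 -engine pkcs11 -keyform engine \
            -sign "$key" -out "$sig" "$file"
    else
        openssl dgst -sha256 -sign "$key" -out "$sig" "$file"
    fi
}

# Verify SIG over FILE with the public key pulled out of CERT.
# Returns 0 when openssl reports "Verified OK", 1 otherwise.
verify_digest() {
    file=$1; cert=$2; sig=$3
    pub=$(mktemp)
    openssl x509 -in "$cert" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1; then
        rm -f "$pub"
        return 0
    fi
    rm -f "$pub"
    return 1
}

# Constructed fixture (stand-in for the token): throwaway RSA key, self-signed
# cert and a small XML file, all written into DIR.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 1 -subj "/CN=xmlsec-example" >/dev/null 2>&1
    printf '<doc>hello</doc>\n' > "$dir/test.xml"
}

# Full round trip in DIR: the signature must verify over the original file and
# must be rejected over a tampered copy. Returns 0 only if both hold.
round_trip() {
    dir=$1
    sign_digest "$dir/test.xml" "$dir/key.pem" "$dir/test.sig"
    verify_digest "$dir/test.xml" "$dir/cert.pem" "$dir/test.sig" || return 1
    printf '<doc>tampered</doc>\n' > "$dir/tampered.xml"
    if verify_digest "$dir/tampered.xml" "$dir/cert.pem" "$dir/test.sig"; then
        return 1
    fi
    return 0
}
```

Usage: `d=$(mktemp -d); make_fixture "$d"; round_trip "$d" && echo OK`, or with the token `USE_ENGINE=1 MODULE_PATH=/usr/lib/libeTPkcs11.so sign_digest doc.xml <id-of-the-key-inside-token> doc.sig`. What `-keyform engine` does inside the openssl binary is call ENGINE_load_private_key() on the initialised engine, which returns an EVP_PKEY whose private operations run on the token; that EVP_PKEY is what an application linked against xmlsec's OpenSSL backend would hand to the library instead of reading a key file.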