[xmlsec] Signing xml using etoken

Roumen Petrov xmlsec at roumenpetrov.info
Wed Jul 9 13:02:04 PDT 2008

Ivan Barrera A. wrote:
> Hi again.
> I've tried almost all solutions I've found on the web, and still no luck.

Hmm. I don't think that xmlsec supports engines. Did you find a patch?

> Maybe it cannot be done, I don't know, so I'll explain a little more of
> what I have:
> - USB etoken (Aladdin Pro32K, using its own format)
> - Library from aladdin to access the eToken
> (/usr/lib//usr/lib/libeTPkcs11.so)
> - an X509 Cert inside the eToken, along with private and public keys (that
> cannot be exported. The eToken has to sign all data itself)

Since this is your environment, could you propose a patch to xmlsec that 
supports openssl engines?

> Using openssl, I've been able to sign a digest using:
> openssl dgst -engine pkcs11  -keyform engine -sign
> <id-of-the-key-inside-token> xmlfile.xml
> It seems to work, as it asks to enter the etoken password and outputs some
> raw data.


I think that first we have to enable xmlsec to use the openssl config file. 
In the configuration file we can specify which engine to use. Samples 
can be found by searching for "opensc pkcs11 engine".

For the --crypto-config option to work we have to update:
src/openssl/app.c:53:    OPENSSL_config(NULL);
Also, if the function argument is not set we may look for the environment 
variable OPENSSL_CONF.

The next part, I think, is specific to the engine - how to identify the key (token) to use 
for the operation.
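
The kind of OpenSSL configuration file the reply refers to, shown as an added example that is not part of the original message or of xmlsec. The section names are arbitrary, and both file paths are assumptions: dynamic_path is a typical location for the OpenSC engine_pkcs11 module, and MODULE_PATH assumes the Aladdin library named in the quoted message lives directly under /usr/lib.

```ini
# Added example: openssl.cnf fragment that loads the PKCS#11 engine at startup.
# This line must appear in the default (unnamed) section at the top of the file.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
# Left side is a label; right side names the section with the engine settings.
pkcs11 = pkcs11_section

[pkcs11_section]
# Engine id, the same one passed as "-engine pkcs11" on the command line.
engine_id = pkcs11
# Assumed path to the engine_pkcs11 shared object; adjust for the distribution.
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# Assumed path to the vendor PKCS#11 module that talks to the token.
MODULE_PATH = /usr/lib/libeTPkcs11.so
# Do not initialise the engine while the config is parsed; the private key
# stays on the token and the PIN is requested only when a key is used.
init = 0
```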


