[xmlsec] Signing xml using etoken

Ivan Barrera A. ivan.barrera at will.cl
Wed Jul 9 13:12:47 PDT 2008

Roumen Petrov escribió:
> Ivan Barrera A. wrote:
>> Hi again.
>> Ive tried almost all solutions ive found on the web, and still no luck.
> Hmm. I don' think that xmlsec support engines. Did you found a patch ?


>> - USB etoken (Aladdin Pro32K, using its own format)
>> - Library from aladdin to access de eToken
>> (/usr/lib//usr/lib/libeTPkcs11.so)
>> - a X509 Cert inside the eToken, along private and public keys (that
>> cannot be exported. The eToken has to sign all data itself)
> Since this is you environment, could you propose a patch to xmlsec that
> support openssl engines?

Yep :)
As soon as i have something working, ill clean it up, and propose a patch.
So far, ive done a dirty hack to select engine inside openssl/app.c.
Now im on to replicating the -keyform part on ssl.

>> Using openssl, ive been able to sign digest using :
>> openssl dgst -engine pkcs11  -keyform engine -sign
>> <id-of-the-key-inside-token> xmlfile.xml
>> It seems to work, as it ask to enter the etoken password and output some
>> raw data.
> [SNIP]
> Aleksey,
> I think that first we has to enable xmlsec to use openssl config file.
> In the configuration file we can specify which engine to use. Samples
> can be found as search for "opensc pkcs11 engine".
> To work --crypto-config option we has to update:
> src/openssl/app.c:53:    OPENSSL_config(NULL);
> Also if function argument is not set we may look for environment
> variable is OPENSSL_CONF.
> Next I think is specific to engine - how to identify key(token) to use
> for the operation.
> Roumen

More information about the xmlsec mailing list