[xmlsec] Concerning smartcard implementation for signature with xmlsec1 on a XML-file.

Si St sigbj-st at operamail.com
Tue Sep 27 11:56:32 PDT 2011


I have read through the threads concerning this issue as the following:

http://www.aleksey.com/pipermail/xmlsec/2006/007519.html
http://www.mail-archive.com/xmlsec@aleksey.com/msg02523.html

I am working in the health sector in Norway as a private doctor. Coming up
there will in the future be a mandatory claim to send messages via an MSH
and ebXML, and the message.xml as Payload would have to be signed. At
this stage xmlsec can be used for this with the following setup:

1. make ready the msg.xml with the necessary signature elements and
pasted-in x509-cert added
2. run xmlsec1 as this:
xmlsec1 [sign] [--privkey key-to-be-used.pem] [--trusted x509cert-to-be-used_ca.pem] [msg.xml]

Verification test gives OK.

The signature would have to be done with a personal key and not an
organisational key as in the instance above. The key resides in a
smartcard delivered from buypass.no and is the only standard until now.
The buypass.no delivers an accessCD with the necessary PKCS11 machinery
on. Installing this I get contact with the smartcard through Firefox.
This edition is for Linux, other editions exist for MS Windows. I apply
Linux to produce the msg.xml as a ready file. To sign the file for
simplicity it doesn't matter whether I use Windows or Linux, but the
working day is on a Linux machine, so I would prefer Linux by choice.

The msg.xml file is sent with "Hermes2" - CECID,Hong Kong University -
as the Message Service Handler. I am so far able to pass all servers up
to the point where the receiver actually is dealing with the content in
the msg.xml directly. But here I am stopped because the signature has to
be done with the key inside the smartcard, and the error message asks
for the organisational cert to be exchanged with the personal cert. So
the question is: How far am I from succeeding, what help can I get from
you to achieve the missing part in this run?

I am not a programmer able to write the eventual necessary programs
myself, but maybe and hopefully only small configuration changes are
necessary from this point on.

Sincerely Yours,
S. Storset
-- 
  Si St
  sigbj-st at operamail.com
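
Step 1 of the setup in the message above (msg.xml prepared with the signature elements and a pasted-in X.509 certificate), as an added example that is not part of the original post or of xmlsec. The function names, the sample message, the placeholder certificate and the choice of exclusive C14N with RSA-SHA256 are assumptions; the receiving service's profile decides the real algorithms.

```python
import base64
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

def pem_to_b64(pem: str) -> str:
    """Return the base64 body of a PEM certificate without the armor lines."""
    lines = [l.strip() for l in pem.splitlines()]
    b64 = "".join(l for l in lines if l and not l.startswith("-----"))
    base64.b64decode(b64, validate=True)  # reject a damaged paste early
    return b64

def add_signature_template(root, cert_pem):
    """Append an enveloped ds:Signature template, certificate included, to root."""
    def sub(parent, tag, text=None, **attrs):
        el = ET.SubElement(parent, f"{{{DS}}}{tag}", attrs)
        el.text = text
        return el
    sig = sub(root, "Signature")
    info = sub(sig, "SignedInfo")
    # Assumed algorithms; replace with the ones the receiver's profile requires.
    sub(info, "CanonicalizationMethod",
        Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#")
    sub(info, "SignatureMethod",
        Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = sub(info, "Reference", URI="")  # empty URI: the whole document
    transforms = sub(ref, "Transforms")
    # The enveloped transform excludes the Signature element from its own digest.
    sub(transforms, "Transform", Algorithm=DS + "enveloped-signature")
    sub(ref, "DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    sub(ref, "DigestValue")      # left empty: the signing tool fills it in
    sub(sig, "SignatureValue")   # left empty: the signing tool fills it in
    x509 = sub(sub(sig, "KeyInfo"), "X509Data")
    sub(x509, "X509Certificate", pem_to_b64(cert_pem))
    return sig

# Constructed sample input: not a real message and not a real certificate.
SAMPLE_MSG = "<Message><Text>constructed sample</Text></Message>"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder, not a certificate").decode()
              + "\n-----END CERTIFICATE-----\n")

def build(msg_xml=SAMPLE_MSG, cert_pem=SAMPLE_PEM):
    """Return msg_xml with the signature template appended as the last child."""
    root = ET.fromstring(msg_xml)
    add_signature_template(root, cert_pem)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build())
```

The printed document is the kind of prepared msg.xml that step 2 of the message hands to xmlsec1 for signing.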
