[xmlsec] Concerning smartcard implementation for signature with xmlsec1 on a XML-file.

Aleksey Sanin aleksey at aleksey.com
Tue Sep 27 12:14:20 PDT 2011

Well, it is hard to say how far away you are but these are the steps
that should help you:

1) Configure OpenSSL or NSS to use the PKCS12 modules that came from
your smart card. Since you already have it working in Firefox, this
means that you have necessary stuff for NSS. However, it might be
possible that your Firefox uses a *private* NSS instance and you need
to repeat the configuration to be for the global instance as well.

2) Figure out the "key name" for this key if you can.

3) Add <KeyName>...</KeyName> to your xml message to tell xmlsec which
key to load.

4) Sign the message with the right crypto engine loaded (nss or openssl)

xmlsec1 sign --crypto ??? msg.xml

Sorry, I don't have a lot of experience with smart cards thus it is
only high-level instructions.


On 9/27/11 11:56 AM, Si St wrote:
> I have read through the threads concerning this issue as the following:
> http://www.aleksey.com/pipermail/xmlsec/2006/007519.html
> http://www.mail-archive.com/xmlsec@aleksey.com/msg02523.html
> I am working in the health sector in Norway as privat doctor. Coming up
> there will in the future be a mandatory claim to send messages via a MSH
> and ebXML, and the message.xml as Payload would have to be signed. At
> this stage xmlsec can be used for this with the following setup:
> 1. make ready the msg.xml with the necessary signature elements and
> pasted-in x509-cert added
> 2. run xmlsec1 as this:
> xmlsec1 [sign] [--privkey  key-to-be-used.pem] [--trusted
> x509cert-to-be-used_ca.pem] [msg.xml]
> Verification test gives OK.
> The signature would have to be done with a personal key and not a
> organisational key as in the instance above. The key resides in a
> smartcard delivered from buypass.no and is the only standard until now.
> The buypass.no delivers an accessCD with the necessary PKCS11 machinery
> on. Installing this I get contact with the smartcard through Firefox.
> This edition is for linux, other edition exists for MS Windows. I apply
> linux to produce the msg.xml as a ready file. To sign the file for
> simplicity it doesnt matter weather I use Windows or linux, but the
> working day is on a linux machine, so I would prefer linux by choice.
> The msg.xml file is sent with "Hermes2" - CECID,Hong Kong University -
> as the Message Service Handler. I am so far able to pass all servers up
> to the point where the receiver actually is dealing with the content in
> the msg.xml directly. But here am I stopped because the signature has to
> be done with the key inside the smartcard, and the error message asks
> for the organisational cert to be exchanged with the personal cert. So
> the question is: How far am I from succeeding, what help can I get from
> you to achieve the missing part in this run?
> I am not a programmer able to write the eventual necessary programs
> myself, but maybe and hopefully only small configuration changes is
> necessary from this point on.
> Sincerely Yours,
> S. Storset

More information about the xmlsec mailing list