[xmlsec] Concerning smartcard implementation for signature with xmlsec1 on a XML-file.

Aleksey Sanin aleksey at aleksey.com
Thu Oct 6 09:38:59 PDT 2011

You don't need to load the file but you need somehow tell
xmlsec which key to use. The easiest way is to use KeyName.

Sorry again, I don't have direct experience with smart cards
and xmlsec


On 10/6/11 9:26 AM, Si St wrote:
> (Main stuff at "SUPPOSITIONS" further down)
> I have tried out a openssl.cnf config together with commandline that
> performes openssl-processes according to the examples in:
> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
> But I modified the openssl.cnf for my own smartcard with
> /usr/lib/libiid.so.
> I have also put in a request for help to define the key_id in
> openssl.cnf at the page:
> http://old.nabble.com/sufficient-engine-configuration-i-openssl.cnf-for-signing-with-smartcard-xmlsec1-td32596200.html
> Testwise, I have full contact with the smartcard, when defining the
> right key_id and pincode,eagerly blinking and hanging until the process
> is fulfilled. This is good.
> Upon trying the xmlsec1 with "--crypto" there is blinking and hang also,
> but because I am not able to define the key_id in the openssl.cnf I have
> this error:
> xmlsec1 sign --crypto openssl --output signed_template_KOM.xml
> template_KOM.xml
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto
> library function failed:subj=/C=NO/O=STORSET SIGBJ\xC3\x98RN/CN=STORSET
> SIGBJ\xC3\x98RN/serialNumber=981789261;err=20;msg=unable to get local
> issuer certificate
> func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate
> verification failed:err=20;msg=unable to get local issuer certificate
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
> is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed:
> Error: signature failed
> Error: failed to sign file "template_KOM.xml"
> The reason for the first error part is that in the template, a
> definition of the certificate by pasting it into the element
> <Certificate/>  is mandatory. With the --privkey keyfile.pem switch and
> the corresponding CA cert-file defined to the --trusted switch, this
> error disappears. In all, the file is signed with or without the
> --trusted switch, when I experimentally tried the signing with the
> "wrong" key as keyFILE.pem .
> In the instance with the --privkey I do not need the element<KeyName/>:
> The msg.xml is signed and "xmlsec1 verify" gives "OK".
> I would assume that this is also true with --crypto, as long as the the
> key_id  is defined correctly in the openssl.cnf. I understand this so
> that --crypto will substitute a similar call that --privkey performes on
> a keyfile.pem, assuming that the key is there ready for signing, when
> once found. (?).
> But a quick glance at the keys.c and the more it could be that this is
> not so. I cannot tell. In addition there is no way of getting the key
> out of the smartcard as FILE. At the particular level of this smartcard
> certificate ("person high") the security policy definition has decided
> it so. - The whole thing would be in box if a keyfile.pem could have
> been used. It works with xmlsec1 exactly right. I have even asked for
> export of the key as file, but there is only a no-answer. It is quite
> incredible that a key.pem cannot be handed out as long as the keyfile
> can be thoroughly encrypted and password protected with pkcs6 and topk8,
> - at least for responsible people.

More information about the xmlsec mailing list