[xmlsec] PKCS11 - Key not found

Aleksey Sanin aleksey at aleksey.com
Thu Nov 10 19:39:55 PST 2016


Can you check what's going on in these two places?

https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887

Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.

Aleksey

On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
> Hello Aleksey,
> 
> I've used the RSA key from my smartcard but it is still being
> recognized as a public key. Is it because, as a smart card RSA key, it
> doesn't have the d member (because the private key never leaves the
> smart card)?
> 
> Regards,
> 
> Pablo
> 
> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>> Hi Aleksey,
>>
>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>
>> I'll fix that and then I'll come back with the result.
>>
>> Thank you!
>>
>> Pablo
>>
>> On 9 November 2016 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>> Assuming that the key type matches the requested signature type
>>> in the template (i.e. RSA signatures require RSA keys)...
>>>
>>> Can you try to print the key type with
>>>
>>> xmlSecKeyGetType(key)
>>>
>>> Basically, I suspect that it doesn't recognize the key as private
>>> thus can't find a proper key for the signature.
>>>
>>> Best,
>>>
>>> Aleksey
>>>
>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>> Hello there!
>>>>
>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>> this error:
>>>>
>>>>
>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>
>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>> Error: signature failed
>>>>
>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>> card but I'm sure that I am missing something.
>>>>
>>>> Could someone please help me to see what else I should be doing to
>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>> the same problem but he didn't mention how to solve it.
>>>>
>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>
>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>
>>>>     xmlSecKeyPtr key = NULL;
>>>>     xmlSecKeyDataPtr data;
>>>>     EVP_PKEY *pKey = NULL;
>>>>     int ret;
>>>>
>>>>     pKey = get_private_key(pwd);
>>>>     if(pKey == NULL)
>>>>         return NULL;
>>>>
>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>     if(data == NULL) {
>>>>         EVP_PKEY_free(pKey);
>>>>         return NULL;
>>>>     }
>>>>
>>>>     key = xmlSecKeyCreate();
>>>>     if(key == NULL) {
>>>>         xmlSecKeyDataDestroy(data);
>>>>         return NULL;
>>>>     }
>>>>
>>>>     ret = xmlSecKeySetValue(key, data);
>>>>     if(ret < 0) {
>>>>         xmlSecKeyDestroy(key);
>>>>         xmlSecKeyDataDestroy(data);
>>>>         return NULL;
>>>>     }
>>>>     return key;
>>>> }
>>>>
>>>> int sign_file(const char* xml_file, char *password) {
>>>>
>>>> .....
>>>>
>>>>
>>>>     /* load private key */
>>>>     dsigCtx->signKey = load_key(password);
>>>>     if(dsigCtx->signKey == NULL) {
>>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>>         goto done;
>>>>     }
>>>>
>>>>     /* load certificate and add to the key
>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
>>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>         goto done;
>>>>     }*/
>>>>
>>>>     /* set key name to the file name, this is just an example!
>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>         goto done;
>>>>     } */
>>>>
>>>>     /* sign the template */
>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>         fprintf(stderr,"Error: signature failed\n");
>>>>         goto done;
>>>>     }
>>>>
>>>>     ....
>>>> }
>>>>
>>>>
>>>>
>>>> Thank you!
>>>>
>>>> Pablo G. Gallardo
>>>> _______________________________________________
>>>> xmlsec mailing list
>>>> xmlsec at aleksey.com
>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.

