[xmlsec] PKCS11 - Key not found

Pablo Gabriel Gallardo pggllrd at gmail.com
Fri Nov 11 14:42:48 PST 2016


Aleksey,

Here are the RSA and DSA objects from my smart card at execution time:
RSA:
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
  _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}

RSA->meth:
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
  bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}

RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0

DSA:
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
  meth = 0x6, engine = 0x0}


I've tried to debug the sources on GitHub but I've got this error:
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=20;real subminor version=23
Error: loaded xmlsec library version is not compatible.

But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.

Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?

Regards,

Pablo G. Gallardo

2016-11-11 1:39 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
> Can you check what's going on in these two places?
>
> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>
> Unfortunately, there is no good way to determine if a PKEY is public
> or private. Thus we use a hack. I am curious what is going on there
> in your case.
>
> Aleksey
>
> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>> Hello Aleksey,
>>
>> I've used the RSA key from my smartcard but it is still being
>> recognized as a public key. Is it because, as a smart card RSA key, it
>> doesn't have the d member (because the private key never leaves the
>> smart card)?
>>
>> Regards,
>>
>> Pablo
>>
>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>>> Hi Aleksey,
>>>
>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>>
>>> I'll fix that and then I'll come back with the result.
>>>
>>> Thank you!
>>>
>>> Pablo
>>>
>>> On November 9, 2016 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>> Assuming that the key type matches the requested signature type
>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>
>>>> Can you try to print the key type with
>>>>
>>>> xmlSecKeyGetType(key)
>>>>
>>>> Basically, I suspect that it doesn't recognize the key as private
>>>> thus can't find a proper key for the signature.
>>>>
>>>> Best,
>>>>
>>>> Aleksey
>>>>
>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>> Hello there!
>>>>>
>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>> this error:
>>>>>
>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>> Error: signature failed
>>>>>
>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>> card but I'm sure that I am missing something.
>>>>>
>>>>> Could someone please help me to see what else I should be doing to
>>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>>> the same problem but he didn't mention how to solve it.
>>>>>
>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>
>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>
>>>>>     xmlSecKeyPtr key = NULL;
>>>>>     xmlSecKeyDataPtr data;
>>>>>     EVP_PKEY *pKey = NULL;
>>>>>     int ret;
>>>>>
>>>>>     pKey = get_private_key(pwd);
>>>>>     if(pKey == NULL)
>>>>>         return NULL;
>>>>>
>>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>     if(data == NULL) {
>>>>>         EVP_PKEY_free(pKey);
>>>>>         return NULL;
>>>>>     }
>>>>>
>>>>>     key = xmlSecKeyCreate();
>>>>>     if(key == NULL) {
>>>>>         xmlSecKeyDataDestroy(data);
>>>>>         return NULL;
>>>>>     }
>>>>>
>>>>>     ret = xmlSecKeySetValue(key, data);
>>>>>     if(ret < 0) {
>>>>>         xmlSecKeyDestroy(key);
>>>>>         xmlSecKeyDataDestroy(data);
>>>>>         return NULL;
>>>>>     }
>>>>>     return key;
>>>>> }
>>>>>
>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>
>>>>> .....
>>>>>
>>>>>
>>>>>     /* load private key */
>>>>>     dsigCtx->signKey = load_key(password);
>>>>>     if(dsigCtx->signKey == NULL) {
>>>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>>>         goto done;
>>>>>     }
>>>>>
>>>>>     /* load certificate and add to the key
>>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
>>>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>>         goto done;
>>>>>     }*/
>>>>>
>>>>>     /* set key name to the file name, this is just an example!
>>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>>         goto done;
>>>>>     } */
>>>>>
>>>>>     /* sign the template */
>>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>         fprintf(stderr,"Error: signature failed\n");
>>>>>         goto done;
>>>>>     }
>>>>>
>>>>>     ....
>>>>> }
>>>>>
>>>>>
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Pablo G. Gallardo
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>
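
The check described at the top of this message ("public because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0"), as an added example that is not xmlsec or OpenSSL code and not written by anyone in the thread: a self-contained C model of that test, fed the d and flags values from the gdb dump. The struct, the function and the KEY_* names are hypothetical; the flag values are the ones defined in OpenSSL 1.0.x rsa.h, which shows that flags = 6 is only the two cache flags.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag values as defined in OpenSSL 1.0.x <openssl/rsa.h>. */
#define RSA_FLAG_CACHE_PUBLIC  0x0002
#define RSA_FLAG_CACHE_PRIVATE 0x0004
#define RSA_FLAG_EXT_PKEY      0x0020

/* Key-type bits: 1 = public is what xmlSecKeyGetType() returned in the
 * thread; 2 = private is an assumption of this model. */
enum { KEY_UNKNOWN = 0, KEY_PUBLIC = 1, KEY_PRIVATE = 2 };

/* Hypothetical stand-in for the RSA fields printed in the gdb dump. */
struct model_rsa {
    const void *n, *e, *d;
    int flags;
};

/* Private only if the exponent d is in memory or the key is flagged as
 * externally held; otherwise the key is treated as public. */
static int model_rsa_key_type(const struct model_rsa *rsa)
{
    if (rsa == NULL || rsa->n == NULL || rsa->e == NULL)
        return KEY_UNKNOWN;
    if (rsa->d != NULL || (rsa->flags & RSA_FLAG_EXT_PKEY) != 0)
        return KEY_PUBLIC | KEY_PRIVATE;
    return KEY_PUBLIC;
}

static const unsigned char bn[1] = {0}; /* constructed non-NULL placeholder */

/* Constructed inputs; token_key mirrors the dump (d = 0x0, flags = 6). */
static const struct model_rsa token_key    = { bn, bn, NULL, RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE };
static const struct model_rsa software_key = { bn, bn, bn,   RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE };
static const struct model_rsa flagged_key  = { bn, bn, NULL, RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE | RSA_FLAG_EXT_PKEY };

static void show(const char *label, const struct model_rsa *k)
{
    printf("%-13s d=%s flags=0x%02x -> type %d\n", label,
           k->d ? "set " : "NULL", k->flags, model_rsa_key_type(k));
}

int main(void)
{
    show("token key", &token_key);       /* d on the card, flag not set */
    show("software key", &software_key); /* d present in memory */
    show("flagged key", &flagged_key);   /* d absent, external flag set */
    return 0;
}
```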

