[xmlsec] PKCS11 - Key not found

Aleksey Sanin aleksey at aleksey.com
Fri Nov 11 21:46:08 PST 2016


Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
the recompiled libs instead of the default ones):

https://github.com/lsh123/xmlsec/pull/59

I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.

Aleksey

On 11/11/16 2:42 PM, Pablo Gabriel Gallardo wrote:
> Aleksey,
> 
> Here you have the RSA and DSA objects from my smart card at execution time:
> RSA:
> $1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
> 0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
> = 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
> 1, flags = 6,
>   _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
> bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
> 
> RSA->meth:
> (gdb) p *pKey.pkey->rsa->meth
> $3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
> rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
> <pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
> <pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
>   bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
> = 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
> rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
> 
> RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
> 
> DSA:
> (gdb) p *pKey.pkey->dsa
> $2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
> 0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
> = 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
> = {sk = 0x0, dummy = 1},
>   meth = 0x6, engine = 0x0}
> 
> 
> I've tried to debug the sources on GitHub but I've got this error:
> func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=20;real subminor version=23
> Error: loaded xmlsec library version is not compatible.
> 
> But with the information above RSA is recognized as a public key
> because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
> 
> Thank you for your interest in my case. What can I do to fix this?
> Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
> public key and one for the private key)?
> 
> Regards,
> 
> Pablo G. Gallardo
> 
> 2016-11-11 1:39 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>> Can you check what's going on in these two places?
>>
>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>>
>> Unfortunately, there is no good way to determine if a PKEY is public
>> or private. Thus we use a hack. I am curious what is going on there
>> in your case.
>>
>> Aleksey
>>
>> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>>> Hello Aleksey,
>>>
>>> I've used the RSA key from my smartcard but it is still being
>>> recognized as a public key. Is it because, as a smart card RSA key, it
>>> doesn't have the d member (because the private key never leaves the
>>> smart card)?
>>>
>>> Regards,
>>>
>>> Pablo
>>>
>>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>>>> Hi Aleksey,
>>>>
>>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>>>
>>>> I'll fix that and then I'll come back with the result.
>>>>
>>>> Thank you!
>>>>
>>>> Pablo
>>>>
>>>> On 9 November 2016 at 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>> Assuming that the key type matches the requested signature type
>>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>>
>>>>> Can you try to print the key type with
>>>>>
>>>>> xmlSecKeyGetType(key)
>>>>>
>>>>> Basically, I suspect that it doesn't recognize the key as private
>>>>> thus can't find a proper key for the signature.
>>>>>
>>>>> Best,
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>>> Hello there!
>>>>>>
>>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>>> this error:
>>>>>>
>>>>>>
>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>>> Error: signature failed
>>>>>>
>>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>>> card but I'm sure that I am missing something.
>>>>>>
>>>>>> Could someone please help me to see what else I should be doing to
>>>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>>>> the same problem but he didn't mention how to solve it.
>>>>>>
>>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>>
>>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>>
>>>>>>     xmlSecKeyPtr key = NULL;
>>>>>>     xmlSecKeyDataPtr data;
>>>>>>     EVP_PKEY *pKey = NULL;
>>>>>>     int ret;
>>>>>>
>>>>>>     pKey = get_private_key(pwd);
>>>>>>     if(pKey == NULL)
>>>>>>         return NULL;
>>>>>>
>>>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>>     if(data == NULL) {
>>>>>>         EVP_PKEY_free(pKey);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>
>>>>>>     key = xmlSecKeyCreate();
>>>>>>     if(key == NULL) {
>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>
>>>>>>     ret = xmlSecKeySetValue(key, data);
>>>>>>     if(ret < 0) {
>>>>>>         xmlSecKeyDestroy(key);
>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>     return key;
>>>>>> }
>>>>>>
>>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>>
>>>>>> .....
>>>>>>
>>>>>>
>>>>>>     /* load private key */
>>>>>>     dsigCtx->signKey = load_key(password);
>>>>>>     if(dsigCtx->signKey == NULL) {
>>>>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>>>>         goto done;
>>>>>>     }
>>>>>>
>>>>>>     /* load certificate and add to the key
>>>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
>>>>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>>>         goto done;
>>>>>>     }*/
>>>>>>
>>>>>>     /* set key name to the file name, this is just an example!
>>>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>>>         goto done;
>>>>>>     } */
>>>>>>
>>>>>>     /* sign the template */
>>>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>>         fprintf(stderr,"Error: signature failed\n");
>>>>>>         goto done;
>>>>>>     }
>>>>>>
>>>>>>     ....
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> Pablo G. Gallardo
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>
>>>>
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>
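Added example (not code from this thread, from xmlsec or from libp11): a small self-contained C program that models the public-versus-private check the thread is about. The `struct rsa_view` is a constructed stand-in for the four RSA fields the check looks at, not OpenSSL's RSA struct; `DEFAULT_METH_NAME` and the three sample keys are assumptions, except that the "card key" values (d = 0x0, engine = 0x0, flags = 6, method name "libp11 RSA method") are taken from the gdb dump quoted above. The flag constants are OpenSSL's real `RSA_FLAG_*` values and the key type values are xmlsec's `xmlSecKeyDataTypePublic`/`xmlSecKeyDataTypePrivate`.

```c
#include <stdio.h>
#include <string.h>

/* RSA flag bits as defined in OpenSSL's rsa.h; used to decode "flags = 6" from the gdb dump. */
#define RSA_FLAG_CACHE_PUBLIC  0x0002
#define RSA_FLAG_CACHE_PRIVATE 0x0004
#define RSA_FLAG_EXT_PKEY      0x0020

/* xmlsec key type values (xmlSecKeyDataTypePublic / xmlSecKeyDataTypePrivate). */
#define KEY_TYPE_PUBLIC  0x0001
#define KEY_TYPE_PRIVATE 0x0002

/* Constructed stand-in for the RSA fields the check looks at. It is NOT OpenSSL's
 * RSA struct; with a real key these values come from RSA_get0_key(), RSA_test_flags(),
 * RSA_get0_engine() and RSA_get_method(). */
struct rsa_view {
    const char *meth_name;  /* name of the RSA_METHOD in use */
    int has_d;              /* 1 if the private exponent d is held in process memory */
    int has_engine;         /* 1 if rsa->engine is set */
    int flags;              /* rsa->flags */
};

/* Assumption: name of OpenSSL's built-in software RSA method. Matching by name here
 * stands in for comparing RSA_get_method(rsa) against RSA_PKCS1_OpenSSL(). */
#define DEFAULT_METH_NAME "OpenSSL PKCS#1 RSA"

/* Heuristic A: a key is private only if d is in memory or RSA_FLAG_EXT_PKEY is set.
 * This is the check that makes an on-card libp11 key look like a public key. */
int key_type_by_d_and_flag(const struct rsa_view *r) {
    if (r->has_d || (r->flags & RSA_FLAG_EXT_PKEY) != 0)
        return KEY_TYPE_PRIVATE;
    return KEY_TYPE_PUBLIC;
}

/* Heuristic B: additionally treat a key served by an ENGINE, or by any RSA method
 * other than the built-in software one, as private, because that method can sign
 * even though d never leaves the token. */
int key_type_engine_aware(const struct rsa_view *r) {
    if (key_type_by_d_and_flag(r) == KEY_TYPE_PRIVATE)
        return KEY_TYPE_PRIVATE;
    if (r->has_engine)
        return KEY_TYPE_PRIVATE;
    if (r->meth_name != NULL && strcmp(r->meth_name, DEFAULT_METH_NAME) != 0)
        return KEY_TYPE_PRIVATE;
    return KEY_TYPE_PUBLIC;
}

/* Returns 1 if the flags word carries only the two cache bits, i.e. nothing that
 * marks an external private key (this is what "flags = 6" in the dump decodes to). */
int flags_are_cache_only(int flags) {
    return flags != 0 && (flags & ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE)) == 0;
}

static const char *type_name(int t) {
    return t == KEY_TYPE_PRIVATE ? "private" : "public";
}

int main(void) {
    /* Values from the gdb dump in the thread: d = 0x0, engine = 0x0, flags = 6,
     * meth->name = "libp11 RSA method". */
    struct rsa_view card_key = { "libp11 RSA method", 0, 0, 6 };
    /* Constructed software keys for comparison. */
    struct rsa_view soft_priv = { DEFAULT_METH_NAME, 1, 0, 6 };
    struct rsa_view soft_pub  = { DEFAULT_METH_NAME, 0, 0, 2 };

    const struct rsa_view *keys[] = { &card_key, &soft_priv, &soft_pub };
    const char *labels[] = { "libp11 card key", "software private", "software public" };
    for (int i = 0; i < 3; i++) {
        printf("%-17s d=%d engine=%d flags=0x%02x cache-only=%d -> by-d: %s, engine-aware: %s\n",
               labels[i], keys[i]->has_d, keys[i]->has_engine, keys[i]->flags,
               flags_are_cache_only(keys[i]->flags),
               type_name(key_type_by_d_and_flag(keys[i])),
               type_name(key_type_engine_aware(keys[i])));
    }
    return 0;
}
```

Two caveats for real code. First, the dump shows `engine = 0x0` and `flags = 6` (only the cache bits), so neither an engine-pointer check nor `RSA_FLAG_EXT_PKEY` would rescue this key; only the RSA method differs, and that comparison should be done on the `RSA_METHOD` pointer (`RSA_get_method(rsa) != RSA_PKCS1_OpenSSL()`), not on the name, since the built-in method's name has changed between OpenSSL releases. Second, heuristic B widens "private" to every key behind a non-default method, so a public key loaded through an engine is then reported as private; the consequence is that the signing call fails instead of the key lookup, which is the trade-off Aleksey's "hack" remark alludes to.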

