[xmlsec] PKCS11 - Key not found

Pablo Gabriel Gallardo pggllrd at gmail.com
Sat Nov 12 08:17:38 PST 2016


Aleksey,

It worked! Thank you so much for your help and time!

<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Original XML doc file for sign3 example.
-->
<Envelope xmlns="urn:envelope">
  <Data>
        Hello, World!
  </Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName/>
<X509Certificate/>
</X509Data>
</KeyInfo>
</Signature></Envelope>

Regards,

Pablo G. Gallardo

2016-11-12 3:46 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
> Can you try this patch (it is already merged to the master on github --
> you will need to recompile the library and ensure you are loading
> the recompiled libs instead of the default ones):
>
> https://github.com/lsh123/xmlsec/pull/59
>
> I believe this should help with RSA. I have no idea what to do with DSA
> since I don't see any indication in the debug printout that this key is
> private.
>
> Aleksey
>
> On 11/11/16 2:42 PM, Pablo Gabriel Gallardo wrote:
>> Aleksey,
>>
>> Here you have the RSA and DSA objects from my smart card at execution time:
>> RSA:
>> $1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
>> 0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
>> = 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
>> 1, flags = 6,
>>   _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
>> bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
>>
>> RSA->meth:
>> (gdb) p *pKey.pkey->rsa->meth
>> $3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
>> rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
>> <pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
>> <pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
>>   bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
>> = 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
>> rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
>>
>> RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
>>
>> DSA:
>> (gdb) p *pKey.pkey->dsa
>> $2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
>> 0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
>> = 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
>> = {sk = 0x0, dummy = 1},
>>   meth = 0x6, engine = 0x0}
>>
>>
>> I've tried to debug the sources on GitHub but I've got this error:
>> func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=20;real subminor version=23
>> Error: loaded xmlsec library version is not compatible.
>>
>> But with the information above RSA is recognized as a public key
>> because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
>>
>> Thank you for your interest in my case. What can I do to fix this?
>> Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
>> public key and one for the private key)?
>>
>> Regards,
>>
>> Pablo G. Gallardo
>>
>> 2016-11-11 1:39 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>>> Can you check what's going on in these two places?
>>>
>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>>>
>>> Unfortunately, there is no good way to determine if a PKEY is public
>>> or private. Thus we use a hack. I am curious what is going on there
>>> in your case.
>>>
>>> Aleksey
>>>
>>> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>>>> Hello Aleksey,
>>>>
>>>> I've used the RSA key from my smartcard but it is still being
>>>> recognized as a public key. Is it because, as a smart card RSA key, it
>>>> doesn't have the d member (because the private key never leaves the
>>>> smart card)?
>>>>
>>>> Regards,
>>>>
>>>> Pablo
>>>>
>>>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>>>>> Hi Aleksey,
>>>>>
>>>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>>>>
>>>>> I'll fix that and then I'll come back with the result.
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Pablo
>>>>>
>>>>> On November 9, 2016 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>>> Assuming that the key type matches the requested signature type
>>>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>>>
>>>>>> Can you try to print the key type with
>>>>>>
>>>>>> xmlSecKeyGetType(key)
>>>>>>
>>>>>> Basically, I suspect that it doesn't recognize the key as private
>>>>>> thus can't find a proper key for the signature.
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Aleksey
>>>>>>
>>>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>>>> Hello there!
>>>>>>>
>>>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>>>> this error:
>>>>>>>
>>>>>>>
>>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>>>> Error: signature failed
>>>>>>>
>>>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>>>> card but I'm sure that I am missing something.
>>>>>>>
>>>>>>> Could someone please help me to see what else I should be doing to
>>>>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>>>>> the same problem but he didn't mention how to solve it.
>>>>>>>
>>>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>>>
>>>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>>>
>>>>>>>     xmlSecKeyPtr key = NULL;
>>>>>>>     xmlSecKeyDataPtr data;
>>>>>>>     EVP_PKEY *pKey = NULL;
>>>>>>>     int ret;
>>>>>>>
>>>>>>>     pKey = get_private_key(pwd);
>>>>>>>     if(pKey == NULL)
>>>>>>>         return NULL;
>>>>>>>
>>>>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>>>     if(data == NULL) {
>>>>>>>         EVP_PKEY_free(pKey);
>>>>>>>         return NULL;
>>>>>>>     }
>>>>>>>
>>>>>>>     key = xmlSecKeyCreate();
>>>>>>>     if(key == NULL) {
>>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>>         return NULL;
>>>>>>>     }
>>>>>>>
>>>>>>>     ret = xmlSecKeySetValue(key, data);
>>>>>>>     if(ret < 0) {
>>>>>>>         xmlSecKeyDestroy(key);
>>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>>         return NULL;
>>>>>>>     }
>>>>>>>     return key;
>>>>>>> }
>>>>>>>
>>>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>>>
>>>>>>> .....
>>>>>>>
>>>>>>>
>>>>>>>     /* load private key */
>>>>>>>     dsigCtx->signKey = load_key(password);
>>>>>>>     if(dsigCtx->signKey == NULL) {
>>>>>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>>>>>         goto done;
>>>>>>>     }
>>>>>>>
>>>>>>>     /* load certificate and add to the key
>>>>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
>>>>>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>>>>         goto done;
>>>>>>>     }*/
>>>>>>>
>>>>>>>     /* set key name to the file name, this is just an example!
>>>>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>>>>         goto done;
>>>>>>>     } */
>>>>>>>
>>>>>>>     /* sign the template */
>>>>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>>>         fprintf(stderr,"Error: signature failed\n");
>>>>>>>         goto done;
>>>>>>>     }
>>>>>>>
>>>>>>>     ....
>>>>>>> }
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thank you!
>>>>>>>
>>>>>>> Pablo G. Gallardo
>>>>>>>
>>>>>
>>>>
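
Added example (not part of the thread, and not xmlsec, libp11 or OpenSSL code): a small C model of the check described above, showing why a token-backed RSA key with d = NULL and flags = 6 is classified as public-only and how a caller can catch that before signing. struct rsa_model, sample_type and sample_signable are hypothetical names; the flag and key-type values are assumed from the OpenSSL 1.0.x and xmlsec headers.

```c
#include <stdio.h>
#include <stddef.h>

#define RSA_FLAG_EXT_PKEY 0x0020 /* OpenSSL 1.0.x rsa.h: private ops handled by the method */
#define KEY_TYPE_PUBLIC   0x0001 /* the value xmlSecKeyGetType() returned in the thread */
#define KEY_TYPE_PRIVATE  0x0002

/* Model of the RSA fields visible in the gdb dump (not the OpenSSL struct). */
struct rsa_model {
    const void *n, *e; /* public modulus and exponent */
    const void *d;     /* private exponent; NULL when it never leaves the card */
    int flags;
};

/* The heuristic as described in the thread: private only if d is present
 * or the key is flagged as having an external private key. */
static int classify_rsa(const struct rsa_model *rsa) {
    int type = 0;
    if (rsa == NULL) return 0;
    if (rsa->n != NULL && rsa->e != NULL) type |= KEY_TYPE_PUBLIC;
    if (rsa->d != NULL || (rsa->flags & RSA_FLAG_EXT_PKEY)) type |= KEY_TYPE_PRIVATE;
    return type;
}

/* Caller-side guard: report the misclassification before signing starts. */
static int usable_for_signing(const struct rsa_model *rsa) {
    if (classify_rsa(rsa) & KEY_TYPE_PRIVATE) return 1;
    if (rsa != NULL)
        fprintf(stderr, "key is public-only: d=%s flags=0x%x\n",
                rsa->d ? "set" : "NULL", (unsigned)rsa->flags);
    return 0;
}

/* Constructed sample keys; bn stands in for a BIGNUM. */
static const int bn = 0;
static int sample_type(int has_d, int flags) {
    struct rsa_model k = { &bn, &bn, has_d ? &bn : NULL, flags };
    return classify_rsa(&k);
}
static int sample_signable(int has_d, int flags) {
    struct rsa_model k = { &bn, &bn, has_d ? &bn : NULL, flags };
    return usable_for_signing(&k);
}

int main(void) {
    printf("token key (d=NULL, flags=6):  type=%d\n", sample_type(0, 6));
    printf("software key (d set):         type=%d\n", sample_type(1, 6));
    printf("token key with EXT_PKEY flag: type=%d\n", sample_type(0, 6 | RSA_FLAG_EXT_PKEY));
    return sample_signable(0, 6) ? 1 : 0;
}
```

In a real program the same guard corresponds to checking the result of xmlSecKeyGetType(key) right after xmlSecKeySetValue(), so the failure surfaces at key load rather than as "key is not found" inside xmlSecDSigCtxSign().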

