[xmlsec] xmlsec1 and pkcs11

Jaromir Talir jaromir.talir at nic.cz
Mon Feb 8 13:16:17 PST 2021


Hi Miklos,
good to hear you have succeeded. I played with nss and pkcs11 and it seems
like I'm almost there but still not fully. I guess I managed to get
over the task of how to find the proper keyname but xmlsec1 still cannot find the
key in the token. I suspect that the problem may be in the PIN code (i.e.
"123456") that needs to be entered and I'm not sure if the xmlsec1 "--pwd"
parameter is used for this. See below my attempts:

$ certutil -d /etc/pki/nssdb/ -L -h PIV_II

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "PIV_II":
PIV_II:Certificate for Card Authentication                   u,u,u
$ certutil -d /etc/pki/nssdb/ -L -n "PIV_II:Certificate for Card Authentication"
Enter Password or Pin for "PIV_II":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:ce:89:eb:aa:6e:11:8b:dc:de:1d:44:42:83:8d:ba:
            3f:34:e5:50
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "O=Default Company Ltd,L=Default City,C=XX"
        Validity:
            Not Before: Sat Feb 06 20:25:16 2021
            Not After : Sun Feb 06 20:25:16 2022
        Subject: "O=Default Company Ltd,L=Default City,C=XX"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                64:c5:9b:29:eb:74:fd:5e:54:05:33:37:58:31:b6:25:
                c3:9f:02:27

            Name: Certificate Authority Key Identifier
            Key ID:
                64:c5:9b:29:eb:74:fd:5e:54:05:33:37:58:31:b6:25:
                c3:9f:02:27

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
    Fingerprint (SHA-256):
        95:A1:4B:E3:BB:89:6C:E5:D2:03:13:97:D3:7E:65:76:46:EC:91:B7:66:32:C4:6B:12:8D:CF:91:FE:B7:F5:79
    Fingerprint (SHA1):
        C6:89:F5:3D:ED:00:C6:30:E8:54:14:72:B6:F7:04:B1:F3:D3:9A:8A

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

$ cat test.xml
<RootElement>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="">
      <Transforms>
       <Transform Algorithm=
         "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
       <DigestMethod Algorithm=
          "http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
     </Reference>
  </SignedInfo>
  <SignatureValue />
  <KeyInfo>
    <KeyName>PIV_II:Certificate for Card Authentication</KeyName>
  </KeyInfo>
 </Signature>
</RootElement>
$ xmlsec1 --sign --crypto nss --crypto-config /etc/pki/nssdb/ --pwd 123456 --output test-signed.xml test.xml
func=xmlSecKeysMngrGetKey:file=keys.c:line=1253:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Error: signature failed 
Error: failed to sign file "test.xml"



Regards,
Jaromir
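
Added example (not part of the original post, and not xmlsec code): a small Python triage helper for the failure shown above. It parses the colon-separated records xmlsec1 printed, picks the first one whose error code is not the generic 1, and checks whether the template's KeyName is string-equal to a nickname in the certutil -L listing. The function names and the trimmed template are assumptions made for the example; the trace and the listing row are copied from the post with mail line-wrapping undone.

```python
import re
import xml.etree.ElementTree as ET

DSIG_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}
GENERIC = 1  # "xmlsec library function failed": a caller re-reporting a failure
RECORD = re.compile(
    r"func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+):"
    r"obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<code>\d+):"
    r"(?P<msg>[^:]*):?\s*(?P<details>.*)$")
# certutil -L row: nickname, whitespace, three comma-separated trust-flag fields
ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_trace(stderr_text):
    """One dict per 'func=...' record, in the order xmlsec1 printed them."""
    records = []
    for line in stderr_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records.append({**m.groupdict(), "line": int(m["line"]), "code": int(m["code"])})
    return records

def root_cause(records):
    """First record carrying a specific (non-generic) error code, else None."""
    return next((r for r in records if r["code"] != GENERIC), None)

def template_key_names(template_xml):
    """KeyName values the signature template asks to be resolved."""
    root = ET.fromstring(template_xml)
    return [(e.text or "").strip() for e in root.iterfind(".//ds:KeyInfo/ds:KeyName", DSIG_NS)]

def listed_nicknames(listing):
    """Map nickname -> trust flags; header and prompt lines do not match ROW."""
    return {m["nick"]: m["trust"] for l in listing.splitlines() if (m := ROW.match(l))}

def diagnose(stderr_text, template_xml, listing):
    cause = root_cause(parse_trace(stderr_text))
    nicks = listed_nicknames(listing)
    return {"cause": cause and (cause["func"], cause["code"], cause["msg"]),
            "unlisted_key_names": [n for n in template_key_names(template_xml) if n not in nicks]}

# Input copied from the post (mail wrapping undone); TEMPLATE is a trimmed, constructed stand-in.
TRACE = """\
func=xmlSecKeysMngrGetKey:file=keys.c:line=1253:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed:"""
LISTING = "PIV_II:Certificate for Card Authentication                   u,u,u"
TEMPLATE = ('<RootElement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><KeyName>'
            "PIV_II:Certificate for Card Authentication</KeyName></KeyInfo></Signature></RootElement>")
print(diagnose(TRACE, TEMPLATE, LISTING))
```

For the post's input this reports error 45 ("key is not found") from xmlSecDSigCtxProcessKeyInfoNode and an empty list of unlisted key names, i.e. the KeyName text equals the nickname certutil shows.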

> Message: 2
> Date: Mon, 8 Feb 2021 11:13:46 +0100
> From: Miklos Vajna <vmiklos at vmiklos.hu>
> To: xmlsec at aleksey.com
> Subject: Re: [xmlsec] xmlsec1 and pkcs11
> Message-ID: <20210208101346.GE29873 at vmiklos.hu>
> Content-Type: text/plain; charset=utf-8
> 
> Hi Jaromir,
> 
> On Mon, Feb 08, 2021 at 10:33:41AM +0100, Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > is there anybody on the list who has successfully used xmlsec1
> > commandline tool with pkcs11 token? If so can you please share how?
> > 
> > It is mentioned several times in the mailing list archive but the
> > answers only say that "it should work". From this search I got to the
> > conclusion that some magic must be done with openssl config to make it
> > work but nobody revealed this magic. Or maybe it is proper way to use
> > nss backend instead? Please, share your success stories.
> 
> I have a pkcs11 token with an ECDSA certificate. It's working for me
> with NSS on Linux and MSCNG on Windows.
> 
> I haven't tried openssl.
> 
> Regards,
> 
> Miklos