[xmlsec] xmlsec1 and pkcs11

Aleksey Sanin aleksey at aleksey.com
Tue Feb 9 11:11:25 PST 2021


All use cases known to me for reading keys from a token do not use the CLI :)

Aleksey

On 2/9/21 10:59 AM, Jaromir Talir wrote:
> Hi Aleksey,
> 
> I'm afraid this needs much deeper understanding of internals than I
> have. It's quite surprising nobody tried it in 15? years. Maybe author
> of libreoffice xmlsec client could assist in debugging where this PIN
> enters the API and then CLI could be updated to follow the same path?
> 
> Regards,
> Jaromir
> 
> On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
>> Hi Jaromir,
>>
>> I never tested passing password to the token from CLI. If you can
>> debug it then I would gladly accept patches :)
>>
>> Best,
>>
>> Aleksey
>>
>> On 2/9/21 1:42 AM, Jaromir Talir wrote:
>>> Hi Miklos,
>>>
>>> I tried LibreOffice with NSS backend and I was able to sign ODT
>>> document with the key on the token. I was asked for PIN in GUI.
>>>
>>> So the question for the audience is - how to pass PIN to NSS in xmlsec1
>>> cli?
>>>
>>> The last possible problem can be in KeyName so the other question is -
>>> is the described process to guess KeyName from token correct?
>>>
>>> Regards,
>>> Jaromir
>>>
>>> On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
>>>> Hi Jaromir,
>>>>
>>>> On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
>>>> <jaromir.talir at nic.cz> wrote:
>>>>> good to hear you have succeeded. I played with nss and pkcs11 and seems
>>>>> like I'm almost there but still not fully. I guess I managed to get
>>>>> over task how to find proper keyname but xmlsec1 still cannot find the
>>>>> key in the token. I suspect that problem may be in PIN code (i.e.
>>>>> "123456") that needs to be entered and I'm not sure if xmlsec1 "--pwd"
>>>>> parameter is used for this.
>>>>
>>>> To be clear, we only use the library part of xmlsec1, it's invoked by
>>>> LibreOffice. Perhaps see if your HW works with LibreOffice (try to sign
>>>> e.g. an ODT file), and if so, track down how your code vs xmlsec1 cli vs
>>>> LibreOffice uses the xmlsec1 library?
>>>>
>>>> Seeing you're on Linux, I only tried this with the NSS backend of
>>>> xmlsec1.
>>>>
>>>> Regards,
>>>>
>>>> Miklos