[xmlsec] xmlsec1 and pkcs11

Dmitry Belyavsky beldmit at gmail.com
Tue Feb 9 11:50:42 PST 2021


It's rather simple to use the engine via config.

Something like
======
# top level: tell OpenSSL which section lists the engines to load
openssl_conf = openssl_def
[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# path to the pkcs11 engine built as a dynamically loadable module
dynamic_path = /path/to/engine.so
default_algorithms = ALL
======
and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to load if
the library is not built statically.

Not sure it will ask for the password.



On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:

> Hi Dmitry,
>
> this would be great. I was able to use openssl with 'engine pkcs11 -
> keyform engine -inkey "pkcs11:..."'  but haven't found a way to pass
> this to xmlsec1. In the xmlsec1 mailing list archives it is mentioned
> there may be a way to get this into openssl config but without
> conclusion.
>
> Can you please share what was your approach?
>
> Regards,
> Jaromir
>
> On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > Hi Jaromir,
> >
> > I had some experience using xmlsec-openssl with PKCS#11-capable
> > engine and PKCS11-based keys, so I think it could be possible to do
> > it using openssl pkcs11 engine.
> >
> > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <jaromir.talir at nic.cz>
> > wrote:
> > > Hi Aleksey,
> > >
> > > I'm afraid this needs much deeper understanding of internals than I
> > > have. It's quite surprising nobody tried it in 15? years. Maybe the
> > > author of the libreoffice xmlsec client could assist in debugging
> > > where this PIN enters the API and then the CLI could be updated to
> > > follow the same path?
> > >
> > > Regards,
> > > Jaromir
> > >
> > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > Hi Jaromir,
> > > >
> > > > I never tested passing password to the token from CLI. If you can
> > > > debug it then I would gladly accept patches :)
> > > >
> > > > Best,
> > > >
> > > > Aleksey
> > > >
> > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > Hi Miklos,
> > > > >
> > > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > > document with the key on the token. I was asked for PIN in GUI.
> > > > >
> > > > > So the question for the audience is - how to pass PIN to NSS in
> > > > > xmlsec1
> > > > > cli?
> > > > >
> > > > > The last possible problem can be in KeyName so the other question
> > > > > is - is the described process to guess KeyName from token correct?
> > > > >
> > > > > Regards,
> > > > > Jaromir
> > > > >
> > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > Hi Jaromir,
> > > > > >
> > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > > <jaromir.talir at nic.cz> wrote:
> > > > > > > good to hear you have succeeded. I played with nss and pkcs11
> > > > > > > and it seems like I'm almost there but still not fully. I guess
> > > > > > > I managed to get over the task of how to find the proper keyname
> > > > > > > but xmlsec1 still cannot find the key in the token. I suspect
> > > > > > > that the problem may be in the PIN code (i.e. "123456") that
> > > > > > > needs to be entered and I'm not sure if the xmlsec1 "--pwd"
> > > > > > > parameter is used for this.
> > > > > >
> > > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track
> > > > > > down how your code vs xmlsec1 cli vs LibreOffice uses the
> > > > > > xmlsec1 library?
> > > > > >
> > > > > > Seeing you're on Linux, I only tried this with the NSS backend
> > > > > > of xmlsec1.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Miklos
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > xmlsec mailing list
> > > > > xmlsec at aleksey.com
> > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > >
> > >

-- 
SY, Dmitry Belyavsky
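The recipe in Dmitry's message (an OpenSSL config that loads the pkcs11 engine, then `OPENSSL_CONF=openssl.conf xmlsec1 ...`) packaged as a small POSIX shell script. This is an added example, not code from the thread or from the xmlsec project. The engine and PKCS#11 module paths are hypothetical placeholders; `MODULE_PATH` and `PIN` are configuration keys of the libp11 `engine_pkcs11` engine and are an assumption here, since the thread only shows `dynamic_path` and `default_algorithms`.

```shell
#!/bin/sh
# Added example, not code from the thread above. It writes the OpenSSL config
# that loads the pkcs11 engine, checks that the engine and PKCS#11 module files
# actually exist (a wrong dynamic_path is the usual reason the engine never
# loads), asks OpenSSL to load the engine, and finally runs xmlsec1 with
# OPENSSL_CONF set. All paths are hypothetical placeholders; MODULE_PATH and PIN
# are assumed to be engine_pkcs11 (libp11) config keys.

# preflight ENGINE_SO MODULE_SO: both shared objects must exist and be readable.
preflight() {
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# write_engine_conf CONF ENGINE_SO MODULE_SO [PIN]
# Writes the OpenSSL config from the thread, extended with MODULE_PATH and an
# optional PIN. The file is created with mode 0600 because it may hold the PIN.
write_engine_conf() {
    conf="$1"; engine_so="$2"; module_so="$3"; pin="${4:-}"
    old_umask=$(umask)
    umask 077
    {
        printf 'openssl_conf = openssl_def\n\n'
        printf '[openssl_def]\nengines = engine_section\n\n'
        printf '[engine_section]\npkcs11 = pkcs11_section\n\n'
        printf '[pkcs11_section]\nengine_id = pkcs11\n'
        # the engine shared object itself (engine_pkcs11 built as a module)
        printf 'dynamic_path = %s\n' "$engine_so"
        # assumption: MODULE_PATH names the PKCS#11 module that talks to the token
        printf 'MODULE_PATH = %s\n' "$module_so"
        # assumption: a PIN key here replaces the interactive prompt; only sensible
        # because the file is owner-readable only
        [ -n "$pin" ] && printf 'PIN = %s\n' "$pin"
        printf 'default_algorithms = ALL\n'
    } > "$conf"
    umask "$old_umask"
}

# engine_loads CONF: have OpenSSL load and self-test the engine via the config;
# returns OpenSSL's status (non-zero if the engine cannot be loaded).
engine_loads() {
    OPENSSL_CONF="$1" openssl engine -t pkcs11 >/dev/null 2>&1
}

# sign_with_token CONF xmlsec1-args...: runs xmlsec1 exactly as in the thread,
# with OPENSSL_CONF pointing at the generated config.
sign_with_token() {
    conf="$1"; shift
    OPENSSL_CONF="$conf" xmlsec1 "$@"
}

# conf_has CONF KEY VALUE: exact-line check to verify the generated file.
conf_has() {
    grep -qxF "$2 = $3" "$1"
}

# Example run (hypothetical paths and xmlsec1 arguments):
# preflight /usr/lib/engines-1.1/pkcs11.so /usr/lib/opensc-pkcs11.so &&
#   write_engine_conf ./openssl.conf /usr/lib/engines-1.1/pkcs11.so /usr/lib/opensc-pkcs11.so &&
#   engine_loads ./openssl.conf &&
#   sign_with_token ./openssl.conf --sign --output signed.xml doc.xml
```

Leave the fourth argument off to let the engine prompt for the PIN instead of reading it from the file; if you do put the PIN in the config, the 0600 mode set by `write_engine_conf` is what keeps it from other local users.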