[xmlsec] xmlsec1 and pkcs11

Jaromir Talir jaromir.talir at nic.cz
Tue Feb 9 12:01:56 PST 2021


I guess I tried that and failed, but I'll give it another try. There is
at least the question of how to identify the key. Did you use the same
approach as in nss crypto with KeyName in the template?

Regards,
Jaromir

On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:
> It's rather simple to use the engine via config.
> 
> Something like
> ======
> openssl_conf = openssl_def
> [openssl_def]
> engines = engine_section
> 
> [engine_section]
> pkcs11 = pkcs11_section
> 
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /path/to/engine.so
> default_algorithms = ALL
> ======
> and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to
> load if the library is not built statically.
> 
> Not sure it will ask the password.
> 
> 
> 
> On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <jaromir.talir at nic.cz>
> wrote:
> > Hi Dmitry,
> > 
> > this would be great. I was able to use openssl with 'engine pkcs11
> > -keyform engine -inkey "pkcs11:..."' but haven't found a way to pass
> > this to xmlsec1. In the xmlsec1 mailing list archives it is mentioned
> > there may be a way to get this into the openssl config, but without
> > conclusion.
> > 
> > Can you please share what your approach was?
> > 
> > Regards,
> > Jaromir 
> > 
> > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > > Hi Jaromir,
> > > 
> > > I had some experience using xmlsec-openssl with a PKCS#11-capable
> > > engine and PKCS11-based keys, so I think it could be possible to do
> > > it using the openssl pkcs11 engine.
> > > 
> > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <jaromir.talir at nic.cz>
> > > wrote:
> > > > Hi Aleksey,
> > > > 
> > > > I'm afraid this needs a much deeper understanding of the internals
> > > > than I have. It's quite surprising nobody tried it in 15? years.
> > > > Maybe the author of the libreoffice xmlsec client could assist in
> > > > debugging where this PIN enters the API, and then the CLI could be
> > > > updated to follow the same path?
> > > > 
> > > > Regards,
> > > > Jaromir
> > > > 
> > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > > Hi Jaromir,
> > > > > 
> > > > > I never tested passing a password to the token from the CLI. If
> > > > > you can debug it then I would gladly accept patches :)
> > > > > 
> > > > > Best,
> > > > > 
> > > > > Aleksey
> > > > > 
> > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > > Hi Miklos,
> > > > > > 
> > > > > > I tried LibreOffice with the NSS backend and I was able to sign
> > > > > > an ODT document with the key on the token. I was asked for the
> > > > > > PIN in the GUI.
> > > > > > 
> > > > > > So the question for the audience is: how to pass the PIN to NSS
> > > > > > in the xmlsec1 cli?
> > > > > > 
> > > > > > The last possible problem can be in KeyName, so the other
> > > > > > question is: is the described process to guess the KeyName from
> > > > > > the token correct?
> > > > > > 
> > > > > > Regards,
> > > > > > Jaromir
> > > > > > 
> > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > > Hi Jaromir,
> > > > > > > 
> > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > > > <jaromir.talir at nic.cz> wrote:
> > > > > > > > good to hear you have succeeded. I played with nss and
> > > > > > > > pkcs11 and it seems like I'm almost there but still not
> > > > > > > > fully. I guess I managed to get over the task of how to
> > > > > > > > find the proper keyname, but xmlsec1 still cannot find the
> > > > > > > > key in the token. I suspect that the problem may be in the
> > > > > > > > PIN code (i.e. "123456") that needs to be entered, and I'm
> > > > > > > > not sure if the xmlsec1 "--pwd" parameter is used for this.
> > > > > > > 
> > > > > > > To be clear, we only use the library part of xmlsec1; it's
> > > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track
> > > > > > > down how your code vs the xmlsec1 cli vs LibreOffice uses the
> > > > > > > xmlsec1 library?
> > > > > > > 
> > > > > > > Seeing you're on Linux, I only tried this with the NSS backend
> > > > > > > of xmlsec1.
> > > > > > > 
> > > > > > > Regards,
> > > > > > > 
> > > > > > > Miklos
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > xmlsec mailing list
> > > > > > xmlsec at aleksey.com
> > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > > > 
> > > > 
> > > > 
> > > 
> > > 
> > 
> > 
> 
> 
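The openssl.conf fragment Dmitry quotes above, turned into a checkable script. This is an added example, not code from the thread or from the xmlsec project: it writes that config, verifies that the pkcs11 engine really loads under it (the step to confirm before blaming xmlsec1), and signs a file through the engine with the `-engine pkcs11 -keyform engine` invocation Jaromir reported working with openssl. The engine and module paths, the key URI, and the extra `MODULE_PATH` and `init` keys (libp11 engine ctrl commands) are assumptions for a typical Linux/OpenSC install; the thread itself only shows `engine_id`, `dynamic_path` and `default_algorithms`.

```shell
#!/bin/sh
# Added example (not from the thread): build the OpenSSL config that
# auto-loads the pkcs11 engine, check that it loads, then sign via the
# token with plain openssl before trying xmlsec1 under the same config.
#
# Assumed, not from the thread: engine/module paths (OpenSSL 1.1 layout
# with OpenSC), the placeholder key URI, and the MODULE_PATH/init keys.

# write_openssl_conf FILE ENGINE_SO MODULE_SO
#   Writes the config quoted in the thread, plus MODULE_PATH so the engine
#   knows which PKCS#11 module to load. init = 0 defers engine init until
#   first use so an absent token does not break unrelated openssl calls.
write_openssl_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $2
MODULE_PATH = $3
init = 0
EOF
}

# conf_has_engine FILE : 0 if FILE registers the pkcs11 engine
conf_has_engine() {
    grep -q '^engine_id = pkcs11$' "$1" && grep -q '^dynamic_path = ' "$1"
}

# engine_loads CONF : 0 if "openssl engine -t pkcs11" reports [ available ].
#   If this fails, dynamic_path or the config is wrong and xmlsec1 will
#   never see the engine either, so fix it here first.
engine_loads() {
    OPENSSL_CONF="$1" openssl engine -t pkcs11 2>/dev/null \
        | grep -q '\[ available \]'
}

# sign_with_engine CONF KEY_URI IN OUT : SHA-256 signature made on the token
sign_with_engine() {
    OPENSSL_CONF="$1" openssl dgst -sha256 -engine pkcs11 -keyform engine \
        -sign "$2" -out "$4" "$3"
}

main() {
    engine_so="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
    module_so="${MODULE_SO:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"
    # Placeholder RFC 7512 URI; find the real object name with
    # "pkcs11-tool -O --login" or "p11tool --list-all-privkeys --login".
    key_uri="${KEY_URI:-pkcs11:token=mytoken;object=mykey;type=private}"
    conf="${OPENSSL_CONF_OUT:-./openssl-pkcs11.cnf}"

    write_openssl_conf "$conf" "$engine_so" "$module_so"
    if ! engine_loads "$conf"; then
        echo "pkcs11 engine did not load; check dynamic_path in $conf" >&2
        exit 1
    fi

    printf 'hello\n' > ./input.txt
    # The engine prompts for the PIN on the terminal. Appending
    # ";pin-value=123456" to the URI skips the prompt but puts the PIN in
    # the process list and shell history, so avoid it outside of tests.
    sign_with_engine "$conf" "$key_uri" ./input.txt ./input.sig
    echo "signed through engine: $(wc -c < ./input.sig) bytes"

    # Same environment for xmlsec1. How the token key is named to xmlsec1
    # is the open question in the thread, so only the engine load is shown.
    OPENSSL_CONF="$conf" xmlsec1 --version
}

# Touch the hardware only when asked for explicitly.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh pkcs11-check.sh --run` with `ENGINE_SO`, `MODULE_SO` and `KEY_URI` set for your system. If `engine_loads` fails, the problem is in the engine config and not in xmlsec1; if openssl signs but xmlsec1 cannot find the key, the remaining issue is the key lookup and PIN handling the thread is discussing.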



