[xmlsec] xmlsec1 and pkcs11

Jaromir Talir jaromir.talir at nic.cz
Wed Feb 10 01:49:23 PST 2021


Well, seems to me that the engine is loaded even without playing with
openssl.conf as you may see in the first command where it uses openssl
internal default config. 

My expectation was that providing special dedicated config file will
solve the problem of not being able to pass "-engine pkcs11 -keyform
engine" on xmlsec1 command line. Unfortunately this is not the case.

Looks like nobody ever managed to sign with pkcs11 on the xmlsec1 CLI and a
patch will be needed.

Regards,
Jaromir

On Wed, 2021-02-10 at 08:36 +0100, Dmitry Belyavsky wrote:
> Dear Jaromir,
> 
> You are correct, the argument passed in the command line is used on
> loading the key - but the engine loaded via config is already loaded
> and provides the crypto-operations.
> 
> So the necessary patch should provide the engine (name) to the
> openssl-based xmlsec function loading the key.
> 
> On Tue, Feb 9, 2021 at 10:34 PM Jaromir Talir <jaromir.talir at nic.cz>
> wrote:
> > Hi Dmitry,
> > 
> > I don't think such openssl.conf can define default "engine" as the
> > replacement for command line parameter "-engine pkcs11", see below:
> > 
> > # ------------ test regular openssl signing with token
> > $ echo "data" | openssl rsautl -engine pkcs11 -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign  -out /tmp/signature -in /dev/stdin
> > engine "pkcs11" set.
> > # ------------ define openssl.conf
> > $ cat openssl.conf
> > openssl_conf = openssl_def
> > 
> > [openssl_def]
> > engines=engine_section
> > 
> > [engine_section]
> > pkcs11 = pkcs11_section
> > 
> > [pkcs11_section]
> > engine_id = pkcs11
> > dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
> > #MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
> > MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
> > init = 1
> > default_algorithms = ALL
> > # ----------- use openssl.conf and remove commandline parameter "-engine pkcs11"
> > $ echo "data" | OPENSSL_CONF=./openssl.conf openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign  -out /tmp/signature -in /dev/stdin
> > no engine specified
> > unable to load Private Key
> > # ----------- check that openssl.conf is read by adding strace to previous call
> > $ echo "data" | OPENSSL_CONF=./openssl.conf strace openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin 2>&1 | grep openssl.conf
> > openat(AT_FDCWD, "./openssl.conf", O_RDONLY) = 3
> > read(3, "openssl_conf = openssl_def\n\n[ope"..., 4096) = 323
> > 
> > Regards,
> > Jaromir
> > 
> > On Tue, 2021-02-09 at 21:06 +0100, Dmitry Belyavsky wrote:
> > > I never used this engine, so I can't help, but maybe I'll be able to provide some patch if necessary.
> > > 
> > > I usually check if the specified config file and engine is loaded
> > > using strace. I remember that it is never loaded when openssl is
> > > linked statically. 
> > > 
> > > On Tue, 9 Feb 2021, 21:01 Jaromir Talir, <jaromir.talir at nic.cz>
> > > wrote:
> > > > I guess I tried that and failed, but I'll give it another try. There is at least the question of how to identify the key. Did you use the same approach as in nss crypto with KeyName in template?
> > > > 
> > > > Regards,
> > > > Jaromir
> > > > 
> > > > On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:
> > > > > It's rather simple to use the engine via config.
> > > > > 
> > > > > Smth like
> > > > > ======
> > > > > openssl_conf = openssl_def
> > > > > [openssl_def]
> > > > > engines = engine_section
> > > > > 
> > > > > [engine_section]
> > > > > pkcs11 = pkcs11_section
> > > > > 
> > > > > [pkcs11_section]
> > > > > engine_id = pkcs11
> > > > > dynamic_path = /path/to/engine.so
> > > > > default_algorithms = ALL
> > > > > ======
> > > > > and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to load if the library is not built statically.
> > > > > 
> > > > > Not sure it will ask the password.
> > > > > 
> > > > > 
> > > > > 
> > > > > On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > > Hi Dmitry,
> > > > > > 
> > > > > > this would be great. I was able to use openssl with 'engine pkcs11 -keyform engine -inkey "pkcs11:..."' but haven't found a way how to pass this to xmlsec1. In the xmlsec1 mailing list archives it is mentioned there may be a way to get this into openssl config but without conclusion.
> > > > > > 
> > > > > > Can you please share what was your approach?
> > > > > > 
> > > > > > Regards,
> > > > > > Jaromir 
> > > > > > 
> > > > > > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > > > > > > Hi Jaromir,
> > > > > > > 
> > > > > > > I had some experience using xmlsec-openssl with PKCS#11-capable engine and PKCS11-based keys, so I think it could be possible to do it using openssl pkcs11 engine.
> > > > > > > 
> > > > > > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > > > > Hi Aleksey,
> > > > > > > > 
> > > > > > > > I'm afraid this needs much deeper understanding of internals than I have. It's quite surprising nobody tried it in 15? years. Maybe the author of the libreoffice xmlsec client could assist in debugging where this PIN enters the API and then the CLI could be updated to follow the same path?
> > > > > > > > 
> > > > > > > > Regards,
> > > > > > > > Jaromir  
> > > > > > > > 
> > > > > > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > > > > > > Hi Jaromir,
> > > > > > > > > 
> > > > > > > > > I never tested passing password to the token from CLI. If you can debug it then I would gladly accept patches :)
> > > > > > > > > 
> > > > > > > > > Best,
> > > > > > > > > 
> > > > > > > > > Aleksey
> > > > > > > > > 
> > > > > > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > > > > > > Hi Miklos,
> > > > > > > > > > 
> > > > > > > > > > I tried LibreOffice with NSS backend and I was able to sign ODT document with the key on the token. I was asked for PIN in GUI.
> > > > > > > > > > 
> > > > > > > > > > So the question for the audience is - how to pass PIN to NSS in xmlsec1 cli?
> > > > > > > > > > 
> > > > > > > > > > The last possible problem can be in KeyName so the other question is - is the described process to guess KeyName from token correct?
> > > > > > > > > > 
> > > > > > > > > > Regards,
> > > > > > > > > > Jaromir
> > > > > > > > > > 
> > > > > > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > > > > > > Hi Jaromir,
> > > > > > > > > > > 
> > > > > > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > > > > > > > > good to hear you have succeeded. I played with nss and pkcs11 and it seems like I'm almost there but still not fully. I guess I managed to get over the task of how to find the proper keyname but xmlsec1 still cannot find the key in the token. I suspect that the problem may be in the PIN code (i.e. "123456") that needs to be entered and I'm not sure if the xmlsec1 "--pwd" parameter is used for this.
> > > > > > > > > > > 
> > > > > > > > > > > To be clear, we only use the library part of xmlsec1, it's invoked by LibreOffice. Perhaps see if your HW works with LibreOffice (try to sign e.g. an ODT file), and if so, track down how your code vs xmlsec1 cli vs LibreOffice uses the xmlsec1 library?
> > > > > > > > > > > 
> > > > > > > > > > > Seeing you're on Linux, I only tried this with the NSS backend of xmlsec1.
> > > > > > > > > > > 
> > > > > > > > > > > Regards,
> > > > > > > > > > > 
> > > > > > > > > > > Miklos
> > > > > > > > > > 
> > > > > > > > > > 
> > > > > > > > > > _______________________________________________
> > > > > > > > > > xmlsec mailing list
> > > > > > > > > > xmlsec at aleksey.com
> > > > > > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> 
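The openssl.conf engine chain that Dmitry and Jaromir compare above (openssl_conf -> engines -> engine section) can be checked offline before a token is even plugged in. The following is an added example, not code from the xmlsec project or from anyone in the thread: it resolves that chain the way OpenSSL 1.1's config loader walks it, lists the engines the file would register, and flags the settings that differ between the two configs posted (init = 1 and MODULE_PATH are present in Jaromir's, absent in Dmitry's). It also models the thread's observation that "-keyform engine" without "-engine" makes the openssl CLI print "no engine specified" even when the config has loaded the engine. The two sample configs are copied from the thread; the issue list, the path checks and the missing_engine_flag helper are my own assumptions about what is worth validating.

```python
# Added example: resolve which engines an OpenSSL 1.1 config file would load.
# Not part of xmlsec or of the thread; section names come from the posted configs,
# the checks below are assumptions about what an operator wants to validate.
import configparser
import os

# Constructed sample: Jaromir's openssl.conf from the thread (verbatim).
SAMPLE_CONF = """\
openssl_conf = openssl_def

[openssl_def]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
#MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 1
default_algorithms = ALL
"""

# Constructed sample: Dmitry's shorter config, which has no init and no MODULE_PATH.
SAMPLE_CONF_NO_INIT = """\
openssl_conf = openssl_def
[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /path/to/engine.so
default_algorithms = ALL
"""


def parse_openssl_conf(text):
    """Parse OpenSSL's INI-like syntax. Keys before the first [section] belong
    to the unnamed default section, so a synthetic one is prepended."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep MODULE_PATH and friends case-sensitive
    cp.read_string("[default]\n" + text)
    return cp


def resolve_engines(text):
    """Follow openssl_conf -> engines -> per-engine section and return one dict
    per engine the config asks OpenSSL to register."""
    cp = parse_openssl_conf(text)
    app = cp["default"].get("openssl_conf")
    if not app or not cp.has_section(app):
        return []
    engines_section = cp[app].get("engines")
    if not engines_section or not cp.has_section(engines_section):
        return []
    engines = []
    for name, section in cp[engines_section].items():
        body = cp[section] if cp.has_section(section) else {}
        engines.append({
            "name": name,
            "id": body.get("engine_id", name),
            "dynamic_path": body.get("dynamic_path"),
            "module_path": body.get("MODULE_PATH"),
            "init": body.get("init", "0") == "1",
            "default_algorithms": body.get("default_algorithms"),
        })
    return engines


def engine_issues(engine, check_paths=False):
    """Describe settings that make the engine entry incomplete. Filesystem checks
    are opt-in so this runs on a machine without the engine installed."""
    issues = []
    if not engine["dynamic_path"]:
        issues.append("no dynamic_path: nothing for OpenSSL to dlopen")
    elif check_paths and not os.path.exists(engine["dynamic_path"]):
        issues.append("dynamic_path does not exist: " + engine["dynamic_path"])
    if not engine["init"]:
        issues.append("init = 1 not set (the fuller config in the thread sets it)")
    if engine["id"] == "pkcs11" and not engine["module_path"]:
        issues.append("MODULE_PATH not set: no PKCS#11 module chosen explicitly")
    return issues


def missing_engine_flag(argv):
    """True when '-keyform engine' is requested without '-engine <id>': the
    combination that produced 'no engine specified' in the thread, because the
    key-loading code needs the engine name even if the config already loaded it."""
    keyform_engine = any(argv[i] == "-keyform" and argv[i + 1] == "engine"
                         for i in range(len(argv) - 1))
    return keyform_engine and "-engine" not in argv


if __name__ == "__main__":
    for label, conf in (("jaromir", SAMPLE_CONF), ("dmitry", SAMPLE_CONF_NO_INIT)):
        for eng in resolve_engines(conf):
            print(label, eng["id"], eng["dynamic_path"], engine_issues(eng) or "ok")
```

Run it as-is to compare the two configs, or pass check_paths=True on the host that has the engine and PKCS#11 module installed to confirm that dynamic_path actually resolves to a file. The resolver intentionally does nothing with key URIs, so a pin-value embedded in a "pkcs11:" URI on the command line is never read or echoed by it.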




More information about the xmlsec mailing list