[xmlsec] xmlsec1 and pkcs11

Jaromir Talir jaromir.talir at nic.cz
Wed Feb 17 05:26:08 PST 2021


Miklos,

did I understand correctly that you wrote the LibreOffice signer using
the xmlsec1 libraries? Or are you just using it? If you are the author,
are you able to trace where in the xmlsec1 API the PIN is passed to the
crypto engine (NSS)?

Regards,
Jaromir

On Tue, 2021-02-09 at 20:27 +0100, Jaromir Talir wrote:
> There is at least one big "client" for the CLI, which is pysaml2:
> https://github.com/IdentityPython/pysaml2/blob/master/docs/howto/config.rst#xmlsec-binary
> A simple way to add a PIN would allow using pysaml2 and HW tokens
> easily.
> 
> At least it seems to me that if someone managed to call this outside
> the CLI, it is promising that a CLI version is not impossible.
> 
> Regards,
> Jaromir
> 
> On Tue, 2021-02-09 at 11:11 -0800, Aleksey Sanin wrote:
> > All use cases known to me for reading keys from a token do not use
> > the CLI :)
> > 
> > Aleksey
> > 
> > On 2/9/21 10:59 AM, Jaromir Talir wrote:
> > > Hi Aleksey,
> > > 
> > > I'm afraid this needs a much deeper understanding of the internals
> > > than I have. It's quite surprising nobody tried it in 15? years.
> > > Maybe the author of the LibreOffice xmlsec client could assist in
> > > debugging where this PIN enters the API, and then the CLI could be
> > > updated to follow the same path?
> > > 
> > > Regards,
> > > Jaromir
> > > 
> > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > Hi Jaromir,
> > > > 
> > > > I never tested passing a password to the token from the CLI. If
> > > > you can debug it then I would gladly accept patches :)
> > > > 
> > > > Best,
> > > > 
> > > > Aleksey
> > > > 
> > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > Hi Miklos,
> > > > > 
> > > > > I tried LibreOffice with the NSS backend and I was able to sign
> > > > > an ODT document with the key on the token. I was asked for the
> > > > > PIN in the GUI.
> > > > > 
> > > > > So the question for the audience is: how to pass the PIN to NSS
> > > > > in the xmlsec1 CLI?
> > > > > 
> > > > > The last possible problem can be in KeyName, so the other
> > > > > question is: is the described process to guess the KeyName from
> > > > > the token correct?
> > > > > 
> > > > > Regards,
> > > > > Jaromir
> > > > > 
> > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > Hi Jaromir,
> > > > > > 
> > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > > <jaromir.talir at nic.cz> wrote:
> > > > > > > good to hear you have succeeded. I played with NSS and
> > > > > > > PKCS#11 and it seems like I'm almost there, but still not
> > > > > > > fully. I guess I managed to get over the task of how to find
> > > > > > > the proper keyname, but xmlsec1 still cannot find the key in
> > > > > > > the token. I suspect that the problem may be in the PIN code
> > > > > > > (i.e. "123456") that needs to be entered, and I'm not sure
> > > > > > > if the xmlsec1 "--pwd" parameter is used for this.
> > > > > > 
> > > > > > To be clear, we only use the library part of xmlsec1; it's
> > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track
> > > > > > down how your code vs. the xmlsec1 CLI vs. LibreOffice uses
> > > > > > the xmlsec1 library?
> > > > > > 
> > > > > > Seeing you're on Linux, I only tried this with the NSS backend
> > > > > > of xmlsec1.
> > > > > > 
> > > > > > Regards,
> > > > > > 
> > > > > > Miklos
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > xmlsec mailing list
> > > > > xmlsec at aleksey.com
> > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > > 
> > > 
> > > 
> 
> 



