[xmlsec] xmlsec1 and pkcs11

Miklos Vajna vmiklos at vmiklos.hu
Wed Feb 17 13:45:12 PST 2021

Hi Jaromir,

On Wed, Feb 17, 2021 at 02:26:08PM +0100, Jaromir Talir <jaromir.talir at nic.cz> wrote:
> did I understand correctly, that you wrote libreoffice signer using
> xmlsec1 libraries? Or you are just using it?

Nah, openoffice was already able to sign ODF files using libxmlsec, but
I did a considerable amount of maintenance after the libreoffice fork in
this area (most importantly porting to mscng on Windows, which resulted
in libxmlsec's mscng backend as well).

> If you are the author, are
> you able to trace where in the xmlsec1 API PIN is passed to crypto
> engine (nss)?

It doesn't work like this. We take signing keys from the NSS store (e.g.
mozilla firefox profile), that already includes pkcs#11 tokens. And then
once we sign it (call xmlSecDSigCtxSign()), then NSS invokes the pkcs#11
driver which takes care of asking for the PIN interactively, on the
graphical user interface. So my understanding is that at least
libreoffice and libxmlsec has no code to open a graphical popup to ask
for a PIN, the driver does this. (At least with the pkcs#11 HW I have at

I understand that asking for the PIN in a cmdline app also makes sense,
but I have no experience there.



More information about the xmlsec mailing list