[xmlsec] OpenSSL engine patch

LS leonardo.secci at unirel.com
Wed Sep 22 17:06:52 UTC 2021

Dear xmlsec community,

I'd like to share with you a patch I developed to allow usage of an OpenSSL's engine in xmlsec.

The usage with command line is simple, I added the option --privkey-openssl-engine to supply the engine's name and the key specs.

 --privkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>,[,<crtfile>[,<cafile>[...]]] 
       load private key by OpenSSL ENGINE interface; specify the name of engine
       (like with -engine params), the key specs (like with -inkey or -key params) 
       and certificates that verify this key

At moment I tested only pkcs11 engine with SoftHSM2 but I'd like that all of you interested in using HSM or smartcard with xmlsec make a test .

To setup a token with SoftHSM run:
  softhsm2-util --init-token --free --label "XmlsecToken" --pin password --so-pin password

To create a key pair in token run:
  pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 1000 --label XmlsecKey --pin password

To generate a certificate run:
  openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform engine -key "pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password" -out Xmlsec.pem

To sign an xml with a patched xmlsec run:
  xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey" "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem" sample.xml

Best regards

Leonardo Secci
mailto:leonardo.secci at unirel.com

UniRel s.r.l.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20210922/add7cf32/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xmlsec1-1.2.32-openssl-engine.diff.gz
Type: application/gzip
Size: 3041 bytes
Desc: not available
URL: <http://www.aleksey.com/pipermail/xmlsec/attachments/20210922/add7cf32/attachment.gz>

More information about the xmlsec mailing list