<div dir="ltr">Dear Jaromir,<div><br></div><div>You are correct, the argument passed in the command line is used on loading the key - but the engine loaded via config is already loaded and provides the crypto-operations.</div><div><br></div><div>So the necessary patch should provide the engine (name) to the openssl-based xmlsec function loading the key.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 9, 2021 at 10:34 PM Jaromir Talir <<a href="mailto:jaromir.talir@nic.cz">jaromir.talir@nic.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Dmitry,<br>
<br>
I don't think such openssl.conf can define default "engine" as the<br>
replacement for command line parameter "-engine pkcs11", see below:<br>
<br>
# ------------ test regular openssl signing with token<br>
$ echo "data" | openssl rsautl -engine pkcs11 -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin <br>
engine "pkcs11" set.<br>
# ------------ define openssl.conf<br>
$ cat openssl.conf<br>
openssl_conf = openssl_def<br>
<br>
[openssl_def]<br>
engines=engine_section<br>
<br>
[engine_section]<br>
pkcs11 = pkcs11_section<br>
<br>
[pkcs11_section]<br>
engine_id = pkcs11<br>
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so<br>
#MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so<br>
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so<br>
init = 1<br>
default_algorithms = ALL<br>
# ----------- use openssl.conf and remove commandline parameter "-engine pkcs11" <br>
$ echo "data" | OPENSSL_CONF=./openssl.conf openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin <br>
no engine specified<br>
unable to load Private Key<br>
# ----------- check that openssl.conf is read by adding strace to previous call<br>
$ echo "data" | OPENSSL_CONF=./openssl.conf strace openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin 2>&1 | grep openssl.conf<br>
openat(AT_FDCWD, "./openssl.conf", O_RDONLY) = 3<br>
read(3, "openssl_conf = openssl_def\n\n[ope"..., 4096) = 323<br>
<br>
Regards,<br>
Jaromir<br>
<br>
On Tue, 2021-02-09 at 21:06 +0100, Dmitry Belyavsky wrote:<br>
> I never used this engine, so I can't help, but maybe I'll be able to<br>
> provide some patch if necessary. <br>
> <br>
> I usually check if the specified config file and engine is loaded<br>
> using strace. I remember that it is never loaded when openssl is<br>
> linked statically. <br>
> <br>
> On Tue, 9 Feb 2021, 21:01 Jaromir Talir, <<a href="mailto:jaromir.talir@nic.cz" target="_blank">jaromir.talir@nic.cz</a>><br>
> wrote:<br>
> > I guess I tried that and failed, but I'll give it another try.<br>
> > There is<br>
> > at least question how to identify key. Did you use the same<br>
> > approach as<br>
> > in nss crypto with KeyName in template?<br>
> > <br>
> > Regards,<br>
> > Jaromir<br>
> > <br>
> > On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:<br>
> > > It's rather simple to use the engine via config.<br>
> > > <br>
> > > Smth like<br>
> > > ======<br>
> > > openssl_conf = openssl_def<br>
> > > [openssl_def]<br>
> > > engines = engine_section<br>
> > > <br>
> > > [engine_section]<br>
> > > pkcs11 = pkcs11_section<br>
> > > <br>
> > > [pkcs11_section]<br>
> > > engine_id = pkcs11<br>
> > > dynamic_path = /path/to/engine.so<br>
> > > default_algorithms = ALL<br>
> > > ======<br>
> > > and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine<br>
> > to<br>
> > > load if the library is not built statically.<br>
> > > <br>
> > > Not sure it will ask the password.<br>
> > > <br>
> > > <br>
> > > <br>
> > > On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir<br>
> > <<a href="mailto:jaromir.talir@nic.cz" target="_blank">jaromir.talir@nic.cz</a>><br>
> > > wrote:<br>
> > > > Hi Dmitry,<br>
> > > > <br>
> > > > this would be great. I was able to use openssl with 'engine<br>
> > pkcs11<br>
> > > > -<br>
> > > > keyform engine -inkey "pkcs11:..."' but haven't found a way<br>
> > how to<br>
> > > > pass this to xmlsec1. In the xmlsec1 mailing list archives it<br>
> > is<br>
> > > > mentioned there may be a way to get this into openssl config<br>
> > but<br>
> > > > without conclusion. <br>
> > > > <br>
> > > > Can you please share what was your approach?<br>
> > > > <br>
> > > > Regards,<br>
> > > > Jaromir <br>
> > > > <br>
> > > > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:<br>
> > > > > Hi Jaromir,<br>
> > > > > <br>
> > > > > I had some experience using xmlsec-openssl with PKCS#11-<br>
> > capable<br>
> > > > > engine and PKCS11-based keys, so I think it could be possible<br>
> > to<br>
> > > > do<br>
> > > > > it using openssl pkcs11 engine.<br>
> > > > > <br>
> > > > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir<br>
> > > > <<a href="mailto:jaromir.talir@nic.cz" target="_blank">jaromir.talir@nic.cz</a>><br>
> > > > > wrote:<br>
> > > > > > Hi Aleksey,<br>
> > > > > > <br>
> > > > > > I'm afraid this needs much deeper understanding of<br>
> > internals<br>
> > > > than I<br>
> > > > > > have. It's quite surprising nobody tried it in 15? years.<br>
> > Maybe<br>
> > > > > > author<br>
> > > > > > of libreoffice xmlsec client could assist in debugging<br>
> > where<br>
> > > > this<br>
> > > > > > PIN<br>
> > > > > > enters the API and then CLI could be updated to follow the<br>
> > same<br>
> > > > > > path?<br>
> > > > > > <br>
> > > > > > Regards,<br>
> > > > > > Jaromir <br>
> > > > > > <br>
> > > > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:<br>
> > > > > > > Hi Jaromir,<br>
> > > > > > > <br>
> > > > > > > I never tested passing password to the token from CLI. If<br>
> > you<br>
> > > > can<br>
> > > > > > > debug it then I would gladly accept patches :)<br>
> > > > > > > <br>
> > > > > > > Best,<br>
> > > > > > > <br>
> > > > > > > Aleksey<br>
> > > > > > > <br>
> > > > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:<br>
> > > > > > > > Hi Miklos,<br>
> > > > > > > > <br>
> > > > > > > > I tried LibreOffice with NSS backend and I was able to<br>
> > sign<br>
> > > > ODT<br>
> > > > > > > > document with the key on the token. I was asked for PIN<br>
> > in<br>
> > > > GUI.<br>
> > > > > > > > <br>
> > > > > > > > So the question for the audience is - how to pass PIN<br>
> > to<br>
> > > > NSS in<br>
> > > > > > > > xmlsec1<br>
> > > > > > > > cli?<br>
> > > > > > > > <br>
> > > > > > > > The last possible problem can be in KeyName so the<br>
> > other<br>
> > > > > > question<br>
> > > > > > > > is -<br>
> > > > > > > > is the described process to guess KeyName from token<br>
> > > > correct?<br>
> > > > > > > > <br>
> > > > > > > > Regards,<br>
> > > > > > > > Jaromir<br>
> > > > > > > > <br>
> > > > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:<br>
> > > > > > > > > Hi Jaromir,<br>
> > > > > > > > > <br>
> > > > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir<br>
> > Talir<br>
> > > > > > > > > <<a href="mailto:jaromir.talir@nic.cz" target="_blank">jaromir.talir@nic.cz</a>> wrote:<br>
> > > > > > > > > > good to hear you have succeeded. I played with nss<br>
> > and<br>
> > > > > > pkcs11<br>
> > > > > > > > > > and<br>
> > > > > > > > > > seems<br>
> > > > > > > > > > like I'm almost there but still not fully. I guess<br>
> > I<br>
> > > > > > managed to<br>
> > > > > > > > > > get<br>
> > > > > > > > > > over task how to find proper keyname but xmlsec1<br>
> > still<br>
> > > > > > cannot<br>
> > > > > > > > > > find<br>
> > > > > > > > > > the<br>
> > > > > > > > > > key in the token. I suspect that problem may be in<br>
> > PIN<br>
> > > > code<br>
> > > > > > > > > > (i.e<br>
> > > > > > > > > > "123456") that needs to be entered and I'm not sure<br>
> > if<br>
> > > > > > xmlsec1<br>
> > > > > > > > > > "--<br>
> > > > > > > > > > pwd"<br>
> > > > > > > > > > parameter is used for this.<br>
> > > > > > > > > <br>
> > > > > > > > > To be clear, we only use the library part of xmlsec1,<br>
> > > > it's<br>
> > > > > > > > > invoked by<br>
> > > > > > > > > LibreOffice. Perhaps see if your HW works with<br>
> > > > LibreOffice<br>
> > > > > > (try<br>
> > > > > > > > > to<br>
> > > > > > > > > sign<br>
> > > > > > > > > e.g. an ODT file), and if so, track down how your<br>
> > code vs<br>
> > > > > > xmlsec1<br>
> > > > > > > > > cli<br>
> > > > > > > > > vs<br>
> > > > > > > > > LibreOffice uses the xmlsec1 library?<br>
> > > > > > > > > <br>
> > > > > > > > > Seeing you're on Linux, I only tried this with the<br>
> > NSS<br>
> > > > > > backend of<br>
> > > > > > > > > xmlsec1.<br>
> > > > > > > > > <br>
> > > > > > > > > Regards,<br>
> > > > > > > > > <br>
> > > > > > > > > Miklos<br>
> > > > > > > > <br>
> > > > > > > > <br>
> > > > > > > > _______________________________________________<br>
> > > > > > > > xmlsec mailing list<br>
> > > > > > > > <a href="mailto:xmlsec@aleksey.com" target="_blank">xmlsec@aleksey.com</a><br>
> > > > > > > > <a href="http://www.aleksey.com/mailman/listinfo/xmlsec" rel="noreferrer" target="_blank">http://www.aleksey.com/mailman/listinfo/xmlsec</a><br>
> > > > > > > > <br>
> > > > > > <br>
> > > > > > <br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">SY, Dmitry Belyavsky</div>
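The failing experiment quoted above (engine registered through OPENSSL_CONF, yet `-keyform engine` without `-engine pkcs11` gives "no engine specified") turns on how OpenSSL's config module chains sections: the unnamed top section names an application section, that names an engine list, and each list entry names the section with `engine_id`, `dynamic_path` and friends. The following Python is an added example, not code from this thread, from xmlsec or from OpenSSL. It walks that chain for a constructed config (copied from the one in the message; the `.so` paths are assumptions) and, where an `openssl` binary exists, runs `openssl engine -t -c <id>` under OPENSSL_CONF to confirm the engine really loads. The parser is deliberately minimal: OpenSSL's real syntax also supports `$variable` expansion, `.include` and quoted values, which it does not handle.

```python
"""Added example: resolve the engine sections of an OpenSSL config file.

Not code from the thread, xmlsec or OpenSSL.  The sample config is constructed
from the one quoted in the thread; the real config syntax also supports
$variables, .include and quoted values, which this minimal parser ignores.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed sample; the .so paths are assumptions copied from the quoted message.
SAMPLE_CONF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
#MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 1
default_algorithms = ALL
"""


def parse_openssl_conf(text):
    """Return {section: {key: value}}; keys before any [section] go to 'default'."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = value
    return sections


def registered_engines(sections):
    """Follow openssl_conf -> engines -> one section per engine, the way
    OpenSSL's config module chains them.  Returns {entry name: settings};
    engine_id falls back to the entry name when the section does not set it."""
    app = sections["default"].get("openssl_conf")
    engines_section = sections.get(app, {}).get("engines") if app else None
    if engines_section is None:
        return {}
    result = {}
    for name, section_name in sections.get(engines_section, {}).items():
        settings = dict(sections.get(section_name, {}))
        settings.setdefault("engine_id", name)
        result[name] = settings
    return result


def engine_check_command(engines, name):
    """The openssl invocation that tests whether the config really loads the engine."""
    if name not in engines:
        raise KeyError(f"config registers no engine named {name!r}")
    return ["openssl", "engine", "-t", "-c", engines[name]["engine_id"]]


def run_engine_check(conf_text, name):
    """Run the check with OPENSSL_CONF pointing at the config.  Returns True if
    openssl reports the engine as available, False if not, and None when no
    openssl binary is installed (so the call is harmless on a build box)."""
    engines = registered_engines(parse_openssl_conf(conf_text))
    cmd = engine_check_command(engines, name)
    if shutil.which("openssl") is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".cnf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(conf_text)
        proc = subprocess.run(cmd, env={**os.environ, "OPENSSL_CONF": path},
                              capture_output=True, text=True)
    finally:
        os.unlink(path)
    return proc.returncode == 0 and "[ available ]" in proc.stdout


if __name__ == "__main__":
    engines = registered_engines(parse_openssl_conf(SAMPLE_CONF))
    for name, settings in engines.items():
        print(f"{name}: engine_id={settings['engine_id']} "
              f"dynamic_path={settings.get('dynamic_path')}")
    print("engine check:", run_engine_check(SAMPLE_CONF, "pkcs11"))
```

Note what the check does and does not prove: a green result from `openssl engine -t` means the config registered and initialised the engine, which is exactly the state the thread reaches. It does not make that engine the one used for `-keyform engine`; the quoted run shows `rsautl` still answers "no engine specified" until `-engine <engine_id>` names it, and the same gap is what the xmlsec patch discussed above has to close by handing the engine name to the key-loading function.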