<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Dear xmlsec community,</p>
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">I'd like to share with you a patch I developed to allow the use of an OpenSSL engine in xmlsec.</p>
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Usage from the command line is simple: I added the option --privkey-openssl-engine to supply the engine's name and the key specs.</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"><br /> --privkey-openssl-engine[:&lt;name&gt;] &lt;openssl-engine&gt;;&lt;openssl-key-id&gt;[,&lt;crtfile&gt;[,&lt;cafile&gt;[...]]] <br /> load private key by OpenSSL ENGINE interface; specify the name of the engine</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"> (like with -engine params), the key specs (like with -inkey or -key params) <br /> and certificates that verify this key</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">At the moment I have tested only the pkcs11 engine with SoftHSM2, but I'd like all of you interested in using an HSM or smartcard with xmlsec to test it.</p>
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">To setup a token with SoftHSM run:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"> softhsm2-util --init-token --free --label "XmlsecToken" --pin password --so-pin password<br /></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">To create a key pair in the token run:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"> pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 1000 --label XmlsecKey --pin password<br /></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">To generate a certificate run:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"> openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform engine -key "pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password" -out Xmlsec.pem<br /></p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">To sign an XML file with a patched xmlsec run:</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;"> xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey" "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem" sample.xml</p>
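<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">As an added illustration (not part of the patch or of xmlsec), the following Python reads the option's argument format described above, <code>&lt;openssl-engine&gt;;&lt;openssl-key-id&gt;[,&lt;crtfile&gt;[,&lt;cafile&gt;[...]]]</code>, on the sign command's own value: the engine name ends at the first semicolon only, because a PKCS#11 URI key id contains semicolons itself, and a helper masks the pin-value attribute so the key id can be logged without leaking the PIN that otherwise sits in the process argument list. The function and type names are my own.</p>

```python
"""Parse the argument of the proposed --privkey-openssl-engine option (example code)."""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class EngineKeySpec:
    engine: str                                      # OpenSSL ENGINE name, e.g. "pkcs11"
    key_id: str                                      # engine-specific key id, e.g. a PKCS#11 URI
    certs: List[str] = field(default_factory=list)   # crtfile, then any cafile entries


def parse_engine_key_arg(arg: str) -> EngineKeySpec:
    """Split "<engine>;<key-id>[,<crtfile>[,<cafile>...]]" into its parts."""
    # Only the FIRST ';' separates the engine from the key id: a PKCS#11 URI
    # such as "pkcs11:token=T;object=K;pin-value=..." uses ';' internally.
    engine, sep, rest = arg.partition(";")
    if not sep or not engine or not rest:
        raise ValueError("expected <openssl-engine>;<openssl-key-id>[,<crtfile>...]")
    # Certificates follow the key id, separated by ','.
    key_id, *certs = rest.split(",")
    if not key_id:
        raise ValueError("empty key id")
    if any(c == "" for c in certs):
        raise ValueError("empty certificate file name in list")
    return EngineKeySpec(engine=engine, key_id=key_id, certs=certs)


def redact_pin(key_id: str) -> str:
    """Mask the pin-value attribute of a PKCS#11 URI before logging it."""
    return re.sub(r"(pin-value=)[^;]*", r"\1<redacted>", key_id)


if __name__ == "__main__":
    # Constructed sample: the argument used in the xmlsec1 --sign example above.
    sample = "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem"
    spec = parse_engine_key_arg(sample)
    print("engine:", spec.engine)
    print("key id:", redact_pin(spec.key_id))
    print("certs :", spec.certs)
```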
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Best regards</p>
<br /><br /><br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">-- </p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">--------------------------------------------------------------------------</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">Leonardo Secci</p>
<p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">mailto:leonardo.secci@unirel.com</p>
<br /><p style="margin-top:0;margin-bottom:0;margin-left:0;margin-right:0;">UniRel s.r.l.</p>
<br /></body>
</html>