[xmlsec] Microsoft CAPI support with hardware token

Edward Shallow ed.shallow at rogers.com
Sat Sep 11 10:30:44 PDT 2004


Hi,

   Yes I have successfully used an Aladdin eToken Pro in a Windows XP
environment with XMLsec 1.2.1 using the command line and template below.

Key points:

1) use --crypto mscrypto
2) point xmlsec at your token using dsig:KeyName in the template
3) make sure your keys were generated on the token and the returned
certificate is bound to those token-resident keys
4) if you can't get the key/cert working in other Windows applications, then
it won't work with XMLsec either
5) xmlsec (with --mscrypto) is just using CAPI with appropriate CSP as
dictated by particular cert you choose
6) xmlsec (with --mscrypto) really doesn't even know its using the token,
that is standard CAPI/CSP functionality support

Cheers,
Ed

P.S. Good job Aleksey and Wouter ;)

 

xmlsec sign --crypto mscrypto --output inout/edsigned3-enveloped.xml
tmpl/tmpl-EPM-signtoken-enveloped.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed
Shallow June 27, 2003
-->
<Document>
	<Data>
		<SubData1>
			<SubSubData1 MimeType="text/plain">This is the data
to be signed.</SubSubData1>
			<SubSubData2 MimeType="text/plain">This is the data
to be signed.</SubSubData2>
			<SubSubData3 MimeType="text/plain">This is the data
to be signed.</SubSubData3>
		</SubData1>
		<SubData2>This is the data to be signed.</SubData2>
		<SubData3>This is the data to be signed.</SubData3>
	</Data>
	<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
		<dsig:SignedInfo>
			<dsig:CanonicalizationMethod
Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
			<dsig:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
				<dsig:Reference URI="">
					<dsig:Transforms>
						<dsig:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
					</dsig:Transforms>
					<dsig:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
	
<dsig:DigestValue></dsig:DigestValue>
				</dsig:Reference>
		</dsig:SignedInfo>
		<dsig:SignatureValue>
		</dsig:SignatureValue>
		<dsig:KeyInfo>
			<dsig:KeyName>CN=Thawte Freemail Member,
E=edissecure at yahoo.ca</dsig:KeyName>
			<dsig:X509Data>
	
<dsig:X509Certificate></dsig:X509Certificate>
	
<dsig:X509SubjectName></dsig:X509SubjectName>
	
<dsig:X509IssuerSerial></dsig:X509IssuerSerial>
			</dsig:X509Data>
		</dsig:KeyInfo>
	</dsig:Signature>
</Document>




More information about the xmlsec mailing list