[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 04:45:29 PDT 2005


If I did well understand the XmlSec docs, I believe that the interface 
proposed by XmlSec to perform cryptographic operations cannot be used 
with the support of smart-cards, especially when adoptig mozilla-nss 
library. In fact in the 'critical' APIs (for signing and encrypting) the 
calling program cannot specify the slot name and the token name (as 
reported by PKCS11 interface), neither a callback to a routine for the 
password (PIN) specification.

For now I'm modifying the underlying nss-layer of XmlSec (version 1.2.8) 
to check some internal environment variables specifying the slot name, 
the token name and the PIN (in a hard-coded encrypted form): if these 
variables are not present the nss-layer performs normally, otherwise it 
uses the given values to properly select and authenticate the requested 
slot/token.
Meanwhile I'm developing some extra APIs to assign the requested values 
to the internal environment variables.
But this is only a functional patch to limit the work for using smart cards.

What about an extension of the XmlSec interface with some extra APIs for 
the specification of requested slot/token and of a PIN callback routines?

For example:
- xmlSecSetSlotName,
- xmlSecSetTokenName,
- xmlSecSetPINCallback,
independent of the underlying crypto layer (i.e. valid not only for 
mozilla-nss, but for openssl engines as well).

I've read somewhere (don't remembere where, sorry) that someone was 
arguing about the use of 'best-slot'. But in real application, supported 
by a graphical interface or by a server infrastructure using HSMs (Hw 
security modules), the application has these infos from othe sources 
(the end-user or some application configs), so I believe that the XmlSec 
should perform what previously selected by the application, not doing 
some sort of 'best-selection' whose criteria are not well defined.

I excuse for my criticism, but I believe this is an important point to 
clarify.

Clizio Merli

-- 
----------------------------
Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------



More information about the xmlsec mailing list