[xmlsec] Use of smart-cards to perform cryptographic operations

Clizio Merli clizio at net4u.it
Mon May 16 10:29:58 PDT 2005


Aleksey Sanin wrote:

>
> > But looking at the way NSS handles it in the normal PKCS7 scenario,
> > SGN_End is called as the final action of a sequence which sees:
> > - first the selection of slot/token,
> > - then the verification that the token and the certificate is good for
> > signing,
> > - and finally the signature, that is actually performed by the card (in
> > fact NSS handles private-keys of PKCS11 devices - smart-cards or
> > software simulations - only as logical descriptors of keys that are
> > handled only by the devices).
>
> The slot is associated with a key. If you already have a key then
> you already have a slot. xmlsec uses "GetBestSlot" only if it reads
> key from the input (e.g. from a certificate) or for hash operations.
>
> Thus, if you want to sign something with a given key then you already
> did the first two steps in your application. xmlsec is doing the last
> step only (fo the final signature on a device and get back the result).
>
> BTW, I did not wrote the xmlsec-nss myself. It was done by one of NSS
> developers from AOL :)
>
> Aleksey
>

OK

I'll do my best (not only slot :-)).

Looking at you're example sign3.c I was wandering if the signing 
sequence could be realised by modifying the underlying NSS layer so that:
- ...
- xmlSecCryptoAppKeyLoad could actually prepare a key structure for a 
pseudo-file whose name is something like 'slot-name : token-name'
  (and here the API already provide PIN parameters);
- xmlSecCryptoAppKeyCertLoad could be used to actually select a 
certificate (ant its key) via a nickname specified with cert-file name;
- xmlSecKeySetName - as now
- xmlSecDSigCtxSign - performing the signature with the supplied infos abore
- ...

Thanks for your patience.

Clizio




-- 
----------------------------
Clizio dr. Merli

C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
Socio AIP (Associazione Informatici Professionisti)
----------------------------



More information about the xmlsec mailing list