[xmlsec] Signing xml using etoken

Ivan Barrera A. ivan.barrera at will.cl
Tue Jul 8 16:11:23 PDT 2008


Hi again.

Ive tried almost all solutions ive found on the web, and still no luck.

Maybe it cannot be done, i dont know, so ill explain a little more of
what i have :

- USB etoken (Aladdin Pro32K, using its own format)
- Library from aladdin to access de eToken
(/usr/lib//usr/lib/libeTPkcs11.so)
- a X509 Cert inside the eToken, along private and public keys (that
cannot be exported. The eToken has to sign all data itself)

Using openssl, ive been able to sign digest using :
openssl dgst -engine pkcs11  -keyform engine -sign
<id-of-the-key-inside-token> xmlfile.xml

It seems to work, as it ask to enter the etoken password and output some
raw data.

I havent been able to make xmlsec use openssl this way, so the token can
do the signing of the document.

Any ideas ?


Ivan Barrera A. escribió:
> I've been fighting the last week on trying to sign xmldocuments, using a
> cert stored on an etoken. (aladdin 32K).
> Im using the lib /usr/lib/libeTPkcs11.so provided by aladdin, and trying
> to sign the document in any way.
> 
> So far, ive tried openssl, and nss with no luck. Using openssl alone, i
> can get the system to sign smime documents using the token (  openssl
> smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem
> -keyform engine -inkey
> 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> )
> And adding the etoken lib to nss :
> modutil -list gives
>   2. eToken
>         library name: /usr/lib/libeTPkcs11.so
>          slots: 17 slots attached
>         status: loaded
> 
>          slot: AKS ifdh 00 00
>         token: eToken
> 
> 
> 
> However, when i try to sign anything using xmlsec1, i only get
> 
> # xmlsec1 --sign --crypto nss   --output a.xml test4.xml
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
> library function failed: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
> is not found: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
> library function failed: ;last nss error=0 (0x00000000)
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
> library function failed: ;last nss error=0 (0x00000000)
> Error: signature failed
> Error: failed to sign file "test4.xml"
> 
> 
> 
> Ive tried using keyname, keyvalue, keys.xml file. Nothing worked.  Most
> probably, im doing something wrong.
> Someone has done , or know how can i achieve this ?
> 
> BTW, Running on fedora core 9, using latest openct/pcscd/xmlsec.
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 




More information about the xmlsec mailing list