[xmlsec] Signing xml using etoken

Aleksey Sanin aleksey at aleksey.com
Tue Jul 8 17:21:02 PDT 2008


I think that you need to figure out how does "-engine" option
is handled for openssl command line tool. Then you will need
to do similar openssl initialization in xmlsec.

Aleksey

Ivan Barrera A. wrote:
> Hi again.
> 
> Ive tried almost all solutions ive found on the web, and still no luck.
> 
> Maybe it cannot be done, i dont know, so ill explain a little more of
> what i have :
> 
> - USB etoken (Aladdin Pro32K, using its own format)
> - Library from aladdin to access de eToken
> (/usr/lib//usr/lib/libeTPkcs11.so)
> - a X509 Cert inside the eToken, along private and public keys (that
> cannot be exported. The eToken has to sign all data itself)
> 
> Using openssl, ive been able to sign digest using :
> openssl dgst -engine pkcs11  -keyform engine -sign
> <id-of-the-key-inside-token> xmlfile.xml
> 
> It seems to work, as it ask to enter the etoken password and output some
> raw data.
> 
> I havent been able to make xmlsec use openssl this way, so the token can
> do the signing of the document.
> 
> Any ideas ?
> 
> 
> Ivan Barrera A. escribió:
>> I've been fighting the last week on trying to sign xmldocuments, using a
>> cert stored on an etoken. (aladdin 32K).
>> Im using the lib /usr/lib/libeTPkcs11.so provided by aladdin, and trying
>> to sign the document in any way.
>>
>> So far, ive tried openssl, and nss with no luck. Using openssl alone, i
>> can get the system to sign smime documents using the token (  openssl
>> smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem
>> -keyform engine -inkey
>> 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>> )
>> And adding the etoken lib to nss :
>> modutil -list gives
>>   2. eToken
>>         library name: /usr/lib/libeTPkcs11.so
>>          slots: 17 slots attached
>>         status: loaded
>>
>>          slot: AKS ifdh 00 00
>>         token: eToken
>>
>>
>>
>> However, when i try to sign anything using xmlsec1, i only get
>>
>> # xmlsec1 --sign --crypto nss   --output a.xml test4.xml
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec
>> library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
>> is not found: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>> library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec
>> library function failed: ;last nss error=0 (0x00000000)
>> Error: signature failed
>> Error: failed to sign file "test4.xml"
>>
>>
>>
>> Ive tried using keyname, keyvalue, keys.xml file. Nothing worked.  Most
>> probably, im doing something wrong.
>> Someone has done , or know how can i achieve this ?
>>
>> BTW, Running on fedora core 9, using latest openct/pcscd/xmlsec.
>>
>> _______________________________________________
>> xmlsec mailing list
>> xmlsec at aleksey.com
>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec



More information about the xmlsec mailing list