[xmlsec] PKCS11 - Key not found
Pablo Gabriel Gallardo
pggllrd at gmail.com
Tue Nov 8 17:05:22 PST 2016
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
this error:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008 had
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
static xmlSecKeyPtr load_key(const char *pwd) {
    xmlSecKeyPtr key = NULL;
    xmlSecKeyDataPtr data;
    EVP_PKEY *pKey = NULL;
    int ret;

    /* EVP_PKEY handle for the private key on the smart card (via libp11) */
    pKey = get_private_key(pwd);
    if(pKey == NULL)
        return NULL;

    /* wrap the EVP_PKEY in xmlsec key data; on success xmlsec owns pKey,
     * on failure we still have to free it ourselves */
    data = xmlSecOpenSSLEvpKeyAdopt(pKey);
    if(data == NULL) {
        EVP_PKEY_free(pKey);
        return NULL;
    }

    key = xmlSecKeyCreate();
    if(key == NULL) {
        xmlSecKeyDataDestroy(data);
        return NULL;
    }

    /* attach the key data to the key; on failure both are still ours to destroy */
    ret = xmlSecKeySetValue(key, data);
    if(ret < 0) {
        xmlSecKeyDestroy(key);
        xmlSecKeyDataDestroy(data);
        return NULL;
    }
    return key;
}

int sign_file(const char* xml_file, char *password) {
    .....
    /* load private key */
    dsigCtx->signKey = load_key(password);
    if(dsigCtx->signKey == NULL) {
        fprintf(stderr, "Error: failed to load private key from smartcard\n");
        goto done;
    }

    /* load certificate and add to the key
    if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
        fprintf(stderr, "Error: failed to load pem certificate \"%s\"\n", cert_file);
        goto done;
    }*/

    /* set key name to the file name, this is just an example!
    if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
        fprintf(stderr, "Error: failed to set key name for key from \"%s\"\n", key_file);
        goto done;
    } */

    /* sign the template */
    if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
        fprintf(stderr, "Error: signature failed\n");
        goto done;
    }
    ....
}
Thank you!
Pablo G. Gallardo
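Reading the trace quoted in the post: xmlsec's default error callback prints one record per failing frame, innermost first, and the outer frames only repeat the generic code 1 ("xmlsec library function failed") while unwinding. The record to act on is therefore the first one carrying a specific code, here error 45 "key is not found" raised while the KeyInfo node was processed, and the "Error: signature failed" line is the application's own message. The parser below is an added example, not code from the post or from xmlsec; the record layout it expects is inferred from the lines quoted above, and the sample trace is constructed from those same lines (re-joined where the mail client wrapped them).

```python
"""Parse an xmlsec error trace and pick out the root-cause record."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the trace from the post, one record per line.
SAMPLE_TRACE = """\
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
"""

# Record layout as seen in the quoted output (an assumption about the default callback):
#   func=<function>:file=<file>:line=<n>:obj=<object>:subj=<subject>:error=<code>:<message>:
RECORD_RE = re.compile(
    r"^func=(?P<func>[^:]*):file=(?P<file>[^:]*):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<error>\d+):(?P<msg>.*?):?$"
)

# Code 1 means "a callee already reported the real error"; it never is the root cause.
XMLSEC_FAILED = 1


@dataclass
class Frame:
    func: str
    file: str
    line: int
    obj: str
    subj: str
    error: int
    msg: str


def parse_trace(text: str) -> List[Frame]:
    """Turn the stderr text into Frame records; non-matching lines are ignored."""
    frames = []
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if m:
            frames.append(Frame(m["func"], m["file"], int(m["line"]), m["obj"],
                                m["subj"], int(m["error"]), m["msg"]))
    return frames


def root_cause(frames: List[Frame]) -> Optional[Frame]:
    """Innermost record with a specific error code, i.e. the one to investigate."""
    for f in frames:
        if f.error != XMLSEC_FAILED:
            return f
    return frames[0] if frames else None


def call_chain(frames: List[Frame]) -> List[str]:
    """Function names from the outermost caller down to the failing frame."""
    return [f.func for f in reversed(frames)]


if __name__ == "__main__":
    frames = parse_trace(SAMPLE_TRACE)
    cause = root_cause(frames)
    print(" -> ".join(call_chain(frames)))
    print(f"root cause: {cause.func} ({cause.file}:{cause.line}) error {cause.error}: {cause.msg}")
```

Running it on the sample prints the chain xmlSecDSigCtxSign -> xmlSecDSigCtxProcessSignatureNode -> xmlSecDSigCtxProcessKeyInfoNode and reports error 45 at xmldsig.c:871 as the record worth looking at, which is where the question in the post actually lies rather than in the two propagating frames.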