[xmlsec] PKCS11 - Key not found

Aleksey Sanin aleksey at aleksey.com
Tue Nov 8 18:17:27 PST 2016


Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...

Can you try to print the key type with

xmlSecKeyGetType(key)

Basically, I suspect that it doesn't recognize the key as private
and thus can't find a proper key for the signature.

Best,

Aleksey

On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
> Hello there!
> 
> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
> this error:
> 
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
> Error: signature failed
> 
> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
> card but I'm sure that I am missing something.
> 
> Could someone please help me to see what else I should be doing to
> make this work? I've checked this mailing list and someone in 2008 had
> the same problem but he didn't mention how to solve it.
> 
> Here are the parts I've modified from sign3.c. Complete source is on
> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
> 
> static xmlSecKeyPtr load_key(const char *pwd) {
> 
>     xmlSecKeyPtr key = NULL;
>     xmlSecKeyDataPtr data;
>     EVP_PKEY *pKey = NULL;
>     int ret;
> 
>     pKey = get_private_key(pwd);
>     if(pKey == NULL)
>         return NULL;
> 
>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>     if(data == NULL) {
>         EVP_PKEY_free(pKey);
>         return NULL;
>     }
> 
>     key = xmlSecKeyCreate();
>     if(key == NULL) {
>         xmlSecKeyDataDestroy(data);
>         return NULL;
>     }
> 
>     ret = xmlSecKeySetValue(key, data);
>     if(ret < 0) {
>         xmlSecKeyDestroy(key);
>         xmlSecKeyDataDestroy(data);
>         return NULL;
>     }
>     return key;
> }
> 
> int sign_file(const char* xml_file, char *password) {
> 
> .....
> 
> 
>     /* load private key */
>     dsigCtx->signKey = load_key(password);
>     if(dsigCtx->signKey == NULL) {
>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>         goto done;
>     }
> 
>     /* load certificate and add to the key
>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file, xmlSecKeyDataFormatPem) < 0) {
>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>         goto done;
>     }*/
> 
>     /* set key name to the file name, this is just an example!
>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>         goto done;
>     } */
> 
>     /* sign the template */
>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>         fprintf(stderr,"Error: signature failed\n");
>         goto done;
>     }
> 
>     ....
> }
> 
> 
> 
> Thank you!
> 
> Pablo G. Gallardo
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
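
An added example (not code from this thread or from xmlsec itself): one way to act on the suggestion to print xmlSecKeyGetType(key) and see whether xmlsec marks the key as private. The helper names are hypothetical, and the #define fallbacks mirror the flag values in <xmlsec/keysdata.h> so the block compiles without the library installed.

```c
#include <stdio.h>
#include <string.h>

/* Fallback copies of the xmlSecKeyDataType bit flags from <xmlsec/keysdata.h>;
 * skipped when the real xmlsec headers were included before this point. */
#ifndef xmlSecKeyDataTypePrivate
#define xmlSecKeyDataTypePublic    0x0001
#define xmlSecKeyDataTypePrivate   0x0002
#define xmlSecKeyDataTypeSymmetric 0x0004
#endif

/* Hypothetical helper: render the bitmask as e.g. "public|private". */
const char *key_type_describe(unsigned int type, char *buf, size_t len) {
    static const struct { unsigned int bit; const char *name; } flags[] = {
        { xmlSecKeyDataTypePublic, "public" },
        { xmlSecKeyDataTypePrivate, "private" },
        { xmlSecKeyDataTypeSymmetric, "symmetric" },
    };
    size_t i;
    if (len == 0) return buf;
    buf[0] = '\0';
    for (i = 0; i < sizeof(flags) / sizeof(flags[0]); i++) {
        if ((type & flags[i].bit) == 0) continue;
        if (buf[0] != '\0') strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, flags[i].name, len - strlen(buf) - 1);
    }
    if (buf[0] == '\0') strncat(buf, "unknown", len - 1);
    return buf;
}

/* Hypothetical helper: log the type and return 0 only if the private bit is
 * set. In sign_file(), call it right after load_key():
 *   check_private_key_type(xmlSecKeyGetType(dsigCtx->signKey)) */
int check_private_key_type(unsigned int type) {
    char buf[64];
    fprintf(stderr, "key type: 0x%04x (%s)\n", type,
            key_type_describe(type, buf, sizeof(buf)));
    if ((type & xmlSecKeyDataTypePrivate) == 0) {
        fprintf(stderr, "Error: xmlsec does not see a private key here\n");
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample value: a key that exposes only its public half. */
    return check_private_key_type(xmlSecKeyDataTypePublic) == -1 ? 0 : 1;
}
```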

