[xmlsec] PKCS11 - Key not found

Pablo Gabriel Gallardo pggllrd at gmail.com
Thu Nov 10 17:35:29 PST 2016


Hello Aleksey,

I've used the RSA key from my smartcard but it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?

Regards,

Pablo

2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
> Hi Aleksey,
>
> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>
> I'll fix that and then I'll come back with the result.
>
> Thank you!
>
> Pablo
>
> On 9 November 2016 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>Assuming that the key type matches the requested signature type
>>in the template (i.e. RSA signatures require RSA keys)...
>>
>>Can you try to print the key type with
>>
>>xmlSecKeyGetType(key)
>>
>>Basically, I suspect that it doesn't recognize the key as private
>>thus can't find a proper key for the signature.
>>
>>Best,
>>
>>Aleksey
>>
>>On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>> Hello there!
>>>
>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>> this error:
>>>
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>> Error: signature failed
>>>
>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>> card but I'm sure that I am missing something.
>>>
>>> Could someone please help me to see what else I should be doing to
>>> make this work? I've checked this mailing list and someone in 2008 had
>>> the same problem but he didn't mention how to solve it.
>>>
>>> Here are the parts I've modified from sign3.c. Complete source is on
>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>
>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>
>>>     xmlSecKeyPtr key = NULL;
>>>     xmlSecKeyDataPtr data;
>>>     EVP_PKEY *pKey = NULL;
>>>     int ret;
>>>
>>>     pKey = get_private_key(pwd);
>>>     if(pKey == NULL)
>>>         return NULL;
>>>
>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>     if(data == NULL) {
>>>         EVP_PKEY_free(pKey);
>>>         return NULL;
>>>     }
>>>
>>>     key = xmlSecKeyCreate();
>>>     if(key == NULL) {
>>>         xmlSecKeyDataDestroy(data);
>>>         return NULL;
>>>     }
>>>
>>>     ret = xmlSecKeySetValue(key, data);
>>>     if(ret < 0) {
>>>         xmlSecKeyDestroy(key);
>>>         xmlSecKeyDataDestroy(data);
>>>         return NULL;
>>>     }
>>>     return key;
>>> }
>>>
>>> int sign_file(const char* xml_file, char *password) {
>>>
>>> .....
>>>
>>>
>>>     /* load private key */
>>>     dsigCtx->signKey = load_key(password);
>>>     if(dsigCtx->signKey == NULL) {
>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>         goto done;
>>>     }
>>>
>>>     /* load certificate and add to the key
>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
>>>                                   xmlSecKeyDataFormatPem) < 0) {
>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>         goto done;
>>>     }*/
>>>
>>>     /* set key name to the file name, this is just an example!
>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>         goto done;
>>>     } */
>>>
>>>     /* sign the template */
>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>         fprintf(stderr,"Error: signature failed\n");
>>>         goto done;
>>>     }
>>>
>>>     ....
>>> }
>>>
>>>
>>>
>>> Thank you!
>>>
>>> Pablo G. Gallardo
>>>

