[xmlsec] PKCS11 - Key not found
Aleksey Sanin
aleksey at aleksey.com
Fri Nov 11 21:46:08 PST 2016
Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
the recompiled libs instead of the default ones):
https://github.com/lsh123/xmlsec/pull/59
I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.
Aleksey
On 11/11/16 2:42 PM, Pablo Gabriel Gallardo wrote:
> Aleksey,
>
> Here you have the RSA and DSA objects from my smart card at execution time:
> RSA:
> $1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
> 0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
> = 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
> 1, flags = 6,
> _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
> bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
>
> RSA->meth:
> (gdb) p *pKey.pkey->rsa->meth
> $3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
> rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
> <pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
> <pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
> bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
> = 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
> rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
>
> RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
>
> DSA:
> (gdb) p *pKey.pkey->dsa
> $2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
> 0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
> = 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
> = {sk = 0x0, dummy = 1},
> meth = 0x6, engine = 0x0}
>
>
> I've tried to debug the sources on GitHub but I've got this error:
> func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=20;real subminor version=23
> Error: loaded xmlsec library version is not compatible.
>
> But with the information above RSA is recognized as a public key
> because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
>
> Thank you for your interest in my case. What can I do to fix this?
> Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
> public key and one for the private key)?
>
> Regards,
>
> Pablo G. Gallardo
>
> 2016-11-11 1:39 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>> Can you check what's going on in these two places?
>>
>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>>
>> Unfortunately, there is no good way to determine if a PKEY is public
>> or private. Thus we use a hack. I am curious what is going on there
>> in your case.
>>
>> Aleksey
>>
>> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>>> Hello Aleksey,
>>>
>>> I've used the RSA key from my smartcard but it is still being
>>> recognized as a public key. Is it because, as a smart card RSA key, it
>>> doesn't have the d member (because the private key never leaves the
>>> smart card)?
>>>
>>> Regards,
>>>
>>> Pablo
>>>
>>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>>>> Hi Aleksey,
>>>>
>>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why it is recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>>>
>>>> I'll fix that and then I'll come back with the result.
>>>>
>>>> Thank you!
>>>>
>>>> Pablo
>>>>
>>>> On 9 November 2016 at 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> wrote:
>>>>> Assuming that the key type matches the requested signature type
>>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>>
>>>>> Can you try to print the key type with
>>>>>
>>>>> xmlSecKeyGetType(key)
>>>>>
>>>>> Basically, I suspect that it doesn't recognize the key as private
>>>>> thus can't find a proper key for the signature.
>>>>>
>>>>> Best,
>>>>>
>>>>> Aleksey
>>>>>
>>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>>> Hello there!
>>>>>>
>>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>>> this error:
>>>>>>
>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>>> Error: signature failed
>>>>>>
>>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>>> card but I'm sure that I am missing something.
>>>>>>
>>>>>> Could someone please help me to see what else I should be doing to
>>>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>>>> the same problem but he didn't mention how to solve it.
>>>>>>
>>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>>
>>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>>     xmlSecKeyPtr key = NULL;
>>>>>>     xmlSecKeyDataPtr data;
>>>>>>     EVP_PKEY *pKey = NULL;
>>>>>>     int ret;
>>>>>>
>>>>>>     /* EVP_PKEY backed by the smart card (libp11 engine) */
>>>>>>     pKey = get_private_key(pwd);
>>>>>>     if(pKey == NULL)
>>>>>>         return NULL;
>>>>>>
>>>>>>     /* on success xmlsec owns pKey; on failure we still have to free it */
>>>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>>     if(data == NULL) {
>>>>>>         EVP_PKEY_free(pKey);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>
>>>>>>     key = xmlSecKeyCreate();
>>>>>>     if(key == NULL) {
>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>
>>>>>>     ret = xmlSecKeySetValue(key, data);
>>>>>>     if(ret < 0) {
>>>>>>         xmlSecKeyDestroy(key);
>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>         return NULL;
>>>>>>     }
>>>>>>     return key;
>>>>>> }
>>>>>>
>>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>>
>>>>>>     .....
>>>>>>
>>>>>>     /* load private key */
>>>>>>     dsigCtx->signKey = load_key(password);
>>>>>>     if(dsigCtx->signKey == NULL) {
>>>>>>         fprintf(stderr, "Error: failed to load private key from smartcard\n");
>>>>>>         goto done;
>>>>>>     }
>>>>>>
>>>>>>     /* load certificate and add to the key
>>>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
>>>>>>                                   xmlSecKeyDataFormatPem) < 0) {
>>>>>>         fprintf(stderr, "Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>>>         goto done;
>>>>>>     }*/
>>>>>>
>>>>>>     /* set key name to the file name, this is just an example!
>>>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>>         fprintf(stderr, "Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>>>         goto done;
>>>>>>     } */
>>>>>>
>>>>>>     /* sign the template */
>>>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>>         fprintf(stderr, "Error: signature failed\n");
>>>>>>         goto done;
>>>>>>     }
>>>>>>
>>>>>>     ....
>>>>>> }
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> Pablo G. Gallardo
>>>>>> _______________________________________________
>>>>>> xmlsec mailing list
>>>>>> xmlsec at aleksey.com
>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>