[xmlsec] Signing with key on token

Leif Johansson leifj at mnt.se
Sat Aug 12 14:20:48 PDT 2017



On 2017-08-12 19:08, majkl majkl wrote:
> I am sorry, but I can not get it.
> 
> Yes, I've found the same question in one historic -very historic- list, but no solution.
> 
> What am I supposed to do to use a key on a token to sign in xmlsec, please? Use an appropriate openssl config?
> I have spent a whole week searching for it, no luck. It works only when I directly run openssl from the command line.
> 
> Am I supposed to patch xmlsec sources? Or openssl sources? Does xmlsec use its own libraries for the openssl engine,
> or does it use system/openssl shared libraries?
> 
> I am quite lost at this moment, but I really need to sign XMLs with the token.
> 

When I reached this point I gave up and rolled my own.

Find pyXMLSecurity - supports pkcs11. There is a cmdline in there
for signing.

> Thanks,
> 
>                     Michal
> 
> 
> ******************************
> 
> Sure. I think it will work for a simple use cases when there is only
> one key. And yes, for anything more sophisticated custom code is required.
> 
> Aleksey
> 
> On 8/9/17 10:58 AM, Roumen Petrov wrote:
> > Aleksey Sanin wrote:
> >> It was discussed in the mailing list in the past. You need to
> >> create openssl config file to use the engine by default and
> > Hmm, in general this configuration will not work.
> >
> > Engines that operate with key material stored externally cannot be set
> > as default - usually this breaks operations with keys stored differently
> > (file, etc.).
> >
> >> pass it to xmlsec1 command line tool.
> > Perhaps it will work for the simple command line case with a single key.
> >
> > On the other side, the openssl command line option -engine specifies where
> > the key is located (call method ENGINE_load_private_key).
> >
> > Regards,
> > Roumen
> 
> 
> 2017-08-08 21:12 GMT+02:00 Aleksey Sanin <aleksey at aleksey.com>:
> 
>     It was discussed in the mailing list in the past. You need to
>     create openssl config file to use the engine by default and
>     pass it to xmlsec1 command line tool.
> 
>     Aleksey
> 
>     On 8/1/17 12:56 AM, majkl majkl wrote:
>     > I need to sign XML documents with certificate and key, stored on USB
>     > token. I have Linux library (.so) with API, which works in openssl
>     > (command line) and also in Firefox, for example.
>     >
>     > I need to tell xmlsec to use the token library to access the key. (Or,
>     > when crypto openssl is used, make openssl work as it is run with
>     > -keyform ENGINE -engine pkcs11 -inkey ABC -passin pass:PASS).
>     >
>     > Thanks, Michal
>     >
>     >
>     > _______________________________________________
>     > xmlsec mailing list
>     > xmlsec at aleksey.com
>     > http://www.aleksey.com/mailman/listinfo/xmlsec
>     >
> 

