[xmlsec] PKCS11 - Key not found
Aleksey Sanin
aleksey at aleksey.com
Thu Sep 14 12:11:39 PDT 2017
Just a heads up that I've got a report that this change
cause problems for other users. I will be rolling it back
(and I still don't have a good way to determine RSA key
type).
Aleksey
On 11/12/16 8:17 AM, Pablo Gabriel Gallardo wrote:
> Aleksey,
>
> It worked! Thank you so much for your help and time!
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> XML Security Library example: Original XML doc file for sign3 example.
> -->
> <Envelope xmlns="urn:envelope">
> <Data>
> Hello, World!
> </Data>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <Reference>
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
> PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
> Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
> uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
> 1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
> hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
> <KeyInfo>
> <X509Data>
> <X509SubjectName/>
> <X509Certificate/>
> </X509Data>
> </KeyInfo>
> </Signature></Envelope>
>
> Regards,
>
> Pablo G. Gallardo
>
> 2016-11-12 3:46 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>> Can you try this patch (it is already merged to the master on github --
>> you will need to recompile the library and ensure you are loading
>> the recompiled libs instead of the default ones):
>>
>> https://github.com/lsh123/xmlsec/pull/59
>>
>> I believe this should help with RSA. I have no idea what to do with DSA
>> since I don't see any indication in the debug printout that this key is
>> private.
>>
>> Aleksey
>>
>> On 11/11/16 2:42 PM, Pablo Gabriel Gallardo wrote:
>>> Aleksey,
>>>
>>> Here you have the RSA and DSA objects from my smart card in execution time:
>>> RSA:
>>> $1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
>>> 0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
>>> = 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
>>> 1, flags = 6,
>>> _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
>>> bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
>>>
>>> RSA->meth:
>>> (gdb) p *pKey.pkey->rsa->meth
>>> $3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
>>> rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
>>> <pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
>>> <pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
>>> bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
>>> = 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
>>> rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
>>>
>>> RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
>>>
>>> DSA:
>>> (gdb) p *pKey.pkey->dsa
>>> $2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
>>> 0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
>>> = 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
>>> = {sk = 0x0, dummy = 1},
>>> meth = 0x6, engine = 0x0}
>>>
>>>
>>> I've tried to debug the sources on GitHub but I've got this error:
>>> func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
>>> library function failed:mode=abi compatible;expected minor
>>> version=2;real minor version=2;expected subminor version=20;real
>>
>>
>>> subminor version=23
>>> Error: loaded xmlsec library version is not compatible.
>>>
>>> But with the information above RSA is recognized as a public key
>>> because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
>>>
>>> Thank you for your interest in my case. What can I do to fix this?
>>> Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
>>> public key and one for the private key)?
>>>
>>> Regards,
>>>
>>> Pablo G. Gallardo
>>>
>>> 2016-11-11 1:39 GMT-02:00 Aleksey Sanin <aleksey at aleksey.com>:
>>>> Can you check what's going on in these two places?
>>>>
>>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
>>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>>>>
>>>> Unfortunately, there is no good way to determine if a PKEY is public
>>>> or private. Thus we use a hack. I am curious what is going on there
>>>> in your case.
>>>>
>>>> Aleksey
>>>>
>>>> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>>>>> Hello Aleksey,
>>>>>
>>>>> I've used the RSA key from my smartcard by it is still being
>>>>> recognized as a public key. Is it because, as a smart card RSA key, it
>>>>> doesn't have the d member (because the private key never leaves the
>>>>> smart card)?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Pablo
>>>>>
>>>>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <pggllrd at gmail.com>:
>>>>>> Hi Aleksey,
>>>>>>
>>>>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
>>>>>>
>>>>>> I'll fix that and then I'll came with the result.
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> Pablo
>>>>>>
>>>>>> Em 9 de novembro de 2016 00:17:27 BRST, Aleksey Sanin <aleksey at aleksey.com> escreveu:
>>>>>>> Assuming that the key type matches the requested signature type
>>>>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>>>>
>>>>>>> Can you try to print the key type with
>>>>>>>
>>>>>>> xmlSecKeyGetType(key)
>>>>>>>
>>>>>>> Basically, I suspect that it doesn't recognize the key as private
>>>>>>> thus can't find a proper key for the signature.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>>>>> Hello there!
>>>>>>>>
>>>>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>>>>> this error:
>>>>>>>>
>>>>>>>>
>>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
>>>>>>>> is not found:
>>>>>>>>
>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
>>>>>>>> library function failed:
>>>>>>>>
>>>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
>>>>>>>> library function failed:
>>>>>>>> Error: signature failed
>>>>>>>>
>>>>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>>>>> card but I'm sure that I am missing something.
>>>>>>>>
>>>>>>>> Could someone please help me to see what else I should be doing to
>>>>>>>> make this work? I've checked this mailing list and someone in 2008
>>>>>>> had
>>>>>>>> the same problem but he didn't mention how to solve it.
>>>>>>>>
>>>>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>>>>>
>>>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>>>>
>>>>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>>>>
>>>>>>>> xmlSecKeyPtr key = NULL;
>>>>>>>> xmlSecKeyDataPtr data;
>>>>>>>> EVP_PKEY *pKey = NULL;
>>>>>>>> int ret;
>>>>>>>>
>>>>>>>> pKey = get_private_key(pwd);
>>>>>>>> if(pKey == NULL)
>>>>>>>> return NULL;
>>>>>>>>
>>>>>>>> data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>>>> if(data == NULL) {
>>>>>>>> EVP_PKEY_free(pKey);
>>>>>>>> return NULL;
>>>>>>>> }
>>>>>>>>
>>>>>>>> key = xmlSecKeyCreate();
>>>>>>>> if(key == NULL) {
>>>>>>>> xmlSecKeyDataDestroy(data);
>>>>>>>> return NULL;
>>>>>>>> }
>>>>>>>>
>>>>>>>> ret = xmlSecKeySetValue(key, data);
>>>>>>>> if(ret < 0) {
>>>>>>>> xmlSecKeyDestroy(key);
>>>>>>>> xmlSecKeyDataDestroy(data);
>>>>>>>> return NULL;
>>>>>>>> }
>>>>>>>> return key;
>>>>>>>> }
>>>>>>>>
>>>>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>>>>
>>>>>>>> .....
>>>>>>>>
>>>>>>>>
>>>>>>>> /* load private key */
>>>>>>>> dsigCtx->signKey = load_key(password);
>>>>>>>> if(dsigCtx->signKey == NULL) {
>>>>>>>> fprintf(stderr,"Error: failed to load private key from
>>>>>>> smartcard\n");
>>>>>>>> goto done;
>>>>>>>> }
>>>>>>>>
>>>>>>>> /* load certificate and add to the key
>>>>>>>> if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
>>>>>>>> xmlSecKeyDataFormatPem) < 0) {
>>>>>>>> fprintf(stderr,"Error: failed to load pem certificate
>>>>>>>> \"%s\"\n", cert_file);
>>>>>>>> goto done;
>>>>>>>> }*/
>>>>>>>>
>>>>>>>> /* set key name to the file name, this is just an example!
>>>>>>>> if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>>>> fprintf(stderr,"Error: failed to set key name for key from
>>>>>>>> \"%s\"\n", key_file);
>>>>>>>> goto done;
>>>>>>>> } */
>>>>>>>>
>>>>>>>> /* sign the template */
>>>>>>>> if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>>>> fprintf(stderr,"Error: signature failed\n");
>>>>>>>> goto done;
>>>>>>>> }
>>>>>>>>
>>>>>>>> ....
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thank you!
>>>>>>>>
>>>>>>>> Pablo G. Gallardo
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> xmlsec at aleksey.com
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>>> _______________________________________________
>>>>> xmlsec mailing list
>>>>> xmlsec at aleksey.com
>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>
More information about the xmlsec
mailing list