[xmlsec] xmlsec1 and pkcs11

Jaromir Talir jaromir.talir at nic.cz
Tue Feb 9 11:27:45 PST 2021


There is at least one big "client" for CLI that is pysaml2
https://github.com/IdentityPython/pysaml2/blob/master/docs/howto/config.rst#xmlsec-binary
Simple way to add PIN would allow to use pysaml2 and hw tokens easily.

At least seems to me that if someone managed to call this outside CLI,
it is promising that CLI version is not impossible. 

Regards,
Jaromir

On Tue, 2021-02-09 at 11:11 -0800, Aleksey Sanin wrote:
> All known to me use cases for reading keys from token do not use CLI
> :)
> 
> Aleksey
> 
> On 2/9/21 10:59 AM, Jaromir Talir wrote:
> > Hi Aleksey,
> > 
> > I'm afraid this needs much deeper understanding of internals than I
> > have. It's quite surprising nobody tried it in 15? years. Maybe
> > author
> > of libreoffice xmlsec client could assist in debugging where this
> > PIN
> > enters the API and than CLI could be updated to follow the same
> > path?
> > 
> > Regards,
> > Jaromir
> > 
> > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > Hi Jaromir,
> > > 
> > > I never tested passing password to the token from CLI. If you can
> > > debug it then I would gladly accept patches :)
> > > 
> > > Best,
> > > 
> > > Aleksey
> > > 
> > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > Hi Miklos,
> > > > 
> > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > document with the key on the token. I was asked for PIN in GUI.
> > > > 
> > > > So the question for the audience is - how to pass PIN to NSS in
> > > > xmlsec1
> > > > cli?
> > > > 
> > > > The last possible problem can be in KeyName so the other
> > > > question
> > > > is -
> > > > is the described process to guess KeyName from token correct?
> > > > 
> > > > Regards,
> > > > Jaromir
> > > > 
> > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > Hi Jaromir,
> > > > > 
> > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > <jaromir.talir at nic.cz> wrote:
> > > > > > good to hear you have succeeded. I played with nss and
> > > > > > pkcs11
> > > > > > and
> > > > > > seems
> > > > > > like I'm almost there but still not fully. I guess I
> > > > > > managed to
> > > > > > get
> > > > > > over task how to find proper keyname but xmlsec1 still
> > > > > > cannot
> > > > > > find
> > > > > > the
> > > > > > key in the token. I suspect that problem may be in PIN code
> > > > > > (i.e
> > > > > > "123456") that needs to be entered and I'm not sure if
> > > > > > xmlsec1
> > > > > > "--
> > > > > > pwd"
> > > > > > parameter is used for this.
> > > > > 
> > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > invoked by
> > > > > LibreOffice. Perhaps see if your HW works with LibreOffice
> > > > > (try
> > > > > to
> > > > > sign
> > > > > e.g. an ODT file), and if so, track down how your code vs
> > > > > xmlsec1
> > > > > cli
> > > > > vs
> > > > > LibreOffice uses the xmlsec1 library?
> > > > > 
> > > > > Seeing you're on Linux, I only tried this with the NSS
> > > > > backend of
> > > > > xmlsec1.
> > > > > 
> > > > > Regards,
> > > > > 
> > > > > Miklos
> > > > 
> > > > 
> > > > _______________________________________________
> > > > xmlsec mailing list
> > > > xmlsec at aleksey.com
> > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > 
> > 
> > 




More information about the xmlsec mailing list