[xmlsec] xmlsec1 and pkcs11

Dmitry Belyavsky beldmit at gmail.com
Tue Feb 9 23:36:16 PST 2021


Dear Jaromir,

You are correct, the argument passed in the command line is used on loading
the key - but the engine loaded via config is already loaded and provides
the crypto-operations.

So the necessary patch should provide the engine (name) to the
openssl-based xmlsec function loading the key.

On Tue, Feb 9, 2021 at 10:34 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:

> Hi Dmitry,
>
> I don't think such openssl.conf can define default "engine" as the
> replacement for command line parameter "-engine pkcs11", see below:
>
> # ------------ test regular openssl signing with token
> $ echo "data" | openssl rsautl -engine pkcs11 -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign  -out /tmp/signature -in /dev/stdin
> engine "pkcs11" set.
> # ------------ define openssl.conf
> $ cat openssl.conf
> openssl_conf = openssl_def
>
> [openssl_def]
> engines=engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
> #MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
> MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
> init = 1
> default_algorithms = ALL
> # ----------- use openssl.conf and remove commandline parameter "-engine pkcs11"
> $ echo "data" | OPENSSL_CONF=./openssl.conf openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign  -out /tmp/signature -in /dev/stdin
> no engine specified
> unable to load Private Key
> # ----------- check that openssl.conf is read by adding strace to previous call
> $ echo "data" | OPENSSL_CONF=./openssl.conf strace openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign  -out /tmp/signature -in /dev/stdin 2>&1 | grep openssl.conf
> openat(AT_FDCWD, "./openssl.conf", O_RDONLY) = 3
> read(3, "openssl_conf = openssl_def\n\n[ope"..., 4096) = 323
>
> Regards,
> Jaromir
>
> On Tue, 2021-02-09 at 21:06 +0100, Dmitry Belyavsky wrote:
> > I never used this engine, so I can't help, but maybe I'll be able to
> > provide some patch if necessary.
> >
> > I usually check if the specified config file and engine is loaded
> > using strace. I remember that it is never loaded when openssl is
> > linked statically.
> >
> > On Tue, 9 Feb 2021, 21:01 Jaromir Talir, <jaromir.talir at nic.cz> wrote:
> > > I guess I tried that and failed, but I'll give it another try. There is
> > > at least question how to identify key. Did you use the same approach as
> > > in nss crypto with KeyName in template?
> > >
> > > Regards,
> > > Jaromir
> > >
> > > On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:
> > > > It's rather simple to use the engine via config.
> > > >
> > > > Smth like
> > > > ======
> > > > openssl_conf = openssl_def
> > > > [openssl_def]
> > > > engines = engine_section
> > > >
> > > > [engine_section]
> > > > pkcs11 = pkcs11_section
> > > >
> > > > [pkcs11_section]
> > > > engine_id = pkcs11
> > > > dynamic_path = /path/to/engine.so
> > > > default_algorithms = ALL
> > > > ======
> > > > and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to
> > > > load if the library is not built statically.
> > > >
> > > > Not sure it will ask the password.
> > > >
> > > >
> > > >
> > > > On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > Hi Dmitry,
> > > > >
> > > > > this would be great. I was able to use openssl with 'engine pkcs11
> > > > > -keyform engine -inkey "pkcs11:..."'  but haven't found a way how to
> > > > > pass this to xmlsec1. In the xmlsec1 mailing list archives it is
> > > > > mentioned there may be a way to get this into openssl config but
> > > > > without conclusion.
> > > > >
> > > > > Can you please share what was your approach?
> > > > >
> > > > > Regards,
> > > > > Jaromir
> > > > >
> > > > > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > > > > > Hi Jaromir,
> > > > > >
> > > > > > I had some experience using xmlsec-openssl with PKCS#11-capable
> > > > > > engine and PKCS11-based keys, so I think it could be possible to do
> > > > > > it using openssl pkcs11 engine.
> > > > > >
> > > > > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > > > Hi Aleksey,
> > > > > > >
> > > > > > > I'm afraid this needs much deeper understanding of internals than I
> > > > > > > have. It's quite surprising nobody tried it in 15? years. Maybe author
> > > > > > > of libreoffice xmlsec client could assist in debugging where this PIN
> > > > > > > enters the API and then CLI could be updated to follow the same path?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jaromir
> > > > > > >
> > > > > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > > > > > Hi Jaromir,
> > > > > > > >
> > > > > > > > I never tested passing password to the token from CLI. If you can
> > > > > > > > debug it then I would gladly accept patches :)
> > > > > > > >
> > > > > > > > Best,
> > > > > > > >
> > > > > > > > Aleksey
> > > > > > > >
> > > > > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > > > > > Hi Miklos,
> > > > > > > > >
> > > > > > > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > > > > > > document with the key on the token. I was asked for PIN in GUI.
> > > > > > > > >
> > > > > > > > > So the question for the audience is - how to pass PIN to NSS in
> > > > > > > > > xmlsec1 cli?
> > > > > > > > >
> > > > > > > > > The last possible problem can be in KeyName so the other question
> > > > > > > > > is - is the described process to guess KeyName from token correct?
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Jaromir
> > > > > > > > >
> > > > > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > > > > > Hi Jaromir,
> > > > > > > > > >
> > > > > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir <jaromir.talir at nic.cz> wrote:
> > > > > > > > > > > good to hear you have succeeded. I played with nss and pkcs11
> > > > > > > > > > > and seems like I'm almost there but still not fully. I guess I
> > > > > > > > > > > managed to get over task how to find proper keyname but xmlsec1
> > > > > > > > > > > still cannot find the key in the token. I suspect that problem
> > > > > > > > > > > may be in PIN code (i.e "123456") that needs to be entered and
> > > > > > > > > > > I'm not sure if xmlsec1 "--pwd" parameter is used for this.
> > > > > > > > > >
> > > > > > > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track down
> > > > > > > > > > how your code vs xmlsec1 cli vs LibreOffice uses the xmlsec1
> > > > > > > > > > library?
> > > > > > > > > >
> > > > > > > > > > Seeing you're on Linux, I only tried this with the NSS backend of
> > > > > > > > > > xmlsec1.
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Miklos
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > xmlsec mailing list
> > > > > > > > > xmlsec at aleksey.com
> > > > > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
> > > > > > > > >

-- 
SY, Dmitry Belyavsky