[xmlsec] OpenSSL engine patch
Aleksey Sanin
aleksey at aleksey.com
Thu Sep 23 13:37:18 UTC 2021
Hi Leonardo,
Thank you for the patch! Is there any chance you can submit a PR
on github? That way it will be easier to discuss the patch there.
Thanks,
Aleksey
On 9/22/21 1:06 PM, LS wrote:
> Dear xmlsec community,
>
>
> I'd like to share with you a patch I developed to allow usage of an
> OpenSSL's engine in xmlsec.
>
>
> The usage with command line is simple, I added the option
> --privkey-openssl-engine to supply the engine's name and the key specs.
>
>
> --privkey-openssl-engine[:<name>]
> <openssl-engine>;<openssl-key-id>,[,<crtfile>[,<cafile>[...]]]
> load private key by OpenSSL ENGINE interface; specify the name
> of engine
>
> (like with -engine params), the key specs (like with -inkey or
> -key params)
> and certificates that verify this key
>
> At moment I tested only pkcs11 engine with SoftHSM2 but I'd like that
> all of you interested in using HSM or smartcard with xmlsec make a test .
>
>
> To setup a token with SoftHSM run:
>
> softhsm2-util --init-token --free --label "XmlsecToken" --pin
> password --so-pin password
>
> To create a key pair in token run:
>
> pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type
> rsa:2048 --id 1000 --label XmlsecKey --pin password
>
> To generate a certificate run:
>
> openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform
> engine -key
> "pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password"
> -out Xmlsec.pem
>
> To sign an xml with a patched xmlsec run:
>
> xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey"
> "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem"
> sample.xml
>
>
> Best regards
>
>
>
>
> --
>
> --------------------------------------------------------------------------
>
> Leonardo Secci
>
> mailto:leonardo.secci at unirel.com
>
>
> UniRel s.r.l.
>
>
>
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
>
More information about the xmlsec
mailing list