[xmlsec] OpenSSL engine patch

Aleksey Sanin aleksey at aleksey.com
Thu Sep 23 13:37:18 UTC 2021


Hi Leonardo,

Thank you for the patch! Is there any chance you can submit a PR
on github? That way it will be easier to discuss the patch there.

Thanks,

Aleksey

On 9/22/21 1:06 PM, LS wrote:
> Dear xmlsec community,
> 
> 
> I'd like to share with you a patch I developed to allow the use of an
> OpenSSL engine in xmlsec.
> 
> 
> Usage from the command line is simple: I added the option
> --privkey-openssl-engine to supply the engine's name and the key specs.
> 
> 
>   --privkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>,[,<crtfile>[,<cafile>[...]]]
>         load private key by OpenSSL ENGINE interface; specify the name of engine
>         (like with -engine params), the key specs (like with -inkey or -key params)
>         and certificates that verify this key
> 
> At the moment I have tested only the pkcs11 engine with SoftHSM2, but I'd like
> all of you interested in using an HSM or smartcard with xmlsec to test it.
> 
> 
> To setup a token with SoftHSM run:
> 
>    softhsm2-util --init-token --free --label "XmlsecToken" --pin password --so-pin password
> 
> To create a key pair in token run:
> 
>    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 1000 --label XmlsecKey --pin password
> 
> To generate a certificate run:
> 
>    openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform engine -key "pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password" -out Xmlsec.pem
> 
> To sign an XML file with a patched xmlsec run:
> 
>    xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey" "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem" sample.xml
> 
> 
> Best regards
> 
> -- 
> --------------------------------------------------------------------------
> Leonardo Secci
> mailto:leonardo.secci at unirel.com
> UniRel s.r.l.
> 
> 
> _______________________________________________
> xmlsec mailing list
> xmlsec at aleksey.com
> http://www.aleksey.com/mailman/listinfo/xmlsec
> 
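
The quoted post describes a new option value grammar, <openssl-engine>;<openssl-key-id>[,<crtfile>[,<cafile>...]], in which the key id is itself a PKCS#11 URI that uses ';' between its attributes. The script below is an added example, not code from the patch or from xmlsec: it parses that option syntax on the first ';' only, splits the remaining cert list on ',', builds and parses PKCS#11 URIs with RFC 7512 percent-encoding so that a ';' or ',' inside a token or object label cannot collide with the option syntax, and reports whether the key id carries the PIN inline (pin-value) rather than by reference (pin-source). The function names are mine, and the sample argument mirrors the xmlsec1 invocation in the post but is constructed here; it does not touch a real token.

```python
"""Parser for the proposed --privkey-openssl-engine value syntax (added example).

Grammar, as quoted in the post:   <engine>;<key-id>[,<crtfile>[,<cafile>...]]
PKCS#11 URI handling follows RFC 7512 (path attrs ';'-separated, query attrs
'&'-separated, percent-encoding permitted in every value).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import quote, unquote


@dataclass
class EngineKeySpec:
    """Result of parsing '<engine>;<key-id>[,<crtfile>[,<cafile>...]]'."""
    engine: str
    key_id: str
    certs: list[str] = field(default_factory=list)


def parse_engine_key_spec(arg: str) -> EngineKeySpec:
    """Split on the FIRST ';' (engine name), then on ',' for the cert files.

    Only the first ';' may be used, because a PKCS#11 key id contains ';'
    between its own attributes.
    """
    engine, sep, rest = arg.partition(";")
    if not sep or not engine:
        raise ValueError("expected '<engine>;<key-id>[,<cert>...]'")
    parts = rest.split(",")
    if not parts[0]:
        raise ValueError("empty key id")
    # Empty entries (the ',,' written in the help text) are ignored.
    return EngineKeySpec(engine, parts[0], [p for p in parts[1:] if p])


def build_pkcs11_uri(**attrs: str) -> str:
    """Build 'pkcs11:<k>=<v>;...' with every value percent-encoded.

    quote(safe="") leaves only unreserved characters unencoded, so a ';' or
    ',' inside a label becomes %3B / %2C and survives both the URI split and
    the option's comma-separated cert list.
    """
    return "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in attrs.items())


def parse_pkcs11_uri(uri: str) -> dict[str, str]:
    """Parse path (';'-separated) and query ('&'-separated) attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    chunks = [c for c in path.split(";") if c] + [c for c in query.split("&") if c]
    out: dict[str, str] = {}
    for chunk in chunks:
        key, eq, value = chunk.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {chunk!r}")
        out[unquote(key)] = unquote(value)
    return out


def pin_exposed_on_cmdline(spec: EngineKeySpec) -> bool:
    """True when the key id carries the PIN inline (pin-value).

    A PIN placed in argv is visible to other local users through the
    process list; RFC 7512's pin-source attribute refers to it indirectly.
    Only pkcs11: key ids are inspected; other engines use opaque ids.
    """
    if not spec.key_id.startswith("pkcs11:"):
        return False
    return "pin-value" in parse_pkcs11_uri(spec.key_id)


# Constructed sample mirroring the value in the post (not a real token).
SAMPLE_ARG = ("pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;"
              "pin-value=password,Xmlsec.pem")

if __name__ == "__main__":
    spec = parse_engine_key_spec(SAMPLE_ARG)
    print(spec)
    print("PIN on command line:", pin_exposed_on_cmdline(spec))
    # A label containing ',' is encoded so the cert list split stays correct.
    print(build_pkcs11_uri(token="Xmlsec Token", object="Key,1"))
```

Running the script with the sample argument shows the engine name, the key id and the cert list separated correctly, and flags that the sample carries the PIN inline; the last line shows how a label with a space and a comma is encoded before it is embedded in the option value.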
