Hi,

Yes, I have successfully used an Aladdin eToken Pro in a Windows XP
environment with XMLsec 1.2.1 using the command line and template below.

Key points:

1) use --crypto mscrypto
2) point xmlsec at your token using dsig:KeyName in the template
3) make sure your keys were generated on the token and the returned
certificate is bound to those token-resident keys
4) if you can't get the key/cert working in other Windows applications, then
it won't work with XMLsec either
5) xmlsec (with --mscrypto) is just using CAPI with the appropriate CSP as
dictated by the particular cert you choose
6) xmlsec (with --mscrypto) really doesn't even know it's using the token;
that is standard CAPI/CSP functionality support

Cheers,
Ed

P.S. Good job Aleksey and Wouter ;)

 

xmlsec sign --crypto mscrypto --output inout/edsigned3-enveloped.xml tmpl/tmpl-EPM-signtoken-enveloped.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
Signature created by EPMSigner V1.12 - Sign Template - enveloped-simple - Ed Shallow June 27, 2003
-->
<Document>
    <Data>
        <SubData1>
            <SubSubData1 MimeType="text/plain">This is the data to be signed.</SubSubData1>
            <SubSubData2 MimeType="text/plain">This is the data to be signed.</SubSubData2>
            <SubSubData3 MimeType="text/plain">This is the data to be signed.</SubSubData3>
        </SubData1>
        <SubData2>This is the data to be signed.</SubData2>
        <SubData3>This is the data to be signed.</SubData3>
    </Data>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <dsig:Reference URI="">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <dsig:DigestValue></dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>
        </dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:KeyName>CN=Thawte Freemail Member, [EMAIL PROTECTED]</dsig:KeyName>
            <dsig:X509Data>
                <dsig:X509Certificate></dsig:X509Certificate>
                <dsig:X509SubjectName></dsig:X509SubjectName>
                <dsig:X509IssuerSerial></dsig:X509IssuerSerial>
            </dsig:X509Data>
        </dsig:KeyInfo>
    </dsig:Signature>
</Document>


_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
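
A pre-flight check for an enveloped signing template of the shape posted above, as an added example that is not part of the original message or of xmlsec itself. It confirms the template carries a dsig:KeyName (key point 2), that the URI="" reference has the enveloped-signature transform, and that the value placeholders are still empty. The function name check_template and the sample KeyName are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"dsig": DSIG}
ENVELOPED = DSIG + "enveloped-signature"

# Constructed sample: a cut-down template in the shape of the one in the post.
# "CN=Example Signer" is a placeholder, not a value from the post.
SAMPLE = """<Document>
  <Data>This is the data to be signed.</Data>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <dsig:Reference URI="">
        <dsig:Transforms>
          <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue></dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue/>
    <dsig:KeyInfo><dsig:KeyName>CN=Example Signer</dsig:KeyName></dsig:KeyInfo>
  </dsig:Signature>
</Document>"""

def check_template(xml_text):
    """Return (key_name, problems) for an enveloped xmlsec signing template."""
    root = ET.fromstring(xml_text)
    problems = []
    sig = root.find(".//dsig:Signature", NS)
    if sig is None:
        return None, ["no dsig:Signature element"]
    key_name = (sig.findtext("dsig:KeyInfo/dsig:KeyName", "", NS) or "").strip()
    if not key_name:
        problems.append("empty or missing dsig:KeyName: nothing selects the token certificate")
    refs = sig.findall("dsig:SignedInfo/dsig:Reference", NS)
    if not refs:
        problems.append("no dsig:Reference")
    for ref in refs:
        algs = [t.get("Algorithm") for t in ref.findall("dsig:Transforms/dsig:Transform", NS)]
        if ref.get("URI") == "" and ENVELOPED not in algs:
            problems.append('URI="" reference lacks the enveloped-signature transform')
        if (ref.findtext("dsig:DigestValue", "", NS) or "").strip():
            problems.append("DigestValue is already filled in")
    if (sig.findtext("dsig:SignatureValue", "", NS) or "").strip():
        problems.append("SignatureValue is already filled in")
    return key_name, problems
```

The returned key name is the string to compare against the subject of the certificate in the Windows store before running the sign command.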
