Aleksey Sanin wrote:
You are right. In the scenario you describe (private key is sitting on the smart card) the signature will be done on *this* smart card no matter what, simply because you are not allowed (most of the time) to export the private key from the smart card.
Aleksey
But in NSS that part is actually resolved by the SGN_End routine (via the PK11_Sign routine and the slot already connected to the selected private-key structure). You call SGN_End in the 'nss/signatures.c' module.
But looking at the way NSS handles it in the normal PKCS7 scenario, SGN_End is called as the final action of a sequence which sees:
- first the selection of slot/token,
- then the verification that the token and the certificate are good for signing,
- and finally the signature, which is actually performed by the card (in fact NSS handles private keys of PKCS11 devices - smart cards or software simulations - only as logical descriptors of keys that are handled only by the devices).
What I don't understand is how I can realize such a sequence in an XmlSec1 application.
Clizio
--
----------------------------
Clizio dr. Merli
C.E.O. 4u Srl, Italy
ISACA CISM (Certified Information Security Manager)
EUCIP Certified
AIP member (Associazione Informatici Professionisti)
----------------------------
_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec