I think that you need to figure out how the "-engine" option is handled by the openssl command line tool. Then you will need to do similar openssl initialization in xmlsec.
Aleksey

Ivan Barrera A. wrote:
> Hi again. I've tried almost all solutions I've found on the web, and still no luck. Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:
>
> - USB eToken (Aladdin Pro32K, using its own format)
> - Library from Aladdin to access the eToken (/usr/lib/libeTPkcs11.so)
> - an X509 cert inside the eToken, along with private and public keys (that cannot be exported; the eToken has to sign all data itself)
>
> Using openssl, I've been able to sign a digest using:
>
> openssl dgst -engine pkcs11 -keyform engine -sign <id-of-the-key-inside-token> xmlfile.xml
>
> It seems to work, as it asks to enter the eToken password and outputs some raw data. I haven't been able to make xmlsec use openssl this way, so that the token can do the signing of the document.
>
> Any ideas?
>
> Ivan Barrera A. wrote:
>> I've been fighting the last week on trying to sign XML documents, using a cert stored on an eToken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>>
>> Using openssl alone, I can get the system to sign S/MIME documents using the token:
>>
>> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>
>> And after adding the eToken lib to nss, modutil -list gives:
>>
>> 2. eToken
>>    library name: /usr/lib/libeTPkcs11.so
>>    slots: 17 slots attached
>>    status: loaded
>>    slot: AKS ifdh 00 00
>>    token: eToken
>>
>> However, when I try to sign anything using xmlsec1, I only get:
>>
>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>> Error: signature failed
>> Error: failed to sign file "test4.xml"
>>
>> I've tried using keyname, keyvalue, and a keys.xml file. Nothing worked. Most probably I'm doing something wrong. Has someone done this, or does anyone know how I can achieve it?
>>
>> BTW, running on Fedora Core 9, using the latest openct/pcscd/xmlsec.
>>
>> _______________________________________________
>> xmlsec mailing list
>> [email protected]
>> http://www.aleksey.com/mailman/listinfo/xmlsec
