Aleksey Sanin wrote:
> I think that you need to figure out how the "-engine" option
> is handled for the openssl command line tool. Then you will need
> to do similar openssl initialization in xmlsec.

I figured that out. Just to try that, I added the engine initialization on the same openssl engine. However, it cannot find the key yet. I guess the key is not being called through the engine, and so far I haven't found where in the code to look.

Thanks

>
> Aleksey
>
> Ivan Barrera A. wrote:
>> Hi again.
>>
>> I've tried almost all solutions I've found on the web, and still no luck.
>>
>> Maybe it cannot be done, I don't know, so I'll explain a little more of
>> what I have:
>>
>> - USB eToken (Aladdin Pro32K, using its own format)
>> - Library from Aladdin to access the eToken
>>   (/usr/lib/libeTPkcs11.so)
>> - an X509 cert inside the eToken, along with private and public keys (that
>>   cannot be exported. The eToken has to sign all data itself)
>>
>> Using openssl, I've been able to sign a digest using:
>>   openssl dgst -engine pkcs11 -keyform engine -sign <id-of-the-key-inside-token> xmlfile.xml
>>
>> It seems to work, as it asks to enter the eToken password and outputs some
>> raw data.
>>
>> I haven't been able to make xmlsec use openssl this way, so the token can
>> do the signing of the document.
>>
>> Any ideas?
>>
>>
>> Ivan Barrera A. wrote:
>>> I've been fighting the last week on trying to sign XML documents, using a
>>> cert stored on an eToken (Aladdin 32K).
>>> I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying
>>> to sign the document in any way.
>>>
>>> So far, I've tried openssl and nss with no luck. Using openssl alone, I
>>> can get the system to sign S/MIME documents using the token:
>>>   openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>>
>>> And after adding the eToken lib to nss, modutil -list gives:
>>>
>>>   2. eToken
>>>      library name: /usr/lib/libeTPkcs11.so
>>>      slots: 17 slots attached
>>>      status: loaded
>>>
>>>      slot: AKS ifdh 00 00
>>>      token: eToken
>>>
>>> However, when I try to sign anything using xmlsec1, I only get
>>>
>>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
>>> Error: signature failed
>>> Error: failed to sign file "test4.xml"
>>>
>>> I've tried using keyname, keyvalue, and a keys.xml file. Nothing worked. Most
>>> probably I'm doing something wrong.
>>> Has someone done this, or does anyone know how I can achieve it?
>>>
>>> BTW, running on Fedora Core 9, using the latest openct/pcscd/xmlsec.
>>>
>>> _______________________________________________
>>> xmlsec mailing list
>>> [email protected]
>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>
