OK, the next step is to figure out how to get the EVP for the
key on the token. Check what the "-keyform engine" command line
option does.

Aleksey

Ivan Barrera A. wrote:
Aleksey Sanin wrote:
I think that you need to figure out how the "-engine" option
is handled for the openssl command line tool. Then you will need
to do similar openssl initialization in xmlsec.

I figured that out.
Just to try that, I added the engine initialization on the same openssl
engine. However, it cannot find the key yet.
I guess the key is not being called through the engine, and so far, I
haven't found where in the code to look.

Thanks


Aleksey

Ivan Barrera A. wrote:
Hi again.

I've tried almost all solutions I've found on the web, and still no luck.

Maybe it cannot be done, I don't know, so I'll explain a little more of
what I have:

- USB eToken (Aladdin Pro32K, using its own format)
- Library from Aladdin to access the eToken
(/usr/lib/libeTPkcs11.so)
- an X509 cert inside the eToken, along with private and public keys (that
cannot be exported; the eToken has to sign all data itself)

Using openssl, I've been able to sign a digest using:
openssl dgst -engine pkcs11  -keyform engine -sign
<id-of-the-key-inside-token> xmlfile.xml

It seems to work, as it asks for the eToken password and outputs some
raw data.

I haven't been able to make xmlsec use openssl this way, so that the token
does the signing of the document.

Any ideas?


Ivan Barrera A. wrote:
I've been fighting the last week trying to sign XML documents using a
cert stored on an eToken (Aladdin 32K).
I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying
to sign the document in any way.

So far, I've tried openssl and nss with no luck. Using openssl alone, I
can get the system to sign smime documents using the token:
openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem
-keyform engine -inkey
39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30

And adding the eToken lib to nss, modutil -list gives:
  2. eToken
        library name: /usr/lib/libeTPkcs11.so
         slots: 17 slots attached
        status: loaded

         slot: AKS ifdh 00 00
        token: eToken



However, when I try to sign anything using xmlsec1, I only get:

# xmlsec1 --sign --crypto nss   --output a.xml test4.xml
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x00000000)
Error: signature failed
Error: failed to sign file "test4.xml"



I've tried using keyname, keyvalue, and a keys.xml file. Nothing worked. Most
probably, I'm doing something wrong.
Has someone done this, or does anyone know how I can achieve this?

BTW, running on Fedora Core 9, using the latest openct/pcscd/xmlsec.

_______________________________________________
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
