Well, it is hard to say how far away you are but these are the steps that should help you:
1) Configure OpenSSL or NSS to use the PKCS11 modules that came from your smart card. Since you already have it working in Firefox, this means that you have the necessary stuff for NSS. However, it might be possible that your Firefox uses a *private* NSS instance and you need to repeat the configuration for the global instance as well.
2) Figure out the "key name" for this key if you can.
3) Add <KeyName>...</KeyName> to your xml message to tell xmlsec which key to load.
4) Sign the message with the right crypto engine loaded (nss or openssl):
   xmlsec1 sign --crypto ??? msg.xml
Sorry, I don't have a lot of experience with smart cards, thus these are only high-level instructions.
Aleksey

On 9/27/11 11:56 AM, Si St wrote:
I have read through the threads concerning this issue, such as the following:
http://www.aleksey.com/pipermail/xmlsec/2006/007519.html
http://www.mail-archive.com/[email protected]/msg02523.html

I am working in the health sector in Norway as a private doctor. Coming up, there will in the future be a mandatory claim to send messages via a MSH and ebXML, and the message.xml as Payload would have to be signed. At this stage xmlsec can be used for this with the following setup:
1. make ready the msg.xml with the necessary signature elements and the pasted-in x509-cert added
2. run xmlsec1 as this: xmlsec1 [sign] [--privkey key-to-be-used.pem] [--trusted x509cert-to-be-used_ca.pem] [msg.xml]
Verification test gives OK.

The signature would have to be done with a personal key and not an organisational key as in the instance above. The key resides in a smartcard delivered from buypass.no and is the only standard until now. The buypass.no delivers an accessCD with the necessary PKCS11 machinery on. Installing this, I get contact with the smartcard through Firefox. This edition is for linux; other editions exist for MS Windows. I apply linux to produce the msg.xml as a ready file. To sign the file, for simplicity it doesn't matter whether I use Windows or linux, but the working day is on a linux machine, so I would prefer linux by choice.

The msg.xml file is sent with "Hermes2" - CECID, Hong Kong University - as the Message Service Handler. I am so far able to pass all servers up to the point where the receiver actually is dealing with the content in the msg.xml directly. But here I am stopped, because the signature has to be done with the key inside the smartcard, and the error message asks for the organisational cert to be exchanged with the personal cert.

So the question is: How far am I from succeeding, and what help can I get from you to achieve the missing part in this run?
I am not a programmer able to write the eventual necessary programs myself, but maybe and hopefully only small configuration changes are necessary from this point on.

Sincerely Yours,
S. Storset
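The steps in Aleksey's reply (template with a KeyName, then xmlsec1 sign with the nss engine), carried through as an added example that is not code from the thread or from the xmlsec project: a Python helper that appends the ds:Signature skeleton with a ds:KeyName to msg.xml and builds the xmlsec1 command line. The key name "buypass-personal-key", the sample message and the output filename are assumptions; the real key name comes from the configured PKCS#11/NSS token.

```python
"""Prepare msg.xml for `xmlsec1 --sign` with a smart-card key selected by KeyName.

Added example, not code from the xmlsec project or the thread's authors; the key
name and sample message below are constructed placeholders."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
KEY_NAME = "buypass-personal-key"  # placeholder: the real name comes from the PKCS#11 token
SAMPLE_MSG = "<msg><body>constructed ebXML payload</body></msg>"  # constructed input

def q(tag):
    """Qualified tag name in the XML DSig namespace."""
    return f"{{{DS}}}{tag}"

def add_signature_template(root, key_name):
    """Append the enveloped-signature skeleton xmlsec1 fills in.

    xmlsec1 computes DigestValue and SignatureValue itself; with --crypto nss it
    picks the private key whose name matches ds:KeyName from the NSS/PKCS#11 store.
    """
    sig = ET.SubElement(root, q("Signature"))
    info = ET.SubElement(sig, q("SignedInfo"))
    ET.SubElement(info, q("CanonicalizationMethod"),
                  Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
    ET.SubElement(info, q("SignatureMethod"),
                  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    ref = ET.SubElement(info, q("Reference"), URI="")  # URI="" signs the whole document
    ET.SubElement(ET.SubElement(ref, q("Transforms")), q("Transform"),
                  Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature")
    ET.SubElement(ref, q("DigestMethod"), Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, q("DigestValue"))     # left empty for xmlsec1
    ET.SubElement(sig, q("SignatureValue"))  # left empty for xmlsec1
    ET.SubElement(ET.SubElement(sig, q("KeyInfo")), q("KeyName")).text = key_name
    return sig

def prepare(xml_text, key_name=KEY_NAME):
    """Return the message text with the KeyName-bearing template appended."""
    root = ET.fromstring(xml_text)
    add_signature_template(root, key_name)
    return ET.tostring(root, encoding="unicode")

def key_name_of(xml_text):
    """Read back which key xmlsec1 will be told to load (None if no KeyName)."""
    el = ET.fromstring(xml_text).find(f".//{q('KeyName')}")
    return None if el is None else el.text

def sign_command(msg_path, crypto="nss", out_path="msg-signed.xml"):
    """argv for the reply's step 4; --sign, --crypto and --output are xmlsec1 options."""
    return ["xmlsec1", "--sign", "--crypto", crypto, "--output", out_path, msg_path]
```

Write `prepare(open("msg.xml").read())` to a file and run `sign_command(...)` from a shell where the NSS database knows the smart card's PKCS#11 module; the template only names the key, it never contains key material.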
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
