You don't need to load the file but you need somehow tell xmlsec which key to use. The easiest way is to use KeyName.
Sorry again, I don't have direct experience with smart cards and xmlsec.

Aleksey

On 10/6/11 9:26 AM, Si St wrote:
(Main stuff at "SUPPOSITIONS" further down)

I have tried out an openssl.cnf config together with a command line that performs openssl processes according to the examples in: http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
But I modified the openssl.cnf for my own smartcard with /usr/lib/libiid.so.5.3.1.31

I have also put in a request for help to define the key_id in openssl.cnf at the page: http://old.nabble.com/sufficient-engine-configuration-i-openssl.cnf-for-signing-with-smartcard-xmlsec1-td32596200.html

Testwise, I have full contact with the smartcard, when defining the right key_id and pincode, eagerly blinking and hanging until the process is fulfilled. This is good.

Upon trying the xmlsec1 with "--crypto" there is blinking and hang also, but because I am not able to define the key_id in the openssl.cnf I have this error:

xmlsec1 sign --crypto openssl --output signed_template_KOM.xml template_KOM.xml
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/C=NO/O=STORSET SIGBJ\xC3\x98RN/CN=STORSET SIGBJ\xC3\x98RN/serialNumber=981789261;err=20;msg=unable to get local issuer certificate
func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate
func=xmlSecKeysMngrGetKey:file=keys.c:line=1370:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed:
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed
Error: failed to sign file "template_KOM.xml"

The reason for the first error part is that in the template, a definition of the certificate by pasting it into the element <Certificate/> is mandatory. With the --privkey keyfile.pem switch and the corresponding CA cert-file defined to the --trusted switch, this error disappears. In all, the file is signed with or without the --trusted switch, when I experimentally tried the signing with the "wrong" key as keyFILE.pem.

SUPPOSITIONS:

In the instance with the --privkey I do not need the element <KeyName/>: the msg.xml is signed and "xmlsec1 verify" gives "OK". I would assume that this is also true with --crypto, as long as the key_id is defined correctly in the openssl.cnf. I understand this so that --crypto will substitute a similar call that --privkey performs on a keyfile.pem, assuming that the key is there ready for signing, once found (?). But a quick glance at the keys.c and the more it could be that this is not so. I cannot tell.

In addition there is no way of getting the key out of the smartcard as a FILE. At the particular level of this smartcard certificate ("person high") the security policy definition has decided it so.

- The whole thing would be in box if a keyfile.pem could have been used. It works with xmlsec1 exactly right. I have even asked for export of the key as a file, but there is only a no-answer. It is quite incredible that a key.pem cannot be handed out as long as the keyfile can be thoroughly encrypted and password protected with pkcs6 and topk8, - at least for responsible people.
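The KeyName approach Aleksey points to, as an added example that is not part of the thread: the template names the signing key in <KeyName>, and xmlsec1's `--privkey-pem:<name>` and `--pubkey-cert-pem:<name>` forms register a key under that same name, so the lookup succeeds without any X509Certificate in the template. It assumes a throwaway self-signed PEM key standing in for the smart-card key (no PKCS#11 engine is exercised here) and constructed file names; sign/verify is skipped when xmlsec1 or openssl is not installed.

```shell
# Added example (not from the thread): an enveloped XML-DSig template whose
# <KeyName> carries the name the signing key is registered under, plus the
# xmlsec1 calls that use that name. All file names are constructed for this demo.
set -e

write_template() {   # $1 = output path, $2 = key name to put in <KeyName>
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="urn:envelope">
  <Data>Hello, World!</Data>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo>
      <KeyName>$2</KeyName>
    </KeyInfo>
  </Signature>
</Envelope>
EOF
}

# Sign, then verify, resolving the key purely by <KeyName>. Returns 0 when the
# tools are absent (nothing to run) or when verification succeeds.
sign_and_verify() {  # $1 = working dir holding template.xml, $2 = key name
    if ! command -v xmlsec1 >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "xmlsec1/openssl not installed; skipping sign/verify" >&2
        return 0
    fi
    # Throwaway self-signed key pair standing in for the smart-card key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
    # The :name suffix is what xmlsec1 matches against the template's <KeyName>.
    xmlsec1 sign --privkey-pem:"$2" "$1/key.pem,$1/cert.pem" \
        --output "$1/signed.xml" "$1/template.xml"
    xmlsec1 verify --pubkey-cert-pem:"$2" "$1/cert.pem" "$1/signed.xml"
}

workdir=$(mktemp -d)
write_template "$workdir/template.xml" smartcard-key
sign_and_verify "$workdir" smartcard-key
```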
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
