Great to hear your problem is solved!

Aleksey
On 11/12/16 8:17 AM, Pablo Gabriel Gallardo wrote:
> Aleksey,
>
> It worked! Thank you so much for your help and time!
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> XML Security Library example: Original XML doc file for sign3 example.
> -->
> <Envelope xmlns="urn:envelope">
>   <Data>
>     Hello, World!
>   </Data>
>   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>     <SignedInfo>
>       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <Reference>
>         <Transforms>
>           <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>         </Transforms>
>         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
>       </Reference>
>     </SignedInfo>
>     <SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
> PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
> Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
> uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
> 1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
> hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
>     <KeyInfo>
>       <X509Data>
>         <X509SubjectName/>
>         <X509Certificate/>
>       </X509Data>
>     </KeyInfo>
>   </Signature>
> </Envelope>
>
> Regards,
>
> Pablo G. Gallardo
>
> 2016-11-12 3:46 GMT-02:00 Aleksey Sanin <[email protected]>:
>> Can you try this patch (it is already merged to the master on github --
>> you will need to recompile the library and ensure you are loading
>> the recompiled libs instead of the default ones):
>>
>> https://github.com/lsh123/xmlsec/pull/59
>>
>> I believe this should help with RSA. I have no idea what to do with DSA
>> since I don't see any indication in the debug printout that this key is
>> private.
>>
>> Aleksey
>>
>> On 11/11/16 2:42 PM, Pablo Gabriel Gallardo wrote:
>>> Aleksey,
>>>
>>> Here you have the RSA and DSA objects from my smart card at execution time:
>>>
>>> RSA:
>>> $1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n = 0x8186158,
>>>   e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, iqmp = 0x0,
>>>   ex_data = {sk = 0x8185c10, dummy = 0}, references = 1, flags = 6,
>>>   _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
>>>   bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
>>>
>>> RSA->meth:
>>> (gdb) p *pKey.pkey->rsa->meth
>>> $3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
>>>   rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20 <pkcs11_rsa_priv_enc_method>,
>>>   rsa_priv_dec = 0xb7cbbbb0 <pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
>>>   bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720,
>>>   finish = 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
>>>   rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
>>>
>>> RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
>>>
>>> DSA:
>>> (gdb) p *pKey.pkey->dsa
>>> $2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q = 0x8186158,
>>>   g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r = 0x0, flags = 0,
>>>   method_mont_p = 0x0, references = 135814160, ex_data = {sk = 0x0, dummy = 1},
>>>   meth = 0x6, engine = 0x0}
>>>
>>> I've tried to debug the sources on GitHub but I've got this error:
>>> func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec library function failed:mode=abi compatible;expected minor version=2;real minor version=2;expected subminor version=20;real subminor version=23
>>> Error: loaded xmlsec library version is not compatible.
>>>
>>> But with the information above, RSA is recognized as a public key
>>> because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
>>>
>>> Thank you for your interest in my case. What can I do to fix this?
>>> Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
>>> the public key and one for the private key)?
>>>
>>> Regards,
>>>
>>> Pablo G. Gallardo
>>>
>>> 2016-11-11 1:39 GMT-02:00 Aleksey Sanin <[email protected]>:
>>>> Can you check what's going on in these two places?
>>>>
>>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
>>>> https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
>>>>
>>>> Unfortunately, there is no good way to determine if a PKEY is public
>>>> or private. Thus we use a hack. I am curious what is going on there
>>>> in your case.
>>>>
>>>> Aleksey
>>>>
>>>> On 11/10/16 5:35 PM, Pablo Gabriel Gallardo wrote:
>>>>> Hello Aleksey,
>>>>>
>>>>> I've used the RSA key from my smartcard but it is still being
>>>>> recognized as a public key. Is it because, as a smart card RSA key, it
>>>>> doesn't have the d member (because the private key never leaves the
>>>>> smart card)?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Pablo
>>>>>
>>>>> 2016-11-09 8:43 GMT-02:00 Pablo G. Gallardo <[email protected]>:
>>>>>> Hi Aleksey,
>>>>>>
>>>>>> Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key).
>>>>>> I'll check why it is recognized as a public key. As you said, I'm not
>>>>>> passing the correct key object (RSA), just adopting EVP_PKEY.
>>>>>>
>>>>>> I'll fix that and then I'll come back with the result.
>>>>>>
>>>>>> Thank you!
>>>>>>
>>>>>> Pablo
>>>>>>
>>>>>> On 9 November 2016 00:17:27 BRST, Aleksey Sanin
>>>>>> <[email protected]> wrote:
>>>>>>> Assuming that the key type matches the requested signature type
>>>>>>> in the template (i.e. RSA signatures require RSA keys)...
>>>>>>>
>>>>>>> Can you try to print the key type with
>>>>>>>
>>>>>>> xmlSecKeyGetType(key)
>>>>>>>
>>>>>>> Basically, I suspect that it doesn't recognize the key as private
>>>>>>> and thus can't find a proper key for the signature.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Aleksey
>>>>>>>
>>>>>>> On 11/8/16 5:05 PM, Pablo Gabriel Gallardo wrote:
>>>>>>>> Hello there!
>>>>>>>>
>>>>>>>> I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
>>>>>>>> and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
>>>>>>>> this error:
>>>>>>>>
>>>>>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found:
>>>>>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed:
>>>>>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec library function failed:
>>>>>>>> Error: signature failed
>>>>>>>>
>>>>>>>> I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
>>>>>>>> card, but I'm sure that I am missing something.
>>>>>>>>
>>>>>>>> Could someone please help me to see what else I should be doing to
>>>>>>>> make this work? I've checked this mailing list and someone in 2008 had
>>>>>>>> the same problem, but he didn't mention how to solve it.
>>>>>>>>
>>>>>>>> Here are the parts I've modified from sign3.c. Complete source is on
>>>>>>>> https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:
>>>>>>>>
>>>>>>>> static xmlSecKeyPtr load_key(const char *pwd) {
>>>>>>>>
>>>>>>>>     xmlSecKeyPtr key = NULL;
>>>>>>>>     xmlSecKeyDataPtr data;
>>>>>>>>     EVP_PKEY *pKey = NULL;
>>>>>>>>     int ret;
>>>>>>>>
>>>>>>>>     /* EVP_PKEY handle for the card-resident key, obtained through libp11 */
>>>>>>>>     pKey = get_private_key(pwd);
>>>>>>>>     if(pKey == NULL)
>>>>>>>>         return NULL;
>>>>>>>>
>>>>>>>>     /* on success the key data owns pKey; on failure we still own it */
>>>>>>>>     data = xmlSecOpenSSLEvpKeyAdopt(pKey);
>>>>>>>>     if(data == NULL) {
>>>>>>>>         EVP_PKEY_free(pKey);
>>>>>>>>         return NULL;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     key = xmlSecKeyCreate();
>>>>>>>>     if(key == NULL) {
>>>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>>>         return NULL;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     ret = xmlSecKeySetValue(key, data);
>>>>>>>>     if(ret < 0) {
>>>>>>>>         xmlSecKeyDestroy(key);
>>>>>>>>         xmlSecKeyDataDestroy(data);
>>>>>>>>         return NULL;
>>>>>>>>     }
>>>>>>>>     return key;
>>>>>>>> }
>>>>>>>>
>>>>>>>> int sign_file(const char* xml_file, char *password) {
>>>>>>>>
>>>>>>>>     .....
>>>>>>>>
>>>>>>>>     /* load private key */
>>>>>>>>     dsigCtx->signKey = load_key(password);
>>>>>>>>     if(dsigCtx->signKey == NULL) {
>>>>>>>>         fprintf(stderr,"Error: failed to load private key from smartcard\n");
>>>>>>>>         goto done;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     /* load certificate and add to the key
>>>>>>>>     if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
>>>>>>>>                                   xmlSecKeyDataFormatPem) < 0) {
>>>>>>>>         fprintf(stderr,"Error: failed to load pem certificate \"%s\"\n", cert_file);
>>>>>>>>         goto done;
>>>>>>>>     }*/
>>>>>>>>
>>>>>>>>     /* set key name to the file name, this is just an example!
>>>>>>>>     if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
>>>>>>>>         fprintf(stderr,"Error: failed to set key name for key from \"%s\"\n", key_file);
>>>>>>>>         goto done;
>>>>>>>>     } */
>>>>>>>>
>>>>>>>>     /* sign the template */
>>>>>>>>     if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
>>>>>>>>         fprintf(stderr,"Error: signature failed\n");
>>>>>>>>         goto done;
>>>>>>>>     }
>>>>>>>>
>>>>>>>>     ....
>>>>>>>> }
>>>>>>>>
>>>>>>>> Thank you!
>>>>>>>>
>>>>>>>> Pablo G. Gallardo
>>>>>>>> _______________________________________________
>>>>>>>> xmlsec mailing list
>>>>>>>> [email protected]
>>>>>>>> http://www.aleksey.com/mailman/listinfo/xmlsec
>>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
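As an added example that is not part of the thread, of xmlsec or of OpenSSL: a stand-alone C model of the public-versus-private heuristic the messages above debug, with constructed sample objects whose values follow Pablo's gdb dump (d = 0x0, flags = 6, method "libp11 RSA method"). The `is_default` method field and the hardware-aware rule are assumptions made for illustration, not the change in pull request 59.

```c
/* Added example (not xmlsec's or OpenSSL's code): a small model of the
 * public-vs-private check that misfired in the thread above. The struct
 * fields mirror the gdb dump of the libp11 RSA object. */
#include <stddef.h>
#include <stdio.h>

#define RSA_FLAG_EXT_PKEY 0x0020            /* same value as OpenSSL 1.0.x rsa.h */

typedef struct { const char *name; int is_default; } rsa_method_t;   /* is_default is a model field */
typedef struct {
    const void *n, *e, *d;                  /* d == NULL for a card-resident key */
    const rsa_method_t *meth;
    int flags;
} rsa_t;

/* values match xmlSecKeyDataTypePublic/Private (the thread's "returned 1") */
enum key_type { KEY_PUBLIC = 1, KEY_PRIVATE = 2 };

/* The rule Pablo's debug output ran into: private iff d is present. */
enum key_type classify_by_d(const rsa_t *rsa) {
    return rsa->d != NULL ? KEY_PRIVATE : KEY_PUBLIC;
}

/* Hardware-aware variant (an assumption, not the xmlsec PR 59 change): a key
 * whose private operations are delegated to a non-default engine method is
 * treated as private even though d never leaves the token. */
enum key_type classify_hw_aware(const rsa_t *rsa) {
    if (rsa->d != NULL)                                return KEY_PRIVATE;
    if (rsa->flags & RSA_FLAG_EXT_PKEY)                return KEY_PRIVATE;
    if (rsa->meth != NULL && !rsa->meth->is_default)   return KEY_PRIVATE;
    return KEY_PUBLIC;
}

/* Constructed sample objects: flags = 6 (cache flags only, EXT_PKEY clear) as
 * in the dump; the pointers are dummies standing in for bignums. */
static const rsa_method_t default_meth = { "OpenSSL PKCS#1 RSA", 1 };
static const rsa_method_t libp11_meth  = { "libp11 RSA method", 0 };
static int n_dummy, e_dummy, d_dummy;
const rsa_t software_private = { &n_dummy, &e_dummy, &d_dummy, &default_meth, 6 };
const rsa_t software_public  = { &n_dummy, &e_dummy, NULL,     &default_meth, 6 };
const rsa_t card_private     = { &n_dummy, &e_dummy, NULL,     &libp11_meth,  6 };

int main(void) {
    /* the card key is the only object on which the two rules disagree */
    printf("card key: by d = %d, hw-aware = %d\n",
           classify_by_d(&card_private), classify_hw_aware(&card_private));
    return 0;
}
```

The card-resident key comes out as KEY_PUBLIC under the d-based rule and KEY_PRIVATE under the hardware-aware rule, which is the mismatch behind the "key is not found" error at the start of the thread.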
