Hi Jaromir,

I had some experience using xmlsec-openssl with a PKCS#11-capable engine and PKCS11-based keys, so I think it could be possible to do it using the openssl pkcs11 engine.

On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <[email protected]> wrote:

> Hi Aleksey,
>
> I'm afraid this needs much deeper understanding of internals than I have. It's quite surprising nobody tried it in 15? years. Maybe author of libreoffice xmlsec client could assist in debugging where this PIN enters the API and then CLI could be updated to follow the same path?
>
> Regards,
> Jaromir
>
> On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > Hi Jaromir,
> >
> > I never tested passing password to the token from CLI. If you can debug it then I would gladly accept patches :)
> >
> > Best,
> >
> > Aleksey
> >
> > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > Hi Miklos,
> > >
> > > I tried LibreOffice with NSS backend and I was able to sign ODT document with the key on the token. I was asked for PIN in GUI.
> > >
> > > So the question for the audience is - how to pass PIN to NSS in xmlsec1 cli?
> > >
> > > The last possible problem can be in KeyName so the other question is - is the described process to guess KeyName from token correct?
> > >
> > > Regards,
> > > Jaromir
> > >
> > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > Hi Jaromir,
> > > >
> > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir <[email protected]> wrote:
> > > > > good to hear you have succeeded. I played with nss and pkcs11 and seems like I'm almost there but still not fully. I guess I managed to get over task how to find proper keyname but xmlsec1 still cannot find the key in the token. I suspect that problem may be in PIN code (i.e. "123456") that needs to be entered and I'm not sure if xmlsec1 "--pwd" parameter is used for this.
> > > >
> > > > To be clear, we only use the library part of xmlsec1, it's invoked by LibreOffice. Perhaps see if your HW works with LibreOffice (try to sign e.g. an ODT file), and if so, track down how your code vs xmlsec1 cli vs LibreOffice uses the xmlsec1 library?
> > > >
> > > > Seeing you're on Linux, I only tried this with the NSS backend of xmlsec1.
> > > >
> > > > Regards,
> > > >
> > > > Miklos
> > >
> > > _______________________________________________
> > > xmlsec mailing list
> > > [email protected]
> > > http://www.aleksey.com/mailman/listinfo/xmlsec

--
SY, Dmitry Belyavsky
