Hi Dmitry,

this would be great. I was able to use openssl with 'engine pkcs11 -keyform
engine -inkey "pkcs11:..."' but haven't found a way to pass this to xmlsec1.
In the xmlsec1 mailing list archives it is mentioned there may be a way to
get this into openssl config, but without conclusion.

Can you please share what your approach was?

Regards,
Jaromir

On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> Hi Jaromir,
>
> I had some experience using xmlsec-openssl with PKCS#11-capable engine
> and PKCS11-based keys, so I think it could be possible to do it using
> openssl pkcs11 engine.
>
> On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <[email protected]> wrote:
> > Hi Aleksey,
> >
> > I'm afraid this needs much deeper understanding of internals than I
> > have. It's quite surprising nobody tried it in 15? years. Maybe the
> > author of the libreoffice xmlsec client could assist in debugging
> > where this PIN enters the API and then the CLI could be updated to
> > follow the same path?
> >
> > Regards,
> > Jaromir
> >
> > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > Hi Jaromir,
> > >
> > > I never tested passing password to the token from CLI. If you can
> > > debug it then I would gladly accept patches :)
> > >
> > > Best,
> > >
> > > Aleksey
> > >
> > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > Hi Miklos,
> > > >
> > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > document with the key on the token. I was asked for PIN in GUI.
> > > >
> > > > So the question for the audience is - how to pass PIN to NSS in
> > > > xmlsec1 cli?
> > > >
> > > > The last possible problem can be in KeyName so the other question
> > > > is - is the described process to guess KeyName from token correct?
> > > >
> > > > Regards,
> > > > Jaromir
> > > >
> > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > Hi Jaromir,
> > > > >
> > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > <[email protected]> wrote:
> > > > > > good to hear you have succeeded. I played with nss and pkcs11
> > > > > > and seems like I'm almost there but still not fully. I guess I
> > > > > > managed to get over the task of how to find the proper keyname,
> > > > > > but xmlsec1 still cannot find the key in the token. I suspect
> > > > > > that the problem may be in the PIN code (i.e. "123456") that
> > > > > > needs to be entered and I'm not sure if the xmlsec1 "--pwd"
> > > > > > parameter is used for this.
> > > > >
> > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track down
> > > > > how your code vs xmlsec1 cli vs LibreOffice uses the xmlsec1
> > > > > library?
> > > > >
> > > > > Seeing you're on Linux, I only tried this with the NSS backend of
> > > > > xmlsec1.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Miklos
> > > >
> > > > _______________________________________________
> > > > xmlsec mailing list
> > > > [email protected]
> > > > http://www.aleksey.com/mailman/listinfo/xmlsec
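For readers following the "openssl config" idea raised above, the fragment below is an added example, not code from the thread or from the xmlsec or libp11 projects. It shows the OpenSSL side only: how libp11's pkcs11 engine is declared in an openssl.cnf so that a process loading that config can resolve "pkcs11:..." key URIs. The engine and module paths are assumptions for a Debian-style layout with SoftHSM2; the PIN value is the one quoted in the thread. Whether the xmlsec1 CLI or xmlsec-openssl actually picks this up via OPENSSL_CONF is exactly the open question in the discussion and is not asserted here.

```ini
# openssl.cnf fragment (added example; paths are assumptions, adjust per platform)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id    = pkcs11
# libp11 engine shared object (assumed location)
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# PKCS#11 module of the token (assumed: SoftHSM2)
MODULE_PATH  = /usr/lib/softhsm/libsofthsm2.so
# Optional non-interactive login. The PIN then sits in this file in clear
# text, so keep the file readable only by the signing user (e.g. mode 0600)
# and prefer an interactive prompt or a pin-source URI attribute where you can.
PIN          = 123456
# Do not initialise the engine at load time; it is initialised on first use.
init         = 0
```

With OPENSSL_CONF pointing at that file, the invocation mentioned at the top of the thread takes the form `openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "pkcs11:token=<label>;object=<key>;type=private" -out file.sig file`. A PIN can alternatively be carried in the URI itself as a `pin-value=` attribute (RFC 7512), but that exposes it in process listings and shell history, which is why the config-file or prompt route is usually preferred for an unattended signer.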
