It's rather simple to use the engine via config. Smth like
======
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /path/to/engine.so
default_algorithms = ALL
======
and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to load if
the library is not built statically. Not sure it will ask the password.

On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <[email protected]> wrote:

> Hi Dmitry,
>
> this would be great. I was able to use openssl with 'engine pkcs11
> -keyform engine -inkey "pkcs11:..."' but haven't found a way to pass
> this to xmlsec1. In the xmlsec1 mailing list archives it is mentioned
> there may be a way to get this into openssl config but without
> conclusion.
>
> Can you please share what was your approach?
>
> Regards,
> Jaromir
>
> On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > Hi Jaromir,
> >
> > I had some experience using xmlsec-openssl with PKCS#11-capable
> > engine and PKCS11-based keys, so I think it could be possible to do
> > it using openssl pkcs11 engine.
> >
> > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <[email protected]>
> > wrote:
> > > Hi Aleksey,
> > >
> > > I'm afraid this needs much deeper understanding of internals than I
> > > have. It's quite surprising nobody tried it in 15? years. Maybe the
> > > author of the libreoffice xmlsec client could assist in debugging
> > > where this PIN enters the API and then the CLI could be updated to
> > > follow the same path?
> > >
> > > Regards,
> > > Jaromir
> > >
> > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > Hi Jaromir,
> > > >
> > > > I never tested passing password to the token from CLI. If you can
> > > > debug it then I would gladly accept patches :)
> > > >
> > > > Best,
> > > >
> > > > Aleksey
> > > >
> > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > Hi Miklos,
> > > > >
> > > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > > document with the key on the token. I was asked for PIN in GUI.
> > > > >
> > > > > So the question for the audience is - how to pass PIN to NSS in
> > > > > xmlsec1 cli?
> > > > >
> > > > > The last possible problem can be in KeyName so the other question
> > > > > is - is the described process to guess KeyName from token correct?
> > > > >
> > > > > Regards,
> > > > > Jaromir
> > > > >
> > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > Hi Jaromir,
> > > > > >
> > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > > <[email protected]> wrote:
> > > > > > > good to hear you have succeeded. I played with nss and pkcs11
> > > > > > > and seems like I'm almost there but still not fully. I guess I
> > > > > > > managed to get over the task of how to find the proper keyname
> > > > > > > but xmlsec1 still cannot find the key in the token. I suspect
> > > > > > > that the problem may be in the PIN code (i.e. "123456") that
> > > > > > > needs to be entered and I'm not sure if the xmlsec1 "--pwd"
> > > > > > > parameter is used for this.
> > > > > >
> > > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > LibreOffice (try to sign e.g. an ODT file), and if so, track
> > > > > > down how your code vs xmlsec1 cli vs LibreOffice uses the
> > > > > > xmlsec1 library?
> > > > > >
> > > > > > Seeing you're on Linux, I only tried this with the NSS backend
> > > > > > of xmlsec1.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Miklos

--
SY, Dmitry Belyavsky

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
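The config-driven engine load discussed above, written out as an added example that is not part of the thread or of the xmlsec project: it writes the openssl.conf, verifies that OpenSSL actually loads the pkcs11 engine from it (the step to run before blaming xmlsec1), and keeps the PIN out of the file. The engine and PKCS#11 module paths are placeholders, and the `--privkey-openssl-engine` option is an assumption about newer xmlsec1 releases (1.3 and later), not something available in the version the thread discusses.

```shell
# Added example (not from the thread). Writes the openssl.conf that loads the
# pkcs11 engine, checks that OpenSSL really picks it up, and signs with xmlsec1.
# Assumptions (placeholders, not confirmed by the thread): the engine and
# PKCS#11 module paths, and the --privkey-openssl-engine option, which exists
# only in newer xmlsec1 (1.3+) and not in the version discussed above.
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/lib/ssl/engines/pkcs11.so}"      # placeholder path
MODULE_SO="${MODULE_SO:-/usr/lib/pkcs11/opensc-pkcs11.so}"    # placeholder path

# Write the config. The PIN is deliberately not stored in it: the engine prompts
# for it, or the PKCS#11 URI's pin-value attribute can carry it for batch use.
write_pkcs11_conf() {
    # $1 = output path, $2 = engine .so, $3 = PKCS#11 module .so
    umask 077    # keep the file private in case a PIN is ever added to it
    cat > "$1" <<EOF
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $2
MODULE_PATH = $3
init = 0
EOF
}

# Return 0 if OpenSSL loads the engine from the given config, non-zero otherwise.
engine_loads() {
    OPENSSL_CONF="$1" openssl engine -t -c pkcs11 >/dev/null 2>&1
}

# Sign $3 with the token key named by the PKCS#11 URI in $2 (newer xmlsec1 only).
sign_with_token() {
    OPENSSL_CONF="$1" xmlsec1 --sign --privkey-openssl-engine "pkcs11;$2" \
        --output signed.xml "$3"
}

# Only run the end-to-end flow when invoked as: sh pkcs11-sign.sh run
if [ "${1:-}" = "run" ]; then
    write_pkcs11_conf ./openssl-pkcs11.conf "$ENGINE_SO" "$MODULE_SO"
    engine_loads ./openssl-pkcs11.conf || { echo "pkcs11 engine not loaded" >&2; exit 1; }
    sign_with_token ./openssl-pkcs11.conf "pkcs11:token=MyToken;object=mykey" doc.xml
fi
```

If `engine_loads` fails, check `openssl engine -t -c pkcs11` output without the redirects; a wrong `dynamic_path` or `MODULE_PATH` shows up there long before xmlsec1 is involved.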
