I never used this engine, so I can't help, but maybe I'll be able to provide some patch if necessary.
I usually check if the specified config file and engine are loaded using strace. I remember that it is never loaded when openssl is linked statically.

On Tue, 9 Feb 2021, 21:01 Jaromir Talir, <[email protected]> wrote:

> I guess I tried that and failed, but I'll give it another try. There is
> at least question how to identify key. Did you use the same approach as
> in nss crypto with KeyName in template?
>
> Regards,
> Jaromir
>
> On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:
> > It's rather simple to use the engine via config.
> >
> > Smth like
> > ======
> > openssl_conf = openssl_def
> > [openssl_def]
> > engines = engine_section
> >
> > [engine_section]
> > pkcs11 = pkcs11_section
> >
> > [pkcs11_section]
> > engine_id = pkcs11
> > dynamic_path = /path/to/engine.so
> > default_algorithms = ALL
> > ======
> > and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to
> > load if the library is not built statically.
> >
> > Not sure it will ask the password.
> >
> > On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <[email protected]>
> > wrote:
> > > Hi Dmitry,
> > >
> > > this would be great. I was able to use openssl with 'engine pkcs11
> > > -keyform engine -inkey "pkcs11:..."' but haven't found a way how to
> > > pass this to xmlsec1. In the xmlsec1 mailing list archives it is
> > > mentioned there may be a way to get this into openssl config but
> > > without conclusion.
> > >
> > > Can you please share what was your approach?
> > >
> > > Regards,
> > > Jaromir
> > >
> > > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > > > Hi Jaromir,
> > > >
> > > > I had some experience using xmlsec-openssl with PKCS#11-capable
> > > > engine and PKCS11-based keys, so I think it could be possible to
> > > > do it using openssl pkcs11 engine.
> > > >
> > > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <[email protected]>
> > > > wrote:
> > > > > Hi Aleksey,
> > > > >
> > > > > I'm afraid this needs much deeper understanding of internals
> > > > > than I have. It's quite surprising nobody tried it in 15? years.
> > > > > Maybe author of libreoffice xmlsec client could assist in
> > > > > debugging where this PIN enters the API and then CLI could be
> > > > > updated to follow the same path?
> > > > >
> > > > > Regards,
> > > > > Jaromir
> > > > >
> > > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > > > Hi Jaromir,
> > > > > >
> > > > > > I never tested passing password to the token from CLI. If you
> > > > > > can debug it then I would gladly accept patches :)
> > > > > >
> > > > > > Best,
> > > > > >
> > > > > > Aleksey
> > > > > >
> > > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > > > Hi Miklos,
> > > > > > >
> > > > > > > I tried LibreOffice with NSS backend and I was able to sign
> > > > > > > ODT document with the key on the token. I was asked for PIN
> > > > > > > in GUI.
> > > > > > >
> > > > > > > So the question for the audience is - how to pass PIN to
> > > > > > > NSS in xmlsec1 cli?
> > > > > > >
> > > > > > > The last possible problem can be in KeyName so the other
> > > > > > > question is - is the described process to guess KeyName
> > > > > > > from token correct?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Jaromir
> > > > > > >
> > > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > > > Hi Jaromir,
> > > > > > > >
> > > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir
> > > > > > > > <[email protected]> wrote:
> > > > > > > > > good to hear you have succeeded. I played with nss and
> > > > > > > > > pkcs11 and seems like I'm almost there but still not
> > > > > > > > > fully. I guess I managed to get over task how to find
> > > > > > > > > proper keyname but xmlsec1 still cannot find the key in
> > > > > > > > > the token. I suspect that problem may be in PIN code
> > > > > > > > > (i.e. "123456") that needs to be entered and I'm not
> > > > > > > > > sure if xmlsec1 "--pwd" parameter is used for this.
> > > > > > > >
> > > > > > > > To be clear, we only use the library part of xmlsec1, it's
> > > > > > > > invoked by LibreOffice. Perhaps see if your HW works with
> > > > > > > > LibreOffice (try to sign e.g. an ODT file), and if so,
> > > > > > > > track down how your code vs xmlsec1 cli vs LibreOffice
> > > > > > > > uses the xmlsec1 library?
> > > > > > > >
> > > > > > > > Seeing you're on Linux, I only tried this with the NSS
> > > > > > > > backend of xmlsec1.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Miklos
_______________________________________________ xmlsec mailing list [email protected] http://www.aleksey.com/mailman/listinfo/xmlsec
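As an added example that is not part of the thread: one way to turn the strace check mentioned above into a repeatable test. It assumes a trace captured with something like `OPENSSL_CONF=openssl.conf strace -f -e trace=openat -o trace.log xmlsec1 ...`, takes the config path and the engine's dynamic_path as arguments, and the sample log lines and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Inspect an strace log and report
# whether OpenSSL actually opened both the OPENSSL_CONF file and the
# engine .so named in dynamic_path. A statically linked OpenSSL never
# opens the config at all, which is the failure mode the thread mentions.

# check_engine_loaded LOG CONF_PATH ENGINE_PATH
# Exit status 0 when both files were opened successfully, 1 otherwise.
# A successful openat returns a non-negative fd; a failed lookup shows
# "= -1 ENOENT", which deliberately does not count as loaded.
check_engine_loaded() {
    log=$1; conf=$2; engine=$3
    conf_pat="openat\\(.*\"$conf\".*\\) = [0-9]+\$"
    engine_pat="openat\\(.*\"$engine\".*\\) = [0-9]+\$"
    grep -E "$conf_pat" "$log" >/dev/null || { echo "config not opened: $conf"; return 1; }
    grep -E "$engine_pat" "$log" >/dev/null || { echo "engine not opened: $engine"; return 1; }
    echo "config and engine both loaded"
    return 0
}

# Constructed sample: dynamically linked build, config and engine both open.
write_sample_dynamic() {
    cat >"$1" <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/openssl.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/engines-1.1/pkcs11.so", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# Constructed sample: config read, but dynamic_path points at a missing
# .so, so the engine section never took effect.
write_sample_broken() {
    cat >"$1" <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/openssl.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/engines-1.1/pkcs11.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
EOF
}

# Usage on a real trace (paths are assumptions):
#   check_engine_loaded trace.log /etc/openssl.conf /usr/lib/engines-1.1/pkcs11.so
```

If neither file shows up in the trace at all, the most likely cause is the statically linked OpenSSL case from the thread rather than a bad path.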
