Hi Dmitry,

I don't think such openssl.conf can define default "engine" as the replacement for command line parameter "-engine pkcs11", see below:

# ------------ test regular openssl signing with token
$ echo "data" | openssl rsautl -engine pkcs11 -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin
engine "pkcs11" set.

# ------------ define openssl.conf
$ cat openssl.conf
openssl_conf = openssl_def

[openssl_def]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
#MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 1
default_algorithms = ALL

# ----------- use openssl.conf and remove commandline parameter "-engine pkcs11"
$ echo "data" | OPENSSL_CONF=./openssl.conf openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin
no engine specified
unable to load Private Key

# ----------- check that openssl.conf is read by adding strace to previous call
$ echo "data" | OPENSSL_CONF=./openssl.conf strace openssl rsautl -keyform engine -inkey "pkcs11:token=PIV_II;pin-value=123456" -sign -out /tmp/signature -in /dev/stdin 2>&1 | grep openssl.conf
openat(AT_FDCWD, "./openssl.conf", O_RDONLY) = 3
read(3, "openssl_conf = openssl_def\n\n[ope"..., 4096) = 323

Regards,
Jaromir

On Tue, 2021-02-09 at 21:06 +0100, Dmitry Belyavsky wrote:
> I never used this engine, so I can't help, but maybe I'll be able to
> provide some patch if necessary.
>
> I usually check if the specified config file and engine is loaded
> using strace. I remember that it is never loaded when openssl is
> linked statically.
>
> On Tue, 9 Feb 2021, 21:01 Jaromir Talir, <[email protected]> wrote:
> > I guess I tried that and failed, but I'll give it another try. There is
> > at least question how to identify key. Did you use the same approach as
> > in nss crypto with KeyName in template?
> >
> > Regards,
> > Jaromir
> >
> > On Tue, 2021-02-09 at 20:50 +0100, Dmitry Belyavsky wrote:
> > > It's rather simple to use the engine via config.
> > >
> > > Smth like
> > > ======
> > > openssl_conf = openssl_def
> > > [openssl_def]
> > > engines = engine_section
> > >
> > > [engine_section]
> > > pkcs11 = pkcs11_section
> > >
> > > [pkcs11_section]
> > > engine_id = pkcs11
> > > dynamic_path = /path/to/engine.so
> > > default_algorithms = ALL
> > > ======
> > > and OPENSSL_CONF=openssl.conf xmlsec1... should allow the engine to
> > > load if the library is not built statically.
> > >
> > > Not sure it will ask the password.
> > >
> > > On Tue, Feb 9, 2021 at 8:46 PM Jaromir Talir <[email protected]> wrote:
> > > > Hi Dmitry,
> > > >
> > > > this would be great. I was able to use openssl with 'engine pkcs11 -
> > > > keyform engine -inkey "pkcs11:..."' but haven't found a way how to
> > > > pass this to xmlsec1. In the xmlsec1 mailing list archives it is
> > > > mentioned there may be a way to get this into openssl config but
> > > > without conclusion.
> > > >
> > > > Can you please share what was your approach?
> > > >
> > > > Regards,
> > > > Jaromir
> > > >
> > > > On Tue, 2021-02-09 at 20:38 +0100, Dmitry Belyavsky wrote:
> > > > > Hi Jaromir,
> > > > >
> > > > > I had some experience using xmlsec-openssl with PKCS#11-capable
> > > > > engine and PKCS11-based keys, so I think it could be possible to do
> > > > > it using openssl pkcs11 engine.
> > > > >
> > > > > On Tue, Feb 9, 2021 at 8:00 PM Jaromir Talir <[email protected]> wrote:
> > > > > > Hi Aleksey,
> > > > > >
> > > > > > I'm afraid this needs much deeper understanding of internals than I
> > > > > > have. It's quite surprising nobody tried it in 15? years. Maybe author
> > > > > > of libreoffice xmlsec client could assist in debugging where this PIN
> > > > > > enters the API and then CLI could be updated to follow the same path?
> > > > > >
> > > > > > Regards,
> > > > > > Jaromir
> > > > > >
> > > > > > On Tue, 2021-02-09 at 08:19 -0800, Aleksey Sanin wrote:
> > > > > > > Hi Jaromir,
> > > > > > >
> > > > > > > I never tested passing password to the token from CLI. If you can
> > > > > > > debug it then I would gladly accept patches :)
> > > > > > >
> > > > > > > Best,
> > > > > > >
> > > > > > > Aleksey
> > > > > > >
> > > > > > > On 2/9/21 1:42 AM, Jaromir Talir wrote:
> > > > > > > > Hi Miklos,
> > > > > > > >
> > > > > > > > I tried LibreOffice with NSS backend and I was able to sign ODT
> > > > > > > > document with the key on the token. I was asked for PIN in GUI.
> > > > > > > >
> > > > > > > > So the question for the audience is - how to pass PIN to NSS in
> > > > > > > > xmlsec1 cli?
> > > > > > > >
> > > > > > > > The last possible problem can be in KeyName so the other question
> > > > > > > > is - is the described process to guess KeyName from token correct?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Jaromir
> > > > > > > >
> > > > > > > > On Tue, 2021-02-09 at 09:46 +0100, Miklos Vajna wrote:
> > > > > > > > > Hi Jaromir,
> > > > > > > > >
> > > > > > > > > On Mon, Feb 08, 2021 at 10:16:17PM +0100, Jaromir Talir <[email protected]> wrote:
> > > > > > > > > > good to hear you have succeeded. I played with nss and pkcs11 and
> > > > > > > > > > seems like I'm almost there but still not fully. I guess I managed
> > > > > > > > > > to get over task how to find proper keyname but xmlsec1 still
> > > > > > > > > > cannot find the key in the token. I suspect that problem may be in
> > > > > > > > > > PIN code (i.e "123456") that needs to be entered and I'm not sure
> > > > > > > > > > if xmlsec1 "--pwd" parameter is used for this.
> > > > > > > > >
> > > > > > > > > To be clear, we only use the library part of xmlsec1, it's invoked by
> > > > > > > > > LibreOffice. Perhaps see if your HW works with LibreOffice (try to
> > > > > > > > > sign e.g. an ODT file), and if so, track down how your code vs xmlsec1
> > > > > > > > > cli vs LibreOffice uses the xmlsec1 library?
> > > > > > > > >
> > > > > > > > > Seeing you're on Linux, I only tried this with the NSS backend of
> > > > > > > > > xmlsec1.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Miklos
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > xmlsec mailing list
> > > > > > > > [email protected]
> > > > > > > > http://www.aleksey.com/mailman/listinfo/xmlsec
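Added example, not code from this thread or from xmlsec/OpenSSL: a small Python checker that parses an openssl.conf like the one above and walks the openssl_conf -> engines -> pkcs11 section chain, reporting the first broken link and whether dynamic_path and MODULE_PATH exist on disk. The config text is constructed to mirror Jaromir's file; the section name _toplevel and all function names are this example's own.

```python
import configparser
import os
# Constructed openssl.conf mirroring the engine wiring shown in the thread.
SAMPLE_CONF = """\
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so
init = 1
default_algorithms = ALL
"""
TOP = "_toplevel"  # synthetic section for keys that precede the first [section]

def parse_openssl_conf(text):
    # 'openssl_conf = ...' sits before any [section], which configparser rejects,
    # so prepend a synthetic header; optionxform=str keeps key case (MODULE_PATH).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(f"[{TOP}]\n" + text)
    return cp

def resolve_engine_chain(cp, engine="pkcs11"):
    # Follow openssl_conf -> engines -> <engine> -> engine section and return it.
    # A KeyError names the first broken link in the chain.
    app = cp[TOP]["openssl_conf"]
    engines = cp[app]["engines"]
    section = cp[engines][engine]
    return dict(cp[section])

def check_engine_config(text, engine="pkcs11", exists=os.path.exists):
    # Returns (ok, problems). 'exists' is injectable so the check also runs on
    # a machine without the engine .so or the PKCS#11 module installed.
    try:
        sec = resolve_engine_chain(parse_openssl_conf(text), engine)
    except KeyError as e:
        return False, [f"broken config chain at {e}"]
    problems = []
    if sec.get("engine_id") != engine:
        problems.append(f"engine_id is {sec.get('engine_id')!r}, expected {engine!r}")
    for key in ("dynamic_path", "MODULE_PATH"):
        if key not in sec:
            problems.append(f"{key} not set")
        elif not exists(sec[key]):
            problems.append(f"{key} points at a missing file: {sec[key]}")
    return not problems, problems
```

This validates the config wiring only; as the session above shows, a correctly read config still does not replace "-engine pkcs11" on the openssl command line when "-keyform engine" is used.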
