Dear xmlsec community,

I'd like to share with you a patch I developed to allow the use of an OpenSSL
engine in xmlsec.

Usage from the command line is simple: I added the option
--privkey-openssl-engine to supply the engine's name and the key specs.

 --privkey-openssl-engine[:<name>] <openssl-engine>;<openssl-key-id>[,<crtfile>[,<cafile>[...]]]
       load private key by OpenSSL ENGINE interface; specify the name of the engine
       (like with -engine params), the key specs (like with -inkey or -key params)
       and certificates that verify this key

At the moment I have tested only the pkcs11 engine with SoftHSM2, but I'd like all of
you interested in using an HSM or smartcard with xmlsec to test it.

To setup a token with SoftHSM run:
  softhsm2-util --init-token --free --label "XmlsecToken" --pin password --so-pin password

To create a key pair in token run:
  pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 1000 --label XmlsecKey --pin password

To generate a certificate run:
  openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform engine -key "pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password" -out Xmlsec.pem

To sign an XML file with a patched xmlsec run:
  xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey" "pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem" sample.xml

Best regards

-- 
--------------------------------------------------------------------------
Leonardo Secci
mailto:[email protected]

UniRel s.r.l.

Attachment: xmlsec1-1.2.32-openssl-engine.diff.gz
Description: application/gzip
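The key spec passed to --privkey-openssl-engine above combines an engine name, a PKCS#11 URI and certificate files in one string. The following added example (not part of the patch or of the xmlsec project) parses that spec and the pkcs11: URI, and reports how the PIN reaches the engine, since a pin-value on the command line is readable by other local users through process listings. The SAMPLE_SPEC value is constructed from the signing command in the post; the function names are my own. Beyond the post's single example it also reads RFC 7512 query attributes (after "?") and percent-decodes values.

```python
"""Parse and safely log a --privkey-openssl-engine key spec (added example)."""
import re
from urllib.parse import unquote

# Constructed sample, in the syntax described in the post:
#   <openssl-engine>;<openssl-key-id>[,<crtfile>[,<cafile>[...]]]
SAMPLE_SPEC = ("pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;"
               "pin-value=password,Xmlsec.pem")


def parse_engine_key_spec(spec):
    """Split '<engine>;<key-id>[,<crtfile>[,<cafile>...]]' into its parts.

    Only the first ';' separates engine from key id: a PKCS#11 URI used as the
    key id itself contains ';' between its attributes.
    """
    engine, sep, rest = spec.partition(";")
    if not sep or not engine or not rest:
        raise ValueError("expected <engine>;<key-id>[,<crtfile>[,<cafile>...]]")
    key_id, *cert_files = rest.split(",")
    if not key_id:
        raise ValueError("empty key id")
    return {"engine": engine, "key_id": key_id,
            "certs": [c for c in cert_files if c]}


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into an attribute dict.

    RFC 7512 places path attributes after 'pkcs11:' separated by ';' and query
    attributes (pin-value, pin-source, module-path) after '?' separated by '&'.
    The post's examples put pin-value in the path and the engine accepts it,
    so both positions are read. Values are percent-decoded.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for segment, separator in ((path, ";"), (query, "&")):
        for item in filter(None, segment.split(separator)):
            name, eq, value = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {item!r}")
            attrs[name] = unquote(value)
    return attrs


def pin_findings(spec):
    """Report how the PIN reaches the engine for the given key spec."""
    parsed = parse_engine_key_spec(spec)
    if not parsed["key_id"].startswith("pkcs11:"):
        return ["key id is not a pkcs11: URI; no PIN attributes to inspect"]
    attrs = parse_pkcs11_uri(parsed["key_id"])
    findings = []
    if "pin-value" in attrs:
        findings.append("pin-value is on the command line: readable via ps, "
                        "/proc/<pid>/cmdline and shell history")
    if "pin-source" in attrs:
        findings.append("pin-source=%s: PIN is read at runtime instead of "
                        "being passed on the command line" % attrs["pin-source"])
    if not findings:
        findings.append("no PIN in URI: the engine will prompt or rely on the "
                        "token's existing login")
    return findings


_PIN_RE = re.compile(r"(pin-value=)[^;&,]*")


def redact_spec(spec):
    """Mask pin-value so the spec can be written to logs or bug reports."""
    return _PIN_RE.sub(r"\1<redacted>", spec)


if __name__ == "__main__":
    parsed = parse_engine_key_spec(SAMPLE_SPEC)
    print(parsed)
    print(parse_pkcs11_uri(parsed["key_id"]))
    for finding in pin_findings(SAMPLE_SPEC):
        print("-", finding)
    print(redact_spec(SAMPLE_SPEC))
```

Run it as a script to see the parsed spec, the URI attributes, the PIN findings and the redacted form of the sample spec; `redact_spec` is what a wrapper script should apply before echoing the xmlsec1 command line into a log.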

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
