Hi Leonardo,
Thank you for the patch! Is there any chance you can submit a PR
on github? That way it will be easier to discuss the patch there.
Thanks,
Aleksey
On 9/22/21 1:06 PM, LS wrote:
Dear xmlsec community,
I'd like to share with you a patch I developed to allow usage of an
OpenSSL's engine in xmlsec.
The usage with command line is simple, I added the option
--privkey-openssl-engine to supply the engine's name and the key specs.
--privkey-openssl-engine[:<name>]
<openssl-engine>;<openssl-key-id>,[,<crtfile>[,<cafile>[...]]]
load private key by OpenSSL ENGINE interface; specify the name
of engine
(like with -engine params), the key specs (like with -inkey or
-key params)
and certificates that verify this key
At moment I tested only pkcs11 engine with SoftHSM2 but I'd like that
all of you interested in using HSM or smartcard with xmlsec make a test .
To setup a token with SoftHSM run:
softhsm2-util --init-token --free --label "XmlsecToken" --pin
password --so-pin password
To create a key pair in token run:
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type
rsa:2048 --id 1000 --label XmlsecKey --pin password
To generate a certificate run:
openssl req -new -x509 -subj "/CN=Xmlsec" -engine pkcs11 -keyform
engine -key
"pkcs11:token=XmlsecToken;object=XmlsecKey;type=private;pin-value=password"
-out Xmlsec.pem
To sign an xml with a patched xmlsec run:
xmlsec1 --sign "--privkey-openssl-engine:XmlsecKey"
"pkcs11;pkcs11:token=XmlsecToken;object=XmlsecKey;pin-value=password,Xmlsec.pem"
sample.xml
Best regards
--
--------------------------------------------------------------------------
Leonardo Secci
mailto:[email protected]
UniRel s.r.l.
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
