Discussion:
[xmlsec] Signing with key on token
majkl majkl
2017-08-01 07:56:46 UTC
I need to sign XML documents with a certificate and key stored on a USB token.
I have a Linux library (.so) with an API, which works in openssl (command line)
and also in Firefox, for example.

I need to tell xmlsec to use the token library to access the key. (Or,
when openssl crypto is used, make openssl work as if it were run with -keyform
ENGINE -engine pkcs11 -inkey ABC -passin pass:PASS).

Thanks, Michal
Aleksey Sanin
2017-08-08 19:12:32 UTC
It was discussed in the mailing list in the past. You need to
create openssl config file to use the engine by default and
pass it to xmlsec1 command line tool.

Aleksey
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
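An added example (not from the thread or the xmlsec project) of the kind of openssl config Aleksey describes: it loads the pkcs11 engine dynamically and registers it as the default engine, so a program that only uses the default OpenSSL methods can be pointed at it through OPENSSL_CONF. The engine path, the token module path, the PIN and the use of libp11's engine_pkcs11 shim are assumptions.

```ini
# Added example: openssl.cnf that loads engine_pkcs11 as a dynamic engine
# and registers it as the default engine. All paths are placeholders.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# OpenSSL engine shim (libp11's engine_pkcs11); path is an assumption
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
# the token vendor's PKCS#11 library (.so) mentioned in the question
MODULE_PATH = /path/to/token-pkcs11.so
# Optional: the token PIN can be supplied here instead of interactively.
# Keeping a PIN in a config file is a trade-off to weigh; placeholder value.
# PIN = PASS
init = 0
# Registering the engine for ALL algorithms is what makes it the default,
# and is also why Roumen's caveat applies: keys stored elsewhere (files)
# are then routed through the engine as well.
default_algorithms = ALL
```

Point xmlsec1 at the file with the OPENSSL_CONF environment variable (the standard OpenSSL config override); dynamic_path only resolves if the engine_pkcs11 shim is actually installed.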
Aleksey Sanin
2017-08-09 21:07:16 UTC
Sure. I think it will work for simple use cases when there is only
one key. And yes, for anything more sophisticated custom code is required.

Aleksey
Post by Roumen
> > It was discussed in the mailing list in the past. You need to
> > create openssl config file to use the engine by default and
> Hmm, in general this configuration will not work.
> Engines that operate with key material stored externally cannot be set
> as default - usually this breaks operations with keys stored differently
> (file etc.).
> > pass it to xmlsec1 command line tool.
> Perhaps it will work for the simple command line case with a single key.
> On the other side, the openssl command line option -engine specifies where
> the key is located (it calls the method ENGINE_load_private_key).
> Regards,
> Roumen
majkl majkl
2017-08-12 17:08:56 UTC
I am sorry, but I cannot get it.

Yes, I've found the same question in one historic -very historic-
list, but no solution.

What am I supposed to do to use a key on a token to sign in xmlsec,
please? Use an appropriate openssl config?
I have spent a whole week searching for it, no luck. It works only
when I directly run openssl from the command line.

Am I supposed to patch the xmlsec sources? Or the openssl sources? Does xmlsec
use its own libraries for the openssl engine,
or does it use the system openssl shared libraries?

I am quite lost at this moment, but I really need to sign XMLs with the token.

Thanks,

Michal
Leif Johansson
2017-08-12 21:20:48 UTC
Post by majkl majkl
I am sorry, but I cannot get it.
Yes, I've found the same question in one historic -very historic- list, but no solution.
What am I supposed to do to use a key on a token to sign in xmlsec, please? Use an appropriate openssl config?
I have spent a whole week searching for it, no luck. It works only when I directly run openssl from the command line.
Am I supposed to patch the xmlsec sources? Or the openssl sources? Does xmlsec use its own libraries for the openssl engine,
or does it use the system openssl shared libraries?
I am quite lost at this moment, but I really need to sign XMLs with the token.
When I reached this point I gave up and rolled my own.

Find pyXMLSecurity - supports pkcs11. There is a cmdline in there
for signing.