Discussion:
[xmlsec] PKCS11 - Key not found
Pablo Gabriel Gallardo
2016-11-09 01:05:22 UTC
Permalink
Hello there!

I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
this error:

func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
is not found:
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
library function failed:
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
library function failed:
Error: signature failed

I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.

Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008 had
the same problem but he didn't mention how to solve it.

Here are the parts I've modified from sign3.c. Complete source is on
https://github.com/pablogallardo/livrenfe/blob/development/src/sign.c:

static xmlSecKeyPtr load_key(const char *pwd) {

xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;

pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;

data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}

key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}

ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}

int sign_file(const char* xml_file, char *password) {

.....


/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from smartcard\n");
goto done;
}

/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/

/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */

/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}

....
}



Thank you!

Pablo G. Gallardo
Aleksey Sanin
2016-11-09 02:17:27 UTC
Permalink
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...

Can you try to print the key type with

xmlSecKeyGetType(key)

Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.

Best,

Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008 had
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from smartcard\n");
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Pablo G. Gallardo
2016-11-09 10:43:23 UTC
Permalink
Hi Aleksey,

Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.

I'll fix that and then I'll came with the result.

Thank you!

Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Pablo Gabriel Gallardo
2016-11-11 01:35:29 UTC
Permalink
Hello Aleksey,

I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?

Regards,

Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Aleksey Sanin
2016-11-11 03:39:55 UTC
Permalink
Can you check what's going on in these two places?

https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887

Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.

Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Pablo Gabriel Gallardo
2016-11-11 22:42:48 UTC
Permalink
Aleksey,

Here you have the RSA and DSA objects from my smart card in execution time:
RSA:
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
_method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}

RSA->meth:
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}

RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0

DSA:
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
meth = 0x6, engine = 0x0}


I've tried to debug the sources on GitHub but I've got this error:
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
library function failed:mode=abi compatible;expected minor
version=2;real minor version=2;expected subminor version=20;real
subminor version=23
Error: loaded xmlsec library version is not compatible.

But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.

Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?

Regards,

Pablo G. Gallardo
Post by Aleksey Sanin
Can you check what's going on in these two places?
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.
Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Aleksey Sanin
2016-11-12 05:46:08 UTC
Permalink
Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
the recompiled libs instead of the default ones):

https://github.com/lsh123/xmlsec/pull/59

I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.

Aleksey
Post by Pablo G. Gallardo
Aleksey,
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
_method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
meth = 0x6, engine = 0x0}
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
library function failed:mode=abi compatible;expected minor
version=2;real minor version=2;expected subminor version=20;real
subminor version=23
Error: loaded xmlsec library version is not compatible.
But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you check what's going on in these two places?
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.
Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Pablo Gabriel Gallardo
2016-11-12 16:17:38 UTC
Permalink
Aleksey,

It worked! Thank you so much for your help and time!

<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Original XML doc file for sign3 example.
-->
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName/>
<X509Certificate/>
</X509Data>
</KeyInfo>
</Signature></Envelope>

Regards,

Pablo G. Gallardo
Post by Aleksey Sanin
Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
https://github.com/lsh123/xmlsec/pull/59
I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.
Aleksey
Post by Pablo G. Gallardo
Aleksey,
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
_method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
meth = 0x6, engine = 0x0}
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
library function failed:mode=abi compatible;expected minor
version=2;real minor version=2;expected subminor version=20;real
subminor version=23
Error: loaded xmlsec library version is not compatible.
But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you check what's going on in these two places?
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.
Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Aleksey Sanin
2016-11-13 15:20:59 UTC
Permalink
Great to hear your problem is solved!

Aleksey
Post by Pablo G. Gallardo
Aleksey,
It worked! Thank you so much for your help and time!
<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Original XML doc file for sign3 example.
-->
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName/>
<X509Certificate/>
</X509Data>
</KeyInfo>
</Signature></Envelope>
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
https://github.com/lsh123/xmlsec/pull/59
I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.
Aleksey
Post by Pablo G. Gallardo
Aleksey,
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
_method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
meth = 0x6, engine = 0x0}
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
library function failed:mode=abi compatible;expected minor
version=2;real minor version=2;expected subminor version=20;real
subminor version=23
Error: loaded xmlsec library version is not compatible.
But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you check what's going on in these two places?
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.
Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Aleksey Sanin
2017-09-14 19:11:39 UTC
Permalink
Just a heads up that I've got a report that this change
cause problems for other users. I will be rolling it back
(and I still don't have a good way to determine RSA key
type).

Aleksey
Post by Pablo G. Gallardo
Aleksey,
It worked! Thank you so much for your help and time!
<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Original XML doc file for sign3 example.
-->
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
</Data>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference>
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>Pep0e8/pVZV/gmFNOqgfCN9hryv+k5gVP/wyzOSa49ui8K/VfIu3Nkcm2FWDphAo
PJBMOw8BEA9htmsgrmmdhWPIM5bsM1rfn072FczBCqbW+/G6x26cG++ZkJ7E8jBG
Z33vAXLFLdYOJvCXtsWwn4IvAPoRyYdVyz1b6FEB0KwUMr4ryLWpEXG+K0jQpC3k
uP2o06fUs5M3IBW1+PTDqiN6AyiwUg85l1Ulqamq5QUKm7VJMokBXL8evmLS171r
1PhwWWHKP6aQJa6ydfw3xkY4RdDSJEx0E0mlkapwCkdBfmB52OY2QaCCrAZOEfzg
hXUit89sIQfAWnAAOfsAMA==</SignatureValue>
<KeyInfo>
<X509Data>
<X509SubjectName/>
<X509Certificate/>
</X509Data>
</KeyInfo>
</Signature></Envelope>
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you try this patch (it is already merged to the master on github --
you will need to recompile the library and ensure you are loading
https://github.com/lsh123/xmlsec/pull/59
I believe this should help with RSA. I have no idea what to do with DSA
since I don't see any indication in the debug printout that this key is
private.
Aleksey
Post by Pablo G. Gallardo
Aleksey,
$1 = {pad = 0, version = 0, meth = 0x8185bb8, engine = 0x0, n =
0x8186158, e = 0x8186a30, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1
= 0x0, iqmp = 0x0, ex_data = {sk = 0x8185c10, dummy = 0}, references =
1, flags = 6,
_method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
(gdb) p *pKey.pkey->rsa->meth
$3 = {name = 0x8185bf8 "libp11 RSA method", rsa_pub_enc = 0xb7d65570,
rsa_pub_dec = 0xb7d650d0, rsa_priv_enc = 0xb7cbbb20
<pkcs11_rsa_priv_enc_method>, rsa_priv_dec = 0xb7cbbbb0
<pkcs11_rsa_priv_dec_method>, rsa_mod_exp = 0xb7d64790,
bn_mod_exp = 0xb7d3dbf0 <BN_mod_exp_mont>, init = 0xb7d64720, finish
= 0xb7cbb5c0 <pkcs11_rsa_free_method>, flags = 0, app_data = 0x0,
rsa_sign = 0x0, rsa_verify = 0x0, rsa_keygen = 0x0}
RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0
(gdb) p *pKey.pkey->dsa
$2 = {pad = 0, version = 0, write_params = 135814072, p = 0x0, q =
0x8186158, g = 0x8186a30, pub_key = 0x0, priv_key = 0x0, kinv = 0x0, r
= 0x0, flags = 0, method_mont_p = 0x0, references = 135814160, ex_data
= {sk = 0x0, dummy = 1},
meth = 0x6, engine = 0x0}
func=xmlSecCheckVersionExt:file=xmlsec.c:line=170:obj=unknown:subj=unknown:error=1:xmlsec
library function failed:mode=abi compatible;expected minor
version=2;real minor version=2;expected subminor version=20;real
subminor version=23
Error: loaded xmlsec library version is not compatible.
But with the information above RSA is recognized as a public key
because rsa->d = NULL and RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) = 0.
Thank you for your interest in my case. What can I do to fix this?
Should I create 2 functions in xmlsec for setting EVP_PKEY (one for
public key and one for the private key)?
Regards,
Pablo G. Gallardo
Post by Aleksey Sanin
Can you check what's going on in these two places?
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1012
https://github.com/lsh123/xmlsec/blob/master/src/openssl/evp.c#L1887
Unfortunately, there is no good way to determine if a PKEY is public
or private. Thus we use a hack. I am curious what is going on there
in your case.
Aleksey
Post by Pablo Gabriel Gallardo
Hello Aleksey,
I've used the RSA key from my smartcard by it is still being
recognized as a public key. Is it because, as a smart card RSA key, it
doesn't have the d member (because the private key never leaves the
smart card)?
Regards,
Pablo
Post by Pablo G. Gallardo
Hi Aleksey,
Thank you! You are right. xmlSecKeyGetType(key) returned 1 (public key). I'll check why is it recognized as a public key. As you said, I'm not passing the correct key object (RSA), just adopting EVP_PKEY.
I'll fix that and then I'll came with the result.
Thank you!
Pablo
Post by Aleksey Sanin
Assuming that the key type matches the requested signature type
in the template (i.e. RSA signatures require RSA keys)...
Can you try to print the key type with
xmlSecKeyGetType(key)
Basically, I suspect that it doesn't recognize the key as private
thus can't find a proper key for the signature.
Best,
Aleksey
Post by Pablo Gabriel Gallardo
Hello there!
I want to use xmlsec to sign XMLs with a smart card. I'm using libp11
and when I call xmlSecDSigCtxSign(), it returns -1 and I'm getting
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSignatureProcessNode:error=1:xmlsec
Post by Pablo Gabriel Gallardo
Error: signature failed
I use xmlSecOpenSSLEvpKeyAdopt() to set the EVP_PKEY from my smart
card but I'm sure that I am missing something.
Could someone please help me to see what else I should be doing to
make this work? I've checked this mailing list and someone in 2008
had
Post by Pablo Gabriel Gallardo
the same problem but he didn't mention how to solve it.
Here are the parts I've modified from sign3.c. Complete source is on
static xmlSecKeyPtr load_key(const char *pwd) {
xmlSecKeyPtr key = NULL;
xmlSecKeyDataPtr data;
EVP_PKEY *pKey = NULL;
int ret;
pKey = get_private_key(pwd);
if(pKey == NULL)
return NULL;
data = xmlSecOpenSSLEvpKeyAdopt(pKey);
if(data == NULL) {
EVP_PKEY_free(pKey);
return NULL;
}
key = xmlSecKeyCreate();
if(key == NULL) {
xmlSecKeyDataDestroy(data);
return NULL;
}
ret = xmlSecKeySetValue(key, data);
if(ret < 0) {
xmlSecKeyDestroy(key);
xmlSecKeyDataDestroy(data);
return NULL;
}
return key;
}
int sign_file(const char* xml_file, char *password) {
.....
/* load private key */
dsigCtx->signKey = load_key(password);
if(dsigCtx->signKey == NULL) {
fprintf(stderr,"Error: failed to load private key from
smartcard\n");
Post by Pablo Gabriel Gallardo
goto done;
}
/* load certificate and add to the key
if(xmlSecCryptoAppKeyCertLoad(dsigCtx->signKey, cert_file,
xmlSecKeyDataFormatPem) < 0) {
fprintf(stderr,"Error: failed to load pem certificate
\"%s\"\n", cert_file);
goto done;
}*/
/* set key name to the file name, this is just an example!
if(xmlSecKeySetName(dsigCtx->signKey, key_file) < 0) {
fprintf(stderr,"Error: failed to set key name for key from
\"%s\"\n", key_file);
goto done;
} */
/* sign the template */
if(xmlSecDSigCtxSign(dsigCtx, signNode) < 0) {
fprintf(stderr,"Error: signature failed\n");
goto done;
}
....
}
Thank you!
Pablo G. Gallardo
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
xmlsec mailing list
http://www.aleksey.com/mailman/listinfo/xmlsec
Pablo Gabriel Gallardo
2017-09-17 16:46:56 UTC
Permalink
Post by Aleksey Sanin
Just a heads up that I've got a report that this change
cause problems for other users. I will be rolling it back
(and I still don't have a good way to determine RSA key
type).
Hello Aleksey!

I'm sorry to hear that :(. I depend of that condition to sign xml documents
with smartkeys.

I'll investigate to check what else can we do to determine whether an
EVP_PKEY is private or not. I'm not an OpenSSL expert but I want to help
with that.

Regards,

Pablo G. Gallardo
Pablo Gabriel Gallardo
2017-09-17 17:36:50 UTC
Permalink
Post by Pablo Gabriel Gallardo
I'll investigate to check what else can we do to determine whether an
EVP_PKEY is private or not. I'm not an OpenSSL expert but I want to help
with that.
Regards,
Pablo G. Gallardo
Aleksey,

I have a question. This is the code:

```c
RSA_get0_key(rsa, &n, &e, &d);
if(n != NULL && e != NULL) {
if(d != NULL) {
return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
} else if(RSA_test_flags(rsa, (RSA_FLAG_EXT_PKEY |
RSA_FLAG_CACHE_PRIVATE)) != 0) {
/*
* !!! HACK !!! Also see DSA key
* We assume here that engine *always* has private key.
* This might be incorrect but it seems that there is no
* way to ask engine if given key is private or not.
*/
return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
} else {
return(xmlSecKeyDataTypePublic);
}
}
```

First we check whether d is NULL or not `if(d != NULL)`. If we are
dealing with a public key generally d is, indeed, NULL. In the case of
smartkeys, even if we are dealing with a private key d is also NULL
because d is inside the smartkey (never transmitted to the memory or
CPU).

So we are failing in the second condition `RSA_test_flags(rsa,
(RSA_FLAG_EXT_PKEY | RSA_FLAG_CACHE_PRIVATE)) != 0`, the question is:
Those users that are reporting problems, What type of key they are
using? If they are using a private key in a file, how can d be NULL?
And if they are using a private key in another device, how they were
doing that before the change in the condition so I can do the same?

Best,

Pablo G. Gallardo
Aleksey Sanin
2017-09-17 20:01:26 UTC
Permalink
The issue is that checking RSA_FLAG_CACHE_PRIVATE was a hack.
This flag doesn't really say that this is a private key but
rather that caching should be used in private key operations.
It worked in your case and didn't work for someone else.

As I suggested in another reply, I think you should mark the
key as private yourself. This is a better way to do it.

Aleksey
Post by Pablo G. Gallardo
Post by Pablo Gabriel Gallardo
I'll investigate to check what else can we do to determine whether an
EVP_PKEY is private or not. I'm not an OpenSSL expert but I want to help
with that.
Regards,
Pablo G. Gallardo
Aleksey,
```c
RSA_get0_key(rsa, &n, &e, &d);
if(n != NULL && e != NULL) {
if(d != NULL) {
return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
} else if(RSA_test_flags(rsa, (RSA_FLAG_EXT_PKEY |
RSA_FLAG_CACHE_PRIVATE)) != 0) {
/*
* !!! HACK !!! Also see DSA key
* We assume here that engine *always* has private key.
* This might be incorrect but it seems that there is no
* way to ask engine if given key is private or not.
*/
return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
} else {
return(xmlSecKeyDataTypePublic);
}
}
```
First we check whether d is NULL or not `if(d != NULL)`. If we are
dealing with a public key generally d is, indeed, NULL. In the case of
smartkeys, even if we are dealing with a private key d is also NULL
because d is inside the smartkey (never transmitted to the memory or
CPU).
So we are failing in the second condition `RSA_test_flags(rsa,
Those users that are reporting problems, What type of key they are
using? If they are using a private key in a file, how can d be NULL?
And if they are using a private key in another device, how they were
doing that before the change in the condition so I can do the same?
Best,
Pablo G. Gallardo
Aleksey Sanin
2017-09-17 19:58:48 UTC
Permalink
The best approach would be to call RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY)
from your code when you load the key (if you are sure this is a private
key).

Aleksey
Post by Aleksey Sanin
Just a heads up that I've got a report that this change
cause problems for other users. I will be rolling it back
(and I still don't have a good way to determine RSA key
type).
Hello Aleksey!
I'm sorry to hear that :(. I depend of that condition to sign xml
documents with smartkeys.
I'll investigate to check what else can we do to determine whether an
EVP_PKEY is private or not. I'm not an OpenSSL expert but I want to help
with that.
Regards,
Pablo G. Gallardo
Pablo Gabriel Gallardo
2017-09-17 22:38:40 UTC
Permalink
Post by Aleksey Sanin
The best approach would be to call RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY)
from your code when you load the key (if you are sure this is a private
key).
Nice! I'll try that and will let you know. I didn't know that I could
set that flag manually. I think it will work :).

Thank you for the advice.

Pablo G. Gallardo
Pablo Gabriel Gallardo
2017-09-18 22:47:56 UTC
Permalink
Post by Pablo Gabriel Gallardo
Post by Aleksey Sanin
The best approach would be to call RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY)
from your code when you load the key (if you are sure this is a private
key).
Nice! I'll try that and will let you know. I didn't know that I could
set that flag manually. I think it will work :).
Aleksey,

I've applied your suggestion in my code and is working! Removing
RSA_FLAG_CACHE_PRIVATE from the condition doesn't affect my project
anymore.

Thank you for your help.

Best,

Pablo G. Gallardo
Aleksey Sanin
2017-09-18 22:49:40 UTC
Permalink
Glad to hear that!

Aleksey
Post by Pablo G. Gallardo
Post by Pablo Gabriel Gallardo
Post by Aleksey Sanin
The best approach would be to call RSA_set_flags(rsa, RSA_FLAG_EXT_PKEY)
from your code when you load the key (if you are sure this is a private
key).
Nice! I'll try that and will let you know. I didn't know that I could
set that flag manually. I think it will work :).
Aleksey,
I've applied your suggestion in my code and is working! Removing
RSA_FLAG_CACHE_PRIVATE from the condition doesn't affect my project
anymore.
Thank you for your help.
Best,
Pablo G. Gallardo
Loading...