On 11/10/2011 9:12 AM, weizhong qiang wrote:
>
> On Nov 10, 2011, at 3:40 PM, Alon Bar-Lev wrote:
>
>> On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang<weizhongqi...@gmail.com>
>> wrote:
>>> As I mentioned, I need to use the EEC credential to generate a proxy
>>> credential (the process is the same as using a CA credential to generate an EEC
>>> credential).
>>> In the generation step, I need to use X509_sign (int X509_sign(X509 *x,
>>> EVP_PKEY *pkey, const EVP_MD *md)), which needs the private key for signing an
>>> X509 certificate.
>>> That is the reason I need to take the private key out.
>>> Could you tell me how to use the pkcs11-helper lib to sign a certificate without
>>> taking the private key out? To use pkcs11h_certificate_sign?
>>> Thanks
>>> Weizhong Qiang
An example of signing a certificate using an engine can be found in the OpenSSL apps/ca.c. Look for engine, keyform, and lines:

 747     pkey = load_key(bio_err, keyfile, keyform, 0, key, e,
 748                     "CA private key");

2151     if (!X509_sign(ret,pkey,dgst))
2152         goto err;

And in apps.c look at the load_key routine to see how it associates the engine with the pkey.

If you still want to use the NSS softtoken, have you tried calling it using OpenSC pkcs11-tool? I don't know if it can be used standalone without the rest of NSS.

This is an example of using an engine to sign a digest of a file:

openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$OPENSC_PATH/opensc-pkcs11.so
dgst -engine pkcs11 -keyform engine -sign slot_1-id_02 -c -out /tmp/test.ec.sig.out fake.ec.key/ec.msg.txt
EOT

>>>
>>
>> No, you should use X509_sign().
>> Why not use EVP_PKEY_assign_RSA(pk,rsa) and use pk?
>
> This pk here assigned seems to be public key.
>
>> Not sure but maybe X509_set_pubkey(x509,pk) will be needed.
>
> I need the private key to sign a X509 certificate, not the public key.
>
>
> Weizhong
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
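Added example, not from this thread and not OpenSC or OpenSSL code: the same idea in Go. The engine-backed EVP_PKEY that ca.c gets from load_key() works because X509_sign() only ever asks the EVP_PKEY to sign a digest; the Go seam is crypto.Signer, which x509.CreateCertificate accepts as the issuer key, so a token-resident key only has to implement Public() and Sign(). tokenKey, issue, newTemplate, proxyTemplate and buildProxy are this example's own names. tokenKey is a constructed stand-in that keeps its P-256 key in process memory so the code runs offline (a real one would forward Sign() to C_Sign through a PKCS#11 wrapper), the "Example Grid" DN is made up, the EEC is self-signed to keep the example short, and the ProxyCertInfo extension RFC 3820 requires is left out.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"io"
	"math/big"
	"time"
)

// tokenKey is a constructed stand-in for a PKCS#11-resident private key: it
// exposes only Public() and Sign(), all that crypto.Signer needs. A real one
// would forward Sign() to C_Sign; this one keeps a P-256 key in memory.
type tokenKey struct{ priv *ecdsa.PrivateKey }

func newTokenKey() *tokenKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	return &tokenKey{priv}
}

func (t *tokenKey) Public() crypto.PublicKey { return &t.priv.PublicKey }

// Sign gets the already-hashed TBSCertificate and returns a DER ECDSA
// signature, which is also what X509_sign() gets back from an engine.
func (t *tokenKey) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ecdsa.SignASN1(r, t.priv, digest)
}

// issue is the counterpart of X509_sign() with an engine-backed EVP_PKEY:
// CreateCertificate never sees key material, it only calls issuerKey.Sign().
// The same call serves "CA signs EEC" and "EEC signs proxy".
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, issuerKey crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newTemplate fills the common end-entity fields; the serial is random and
// positive as RFC 5280 requires.
func newTemplate(subject pkix.Name, life time.Duration) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		panic(err)
	}
	return &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(life),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
}

// proxyTemplate gives the proxy an RFC 3820-style subject: the EEC's subject
// DN plus one CN carrying the serial. The ProxyCertInfo extension the RFC
// also requires is omitted here.
func proxyTemplate(eec *x509.Certificate) (*x509.Certificate, error) {
	tmpl := newTemplate(pkix.Name{}, 12*time.Hour)
	var rdns pkix.RDNSequence
	if _, err := asn1.Unmarshal(eec.RawSubject, &rdns); err != nil {
		return nil, err
	}
	cn := pkix.AttributeTypeAndValue{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: tmpl.SerialNumber.String()}
	raw, err := asn1.Marshal(append(rdns, pkix.RelativeDistinguishedNameSET{cn}))
	if err != nil {
		return nil, err
	}
	tmpl.RawSubject = raw // CreateCertificate uses RawSubject when it is set
	return tmpl, nil
}

// buildProxy is the thread's scenario: the EEC key sits behind tokenKey, the
// proxy's own key pair is fresh (it would normally live only in memory), and
// the proxy is signed without the EEC private key ever being extracted. The
// EEC is self-signed here only to keep the example short.
func buildProxy() (eec, proxy *x509.Certificate, err error) {
	eecKey, proxyKey := newTokenKey(), newTokenKey()
	subject := pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Example User"}
	eecTmpl := newTemplate(subject, 24*time.Hour)
	if eec, err = issue(eecTmpl, eecTmpl, eecKey.Public(), eecKey); err != nil {
		return nil, nil, err
	}
	proxyTmpl, err := proxyTemplate(eec)
	if err != nil {
		return nil, nil, err
	}
	proxy, err = issue(proxyTmpl, eec, proxyKey.Public(), eecKey)
	if err != nil {
		return nil, nil, err
	}
	return eec, proxy, nil
}
```

One caveat worth knowing before reusing this: the EEC is not a CA, so x509's ordinary CheckSignatureFrom refuses it as an issuer. The EEC to proxy hop verifies with eec.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature), which uses only the EEC's public key; proxy-aware path validation is what RFC 3820 defines and is not part of the standard library.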