Re: [xmlsec] Signing xml using etoken
Aleksey Sanin wrote:
> I think that you need to figure out how the -engine option is handled for the openssl command line tool. Then you will need to do similar openssl initialization in xmlsec.

I figured that out. Just to try that, I added the engine initialization on the same openssl engine. However, it cannot find the key yet. I guess the key is not being called through the engine, and so far, I haven't found where in the code to look at.

Thanks

> Aleksey
>
> Ivan Barrera A. wrote:
>> Hi again.
>>
>> I've tried almost all solutions I've found on the web, and still no luck. Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:
>>
>> - USB etoken (Aladdin Pro32K, using its own format)
>> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
>> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)
>>
>> Using openssl, I've been able to sign a digest using:
>>
>> openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml
>>
>> It seems to work, as it asks to enter the etoken password and outputs some raw data.
>>
>> I haven't been able to make xmlsec use openssl this way, so the token can do the signing of the document.
>>
>> Any ideas?
>>
>> Ivan Barrera A. wrote:
>>> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>>>
>>> Using openssl alone, I can get the system to sign smime documents using the token:
>>>
>>> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>>
>>> And adding the etoken lib to nss, modutil -list gives:
>>>
>>> 2. eToken
>>>    library name: /usr/lib/libeTPkcs11.so
>>>    slots: 17 slots attached
>>>    status: loaded
>>>    slot: AKS ifdh 00 00
>>>    token: eToken
>>>
>>> However, when I try to sign anything using xmlsec1, I only get:
>>>
>>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>> Error: signature failed
>>> Error: failed to sign file test4.xml
>>>
>>> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>>>
>>> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.

___
xmlsec mailing list
xmlsec@aleksey.com
http://www.aleksey.com/mailman/listinfo/xmlsec
Re: [xmlsec] Signing xml using etoken
OK, the next step is to figure out how to get EVP for the key on the token. Check what the -keyform engine command line option does.

Aleksey

Ivan Barrera A. wrote:
> Aleksey Sanin wrote:
>> I think that you need to figure out how the -engine option is handled for the openssl command line tool. Then you will need to do similar openssl initialization in xmlsec.
>
> I figured that out. Just to try that, I added the engine initialization on the same openssl engine. However, it cannot find the key yet. I guess the key is not being called through the engine, and so far, I haven't found where in the code to look at.
>
> Thanks
>
>> Aleksey
>>
>> Ivan Barrera A. wrote:
>>> Hi again.
>>>
>>> I've tried almost all solutions I've found on the web, and still no luck. Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:
>>>
>>> - USB etoken (Aladdin Pro32K, using its own format)
>>> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
>>> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)
>>>
>>> Using openssl, I've been able to sign a digest using:
>>>
>>> openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml
>>>
>>> It seems to work, as it asks to enter the etoken password and outputs some raw data.
>>>
>>> I haven't been able to make xmlsec use openssl this way, so the token can do the signing of the document.
>>>
>>> Any ideas?
>>>
>>> Ivan Barrera A. wrote:
>>>> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>>>>
>>>> Using openssl alone, I can get the system to sign smime documents using the token:
>>>>
>>>> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>>>
>>>> And adding the etoken lib to nss, modutil -list gives:
>>>>
>>>> 2. eToken
>>>>    library name: /usr/lib/libeTPkcs11.so
>>>>    slots: 17 slots attached
>>>>    status: loaded
>>>>    slot: AKS ifdh 00 00
>>>>    token: eToken
>>>>
>>>> However, when I try to sign anything using xmlsec1, I only get:
>>>>
>>>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>>>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
>>>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>>>> Error: signature failed
>>>> Error: failed to sign file test4.xml
>>>>
>>>> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>>>>
>>>> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.
Re: [xmlsec] Signing xml using etoken
Ivan Barrera A. wrote:
> Hi again.
>
> I've tried almost all solutions I've found on the web, and still no luck.

Hmm. I don't think that xmlsec supports engines. Did you find a patch?

> Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:
>
> - USB etoken (Aladdin Pro32K, using its own format)
> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)

Since this is your environment, could you propose a patch to xmlsec that supports openssl engines?

> Using openssl, I've been able to sign a digest using:
>
> openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml
>
> It seems to work, as it asks to enter the etoken password and outputs some raw data.

[SNIP]

Aleksey, I think that first we have to enable xmlsec to use the openssl config file. In the configuration file we can specify which engine to use. Samples can be found by searching for opensc pkcs11 engine.

For the --crypto-config option to work, we have to update:

src/openssl/app.c:53:OPENSSL_config(NULL);

Also, if the function argument is not set, we may look for the environment variable OPENSSL_CONF.

Next, I think, is specific to the engine: how to identify the key (token) to use for the operation.

Roumen
Re: [xmlsec] Signing xml using etoken
Roumen Petrov wrote:
> Ivan Barrera A. wrote:
>> Hi again.
>>
>> I've tried almost all solutions I've found on the web, and still no luck.
>
> Hmm. I don't think that xmlsec supports engines. Did you find a patch?

Nope

>> - USB etoken (Aladdin Pro32K, using its own format)
>> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
>> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)
>
> Since this is your environment, could you propose a patch to xmlsec that supports openssl engines?

Yep :) As soon as I have something working, I'll clean it up and propose a patch. So far, I've done a dirty hack to select the engine inside openssl/app.c. Now I'm on to replicating the -keyform part on ssl.

>> Using openssl, I've been able to sign a digest using:
>>
>> openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml
>>
>> It seems to work, as it asks to enter the etoken password and outputs some raw data.
>
> [SNIP]
>
> Aleksey, I think that first we have to enable xmlsec to use the openssl config file. In the configuration file we can specify which engine to use. Samples can be found by searching for opensc pkcs11 engine.
>
> For the --crypto-config option to work, we have to update:
>
> src/openssl/app.c:53:OPENSSL_config(NULL);
>
> Also, if the function argument is not set, we may look for the environment variable OPENSSL_CONF.
>
> Next, I think, is specific to the engine: how to identify the key (token) to use for the operation.
>
> Roumen
Re: [xmlsec] Signing xml using etoken
Ivan Barrera A. wrote:
> Roumen Petrov wrote:
>> Ivan Barrera A. wrote:
>>> Hi again.
>>>
>>> I've tried almost all solutions I've found on the web, and still no luck.
>>
>> Hmm. I don't think that xmlsec supports engines. Did you find a patch?
>
> Nope
>
>>> - USB etoken (Aladdin Pro32K, using its own format)
>>> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
>>> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)
>>
>> Since this is your environment, could you propose a patch to xmlsec that supports openssl engines?
>
> Yep :) As soon as I have something working, I'll clean it up and propose a patch. So far, I've done a dirty hack to select the engine inside openssl/app.c.

I think that passing the function argument config to OPENSSL_config is enough to select the engine set by the openssl config file (line 53 in src/openssl/app.c). I expect this file to be from the command line option --crypto-config :-/ .

> Now I'm on to replicating the -keyform part on ssl.

Did you mark the private key as external so that the xmlsec function will not try to load it and to ask the engine for the operation?

[SNIP]

Roumen
Re: [xmlsec] Signing xml using etoken
Oh, forgot to mention: using NSS didn't work either:

# xmlsec/apps/xmlsec1 --sign --crypto nss --crypto-config /root/.netscape/ --output a.xml xml1.xml
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=875:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
Error: signature failed
Error: failed to sign file xml1.xml

I have properly set the configurations for the nss DB, and KeyName in the xml1.xml file. Also, the pcscd daemon shows activity when running xmlsec, but there is no input for the etoken password.

# certutil -K -h eToken -X -d /root/.netscape/
Enter Password or Pin for eToken:
0 rsa -35ED---:0 eTCAPI private key
1 rsa -35ED---:1 eTCAPI private key

Ivan Barrera A. wrote:
> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>
> Using openssl alone, I can get the system to sign smime documents using the token:
>
> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>
> And adding the etoken lib to nss, modutil -list gives:
>
> 2. eToken
>    library name: /usr/lib/libeTPkcs11.so
>    slots: 17 slots attached
>    status: loaded
>    slot: AKS ifdh 00 00
>    token: eToken
>
> However, when I try to sign anything using xmlsec1, I only get:
>
> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> Error: signature failed
> Error: failed to sign file test4.xml
>
> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>
> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.
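
Reading the xmlsec1 error stack from the message above, as an added example that is not part of the original thread or of xmlsec itself: it parses the `func=...:error=N:` frames, separates the generic error=1 relay frames from the frame carrying the specific error, and extracts the backend (NSS) error code. The sample text is the output quoted in the message; the function and field names are this example's own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Error frames copied from the "xmlsec1 --sign --crypto nss --crypto-config ..."
# run quoted in the message (the hex values are truncated on the page, kept as-is).
SAMPLE = """\
func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=875:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=-8174 (0xE012)
Error: signature failed
Error: failed to sign file xml1.xml
"""

# error=1 is the "xmlsec library function failed" frame: a caller relaying
# the failure of the function named in subj=, not a cause in itself.
GENERIC_FAILURE = 1

FRAME_RE = re.compile(
    r"^func=(?P<func>[^:]+):file=(?P<file>[^:]+):line=(?P<line>\d+)"
    r":obj=(?P<obj>[^:]*):subj=(?P<subj>[^:]*):error=(?P<code>\d+)"
    r":(?P<msg>[^:]*):(?P<detail>.*)$"
)
BACKEND_RE = re.compile(r"last (?P<lib>\w+) error=(?P<code>-?\d+)")


class Frame(NamedTuple):
    func: str
    file: str
    line: int
    subj: str
    code: int
    msg: str
    backend: Optional[Tuple[str, int]]  # e.g. ("nss", -8174)


def parse_frames(text: str) -> List[Frame]:
    """Return the error frames in printed order (innermost failure first)."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # skips the trailing "Error: signature failed" lines
        b = BACKEND_RE.search(m["detail"])
        backend = (b["lib"], int(b["code"])) if b else None
        frames.append(Frame(m["func"], m["file"], int(m["line"]), m["subj"],
                            int(m["code"]), m["msg"].strip(), backend))
    return frames


def triage(text: str) -> dict:
    """Pick out the frames worth reading first in an xmlsec error stack."""
    frames = parse_frames(text)
    if not frames:
        return {"origin": None, "specific": None, "backend": None}
    # First frame whose code is not the generic relay code.
    specific = next((f for f in frames if f.code != GENERIC_FAILURE), None)
    # Backend library error attached to the frames, if any was printed.
    backend = next((f.backend for f in frames if f.backend), None)
    return {"origin": frames[0], "specific": specific, "backend": backend}


if __name__ == "__main__":
    r = triage(SAMPLE)
    o, s = r["origin"], r["specific"]
    print(f"first failure:  {o.func} -> {o.subj} ({o.file}:{o.line})")
    print(f"specific error: {s.code} '{s.msg}' in {s.func}")
    print(f"backend error:  {r['backend']}")
```

Run on the two outputs in this thread, the only difference it reports is the backend value: `("nss", 0)` for the run without `--crypto-config` and `("nss", -8174)` for the run with it, while the xmlsec-level result is error 45 in both.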
Re: [xmlsec] Signing xml using etoken
Hi again.

I've tried almost all solutions I've found on the web, and still no luck. Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:

- USB etoken (Aladdin Pro32K, using its own format)
- Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
- An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)

Using openssl, I've been able to sign a digest using:

openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml

It seems to work, as it asks to enter the etoken password and outputs some raw data.

I haven't been able to make xmlsec use openssl this way, so the token can do the signing of the document.

Any ideas?

Ivan Barrera A. wrote:
> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>
> Using openssl alone, I can get the system to sign smime documents using the token:
>
> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>
> And adding the etoken lib to nss, modutil -list gives:
>
> 2. eToken
>    library name: /usr/lib/libeTPkcs11.so
>    slots: 17 slots attached
>    status: loaded
>    slot: AKS ifdh 00 00
>    token: eToken
>
> However, when I try to sign anything using xmlsec1, I only get:
>
> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> Error: signature failed
> Error: failed to sign file test4.xml
>
> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>
> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.
Re: [xmlsec] Signing xml using etoken
I think that you need to figure out how the -engine option is handled for the openssl command line tool. Then you will need to do similar openssl initialization in xmlsec.

Aleksey

Ivan Barrera A. wrote:
> Hi again.
>
> I've tried almost all solutions I've found on the web, and still no luck. Maybe it cannot be done, I don't know, so I'll explain a little more of what I have:
>
> - USB etoken (Aladdin Pro32K, using its own format)
> - Library from Aladdin to access the eToken (/usr/lib//usr/lib/libeTPkcs11.so)
> - An X509 cert inside the eToken, along with private and public keys (that cannot be exported. The eToken has to sign all data itself)
>
> Using openssl, I've been able to sign a digest using:
>
> openssl dgst -engine pkcs11 -keyform engine -sign id-of-the-key-inside-token xmlfile.xml
>
> It seems to work, as it asks to enter the etoken password and outputs some raw data.
>
> I haven't been able to make xmlsec use openssl this way, so the token can do the signing of the document.
>
> Any ideas?
>
> Ivan Barrera A. wrote:
>> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>>
>> Using openssl alone, I can get the system to sign smime documents using the token:
>>
>> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>
>> And adding the etoken lib to nss, modutil -list gives:
>>
>> 2. eToken
>>    library name: /usr/lib/libeTPkcs11.so
>>    slots: 17 slots attached
>>    status: loaded
>>    slot: AKS ifdh 00 00
>>    token: eToken
>>
>> However, when I try to sign anything using xmlsec1, I only get:
>>
>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> Error: signature failed
>> Error: failed to sign file test4.xml
>>
>> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>>
>> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.
Re: [xmlsec] Signing xml using etoken
It looks like the key could not be found. Try to look at the code under a debugger to make sure you use the correct key name. It is a little tricky with NSS, but with openssl you can put the key into the xmlsec keymanager as long as you have an EVP. You might need to write some code to load the correct crypto engine though.

Aleksey

Ivan Barrera A. wrote:
> Hi!
>
> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>
> Using openssl alone, I can get the system to sign smime documents using the token:
>
> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>
> And adding the etoken lib to nss, modutil -list gives:
>
> 2. eToken
>    library name: /usr/lib/libeTPkcs11.so
>    slots: 17 slots attached
>    status: loaded
>    slot: AKS ifdh 00 00
>    token: eToken
>
> However, when I try to sign anything using xmlsec1, I only get:
>
> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
> Error: signature failed
> Error: failed to sign file test4.xml
>
> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>
> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.
Re: [xmlsec] Signing xml using etoken
Aleksey Sanin wrote:
> It looks like the key could not be found. Try to look at the code under a debugger to make sure you use the correct key name. It is a little tricky with NSS, but with openssl you can put the key into the xmlsec keymanager as long as you have an EVP. You might need to write some code to load the correct crypto engine though.

Ok, I'll read and try that. I'm kinda new to this topic, so if anyone can share some examples I'll be most grateful :)

Thanks

> Aleksey
>
> Ivan Barrera A. wrote:
>> Hi!
>>
>> I've been fighting the last week on trying to sign XML documents, using a cert stored on an etoken (Aladdin 32K). I'm using the lib /usr/lib/libeTPkcs11.so provided by Aladdin, and trying to sign the document in any way. So far, I've tried openssl and nss with no luck.
>>
>> Using openssl alone, I can get the system to sign smime documents using the token:
>>
>> openssl smime -sign -engine pkcs11 -in test.xml -out a.xml -signer my-cert.pem -keyform engine -inkey 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>>
>> And adding the etoken lib to nss, modutil -list gives:
>>
>> 2. eToken
>>    library name: /usr/lib/libeTPkcs11.so
>>    slots: 17 slots attached
>>    status: loaded
>>    slot: AKS ifdh 00 00
>>    token: eToken
>>
>> However, when I try to sign anything using xmlsec1, I only get:
>>
>> # xmlsec1 --sign --crypto nss --output a.xml test4.xml
>> func=xmlSecKeysMngrGetKey:file=keys.c:line=1364:obj=unknown:subj=xmlSecKeysMngrFindKey:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=871:obj=unknown:subj=unknown:error=45:key is not found: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=565:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> func=xmlSecDSigCtxSign:file=xmldsig.c:line=303:obj=unknown:subj=xmlSecDSigCtxSigantureProcessNode:error=1:xmlsec library function failed: ;last nss error=0 (0x)
>> Error: signature failed
>> Error: failed to sign file test4.xml
>>
>> I've tried using keyname, keyvalue, keys.xml file. Nothing worked. Most probably, I'm doing something wrong. Has someone done this, or does anyone know how I can achieve this?
>>
>> BTW, running on Fedora Core 9, using latest openct/pcscd/xmlsec.