- openssl version 0.9.8a
- OS: SuSE Linux Enterprise (SLED_10_SP3)
- CardMan 3021 OmniKey
- BuyPass smartcard, http://buypass.no
I am trying to get the --crypto switch of xmlsec1 working for a signature that is required. The setup with a key file looks like this:

    xmlsec1 sign --privkey key.pem --output signed_msg-file.xml msg-file.xml

The setup with a crypto engine and a key residing on the smartcard will look like this:

    xmlsec1 sign --crypto openssl --output signed_msg-file.xml msg-file.xml

OpenSSL should be configured in such a way that the engine with its content is loaded, and loaded in such a way that xmlsec1 will use the smartcard key and perform the signing. There are not going to be any OpenSSL switches after the "--crypto openssl" part, as Aleksey Sanin has personally stated.

I have tried the following preliminary openssl.cnf and it works:

    #HOME = .
    #RANDFILE = $ENV::HOME/.rnd
    openssl_conf = openssl_init

    [ openssl_init ]
    engines = engine_section

    [ engine_section ]
    pkcs11 = pkcs11_section

    [ pkcs11_section ]
    engine_id = pkcs11
    dynamic_path = /usr/lib/opensc/engine_pkcs11.so
    MODULE_PATH = /usr/lib/libiidp11.so.5.3.1.31
    PIN = ****
    init = 1

    # Extra OBJECT IDENTIFIER info:
    #oid_file = $ENV::HOME/.oid
    #oid_section = new_oids

It works with this command line:

    OpenSSL> req -config /home/sigbj/etc_ssl_openssl.cnf -x509 -engine pkcs11 -new -key id_1 -keyform engine -out req.pem -text -subj "/CN=Firstname Lastname"
    engine "pkcs11" set.
    OpenSSL>

giving a produced req.pem with the smartcard certificate from the card in question. This is just a test, of course, to see how many of the switches can be removed from the command line into the openssl.cnf file. I cannot establish the right command name with the remaining switches, so I need help to get them right. My project is serious business dealing with a production system.

Side note: for the encryption part, 'openssl cms' is applied successfully with pubkey.pem on the message file, thanks to help from the IT people of the Official State Health Department. This part is solved. What remains is the crypto engine, because a signature with a key residing on a personal smartcard is the demand.
I have got quite a lot of help from the site http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart and some from xml...@aleksey.com (http://www.aleksey.com/xmlsec/, http://www.mail-archive.com/xmlsec@aleksey.com/msg02507.html). clizio merli has not answered my mail so far. Help from an openssl forum or the like is necessary at this stage.

Thanks in advance
SiSt

--
View this message in context: http://old.nabble.com/sufficient-engine-configuration-i-openssl.cnf-for-signing-with-smartcard-xmlsec1-tp32606851p32606851.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
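An added example, not from the post and not OpenSSL's or engine_pkcs11's own code: a small Python checker that parses an openssl.cnf of the shape shown above, follows the openssl_conf -> engines -> engine section reference chain the way OpenSSL resolves it when loading engines from the config, and flags what a reviewer would want to know before such a file reaches a production system, such as a dangling section reference, a missing dynamic_path or MODULE_PATH, or a PIN kept in clear text. The sample config is constructed from the post, with the PIN left as the **** placeholder.

```python
import os, re

# Constructed sample: the engine configuration from the post, PIN left as the **** mask shown there.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[ openssl_init ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/opensc/engine_pkcs11.so
MODULE_PATH = /usr/lib/libiidp11.so.5.3.1.31
PIN = ****
init = 1
"""

def parse_openssl_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}: keys before the first
    [section] go to 'default'; comments are skipped; $ENV::NAME is expanded from the environment."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        value = re.sub(r"\$ENV::(\w+)", lambda m: os.environ.get(m.group(1), ""), value.strip())
        sections[current][key.strip()] = value
    return sections

def engine_sections(sections):
    """Follow openssl_conf -> engines -> each engine's own section, the reference chain
    OpenSSL walks when loading engines; a dangling reference raises KeyError with the missing name."""
    init = sections["default"]["openssl_conf"]
    engine_list = sections[init]["engines"]
    return {name: sections[ref] for name, ref in sections[engine_list].items()}

def check_engine(section):
    """Findings a reviewer would raise about one dynamic engine section (engine_pkcs11 keys)."""
    findings = [f"{k} missing" for k in ("engine_id", "dynamic_path", "MODULE_PATH") if k not in section]
    if "PIN" in section:
        findings.append("PIN stored in clear text in openssl.cnf")
    if section.get("init") != "1":
        findings.append("init is not 1: engine will not be initialised at load")
    return findings
```

Run it against the real file before shipping it; a KeyError from engine_sections points at exactly the section name OpenSSL would fail to find.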