Support PKCS11 #164

Closed
jtalir opened this issue Jan 25, 2021 · 11 comments · Fixed by #253

Comments

@jtalir

jtalir commented Jan 25, 2021

I'm not aware of any way to use a PKCS11 device (token, HSM) with this library. This is a critical feature for many use cases.

@jtalir
Author

jtalir commented Feb 15, 2021

NSS crypto engine in xmlsec should be capable of using PKCS11. Is it possible to switch to NSS crypto with python-xmlsec?

@hoefling
Member

@jtalir first thing I would check is whether you can sign/verify or encrypt/decrypt the document with just xmlsec1 - there's the command line tool for that. As for building against xmlsec1-nss - never done that, but I suppose this should be possible once the constants that are not supported by the NSS engine are sorted out in constants.c. I will create an experimental branch you can build the package from, so you can try it out locally.

@hoefling
Member

@jtalir try out the nss-crypto branch:

$ PYXMLSEC_CRYPTO_ENGINE=nss pip install git+https://github.com/hoefling/xmlsec.git@nss-crypto

should build against xmlsec1-nss. You need to install the lib first - on my Fedora 33, it's dnf install xmlsec1-nss xmlsec1-nss-devel.

@jtalir
Author

jtalir commented Feb 15, 2021

Thanks. I was able to build it. Any hint on where to provide the content of the --crypto-config parameter from the xmlsec1 CLI?

@hoefling
Member

@jtalir this is yet missing :-) Let me add a sample impl first.

@hoefling
Member

@jtalir try reinstalling from the same branch again. I have hardcoded nss as the crypto engine for the sake of testing, otherwise xmlsec1 overwrites it for me - will need a better way of passing the crypto engine than what's implemented currently.

@hoefling
Member

@jtalir you can pass the config path via xmlsec.init:

import xmlsec

xmlsec.init('path/to/ssl.conf')

...

If it doesn't work, try a shutdown before reinitialization:

import xmlsec

xmlsec.shutdown()
xmlsec.init('path/to/ssl.conf')

@jtalir
Author

jtalir commented Feb 15, 2021

No success. Trying simple nss with a local keystore (no pkcs11). The simple xmlsec1 call works, the python script doesn't. See below:

[/tmp/test-nss]$ cat test-mykey.xml 
<RootElement>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm=
      "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm=
      "http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="">
      <Transforms>
       <Transform Algorithm=
         "http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      </Transforms>
       <DigestMethod Algorithm=
          "http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue></DigestValue>
     </Reference>
  </SignedInfo>
  <SignatureValue />
  <KeyInfo>
    <KeyName>mykey</KeyName>
  </KeyInfo>
 </Signature>
</RootElement>
[/tmp/test-nss]$ xmlsec1 --sign --crypto nss --crypto-config nss test-mykey.xml
<?xml version="1.0"?>
<RootElement>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
   <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <Reference URI="">
      <Transforms>
       <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      </Transforms>
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>4uafMBC7xp0uZh7G+Pwl6OTlRLk=</DigestValue>
     </Reference>
  </SignedInfo>
  <SignatureValue>KX2IQezSULSOzPRSLEDW5Ra1xx5fq01VWsXClu627lOrXlJKZEwTNFj/F4JmxJ+C
v8Qk1h2gB57x8vFzWUEAZJe6APW6W7rkyRfYZR4UlqO+L6lfycdp9PwpEKyrtwLg
g2kWsd9f/VuzAMfoFTq45WQg0D4QizRSObXoqutSNWtO0KnfQVPLqMkh4ENU1iht
gCUdrA3BAO/qy9v9Ts/3WFB6QCcAdePk3ofeaN4WQyNP4MRx82e5eSJTz58IDoel
urT/bA0T7PHyBaeokP9ve4ngSl/BPWC+0cng1DrFO5GZlxmgPRBJt7X/oGttUSAt
R+2XhQoZxtmgU3hCxl5Psw==</SignatureValue>
  <KeyInfo>
    <KeyName>mykey</KeyName>
  </KeyInfo>
 </Signature>
</RootElement>
[/tmp/test-nss]$ PYXMLSEC_CRYPTO_ENGINE=nss pip install --target=/tmp/xmlsec/ git+https://github.com/hoefling/xmlsec.git@nss-crypto
Collecting git+https://github.com/hoefling/xmlsec.git@nss-crypto
  Cloning https://github.com/hoefling/xmlsec.git (to revision nss-crypto) to /tmp/pip-req-build-fku86ufe
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Installing backend dependencies ... done
    Preparing wheel metadata ... done
Collecting lxml>=3.8
  Using cached lxml-4.6.2-cp39-cp39-manylinux1_x86_64.whl (5.4 MB)
Building wheels for collected packages: xmlsec
  Building wheel for xmlsec (PEP 517) ... done
  Created wheel for xmlsec: filename=xmlsec-1.3.8.dev31+g3531b39-cp39-cp39-linux_x86_64.whl size=150210 sha256=92f6564c121e7dc79f83291a93faae8e1ab32cecda2a42f92cf1f9296c2a26bc
  Stored in directory: /tmp/pip-ephem-wheel-cache-az21zazg/wheels/07/74/18/199e74712eb369fa5def70e1f8c05ddaad1e4c721bb36f096f
Successfully built xmlsec
Installing collected packages: lxml, xmlsec
Successfully installed lxml-4.6.2 xmlsec-1.3.8.dev31+g3531b39
[/tmp/test-nss]$ cat sign.py 
from lxml import etree
import xmlsec
xmlsec.shutdown()
xmlsec.init('./nss/')
template = etree.parse('test-mykey.xml').getroot()
signature_node = xmlsec.tree.find_node(template, xmlsec.constants.NodeSignature)
ctx = xmlsec.SignatureContext()
ctx.sign(signature_node)
print(etree.tostring(template))
[/tmp/test-nss]$ PYTHONPATH=/tmp/xmlsec/ python sign.py 
func=xmlSecDSigCtxProcessKeyInfoNode:file=xmldsig.c:line=793:obj=unknown:subj=unknown:error=45:key is not found:details=NULL
func=xmlSecDSigCtxProcessSignatureNode:file=xmldsig.c:line=508:obj=unknown:subj=xmlSecDSigCtxProcessKeyInfoNode:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxSign:file=xmldsig.c:line=291:obj=unknown:subj=xmlSecDSigCtxProcessSignatureNode:error=1:xmlsec library function failed: 
Traceback (most recent call last):
  File "/tmp/test-nss/sign.py", line 8, in <module>
    ctx.sign(signature_node)
xmlsec.InternalError: (-1, 'failed to sign')

@jtalir
Author

jtalir commented Feb 15, 2021

Maybe it's related to the fact that in nss crypto engine, key is identified by name in template.

@jtalir
Author

jtalir commented Dec 22, 2021

In the recent release of xmlsec-1.2.33 there is a new attribute --privkey-openssl-engine that can pass pkcs11 parameters to the openssl engine, as discussed in this thread: https://www.aleksey.com/pipermail/xmlsec/2021/010434.html.

How hard is it to get this through python-xmlsec to be able to use it the same way as command line client?

@jtalir
Author

jtalir commented Jan 21, 2022

Is anybody able to evaluate if this change in xmlsec-1.2.33 is callable via python-xmlsec?

tdivis added a commit to tdivis/python-xmlsec that referenced this issue Dec 21, 2022
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Jan 6, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Feb 8, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Mar 15, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Mar 21, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Mar 27, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Apr 17, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Apr 17, 2023
tdivis added a commit to tdivis/python-xmlsec that referenced this issue Apr 17, 2023
brennanneoh pushed a commit to brennanneoh/python-xmlsec that referenced this issue Feb 16, 2024
brennanneoh pushed a commit to brennanneoh/python-xmlsec that referenced this issue Feb 16, 2024
brennanneoh added a commit to brennanneoh/python-xmlsec that referenced this issue Feb 16, 2024
* Added changes to enable 3.11 builds
* Fix xmlsec#244 - Fix failing test with libxmlsec-1.2.36, also make libxmlsec version available from Python.
* Fix xmlsec#164 - Add support for loading keys from engine (e.g. pkcs11).
* Fix xmlsec#164 - Add tests for pkcs11 (softhsm) key.
* [pre-commit.ci] auto fixes from pre-commit.com hooks
---------
Co-authored-by: Dan Vella <[email protected]>
Co-authored-by: Tomas Divis <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
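The merged change above adds key loading through an OpenSSL engine, which is what makes a PKCS11 token usable from Python. The block below is an added example, not code from this thread, from #253, or from python-xmlsec's own tests, showing what the end-to-end flow looks like with a SoftHSM or hardware token. It assumes: python-xmlsec built against xmlsec1-openssl at a version that includes #253, and that the API it exposes is `xmlsec.Key.from_engine(engine_name, engine_key_id)` (my reading of the fix; confirm with `help(xmlsec.Key.from_engine)` on your build); an OpenSSL `pkcs11` engine (libp11) configured in openssl.cnf to load your PKCS#11 module; and placeholder token label, object label and PIN. The PKCS#11 URI helper follows the percent-encoding rules of RFC 7512 and runs without any of that installed; the signing function imports lxml and xmlsec lazily so the module still loads on a machine without libxmlsec1.

```python
"""Sign an XML document with a key that never leaves a PKCS#11 token.

Added example; assumes python-xmlsec with the engine key loading from #253
(API assumed to be xmlsec.Key.from_engine(engine_name, engine_key_id)) and an
OpenSSL 'pkcs11' engine (libp11) wired to the PKCS#11 module in openssl.cnf.
"""
from urllib.parse import quote

# RFC 7512, section 2.3: characters that may stay unencoded in a path-attribute
# value in addition to the unreserved set (alnum, "-", ".", "_", "~").
# Everything else, including ";" "/" and space, must be percent-encoded.
_PK11_PATH_SAFE = ":[]@!$'()*+,=&"


def pkcs11_uri(token=None, label=None, type_=None, id_=None, pin=None):
    """Build an RFC 7512 PKCS#11 URI such as
    pkcs11:token=My%20Token;object=mykey;type=private?pin-value=1234

    token / label are CKA_LABEL strings (percent-encoded), id_ is the raw
    CKA_ID bytes (each byte percent-encoded), type_ is e.g. "private".
    The PIN is a query attribute; encoding it with the stricter path set is
    still a valid URI.
    """
    path = []
    if token is not None:
        path.append("token=" + quote(token, safe=_PK11_PATH_SAFE))
    if label is not None:
        path.append("object=" + quote(label, safe=_PK11_PATH_SAFE))
    if type_ is not None:
        path.append("type=" + type_)
    if id_ is not None:
        path.append("id=" + "".join("%%%02X" % b for b in id_))
    uri = "pkcs11:" + ";".join(path)
    if pin is not None:
        uri += "?pin-value=" + quote(pin, safe=_PK11_PATH_SAFE)
    return uri


def sign_with_engine_key(engine_key_id, engine_name="pkcs11", key_name="mykey"):
    """Create an enveloped RSA-SHA256 signature over a small constructed
    document, signing with the token-resident key; returns the signed XML.

    Imports are local so this module can be imported without libxmlsec1.
    """
    from lxml import etree
    import xmlsec

    # Constructed input document (not from the issue thread).
    root = etree.fromstring(b"<RootElement><Data>hello</Data></RootElement>")

    # Build the template the same way the thread's test-mykey.xml is laid out,
    # but with SHA-256 instead of the SHA-1 algorithms used there.
    signature_node = xmlsec.template.create(
        root, xmlsec.Transform.EXCL_C14N, xmlsec.Transform.RSA_SHA256)
    root.append(signature_node)
    ref = xmlsec.template.add_reference(signature_node, xmlsec.Transform.SHA256)
    xmlsec.template.add_transform(ref, xmlsec.Transform.ENVELOPED)
    key_info = xmlsec.template.ensure_key_info(signature_node)
    xmlsec.template.add_key_name(key_info, key_name)

    # The private key material stays in the token: the engine hands xmlsec an
    # EVP_PKEY handle and every RSA operation is performed inside the device.
    key = xmlsec.Key.from_engine(engine_name, engine_key_id)  # assumed post-#253 API
    key.name = key_name

    ctx = xmlsec.SignatureContext()
    ctx.key = key
    ctx.sign(signature_node)
    return etree.tostring(root)


if __name__ == "__main__":
    # Placeholder token label, object label and PIN; substitute your own.
    uri = pkcs11_uri(token="My Token", label="mykey", type_="private", pin="1234")
    print(uri)
    print(sign_with_engine_key(uri).decode())
```

The same key id is what the xmlsec1 CLI takes after the engine name in `--privkey-openssl-engine` (`<engine>;<key-id>`), so a quick way to rule out Python-side problems is to sign once with `xmlsec1 --sign --privkey-openssl-engine:mykey "pkcs11;$URI" file.xml` first, as hoefling suggested early in the thread for the NSS build. Two caveats: a `pin-value` embedded in the URI is visible in process listings and in any log line that echoes the key id, so on shared hosts prefer the engine's PIN callback or a `pin-source` file with tight permissions; and the `type=private` attribute matters with libp11, since a token holding both halves of the key pair can otherwise resolve the label to the public object and the sign call fails with an error much like the "key is not found" trace shown above.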