apt install libengine-pkcs11-openssl
To sign using the smart card, one uses openssl smime, but I could not find out how to have it read a config file yet. Let me know / send me a patch if you know a way.
Using the openssl shell:
$ pkcs15-tool --read-certificate 01 > /tmp/cert01.pem
$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -pre VERBOSE
OpenSSL> smime -sign -engine pkcs11 -keyform engine -inkey 1:1 -in file.xml -out file.xml.p7m -binary -signer /tmp/cert01.pem -outform DER -nodetach
Do verify the paths to the various .so files, as they may be different on your system.
I have logged into the Infocamere.
I have created an unsigned fattura elettronica.
I have clicked on "Sign" and chose manual signature.
I have downloaded the zip file and extracted the xml file.
I have signed it using the commands in the "Setting up OpenSSL to work with smart cards" section above.
I have uploaded the resulting p7m file.
Infocamere reported that the file was signed correctly.
I have submitted the fattura elettronica and it has been successfully sent. However, it has been rejected by the "Sistema di Interscambio" with error code 00104 "CA (Certification Authority) non affidabile : Certification Authority non attendibile".
Further attempts need to be made.
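The rejection above concerns the CA that issued the signing certificate, and both the embedded issuer and the chain of a .p7m file can be checked locally before uploading. The script below is an added example, not part of the original page: it uses throwaway file-based keys and two constructed CAs (demo-trusted-ca, demo-other-ca) instead of the smart card, and the CA bundle a real check would need (whatever the receiving system trusts) is not given on the page.

```shell
#!/bin/sh
# Added example. Keys and CAs are throwaway and constructed; no smart card is used.

# make_ca DIR NAME: create a self-signed demo CA (NAME.key, NAME.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_signer DIR CA: create a signer key and a certificate issued by CA.
make_signer() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/signer.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/signer.pem" 2>/dev/null
}

# sign_p7m DIR: the page's smime options, with a file key in place of the engine.
sign_p7m() {
    openssl smime -sign -inkey "$1/signer.key" -signer "$1/signer.pem" \
        -in "$1/file.xml" -out "$1/file.xml.p7m" -binary -outform DER -nodetach
}

# show_issuer P7M: print subject and issuer of the certificates embedded in P7M.
show_issuer() {
    openssl pkcs7 -inform DER -in "$1" -print_certs -noout
}

# check_p7m P7M CAFILE: exit 0 only if the signature verifies and the signer
# chains to a trusted CA. OpenSSL's default CA locations may be consulted too;
# -no-CApath (and -no-CAstore on 3.x) restrict the check to CAFILE.
check_p7m() {
    openssl smime -verify -inform DER -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
}

D=$(mktemp -d)
printf '<demo/>\n' > "$D/file.xml"        # constructed stand-in for the invoice
make_ca "$D" demo-trusted-ca              # stands in for a CA the receiver trusts
make_ca "$D" demo-other-ca                # stands in for any other CA
make_signer "$D" demo-trusted-ca
sign_p7m "$D"
show_issuer "$D/file.xml.p7m"
check_p7m "$D/file.xml.p7m" "$D/demo-trusted-ca.pem" && echo "issuer in bundle: accepted"
check_p7m "$D/file.xml.p7m" "$D/demo-other-ca.pem" || echo "issuer not in bundle: rejected"
```

On a file signed with the card, only show_issuer and check_p7m are needed, with the second argument pointing at the CA bundle to test against.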
On using smart cards with OpenSSL: