Can I use PKCS#11 to create a signature in a HSM?
https://stackoverflow.com/questions/13011949
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Can I configure XAdES4J to delegate the signature creation to a hardware-security-module (HSM) using a PKCS#11 infrastructure? If yes - how?
Infos on these sites let me assume, that only a key-transfer using PKCS#11 is possible:
- https://code.google.com/p/xades4j/wiki/DefiningKeyingData (the terms keying-data, -provider)
- http://code.google.com/p/xades4j/wiki/QeA (discussion of onur)
- http://xades4j.googlecode.com/svn/release/1.3.0/javadoc/reference/xades4j/providers/impl/KeyStoreKeyingDataProvider.html (Step 3: "Return the entry's private key")
Solution
As previously stated, you can use PKCS#11 keying data by using PKCS11KeyingDataProvider. You just need to configure it with the native PKCS#11 lib of your HSM.
The PrivateKey interface is just a marker interface for opaque key representations. When your using the PKCS#11 provider, returned PrivateKey instances are just handles (representatives) of the key, since the key material doesn't actually leave the HSM. The signature engine will be selected using delayed provider selection, accordingly to the PrivateKey provider, since this provider is the one that knows how to handle that specific PrivateKey. In this case, both the key and the signature value calculation are fully handled by the HSM.
XAdES4j's PKCS11KeyingDataProvider is just a wrapper around a Java KeyStore created from a specific PKCS#11 provider instance which is configured with the supplied native lib path.
OTHER TIPS
Simple browsing brought me to:
https://code.google.com/p/xades4j/wiki/DefiningKeyingData
There's a section about PKCS#11 there. Does that not work for you?
