Question

I have written a program to sign an XML file using the Digital Signature API provided by Java (i.e., classes from the javax.xml.crypto.dsig package). But to sign an XML document, the private key has to be provided to create a signing context, before specifying a digest, as in the statement below.

DOMSignContext dsc = new DOMSignContext(priv_key, doc.getDocumentElement());

I want to sign the XML when I store the private key in secure storage like an HSM. I have wrapper classes to access the HSM in Java, so I can get a handle for the private key, but I do not know how to use it for signing.

Can anyone guide me on how to sign XML in this way...


Solution

Signing is supported by the PKCS#11 provider that is delivered by Oracle. You may currently have a C-style handle in the wrapper class, but that is not much use. The handle must be within a JCA provider to be used with the XML signing classes. And the provider must be signed by an Oracle-provided code signing certificate.

To use the private key with the PKCS#11 provider, make sure that a certificate with the same ID is present in the PKCS#11 token. That way the combined private key/certificate entry will show up in the "PKCS11" KeyStore. You can use that to sign the XML data.
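The flow described in the answer, as an added example that is not part of the original answer: it loads the "PKCS11" KeyStore through the SunPKCS11 provider and passes the token-resident key to `DOMSignContext`. Assumptions: Java 11 or later, an RSA key, a terminal for the PIN prompt, and a hypothetical config file, alias and file names supplied as arguments.

```java
import java.io.File;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
public class HsmXmlSigner {
    // args: <pkcs11.cfg> <key alias> <in.xml> <out.xml>  (all hypothetical names)
    // pkcs11.cfg, constructed sample with a placeholder library path:
    //   name = hsm        library = /path/to/vendor-pkcs11.so   (one setting per line)
    public static void main(String[] args) throws Exception {
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p11);
        char[] pin = System.console().readPassword("Token PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        java.util.Arrays.fill(pin, '\0');
        // The PrivateKey is only a reference to the token object; key material stays in the HSM.
        PrivateKey key = (PrivateKey) ks.getKey(args[1], null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        if (key == null || cert == null) throw new KeyStoreException("no key/cert entry: " + args[1]);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Document doc = dbf.newDocumentBuilder().parse(new File(args[2]));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.RSA_SHA256, null), List.of(ref)); // assumes RSA key
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(List.of(kif.newX509Data(List.of(cert))));
        // Same constructor as in the question; JCA's delayed provider selection sends the
        // signing operation to the provider that owns the key, i.e. the PKCS#11 token.
        DOMSignContext dsc = new DOMSignContext(key, doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(dsc);
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(new File(args[3])));
    }
}
```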

Licensed under: CC-BY-SA with attribution