
Can I configure XAdES4J to delegate the signature creation to a hardware security module (HSM) using a PKCS#11 infrastructure? If yes, how?

The information on these sites led me to assume that only a key transfer using PKCS#11 is possible:

leppie
Andy

2 Answers

As previously stated, you can use PKCS#11 keying data by using PKCS11KeyingDataProvider. You just need to configure it with the native PKCS#11 lib of your HSM.

The PrivateKey interface is just a marker interface for opaque key representations. When you're using the PKCS#11 provider, returned PrivateKey instances are just handles (representatives) of the key, since the key material doesn't actually leave the HSM. The signature engine will be selected using delayed provider selection, according to the PrivateKey's provider, since this provider is the one that knows how to handle that specific PrivateKey. In this case, both the key and the signature value calculation are fully handled by the HSM.

XAdES4j's PKCS11KeyingDataProvider is just a wrapper around a Java KeyStore created from a specific PKCS#11 provider instance which is configured with the supplied native lib path.

lgoncalves
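Added illustration of the mechanism this answer describes, written in plain JCA against the SunPKCS11 provider (it is not code from XAdES4j or from the answer's author): the PrivateKey obtained from the PKCS#11-backed KeyStore is an opaque handle with no encoded material, and delayed provider selection routes the signing operation to the PKCS#11 provider, so the HSM computes the signature value. The native library path, key alias and HSM_PIN environment variable are assumptions to adjust for your token.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Signs inside the HSM through the JCA PKCS#11 provider; the key never leaves the token. */
public class Pkcs11SignDemo {

    // Assumed values: point these at your HSM's PKCS#11 library and the alias of the signing key.
    static final String NATIVE_LIB = "/usr/lib/softhsm/libsofthsm2.so";
    static final String KEY_ALIAS = "signing-key";

    public static void main(String[] args) throws Exception {
        // SunPKCS11 reads its settings from a small config file; "name" and "library" are mandatory.
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfg, ("name = HsmDemo\nlibrary = " + NATIVE_LIB + "\n").getBytes("UTF-8"));
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg.toString()); // Java 9+ API
        Security.addProvider(p11);

        // The KeyStore is backed by the token; the user PIN acts as the key store password.
        String env = System.getenv("HSM_PIN"); // assumed variable; falls back to an interactive prompt
        char[] pin = env != null ? env.toCharArray() : System.console().readPassword("HSM PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        Arrays.fill(pin, '\0');

        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);

        // Opaque handle: the application has no access to the key material.
        System.out.println("key class = " + key.getClass().getName());
        System.out.println("key.getEncoded() == null ? " + (key.getEncoded() == null));

        // Delayed provider selection: no provider is named here; initSign() picks the provider
        // that can handle this PrivateKey, i.e. the PKCS#11 provider, so the HSM does the signing.
        byte[] data = "data to be signed".getBytes("UTF-8");
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        byte[] value = sig.sign();
        System.out.println("signature computed by provider: " + sig.getProvider().getName());

        // Verification needs only the public certificate and can run in any software provider.
        Signature ver = Signature.getInstance("SHA256withRSA");
        ver.initVerify(cert);
        ver.update(data);
        System.out.println("verifies: " + ver.verify(value));
    }
}
```

XAdES4j's PKCS11KeyStoreKeyingDataProvider performs the same KeyStore setup internally and hands the resulting PrivateKey to its signing engine, so the signature value is produced by the HSM just as in this stand-alone run.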

Simple browsing brought me to:

https://code.google.com/p/xades4j/wiki/DefiningKeyingData

There's a section about PKCS#11 there. Does that not work for you?

Martin Paljak
  • The info on the pointed wiki page should be enough. In addition, check the java docs for the PKCS11KeyingDataProvider (http://xades4j.googlecode.com/svn/release/1.3.0/javadoc/reference/xades4j/providers/impl/PKCS11KeyStoreKeyingDataProvider.html). – lgoncalves Oct 22 '12 at 21:27
  • It seemed to me that only key transfer is possible, not signature creation in a crypto module. I rephrased my question. **Is signature creation within an HSM possible?** (i.e. the application does not know about the private key) – Andy Oct 23 '12 at 11:15