
Is there a way to create a PKCS#7 (S/MIME) signature with a PKCS#11 compliant HSM device (card reader) using pure PHP, i.e. without explicit shell command call, e.g. using PHP OpenSSL library or some other glue?

I can successfully create a PKCS#7 signature using CLI openssl with PKCS#11 engine like so:

<?php
putenv('PIN=' . $secret_card_pin);  // the card PIN reaches the pkcs11 engine through the environment (openssl.cnf reads it), not via the command line
// The same call as before, with the temp file paths shell-escaped so an unexpected character in a path cannot alter the command.
shell_exec("export PIN; OPENSSL_CONF=openssl.cnf openssl smime -sign -engine pkcs11 -md sha1 -binary -in " . escapeshellarg($tmpFileIn) . " -out " . escapeshellarg($tmpFileOut) . " -outform der -keyform engine -inkey id_ed0007 -signer pubcert.pem");

I want to clean this up, but it seems impossible using pure PHP because, as far as I can tell, the openssl_pkcs7_sign() function can only be used with a private key file, without any support for pkcs11-engine-provided keys. Am I missing something?

cprn

1 Answer


There is not. While there are PKCS#11 bindings for many languages, there is not one for PHP.

You would need this; then you could construct a PKCS#7 and sign it using that library.

Unfortunately, absent that, you will need to use a CLI.

rmhrisk
  • It's one of those rare moments when being right saddens me greatly. I'll wait a bit, though, before accepting this answer. Maybe someone comes up with a solution and we both will get a bit happier about being wrong. – cprn Dec 17 '17 at 00:01
  • A friend makes a PDF signing library in PHP; it's something we discuss regularly. I would like to say I am wrong, but I know I am not :) – rmhrisk Dec 17 '17 at 05:21
  • I looked for a few more days but couldn't overthrow your answer. Accepted. Unfortunately. Btw., PDF signing and XML signing seem similar (as far as we talk about PAdES and XAdES). Any chance the mentioned library will cover both subjects? – cprn Dec 19 '17 at 13:19
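Since the answer leaves the CLI as the only route, here is an added example (not code from the question or the answer) of wrapping that same openssl invocation more safely from PHP: the PIN and OPENSSL_CONF are passed only through the child's environment rather than the command line, every argument is escaped, and openssl's exit status and stderr are returned instead of being dropped. It assumes the question's openssl.cnf (with the pkcs11 engine reading PIN from the environment), key id and certificate file; the function name and the sha256 default digest are my own choices.

```php
<?php
// Added example, not from the question or answer: a safer PHP wrapper for
// "openssl smime -sign -engine pkcs11 ..." until PHP has PKCS#11 bindings.
// Assumes openssl.cnf configures the pkcs11 engine to take the PIN from
// the PIN environment variable, as in the question.
function pkcs7_sign_with_hsm(string $inFile, string $outFile, string $pin,
                             string $keyId = 'id_ed0007',          // from the question
                             string $signerCert = 'pubcert.pem',   // from the question
                             string $opensslConf = 'openssl.cnf',  // from the question
                             string $digest = 'sha256'): array     // question used sha1
{
    $cmd = implode(' ', [
        'openssl', 'smime', '-sign',
        '-engine', 'pkcs11',
        '-md', escapeshellarg($digest),
        '-binary',
        '-in', escapeshellarg($inFile),
        '-out', escapeshellarg($outFile),
        '-outform', 'der',
        '-keyform', 'engine',
        '-inkey', escapeshellarg($keyId),
        '-signer', escapeshellarg($signerCert),
    ]);
    // Secrets travel in the child's environment only, so they never
    // appear in the process list or in shell history.
    $env = [
        'PIN'          => $pin,
        'OPENSSL_CONF' => $opensslConf,
        'PATH'         => getenv('PATH') ?: '/usr/bin:/bin',
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        return ['ok' => false, 'status' => -1, 'stderr' => 'proc_open failed'];
    }
    fclose($pipes[0]);                       // openssl reads nothing from stdin here
    stream_get_contents($pipes[1]);          // stdout is empty when -out is used
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    // Only treat the signature as produced when openssl exited cleanly
    // AND a non-empty output file exists.
    $ok = ($status === 0) && is_file($outFile) && filesize($outFile) > 0;
    return ['ok' => $ok, 'status' => $status, 'stderr' => $stderr];
}

// Usage (paths and PIN variable are placeholders):
// $r = pkcs7_sign_with_hsm($tmpFileIn, $tmpFileOut, $secret_card_pin);
// if (!$r['ok']) { error_log("HSM signing failed ({$r['status']}): {$r['stderr']}"); }
```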