I can get certificate from HSM device but it doesn't give me private key for signing. How can I sign xml file and what should I do with it?
Thanks for the help.
TEngineer,
Microsoft has a nice article here that will help you: https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-sign-xml-documents-with-digital-signatures
The key thing you need to understand is that the role of an HSM is to protect the private key; as such, it is largely not possible to export the private key.
The good news is that it is not necessary.
What Windows does is give you an abstraction for cryptographic algorithms that can be implemented by hardware devices like an HSM.
There are actually several of those abstractions; that said, the article I link to above points at the Cryptographic Service Provider (CSP).
The basic concept is that when you go to do the cryptographic operation it is remoted to the device which does the 'math' and returns the ciphertext.
On other platforms a different abstraction is used, called PKCS#11. If you were looking to write cross-platform code you would look at using a binding to that interface. Also, if you needed to do other operations with the HSM, you would look at using something like https://pkcs11interop.net/ to call that interface from C#.
Ryan
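To make the CSP/KSP abstraction concrete, here is an added C# example (not code from the thread or from the Microsoft article) showing the pattern the answer describes: the certificate is located in the Windows certificate store, `GetRSAPrivateKey()` hands back an RSA object that is only a handle to the key held by the HSM's provider, and `SignedXml` drives that handle to produce an enveloped XML-DSig signature. The thumbprint is a placeholder and the `<invoice>` document is constructed sample input; the example assumes the HSM vendor's CSP or KSP has registered the certificate in the `CurrentUser\My` store with its key on the device, and that the key is RSA.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example: signs an XML document with a private key that stays inside an HSM.
// Assumes the HSM's CSP/KSP exposes the certificate in CurrentUser\My (assumption).
class HsmXmlSigner
{
    // Placeholder only: replace with the real thumbprint of the HSM-backed certificate.
    const string Thumbprint = "THUMBPRINT_PLACEHOLDER";

    static X509Certificate2 FindSigningCert()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Signing certificate not found in the store.");
        return matches[0];
    }

    // Signs the document in place. The RSA object is a handle that forwards the
    // operation to the provider; no key material is ever read into the process.
    static void SignXml(XmlDocument doc, X509Certificate2 cert)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key handle (ECC key, or provider not installed).");

        var signedXml = new SignedXml(doc) { SigningKey = rsa };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Uri = "" references the whole document; the enveloped transform excludes
        // the <Signature> element itself from the digest.
        var reference = new Reference { Uri = "", DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // Embed the certificate so a verifier can find the public key and check the chain.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature(); // the HSM performs the RSA operation here
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verifies against the public key of the given certificate only.
    // Exactly one Signature element is required, so duplicated or missing signatures are rejected.
    static bool VerifyXml(XmlDocument doc, X509Certificate2 cert)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]!);
        return signedXml.CheckSignature(cert, verifySignatureOnly: true);
    }

    static void Main()
    {
        // Constructed sample document.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<invoice><id>42</id><total>100.00</total></invoice>");

        using var cert = FindSigningCert();
        SignXml(doc, cert);
        Console.WriteLine(doc.OuterXml);
        Console.WriteLine("Signature valid: " + VerifyXml(doc, cert));
    }
}
```

On .NET Core / .NET 5+ the `System.Security.Cryptography.Xml` package has to be added from NuGet; on .NET Framework it ships in the box. `verifySignatureOnly: true` deliberately skips chain building so the check tests only the cryptographic signature; a production verifier would additionally validate the embedded certificate's chain and revocation status against its own trust policy rather than trusting whatever `KeyInfo` carries.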