Can I use PKCS#11 to create a signature in a HSM?

Question

Can I configure XAdES4J to delegate the signature creation to a hardware-security-module (HSM) using a PKCS#11 infrastructure? If yes - how?

Infos on these sites let me assume, that only a key-transfer using PKCS#11 is possible:

• https://code.google.com/p/xades4j/wiki/DefiningKeyingData (the terms keying-data, -provider)
• http://code.google.com/p/xades4j/wiki/QeA (discussion of onur)
• http://xades4j.googlecode.com/svn/release/1.3.0/javadoc/reference/xades4j/providers/impl/KeyStoreKeyingDataProvider.html (Step 3: "Return the entry's private key")

Answer 1

As previously stated, you can use PKCS#11 keying data by using PKCS11KeyingDataProvider. You just need to configure it with the native PKCS#11 lib of your HSM.

The PrivateKey interface is just a marker interface for opaque key representations. When your using the PKCS#11 provider, returned PrivateKey instances are just handles (representatives) of the key, since the key material doesn't actually leave the HSM. The signature engine will be selected using delayed provider selection, accordingly to the PrivateKey provider, since this provider is the one that knows how to handle that specific PrivateKey. In this case, both the key and the signature value calculation are fully handled by the HSM.

XAdES4j's PKCS11KeyingDataProvider is just a wrapper around a Java KeyStore created from a specific PKCS#11 provider instance which is configured with the supplied native lib path.