JackNJI11CryptoToken

Enterprise Edition: This is a SignServer Enterprise Edition (EE) feature.

Overview

Crypto token that talks to the HSM over PKCS#11, but through a different provider (JackNJI11) than the SunPKCS11 provider used by, for instance, the regular PKCS11CryptoToken. It is selected by setting the following worker property:

CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.p11ng.common.cryptotoken.JackNJI11CryptoToken

Available Properties

Each property is listed below with its description.

DEFAULTKEY

Alias of the key in the HSM slot that the token uses by default. Required.

PIN

PIN (authentication code) used to activate the token. Required only for auto-activation; if omitted, the token must be activated manually. Note that a PIN set here is stored as part of the worker configuration.

SHAREDLIBRARYNAME

Name of a predefined PKCS#11 library to use. The available library names are configured in signserver_deploy.properties. Required.

SLOTLABELTYPE

Indicates how the slot is identified. Supported values are SLOT_NUMBER and SLOT_INDEX. Required.

SLOTLABELVALUE

The slot to use, identified with the type specified in SLOTLABELTYPE:

  • SLOT_NUMBER is the number (ID) of the slot

  • SLOT_INDEX is the zero-based index of the slot in the list of available slots as returned by the PKCS#11 library; that order can change when slots are added or removed, so SLOT_NUMBER is the more stable choice

Required.

Warning: SLOT_LABEL is currently not supported.

ATTRIBUTE.x.y.z

Specifies a PKCS#11 attribute to set when generating a key.

Where x is the object class: PUBLIC or PRIVATE.
Where y is the key type: RSA, ECDSA, etc.
Where z is the attribute name, or its ID as a decimal number or as a hexadecimal number prefixed with "0x". The exception is CKA_ALLOWED_MECHANISMS, which currently must be given by name and cannot be specified in decimal or hexadecimal form; the mechanisms in its value can be given by name or as decimal or hexadecimal numbers.

Examples:

ATTRIBUTE.PUBLIC.RSA.CKA_ENCRYPT = false
ATTRIBUTE.PUBLIC.RSA.CKA_VERIFY = false
ATTRIBUTE.PUBLIC.RSA.CKA_WRAP = false
ATTRIBUTE.PRIVATE.RSA.CKA_SIGN = true
ATTRIBUTE.PRIVATE.RSA.CKA_PRIVATE = true
ATTRIBUTE.PRIVATE.RSA.CKA_SENSITIVE = true
ATTRIBUTE.PRIVATE.RSA.CKA_EXTRACTABLE = false
ATTRIBUTE.PRIVATE.RSA.CKA_DECRYPT = false
ATTRIBUTE.PRIVATE.RSA.CKA_UNWRAP = false
ATTRIBUTE.PRIVATE.RSA.0X0000010C=FALSE
ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, 0x00000043, CKM_RSA_PKCS_PSS

In this example the private key is confined to the HSM (CKA_SENSITIVE=true, CKA_EXTRACTABLE=false) and limited to signing (CKA_SIGN=true, with CKA_DECRYPT and CKA_UNWRAP false). The numeric entries are PKCS#11 constants: 0x0000010C is the ID of CKA_DERIVE, and 0x00000043 in the CKA_ALLOWED_MECHANISMS list is CKM_SHA256_RSA_PKCS_PSS, so the last line restricts the key to the four listed mechanisms.

USE_CACHE

Specifies whether key and certificate search results from the HSM are cached. Caching avoids the large number of find-object requests that some PKCS#11 implementations handle poorly under high load. Optional, default true.

Secret Key generation

If generating a secret key through the JackNJI11CryptoToken, the algorithm name can be supplied in the following ways. See also Crypto Token Generate Key Page.

Standard Java Name

Example: AES, DES.

If the key algorithm name is not in the predefined list of known secret-key algorithms, it must be given with the prefix "SEC:", for example SEC:Blowfish. Currently the list contains the algorithms AES and DES (DES is listed for completeness and is not a suitable choice for new keys).

CKM Long value

Example: SEC:4224. Here 4224 is the decimal value of the CKM_AES_KEY_GEN mechanism constant (0x1080) from the PKCS#11 specification, given with the "SEC:" prefix.

CKM Hexadecimal value

Example: SEC:0x00001080. Here 0x00001080 is the hexadecimal value of the CKM_AES_KEY_GEN mechanism constant from the PKCS#11 specification, given with the "SEC:" prefix.
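As an added example (not SignServer's own code), the following Python script pre-checks a worker configuration built from the properties above before it is loaded: it verifies the required properties and the supported SLOTLABELTYPE values, decodes each ATTRIBUTE.x.y.z key the way this page describes (attribute by name, decimal or 0x-hex ID; CKA_ALLOWED_MECHANISMS accepted only by name, while its mechanism list may mix names and numbers), flags a private key that is extractable or not sensitive, and resolves the three spellings of a secret-key algorithm from the Secret Key generation section. The embedded properties are constructed: the WORKERGENID1 prefix, TYPE=CRYPTO_WORKER and the CryptoWorker implementation class follow SignServer's worker properties conventions, and SHAREDLIBRARYNAME=SoftHSM assumes such a library is defined in signserver_deploy.properties. The PKCS#11 constant values are taken from the PKCS#11 v2.40 specification.

```python
"""Offline pre-check for a JackNJI11CryptoToken worker configuration (added
example, not SignServer code): verifies required properties, decodes
ATTRIBUTE.x.y.z keys, flags exportable private keys, resolves SEC: specs."""
import re

# Constructed sample. The WORKERGENID1 prefix, TYPE and CryptoWorker class follow
# SignServer's properties-file conventions; SoftHSM assumes a matching entry in
# signserver_deploy.properties. CKA_EXTRACTABLE=true is the deliberate weak line.
SAMPLE_CONFIG = """
WORKERGENID1.NAME=CryptoTokenP11NG1
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.p11ng.common.cryptotoken.JackNJI11CryptoToken
WORKERGENID1.SHAREDLIBRARYNAME=SoftHSM
WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX
WORKERGENID1.SLOTLABELVALUE=0
WORKERGENID1.DEFAULTKEY=signKey0001
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_SENSITIVE=true
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_EXTRACTABLE=true
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.0x0000010C=false
WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS, 0x00000043
"""
REQUIRED = ("DEFAULTKEY", "SHAREDLIBRARYNAME", "SLOTLABELTYPE", "SLOTLABELVALUE")
SLOT_TYPES = ("SLOT_NUMBER", "SLOT_INDEX")  # SLOT_LABEL is not supported
# Subset of PKCS#11 v2.40 constants (values as defined in the specification).
CKA = {"CKA_PRIVATE": 0x002, "CKA_SENSITIVE": 0x103, "CKA_ENCRYPT": 0x104,
       "CKA_DECRYPT": 0x105, "CKA_WRAP": 0x106, "CKA_UNWRAP": 0x107,
       "CKA_SIGN": 0x108, "CKA_VERIFY": 0x10A, "CKA_DERIVE": 0x10C,
       "CKA_EXTRACTABLE": 0x162, "CKA_ALLOWED_MECHANISMS": 0x600}
CKM = {"CKM_RSA_PKCS": 0x1, "CKM_RSA_PKCS_PSS": 0xD, "CKM_SHA256_RSA_PKCS": 0x40,
       "CKM_SHA256_RSA_PKCS_PSS": 0x43, "CKM_DES_KEY_GEN": 0x120, "CKM_AES_KEY_GEN": 0x1080}
SECRET_KEY_NAMES = {"AES": CKM["CKM_AES_KEY_GEN"], "DES": CKM["CKM_DES_KEY_GEN"]}
HEX = re.compile(r"0[xX][0-9A-Fa-f]+")

def parse_id(token, table):
    """Resolve a constant name, a decimal number or a 0x-prefixed hex number."""
    t = token.strip()
    if t.upper() in table:
        return table[t.upper()]
    if HEX.fullmatch(t) or t.isdigit():
        return int(t, 16 if HEX.fullmatch(t) else 10)
    raise ValueError(f"unknown identifier {t!r}")

def parse_attribute_key(key):
    """'ATTRIBUTE.PRIVATE.RSA.CKA_SIGN' -> ('PRIVATE', 'RSA', 0x108)."""
    parts = key.split(".", 3)
    if len(parts) != 4 or parts[0] != "ATTRIBUTE" or parts[1] not in ("PUBLIC", "PRIVATE"):
        raise ValueError("expected ATTRIBUTE.<PUBLIC|PRIVATE>.<keytype>.<attribute>")
    attr_id = parse_id(parts[3], CKA)
    if attr_id == CKA["CKA_ALLOWED_MECHANISMS"] and parts[3].upper() != "CKA_ALLOWED_MECHANISMS":
        raise ValueError("CKA_ALLOWED_MECHANISMS cannot be given in numeric form")
    return parts[1], parts[2], attr_id

def load_worker_properties(text):
    """KEY=VALUE lines ('#' comments skipped) with the WORKERxxx. prefix dropped."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            key = key.strip()
            if key.upper().startswith("WORKER") and "." in key:
                key = key.split(".", 1)[1]  # WORKERGENID1.DEFAULTKEY -> DEFAULTKEY
            props[key] = value.strip()
    return props

def check_config(text):
    """Return a list of findings; an empty list means every check passed."""
    props = load_worker_properties(text)
    findings = [f"missing required property {n}" for n in REQUIRED if n not in props]
    if props.get("SLOTLABELTYPE") not in SLOT_TYPES:
        findings.append("SLOTLABELTYPE must be SLOT_NUMBER or SLOT_INDEX")
    for key, value in props.items():
        if not key.startswith("ATTRIBUTE."):
            continue
        try:
            cls, ktype, aid = parse_attribute_key(key)
            if aid == CKA["CKA_ALLOWED_MECHANISMS"]:
                for mech in value.split(","):  # each entry: name, decimal or hex
                    parse_id(mech, CKM)
        except ValueError as err:
            findings.append(f"{key}: {err}")
            continue
        # An extractable or non-sensitive private key can leave the HSM in the clear.
        weak = ((aid == CKA["CKA_EXTRACTABLE"] and value.lower() == "true")
                or (aid == CKA["CKA_SENSITIVE"] and value.lower() == "false"))
        if cls == "PRIVATE" and weak:
            findings.append(f"{key}={value}: private {ktype} key is not confined to the HSM")
    return findings

def resolve_secret_key_algorithm(spec):
    """Map a generate-key algorithm string to ('mechanism', CKM id) or ('name', str)."""
    if spec.upper() in SECRET_KEY_NAMES:
        return "mechanism", SECRET_KEY_NAMES[spec.upper()]
    if not spec.upper().startswith("SEC:"):
        raise ValueError(f"{spec!r} is not in the known list; write it as SEC:{spec}")
    body = spec[4:]
    if HEX.fullmatch(body) or body.isdigit():
        return "mechanism", int(body, 16 if HEX.fullmatch(body) else 10)
    return "name", body  # e.g. SEC:Blowfish, passed to the provider by name
```

Running check_config on the sample reports exactly one finding, the deliberately weak CKA_EXTRACTABLE=true line; changing it to false clears the report, and setting SLOTLABELTYPE to SLOT_LABEL is rejected as unsupported. The same functions can be pointed at your own properties file before it is loaded with the admin CLI.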

Known Limitations

  • Multiple different CA certificates with the same subject DN cannot be stored in the token (see DSS-1544).

  • Changes made in an HSM slot from a different process (that is, outside the application server) might not be visible within SignServer until the application server is restarted. To use new key pairs directly, generate the keys from within SignServer.