Can I configure XAdES4J to delegate the signature creation to a hardware-security-module (HSM) using a PKCS#11 infrastructure? If yes - how?
Info on these sites leads me to assume that only a key transfer using PKCS#11 is possible:
- https://code.google.com/p/xades4j/wiki/DefiningKeyingData (the terms keying-data, -provider)
- http://code.google.com/p/xades4j/wiki/QeA (discussion of onur)
- http://xades4j.googlecode.com/svn/release/1.3.0/javadoc/reference/xades4j/providers/impl/KeyStoreKeyingDataProvider.html (Step 3: "Return the entry's private key")
As previously stated, you can use PKCS#11 keying data by using PKCS11KeyingDataProvider. You just need to configure it with the native PKCS#11 lib of your HSM.
The `PrivateKey` interface is just a marker interface for opaque key representations. When you're using the PKCS#11 provider, returned `PrivateKey` instances are just handles (representatives) of the key, since the key material doesn't actually leave the HSM. The signature engine will be selected using delayed provider selection, according to the `PrivateKey` provider, since this provider is the one that knows how to handle that specific `PrivateKey`. In this case, both the key and the signature value calculation are fully handled by the HSM.

XAdES4j's `PKCS11KeyingDataProvider` is just a wrapper around a Java `KeyStore` created from a specific PKCS#11 provider instance which is configured with the supplied native lib path.
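An added example, not code from the question, the answer, or the XAdES4j project, that puts the two layers of the answer side by side. Part 1 is plain JDK: a SunPKCS11 provider is built from the HSM's native PKCS#11 library, a `KeyStore` of type `PKCS11` is opened, the `PrivateKey` it returns is checked to be a handle with no exportable encoding, and `Signature.getInstance()` is called without naming a provider so that delayed provider selection routes the operation to the provider owning the key. Part 2 wires the same token into xades4j through `PKCS11KeyingDataProvider`. Assumptions (all hypothetical, adjust for your environment): the library path, the PIN, the key label, Java 9+ for `Provider.configure()` (on Java 8 build the provider with `new sun.security.pkcs11.SunPKCS11(InputStream)` instead), and the 1.3.x constructor argument order of `PKCS11KeyingDataProvider`, which should be verified against the javadoc linked in the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;

import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

import xades4j.production.DataObjectReference;
import xades4j.production.SignedDataObjects;
import xades4j.production.XadesBesSigningProfile;
import xades4j.production.XadesSigner;
import xades4j.providers.KeyingDataProvider;
import xades4j.providers.impl.DirectPasswordProvider;
import xades4j.providers.impl.FirstCertificateSelector;
import xades4j.providers.impl.PKCS11KeyingDataProvider;

public class HsmSigningExample {

    // Assumed values: a SoftHSM2 library path, its user PIN and the key label.
    static final String PKCS11_LIB = "/usr/lib/softhsm/libsofthsm2.so";
    static final String PIN = "1234";
    static final String ALIAS = "signing-key";

    /** Part 1: what a PKCS#11 KeyStore hands back and where the signing runs. */
    static byte[] signWithJdk(byte[] data) throws Exception {
        // Inline SunPKCS11 config: a leading "--" means "config text", not a file path.
        String cfg = "--name=HsmExample\nlibrary=" + PKCS11_LIB + "\n";
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p11);

        // load(null, pin) logs in to the token; no file is read from disk.
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, PIN.toCharArray());

        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, PIN.toCharArray());
        // A SunPKCS11 key object is a handle. getEncoded() is null for
        // sensitive/non-extractable token keys; bytes here mean the key was
        // generated extractable, which defeats the point of using the HSM.
        if (key.getEncoded() != null) {
            throw new IllegalStateException("private key is extractable from the token");
        }

        // No provider named: the JCA inspects the key object and selects the
        // provider that owns it (delayed provider selection), so the RSA
        // operation is executed inside the HSM.
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(data);
        byte[] value = sig.sign();

        // Self-check with the public certificate stored next to the key.
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        Signature verify = Signature.getInstance("SHA256withRSA");
        verify.initVerify(cert);
        verify.update(data);
        if (!verify.verify(value)) {
            throw new IllegalStateException("HSM signature did not verify");
        }
        return value;
    }

    /** Part 2: the same token used as keying data for an XAdES-BES signature. */
    static Document signWithXades4j() throws Exception {
        // Constructor order assumed from the 1.3.x API (verify against the javadoc):
        // native lib, provider name, certificate selector, key store password,
        // key entry password, return full chain. A distinct provider name is used
        // so it does not collide with the instance created in Part 1.
        KeyingDataProvider kdp = new PKCS11KeyingDataProvider(
                PKCS11_LIB, "HsmExampleXades",
                new FirstCertificateSelector(),
                new DirectPasswordProvider(PIN),
                new DirectPasswordProvider(PIN),
                false);

        // Constructed sample document: <root><data Id="data">payload</data></root>
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element root = doc.createElement("root");
        Element data = doc.createElement("data");
        data.setAttribute("Id", "data");
        data.setIdAttribute("Id", true); // lets the "#data" reference resolve
        data.setTextContent("payload");
        root.appendChild(data);
        doc.appendChild(root);

        // The profile pulls the certificate from the token for SigningCertificate;
        // the SignatureValue is computed through the PrivateKey handle, i.e. in the HSM.
        XadesSigner signer = new XadesBesSigningProfile(kdp).newSigner();
        signer.sign(new SignedDataObjects(new DataObjectReference("#data")), root);
        return doc; // ds:Signature is appended to <root>
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = signWithJdk("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("raw RSA signature length: " + raw.length);
        Document signed = signWithXades4j();
        System.out.println("ds:Signature elements: " + signed.getElementsByTagNameNS(
                "http://www.w3.org/2000/09/xmldsig#", "Signature").getLength());
    }
}
```

The extractability check in Part 1 is the practical test for "the key never leaves the HSM": if `getEncoded()` returns bytes, the key was created with the PKCS#11 extractable attribute set and should be regenerated on the token as sensitive and non-extractable before it is used for signing.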