SignServer / DSS-1756

PKCS#11 support for authentication key in SignClient



      Currently SignClient can only use TLS client keys in JKS keystores (with recent Java versions PKCS#12 is also supported out of the box). Like with the (old) AdminGUI, it should be possible to have this key on hardware such as a smartcard or USB token/HSM etc.


      • Add "-keystoretype" option to SignClient which similarly to AdminGUI could have options JKS, (in future: Windows-MY) and PKCS11
        • (Future: The keystore path for Windows-MY would not be required or could be set to "NONE")
        • The keystore path for PKCS11 would be the path to the shared library file and the SunPKCS11 provider would be used
      • Add "-truststoretype" option which similarly to AdminGUI could have options like JKS, PEM, (in future: Windows-ROOT), "from keystore" / KEYSTORE
        • (Future: The truststore path for Windows-ROOT would not be required or could be set to "NONE")
        • The truststore path for "from keystore"/KEYSTORE would not be required or could be set to "NONE" and the keystore would be used as truststore
      • [-] Option for specifying which key entry to use. Already exists
      • If no key entry is chosen on the command line, the tool should prompt for which key entry to use. (Note that due to a bug in SunMSCAPI the key alias might be the same for multiple entries, so if possible we should display more info to distinguish between them and let the user choose not simply by key alias but maybe by number in the provided list.)
      • If PIN is not provided on the command line, it should be prompted for (without echoing the password).
      • [-] Optional slot (or slotListIndex?) flag (normally not required for smartcards but could help in testing when using an HSM emulator). Skipped. Instead -keystoretype PKCS11_CONFIG -keystore sunpkcs.cfg can be used to pass a SunPKCS11 config file where all options can be set.
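      As an added illustration (not SignServer's own code), the Java pieces the design above implies: opening the client key through SunPKCS11 from a config file, prompting for the PIN without echo, and listing key entries with certificate details so the user can pick one by number. The config-file path, the class name and the Java 9+ Provider.configure call are assumptions; on Java 8 the sun.security.pkcs11.SunPKCS11(String) constructor plays that role.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

public class Pkcs11ClientKeyExample { // hypothetical class, not part of SignClient

    // "-keystoretype PKCS11_CONFIG -keystore sunpkcs.cfg": the path is a SunPKCS11 config file
    // (library=..., slotListIndex=...). Provider.configure is Java 9+; Java 8 uses new sun.security.pkcs11.SunPKCS11(path).
    static KeyStore loadPkcs11(String configPath, char[] pin) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(configPath);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin); // the token PIN is given as the keystore password
        return ks;
    }

    // Numbered entries with subject/serial, since aliases alone may collide (SunMSCAPI note above).
    static List<String> listKeyEntries(KeyStore ks) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            aliases.add(alias);
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String detail = cert == null ? "(no certificate)" : "subject=" + cert.getSubjectX500Principal()
                    + " serial=" + cert.getSerialNumber().toString(16);
            System.out.printf("%d) %s %s%n", aliases.size(), alias, detail);
        }
        return aliases; // index + 1 is the number shown to the user
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) throw new IllegalStateException("interactive terminal required");
        char[] pin = console.readPassword("PIN: "); // prompted without echo
        try {
            KeyStore ks = loadPkcs11(args[0], pin); // args[0]: path to the SunPKCS11 config file
            List<String> aliases = listKeyEntries(ks);
            int n = Integer.parseInt(console.readLine("Key entry [1-%d]: ", aliases.size()));
            System.out.println("Selected key entry: " + aliases.get(n - 1));
        } finally {
            Arrays.fill(pin, '\0'); // wipe the PIN once the keystore is open
        }
    }
}
```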


      • See the code in AdminGUI with similar functionality.
      • First test with HSM emulator
      • Later test with the real smart cards. Do not lock the PIN (3 attempts)!
      • Systemtests using HSM emulator



      • [✔] MK: Migrate code from AdminGUI to SignClient
      • [✔] MK: Add the flags/options (see above)
      • [✔] ML: Add commented example for JAVA_OPTS to run with TLSv1.1
      • [✔] ML: Document error message and solution for the Java RSASSA-PSS/TLS issue in the troubleshooting chapter
      • [✔] ML: Test with HSM emulator (remember also batch mode with multiple files and multiple threads) (tested with Eracom, using 1000 infiles in batch mode, both default 1 thread and with 20 threads, using Java 8 and Java 11)
      • [/] VS: Create PKCS#11 system tests. Test for keyaliasprompt broken out to its own ticket: DSS-2000
      • [✔] MK: Write delivery/manual test procedures
      • [✔] ML: Final testing with customer smart cards (tested the smartcards with Java 8 and Java 11, using TLSv1.1 workaround when both server and signclient use Java 11).
      • [✔] ML: Test the test cases in the delivery document (tested the SignClient P11 case with Smartcard reader in Windows and Eracom emulator in Linux)


      Guestimate max 5d.





              vinays Vinay Singh (Inactive)
              markus Markus Kilås
              Verified by:
              Marcus Lundblad



                  Time Tracking

                  Original Estimate - 1 week
                  Remaining Estimate - 0 minutes
                  Time Spent - 3 days, 1 hour, 24 minutes