EJBCA / ECA-3525

Do not use the HSM for hashing when signing data

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.2.0
    • Component/s: PKI core
    • Labels: None

      Description

      At present, when signing some data, all of the data to be signed is sent to the HSM in one or several C_SignUpdate calls. The HSM adds each C_SignUpdate to the hash to be signed, and the actual signing with the private key is done when C_SignFinal is received by the HSM.

      If the data to be signed is large, transferring it to the HSM takes a lot of time. With a local HSM (PCI card) this time might be negligible, but signing may still be faster if the application does the hashing, since in most cases the computer hashes faster than the HSM. With a remote HSM, the transfer to the HSM could take too long to fulfill requirements.

      If no "hash sign" mechanism exists in the HSM, the hashing is done by the provider on the computer and only the hash is sent to the HSM, which does the signing. The same happens if the mechanism is listed in the "don't use this mechanism" list in the configuration (disabledMechanisms).

      So this fix will just add all "hash sign" mechanisms of the HSM to disabledMechanisms in the default configuration.

      The clientToolBox HSM stress test will also be enhanced with an option to sign any file, instead of just a short string, in order to test this properly.
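The two signing paths described above, as an added example that is not part of this issue or of EJBCA's code: a mock PKCS#11 token counts the bytes that cross into the "HSM", and a provider-side function chooses between streaming the data with C_SignUpdate (hash-sign mechanism such as CKM_SHA256_RSA_PKCS) or hashing locally and sending only the DER DigestInfo to a raw CKM_RSA_PKCS operation, which is what listing the hash-sign mechanisms in disabledMechanisms causes. The DigestInfo prefixes are the real RFC 8017 values; the mapping from Java algorithm names to mechanisms, the chunk size, and the HMAC stand-in for the private-key operation (not RSA, no PKCS#1 padding) are assumptions of this example. The point it shows is that both paths feed the same encoded hash to the key operation, so the signature bytes are identical while the raw path transfers only a few dozen bytes regardless of input size.

```python
import hashlib
import hmac

# DigestInfo DER prefixes from RFC 8017, section 9.2 (real values).
DIGEST_INFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
}

# Java algorithm name -> (hash name, PKCS#11 "hash sign" mechanism). Assumed mapping.
HASH_SIGN_MECHANISMS = {
    "SHA256withRSA": ("sha256", "CKM_SHA256_RSA_PKCS"),
    "SHA1withRSA": ("sha1", "CKM_SHA1_RSA_PKCS"),
}
RAW_MECHANISM = "CKM_RSA_PKCS"


class MockHsm:
    """Stand-in for a PKCS#11 token that counts bytes crossing into the HSM.

    The private-key operation is simulated with HMAC over a constructed secret;
    it is not RSA and performs no PKCS#1 padding. It only has to be a
    deterministic function of the bytes the token is asked to sign.
    """

    def __init__(self, secret: bytes, supported: set[str]):
        self._secret = secret
        self.supported = supported
        self.bytes_received = 0  # payload bytes sent over C_Sign* calls
        self._mech = None
        self._hasher = None

    def _key_op(self, encoded: bytes) -> bytes:
        return hmac.new(self._secret, encoded, "sha256").digest()

    def c_sign_init(self, mechanism: str) -> None:
        if mechanism not in self.supported:
            raise ValueError(f"token does not support {mechanism}")
        self._mech = mechanism
        if mechanism != RAW_MECHANISM:
            hash_name = next(h for h, m in HASH_SIGN_MECHANISMS.values() if m == mechanism)
            self._hasher = hashlib.new(hash_name)

    def c_sign_update(self, part: bytes) -> None:
        # Multi-part signing: every byte of the input travels to the token.
        self.bytes_received += len(part)
        self._hasher.update(part)

    def c_sign_final(self) -> bytes:
        # The token finishes the hash, wraps it in DigestInfo and signs.
        encoded = DIGEST_INFO_PREFIX[self._hasher.name] + self._hasher.digest()
        self._mech, self._hasher = None, None
        return self._key_op(encoded)

    def c_sign(self, encoded: bytes) -> bytes:
        # Single-part raw mechanism: the caller already hashed and DER-wrapped.
        assert self._mech == RAW_MECHANISM
        self.bytes_received += len(encoded)
        self._mech = None
        return self._key_op(encoded)


def provider_sign(hsm: MockHsm, disabled_mechanisms: set[str],
                  algorithm: str, data: bytes, chunk: int = 4096) -> bytes:
    """Mimics the provider's choice between the two signing paths."""
    hash_name, mech = HASH_SIGN_MECHANISMS[algorithm]
    if mech in hsm.supported and mech not in disabled_mechanisms:
        # Path 1: stream the whole input to the token with C_SignUpdate.
        hsm.c_sign_init(mech)
        for i in range(0, len(data), chunk):
            hsm.c_sign_update(data[i:i + chunk])
        return hsm.c_sign_final()
    # Path 2: hash in software, send only DigestInfo(hash) to the token.
    digest = hashlib.new(hash_name, data).digest()
    hsm.c_sign_init(RAW_MECHANISM)
    return hsm.c_sign(DIGEST_INFO_PREFIX[hash_name] + digest)


def compare_paths(data: bytes, algorithm: str = "SHA256withRSA") -> dict:
    """Sign the same data both ways and report signature equality and transfer size."""
    secret = b"constructed-demo-secret"  # constructed, stands in for the private key
    supported = {RAW_MECHANISM} | {m for _, m in HASH_SIGN_MECHANISMS.values()}
    hsm_hashing = MockHsm(secret, supported)
    sig_in_hsm = provider_sign(hsm_hashing, set(), algorithm, data)
    hsm_raw = MockHsm(secret, supported)
    disabled = {m for _, m in HASH_SIGN_MECHANISMS.values()}  # the fix's default config
    sig_local = provider_sign(hsm_raw, disabled, algorithm, data)
    return {
        "same_signature": sig_in_hsm == sig_local,
        "bytes_to_hsm_hash_in_hsm": hsm_hashing.bytes_received,
        "bytes_to_hsm_hash_local": hsm_raw.bytes_received,
    }


if __name__ == "__main__":
    sample = b"constructed sample payload\n" * 10000  # constructed ~270 KB input
    print(compare_paths(sample))
```

With the hash-sign mechanisms disabled, the token receives 51 bytes for SHA-256 (19-byte DigestInfo prefix plus 32-byte digest) whatever the input size, whereas the in-HSM path receives the entire input; an empty input still works on both paths.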


      People

      Assignee: Lars Silvén
      Reporter: Lars Silvén
      Verified by: Tomas Gustavsson
      Votes: 0
      Watchers: 2
