Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-3525

Do not use the HSM for hashing when signing data


    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.2.0
    • Component/s: PKI core
    • Labels:


      At present when signing some data, all data to be signed is sent to the HSM. The data is sent by one or several C_SignUpdate. The HSM adds each C_SignUpdate to the hash to be signed. The actual signing is done with the private key when C_SignFinal is received byt the HSM.
      If the size of the data to be signed is large then it will take a lot of time to transfer this data to the HSM. If it is a local HSM (PCI card) then this time might be neglected but still it might be faster to do the signing with the application since the hashing will be done faster by the computer than for the HSM in most cases. If the HSM is remote then it could be that it will take too long time to transfer data to the HSM to fulfill requirements.
      But if no mechanism exist in the HSM for a "hashing signing" algorithm then the hashing will be done by the provider on the computer and then the hash will be sent to the HSM that will do the signing. This will also be done if this algorithm is defined in the "don't use this mechanism list" in the configuration (disabledMechanisms).
      So this fix will just add all "hash sign" mechanisms of the HSM the disabledMechanisms in the default configuration.
      The clientToolBox HSM stress test will also be enhances with the option to test sign any file instead of just a short string in order to test this properly.


          Issue Links



              lars Lars Silvén
              lars Lars Silvén
              Verified by:
              Tomas Gustavsson
              0 Vote for this issue
              2 Start watching this issue