Safenet HSM
Issue #371
invalid
https://connect2id.com/products/nimbus-jose-jwt/examples/pkcs11
Is it really possible to get the private key out of an HSM? How can JWS signing be done inside the HSM itself using the private key?
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.Provider;

    import com.nimbusds.jose.JWSAlgorithm;
    import com.nimbusds.jose.JWSHeader;
    import com.nimbusds.jose.JWSObject;
    import com.nimbusds.jose.JWSSigner;
    import com.nimbusds.jose.Payload;
    import com.nimbusds.jose.crypto.RSASSASigner;

    public class JwsSigninghsm {

        public String constructSignedPayload(String input) throws Exception {
            // The path to the HSM config file
            String configFile = "hsm-config.cfg";
            // Load the HSM as a Java crypto provider
            Provider hsmProvider = new sun.security.pkcs11.SunPKCS11(configFile);
            // Get a handle to the private RSA key for signing
            KeyStore hsmKeyStore = KeyStore.getInstance("PKCS11", hsmProvider);
            String userPin = "123456"; // The PIN to unlock the HSM (parameter)
            hsmKeyStore.load(null, userPin.toCharArray());
            String keyID = "1"; // The key identifier or alias
            String keyPin = ""; // Optional PIN to unlock the key
            PrivateKey privateKey = (PrivateKey) hsmKeyStore.getKey(keyID, keyPin.toCharArray());
            // Create an RSA signer and configure it to use the HSM
            // We can now RSA sign JWS
            Payload payload = new Payload(input); // create the payload
            JWSHeader jwsHeader = new JWSHeader(JWSAlgorithm.RS256); // create the header with RSASSA-SHA256
            JWSSigner signer = new RSASSASigner(privateKey); // RSASSASigner supports SHA-256
            signer.getJCAContext().setProvider(hsmProvider);
            final JWSObject jwsObject = new JWSObject(jwsHeader, payload);
            jwsObject.sign(signer); // sign the content
            String signedInput = jwsObject.serialize(); // [header-base64url].[payload-base64url].[signature-base64url]
            return signedInput;
        }
    }
Comments (1)
Yes, it is possible to sign a JWT with a private key stored in an HSM :)
This is what HSMs do; if they are not capable of performing such an operation, or allow the key to be extracted, then it's no HSM by definition.
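As an added example (not code from the issue or from the library), the same PKCS#11 setup with the two checks a practitioner would want: that the key object handed back by the SunPKCS11 provider exposes no encoded private material, and that the signature produced inside the token verifies against the public key of the certificate stored under the same alias. The config path, PIN and alias are assumed placeholders that must match the token.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;

public class HsmNonExtractableSignCheck {

    // Assumed placeholders: a SunPKCS11 config pointing at the HSM (or SoftHSM) module,
    // the user PIN, and the alias of an RSA key pair that has a certificate on the token.
    static final String CONFIG_FILE = "hsm-config.cfg";
    static final char[] USER_PIN = "123456".toCharArray();
    static final String KEY_ALIAS = "1";

    // Signs the JSON payload inside the HSM and verifies the result with the public key.
    static boolean signAndVerify(String json) throws Exception {
        Provider hsm = new sun.security.pkcs11.SunPKCS11(CONFIG_FILE);
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, USER_PIN);

        // The PrivateKey is only a handle: for sensitive/non-extractable PKCS#11 keys
        // the SunPKCS11 provider returns null from getEncoded(). A non-null value means
        // the token handed out key material, which a proper HSM must never do.
        PrivateKey priv = (PrivateKey) ks.getKey(KEY_ALIAS, null);
        if (priv.getEncoded() != null) {
            throw new IllegalStateException("private key material is extractable from the token");
        }

        // Setting the provider on the JCA context routes the RSA operation to the HSM
        JWSSigner signer = new RSASSASigner(priv);
        signer.getJCAContext().setProvider(hsm);
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256), new Payload(json));
        jws.sign(signer);

        // Only the public half leaves the token; use it to verify the HSM-produced signature
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);
        return jws.verify(new RSASSAVerifier((RSAPublicKey) cert.getPublicKey()));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(signAndVerify("{\"sub\":\"alice\"}") ? "signature verified" : "verification failed");
    }
}
```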