Safenet HSM

Issue #371 invalid
Former user created an issue

https://connect2id.com/products/nimbus-jose-jwt/examples/pkcs11

Is it really possible to get the private key out of the HSM? How can JWS signing be done inside the HSM itself using the private key?

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;

public class JwsSigninghsm {

    public String constructSignedPayload(String input) throws Exception {
        // The path to the HSM config file (make this a parameter in real code)
        String configFile = "hsm-config.cfg";

        // Load the HSM as a Java crypto provider (Java 8 constructor; on Java 9+ use
        // Security.getProvider("SunPKCS11").configure(configFile) instead)
        Provider hsmProvider = new sun.security.pkcs11.SunPKCS11(configFile);

        // Get a handle to the private RSA key for signing. The key material itself
        // stays inside the HSM; the PrivateKey object is only a reference to it.
        KeyStore hsmKeyStore = KeyStore.getInstance("PKCS11", hsmProvider);
        String userPin = "123456"; // The PIN to unlock the HSM (make this a parameter)
        hsmKeyStore.load(null, userPin.toCharArray());
        String keyID = "1";  // The key identifier or alias
        String keyPin = "";  // Optional PIN to unlock the key
        PrivateKey privateKey = (PrivateKey) hsmKeyStore.getKey(keyID, keyPin.toCharArray());

        // Create an RSA signer and point it at the HSM provider, so the RS256
        // signature is computed inside the HSM rather than in the JVM
        Payload payload = new Payload(input);
        JWSHeader jwsHeader = new JWSHeader(JWSAlgorithm.RS256);
        JWSSigner signer = new RSASSASigner(privateKey); // RSASSASigner supports RS256 (RSA + SHA-256)
        signer.getJCAContext().setProvider(hsmProvider);
        JWSObject jwsObject = new JWSObject(jwsHeader, payload);
        jwsObject.sign(signer);
        // Compact serialisation: [header-base64url].[payload-base64url].[signature-base64url]
        return jwsObject.serialize();
    }
}

Comments (1)

  1. Yavor Vasilev

    Yes, it is possible to sign a JWT with a private key stored in an HSM :)

    This is what HSMs do; if they are not capable of performing such an operation, or allow the key to be extracted, then it's no HSM by definition.
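Two checks that make the answer concrete, as an added example that is not part of the issue, the Nimbus project or the connect2id page: the PKCS#11 "private key" handed to the JVM has no encoded form when the HSM holds it as non-extractable, and the JWS it produces verifies with the public key alone, without the HSM. It assumes Java 9 or later, the same placeholder config file, PIN and alias as the question, and that a certificate is stored under the same alias.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;

public class HsmSigningCheck {

    // Assumed placeholders: a SunPKCS11 config pointing at the Safenet PKCS#11
    // library, the user PIN and the key alias. Substitute your own values.
    private static final String CONFIG_FILE = "hsm-config.cfg";
    private static final String USER_PIN = "123456";
    private static final String KEY_ALIAS = "1";

    public static void main(String[] args) throws Exception {
        // Java 9+ provider configuration (Java 8 used new sun.security.pkcs11.SunPKCS11(path))
        Provider hsm = Security.getProvider("SunPKCS11").configure(CONFIG_FILE);
        Security.addProvider(hsm);

        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, USER_PIN.toCharArray());

        // This "private key" is only a handle to a PKCS#11 object inside the token.
        PrivateKey handle = (PrivateKey) ks.getKey(KEY_ALIAS, "".toCharArray());

        // Check 1: SunPKCS11 returns null here for a sensitive / non-extractable key.
        // A non-null byte[] means the key was generated as exportable and should be
        // regenerated with the HSM's non-extractable attributes set.
        boolean exportable = handle.getEncoded() != null;
        System.out.println("key material exposed to the JVM: " + exportable);

        // Sign through the HSM provider: the RSA operation runs in the token
        JWSSigner signer = new RSASSASigner(handle);
        signer.getJCAContext().setProvider(hsm);
        JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.RS256),
                                      new Payload("{\"sub\":\"alice\"}")); // constructed sample claim
        jws.sign(signer);

        // Check 2: verify with the public key from the stored certificate using the
        // default software provider. Verification never needs the HSM.
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) cert.getPublicKey());
        System.out.println("signature verifies: " + jws.verify(verifier));
    }
}
```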