SMIME with HSM


SMIME with HSM

mehmet mumcu
Hi, I have started to use smime module for my project. It works great, when I use it as it is given in the example. However, I need to use an HSM device for signing purposes. How may I change the signing phase with a custom one?

Thanks.
--
Mehmet Emin Mumcu

Re: SMIME with HSM

David Hook-3

You can provide a custom implementation of the ContentSigner interface. The main thing to pay attention to is that you set the AlgorithmIdentifier values correctly - usually the signing step is straightforward.

Regards,

David

On 02/10/18 00:21, mehmet mumcu wrote:
Hi, I have started to use smime module for my project. It works great, when I use it as it is given in the example. However, I need to use an HSM device for signing purposes. How may I change the signing phase with a custom one?

Thanks.
--
Mehmet Emin Mumcu



Re: SMIME with HSM

mehmet mumcu
Hi David, 
I have figured that out afterwards.

Thanks.

On Sun, 7 Oct 2018 at 08:57, David Hook <[hidden email]> wrote:



Re: SMIME with HSM

Uri Blumenthal
And the solution is...?

I'm asking because creating digital signature with the keys kept in hard tokens is an important issue for quite a few developers.

Sent from my iPhone 6+

On Oct 7, 2018, at 02:28, mehmet mumcu <[hidden email]> wrote:

Re: SMIME with HSM

David Hook-3

In a bit more detail, the high-level BC classes that use signatures for the generation of certificates, CMS messages, timestamps and the like all use:

org.bouncycastle.operator.ContentSigner

to perform the signature calculation and to get the details of the signature. ContentSigner is an interface with three methods on it; if you provide an implementation of ContentSigner which passes the data through to whatever your hardware-based API uses, the BC APIs will happily generate signatures for you. ContentSigner provides an OutputStream to collect input for the signature calculation, a getSignature() method to retrieve the actual signature and a getAlgorithmIdentifier() method which returns the AlgorithmIdentifier required to describe the signature.

There's an equivalent interface for PGP as well:

org.bouncycastle.openpgp.operator.PGPContentSigner

Fundamentally it is the same deal as ContentSigner, with the equivalent to the getAlgorithmIdentifier() method being the methods that return the keyId, hash algorithm, key algorithm, and signature type. One thing you need to be aware of with the PGP side of things is that PGP signatures often require the value of the raw digest used as well, and there is a method on PGPContentSigner for this as well - generally an HSM will not expose this as part of the signature calculation and may not make it available as a direct service either. In a case like that you normally need a hybrid solution which generates the signature using the HSM but uses a software API, such as BC, to provide the functionality to support the digest calculation.

As I said, they're both interfaces though, people are free to implement them with whatever API is available as long as the methods on the interface provide the correct outputs for the high-level BC APIs to use.

Does that cover it?

Regards,

David

On 08/10/18 03:32, Uri Blumenthal wrote:
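As an added example (not code from this thread or from Bouncy Castle itself), the ContentSigner shape David describes above, with the actual signing delegated to a hardware-backed JCA provider so the private key never leaves the token; the provider, the token-resident PrivateKey handle and the JCA algorithm name are assumed inputs (for instance a SunPKCS11 provider and a key loaded from a "PKCS11" KeyStore):

```java
import java.io.IOException;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.SignatureException;

import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

/**
 * ContentSigner that streams the to-be-signed bytes into a java.security.Signature
 * obtained from a hardware-backed provider. BC computes the message digest and the
 * signed attributes in software; only the final signature operation hits the token.
 * Hand an instance to JcaSignerInfoGeneratorBuilder.build(signer, cert) as usual.
 */
public final class HsmContentSigner implements ContentSigner {
    private final Signature signature;
    private final AlgorithmIdentifier algId;
    private final OutputStream stream;

    // hsmProvider / tokenKey are assumed to come from the caller's PKCS#11 setup.
    public HsmContentSigner(Provider hsmProvider, PrivateKey tokenKey, String jcaAlgorithm)
            throws GeneralSecurityException {
        this.signature = Signature.getInstance(jcaAlgorithm, hsmProvider);
        this.signature.initSign(tokenKey);
        // Must describe exactly what the token computes (e.g. "SHA256withRSA"),
        // otherwise the resulting SignerInfo will fail verification.
        this.algId = new DefaultSignatureAlgorithmIdentifierFinder().find(jcaAlgorithm);
        this.stream = new OutputStream() {
            @Override public void write(int b) throws IOException { update(new byte[] {(byte) b}, 0, 1); }
            @Override public void write(byte[] b, int off, int len) throws IOException { update(b, off, len); }
        };
    }

    private void update(byte[] b, int off, int len) throws IOException {
        try { signature.update(b, off, len); }
        catch (SignatureException e) { throw new IOException("HSM update failed", e); }
    }

    @Override public AlgorithmIdentifier getAlgorithmIdentifier() { return algId; }
    @Override public OutputStream getOutputStream() { return stream; }
    @Override public byte[] getSignature() {
        try { return signature.sign(); }
        catch (SignatureException e) { throw new IllegalStateException("HSM signing failed", e); }
    }
}
```

The same pattern applies to the digest caveat David raises for PGP: the HSM only returns signature bytes, so any raw digest value a consumer needs is computed separately in software.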