# Sample configuration of a PKCS#11 crypto worker
#

# Type of worker and implementation
WORKERGENID1.TYPE=CRYPTO_WORKER
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker

# Uses a HSM or smart card through PKCS#11:
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.PKCS11CryptoToken

# Name for other workers to reference this worker:
WORKERGENID1.NAME=CryptoTokenP11

# Name of the PKCS#11 shared library to use:
# The samples below corresponds to the ones set by default in the deploy
# configuration.
# To add new definitions or customize existing ones, see
# conf/signserver_deploy.properties.sample.
WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet ProtectServer Gold Emulator
#WORKERGENID1.SHAREDLIBRARYNAME=SoftHSM
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna Client
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna SA
#WORKERGENID1.SHAREDLIBRARYNAME=SafeNet Luna PCI
#WORKERGENID1.SHAREDLIBRARYNAME=Utimaco
#WORKERGENID1.SHAREDLIBRARYNAME=nCipher
#WORKERGENID1.SHAREDLIBRARYNAME=OpenSC

# Method for pointing out which slot to use:
WORKERGENID1.SLOTLABELTYPE=SLOT_NUMBER
#WORKERGENID1.SLOTLABELTYPE=SLOT_INDEX
#WORKERGENID1.SLOTLABELTYPE=SLOT_LABEL

# Which slot to use:
WORKERGENID1.SLOTLABELVALUE=1
#WORKERGENID1.SLOTLABELVALUE=0
#WORKERGENID1.SLOTLABELVALUE=MySlot

# Optional password of the slot. If specified the token is "auto-activated".
#WORKERGENID1.PIN=foo123

# Optional PKCS#11 attributes file or attributes
#WORKERGENID1.ATTRIBUTESFILE=/opt/signserver/doc/sample-config/p11attributes.cfg
WORKERGENID1.ATTRIBUTES=\
    attributes(generate,CKO_PUBLIC_KEY,*) \= {\n   \
       CKA_TOKEN \= false\n   \
       CKA_ENCRYPT \= false\n   \
       CKA_VERIFY \= true\n   \
       CKA_WRAP \= false\n\
    }\n\
    attributes(generate, CKO_PRIVATE_KEY,*) \= {\n   \
       CKA_TOKEN \= true\n   \
       CKA_PRIVATE \= true\n   \
       CKA_SENSITIVE \= true\n   \
       CKA_EXTRACTABLE \= false\n   \
       CKA_DECRYPT \= false\n   \
       CKA_SIGN \= true\n   \
       CKA_UNWRAP \= false\n\
    }

# Optional PKCS#11 attributes to override those specified statically in the ATTRIBUTES
# property or file
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS
#WORKERGENID1.ATTRIBUTE.PRIVATE.RSA.CKA_ALLOWED_MECHANISMS=CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS
#WORKERGENID1.ATTRIBUTE.PRIVATE.ECDSA.CKA_ALLOWED_MECHANISMS=CKM_ECDSA

# One key to test activation with is required. If this key does not already
# exist generate it after the worker has been created.
WORKERGENID1.DEFAULTKEY=testkey0