
Algorithm Support

Algorithm support in this Crypto Token depends on several layers: Java and the SunPKCS11 provider/wrapper, the PKCS#11 standard, the PKCS#11 driver from the HSM vendor, and the algorithms supported by the HSM itself. A complete list of supported algorithms therefore cannot be compiled here; the tables below list algorithms that have been tested and are known to work with an HSM that supports them. For the algorithms a particular signer can work with, also see the documentation for the specific SignServer signer and review the signer-specific algorithm support pages.

Signature Algorithms

| Supported | Algorithm Name | Also Known As | Comment |
|---|---|---|---|
| Yes | SHA1withRSA | RSASSA-PKCS_v1.5 using SHA1 | |
| Yes | SHA224withRSA | RSASSA-PKCS_v1.5 using SHA224 | |
| Yes | SHA256withRSA | RSASSA-PKCS_v1.5 using SHA256 | |
| Yes | SHA384withRSA | RSASSA-PKCS_v1.5 using SHA384 | |
| Yes | SHA512withRSA | RSASSA-PKCS_v1.5 using SHA512 | |
| Yes | NONEwithRSA | RSASSA-PKCS_v1.5 | Depending on the Signer. Generally only supported by Plain Signer. |
| Yes | SHA1withRSAandMGF1 | RSASSA-PSS using SHA1 | |
| Yes | SHA224withRSAandMGF1 | RSASSA-PSS using SHA224 | |
| Yes | SHA256withRSAandMGF1 | RSASSA-PSS using SHA256 | |
| Yes | SHA384withRSAandMGF1 | RSASSA-PSS using SHA384 | |
| Yes | SHA512withRSAandMGF1 | RSASSA-PSS using SHA512 | |
| No | NONEwithRSAandMGF1 | RSASSA-PSS | Not supported by Java/SunPKCS11. |
| Yes | SHA1withECDSA | ECDSA using SHA1 | |
| Yes | SHA224withECDSA | ECDSA using SHA224 | |
| Yes | SHA256withECDSA | ECDSA using SHA256 | |
| Yes | SHA384withECDSA | ECDSA using SHA384 | |
| Yes | SHA512withECDSA | ECDSA using SHA512 | |
| Yes | NONEwithECDSA | ECDSA | Depending on the Signer. Generally only supported by Plain Signer. |

Key Algorithms

| Supported | Algorithm Name | Key Specification | Comment |
|---|---|---|---|
| Yes | RSA | 1024, 2048, 4096 | Other key lengths are likely also working. |
| Yes | ECDSA | Named curves: secp256r1 / prime256v1 / P-256, secp384r1, secp521r1 | More named curves are likely working. |
| No | ECDSA | Explicit Parameters | A signer can be configured using the EXPLICITECC parameter (see Other Properties) to encode the EC parameters explicitly in the request. This applies to the supported named curves, but a named curve is still needed when generating the key pair. Certificates with explicit EC parameters cannot be read from the token. If the token contains certificates with explicit parameters, the token cannot be used by this crypto token until those certificates have been removed. Instead, store the certificates with explicit EC parameters in the worker configuration, which allows them to be used that way. |
| Yes | AES | 128, 256 | |
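
The restriction on certificates with explicit EC parameters can be checked ahead of time on certificates exported from the token. The following is an added example, not SignServer code: a standalone Python check that reads the SubjectPublicKeyInfo of a DER certificate and reports whether the EC parameters are a named-curve OID or an explicit parameter structure. All function names are assumptions of this example, and the sample certificates are constructed skeletons rather than real certificates.

```python
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1, id-ecPublicKey
KINDS = {0x06: "named", 0x30: "explicit", 0x05: "implicit"}  # ECParameters CHOICE tags

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # elements directly inside the value buf[start:end]
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def ec_parameter_encoding(cert):
    """Classify the EC parameters of a DER certificate, or 'not-ec' for other keys."""
    _, start, end = read_tlv(cert, 0)                       # Certificate
    _, start, end = children(cert, start, end)[0]           # tbsCertificate
    fields = children(cert, start, end)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    _, start, end = fields[5]       # after serial, sigAlg, issuer, validity, subject
    _, start, end = children(cert, start, end)[0]           # AlgorithmIdentifier
    oid, *params = children(cert, start, end)
    if cert[oid[1]:oid[2]] != EC_PUBLIC_KEY:
        return "not-ec"
    return KINDS.get(params[0][0], "unknown") if params else "unknown"

def tlv(tag, *parts):
    """DER-encode one element; used only to build the constructed samples below."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(params, key_oid=EC_PUBLIC_KEY):
    """Constructed skeleton with a v3 certificate's field layout (not a valid cert)."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, key_oid), params), tlv(0x03, bytes(66)))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              sig_alg, tlv(0x30), tlv(0x30), tlv(0x30), spki)
    return tlv(0x30, tbs, sig_alg, tlv(0x03, b"\x00"))

NAMED = sample_cert(tlv(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1 OID
EXPLICIT = sample_cert(tlv(0x30, tlv(0x02, b"\x01")))      # truncated SpecifiedECDomain
```

A certificate reported as `explicit` is one to remove from the token and store in the worker configuration instead, as described in the table above.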
