Algorithm Support
This crypto token relies on algorithm support in Java and the SunPKCS11 provider/wrapper, in the PKCS#11 standard, in the vendor's PKCS#11 driver, and in the HSM itself. A complete list of supported algorithms therefore cannot be compiled here; the lists below cover algorithms that are tested and known to work with an HSM that supports them. Also see the specific SignServer signer for the algorithms it can use, and review the signer-specific algorithm support pages.
Signature Algorithms
Algorithm Name | Also Known As | Comment
---|---|---
SHA1withRSA | RSASSA-PKCS1-v1_5 using SHA1 |
SHA224withRSA | RSASSA-PKCS1-v1_5 using SHA224 |
SHA256withRSA | RSASSA-PKCS1-v1_5 using SHA256 |
SHA384withRSA | RSASSA-PKCS1-v1_5 using SHA384 |
SHA512withRSA | RSASSA-PKCS1-v1_5 using SHA512 |
NONEwithRSA | RSASSA-PKCS1-v1_5 | Depends on the signer. Generally only supported by the Plain Signer.
SHA1withRSAandMGF1 | RSASSA-PSS using SHA1 | Requires Java 11; with Java 8 only for key sizes >= 4096 bits.
SHA224withRSAandMGF1 | RSASSA-PSS using SHA224 | Requires Java 11; with Java 8 only for key sizes >= 4096 bits.
SHA256withRSAandMGF1 | RSASSA-PSS using SHA256 | Requires Java 11; with Java 8 only for key sizes >= 4096 bits.
SHA384withRSAandMGF1 | RSASSA-PSS using SHA384 | Requires Java 11; with Java 8 only for key sizes >= 4096 bits.
SHA512withRSAandMGF1 | RSASSA-PSS using SHA512 | Requires Java 11; with Java 8 only for key sizes >= 4096 bits.
NONEwithRSAandMGF1 | RSASSA-PSS | Not supported by Java/SunPKCS11.
SHA1withECDSA | ECDSA using SHA1 |
SHA224withECDSA | ECDSA using SHA224 |
SHA256withECDSA | ECDSA using SHA256 |
SHA384withECDSA | ECDSA using SHA384 |
SHA512withECDSA | ECDSA using SHA512 |
NONEwithECDSA | ECDSA | Depends on the signer. Generally only supported by the Plain Signer.
Key Algorithms
Algorithm Name | Key Specification | Comment
---|---|---
RSA | 1024 | Other key lengths are likely also working.
ECDSA | Named curves: | More named curves are likely working.
ECDSA | Explicit parameters | A signer can be configured with the EXPLICITECC property (see Other Properties) to encode the EC parameters explicitly in the request. This applies to the supported named curves, but a named curve is still required when generating the key pair. Certificates with explicit EC parameters cannot be read from the token: if the token contains such certificates, it cannot be used by this crypto token until those certificates have been removed. Store such certificates in the worker configuration instead; certificates with explicit EC parameters can be used that way.
AES | 128, 256 |
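Because support depends on the whole chain described above (Java, SunPKCS11, the vendor driver and the HSM), the only reliable way to know which of the listed algorithm names a given installation exposes is to ask the configured provider. The following probe is an added example, not code from SignServer; it assumes a Java 9+ runtime (for `Provider.configure`) and takes the path to a SunPKCS11 configuration file (library path and slot) as its only argument.

```java
import java.security.Provider;
import java.security.Security;
import java.util.List;

/**
 * Lists which signature and key algorithms from the tables above the
 * SunPKCS11 provider registers for the configured HSM. Hypothetical
 * helper for checking an installation; not part of SignServer.
 */
public class Pkcs11AlgorithmProbe {
    // Names taken from the tables above (constructed subset, not exhaustive).
    static final List<String> SIGNATURE_ALGS = List.of(
            "SHA1withRSA", "SHA256withRSA", "SHA512withRSA", "NONEwithRSA",
            "SHA256withRSAandMGF1", "SHA512withRSAandMGF1", "NONEwithRSAandMGF1",
            "SHA256withECDSA", "NONEwithECDSA");
    // Java's KeyPairGenerator name for ECDSA keys is "EC"; AES uses KeyGenerator.
    static final List<String> KEY_ALGS = List.of("RSA", "EC", "AES");

    /** True if the provider registers a service of this type under this name. */
    static boolean supports(Provider p, String type, String algorithm) {
        return p.getService(type, algorithm) != null;
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: Pkcs11AlgorithmProbe <pkcs11.cfg>");
            System.exit(2);
        }
        // Instantiate SunPKCS11 against the vendor library named in the config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p11);
        System.out.println("Provider: " + p11.getName() + " " + p11.getVersionStr());

        for (String alg : SIGNATURE_ALGS) {
            System.out.printf("Signature %-22s %s%n", alg,
                    supports(p11, "Signature", alg) ? "available" : "NOT available");
        }
        for (String alg : KEY_ALGS) {
            boolean ok = supports(p11, "KeyPairGenerator", alg)
                    || supports(p11, "KeyGenerator", alg);
            System.out.printf("Key generation %-17s %s%n", alg,
                    ok ? "available" : "NOT available");
        }
    }
}
```

SunPKCS11 registers services from the mechanism list the driver reports at provider initialization, so "available" here means the provider offers the algorithm, not that every key on the token can use it; restrictions such as the PSS key-size caveat in the table above only surface when the operation is attempted.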