P11NGKeyWrappingCryptoToken
ENTERPRISE
Overview
Crypto token that generates keys inside the HSM, exports them wrapped with a secret/symmetric key held in the token, and stores the wrapped keys in the database. Because only wrapped key material leaves the token, the wrapping key itself never has to be exported; the unwrapped private keys exist only inside the HSM while in use.
As of SignServer 6.0, JackNJI11CryptoToken has been renamed P11NGCryptoToken.
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.p11ng.common.cryptotoken.P11NGKeyWrappingCryptoToken
In most cases this crypto token is not used directly; instead it is used through a P11NGKeyWrappingCryptoWorker.
Required Properties
| Property | Description |
|---|---|
| DEFAULTKEY | Specifies the key alias of the secret/symmetric wrapping key in the token that should be used to wrap and unwrap keys. |
| PIN | Specifies the authentication code for activation. Only required for auto-activation. Otherwise, manual activation can be performed. |
| SHAREDLIBRARYNAME | Specifies the name of the pre-defined PKCS#11 library to be used. The available libraries can be configured in |
| SLOTLABELTYPE | Indicates how the slot should be identified. Supported values are |
| SLOTLABELVALUE | The slot to use, identified with the type specified in SLOTLABELTYPE. |
Available Properties
| Property | Description |
|---|---|
| USE_CACHE | Specifies if the key and certificate search results from the HSM should be cached. This can prevent problems due to too many find object requests under high load with some PKCS#11 implementations. Default: True. |
| WRAPPING_CIPHER_ALGORITHM | Specifies the cipher algorithm used to wrap the keys with the secret/symmetric key. The value can be provided as a PKCS#11 mechanism name, a long constant value, or a hexadecimal constant value. See Wrapping Cipher Algorithm below. Default: |
| WRAPPED_TESTKEY | Specifies the key alias of a wrapped key stored in the database that can be used to test that unwrapping is working. If specified, the worker will be offline if a test signing cannot be performed with this key. |
Wrapping Cipher Algorithm
The Wrapping Cipher Algorithm is the PKCS#11 mechanism used to wrap the keys with the secret/symmetric key. The value can be supplied in any of the following ways:

- PKCS#11 mechanism name, starting with CKM_. Example: CKM_AES_CBC_PAD
- CKM long (decimal) value. Example: 4229, the long value of the CKM_AES_CBC_PAD constant in the PKCS#11 specification.
- CKM hexadecimal value. Example: 0x00001085, the hexadecimal value of the CKM_AES_CBC_PAD constant in the PKCS#11 specification.

All three spellings above select the same mechanism. Which mechanisms can actually be used depends on the underlying crypto token and the Hardware Security Module; the wrapping mechanism must be supported by the HSM for C_WrapKey and C_UnwrapKey, not just for ordinary encryption. In particular, SoftHSMv2 does not support CKM_AES_CBC_PAD; see SoftHSMv2 issue #229 for more information. As described above, other mechanisms can be used instead, and a numeric value can be given when SignServer does not yet define a constant for the mechanism. For instance, it has been reported that CKM_AES_KEY_WRAP works if it is specified as the value 8457.
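As an added, stand-alone illustration (not SignServer code) of how the three spellings above resolve to a single PKCS#11 mechanism constant, the following Python normalises a configured WRAPPING_CIPHER_ALGORITHM value, rejects values that fit none of the three forms, and flags numeric values that match no known constant, which is the case the SoftHSMv2 workaround relies on. The constant table is copied from the PKCS#11 specification and is deliberately short; which names SignServer itself recognises is not shown here, and whether the HSM supports a given mechanism for wrapping can only be confirmed against the module.

```python
"""Added example: normalise a WRAPPING_CIPHER_ALGORITHM value to a PKCS#11
mechanism constant and report what it resolves to.

Illustration code, not part of SignServer. The constants are taken from the
PKCS#11 specification (pkcs11t.h); the table is intentionally small.
"""
from __future__ import annotations

# CK_MECHANISM_TYPE constants from the PKCS#11 specification.
KNOWN_MECHANISMS: dict[str, int] = {
    "CKM_AES_CBC_PAD": 0x00001085,      # 4229 decimal
    "CKM_AES_KEY_WRAP": 0x00002109,     # 8457 decimal
    "CKM_AES_KEY_WRAP_PAD": 0x0000210A,
}
CKM_VENDOR_DEFINED = 0x80000000  # high bit marks vendor-specific mechanisms
CK_ULONG_MAX = 0xFFFFFFFF        # CK_ULONG is at least 32 bits wide


def parse_wrapping_mechanism(value: str) -> int:
    """Accept the three spellings the page describes and return the CKM long value.

    - a name starting with CKM_ (must be present in KNOWN_MECHANISMS),
    - a decimal long such as "4229",
    - a hexadecimal constant such as "0x00001085".
    Anything else, or a number outside the CK_ULONG range, is rejected.
    """
    text = value.strip()
    if not text:
        raise ValueError("WRAPPING_CIPHER_ALGORITHM must not be empty")
    if text.upper().startswith("CKM_"):
        try:
            return KNOWN_MECHANISMS[text.upper()]
        except KeyError:
            raise ValueError(
                f"{text!r} is not a known mechanism name; give its numeric value instead"
            ) from None
    if text.lower().startswith("0x"):
        number = int(text, 16)          # raises ValueError on malformed hex
    elif text.isdigit():
        number = int(text, 10)
    else:
        raise ValueError(f"cannot interpret {text!r} as a mechanism name, long or hex value")
    if number > CK_ULONG_MAX:
        raise ValueError(f"{text!r} does not fit in a CK_MECHANISM_TYPE")
    return number


def mechanism_name(mechanism: int) -> str | None:
    """Reverse lookup; None when the table defines no constant for the value."""
    for name, constant in KNOWN_MECHANISMS.items():
        if constant == mechanism:
            return name
    return None


def describe(value: str) -> str:
    """Human-readable summary of what a configured value resolves to."""
    mechanism = parse_wrapping_mechanism(value)
    name = mechanism_name(mechanism)
    if name is not None:
        return f"0x{mechanism:08X} = {name}"
    if mechanism & CKM_VENDOR_DEFINED:
        return f"0x{mechanism:08X} (vendor-defined mechanism, passed through unchanged)"
    return f"0x{mechanism:08X} (no constant in this table, passed through unchanged)"


def is_accepted(value: str) -> bool:
    """True if the value parses; whether the HSM supports it must be tested live."""
    try:
        parse_wrapping_mechanism(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The three equivalent spellings of CKM_AES_CBC_PAD from the page, the
    # numeric-only CKM_AES_KEY_WRAP value reported to work with SoftHSMv2,
    # and a constructed vendor-defined value.
    for configured in ("CKM_AES_CBC_PAD", "4229", "0x00001085", "8457", "0x80000001"):
        print(f"{configured:>16} -> {describe(configured)}")
```

Running the block prints the same 0x00001085 for the first three inputs, shows 8457 resolving to CKM_AES_KEY_WRAP, and reports the vendor-defined value as passed through unchanged; that last path is what lets a deployment use a mechanism for which no constant exists yet.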
NoDB Mode
Crypto token features such as generating keys, removing keys, generating a CSR and importing certificates are not supported by this token in NoDB mode, since the wrapped keys are stored in the database and these operations require a database connection.