JackNJI11KeyWrappingCryptoToken
ENTERPRISE This is a SignServer Enterprise feature.
Overview
Crypto token generating keys in the token and exporting them wrapped with a symmetric key and stored in the database.
CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.p11ng.common.cryptotoken.JackNJI11KeyWrappingCryptoToken
In most cases this crypto token is not used directly but instead using a JackNJI11KeyWrappingCryptoWorker.
Available Properties
Property |
Description |
DEFAULTKEY |
Key alias of the secret/symmetric wrapping key in the token that should be used to wrap and unwrap keys. Required. |
WRAPPED_TESTKEY |
Key alias of wrapped key stored in the database that can be used to test that unwrapping is working. If specified, the worker will be offline if a test signing cannot be performed with this key. Optional. |
PIN |
Authentication code for activation. Only required for auto-activation, otherwise manual activation can be performed. |
SHAREDLIBRARYNAME |
Name of pre-defined PKCS11 library to be used. The available libraries can be configured in signserver_deploy.properties. Required. |
SLOTLABELTYPE |
Indicates how the slot should be identified. Supported values are SLOT_NUMBER, or SLOT_INDEX. Required. |
SLOTLABELVALUE |
The slot to use, identified with the type specified in SLOTLABELTYPE:
Required. SLOT_LABEL is currently not supported. |
WRAPPING_CIPHER_ALGORITHM |
Cipher algorithm used to wrap the keys by secret/symmetric key. The value can be provided as PKCS#11 mechanism name, long constant value, or hexadecimal constant value. See Wrapping Cipher Algorithm below. (Optional). Default value is CKM_AES_CBC_PAD. |
USE_CACHE |
Specify if key and certificate search results from the HSM should be cached. This can prevent problems due to too many find object requests under high load with some PKCS#11 implementations. Optional: default true. |
Wrapping Cipher Algorithm
The Wrapping Cipher Algorithm is used to wrap the keys by secret/symmetric key. Values can be supplied in the following ways:
PKCS#11 mechanism name
Stating with "CKM_". Example: CKM_AES_CBC_PAD.
CKM Long value
Example: 4229. Here 4229 represents long value for CKM_AES_CBC_PAD constant, as per PKCS11 specification.
CKM Hexadecimal value
Example: 0x00001085. Here 0x00001085 represents hexadecimal value for CKM_AES_CBC_PAD constant, as per PKCS11 specification.
NoDB Mode
Crypto token features like generate key, remove key, generate CSR, and import certificate are not supported by this token in NoDB mode since it requires a database connection.