2 Replies. Latest reply: Jul 21, 2011 12:50 PM by 446516

    Sign XML file with PKCS11

      I'm trying to sign an XML document but I don't know how to do this if I don't have the private key - I use a PKCS11 token.
      What should I use instead of keyPair.getPrivate()?
      DOMSignContext domSignContext = new DOMSignContext (keyPair.getPrivate(), document.getDocumentElement());
        • 1. Re: Sign XML file with PKCS11
          If you use the same PKCS11 provider for your crypto operations, getPrivate() should only return a reference to the key in your token and not the key itself. The provider then uses this reference to perform the operation in the token.

          • 2. Re: Sign XML file with PKCS11
            In this guide http://download.oracle.com/javase/6/docs/technotes/guides/security/p11guide.html it's explained how to access a PKCS#11 device. It's very simple. Once you achieve the keyStore, you can tell it "getPrivateKey()", and so you get a PrivateKey, as you get with keyPair.getPrivate().

            Important: You must have the device drivers installed on your PC... to access the token you need to specify the PKCS11 implementation of your device (.dll for Windows or .so for Linux). Take a look at point 2.2 in that guide.

            Hope this helps. Regards, Gervasio
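The following is an added, self-contained example that is not part of this thread and not taken from the Oracle guide. It puts both replies together: it loads the SunPKCS11 provider from a configuration file (the mechanism section 2.2 of the guide describes), opens the token as a KeyStore, pulls out the PrivateKey handle and the matching certificate, and then passes that handle to the same DOMSignContext call as in the question. It also shows the check behind reply 1: a token-resident key returns null from getEncoded(), because only a reference to the in-token object is handed to the JVM. The configuration path, key alias, PIN and the sample invoice document are constructed placeholders; the Provider.configure(...) call is the Java 9+ form of loading SunPKCS11, and the Java 6/7/8 form used by the linked guide is noted in a comment.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;

public class Pkcs11XmlSign {

    // Placeholder PKCS#11 config file (see point 2.2 of the guide). A minimal one looks like:
    //   name = MyToken
    //   library = /usr/lib/opensc-pkcs11.so      (or the vendor .dll on Windows)
    static final String P11_CONFIG = "/path/to/pkcs11.cfg";   // placeholder, not a real path
    static final String KEY_ALIAS  = "signing-key";           // placeholder alias on the token
    static final char[] PIN        = "1234".toCharArray();    // placeholder PIN

    /** Registers SunPKCS11 for the configured token and opens the token as a KeyStore. */
    static KeyStore loadTokenKeyStore() throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from the config file.
        // Java 6/7/8 (as in the linked guide): new sun.security.pkcs11.SunPKCS11(P11_CONFIG)
        Provider p11 = Security.getProvider("SunPKCS11").configure(P11_CONFIG);
        // Adding the provider lets Signature.initSign(...) route the token key back to it.
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, PIN);   // no input stream: the token itself is the store
        return ks;
    }

    /** Reply 1's point as a check: a non-extractable token key exposes no encoded material. */
    static boolean keyStaysOnToken(PrivateKey key) {
        return key.getEncoded() == null;
    }

    /** Enveloped XML-DSig over the document root, signed with the token-resident key. */
    static void signEnveloped(Document doc, PrivateKey key, X509Certificate cert, String outFile)
            throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
                fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                // RSA-SHA256 URI spelled out because the SignatureMethod constant only exists in newer JDKs
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        X509Data x509 = kif.newX509Data(Collections.singletonList(cert));
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(x509));
        // Same constructor as in the question; the token key handle replaces keyPair.getPrivate()
        DOMSignContext dsc = new DOMSignContext(key, doc.getDocumentElement());
        fac.newXMLSignature(si, ki).sign(dsc);
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(doc), new StreamResult(new FileOutputStream(outFile)));
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTokenKeyStore();
        PrivateKey key = (PrivateKey) ks.getKey(KEY_ALIAS, PIN);
        X509Certificate cert = (X509Certificate) ks.getCertificate(KEY_ALIAS);
        System.out.println("key material stays on token: " + keyStaysOnToken(key));

        // Constructed sample document standing in for the reader's own XML file
        String xml = "<invoice><id>42</id><amount>10.00</amount></invoice>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required for XML-DSig namespaces
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
        signEnveloped(doc, key, cert, "signed.xml");
    }
}
```

The signature algorithm named in SignedInfo must be one the token and its PKCS#11 module actually implement; if the provider cannot find a matching mechanism, sign(...) fails at Signature.initSign rather than silently falling back to a software key, which is the behaviour you want when the point of the token is that the private key never leaves it.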