Closed maartenbynens closed 2 years ago

Can this library be used from java? Issue seems to be that the java PKCS11 implementation ignores private keys without a matching certificate (https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-F068390B-EB41-48A0-A713-B4CBCC72285D) and the keys in KMS are stored without a certificate.

The configuration option experimental_generate_certs causes the library to generate an ephemeral X.509 certificate for each keypair to meet this SunPKCS11 requirement. Does that help?

Thank you @bdhess for your response. With that configuration option it does indeed work. Unfortunately, that is not a sufficient solution for signing with actual certificates. In the meantime we found a way to use KMS directly.

Hrmm... well, a certificate simply binds a keypair to an identity. The underlying signature primitive (RSA or ECDSA) doesn't have knowledge of any certificates, and a certificate isn't referenced or included in the RSA or ECDSA signature.

In any case, I'm glad you found a suitable workaround.
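The point made in the last reply, that the RSA/ECDSA signature produced by the key is independent of whichever certificate happens to sit next to it, can be checked offline. The program below is an added example and is not part of this thread, the library, or the JDK; it uses a locally generated P-256 key as a stand-in for a KMS key (the real private half never leaves KMS), builds a throwaway self-signed certificate to imitate what `experimental_generate_certs` provides for SunPKCS11, builds a second, CA-issued certificate for the same public key to play the "actual certificate", and then verifies one signature against the bare public key and against each certificate. All names and certificate contents are assumptions made for the example; the library's config format is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKeyPair is an assumed stand-in for a KMS-held P-256 signing key; it is
// generated locally only so that the example runs offline.
func newKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func baseTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// ephemeralCert imitates the effect of experimental_generate_certs: a throwaway
// self-signed certificate whose only job is to give the private key a
// "matching certificate" so that SunPKCS11 will expose it (assumed shape).
func ephemeralCert(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := baseTemplate(1, "ephemeral-placeholder")
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caIssuedCert stands in for the "actual certificate": issued by a CA (another
// local key here) and binding the same public key to a real identity.
func caIssuedCert(pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	caTmpl := baseTemplate(2, "example-ca")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, baseTemplate(3, "real-identity"), caCert, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign does what the token does: SHA-256 digest, ECDSA over P-256, DER-encoded
// signature. No certificate is an input to this operation.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyWithCert verifies using only the public key carried in cert.
func VerifyWithCert(cert *x509.Certificate, msg, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
}

// Outcome records which verifications of one signature succeeded.
type Outcome struct {
	RawPublicKeyOK  bool // bare public key, no certificate at all
	EphemeralCertOK bool // placeholder certificate generated for the key
	CAIssuedCertOK  bool // real certificate for the same key
	TamperedMsgOK   bool // must be false: the signature still protects the data
}

// Demo signs msg once and checks that signature against the raw public key,
// the placeholder certificate and the CA-issued certificate.
func Demo(msg []byte) (Outcome, error) {
	key, err := newKeyPair()
	if err != nil {
		return Outcome{}, err
	}
	caKey, err := newKeyPair()
	if err != nil {
		return Outcome{}, err
	}
	eph, err := ephemeralCert(key)
	if err != nil {
		return Outcome{}, err
	}
	issued, err := caIssuedCert(&key.PublicKey, caKey)
	if err != nil {
		return Outcome{}, err
	}
	sig, err := Sign(key, msg)
	if err != nil {
		return Outcome{}, err
	}
	digest := sha256.Sum256(msg)
	return Outcome{
		RawPublicKeyOK:  ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig),
		EphemeralCertOK: VerifyWithCert(eph, msg, sig),
		CAIssuedCertOK:  VerifyWithCert(issued, msg, sig),
		TamperedMsgOK:   VerifyWithCert(issued, append([]byte("x"), msg...), sig),
	}, nil
}

func main() {
	o, err := Demo([]byte("document to be signed")) // constructed sample input
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The three positive checks succeed and the tampered one fails, which is the practical consequence of the reply above: the placeholder certificate only unblocks key discovery in SunPKCS11, and whatever certificate is later presented to relying parties (in a CMS/PKCS#7 container, a JAR signature block, or TLS) is attached by the application, not by the signing primitive.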