How to sign data through hardware token?

digitalbazaar / forge

A native implementation of TLS in Javascript and tools to write crypto-based and network-heavy webapps

https://digitalbazaar.com/

Other

5.04k stars 778 forks source link

How to sign data through hardware token? #694

Open fereydoun opened 5 years ago

fereydoun commented 5 years ago

@davidlehn how to sign data using certificate inside hardware token??? I have linux driver .so file i can login to hardware token using library pkcs11js! but i want sign data with pkcs 7 format.

theclabs commented 5 years ago

@fereydoun Essentially, if you want to sign a piece of information:

First you have to get the hash of the data you want to sign. (sha256(data))
Second, you must start a secure session on the hardware, either by pin, password or biometrically.
Third, you must select in the hardware, the certificate private key you will use, the algorithm and the type of hash you want to use. ( select the Key file inside, the hash, and the padding, - Ex. key file 1, PKCS#1v1.5 padding and SHA256 hash)
Fourth, you must send the hash that was obtained in the first point.
Fifth, you must start the digital signature process with the corresponding command, and this will return the digital signature hash.
for PKCS#7 you can use any version 1.5 of PKCS in js

fereydoun commented 5 years ago

@theclabs thanks for you can you show me that steps with a simple example?

theclabs commented 5 years ago

@fereydoun What hardware are you using? The previous example is based on a proprietary cryptographic identification card, but is standardized. Do you have knowledge about APDU commands? I think you should look for APDU commands on your device to get a clearer idea

fereydoun commented 5 years ago

@theclabs is node-forge has sample for connect to any model of hardware token?

nicenemo commented 5 years ago

Maybe the question could be rephrased to:

Please give an example on how to create a valid pkcs7(DER or PEM encoded) using forge. Given that you have the sha256 hash, the certificate and the signature obtained via an external device or service.

I think I want to do more or less the same. I want to get a pkcs7 (der or pem encoded) file. But instead I want to use Azure KeyVault. (hardware device in the cloud).

I have a working solution in Java using bouncy castle but want to remove the need for Java. the rest of our solution is NodeJS based.

I guess I should construct it starting from the pkcs7 enveloppe but not sure on how to proceed.