vbuch / node-signpdf

Simple signing of PDFs in node.
MIT License
719 stars 178 forks

Question using Node-signpdf with pkcs11js? #106

Closed chayakornjj closed 3 years ago

chayakornjj commented 3 years ago

Hi,

Currently we are working on digital signatures with an HSM module, as we plan to use AWS CloudHSM as our HSM.

Now we are testing your lib with a p12 file; everything is working great so far.

After that we tried to swap to an HSM (in this case we use SoftHSM for a POC) with PKCS#11 (via pkcs11js). We tried to adapt this for signing, but no luck.

It would be great if anyone can recommend or guide me on how I can sign a PDF with an HSM. I have already tried a lot of ways and still have not succeeded in signing a PDF with an HSM.

Here is my snippet with pkcs11js. We got this as a result: https://ibb.co/L96VDLM

My question is: any idea how I can apply PKCS#11 with node-signpdf (using PKCS#11 to generate a .p12 or something like this, or can it sign directly with PKCS#11)?

Note: Sorry for asking in this repository, but it would be great if you can recommend how to use this with node-signpdf.


const fs = require('fs');
const pkcs11js = require("pkcs11js");
const helpers = require('node-signpdf/dist/helpers');
const pkcs11 = new pkcs11js.PKCS11();
pkcs11.load("/usr/local/lib/softhsm/libsofthsm2.so");

(async () => {
  try {

    pkcs11.C_Initialize();

    // Getting info about PKCS11 Module
    var module_info = pkcs11.C_GetInfo();
    console.log(module_info);

    // Getting list of slots
    var slots = pkcs11.C_GetSlotList(true);
    var slot = slots[0];

    // Getting info about slot
    var slot_info = pkcs11.C_GetSlotInfo(slot);
    console.log(slot_info);
    // Getting info about token
    var token_info = pkcs11.C_GetTokenInfo(slot);
    console.log(token_info);
    // Getting info about Mechanism
    // var mechs = pkcs11.C_GetMechanismList(slot);
    // var mech_info = pkcs11.C_GetMechanismInfo(slot, mechs[0]);

    // Set session (read/write, serial)
    var session = pkcs11.C_OpenSession(slot, pkcs11js.CKF_RW_SESSION | pkcs11js.CKF_SERIAL_SESSION);

    // // Getting info about Session
    // var info = pkcs11.C_GetSessionInfo(session);
    // Log in as the normal user (user type 1 = CKU_USER) with the token PIN
    pkcs11.C_Login(session, 1, "1234");

    // Session-only (CKA_TOKEN false) RSA-2048 key pair generated on the token
    const publicKeyTemplate = [
      { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PUBLIC_KEY },
      { type: pkcs11js.CKA_TOKEN, value: false },
      { type: pkcs11js.CKA_LABEL, value: 'My RSA Public Key' },
      { type: pkcs11js.CKA_PUBLIC_EXPONENT, value: Buffer.from([1, 0, 1]) },
      { type: pkcs11js.CKA_MODULUS_BITS, value: 2048 },
      { type: pkcs11js.CKA_VERIFY, value: true }
    ];

    const privateKeyTemplate = [
      { type: pkcs11js.CKA_CLASS, value: pkcs11js.CKO_PRIVATE_KEY },
      { type: pkcs11js.CKA_TOKEN, value: false },
      { type: pkcs11js.CKA_LABEL, value: 'My RSA Private Key' },
      { type: pkcs11js.CKA_SIGN, value: true },
    ];

    const keys = pkcs11.C_GenerateKeyPair(session, { mechanism: pkcs11js.CKM_RSA_PKCS_KEY_PAIR_GEN }, publicKeyTemplate, privateKeyTemplate);

    // Multi-part SHA-256 / RSA PKCS#1 v1.5 signature with the private key handle
    pkcs11.C_SignInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, keys.privateKey);

    let pdfBuffer = fs.readFileSync('./RAW_PDF.pdf');

    // Add the signature dictionary with an empty /Contents placeholder
    pdfBuffer = helpers.plainAddPlaceholder({
      pdfBuffer,
      reason: 'POC-SIGNED',
      signatureLength: 1612,
    });

    // Sign the whole buffer (placeholder included) and collect a 256-byte signature
    pkcs11.C_SignUpdate(session, Buffer.from(pdfBuffer));

    const signature = pkcs11.C_SignFinal(session, Buffer.alloc(256));

    // Verify the same bytes with the public key handle
    pkcs11.C_VerifyInit(session, { mechanism: pkcs11js.CKM_SHA256_RSA_PKCS }, keys.publicKey);

    pkcs11.C_VerifyUpdate(session, Buffer.from(pdfBuffer));

    const verify = pkcs11.C_VerifyFinal(session, signature);

    console.log(keys);
    console.log('Verify sign data result:', verify);

    // Note: the signature is not written into the PDF here; the placeholder stays empty
    fs.writeFileSync('PDF-A-A.pdf', pdfBuffer);

    pkcs11.C_Logout(session);
    pkcs11.C_CloseSession(session);
  }
  catch (e) {
    console.error(e);
  }
  finally {
    pkcs11.C_Finalize();
  }
})();

chayakornjj commented 3 years ago

FYI, I will close this issue.

I managed to use another programming language due to my situation. But this package is really good if you already have a p12 file.

Cheers!