user1514222

Reputation: 15

Signing XML (XML-DSig) using HSM and PKCS11 token in .Net Core 7.0

I have an X509 certificate which contains the public key only in my database. The corresponding private key is stored inside an HSM. I found out that the SignedXml class in .NET does not support signing XML in an HSM.

Is there any other alternative? A replacement for SignedXml or another option that I can use to achieve this?

Upvotes: 0

Views: 803

Answers (2)

Teja

Reputation: 63

You can apply transforms to the XML, canonicalize the document, take a hash and sign the hash using PKCS#11.

Once you have the signature value, you can then use XPath to insert the SignatureValue in the Signature element for an enveloped signature.

The X.509 cert goes into the KeyInfo element in the SignedXml.

Upvotes: 0

jariq

Reputation: 12108

You can use the Pkcs11Interop.X509Store library, which provides an easy-to-use PKCS#11 based X.509 certificate store and contains a Pkcs11RsaProvider class inherited from the System.Security.Cryptography.RSA class that you can use as the SigningKey with the SignedXml class.

There's also a code sample available which demonstrates your use case.

Upvotes: 0
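The following is an added example written for this page; it is not code from the question, from either answer, or from the Pkcs11Interop project. It shows the mechanism both answers rely on in one place: SignedXml performs the transforms, canonicalization and SHA-256 hashing in software (the first steps of Teja's answer), and a minimal RSA subclass, standing in for jariq's Pkcs11RsaProvider, forwards only the final SignHash call to the token over PKCS#11, so the private key never leaves the HSM. Assumptions: the Pkcs11Interop 5.x HighLevelAPI, the System.Security.Cryptography.Xml package (.NET 7), and placeholder values for the SoftHSM2 library path, user PIN, key label and DER certificate file read from disk in place of the database; the `HsmRsa` and `XmlHsmSigner` names are mine.

```csharp
// Added example (not from the original post or from Pkcs11Interop). Assumes Pkcs11Interop 5.x
// HighLevelAPI and System.Security.Cryptography.Xml; library path, PIN, key label and
// certificate file below are placeholders.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;

// Minimal RSA whose only real member is SignHash(): SignedXml canonicalizes SignedInfo and
// hashes it in software, then hands the 32-byte digest here (this is what Pkcs11RsaProvider does).
public sealed class HsmRsa : RSA
{
    // CKM_RSA_PKCS applies PKCS#1 v1.5 padding only, so the caller must wrap the hash in the
    // SHA-256 DigestInfo (RFC 8017 section 9.2). CKM_SHA256_RSA_PKCS would hash the input again.
    private static readonly byte[] Sha256DigestInfoPrefix =
    {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
        0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };
    private readonly ISession _session;
    private readonly IObjectHandle _privateKey;

    public HsmRsa(ISession session, IObjectHandle privateKey, int keySizeBits)
    {
        _session = session;
        _privateKey = privateKey;
        KeySizeValue = keySizeBits;  // modulus length of the token key, taken from the certificate
    }

    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        if (hashAlgorithm != HashAlgorithmName.SHA256 || padding != RSASignaturePadding.Pkcs1 || hash.Length != 32)
            throw new CryptographicException("Only RSA-SHA256 with PKCS#1 v1.5 padding is wired to the HSM.");
        byte[] digestInfo = new byte[Sha256DigestInfoPrefix.Length + hash.Length];
        Buffer.BlockCopy(Sha256DigestInfoPrefix, 0, digestInfo, 0, Sha256DigestInfoPrefix.Length);
        Buffer.BlockCopy(hash, 0, digestInfo, Sha256DigestInfoPrefix.Length, hash.Length);
        IMechanism mechanism = _session.Factories.MechanismFactory.Create(CKM.CKM_RSA_PKCS);
        return _session.Sign(mechanism, _privateKey, digestInfo);  // C_SignInit + C_Sign inside the HSM
    }

    // Private material never leaves the token; the public key comes from the certificate instead.
    public override RSAParameters ExportParameters(bool includePrivateParameters) =>
        throw new CryptographicException("Key material lives in the HSM and is not exportable.");
    public override void ImportParameters(RSAParameters parameters) => throw new NotSupportedException();
}

public static class XmlHsmSigner
{
    public static void SignEnveloped(XmlDocument doc, RSA signingKey, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signingKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };  // "" = whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));  // the public-key-only certificate from the database
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();  // digests references, canonicalizes SignedInfo, calls HsmRsa.SignHash once
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // Verify against the certificate you expect, not against whatever KeyInfo the document carries.
    public static bool Verify(XmlDocument signedDoc, X509Certificate2 cert)
    {
        XmlNodeList nodes = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;
        var verifier = new SignedXml(signedDoc);
        verifier.LoadXml((XmlElement)nodes[0]);
        using (RSA publicKey = cert.GetRSAPublicKey())
            return verifier.CheckSignature(publicKey);
    }

    public static void Main()
    {
        const string pkcs11LibraryPath = "/usr/lib/softhsm/libsofthsm2.so";  // placeholder: vendor PKCS#11 module
        const string userPin = "1234";                                         // placeholder
        const string keyLabel = "xmldsig-key";                                 // placeholder: CKA_LABEL of the private key
        var cert = new X509Certificate2(System.IO.File.ReadAllBytes("signer.cer"));  // DER bytes, as stored in the DB
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Invoice><Id>42</Id><Amount>100.00</Amount></Invoice>");  // constructed sample input

        var factories = new Pkcs11InteropFactories();
        using (IPkcs11Library lib = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, pkcs11LibraryPath, AppType.MultiThreaded))
        using (ISession session = lib.GetSlotList(SlotsType.WithTokenPresent)[0].OpenSession(SessionType.ReadOnly))
        {
            session.Login(CKU.CKU_USER, userPin);
            var template = new List<IObjectAttribute>
            {
                session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, CKO.CKO_PRIVATE_KEY),
                session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, keyLabel)
            };
            using (var rsa = new HsmRsa(session, session.FindAllObjects(template)[0], cert.GetRSAPublicKey().KeySize))
                SignEnveloped(doc, rsa, cert);
            session.Logout();
        }
        Console.WriteLine(Verify(doc, cert) ? "signature valid" : "signature INVALID");
    }
}
```

Two points worth checking on your own token: the mechanism must be CKM_RSA_PKCS with the caller-supplied DigestInfo, because SignedXml hands the subclass a finished hash, and passing that hash to CKM_SHA256_RSA_PKCS would hash it a second time and yield a signature that verifies nowhere. And the verification step deliberately passes the certificate's public key rather than calling the parameterless CheckSignature(), which would trust whatever key the document's own KeyInfo names.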
