This Crypto Token relies on support for different algorithms in Java and the SunPKCS11 provider/wrapper as well as support in the PKCS#11 standard, the used PKCS#11 driver from the HSM vendor, and the supported algorithms in the HSM. A complete list of supported algorithms can thus not be compiled here and the following lists algorithms that are tested and known to work with an HSM supporting it. Also, see the specific SignServer Signer for algorithms that signers can work with and review signer-specific algorithm support pages.

Signature Algorithms


Algorithm NameAlso Known AsComment
(tick)SHA1withRSARSASSA-PKCS_v1.5 using SHA1
(tick)SHA224withRSARSASSA-PKCS_v1.5 using SHA224
(tick)SHA256withRSARSASSA-PKCS_v1.5 using SHA256
(tick)SHA384withRSARSASSA-PKCS_v1.5 using SHA384
(tick)SHA512withRSARSASSA-PKCS_v1.5 using SHA512
(tick)NONEwithRSARSASSA-PKCS_v1.5Depending on the Signer. Generally only supported by Plain Signer.
(tick)

SHA1withRSAandMGF1

RSASSA-PSS using SHA1Using Java 11 or using Java 8 only for key size => 4096 bits.
(tick)

SHA224withRSAandMGF1

RSASSA-PSS using SHA224Using Java 11 or using Java 8 only for key size => 4096 bits.
(tick)

SHA256withRSAandMGF1

RSASSA-PSS using SHA256Using Java 11 or using Java 8 only for key size => 4096 bits.
(tick)

SHA384withRSAandMGF1

RSASSA-PSS using SHA384Using Java 11 or using Java 8 only for key size => 4096 bits.
(tick)SHA512withRSAandMGF1RSASSA-PSS using SHA512Using Java 11 or using Java 8 only for key size => 4096 bits.
(error)NONEwithRSAandMGF1RSASSA-PSSNot supported by Java/SunPKCS11.
(tick)

SHA1withECDSA

ECDSA using SHA1
(tick)

SHA224withECDSA

ECDSA using SHA224
(tick)

SHA256withECDSA

ECDSA using SHA256
(tick)

SHA384withECDSA

ECDSA using SHA384
(tick)SHA512withECDSAECDSA using SHA512
(tick)NONEwithECDSAECDSADepending on the Signer. Generally only supported by Plain Signer.

Key Algorithms


Algorithm NameKey SpecificationComment
(tick)RSA

1024
2048
4096

Other key lengths are likely also working.
(tick)ECDSA

Named curves:

  • secp256r1 / prime256v1 / P-256
  • secp384r1
  • secp521r1
More named curves are likely working.
(error)ECDSAExplicit Parameters

A signer can be configured using the EXPLICTECC parameter (see Other Properties) to encode the EC parameters explicitly in the request. This goes for the supported named curves but a named curve is still needed when generating the key-pair.

But certificates with explicit EC parameters can no be read from the token.

(warning) If the token contains certificates with explicit parameters the token can not be used by this crypto token until those certificates has been removed!

Instead store the certificates in the worker configuration and certificates with explicit EC parameters can be used that way.

(tick)AES128
256

Related Content