doc: pkcs11 info #274
doc: pkcs11 info #274
Conversation
Signed-off-by: Ivan Wallis <[email protected]>
|
Thank you for the PR, I agree the PKCS#11 documentation could be improved. Regarding Venafi I think there are too many PKCS#11 implementations to list them all, I prefer mentioning a few of the most popular hardware based ones. However it looks like Venafi CodeSign Protect is a cloud signing service, it could be integrated directly into Jsign without using the PKCS#11 module. Do you know if its API is documented? |
|
Venafi CodeSign Protect is currently only a self-hosted solution with a well-documented API. That said it may be much easier to use the PKCS#11 integration approach with a roadmap item to integrate natively via API. Thoughts? |
|
I think I prefer the API integration, PKCS#11 is a pain to use. I got a look at the documentation, the REST API seems pretty straightforward: https://docs.venafi.com/Docs/24.1API/#?route=post-/vedhsm/api/sign |
|
Sounds good. Let me know how I can provide help with the API integration given that I work at Venafi (A CyberArk Company). |
|
If you want to implement it I can guide you through the process. There are several examples in the jsign-crypto module. Otherwise I'd need a temporary access to a CodeSign Protect instance. |
|
I can work on getting this implemented and will open a separate PR. It would still be good to include an example of how to use the PKCS#11 keystore. |
|
I've implemented a new signing service for SignPath (5a44185), you can use this commit as a template for CodeSign Protect. |
Add Venafi CodeSign Protect as a PKCS#11 provider and provide some basic documentation on how to leverage PKCS#11 for signing.