This Crypto Token relies on support for different algorithms in Java and the SunPKCS11 provider/wrapper as well as support in the PKCS#11 standard, the used PKCS#11 driver from the HSM vendor, and the supported algorithms in the HSM. A complete list of supported algorithms can thus not be compiled here and the following lists algorithms that are tested and known to work with an HSM supporting it. Also, see the specific SignServer Signer for algorithms that signers can work with and review signer-specific algorithm support pages.

Signature Algorithms


Algorithm Name

Also Known As

Comment

(bock)

SHA1withRSA

RSASSA-PKCS_v1.5 using SHA1


(bock)

SHA224withRSA

RSASSA-PKCS_v1.5 using SHA224


(bock)

SHA256withRSA

RSASSA-PKCS_v1.5 using SHA256


(bock)

SHA384withRSA

RSASSA-PKCS_v1.5 using SHA384


(bock)

SHA512withRSA

RSASSA-PKCS_v1.5 using SHA512


(bock)

NONEwithRSA

RSASSA-PKCS_v1.5

Depending on the Signer. Generally only supported by Plain Signer.

(bock)

SHA1withRSAandMGF1

RSASSA-PSS using SHA1

Using Java 11 or using Java 8 only for key size => 4096 bits.

(bock)

SHA224withRSAandMGF1

RSASSA-PSS using SHA224

Using Java 11 or using Java 8 only for key size => 4096 bits.

(bock)

SHA256withRSAandMGF1

RSASSA-PSS using SHA256

Using Java 11 or using Java 8 only for key size => 4096 bits.

(bock)

SHA384withRSAandMGF1

RSASSA-PSS using SHA384

Using Java 11 or using Java 8 only for key size => 4096 bits.

(bock)

SHA512withRSAandMGF1

RSASSA-PSS using SHA512

Using Java 11 or using Java 8 only for key size => 4096 bits.

(fel)

NONEwithRSAandMGF1

RSASSA-PSS

Not supported by Java/SunPKCS11.

(bock)

SHA1withECDSA

ECDSA using SHA1


(bock)

SHA224withECDSA

ECDSA using SHA224


(bock)

SHA256withECDSA

ECDSA using SHA256


(bock)

SHA384withECDSA

ECDSA using SHA384


(bock)

SHA512withECDSA

ECDSA using SHA512


(bock)

NONEwithECDSA

ECDSA

Depending on the Signer. Generally only supported by Plain Signer.

Key Algorithms


Algorithm Name

Key Specification

Comment

(bock)

RSA

1024
2048
4096

Other key lengths are likely also working.

(bock)

ECDSA

Named curves:

  • secp256r1 / prime256v1 / P-256
  • secp384r1
  • secp521r1

More named curves are likely working.

(fel)

ECDSA

Explicit Parameters

A signer can be configured using the EXPLICTECC parameter (see Other Properties) to encode the EC parameters explicitly in the request. This goes for the supported named curves but a named curve is still needed when generating the key-pair.

But certificates with explicit EC parameters can no be read from the token.

(varning) If the token contains certificates with explicit parameters the token can not be used by this crypto token until those certificates has been removed!

Instead store the certificates in the worker configuration and certificates with explicit EC parameters can be used that way.

(bock)

AES

128
256


Related Content

  • Sida:
    (5.8.1) JackNJI11CryptoToken Algorithm Support
  • Sida:
    (5.8.1) PKCS11CryptoToken Algorithm Support
  • Sida:
    (5.8.1) Time Stamp Signer Algorithm Support
  • Sida:
    (5.8.1) Plain Signer Algorithm Support
  • Sida:
    (5.8.1) PDF Signer Algorithm Support
  • Sida:
    (5.8.1) MS Authenticode Signer Algorithm Support
  • Sida:
    (5.8.1) CMS Signer Algorithm Support
  • Sida:
    (5.8.1) AdES Signer Algorithm Support
  • Sida:
    (5.8.1) Signers Algorithm Support
  • Sida:
    (5.8.2) JackNJI11CryptoToken Algorithm Support
  • Sida:
    (5.8.2) PKCS11CryptoToken Algorithm Support
  • Sida:
    (5.8.2) Plain Signer Algorithm Support
  • Sida:
    (5.8.2) MS Authenticode Signer Algorithm Support
  • Sida:
    (5.8.2) CMS Signer Algorithm Support
  • Sida:
    (5.8.2) AdES Signer Algorithm Support