Emmanuel Bourg

Results 158 comments of Emmanuel Bourg

The generation of XML signatures in Java is documented here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html

I've played a bit with the XML signature API, the code snippet below is enough to sign a file but I don't think it makes a valid manifest signature yet:...

Thank you for the info, I didn't realize there were two signature schemes. I've found some references about strong name signatures: https://learn.microsoft.com/en-us/archive/msdn-magazine/2006/july/clr-inside-out-using-strong-name-signatures https://learn.microsoft.com/en-us/dotnet/standard/assembly/create-use-strong-named It's not clear to me if the...

I agree it would be nice to support it, but this service is very expensive ($1600/month) and I can't spend that much for this project. If someone using AWS CloudHSM...

I got a look at the [AWS documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html), and as I understand the [CloudHSM REST API](https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_Operations.html) allows one to only manage the HSM instances, and not to perform cryptographic operations....

Also worth noting, the name "LiquidSecurity" appears in the [documentation](https://docs.aws.amazon.com/cloudhsm/latest/userguide/troubleshooting-lost-connection.html) and in the native library, that's most likely the name of the [Marvell HSM hardware](https://www.marvell.com/products/security-solutions/liquidsecurity2.html) used by AWS. It seems...

@hellais Did you check if the CloudHSM instance is available as a keystore for AWS KMS?

> We were able to get authentication to work using:
>
> jsign --storetype...

@hellais You could try setting the `--alias` parameter, for example: `jsign --storetype PKCS11 --keystore sunpkcs.cfg --storepass XXXX --certfile chain.p7b --alias XXXX_2024-04-26_6 binary.exe` or: `jsign --storetype PKCS11 --keystore sunpkcs.cfg --storepass XXXX`...

You may get some hints about the underlying issue by enabling the SunPKCS11 debugging mode: `JSIGN_OPTS=-Djava.security.debug=sunpkcs11 jsign --storetype PKCS1` ...

I don't have a SafeNet token so I'm unable to reproduce this unfortunately. This looks clearly like a driver bug, the best I could do at the Jsign level is...