jsign doc: pkcs11 info

Add Venafi CodeSign Protect as a PKCS#11 provider and provide some basic documentation on how to leverage PKCS#11 for signing.

Jan 29 '25 03:01 zosocanuck

Thank you for the PR, I agree the PKCS#11 documentation could be improved.

Regarding Venafi I think there are too many PKCS#11 implementations to list them all, I prefer mentioning a few of the most popular hardware based ones.

However it looks like Venafi CodeSign Protect is a cloud signing service, it could be integrated directly into Jsign without using the PKCS#11 module. Do you know if its API is documented?

Jan 29 '25 07:01 ebourg

Venafi CodeSign Protect is currently only a self-hosted solution with a well-documented API. That said it may be much easier to use the PKCS#11 integration approach with a roadmap item to integrate natively via API. Thoughts?

Jan 29 '25 14:01 zosocanuck

I think I prefer the API integration, PKCS#11 is a pain to use.

I got a look at the documentation, the REST API seems pretty straightforward:

https://docs.venafi.com/Docs/24.1API/#?route=post-/vedhsm/api/sign

Jan 29 '25 15:01 ebourg

Sounds good. Let me know how I can provide help with the API integration given that I work at Venafi (A CyberArk Company).

Jan 29 '25 15:01 zosocanuck

If you want to implement it I can guide you through the process. There are several examples in the jsign-crypto module. Otherwise I'd need a temporary access to a CodeSign Protect instance.

Jan 30 '25 23:01 ebourg

I can work on getting this implemented and will open a separate PR. It would still be good to include an example of how to use the PKCS#11 keystore.

Jan 31 '25 19:01 zosocanuck

I've implemented a new signing service for SignPath (5a4418562414dd71080d0ee74c59c95e135dcd4c), you can use this commit as a template for CodeSign Protect.

Feb 07 '25 13:02 ebourg