Do we have all the needed code to create/compute/sign a JWT using an HSM? Any example?
I need the RSA-SHA256 algorithm. TJwtRs256 uses only a file certificate!
Last edited by ttomas (2026-06-05 13:34:11)
I succeeded in signing using the low-level mormot.lib.pkcs11 and the high-level mormot.crypt.pkcs11.
One of my USB tokens raises an exception at TCryptCertPkcs11.Create:
    CKO_CERTIFICATE:
      if fX509 <> nil then
        RaiseError('Create: duplicated certificates')
The first two certificates, CA Root and CA, return an empty string StorageID=''. A small change at TCryptCertAlgoPkcs11.BackgroundLoad resolves the problem:
    for j := 0 to high(obj) do
      if (obj[j].ObjClass in [CKO_CERTIFICATE, CKO_PUBLIC_KEY]) and
         (obj[j].StorageID<>'') then // Add
        AddRawUtf8(ids, obj[j].StorageID, {nodup=}true);
My second USB token raises an exception with fX509.LoadFromDer. A small change at TCryptCertPkcs11.Create resolves the problem:
    CKO_CERTIFICATE:
      if fX509 <> nil then
        RaiseError('Create: duplicated certificates')
      else
      begin
        fX509 := TX509.Create;
        if not fX509.LoadFromDer(aValues[i]) then
        begin
          FreeAndNilSafe(fX509);
          // RaiseError('Create: invalid CKO_CERTIFICATE content'); Just ignore these certificates
        end
        else
        begin
          fIsX509 := true;
          xka := fX509.Signed.SubjectPublicKeyAlgorithm // more precise
        end;
      end
Nice findings.
Please try with
https://github.com/synopse/mORMot2/commit/0817ffc3d
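An added example, not part of this thread and not mORMot code: how an RS256 JWT is assembled when the private key never leaves the token, so the application only builds the signing input and hands it to a `sign` callback (on a real token, a PKCS#11 sign call with `CKM_SHA256_RSA_PKCS`). The names `make_jwt_rs256`, `verify_jwt_rs256` and `SoftToken` are hypothetical, and `SoftToken` is a constructed software stand-in with a demo-sized key so the block runs without hardware.

```python
import base64, hashlib, json, random

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Padded block that a SHA-256 + RSA PKCS#1 v1.5 signer exponentiates."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def make_jwt_rs256(claims: dict, kid: str, sign) -> str:
    """sign(bytes) -> bytes is the only step that touches the private key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))

def verify_jwt_rs256(token: str, n: int, e: int) -> bool:
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "RS256":
            return False  # the verifier pins the algorithm, not the token
        k = (n.bit_length() + 7) // 8
        raw = b64url_decode(sig)
        em = pow(int.from_bytes(raw, "big"), e, n).to_bytes(k, "big")
    except (ValueError, AttributeError):
        return False
    return len(raw) == k and em == emsa_pkcs1_v15(f"{head}.{body}".encode(), k)

class SoftToken:
    """Constructed stand-in for the HSM: demo-sized key, Fermat-tested primes."""
    def __init__(self, seed: int, bits: int = 512):
        rng, self.e = random.Random(seed), 65537
        def prime() -> int:
            while True:
                p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
                if (p - 1) % self.e and all(pow(a, p - 1, p) == 1 for a in (2, 3, 5, 7)):
                    return p
        p, q = prime(), prime()
        self.n, self._d = p * q, pow(self.e, -1, (p - 1) * (q - 1))
    def sign(self, message: bytes) -> bytes:
        k = (self.n.bit_length() + 7) // 8
        m = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
        return pow(m, self._d, self.n).to_bytes(k, "big")
```

With a hardware token, only `SoftToken.sign` changes; the header, signing input and verification stay the same.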