PKCS#7 signature in PHP using PKCS#11 without a CLI call


Is there a way to create a PKCS#7 (S/MIME) signature with a PKCS#11-compliant HSM device (card reader) using pure PHP, i.e. without an explicit shell command call, e.g. using the PHP OpenSSL library or some other glue?

I can successfully create a PKCS#7 signature using the CLI openssl with the PKCS#11 engine like so:

// Hand the card PIN to the pkcs11 engine via the environment so it does not appear on the command line
putenv('PIN=' . $secret_card_pin);

// File paths are shell-quoted; the engine, key id and signer cert come from openssl.cnf and the card
shell_exec('export PIN; OPENSSL_CONF=openssl.cnf openssl smime -sign -engine pkcs11 -md sha1 -binary'
    . ' -in ' . escapeshellarg($tmpFileIn)
    . ' -out ' . escapeshellarg($tmpFileOut)
    . ' -outform der -keyform engine -inkey id_ed0007 -signer pubcert.pem');

I want to clean this up, but it seems impossible using pure PHP because, as far as I can tell, the openssl_pkcs7_sign() function can only be used with a private key file, without any support for pkcs11-engine-provided keys. Am I missing something?

1

There is 1 answer

3
rmhrisk (accepted answer)

There is not. While there are PKCS#11 bindings for many languages, there is not one for PHP.

You would need this; then you could construct a PKCS#7 and sign it using that library.

Unfortunately, absent that, you will need to use a CLI.
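Since the accepted answer concludes that the CLI is still required, the following is an added example (not code from the question or the answer) of wrapping that same openssl smime call in a PHP function that keeps the PIN out of the process argument list, quotes every path, checks the exit status, and returns the DER bytes. It assumes the same setup the question describes: a working openssl.cnf that loads the pkcs11 engine, a card with a key the engine knows by id (the question's id_ed0007 is used as the sample value), and a PEM signer certificate. The function and helper names, and the sha256 default in place of the question's sha1, are choices made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Sign $inputPath with a PKCS#11-held key through the OpenSSL CLI and return the DER PKCS#7 blob.
 *
 * Assumption (from the question): openssl.cnf configures the pkcs11 engine and the engine
 * reads the card PIN from the PIN environment variable.
 */
function pkcs11_pkcs7_sign(
    string $inputPath,
    string $outputPath,
    string $pin,
    string $keyId,           // key id as known to the engine, e.g. 'id_ed0007' in the question
    string $signerCertPath,
    string $opensslConfPath,
    string $digest = 'sha256'
): string {
    // Every user-controlled or path-like argument is shell-quoted; constants are left bare
    $cmd = implode(' ', [
        'openssl', 'smime', '-sign',
        '-engine', 'pkcs11',
        '-md', escapeshellarg($digest),
        '-binary',
        '-in', escapeshellarg($inputPath),
        '-out', escapeshellarg($outputPath),
        '-outform', 'der',
        '-keyform', 'engine',
        '-inkey', escapeshellarg($keyId),
        '-signer', escapeshellarg($signerCertPath),
    ]);

    // The env array replaces the child's environment entirely, so PATH must be carried over.
    // The PIN goes only here, never into argv, so it is not visible in process listings.
    $env = [
        'PIN'          => $pin,
        'OPENSSL_CONF' => $opensslConfPath,
        'PATH'         => getenv('PATH') ?: '/usr/bin:/bin',
    ];

    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start openssl');
    }
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    if ($status !== 0) {
        // Report the engine/OpenSSL error text, which does not contain the PIN
        throw new RuntimeException("openssl smime exited with status $status: " . trim($stderr));
    }

    $der = file_get_contents($outputPath);
    if ($der === false || !looks_like_der_sequence($der)) {
        throw new RuntimeException('no DER PKCS#7 structure written to ' . $outputPath);
    }
    return $der;
}

/** Cheap plausibility check: a DER-encoded PKCS#7 ContentInfo starts with a SEQUENCE tag (0x30). */
function looks_like_der_sequence(string $der): bool
{
    return $der !== '' && ord($der[0]) === 0x30;
}

// Example call (paths and the PIN variable are placeholders for this example):
// $der = pkcs11_pkcs7_sign('/tmp/in.bin', '/tmp/out.p7s', $secret_card_pin,
//                          'id_ed0007', 'pubcert.pem', 'openssl.cnf');
```

Two points worth keeping in mind when adapting this: the `-engine pkcs11` route relies on the OpenSSL ENGINE API, which is deprecated in OpenSSL 3.x in favour of providers, so the openssl.cnf setup may need to change on newer builds; and the output file should live in a directory that is not readable by other local users, since the signature is written there before it is read back.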