Is there a way to create a PKCS#7 (S/MIME) signature with a PKCS#11 compliant HSM device (card reader) using pure PHP, i.e. without explicit shell command call, e.g. using PHP OpenSSL library or some other glue?
I can successfully create a PKCS#7 signature using CLI openssl with the PKCS#11 engine like so:
putenv('PIN=' . $secret_card_pin); // the child shell inherits PIN from the PHP process environment
// file names are passed through escapeshellarg() so they are never interpreted by the shell
shell_exec("export PIN; OPENSSL_CONF=openssl.cnf openssl smime -sign -engine pkcs11 -md sha1 -binary -in " . escapeshellarg($tmpFileIn) . " -out " . escapeshellarg($tmpFileOut) . " -outform der -keyform engine -inkey id_ed0007 -signer pubcert.pem");
I want to clean this up, but it seems impossible using pure PHP because, as far as I can tell, the openssl_pkcs7_sign() function can only be used with a private key file, without any support for keys provided by the pkcs11 engine. Am I missing something?
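A tighter way to drive the same CLI from PHP, as an added example that is not part of the question: every argument is escaped individually and the PIN is handed only to the child process through proc_open() instead of being exported into the PHP environment. It assumes openssl.cnf loads the pkcs11 engine and reads the PIN from the PIN environment variable (for example with `PIN = $ENV::PIN`), keeps the key id and signer certificate from the question, and switches the digest from sha1 to sha256.

```php
<?php
// Added example, not code from the question. Assumes openssl.cnf loads the
// pkcs11 engine and takes the PIN from the PIN environment variable, and that
// id_ed0007 / pubcert.pem are the key id and signer certificate from the question.
function pkcs11_smime_sign(string $data, string $pin, string $keyId = 'id_ed0007',
                           string $signer = 'pubcert.pem', string $cnf = 'openssl.cnf'): string
{
    $in  = tempnam(sys_get_temp_dir(), 'smime-in-');
    $out = tempnam(sys_get_temp_dir(), 'smime-out-');
    try {
        file_put_contents($in, $data);
        // Build the command from an argument list so that no value (file names,
        // key id) is interpreted by the shell. sha256 replaces the deprecated sha1.
        $cmd = implode(' ', array_map('escapeshellarg', [
            'openssl', 'smime', '-sign', '-engine', 'pkcs11', '-md', 'sha256', '-binary',
            '-in', $in, '-out', $out, '-outform', 'der',
            '-keyform', 'engine', '-inkey', $keyId, '-signer', $signer,
        ]));
        // Hand the PIN to the child only: with an explicit $env it never enters the
        // PHP process environment (getenv()/phpinfo()) the way putenv() would.
        $env  = ['PIN' => $pin, 'OPENSSL_CONF' => $cnf, 'PATH' => getenv('PATH')];
        $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($cmd, $spec, $pipes, null, $env);
        if (!is_resource($proc)) {
            throw new RuntimeException('could not start openssl');
        }
        fclose($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[2]);
        // A non-zero exit (wrong PIN, missing token, bad config) must not be
        // mistaken for a signature: check it before reading the output file.
        if (proc_close($proc) !== 0) {
            throw new RuntimeException('openssl smime failed: ' . trim($stderr));
        }
        return file_get_contents($out);  // DER-encoded PKCS#7 SignedData
    } finally {
        @unlink($in);
        @unlink($out);
    }
}
```

Unless `-nodetach` is added, the DER output is a detached signature, so check it against the original content with `openssl smime -verify -inform der -in sig.der -content data.bin -CAfile ca.pem`.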
There is not; while there are PKCS#11 bindings for many languages, there is not one for PHP.
You would need this; then you could construct a PKCS#7 and sign it using that library.
Unfortunately, absent that, you will need to use the CLI.