Info |
---|
This article includes updates for Smart ID 23.04.4. |
Separate signature slots containing a signature certificate, protected by an additional PIN, is an additional security measure, typically used for Qualified Electronic Signatures(QES). Currently, Identity Manager supports the signature slot for the following middleware:
- Gemalto (since PRIME 3.12)
- Personal (since Identity Manager 22.10.2)
- Idopte (since Identity Manager 23.04.4)
In this article you can find general information regarding signature slot. For use cases for a specific middleware, follow the links above.
Prerequisites
Expand |
---|
|
A token that supports the signature slot. For details, see the section referring to the signature slot in the middleware pages linked above. |
Use cases
Expand |
---|
title | Write to the signature slot |
---|
|
To explicitly select the signature slot as a target for your application, use the Location keyword in the respective Application_* section. Location supports only one value: Signature. Any other value will point to the default slot, as will omitting the Location keyword altogether. The value can either be hard coded in the encoding description (e.g. Location=#Signature) or it can reference a field (for example, Location=LOCATION_FIELD) In the following example a certificate is written to the default slot (authenticated by PIN), one to the signature slot (authenticated by SignPIN) and one's location is determined at runtime by the field LOCATION_FIELD. Code Block |
---|
title | Explicitly selecting slots |
---|
| [Fields]
PIN=
SIGN_PIN=
LOCATION_FIELD=
[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
# Default slot credentials
PIN=PIN
# Signature slot credentials
SignPIN=SIGN_PIN
[Application_A]
# Write a certificate to the default slot
KeySize=2048
CertTempl=myAuthCertTemplate
[Application_B]
# Write a certificate to the signature slot
KeySize=2048
CertTempl=myAuthCertTemplate
Location=#signature
[Application_C]
# Determine the slot to Write a certificate using process variables
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD |
|
Expand |
---|
title | Change signature slot credentials |
---|
|
The PINs for the signature slot can be changed similarly to the standard P11 PIN/PUK handling, but with different keywords: Standard P11 PIN/PUK keywords | Signature PIN/PUK keywords |
---|
PIN | SignPIN | PUK | SignPUK | InitialPUK | InitialSignPUK | Pin_Validation | SignPin_Validation |
Examples Code Block |
---|
title | Example: Change signature PUK and signature PIN using field values |
---|
| [Fields]
OLD_SIGN_PUK=
NEW_SIGN_PUK=
NEW_SIGN_PIN=
[Description]
PKCS11Library=yourMiddleware.dll
SetPin=true
InitialSignPUK=OLD_SIGN_PUK
SignPUK=NEW_SIGN_PUK
SignPIN=NEW_SIGN_PIN |
Code Block |
---|
title | Example: Change signature PIN by entering old and new values. PIN must be at least 4 digits long |
---|
| [Description] PKCS11Library=yourMiddleware.dll
SetPin=true
SignPIN=!FROM_USER_DIALOG_3_FIELD
SignPin_Validation=reg_exp([0-9]{4,}) |
|
...
Related information