Document toolboxDocument toolbox

Use Signature slot in Identity Manager

This article includes updates for Smart ID 23.04.4. 



Separate signature slots containing a signature certificate, protected by an additional PIN, is an additional security measure, typically used for Qualified Electronic Signatures(QES). Currently, Identity Manager supports the signature slot for the following middleware:

  • Gemalto (since PRIME 3.12)

  • Personal (since Identity Manager 22.10.2) 

  • Idopte  (since Identity Manager 23.04.4)

In this article you can find general information regarding signature slot. For use cases for a specific middleware, follow the links above.

Prerequisites

A token that supports the signature slot. For details, see the section referring to the signature slot in the middleware pages linked above.

Use cases

To explicitly select the signature slot as a target for your application, use the Location keyword in the respective Application_* section. Location supports only one value: Signature. Any other value will point to the default slot, as will omitting the Location keyword altogether. The value can either be hard coded in the encoding description (e.g. Location=#Signature) or it can reference a field (for example, Location=LOCATION_FIELD)

In the following example a certificate is written to the default slot (authenticated by PIN), one to the signature slot (authenticated by SignPIN) and one's location is determined at runtime by the field LOCATION_FIELD.

Explicitly selecting slots
[Fields] PIN= SIGN_PIN= LOCATION_FIELD=    [Description] PKCS11Library=yourMiddleware.dll ApplicationList=ABC # Default slot credentials PIN=PIN # Signature slot credentials SignPIN=SIGN_PIN [Application_A] # Write a certificate to the default slot KeySize=2048 CertTempl=myAuthCertTemplate [Application_B] # Write a certificate to the signature slot KeySize=2048 CertTempl=myAuthCertTemplate Location=#signature [Application_C] # Determine the slot to Write a certificate using process variables KeySize=2048 CertTempl=mySigCertTemplate Location=LOCATION_FIELD





The PINs for the signature slot can be changed similarly to the standard P11 PIN/PUK handling, but with different keywords:

Standard P11 PIN/PUK keywords

Signature PIN/PUK keywords

Standard P11 PIN/PUK keywords

Signature PIN/PUK keywords

PIN

SignPIN

PUK

SignPUK

InitialPUK

InitialSignPUK

Pin_Validation

SignPin_Validation

Examples

Example: Change signature PUK and signature PIN using field values
[Fields] OLD_SIGN_PUK= NEW_SIGN_PUK= NEW_SIGN_PIN= [Description] PKCS11Library=yourMiddleware.dll SetPin=true InitialSignPUK=OLD_SIGN_PUK SignPUK=NEW_SIGN_PUK SignPIN=NEW_SIGN_PIN



Example: Change signature PIN by entering old and new values. PIN must be at least 4 digits long
[Description] PKCS11Library=yourMiddleware.dll SetPin=true SignPIN=!FROM_USER_DIALOG_3_FIELD SignPin_Validation=reg_exp([0-9]{4,})



Related information

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions