How can I use key material from a PKCS#11 compliant HSM 开发者_JAVA技巧(for example a SafeNet iKey 2032 [USB] or a Aladdin eToken PRO [USB]) in PHP application running on a Linux server?
I have not seen, and a cursory search has not found, a PCKS#11 glue library for PHP. Probably not the answer you're looking for. (: If you have better search fu than I, do update this thread.
I think your best bet would be to write a C program that calls PKCS#11 and accesses the HSM, and call that from your PHP app as an external binary. Even if a PKCS#11 wrapper emerges for PHP, this approach will give you the full API available to the C code rather than having to make do with whatever the author of the wrapper needed to satisfy their own requirements. PKCS#11 is a large API, and wrapper implementations are often less than complete.
You need to look at the pkcs11-helper from OpenSC project. It will be a hard way if you will try to access the PKCS#11 module directly from PHP.
You should use php-pkcs11 which allows keeping your private keys into a HSM (Hardware vault) based on the PKCS11 standard from the Oasis organisation. See: https://github.com/gamringer/php-pkcs11
Your HSM can be a USB stick, a TPM or a SmartCard.
i am assuming you are asking about users using their tokens to generate signatures. the signatures are generated on the client side, i.e. in the browser. the fact that your solution is on linux/php does not matter.
you have to add a software component called a signer, which will read the certificate and generate the signature.
existing open source signers are written in java, with the reason that a java applet is still the most available client side technology.
精彩评论