EuroCert Cloud Signing

This post is to record collected information about EuroCert cloud signing.

It seems EuroCert provides a PKCS11 driver DLL for Windows: ECSPKCS11.dll.

Question: Does this driver DLL communicate with the EuroCert servers to do the signing in the Cloud? (i.e. where the hash to be signed is sent via some REST API to a EuroCert server to be signed by a specified HSM in the cloud?) This is how AWS CloudHSM works. The local Windows application interacts with AWS’s CloudHSM PKCS11 driver, and the driver communicates with the AWS server where the signing happens on an HSM on the AWS server.

Here is the information we received from EuroCert: “The PKCS#11 library is not standalone and it requires the ECSigner Desktop client to function. The library itself is merely a standard PKCS#11 interface that invokes the ECSigner Desktop application for session establishment, OTP request and submission, and creates requests to the REST API at https://ecsigner.eurocert.pl. Therefore, the PKCS#11 component itself does not communicate with the cloud in any way; it merely passes information to the ECSigner Desktop, which then builds the request to the REST API. The ECSigner Desktop is a client that provides a cloud-only service.”

Also, it seems that EuroCert provides a CNG CSP (Cryptographic Service Provider) named “EC Signer CSP”. I think the “EC Signer CSP” also communicates with the ECSigner Desktop application. Assuming your EuroCert certificate is installed on Windows and is visible in certmgr.msc, it should already be associated with the “EC Signer CSP”, and to use it in Chilkat you would load the Chilkat.Cert object by calling Cert.LoadByCommonName. One possible issue is that Chilkat may conclude there is no private key available for signing; this depends on what the CSP reports to Chilkat. The CSP should indicate that the private key exists but is non-exportable (because the key lives in the cloud).

It would seem that it should be possible to sign with a EuroCert certificate loaded via Cert.LoadByCommonName if the ECSigner Desktop client application is running and the user is signed in (i.e. a session exists).
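To see what the Windows certificate store reports about the key before involving Chilkat, the following diagnostic (added here; not Chilkat's or EuroCert's code) looks the certificate up by common name in the current user's Personal store and reports the key provider name and exportability through both the legacy CryptoAPI CSP path and the CNG path. It assumes Windows PowerShell 5.1 and uses a placeholder common name that you replace with the CN shown in certmgr.msc.

```powershell
# Added diagnostic, not part of the original post. Assumes Windows PowerShell 5.1 and
# that the EuroCert certificate is installed in Cert:\CurrentUser\My.
function Get-SigningKeyInfo {
    param([Parameter(Mandatory)][string]$CommonName)
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like "*CN=$CommonName*" } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN '$CommonName' in Cert:\CurrentUser\My" }

    $info = [ordered]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # what the store says before the key is touched
        KeyApi        = $null
        Provider      = $null
        Container     = $null
        Exportable    = $null
    }

    # Path 1: legacy CryptoAPI CSP (a provider named "... CSP" normally registers here).
    try {
        $csp = $cert.PrivateKey.CspKeyContainerInfo
        if ($csp) {
            $info.KeyApi     = 'CryptoAPI CSP'
            $info.Provider   = $csp.ProviderName
            $info.Container  = $csp.KeyContainerName
            $info.Exportable = $csp.Exportable
        }
    } catch {
        # .NET throws here when the key is CNG-backed; fall through to path 2.
    }

    # Path 2: CNG key storage provider.
    if (-not $info.Provider) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $info.KeyApi     = 'CNG KSP'
                $info.Provider   = $rsa.Key.Provider.Provider
                $info.Container  = $rsa.Key.KeyName
                $info.Exportable = ($rsa.Key.ExportPolicy -ne 'None')
            }
        } catch { $info.KeyApi = "error: $($_.Exception.Message)" }
    }
    [pscustomobject]$info
}

# Placeholder CN: replace with the common name shown in certmgr.msc.
Get-SigningKeyInfo -CommonName '<your EuroCert certificate CN>' | Format-List
```

If HasPrivateKey is True and Provider shows the “EC Signer CSP” with Exportable False, the store is describing the key the way the post expects; if HasPrivateKey is False or both paths fail, the certificate is not bound to the provider and Chilkat will not find a key to sign with either.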