Update the code of the C4_01_SignWithPKCS11HSM.java signature sample as explained in the following sections.
Updating the properties path
The C4_01_SignWithPKCS11HSM.java code loads the signkey.properties file from the C:/ root folder.
properties.load(new FileInputStream("C:/signkey.properties"));
Update this line to use the relative path of the signkey.properties file.
properties.load(new FileInputStream("./config/signkey.properties"));
Selecting the certificate
The following line of the C4_01_SignWithPKCS11HSM.java code selects the alias of the signing certificate.
String alias = ks.aliases().nextElement();
However, this line simply takes the first alias the token returns, which may belong to the wrong certificate – for example, an expired predecessor when the token holds successive renewals of the signing certificate under the same label. Before updating this line, list all the certificate labels with the signingclient list certificates command.
If each certificate has a unique label, set this line as follows.
String alias = "<label>";
If different certificates share the same label, set this line as follows.
String alias = "<label>/<issuer>/<sn>";
Where:
<label> is the label returned by the signingclient list certificates command.
<issuer> is the DN (Distinguished Name) of the certificate issuer, as it appears in the Issuer field of the signing certificate.
<sn> is the Serial Number of the certificate in decimal representation, as opposed to the hexadecimal representation printed by the signingclient list certificates command.
As explained in the Oracle documentation:
If multiple certificates share the same CKA_LABEL, then the alias is derived from the CKA_LABEL plus the end entity certificate issuer and serial number ("MyCert/CN=foobar/1234", for example).
Checking certificate selection
Below the following line of the C4_01_SignWithPKCS11HSM.java code:
Certificate[] chain = ks.getCertificateChain(alias);
add a check that throws an exception when the selected alias does not correspond to a valid signing certificate, where pk is the PrivateKey the sample retrieves with ks.getKey(alias, pass). Both lookups return null rather than throwing when the alias does not exist on the token, so without this check the failure only surfaces later, when signing is attempted.
if (pk == null || chain == null) {
    throw new IllegalArgumentException("Couldn't find a certificate with the specified label");
}
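The three steps above (relative properties path, alias selection by label, null check on key and chain) can be combined into a single helper. The following class is an added example and is not part of the iText sample or of the signingclient tooling. It resolves the alias by walking ks.aliases() and matching the label and, optionally, the serial number on the certificate itself, so the "<label>/<issuer>/<sn>" string never has to be typed by hand, and it adds the validity check a plain null test does not give you. The decimalSerial method performs the hexadecimal-to-decimal conversion the section above requires. The HSM_PIN environment variable, the command-line arguments and the Java 9+ Provider.configure call are assumptions of this example; the iText sample constructs the SunPKCS11 provider directly from the config file instead.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not part of the iText sample or the signingclient tooling.
 * Picks the signing alias from a PKCS#11 KeyStore by certificate label and
 * (optionally) serial number, and refuses to continue unless the alias maps
 * to a currently valid certificate chain and a reachable private key.
 */
public class SigningAliasResolver {

    /** Converts the hexadecimal serial printed by "signingclient list certificates"
     *  (e.g. "0A:1B:2C", "0x0A1B2C" or "0a1b2c") to the decimal form used in
     *  SunPKCS11 aliases. */
    public static String decimalSerial(String hexSerial) {
        String digits = hexSerial.trim().replaceAll("^0[xX]", "").replaceAll("[^0-9A-Fa-f]", "");
        return new BigInteger(digits, 16).toString();
    }

    /**
     * Returns the alias whose end-entity certificate has the given CKA_LABEL and,
     * when hexSerial is not null, the given serial number. When hexSerial is null,
     * exactly one label match must be valid today (the renewed certificate).
     * Matching on the certificate rather than on a hand-built
     * "<label>/<issuer>/<sn>" string avoids depending on how the provider
     * formats the issuer DN inside the alias.
     */
    public static String resolveAlias(KeyStore ks, String label, String hexSerial, char[] pin)
            throws Exception {
        BigInteger wanted = hexSerial == null ? null : new BigInteger(decimalSerial(hexSerial));
        List<String> valid = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            // SunPKCS11 aliases are either "<label>" or "<label>/<issuer>/<sn>".
            if (!alias.equals(label) && !alias.startsWith(label + "/")) {
                continue;
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                continue; // bare key or trusted-certificate entry, not a signing credential
            }
            X509Certificate cert = (X509Certificate) chain[0];
            if (wanted != null && !cert.getSerialNumber().equals(wanted)) {
                continue;
            }
            try {
                cert.checkValidity(); // throws when expired or not yet valid
            } catch (CertificateException e) {
                if (wanted != null) {
                    throw new IllegalArgumentException("Certificate " + alias + " is not valid today", e);
                }
                continue; // expired predecessor that shares the label
            }
            valid.add(alias);
        }
        if (valid.size() != 1) {
            throw new IllegalArgumentException("Expected one valid certificate for label '" + label
                    + "' but found " + valid.size() + ": " + valid);
        }
        String alias = valid.get(0);
        PrivateKey pk = (PrivateKey) ks.getKey(alias, pin);
        if (pk == null) {
            throw new IllegalArgumentException("No private key reachable for alias " + alias);
        }
        return alias;
    }

    /** Usage: java SigningAliasResolver <pkcs11.cfg> <label> [<hex serial>]
     *  with the token PIN in the HSM_PIN environment variable (assumed by this example). */
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // Offline demonstration of the serial conversion on a constructed value.
            System.out.println("0x0A1B2C -> " + decimalSerial("0x0A1B2C"));
            return;
        }
        String pinEnv = System.getenv("HSM_PIN");
        if (pinEnv == null) {
            throw new IllegalStateException("Set HSM_PIN to the token PIN");
        }
        char[] pin = pinEnv.toCharArray();
        // Java 9+ way to instantiate SunPKCS11 from a config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        String alias = resolveAlias(ks, args[1], args.length > 2 ? args[2] : null, pin);
        System.out.println("Selected alias: " + alias);
    }
}
```

In the sample, replace the ks.aliases().nextElement() line with a call to resolveAlias and keep the null check that follows it; the helper fails fast with a message naming the label and serial, which is far easier to diagnose than a signature produced with an expired certificate or a NullPointerException several lines later.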