Bug 68483 - Exception when Sign office with private key in HSM - Private Exponent value is sensitive.
Status: NEW
Alias: None
Product: POI
Classification: Unclassified
Component: XWPF
Version: 5.2.3-FINAL
Hardware: PC Linux
Importance: P2 blocker
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-01-15 18:01 UTC by Nguyen Dat
Modified: 2024-01-15 18:01 UTC



Attachments
Exception (7.65 KB, text/plain)
2024-01-15 18:01 UTC, Nguyen Dat

Description Nguyen Dat 2024-01-15 18:01:47 UTC
Created attachment 39519
Exception

I am trying to sign an Office document with an HSM in Java. When I use a p12 or pfx file, signing succeeds with no problem. But when I try to use an HSM (Utimaco) to do that, I get an exception: java.lang.UnsupportedOperationException: Private Exponent value is sensitive. Maybe in Apache POI, loading a private key from an HSM is not allowed. I can sign PDF (with iText) or sign XML with the HSM => no problem.

What should I do in this case?
My sample:

    import java.security.Provider;
    import java.security.Security;
    import java.util.Collections;
    import java.util.Date;

    import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
    import org.apache.poi.openxml4j.opc.OPCPackage;
    import org.apache.poi.poifs.crypt.HashAlgorithm;
    import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
    import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

    // tempDoc, cryptoSource, keyAndCert and log come from the surrounding application;
    // ProviderConfig is the application's wrapper around the Utimaco PKCS#11 provider setup.
    OPCPackage pkg = null;
    try {
        pkg = OPCPackage.open(tempDoc);
    } catch (InvalidFormatException ex) {
        ex.printStackTrace();
    }

    // Register the HSM provider so the JCA can route operations to the key's owner
    ProviderConfig providerConfig = new ProviderConfig(cryptoSource.getModule(), cryptoSource.getSlot(),
            cryptoSource.getPin());
    Provider provider = providerConfig.getProvider();
    Security.addProvider(provider);

    // Signing parameters; the private key handle refers to a key held inside the HSM
    SignatureConfig sic = new SignatureConfig();
    sic.setKey(keyAndCert.getPrivateKey());
    sic.setDigestAlgo(HashAlgorithm.sha256);
    sic.setSigningCertificateChain(Collections.singletonList(keyAndCert.getCertificate()));
    sic.setIncludeEntireCertificateChain(false);
    sic.setSignatureDescription("Thích");
    sic.setExecutionTime(new Date());
    sic.setXadesDigestAlgo(HashAlgorithm.sha256);

    SignatureInfo si = new SignatureInfo();
    si.setSignatureConfig(sic);
    si.setOpcPackage(pkg);
    boolean isValid = si.verifySignature();   // checks any signature already present in the package
    log.error("verifySignature: {} ", isValid);
    si.confirmSignature();                     // signs the package; the reported exception occurs during signing
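For context on the exception, an added example that is not from the bug report or from Apache POI: a constructed RSAPrivateKey test double that behaves like a PKCS#11 key whose CKA_SENSITIVE attribute is set (the modulus is readable, the private exponent is not), a probe that tells a software (p12/pfx) key from an HSM-resident one before it is handed to a signing library, and the provider-backed JCA signing path that never reads the private exponent. The class and method names (SensitiveKeyDemo, SensitiveRsaPrivateKey, exportsPrivateExponent, signSha256WithRsa) are my own, and the test double stands in for, but is not, an HSM provider's key class.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// Added example (not from the bug report or Apache POI): why code that reads RSA key
// components fails on an HSM-held key, and the signing pattern that does not need them.
public class SensitiveKeyDemo {

    // Constructed test double for a PKCS#11 key with CKA_SENSITIVE set: the public
    // modulus can be read, the private exponent cannot, and there is no encoding.
    static final class SensitiveRsaPrivateKey implements RSAPrivateKey {
        private final RSAPrivateKey inner;

        SensitiveRsaPrivateKey(RSAPrivateKey inner) { this.inner = inner; }

        @Override public BigInteger getModulus() { return inner.getModulus(); }

        @Override public BigInteger getPrivateExponent() {
            // Same behaviour a PKCS#11 provider shows for a non-extractable key
            throw new UnsupportedOperationException("Private Exponent value is sensitive");
        }

        @Override public String getAlgorithm() { return "RSA"; }
        @Override public String getFormat() { return null; }   // no export format
        @Override public byte[] getEncoded() { return null; }  // key material never leaves the token
    }

    // Pre-flight probe: can this key be used by code that extracts its components?
    // Returns false for HSM-resident keys, which only their owning provider can use.
    static boolean exportsPrivateExponent(PrivateKey key) {
        if (!(key instanceof RSAPrivateKey)) {
            return false;
        }
        try {
            ((RSAPrivateKey) key).getPrivateExponent();
            return true;
        } catch (UnsupportedOperationException e) {
            return false;
        }
    }

    // Provider-backed signing: the key object is handed to the JCA Signature engine
    // and the provider performs the arithmetic. For an HSM key, pass the HSM's
    // Provider so the default software provider never tries to translate the key.
    static byte[] signSha256WithRsa(PrivateKey key, Provider provider, byte[] data)
            throws GeneralSecurityException {
        Signature sig = (provider == null)
                ? Signature.getInstance("SHA256withRSA")
                : Signature.getInstance("SHA256withRSA", provider);
        sig.initSign(key);
        sig.update(data);
        return sig.sign();
    }

    static boolean verifySha256WithRsa(RSAPublicKey pub, byte[] data, byte[] signature)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        RSAPrivateKey softwareKey = (RSAPrivateKey) kp.getPrivate();
        PrivateKey hsmLikeKey = new SensitiveRsaPrivateKey(softwareKey);

        // A software key (as loaded from p12/pfx) exports its components; the HSM-like key does not
        System.out.println("software key exports d:  " + exportsPrivateExponent(softwareKey));
        System.out.println("sensitive key exports d: " + exportsPrivateExponent(hsmLikeKey));

        // Signing path that works for both kinds of key: let the JCA provider do the work
        byte[] data = "constructed sample document bytes".getBytes(StandardCharsets.UTF_8);  // constructed input
        byte[] signature = signSha256WithRsa(softwareKey, null, data);
        System.out.println("software signature verifies: "
                + verifySha256WithRsa((RSAPublicKey) kp.getPublic(), data, signature));
        // With a real HSM key, signSha256WithRsa(hsmKey, hsmProvider, data) follows the same
        // path without ever reading the private exponent. The test double has no owning
        // provider, so here it only demonstrates the failing probe above.
    }
}
```

The probe reproduces the report's symptom in isolation: the exception is not a fault in the key but the HSM refusing, by design, to export private key material. Any signing pipeline that needs the raw RSA components (for example to rebuild the key in a software provider) cannot work with a non-extractable key; the pipeline has to hand the key object to the provider that holds it, which is what the Signature.getInstance(algorithm, provider) form does.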