WS-Security SOAP Signing with HSM (FIPS / PKCS#11)

Question:

We are implementing a web service integration that requires WS-Security signing of SOAP envelopes using a Hardware Security Module (HSM). Our HSM runs in FIPS mode and private keys are non-exportable.

Requirements (per official specification)

Blocks to sign: TimeStamp and Body
Key identifier: DirectReference in the signature header
Canonicalization algorithm: http://www.w3.org/2001/10/xml-exc-c14n#
Signature method algorithm: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
Certificate type: Qualified certificate accessed via PKCS#11

Review & Observations

We have reviewed the Chilkat examples (including WSSE SecurityTokenReference and XMLDSig), but did not find a direct way to authenticate to an HSM via PKCS#11 and perform the signing operation without exporting the key or using a PFX.

Note: The HSM’s private keys are non-exportable and the device operates in FIPS mode, so the signature must be performed inside the HSM using PKCS#11 sessions.

Confirmation Requested

  1. Does Chilkat currently support WSSE XML signature directly with HSM (PKCS#11) keys?
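Whatever library performs the HSM signing, the resulting envelope has to match the five requirements listed in the question, and it is worth checking that before sending. The following is an added example, not code from the original post and not Chilkat code: a stdlib-only Python check that parses a WS-Security signed SOAP envelope and reports where it departs from the requirements (exclusive C14N, rsa-sha256, Timestamp and Body both referenced, and a DirectReference from KeyInfo to a BinarySecurityToken in the same header). It checks structure only and does not verify digests or the signature value; the sample envelope, its identifiers (`TS-1`, `Body-1`, `X509-1`) and all base64 values are constructed placeholders, and `sample_envelope`/`check_wsse_signature` are names chosen here.

```python
"""Structural conformance check for a WS-Security signed SOAP envelope (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
WSU_ID = "{%s}Id" % NS["wsu"]


def _q(prefix, local):
    """Clark-notation tag for a prefixed name."""
    return "{%s}%s" % (NS[prefix], local)


def check_wsse_signature(envelope_xml):
    """Return a list of findings; an empty list means the envelope meets the listed requirements."""
    findings = []
    root = ET.fromstring(envelope_xml)
    # Index every wsu:Id so same-document Reference URIs can be resolved.
    by_id = {}
    for el in root.iter():
        wsu_id = el.get(WSU_ID)
        if wsu_id is not None:
            if wsu_id in by_id:
                findings.append("duplicate wsu:Id %r" % wsu_id)
            by_id[wsu_id] = el
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return findings + ["no wsse:Security header"]
    signatures = security.findall("ds:Signature", NS)
    if len(signatures) != 1:
        return findings + ["expected exactly one ds:Signature, found %d" % len(signatures)]
    sig = signatures[0]
    signed_info = sig.find("ds:SignedInfo", NS)
    if signed_info is None:
        return findings + ["ds:Signature has no ds:SignedInfo"]
    # Canonicalization and signature algorithms must be exactly the required ones.
    c14n = signed_info.find("ds:CanonicalizationMethod", NS)
    if c14n is None or c14n.get("Algorithm") != EXC_C14N:
        findings.append("CanonicalizationMethod is not %s" % EXC_C14N)
    sig_method = signed_info.find("ds:SignatureMethod", NS)
    if sig_method is None or sig_method.get("Algorithm") != RSA_SHA256:
        findings.append("SignatureMethod is not %s" % RSA_SHA256)
    # Each Reference must resolve inside this envelope; together they must cover Timestamp and Body.
    covered = set()
    for ref in signed_info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in by_id:
            findings.append("Reference URI %r does not resolve to a wsu:Id in this envelope" % uri)
            continue
        covered.add(by_id[uri[1:]].tag)
        transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
        if EXC_C14N not in transforms:
            findings.append("Reference %s has no exclusive C14N transform" % uri)
    if _q("wsu", "Timestamp") not in covered:
        findings.append("wsu:Timestamp is not covered by the signature")
    if _q("soapenv", "Body") not in covered:
        findings.append("soapenv:Body is not covered by the signature")
    # Key identifier: a DirectReference (wsse:Reference) to a BinarySecurityToken in the same header.
    direct_ref = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if direct_ref is None:
        findings.append("KeyInfo does not use wsse:Reference (DirectReference)")
    else:
        uri = direct_ref.get("URI", "")
        token = by_id.get(uri[1:]) if uri.startswith("#") else None
        if token is None or token.tag != _q("wsse", "BinarySecurityToken"):
            findings.append("DirectReference %r does not point at a wsse:BinarySecurityToken" % uri)
    return findings


# Constructed sample envelope: certificate, digests and signature value are placeholders, not real data.
ENVELOPE_TEMPLATE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
    xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
  <soapenv:Header><wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%(x509v3)s"
        EncodingType="%(b64)s">MIIBplaceholder=</wsse:BinarySecurityToken>
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2024-01-01T00:00:00Z</wsu:Created>
      <wsu:Expires>2024-01-01T00:05:00Z</wsu:Expires></wsu:Timestamp>
    <ds:Signature><ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="%(c14n)s"/>
      <ds:SignatureMethod Algorithm="%(sig_method)s"/>
      <ds:Reference URI="#TS-1"><ds:Transforms><ds:Transform Algorithm="%(c14n)s"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder=</ds:DigestValue></ds:Reference>
      <ds:Reference URI="#Body-1"><ds:Transforms><ds:Transform Algorithm="%(c14n)s"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>placeholder=</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference>%(key_ref)s</wsse:SecurityTokenReference></ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soapenv:Header>
  <soapenv:Body wsu:Id="Body-1"><ns:Ping xmlns:ns="urn:example"/></soapenv:Body>
</soapenv:Envelope>"""


def sample_envelope(signature_method=RSA_SHA256, direct_reference=True):
    """Build the constructed sample; flags let callers produce a non-conforming variant."""
    if direct_reference:
        key_ref = '<wsse:Reference URI="#X509-1" ValueType="%s"/>' % X509V3
    else:  # thumbprint KeyIdentifier instead of a DirectReference
        key_ref = ('<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/'
                   'oasis-wss-soap-message-security-1.1#ThumbprintSHA1">placeholder=</wsse:KeyIdentifier>')
    return ENVELOPE_TEMPLATE % dict(NS, x509v3=X509V3, b64=B64, c14n=EXC_C14N,
                                    sig_method=signature_method, key_ref=key_ref)


if __name__ == "__main__":
    print("conforming:", check_wsse_signature(sample_envelope()))
    print("non-conforming:", check_wsse_signature(sample_envelope(RSA_SHA1, direct_reference=False)))
```

Run against the envelope your signer actually emits, the conforming sample returns no findings, while the variant with rsa-sha1 and a thumbprint KeyIdentifier reports both deviations. Cryptographic verification of the digests and SignatureValue still needs an XML-DSig library that implements exclusive C14N; this check only confirms the envelope is shaped the way the specification requires.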

Answer:

Chilkat supports WSSE XML signatures with HSM (PKCS#11) keys. The process begins by loading a certificate into a Cert object using Cert.LoadFromSmartcard.

This method automatically detects connected HSMs and loads the first certificate with an available private key. It also chooses the correct interface (PKCS#11, Windows ScMinidriver, or MS CryptoAPI) based on the environment. You can target a specific certificate by attributes such as Subject CN or serial number.

For advanced scenarios, Chilkat offers lower-level PKCS11 and ScMinidriver classes to directly inspect and select certificates from an HSM.

Once loaded, the certificate is used by passing it to XmlDSigGen.SetX509Cert.

Supported Certificate Sources

  • HSM with non-exportable hardware keys
  • Windows certificate store (exportable or non-exportable keys)
  • .pfx / .p12 files
  • Apple Keychain
  • PEM files