I have learned a few lessons about working with the Luna JSP.
#1: Even though you use the same KeyStore interface for accessing a file-based Java keystore (*.jks) and an HSM, don’t make the mistake of thinking that the objects that you get out of the keystore are the same. The HSM does not return actual credentials to you; it only gives you a reference to an object stored on the HSM. You cannot read or use the object, you can only pass the reference back to methods implemented by the HSM security provider.
More specifically, do not try to assign objects that you get from a keystore to a variable name. You are likely to encounter problems later, when you try to access that stored object and it’s not really there.
#2: This should have been self-evident, but I made the mistake of simply copying code from the iText examples without completely understanding it. You must use the Luna security provider when accessing stored credentials. IText’s default provider, Bouncy Castle, knows nothing about pointers to keys stored on an HSM, and you are likely to get a “Cannot access sensitive attributes…” error indicating that an attempt to get a key stored on the HSM failed.
KeyStore keystore = KeyStore.getInstance('Luna') keystore.load(null, null) PrivateKey privateKey = keystore.getKey('private_key_label') ... PdfPKCS7 sgn = new PdfPKCS7( (PrivateKey) privateKey, (Certificate) certificateChain, null, 'SHA1', null, false )
KeyStore keystore = KeyStore.getInstance('Luna') keystore.load(null, null) ... PdfPKCS7 sgn = new PdfPKCS7( (PrivateKey) keystore.getKey('private_key_label'), (Certificate) keystore.getCertificateChain('ca_chain_label'), null, 'SHA1', 'LunaProvider', false )