问题
How can I use key material from a PKCS#11 compliant HSM (for example a SafeNet iKey 2032 [USB] or a Aladdin eToken PRO [USB]) in PHP application running on a Linux server?
回答1:
I have not seen, and a cursory search has not found, a PCKS#11 glue library for PHP. Probably not the answer you're looking for. (: If you have better search fu than I, do update this thread.
I think your best bet would be to write a C program that calls PKCS#11 and accesses the HSM, and call that from your PHP app as an external binary. Even if a PKCS#11 wrapper emerges for PHP, this approach will give you the full API available to the C code rather than having to make do with whatever the author of the wrapper needed to satisfy their own requirements. PKCS#11 is a large API, and wrapper implementations are often less than complete.
回答2:
You need to look at the pkcs11-helper from OpenSC project. It will be a hard way if you will try to access the PKCS#11 module directly from PHP.
回答3:
i am assuming you are asking about users using their tokens to generate signatures. the signatures are generated on the client side, i.e. in the browser. the fact that your solution is on linux/php does not matter.
you have to add a software component called a signer, which will read the certificate and generate the signature.
existing open source signers are written in java, with the reason that a java applet is still the most available client side technology.
来源:https://stackoverflow.com/questions/3231293/how-to-interface-with-pkcs11-compliant-hsm-device-in-php