This article includes updates for Smart ID 23.04.4.
A separate signature slot holding a signature certificate and protected by its own PIN is an additional security measure, typically used for Qualified Electronic Signatures (QES). Currently, Identity Manager supports the signature slot for the following middleware:
This article contains general information about the signature slot. For use cases for a specific middleware, follow the links above.
Prerequisites
A token that supports the signature slot. For details, see the signature slot section of the middleware pages linked above.
Use cases
Write to the signature slot
To explicitly select the signature slot as the target for an application, use the Location keyword in the respective Application_* section. Location supports only one value: Signature. Any other value points to the default slot, as does omitting the Location keyword altogether. The value can either be hard coded in the encoding description (e.g. Location=#Signature) or reference a field (for example, Location=LOCATION_FIELD).
In the following example, one certificate is written to the default slot (authenticated by PIN), one to the signature slot (authenticated by SignPIN), and one whose location is determined at runtime by the field LOCATION_FIELD.
Explicitly selecting slots
[Fields]
PIN=
SIGN_PIN=
LOCATION_FIELD=
[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
# Default slot credentials
PIN=PIN
# Signature slot credentials
SignPIN=SIGN_PIN
[Application_A]
# Write a certificate to the default slot
KeySize=2048
CertTempl=myAuthCertTemplate
[Application_B]
# Write a certificate to the signature slot
KeySize=2048
CertTempl=myAuthCertTemplate
Location=#signature
[Application_C]
# Determine the slot to write the certificate to at runtime, from the LOCATION_FIELD process variable
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD
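Because any Location value other than Signature silently falls back to the default slot, a typo in the literal (or a reference to a field that was never declared) means a certificate meant for the PIN-protected signature slot quietly ends up in the default slot. The following added example, which is not part of the original article or of any Nexus tool, is a small lint for encoding descriptions in the format shown above ([Section] headers, Key=Value lines, # comments). It parses the description, flags Location literals that are not Signature, flags Location field references missing from [Fields], and checks that SignPIN is configured whenever some application can target the signature slot. The sample descriptions it runs on are constructed for the example; the Signature literal is accepted case-insensitively because the article's own example writes it in lower case.

```python
# Constructed sample mirroring the structure of the article's
# "Explicitly selecting slots" example (not the article's text verbatim).
GOOD_ENCODING = """
[Fields]
PIN=
SIGN_PIN=
LOCATION_FIELD=
[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=ABC
PIN=PIN
SignPIN=SIGN_PIN
[Application_A]
KeySize=2048
CertTempl=myAuthCertTemplate
[Application_B]
KeySize=2048
CertTempl=mySigCertTemplate
Location=#Signature
[Application_C]
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD
"""

# Constructed "bad" sample: a typo in the literal, a reference to a field that
# was never declared, and no SignPIN in [Description].
BAD_ENCODING = """
[Fields]
PIN=
[Description]
PKCS11Library=yourMiddleware.dll
ApplicationList=AB
PIN=PIN
[Application_A]
KeySize=2048
CertTempl=mySigCertTemplate
Location=#Signatur
[Application_B]
KeySize=2048
CertTempl=mySigCertTemplate
Location=LOCATION_FIELD
"""


def parse_encoding(text):
    """Parse [Section] / Key=Value lines; '#' lines are comments, keys keep their case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def lint_signature_slots(text):
    """Return a list of findings (empty list means the description looks consistent)."""
    sections = parse_encoding(text)
    fields = sections.get("Fields", {})
    desc = sections.get("Description", {})
    findings = []
    may_target_signature_slot = False
    for name, app in sections.items():
        if not name.startswith("Application_"):
            continue
        loc = app.get("Location")
        if loc is None:
            continue  # no Location keyword: default slot, as the article documents
        if loc.startswith("#"):
            # Hard-coded literal: only 'Signature' selects the signature slot.
            if loc[1:].lower() != "signature":
                findings.append(f"{name}: Location literal '{loc}' is not 'Signature'; "
                                "the certificate would silently land in the default slot")
            else:
                may_target_signature_slot = True
        else:
            # Field reference: resolved at runtime, so it may select the signature slot.
            may_target_signature_slot = True
            if loc not in fields:
                findings.append(f"{name}: Location references field '{loc}' "
                                "that is not declared in [Fields]")
    if may_target_signature_slot:
        sign_pin = desc.get("SignPIN")
        if sign_pin is None:
            findings.append("[Description]: an application can target the signature slot "
                            "but no SignPIN is configured")
        elif sign_pin not in fields:
            findings.append(f"[Description]: SignPIN references field '{sign_pin}' "
                            "that is not declared in [Fields]")
    return findings


if __name__ == "__main__":
    for label, enc in (("good", GOOD_ENCODING), ("bad", BAD_ENCODING)):
        print(label, lint_signature_slots(enc) or "no findings")
```

Running the lint over a description before it is deployed turns a silent fallback to the default slot into a visible finding; the bad sample yields one finding for the mistyped literal, one for the undeclared field, and one for the missing SignPIN.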
Change signature slot credentials
The PIN and PUK of the signature slot are changed in the same way as with standard P11 PIN/PUK handling, but using different keywords:
Standard P11 PIN/PUK keyword    Signature PIN/PUK keyword
PIN                             SignPIN
PUK                             SignPUK
InitialPUK                      InitialSignPUK
Pin_Validation                  SignPin_Validation
Examples
Example: Change signature PUK and signature PIN using field values