Fix algorithm check to not assume software key instances to work with PKCS#11 #76
DNSSEC signing does not currently work with PKCS#11 keys as the checkAlgorithm() method assumes the key instance is a software key and not an unextractable key in an HSM.
When providing a private key instance from SunPKCS11 such as a P11PrivateKey the following exception is thrown:
This patch suggests changing from checking the key type using instanceof, as one cannot know which instances will be provided and which key type they correspond to, to instead using the Key.getAlgorithm() method. https://docs.oracle.com/javase/9/docs/api/java/security/Key.html#getAlgorithm--
This way signing also works with PKCS#11.
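
The difference between the two checks described above, as an added example that is not the project's code or part of this patch: `OpaqueTokenKey` is a constructed stand-in for an unextractable HSM key, and the class and method names are hypothetical. The DNSSEC algorithm numbers 8 and 13 are taken from RFC 5702 and RFC 6605.

```java
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;

public class AlgorithmCheckDemo {
    static final int RSASHA256 = 8;         // DNSSEC algorithm number, RFC 5702
    static final int ECDSAP256SHA256 = 13;  // DNSSEC algorithm number, RFC 6605

    // Constructed stand-in for a token-resident key: it implements only
    // PrivateKey and exposes no encoding, so no key material can be read.
    static final class OpaqueTokenKey implements PrivateKey {
        private final String algorithm;
        OpaqueTokenKey(String algorithm) { this.algorithm = algorithm; }
        @Override public String getAlgorithm() { return algorithm; }
        @Override public String getFormat() { return null; }
        @Override public byte[] getEncoded() { return null; }
    }

    // Type-based check: passes only if the key class implements the
    // software key interface for the requested algorithm.
    static boolean acceptsByInstance(PrivateKey key, int dnssecAlg) {
        switch (dnssecAlg) {
            case RSASHA256: return key instanceof RSAPrivateKey;
            case ECDSAP256SHA256: return key instanceof ECPrivateKey;
            default: return false;
        }
    }

    // Name-based check: asks the key which algorithm it belongs to.
    static boolean acceptsByAlgorithmName(PrivateKey key, int dnssecAlg) {
        String name = key.getAlgorithm();
        switch (dnssecAlg) {
            case RSASHA256: return "RSA".equalsIgnoreCase(name);
            case ECDSAP256SHA256: return "EC".equalsIgnoreCase(name);
            default: return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey software = gen.generateKeyPair().getPrivate();
        PrivateKey token = new OpaqueTokenKey("RSA");
        System.out.println("software key, instanceof:     " + acceptsByInstance(software, RSASHA256));
        System.out.println("token key,    instanceof:     " + acceptsByInstance(token, RSASHA256));
        System.out.println("token key,    getAlgorithm(): " + acceptsByAlgorithmName(token, RSASHA256));
        System.out.println("token RSA key vs ECDSA alg:   " + acceptsByAlgorithmName(token, ECDSAP256SHA256));
    }
}
```

The name returned by `getAlgorithm()` is reported by the provider, so this is a consistency check between the key and the requested DNSSEC algorithm; the signing operation on the token remains the point where an unusable key is actually rejected.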