
SID-CRYPTO-01 — PKCS#11 HSM Key Protection

Owner: platform
Category: technical
CSF Function: protect
Group: Cryptography Controls

Description

Integrates a Hardware Security Module (HSM) via PKCS#11 to protect issuer keys. Supports ECDSA (P-256/P-384/P-521) and RSA signing without key export; keys never leave the HSM boundary. A multi-backend signer interface abstracts software keys, PKCS#11, and cloud KMS.

Components

Source References

Framework Requirements

EUDI Security Requirements: GEN-7.5-02, GEN-7.5-03, WIN-8.4.4-02

FitCEM Wallet Instance: FIT-CR-01

ISO 27001 Annex A: A.8.24

GDPR Checklist: Encrypt, pseudonymize, or anonymize

OWASP ASVS 4.0.3 Level 3: V1.6, V2.9, V2.10, V6.2, V6.4

STRIDE Threat Model: WF-I-2, WF-T-1, WF-R-1, WF-T-2, VC-S-1