roblabla · Copilot · May 12, 2026
diff --git a/src/OpenVsixSignTool/Program.cs b/src/OpenVsixSignTool/Program.cs
@@ -28,6 +28,7 @@ internal static int Main(string[] args)
                     var pkcs11Module = signConfiguration.Option("--pkcs11-module", "Path to the PKCS11 module to use.", CommandOptionType.SingleValue);
                     var pkcs11Cert = signConfiguration.Option("--pkcs11-cert", "Name of the PKCS11 object representing the certificate to use.", CommandOptionType.SingleValue);
                     var pkcs11Key = signConfiguration.Option("--pkcs11-key", "Name of the PKCS11 object representing the private key to use.", CommandOptionType.SingleValue);
+                    var pkcs11Token = signConfiguration.Option("--pkcs11-token", "The label of the PKCS11 token to use.", CommandOptionType.SingleValue);
 
                     signConfiguration.OnExecute(() =>
                     {
@@ -38,7 +39,7 @@ internal static int Main(string[] args)
                         }
                         else if (pkcs11Module.HasValue() || pkcs11Cert.HasValue() || pkcs11Key.HasValue())
                         {
-                            return sign.SignPkcs11(pkcs11Module, pkcs11Cert, pkcs11Key, timestamp, timestampAlgorithm, fileDigest, force, file);
+                            return sign.SignPkcs11(pkcs11Module, pkcs11Cert, pkcs11Key, pkcs11Token, timestamp, timestampAlgorithm, fileDigest, force, file);
                         }
                         else
                         {

diff --git a/src/OpenVsixSignTool/SignCommand.cs b/src/OpenVsixSignTool/SignCommand.cs
@@ -122,6 +122,7 @@ internal Task<int> SignPkcs11
             CommandOption pkcs11Module,
             CommandOption pkcs11Cert,
             CommandOption pkcs11Key,
+            CommandOption pkcs11Token,
             CommandOption timestampUrl,
             CommandOption timestampAlgorithm,
             CommandOption fileDigest,
@@ -179,14 +180,15 @@ internal Task<int> SignPkcs11
                 timestampDigestAlgorithm = timestampDigestResult.Value;
             }
 
-            RSAOpenSsl key = GetSigningKeyFromPkcs11(pkcs11Module.Value(), pkcs11Key.Value());
+            var tokenLabel = pkcs11Token.HasValue() ? pkcs11Token.Value() : null;
+            RSAOpenSsl key = GetSigningKeyFromPkcs11(pkcs11Module.Value(), pkcs11Key.Value(), tokenLabel);
             if (key == null)
             {
                 _signCommandApplication.Out.WriteLine("Unable to locate key on token.");
                 return Task.FromResult(EXIT_CODES.FAILED);
             }
 
-            X509Certificate2 certificate = GetCertificateFromPkcs11(pkcs11Cert.Value());
+            X509Certificate2 certificate = GetCertificateFromPkcs11(pkcs11Cert.Value(), tokenLabel);
             if (certificate == null)
             {
                 _signCommandApplication.Out.WriteLine("Unable to locate certificate on token.");
@@ -432,7 +434,7 @@ private struct Parms
             public IntPtr cert; // X509*
         }
 
-        private X509Certificate2 GetCertificateFromPkcs11(string certName)
+        private X509Certificate2 GetCertificateFromPkcs11(string certName, string tokenLabel)
         {
             IntPtr engine = ENGINE_by_id("pkcs11");
             X509Certificate2 cert = null;
@@ -441,6 +443,11 @@ private X509Certificate2 GetCertificateFromPkcs11(string certName)
             {
                 if (ENGINE_init(engine) != 0)
                 {
+                    if (tokenLabel != null)
+                    {
+                        ENGINE_ctrl_cmd_string(engine, "TOKEN_LABEL", tokenLabel, 0);
+                    }
+
                     Parms parms = new Parms { id = certName, cert = (IntPtr)0 };
 
                     if (ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ref parms, (IntPtr)0, 1) != 0) {
@@ -462,7 +469,7 @@ private X509Certificate2 GetCertificateFromPkcs11(string certName)
             return cert;
         }
 
-        private RSAOpenSsl GetSigningKeyFromPkcs11(string module, string keyName)
+        private RSAOpenSsl GetSigningKeyFromPkcs11(string module, string keyName, string tokenLabel)
         {
             RSAOpenSsl key = null;
 
@@ -479,6 +486,11 @@ private RSAOpenSsl GetSigningKeyFromPkcs11(string module, string keyName)
                 {
                     ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", module, 0);
 
+                    if (tokenLabel != null)
+                    {
+                        ENGINE_ctrl_cmd_string(engine, "TOKEN_LABEL", tokenLabel, 0);
+                    }
+
                     key = new RSAOpenSsl(SafeEvpPKeyHandle.OpenPrivateKeyFromEngine("pkcs11", keyName));
 
                     ENGINE_finish(engine);