3

Assuming all messages and their signatures are available to the attacker, is it secure to use the same RSA private key to sign many messages (roughly $10^{6}$) via PKCS#11 CKM_SHA256_RSA_PKCS using a reasonably long (i.e. 2048-bit) key?

For reference, CKM_SHA256_RSA_PKCS is described as follows:

The PKCS #1 v1.5 RSA signature with SHA-256 mechanism, denoted CKM_SHA256_RSA_PKCS, performs single- and multiple-part digital signatures and verification operations without message recovery. The operations performed are as described initially in PKCS #1 v1.5 with the object identifier sha256WithRSAEncryption, and as in the scheme RSASSA-PKCS1-v1_5 in the current version of PKCS #1, where the underlying hash function is SHA-256.

Mike Edward Moras
vlp

0 Answers
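The mechanism quoted in the question, RSASSA-PKCS1-v1_5 with SHA-256, sketched as an added example (not part of the original post and not a PKCS#11 implementation): it builds the EMSA-PKCS1-v1_5 encoding, signs with textbook RSA, and verifies by re-encoding and comparing. The pure-Python key generation and all function names are assumptions for illustration, and the private-key operation here is not constant-time.

```python
import hashlib, math, secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo, k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this encoding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test with random bases."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits: int = 2048, e: int = 65537):
    """Illustrative key generation (assumption; a token would do this itself)."""
    def prime(b):
        while True:  # top two bits set so p*q has exactly `bits` bits; odd
            c = secrets.randbits(b) | (3 << (b - 2)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)  # (n, e, d)

def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    # Re-encode and compare whole blocks instead of parsing the padding
    return len(sig) == k and s < n and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)
```

Because the padding is fixed, signing the same message twice with the same key yields the same signature bytes.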