diff --git a/docs/index.html b/docs/index.html index 41b47cdc..1a1c39ba 100644 --- a/docs/index.html +++ b/docs/index.html @@ -887,17 +887,20 @@

Signing with HashiCorp Vault

Signing with Keyfactor SignServer

-

SignServer is an on-premises open source signing service developed by Keyfactor. +

SignServer is an on-premises (or cloud) open source signing service developed by Keyfactor. SignServer supports various signing operations handled by signer workers. Jsign requires a Plain Signer -worker configured with the CLIENTSIDEHASHING or ALLOW_CLIENTSIDEHASHING_OVERRIDE properties -set to true, and the SIGNATUREALGORITHM property set to NONEwithRSA or -NONEwithECDSA.

+worker configured with the CLIENTSIDEHASHING property not set or set to false or +ALLOW_CLIENTSIDEHASHING_OVERRIDE property set to true, and the SIGNATUREALGORITHM property +set to a supported algorithm that ends in withRSA or withECDSA. +It is important that the hashing algorithm that is configured for the worker is consistent with the hashing +algorithm configured for Jsign, otherwise the signature verification will fail.

The authentication is performed by specifying the username/password or the TLS client certificate in the -storepass parameter. If the TLS client certificate is stored in a password protected keystore, the password -is specified in the keypass parameter. The keystore parameter references the URL of the -SignServer REST API. The alias parameter specifies the id or the name of the worker.

+storepass parameter if authentication is necessary. If the TLS client certificate is stored in +a password protected keystore, the password is specified in the keypass parameter. +The keystore parameter references the URL of the SignServer REST API. The alias parameter +specifies the id or the name of the worker.

Authenticating with a username and a password:

diff --git a/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java b/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java index 3f92aa29..3a1196c1 100644 --- a/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java +++ b/jsign-crypto/src/main/java/net/jsign/KeyStoreType.java @@ -561,14 +561,17 @@ Provider getProvider(KeyStoreBuilder params) { }, /** - * Keyfactor SignServer. This keystore requires a Plain Signer worker configured to allow client-side hashing (with - * the properties CLIENTSIDEHASHING or ALLOW_CLIENTSIDEHASHING_OVERRIDE set to true), and - * the SIGNATUREALGORITHM property set to NONEwithRSA or NONEwithECDSA. + * Keyfactor SignServer. This keystore requires a Plain Signer worker configured to allow server-side hashing (with + * the property CLIENTSIDEHASHING not set or set to false or + * ALLOW_CLIENTSIDEHASHING_OVERRIDE set to true), and the SIGNATUREALGORITHM + * property set to a supported algorithm that ends in withRSA or withECDSA. + * It is important that the hashing algorithm that is configured for the worker is consistent with the hashing + * algorithm configured for Jsign, otherwise the signature verification will fail. * *

The authentication is performed by specifying the username/password or the TLS client certificate in the - * storepass parameter. If the TLS client certificate is stored in a password protected keystore, the password is - * specified in the keypass parameter. The keystore parameter references the URL of the SignServer REST API. The - * alias parameter specifies the id or the name of the worker.

+ * storepass parameter if authentication is necessary. If the TLS client certificate is stored in a password + * protected keystore, the password is specified in the keypass parameter. The keystore parameter references + * the URL of the SignServer REST API. The alias parameter specifies the id or the name of the worker.

*/ SIGNSERVER(false, false) { @Override diff --git a/jsign-crypto/src/main/java/net/jsign/jca/SignServerSigningService.java b/jsign-crypto/src/main/java/net/jsign/jca/SignServerSigningService.java index fc39f87a..cd6797fa 100644 --- a/jsign-crypto/src/main/java/net/jsign/jca/SignServerSigningService.java +++ b/jsign-crypto/src/main/java/net/jsign/jca/SignServerSigningService.java @@ -94,7 +94,13 @@ public List aliases() throws KeyStoreException { public Certificate[] getCertificateChain(String alias) throws KeyStoreException { if (!certificates.containsKey(alias)) { try { - Map response = client.post("/rest/v1/workers/" + alias + "/process", "{\"data\":\"\"}"); + Map request = new HashMap<>(); + request.put("data", ""); + Map metadata = new HashMap<>(); + metadata.put("USING_CLIENTSUPPLIED_HASH", "false"); + request.put("metaData", metadata); + + Map response = client.post("/rest/v1/workers/" + alias + "/process", JsonWriter.format(request)); String encodedCertificate = response.get("signerCertificate").toString(); byte[] certificateBytes = Base64.getDecoder().decode(encodedCertificate); Certificate certificate = CertificateFactory.getInstance("X.509") @@ -120,15 +126,11 @@ public SigningServicePrivateKey getPrivateKey(String alias, char[] password) thr @Override public byte[] sign(SigningServicePrivateKey privateKey, String algorithm, byte[] data) throws GeneralSecurityException { - DigestAlgorithm digestAlgorithm = DigestAlgorithm.of(algorithm.substring(0, algorithm.toLowerCase().indexOf("with"))); - data = digestAlgorithm.getMessageDigest().digest(data); - Map request = new HashMap<>(); request.put("data", Base64.getEncoder().encodeToString(data)); request.put("encoding", "BASE64"); Map metadata = new HashMap<>(); - metadata.put("USING_CLIENTSUPPLIED_HASH", "true"); - metadata.put("CLIENTSIDE_HASHDIGESTALGORITHM", digestAlgorithm.id); + metadata.put("USING_CLIENTSUPPLIED_HASH", "false"); request.put("metaData", metadata); try {