Plain Signing

The simplest format for a signature in SignServer is called a "plain signature". The plain signature is simply the output bytes from the chosen signature algorithm.

Supported signature algorithms include:

Key TypeSignature Algorithm
DSASHAxWithDSA
ECDSA

SHAxWithECDSA

NONEwithECDSA

RSA

SHAxWithRSA (RSASSA-PKCS1_v1.5)

SHAxWithRSAandMGF1 (RSASSA-PSS)

NONEwithRSA

Cryptographic hash functions can be SHA-1, SHA-256, SHA-384, and SHA-512 etc. For information on using the signature algorithms NONEwithRSA and NONEwithECDSA, refer to the SignServer documentation on Client-side Hashing, and RFC#3447.

As the plain signature does not contain any public key or certificate nor the original document, it is useful in situations where the receiver already has access to them in some other way. For instance, for firmware of embedded devices, it could be that a list of trusted certificates (or simply public keys) is already available in the device. Or it could be that the plain signature is just a part in a protocol which encodes certificates some other way in a custom format.

Adding a Plain Signer

  1. Access the SignServer Administration Web.
  2. On the Workers page, click Add and select From Template.
  3. Select plainsigner.properties and click Next.
  4. Click Apply.
  5. Select the worker name PlainSigner.
  6. Click the Configuration tab and make the appropriate adjustments for:

    • NAME: Specify a name.

    • CRYPTOTOKEN: If using SignServer Enterprise, this should match the name of the crypto token configured in the SignServer Enterprise (Software) section. If you are on an Appliance, this crypto token was created for you with the name HSMCryptoToken10.

  7. Generate a new key-pair for the signer, by clicking the Status Summary tab and then Renew Key.

  8. Choose a key algorithm, such as RSA and a key specification such as 2048 and click Generate.

  9. Create a Certificate Signing Request (CSR) for the new key-pair by clicking Generate CSR.

  10. Choose a signature algorithm like SHA256withRSA and fill in a subject DN (name) for the new certificate such as CN=Plain Signer Test,O=My Company, C=SE, and click Generate.

  11. Click Download and save the CSR file.
  12. Bring the CSR file to your Certification Authority to get the certificate and the CA certificates in return.

    Before installing certificates in a production system, check the signers authorization as the signer will be fully functional and ready to receive requests once the certificates are installed.

  13. Click Install certificates and browse for the certificate files. Start by providing the signer certificate and then follow with the issuing CA certificates in turn. Click Add to have the certificates listed in the chain.

  14. When all certificates have been added in the right order click Install.
  15. Once the certificates have been installed, the signer should be in state ACTIVE. If not, check the top of its Status Summary page for any errors.

Using the Plain Signer 

The files to be signed can be submitted using any of the available interfaces:

  • Web Form Upload: Upload file using the SignServer Signing and Validation web form in your web browser.
  • Scripting using cURL or wget: Use an HTTP client such as cURL or wget.
  • Client CLI: Use the SignServer Client Command Line Interface (CLI). 
  • Web Services: Integrate in a custom application using the SignServer Client Web Services (WS) interface (SOAP).

Web Form Upload

The web form for uploading is available on the SignServer web pages by clicking the Signing and Validation Demo link.

Use the Generic page allowing text input or file upload by specifying the worker name:

Web form upload

Scripting using cURL or wget

The following displays a cURL upload example. Replace http://localhost:8080/ with the address of your server or appliance:

cURL Upload Example

curl -F "workerName=PlainSigner1" -F "file=@firmware.bin" \
http://localhost:8080/signserver/process > firmware.sig

Showing the HTTP traffic between the browser and the server:

Showing the HTTP traffic between the browser and the server

Example of response with signature file:

Response with the signature file

Client CLI

To submit the Plain Signer via the Client CLI, run the following command:

SignClient Example

bin/signclient signdocument -workername PlainSigner1 -infile firmware.bin -outfile firmware.sig

The Client CLI can also run (as User) in batch mode where all input files in one directory are processed in a number of parallel requests and written to an output directory like the following:

SignClient Batch Example

bin/signclient signdocument -workername PlainSigner1 -indir ./input/ -removefromindir -outdir ./output/ -threads 10

Web Services (SOAP)

The SOAP-based Web Services can be used to send requests to SignServer.

The following displays a sample Java code using the ClientWS Web Services (SOAP) interface:

Sample Java code using the ClientWS web services (SOAP) interface

The following example displays the SOAP request and response (in the SoapUI):

Showing the SOAP request and response (in SoapUI)

Verifying a Plain Signature 

To verify a signature, use the OpenSSL dgst command. Note that the command expects the public key, thus it is first extracted from the certificate.

Run the following commands:

OpenSSL Signature Verification Example

openssl x509 -in plainsigner1.pem -noout -pubkey > plainsigner1-pubkey.pem 
openssl dgst -signature firmware.bin.sig -verify plainsigner1-pubkey.pem -sha1
    firmware.bin 
Verified OK

Replace -sha1 with the digest algorithm used as part of the signature process, for example -sha256.

Plain Signer Configuration Options 

The most relevant property to configure for the Plain Signer is:

Worker propertyDescription
SIGNATUREALGORITHMSpecifying the algorithm used to sign the data.
Example: "SHA256withRSA"

For all available properties, refer to the SignServer documentation on Plain Signer.