CMS Signer
The CMS signer has the fully qualified class name: org.signserver.module.cmssigner.CMSSigner.
Overview
The CMS signer can sign arbitrary data and produces a CMS (RFC 3852) SignedData structure in binary format with or without the content encapsulated. Currently the signer certificate is always included.
Available Properties
| Property | Description |
|---|---|
| SIGNATUREALGORITHM | Property specifying the algorithm used to sign the data. Default: depending on the signing key: SHA256withDSA for DSA keys, SHA256withECDSA for ECDSA keys, Ed25519 or Ed448 or EdDSA keys, otherwise SHA256withRSA. |
| DETACHEDSIGNATURE | Property specifying if a detached signature ("external signature") should be used. Thus a signature where the content is not included/encapsulated. Default: false. |
| ALLOW_DETACHEDSIGNATURE_OVERRIDE | Property specifying if the requestor can request an other value for DETACHEDSIGNATURE than what is configured. Default: false. If set to true, a request could include a metadata property with an other value for DETACHEDSIGNATURE. |
| CLIENTSIDEHASHING | Property specifying if the request data should be considered to be a pre-computed (by the requesting client) hash. If this is set to to true, ACCEPTED_HASH_DIGEST_ALGORITHMS must be defined. Default: false. |
| ALLOW_CLIENTSIDEHASHING_OVERRIDE | Property specifying if the request is allowed to override the behavior defined via CLIENTSIDEHASHING as to if the request data is to be considered the actual data to be signed or a pre-computed hash. Default: false. |
| ACCEPTED_HASH_DIGEST_ALGORITHMS | Comma-separated list of accepted hash digest algorithms. When a request is consisting of a pre-computed hash, the requested digest algorithm must be among the values specified in this property. The property does not have a default value, and must be specified if client-side hashing is set as the default, or if overriding via the request is allowed. |
| DER_RE_ENCODE | Property specifying if the resulting data structure should be parsed and re-encoded using DER encoding. Default: false.
|
| CONTENTOID | Property specifying the content OID to use in the signedData object by default. If not specified, the default CMS data OID (1.2.840.113549.1.7.1) is used. |
| ALLOW_CONTENTOID_OVERRIDE | Property specifying if the content OID to use in the signedData object should be allowed to be overridden by request metadata (CONTENTOID request parameter). Default: false. |
| DIRECTSIGNATURE | Property specifying that the signature should be calculated directly over the content and not over signed attributes. Thus the signature would not contain any signed attributes if this property is set to true. Default: false.
|
| DO_LOGREQUEST_DIGEST | If a digest of the request should be computed and logged. Optional, default: false. |
| LOGREQUEST_DIGESTALGORITHM | Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256. |
| DO_LOGRESPONSE_DIGEST | If a digest of the response should be computed and logged. Optional, default: false. |
| LOGRESPONSE_DIGESTALGORITHM | Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256. |
This option is performed in memory and thus does not support large files. Request parameters
The following meta data parameters can be specified in a request
| Property | Description |
|---|---|
| USING_CLIENTSUPPLIED_HASH | If this property is set and defined as true, treat the request data as a pre-computed hash. This requires the CLIENTSIDE_HASHDIGESTALGORITHM meta data property to be set and is only allowed if either the signer is configured by default to assume client-side hashing, or if overriding is allowed. |
| CLIENTSIDE_HASHDIGESTALGORITHM | The hash digest algorithm of the pre-computed hash. |
| CONTENTOID | Specifies the content OID to use in the signedData structure. This is only allowed if the signer is configures to allow overriding content OID. |
Signing a pre-computed hash
For background and information on how to use this mode with CMS signatures, see Client Side Hashing.