The Plain signer has the fully qualified class name: org.signserver.module.cmssigner.PlainSigner


The Plain signer can sign arbitrary data and simply produces a signature in the format determined by the configured signature algorithm.

Available Properties


Property specifying the algorithm used to sign the data. Default value depends on the signing key: SHA256withDSA for DSA keys, SHA256withECDSA for ECDSA keys, otherwise SHA256withRSA.

Algorithms NONEwithRSA and NONEwithECDSA are also supported and should be used when hash digest is supplied for signing not the data itself. When using NONEwithRSA algorithm, the input should be in a particular format, refer to RFC#3447 for details.

The algorithm NONEwithRSAandMGF1 (RSASSA-PSS) is supported by this signer when using specific request metadata properties (see Client-Side Hashing) but note that the configured crypto token also needs to support this algorithm. Currently, the PKCS11CryptoToken relaying in Java support for PKCS#11 does not while the JackNJI11CryptoToken supports this algorithm.

CLIENTSIDEHASHINGProperty specifying if the request data should be considered to be a pre-computed (by the requesting client) hash. If this is set to true, ACCEPTED_HASH_DIGEST_ALGORITHMS must be defined. Default: false.
ALLOW_CLIENTSIDEHASHING_OVERRIDEProperty specifying if the request is allowed to override the behavior defined via CLIENTSIDEHASHING as to if the request data is to be considered the actual data to be signed or a pre-computed hash. Default: false.

Comma-separated list of accepted hash digest algorithms. When a request is consisting of a pre-computed hash, the requested digest algorithm must be among the values specified in this property.

The property does not have a default value and must be specified if client-side hashing is set as the default, or if overriding via the request is allowed.


Property specifying the algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.

DO_LOGREQUEST_DIGESTProperty specifying if the message digest of the requested document should be put in the log. Default: true.

Request Parameters

The following meta data parameters can be specified in a request


If this property is set and defined as true, treat the request data as a pre-computed hash. This requires the CLIENTSIDE_HASHDIGEST_ALGORITHM meta data property to be set and is only allowed if either the signer is configured by default to assume client-side hashing, or if overriding is allowed.

CLIENTSIDE_HASHDIGESTALGORITHMThe hash digest algorithm of the pre-computed hash.

Worker Log Fields

REQUEST_DIGESTA message digest (hash) for the request document in hex encoding.
REQUEST_DIGEST_ALGORITHMThe name of the message digest (hash) algorithm used for the request digest in the log.
RESPONSE_ENCODEDThe response document (plain signature) in base64 encoding.