The Plain signer has the fully qualified class name: org.signserver.module.cmssigner.PlainSigner

Overview

The Plain signer can sign arbitrary data and simply produces a signature in the format determined by the configured signature algorithm.

Available Properties

Property

Description

SIGNATUREALGORITHM

Property specifying the algorithm used to sign the data. Default value depends on the signing key: SHA256withDSA for DSA keys, SHA256withECDSA for ECDSA keys, Ed25519 or Ed448 for EdDSA keys, otherwise SHA256withRSA.

Client-Side Hashing:

For Client-Side Hashing, use one of the NONEwith... signature algorithm values and either use CLIENTSIDEHASHING=true or ALLOW_CLIENTSIDEHASHING_OVERRIDE=true, or alternatively make sure the input is encoded in the expected way for the chosen signature algorithm.

For NONEwithRSA (RSASSA-PKCS1-v1.5) specifically, ensure that the required properties are set. If these properties are not configured, the input should adhere to a DER encoded DigestInfo structure as outlined in RFC#3447, page 42, which provides examples. Alternatively, if the DigestInfo/ASN.1 structure is not desired, it can be omitted when invoking the signer. Note that this is the legacy way of configuring client-side hashing with the plain signer. As of SignServer 5.9, it is recommended to instead use one of the CLIENTSIDEHASHING and ALLOW_CLIENTSIDEHASHING_OVERRIDE properties, as the client then does not have to care of any special encoding.

The other NONEwith... signature algorithms are all supported by this signer provided that:

  • One of the CLIENTSIDEHASHING and ALLOW_CLIENTSIDEHASHING_OVERRIDE properties are set to true.
  • The client includes the request parameters.
  • The underlying crypto token supports the algorithm.

In this case, the input data should be the hash value without any special encoding.

Currently, the PKCS11CryptoToken relying on Java support for PKCS#11 does not support NONEwithRSAandMGF1 (RSASSA-PSS) while the P11NGCryptoToken supports this algorithm. For more information, see Algorithm Support and Algorithm Support

CLIENTSIDEHASHING

Property specifying if the request data should be considered to be a pre-computed (by the requesting client) hash. If this is set to true, ACCEPTED_HASH_DIGEST_ALGORITHMS must be defined. Default: false.

With this option set to true, the input to the signer should be the hash value and the request parameter CLIENTSIDE_HASHDIGESTALGORITHM must also be provided.

ALLOW_CLIENTSIDEHASHING_OVERRIDE

Property specifying if the request is allowed to override the behavior defined via CLIENTSIDEHASHING as to if the request data is to be considered the actual data to be signed or a pre-computed hash. Default: false.

With this option set to true, it is possible for the client to include the request parameters USING_CLIENTSUPPLIED_HASH=true and CLIENTSIDE_HASHDIGESTALGORITHM and only send in the hash value and make the signer take care of proper encoding of the signature.

ACCEPTED_HASH_DIGEST_ALGORITHMS

Comma-separated list of accepted hash digest algorithms. When a request is consisting of a pre-computed hash, the requested digest algorithm must be among the values specified in this property.

The property does not have a default value and must be specified if client-side hashing is set as the default, or if overriding via the request is allowed.

LOGREQUEST_DIGESTALGORITHM

Property specifying the algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.

DO_LOGREQUEST_DIGEST

Property specifying if the message digest of the requested document should be put in the log. Default: true.

Request Parameters

The following meta data parameters can be specified in a request

USING_CLIENTSUPPLIED_HASH

If this property is set and defined as true, treat the request data as a pre-computed hash. This requires the CLIENTSIDE_HASHDIGESTALGORITHM meta data property to be set and is only allowed if either the signer is configured by default to assume client-side hashing, or if overriding is allowed.

CLIENTSIDE_HASHDIGESTALGORITHM

The hash digest algorithm of the pre-computed hash.

Worker Log Fields

Field

Description

REQUEST_DIGEST

A message digest (hash) for the request document in hex encoding.

REQUEST_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_ENCODED

The response document (plain signature) in base64 encoding.