Sign with a remote sign server

[fchristol]

Hi Luis,

I’m French, so I apologise in advance for the typos.

We are using your library, and we really like it. But we would need a little improvement : the possibility to sign the inner bytes with a remote sign server. In other words, we do not have the private key locally, so we need your library to pass the ‘bytes to sign’ to an object of us. That object would call our remote sign server to get the signature, and would return that signature to your library. An interface called SignatureProvider, similar to the one you did for the TimeStampTokenProvider would be great. This interface should indicate that the returned signature must be a PKCS1 signature that signs an ASN1 structure containing the AlgoOID and the hash of the bytes to sign. What Sha256WithRsa does for instance.

Please let me know if this is possible and if you need some more detailled specs.

Big thanks, Fred

[luisgoncalves]

Hi Fred,

Thanks for your interest in xades4j!

I didn't have time yet to fully think about this I understand the usecase, but from a first analysis I have some thoughts/concerns:

• xades4j builds on top of Apache Santuario and their API isn't designed to match what you describe. Implementing this would require not using the XMLSignature#sign method but instead mimic it considering the new "signature provivder".
• What would your KeyingDataProvider be in that scenario? Namely, what would getSigningKey return? I guess it would have to be either a dummy object or something that the new "signature provider" recognizes.
• Building on the previous item and considering that - IINM - Apache Santuario will use the PrivateKey's provider to get a Signature instance (e.g. Sha256WithRsa), wouldn't this scenario be better implemented by a custom JCE provider?

[fchristol]

Hi Luis,

Thank you for your answer. I have indeed already coded a custom JCA provider to perform the remote signature. But I wanted to know if you could provide a simplier solution. I understand that, as Xades4j is built on Apache Santuario, it's not possible. I will then use my custom provider.

You can reject my ticket. Again, thank you for maintening Xades4j.

Fred

Le lun. 14 juin 2021 à 16:33, Luís Gonçalves @.***> a écrit :

Hi Fred,

Thanks for your interest in xades4j!

I didn't have time yet to fully think about this I understand the usecase, but from a first analysis I have some thoughts/concerns:

• xades4j builds on top of Apache Santuario and their API isn't designed to match what you describe. Implementing this would require not using the XMLSignature#sign https://github.com/apache/santuario-xml-security-java/blob/master/src/main/java/org/apache/xml/security/signature/XMLSignature.java#L767 method but instead mimic it considering the new "signature provivder".
• What would your KeyingDataProvider be in that scenario? Namely, what would getSigningKey return? I guess it would have to be either a dummy object or something that the new "signature provider" recognizes.
• Building on the previous item and considering that - IINM - Apache Santuario will use the PrivateKey's provider to get a Signature instance (e.g. Sha256WithRsa), wouldn't this scenario be better implemented by a custom JCE provider?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/luisgoncalves/xades4j/issues/232#issuecomment-860733577, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEGAIL6GV6T4S7RDWXXAWSLTSYHKJANCNFSM46KX3RAA .

[luisgoncalves]

Ah, ok. The fact that both of us thought of the same solution also validates it somehow. Since other approaches aren't a good fit, lets leave it as is for now. If this scenario comes up again, I'll revisit the approach.