.png){kind=logo}
CMS Signer
The CMS signer has the fully qualified class name: org.signserver.module.cmssigner.CMSSigner.
Overview
The CMS signer can sign arbitrary data and produces a CMS (RFC 3852) SignedData structure in binary format with or without the content encapsulated. Currently the signer certificate is always included.
Available Properties
Property | Default | Description |
|---|---|---|
ACCEPTED_HASH_DIGEST_ALGORITHMS | None | Comma-separated list of accepted hash digest algorithms. When a request is consisting of a pre-computed hash, the requested digest algorithm must be among the values specified in this property. The property does not have a default value, and must be specified if client-side hashing is set as the default, or if overriding via the request is allowed. |
ALLOW_CLIENTSIDEHASHING_OVERRIDE | False | Property specifying if the request is allowed to override the behavior defined via |
ALLOW_CONTENTOID_OVERRIDE | False | Property specifying if the content OID to use in the signedData object should be allowed to be overridden by request metadata (CONTENTOID request parameter). |
ALLOW_DETACHEDSIGNATURE_OVERRIDE | False | Property specifying if the requestor can request an other value for |
CLIENTSIDEHASHING | False | Property specifying if the request data should be considered to be a pre-computed (by the requesting client) hash. If this is set to to true, |
CONTENTOID | CMS data OID (1.2.840.113549.1.7.1) | Property specifying the content OID to use in the signedData object by default. If not specified, the default CMS data OID (1.2.840.113549.1.7.1) is used. |
DER_RE_ENCODE | False | Property specifying if the resulting data structure should be parsed and re-encoded using DER encoding. This option is performed in memory and thus does not support large files. |
DETACHEDSIGNATURE | False | Property specifying if a detached signature ("external signature") should be used. The detached signature is a signature where the content is not included/encapsulated. |
DIRECTSIGNATURE | False | Property specifying that the signature should be calculated directly over the content and not over signed attributes. If the property is set to true, the signature will not contain any signed attributes. Setting this to true is not allowed when |
DO_LOGRESPONSE_DIGEST | False | (Optional) Specifies if a digest of the response should be computed and logged. |
DO_LOGREQUEST_DIGEST | False | (Optional) Specifies if a digest of the request should be computed and logged. |
LOGRESPONSE_DIGESTALGORITHM | SHA256 | Algorithm used to create the message digest (hash) of the response document to put in the log. |
LOGREQUEST_DIGESTALGORITHM | SHA256 | Algorithm used to create the message digest (hash) of the request document to put in the log. |
SIGNATUREALGORITHM | Depends on the signing key | Property specifying the algorithm used to sign the data. Depending on the signing key, the default is either:
|
Request Parameters
The following meta data parameters can be specified in a request:
Property | Description |
|---|---|
CONTENTOID | Specifies the content OID to use in the signedData structure. This is only allowed if the signer is configures to allow overriding content OID. |
CLIENTSIDE_HASHDIGESTALGORITHM | The hash digest algorithm of the pre-computed hash. |
USING_CLIENTSUPPLIED_HASH | If this property is set and defined as true, treat the request data as a pre-computed hash. This requires the |
Signing a Pre-computed Hash
For background and information on how to use this mode with CMS signatures, see Client Side Hashing.