Interoperability
The following provides an overview of SignServer's capabilities and support, with relevant links to documentation and external standards.
SignServer supports multiple application servers and standard, high-performance databases. For more information on SignServer requirements, see Prerequisites.
Algorithms
SignServer supports* the following algorithm types and key size/curves.
Algorithm | Key Size/curve |
---|---|
RSA | Keys up to and including 8192 bits. |
DSA** | Keys up to and including 1024 bits. |
ECDSA | ECDSA key algorithm with named curves. |
EdDSA | Pure EdDSA with Edwards25519 or Edwards448 |
Hash algorithms | Hash algorithms for signatures, SHA-1, SHA-2. |
NSA SUITE B | Compliant with NSA SUITE B algorithms and certificates. |
*See individual workers and crypto tokens for information about what they support. For more information, see Signers Algorithm Support.
**Use of DSA is deprecated since SignServer 6.2.
Signature Formats
Document Signing
SignServer can easily be adapted to customer-specific needs by using plug-ins and supports document signing formats such as the ones listed below.
Format | Documentation |
---|---|
PDF (ISO 32000) PDF document processing, including support for:
| PDF Signer |
PAdES (-B, -T, -LT, -LTA) (PDF Advanced Electronic Signatures) | ENTERPRISE |
XAdES (–B, -T, -LT, -LTA) (XML Advanced Electronic Signatures) | ENTERPRISE |
XAdES (XAdES-BES and XAdES-T) | XAdES Signer |
XML (XMLdSig) | XML Signer |
CMS/PKCS#7 Generic CMS (PKCS#7) signer signs any document or file with support for encapsulated content or detached signatures and client-side hashing. | CMS Signer |
CMS signing with support for time-stamping | ENTERPRISE |
Code Signing
SignServer supports code signing formats such as the following.
Format | Documentation |
---|---|
Plain signing | Plain Signer |
CMS signing | CMS Signer |
OpenPGP signing | OpenPGP Signer |
Java code signing including
| JArchive Signer |
CMS signing + time-stamping | ENTERPRISE |
OpenPGP signing with client-side hashing | ENTERPRISE |
Authenticode signing including:
| ENTERPRISE |
Microsoft APPX package signing (AppX) | ENTERPRISE |
Java code signing with client-side hashing | ENTERPRISE |
Android (APK) signing v1, v2 and v3 | ENTERPRISE |
Debian package signing (dpkg-sig) |
ePassport
SignServer is used both for MRTD signing and for ICAO CSCA Master list signing.
ePassport | Documentation |
---|---|
Document (MRTD SOD) signing with Logical Data Structure (LDS) version 1.7 and 1.8 support | MRTD SOD Signer |
Document (MRTD) signing | (Legacy) |
ICAO CSCA Master list signing | ENTERPRISE |
Additional algorithm support Subject to SoW/support agreement including for instance:
|
Time-stamping
SignServer can be used as the time stamp unit within a Time Stamp Authority (TSA) to generate digitally signed time stamps and includes monitoring of time synchronization, offering both RFC 3161 and MS Authenticode time-stamps.
Format | External References | Documentation |
---|---|---|
Basic Time-stamping | RFC 3161, RFC 5816 | Time Stamp Signer |
Professional Time-stamping including:
| ENTERPRISE |
Validation Service
Validators for signed documents, built-in support for XML validation, and XAdES (XAdES-BES and XAdES-T).
The SignServer Validation Service also allows you to make your own validator plug-in.
Third-party Hardware
Hardware Security Modules
SignServer supports Hardware Security Modules (HSMs) and has built-in support for various HSMs such as the ones listed below, and other HSMs with a good PKCS#11 library. SignServer additionally supports software-based keys for lower security requirements or development.
Vendor | Model |
---|---|
Generic PKCS#11 Provider | |
nChipher | nShield/netHSM |
SafeNet | Luna |
SafeNet | ProtectServer Gold |
SafeNet | ProtectServer Gold Emulator |
SoftHSM | SoftHSMv2 |
Utimaco | CryptoServer |
Microsoft Azure | Key Vault |
Fortanix | Data Security Manager (DSM) |
For HSM vendor specific installation and configuration information, refer to the EJBCA Documentation section Vendor Specific Information.
Integration Interfaces
SignServer provides multiple integration interfaces such as:
- Client HTTP Interface.
- Client Web Service (WS) interface and Admin WS Interface.
- Client CLI Interface (a.k.a. SignClient) and Administration CLI.