
OpenPGPPlain Signer

The OpenPGPPlain signer has the fully qualified class name: org.signserver.module.openpgp.enterprise.signer.OpenPGPPlainSigner

Overview

The OpenPGPPlain signer signs arbitrary pre-hashed data: it expects the client to supply a hash digest, not the document itself, and produces a plain (raw) signature using a NONEwithX signature algorithm (NONEwithRSA or NONEwithECDSA). The signer performs no hashing of its own.

The signature algorithm is chosen from the signing key: NONEwithECDSA for ECDSA keys, and NONEwithRSA otherwise. With an RSA key the supplied input must already be in the format the RSA signature scheme expects, that is, for RSASSA-PKCS1-v1_5, a DER-encoded DigestInfo structure (hash algorithm identifier plus digest) rather than the bare digest; refer to RFC 3447 for details.

Note that this signer uses OpenPGP keys rather than X.509 certificates, so there is no signer certificate to install; the OpenPGP public key can instead be obtained from the worker status output. Additionally, the generate CSR functionality allows adding a user ID to the public key and storing the new public key in the PGPPUBLICKEY worker property.
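The following is an added example, not SignServer code, showing the client side of the RSA case described above: it builds the DER-encoded DigestInfo that must be submitted to the signer, and then verifies the returned plain signature as an ordinary SHA256withRSA signature. It uses only the Python standard library; a throwaway RSA key generated locally stands in for the worker's key, and the only assumption made about the signer is that NONEwithRSA applies PKCS#1 v1.5 type-1 padding to whatever bytes it is given before the raw RSA operation.

```python
"""Client-side DigestInfo construction and plain-signature verification (added example)."""
import hashlib
import secrets

# DER OID bodies for the hash algorithms listed in RFC 3447, section 9.2 (note 1).
HASH_OIDS = {
    "sha1":   bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
    "sha384": bytes.fromhex("608648016503040202"),
    "sha512": bytes.fromhex("608648016503040203"),
}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite-length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def digest_info(alg: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING digest }."""
    if len(digest) != hashlib.new(alg).digest_size:
        raise ValueError(f"{alg} digest must be {hashlib.new(alg).digest_size} bytes")
    alg_id = _der(0x30, _der(0x06, HASH_OIDS[alg]) + b"\x05\x00")  # OID + NULL params
    return _der(0x30, alg_id + _der(0x04, digest))


def make_request(alg: str, document: bytes) -> bytes:
    """What the client submits to the signer: DigestInfo over the document's hash."""
    return digest_info(alg, hashlib.new(alg, document).digest())


def emsa_pkcs1_v1_5(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 PS(0xff...) 0x00 T, exactly k bytes long."""
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


# --- toy RSA key pair standing in for the worker's key (assumption) ---------
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_rsa(bits: int = 1024):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign_none_with_rsa(priv, data: bytes) -> bytes:
    """Emulates NONEwithRSA: pad the caller-supplied bytes as-is, then raw RSA."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v1_5(data, k), "big"), d, n).to_bytes(k, "big")


def verify_plain_signature(pub, alg: str, document: bytes, sig: bytes) -> bool:
    """Check the returned plain signature as a standard <alg>withRSA signature."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v1_5(make_request(alg, document), k))


if __name__ == "__main__":
    pub, priv = generate_rsa(1024)
    doc = b"constructed sample document"           # constructed input, not real data
    sig = sign_none_with_rsa(priv, make_request("sha256", doc))
    print("valid:", verify_plain_signature(pub, "sha256", doc, sig))
    print("tampered:", verify_plain_signature(pub, "sha256", doc + b"!", sig))
```

The 19-byte prefix that digest_info produces for SHA-256 is the same constant RFC 3447 lists for that hash; if a client sends only the 32-byte digest instead, NONEwithRSA will still sign it, but the result will not verify as a SHA256withRSA signature anywhere else, which is the failure mode the format requirement above is guarding against.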

The key management operations are the same as for the generic OpenPGP Signer.

Available Properties

CERT_GEN_USE_LEGACY_RSA_SIGN (default: True)
(Optional) The OpenPGP public-key algorithm RSA_SIGN (algorithm ID 3) is deprecated and should be replaced by RSA_GENERAL (algorithm ID 1). For backward compatibility, this flag selects which of the two is used during PGP certificate generation (via the generate CSR functionality in SignServer).

If the flag is not explicitly set, the default is true, meaning the legacy RSA_SIGN is used.

In the openpgpsigner.properties file, however, the flag is set to false, so a worker created from that properties file uses RSA_GENERAL instead.

DO_LOGREQUEST_DIGEST (default: True)
Specifies whether the message digest of the request document should be put in the log.

GENERATE_REVOCATION_CERTIFICATE (default: False)
(Optional) Setting this property to true switches the behavior of the generate CSR functionality so that, instead of adding a user ID / certification, it generates an OpenPGP revocation certificate.

The intended use is to switch this to true only temporarily, generate the revocation certificate, and then switch it back to false.

The header of the generated block, -----BEGIN PGP PUBLIC KEY BLOCK-----, is prefixed with a colon to prevent the revocation certificate from being imported by accident. Before importing it, remove the colon so that the line contains only the text -----BEGIN PGP PUBLIC KEY BLOCK-----.

LOGREQUEST_DIGESTALGORITHM (default: SHA256)
Specifies the algorithm used to create the message digest (hash) of the request document that is put in the log.

PGPPUBLICKEY (default: empty)
(Optional) Property for storing the latest OpenPGP public key in ASCII-armored form after user IDs / certifications have been added to it.

Remember to store the updated public key in this property so that the current user IDs are kept when new ones are added later on.

SELFSIGNED_VALIDITY (default: empty)
(Optional) Specifies the number of seconds the key is valid for after its creation. The value is applied when a certification is added to the key; to extend the validity of an existing key, set a higher value and perform the certification again. An empty value or zero means that the key does not expire (default).

Worker Log Fields

REQUEST_DIGEST
A message digest (hash) of the request document, in hex encoding.

REQUEST_DIGEST_ALGORITHM
The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_ENCODED
The response document (the plain signature), in base64 encoding.
