Possibility to specify a SIGNATUREALGORITHM when invoking PlainSigner via REST interface
Is your feature request related to a problem or specific use case? Please describe.
It would be nice to be able to specify the signature algorithm the PlainSigner uses when being invoked via the REST interface. For example when using Jsign, you can specify which signature algorithm should be used. But when using server-side hashing, there is no way to specify which signature algorithm should be used.
Describe the solution you'd like
It would be nice if you could include in the REST request metadata the signature algorithm that should be used, or at least the hash algorithm, so that you for example can request SHA1withRSA or SHA256withRSA and the signer will use that if it is a workable algorithm. It might also be sufficient being able to specify the hash algorithm, so that you can just request SHA1 or SHA256 and the RSA part comes from the configuration of the worker or determined from the token capabilities.
Describe alternatives you've considered
Alternative considered was using client-side hashing, but for example with a Nitrokey HSM 2 we were not able to set this up properly, but got a Caused by: java.security.NoSuchAlgorithmException: No such algorithm: RSA/ECB/PKCS1Padding exception when trying to use NONEwithRSA for the worker.
Product deployment
Please complete the following information:
- Deployment format: container
- Version 6.3.0.Final
I guess this could possibly be implemented similarly to how other overridable properties are handled via request metadata (using the metadata map).
This should probably also be something that would be disabled by default, that would need to be explicitly enabled in the worker. And a way to restrict the possible allowed algorithms.
Probably one should be able to specify the whole signature algorithm in order to choose between for instance SHA256withRSA and SHA256withRSAandMGF1.
Sounds like it would make sense then to add ALLOW_PROPERTY_OVERRIDE (if we do not already have it for PlainSigner?) and make "SIGNATUREALGORITHM" one of the properties one can choose to allow to be overridden. Then the user could provide the value for that within the request metadata.
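The policy discussed in this thread (override disabled unless the worker enables it, an exact-match allowlist, and a check that the algorithm is workable for the key) could look like the following. This is an added example, not part of the thread and not SignServer code. It assumes ALLOW_PROPERTY_OVERRIDE holds a comma-separated list of property names; ALLOWED_SIGNATUREALGORITHMS, the class and the method names are hypothetical.

```java
import java.util.*;

// Added illustration, not SignServer code. ALLOWED_SIGNATUREALGORITHMS is a
// hypothetical property; the comma-separated form of ALLOW_PROPERTY_OVERRIDE is assumed.
public class SignatureAlgorithmOverride {

    /** Returns the algorithm to sign with, or throws if the request is not permitted. */
    static String resolve(Map<String, String> workerConfig,
                          Map<String, String> requestMetadata, String keyAlgorithm) {
        String requested = requestMetadata.get("SIGNATUREALGORITHM");
        if (requested == null) {
            return workerConfig.get("SIGNATUREALGORITHM"); // no override requested
        }
        // Off by default: the worker must list the property as overridable.
        if (!csv(workerConfig.get("ALLOW_PROPERTY_OVERRIDE")).contains("SIGNATUREALGORITHM")) {
            throw new IllegalArgumentException("Overriding SIGNATUREALGORITHM is not enabled");
        }
        // Exact-match allowlist; a missing or empty list permits nothing.
        String wanted = requested.trim();
        if (!csv(workerConfig.get("ALLOWED_SIGNATUREALGORITHMS")).contains(wanted)) {
            throw new IllegalArgumentException("Signature algorithm not allowed: " + wanted);
        }
        // Workable for this key: the part after "with" must start with the key type,
        // e.g. "RSAandMGF1" for an RSA key or "ECDSA" for an EC key.
        int i = wanted.indexOf("with");
        if (i < 0 || !wanted.substring(i + 4).startsWith(keyAlgorithm)) {
            throw new IllegalArgumentException(wanted + " does not fit a " + keyAlgorithm + " key");
        }
        return wanted;
    }

    static Set<String> csv(String value) {
        Set<String> out = new HashSet<>();
        for (String s : (value == null ? "" : value).split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> worker = Map.of(            // constructed sample worker config
                "SIGNATUREALGORITHM", "SHA256withRSA",
                "ALLOW_PROPERTY_OVERRIDE", "SIGNATUREALGORITHM",
                "ALLOWED_SIGNATUREALGORITHMS", "SHA256withRSA, SHA256withRSAandMGF1");
        for (String req : new String[] {"SHA256withRSAandMGF1", "SHA1withRSA"}) {
            try {
                System.out.println(resolve(worker, Map.of("SIGNATUREALGORITHM", req), "RSA"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejecting a disallowed request instead of silently falling back to the configured algorithm means a client that asks for a weaker hash such as SHA1withRSA gets an error, not a signature it did not ask for.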