Cosign API: How to sign a document hash using SAPI?

Question

Cosign API documentation talks about signing a hash as an alternative to a stream buffer. How would I go about obtaining the hash and then signing it with SAPI?

Is signing the hash secure enough for a business application? Is it a common practice? I'm asking because sending a hash might be more efficient than sending a large document for signing.

From the answers I got I understand now that the client SAPI actually takes care of the hashing for me and only sends the hash to be signed. Although the SAPI web service is more generic (can be accessed from any platform), it does require either sending the whole document over the network or computing the hash before invoking the service.

Now, if I use the client SAPI, is it enough to deploy the DLL/assembly or do I also need to install the CoSign client?

Answer 1

Depending on the document type that you want to sign, computing the hash value might not be an easy task. Adobe PDF format, for example, supports embedding of digital signatures in the document itself, but in order to properly do that the hash value must be computed in a specific manner, according to Adobe PDF standard.

For document types that do not support digital signature standards, obtaining the hash for the whole file is easier and can be done using any external cryptographic library or tool.

The question is, why would you want to separate the hash computing process from the signing operation while SAPI (CoSign Signature API) takes care of computing the hash according to the standard, digitally signing it and embedding it back in to the document?

SAPI will always compute the hash of the file/document on the client machine and then will send that hash (and only the hash) to the CoSign server for signing (and yes- signing the hash indeed is a common practice). This also applies to documents that support embedded signatures (e.g. PDF, XML, DOCX, XLSX, etc.).

Having said that, if you still interested in signing a document hash only using SAPI, you can do it by calling the BufferSignEx function and insert the AR_SAPI_SIG_HASH_ONLY constant into the Flags parameter.

Answer 2

Re: Is signing the hash secure enough for a business application?

Yes, all standard digital signatures sign a hash value. Since a good hash, such as SHA-2, represents the content of the document and any changes to the document will change the SHA-2 value, the hash is signed, not the document.

Re: Is it a common practice?

Yes, this is the standard way to create standard digital signatures for PDF, Word, Excel, XML, and for anything else, too.

The SAPI Windows library handles the hashing issues for you. If you're using SAPI Web Services to sign PDF, Word, or Excel, you need to send the entire document to be signed or you'll need to handle the hashing on the client side. Computing the hash correctly is a significant task for most document types since the hash has to be computed in the standard way and must use just the right data objects from source file.

Everything needs to be exact since the Relying Party (the person who receives the digitally document) will be using different software than yours to verify the document. The output of your hashing sw needs to exactly match their hashing software. Otherwise the signature won't verify.