3

I need to install a XAdES library in a web application; this webapp will produce XAdES documents using remote-sign certificates.

The private keys of these certificates are placed on a remote HSM device, so if I have to sign (I mean produce an RSA of a digest) I need to pass the hash to the remote device; this will produce the RSA and will give it to the webapp, which with xades4j will create the XAdES structure.

Can you tell me if xades4j can already do this, and if not, how can I implement a sort of signatureProvider for xades4j that delegates the production of the RSA to a remote device?

Thanks

Michele Bortolato
  • You mean that the signature is calculated on client-side and the hash and the final XML are created server-side? If so, xades4j doesn't support this, since digest and signature are created in a "single" operation, using the Apache Santuario API. – lgoncalves Feb 01 '15 at 20:39
  • I mean that I need to delegate the RSA signature to a remote webapp; the digest is done by xmlsec – Michele Bortolato Feb 02 '15 at 07:47
  • I'm not sure if I understood, but it seems xades4j doesn't support this. Digest calculation is part of the signature production. – lgoncalves Feb 02 '15 at 22:04
  • The digest is still produced by xmlsec/xades4j, but I need to RSA-sign it externally. I can intercept, for example, the method sign in SignerBES, make the RSA signature with a fake RSA private key, and then pass the digest to sign to the remote signature procedure; it will return me the right RSA signature and I will put it into the fake content of SignatureValue. Is this procedure possible in your opinion? Thanks – Michele Bortolato Feb 02 '15 at 22:20
  • If that signature generation is made "asynchronously" from the rest of the process, only some hack like the one you described would eventually work. But nothing clean to integrate.. – lgoncalves Feb 07 '15 at 02:09

1 Answer

0

Old-but-gold question: I'm stuck at the same point too, but... I found a different (maybe cleaner) way to get the result, so that's my suggestion:

  1. Implement a Provider (https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#Provider) with its own "SHA256WithRSA" algorithm implementation, that delegates the signature production to something out of the application
  2. Pass this Provider to the sign() method

I don't know if this can work, but it seems like a nicer try...
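
A sketch of the Provider approach from the answer above, added here as an illustration; it is not code from the original post or from xades4j. `RemoteSigner`, `RemoteKey` and `RemoteSignProvider` are hypothetical names, and the remote service is assumed to apply PKCS#1 v1.5 padding and the RSA operation to the SHA-256 digest it receives. How the provider and key are handed to xades4j is not shown.

```java
import java.security.*;

// Hypothetical client for the remote HSM service (not a JCA or xades4j type).
// Assumption: the service pads the SHA-256 digest (PKCS#1 v1.5) and RSA-signs it.
interface RemoteSigner {
    byte[] signDigest(String keyId, byte[] sha256Digest) throws Exception;
}

// Key handle: names the HSM key and carries the client, never key material.
final class RemoteKey implements PrivateKey {
    final String keyId;
    final transient RemoteSigner signer;
    RemoteKey(String keyId, RemoteSigner signer) { this.keyId = keyId; this.signer = signer; }
    public String getAlgorithm() { return "RSA"; }
    public String getFormat() { return null; }    // not exportable
    public byte[] getEncoded() { return null; }
}

public final class RemoteSignProvider extends Provider {
    public RemoteSignProvider() {
        super("RemoteSign", 1.0, "SHA256withRSA delegated to a remote signer");
        put("Signature.SHA256withRSA", Spi.class.getName());
    }

    public static final class Spi extends SignatureSpi {
        private MessageDigest md;
        private RemoteKey key;

        protected void engineInitSign(PrivateKey k) throws InvalidKeyException {
            if (!(k instanceof RemoteKey)) throw new InvalidKeyException("RemoteKey required");
            try { md = MessageDigest.getInstance("SHA-256"); }
            catch (NoSuchAlgorithmException e) { throw new InvalidKeyException(e); }
            key = (RemoteKey) k;
        }
        // The digest is computed locally; only the 32-byte hash leaves the webapp.
        protected void engineUpdate(byte b) { md.update(b); }
        protected void engineUpdate(byte[] b, int off, int len) { md.update(b, off, len); }
        protected byte[] engineSign() throws SignatureException {
            try { return key.signer.signDigest(key.keyId, md.digest()); }
            catch (Exception e) { throw new SignatureException("remote signing failed", e); }
        }
        // Sign-only provider: verification and parameters are not supported.
        protected void engineInitVerify(PublicKey k) throws InvalidKeyException { throw new InvalidKeyException("sign-only"); }
        protected boolean engineVerify(byte[] sig) throws SignatureException { throw new SignatureException("sign-only"); }
        protected void engineSetParameter(String p, Object v) { throw new InvalidParameterException("unsupported"); }
        protected Object engineGetParameter(String p) { throw new InvalidParameterException("unsupported"); }
    }
}
```

With plain JCA this is used as `Signature.getInstance("SHA256withRSA", new RemoteSignProvider())` followed by `initSign(new RemoteKey(...))`; the returned bytes should be verified against the certificate's public key before the SignatureValue is accepted.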