Is there any way to make XAdES signature using Google Cloud KMS? I cannot find any info about it.
Here are the supported keys and algorithms: https://cloud.google.com/kms/docs/algorithms – sethvargo May 07 '20 at 17:32
1 Answer
Wow, XAdES is a maze of twisty standards documents, it's tough to find what is supported. From what I can tell, XMLDSIG originally supported DSA and RSA-SHA1 which are now pretty dated and neither is supported by Cloud KMS's algorithms.
In 2013, XML Signature Syntax and Processing Version 1.1 specified some more algorithms, including an RSA algorithm with SHA-256, which should be compatible with Cloud KMS's RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256 and RSA_SIGN_PKCS1_4096_SHA256, and I believe its ECDSAwithSHA384 should be compatible with Cloud KMS's EC_SIGN_P384_SHA384.
There may have been further developments since then with other supported algorithms. I suspect that particular XAdES implementations or interoperability groups may only support a selection of algorithms, so you may need to check with those for interoperable algorithms.
All that said, Cloud KMS does not provide the tooling to encode the documents for signing nor to encode the signatures in a way compatible with XAdES, so while I believe that, if you had algorithmic compatibility, you could implement signing with keys stored in Cloud KMS, it would take a chunk of work to do the various format conversions.
Thanks for using GCP and Cloud KMS. If you have more info on what you wish it could do, I'd be happy to get the request.
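As an added illustration of the "format conversions" the answer above refers to (this is example code, not part of the answer and not Cloud KMS's own tooling): the Cloud KMS AsymmetricSign call signs a digest and returns raw bytes, which for an RSA PKCS#1 key can be base64-encoded straight into `<ds:SignatureValue>`, but for an EC key the signature comes back as an ASN.1 DER `ECDSA-Sig-Value`, while XMLDSIG expects the fixed-length `r||s` concatenation. The block below maps the Cloud KMS algorithm names the answer lists to their XMLDSIG `SignatureMethod` URIs, does the DER-to-`r||s` conversion, and assembles the `SignatureValue` text. Assumptions: the caller has already canonicalized `<ds:SignedInfo>` (C14N is not shown), and the KMS call is passed in as a callback so the code runs offline; `fake_kms_sign`, `R_INT` and `S_INT` are constructed stand-ins that perform no real cryptography. In production the callback would wrap `KeyManagementServiceClient.asymmetric_sign` from google-cloud-kms.

```python
"""
Added example (not from the original answer and not Cloud KMS code): the
format conversions between a Cloud KMS AsymmetricSign result and an
XMLDSIG/XAdES <ds:SignatureValue>.  Assumes <ds:SignedInfo> has already
been canonicalized by the caller; the KMS call is a callback so that the
module runs offline.  fake_kms_sign is a constructed stand-in.
"""
import base64
import hashlib
from typing import Callable

# Cloud KMS algorithm name -> (XMLDSIG SignatureMethod URI, digest name,
# EC coordinate length in bytes, or None for RSA).  URIs per RFC 4051 /
# XML Signature 1.1.
XMLDSIG_ALGS = {
    "RSA_SIGN_PKCS1_2048_SHA256": ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "sha256", None),
    "RSA_SIGN_PKCS1_3072_SHA256": ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "sha256", None),
    "RSA_SIGN_PKCS1_4096_SHA256": ("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "sha256", None),
    "EC_SIGN_P384_SHA384": ("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384", "sha384", 48),
}


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER tag/length/value at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def der_ecdsa_to_raw(der: bytes, coord_len: int) -> bytes:
    """Convert a DER ECDSA-Sig-Value (SEQUENCE { INTEGER r, INTEGER s }, the
    encoding Cloud KMS returns for EC keys) into the fixed-length r||s octet
    string that XMLDSIG's ECDSA SignatureValue requires.  Rejects trailing
    bytes and out-of-range integers instead of silently truncating."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after ECDSA-Sig-Value")
    r_bytes, p = _read_tlv(body, 0, 0x02)
    s_bytes, p = _read_tlv(body, p, 0x02)
    if p != len(body):
        raise ValueError("trailing bytes inside ECDSA-Sig-Value")
    out = b""
    for part in (r_bytes, s_bytes):
        v = int.from_bytes(part, "big")  # drops the 0x00 sign byte DER adds
        if v <= 0 or v.bit_length() > coord_len * 8:
            raise ValueError("ECDSA integer out of range for the curve")
        out += v.to_bytes(coord_len, "big")  # left-pads short values
    return out


def is_valid_ecdsa_der(der: bytes, coord_len: int) -> bool:
    """True if der parses as a well-formed ECDSA-Sig-Value for this curve size."""
    try:
        der_ecdsa_to_raw(der, coord_len)
        return True
    except ValueError:
        return False


def signature_value(kms_algorithm: str, signed_info_c14n: bytes,
                    kms_sign: Callable[[str, bytes], bytes]) -> str:
    """Digest the canonicalized <ds:SignedInfo>, have KMS sign the digest
    (kms_sign(hash_name, digest) -> signature bytes), and return the base64
    text for <ds:SignatureValue>.  EC signatures are re-encoded as r||s."""
    _uri, hash_name, coord_len = XMLDSIG_ALGS[kms_algorithm]
    digest = hashlib.new(hash_name, signed_info_c14n).digest()
    sig = kms_sign(hash_name, digest)
    if coord_len is not None:
        sig = der_ecdsa_to_raw(sig, coord_len)
    return base64.b64encode(sig).decode("ascii")


# --- Constructed stand-in for the KMS call (no real cryptography) ---------
def _der_tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(v: int) -> bytes:
    # (bit_length + 8) // 8 yields a leading 0x00 when the top bit is set.
    return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


R_INT = (1 << 383) | 0x1234  # constructed: top bit set, so DER adds 0x00 pad
S_INT = 0x5678               # constructed: short, so r||s must left-pad it


def fake_kms_sign(hash_name: str, digest: bytes) -> bytes:
    """Stand-in for Cloud KMS AsymmetricSign: returns a constructed DER
    ECDSA-Sig-Value for SHA-384 and opaque bytes otherwise."""
    if hash_name == "sha384":
        return _der_tlv(0x30, _der_int(R_INT) + _der_int(S_INT))
    return hashlib.sha256(b"not-a-real-rsa-signature" + digest).digest()


if __name__ == "__main__":
    print(signature_value("EC_SIGN_P384_SHA384", b"<ds:SignedInfo/>", fake_kms_sign))
```

The check worth keeping from this is the strict DER parser: an XAdES verifier will reject a `SignatureValue` that still carries the ASN.1 framing, and a lenient converter that ignores trailing bytes or a negative-looking integer can hide a corrupted or swapped signature.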