Extended CMS Signer
ENTERPRISE
The signer has the fully qualified class name: org.signserver.module.extendedcmssigner.ExtendedCMSSigner.
Overview
The extended CMS signer, in addition to all the features provided by the regular CMS signer, has support for timestamping and additional features.
The extended CMS signer also supports CMS re-signing, enabling signing software and firmware using multiple algorithms. It is possible to produce two signatures using different signing algorithms by signing data with one algorithm and using the output of the first signing operation as input in a second signing operation targeting an extended CMS signer configured for re-signing with a different algorithm. CMS re-signing can be used for crypto agile CMS signing in general and for transitioning from traditional to post-quantum algorithms.
To download a sample configuration file for this worker, see Sample Worker Configurations.
For information on the interfaces this worker can be called through, see Supported Interfaces by Worker.
Available Properties
Property | Default | Description |
|---|---|---|
EXCLUDE_NULL_PARAMETERS_FROM_MESSAGE_DIGEST | False | (Optional) Enable if the message digest parameters should be encoded as <ABSENT> instead of NULL when performing client-side hashing. By default, the parameters are encoded as NULL. |
EXCLUDE_SIGNED_ATTRIBUTES | Unset (no attributes skipped) | (Optional) Comma-separated list of OIDs of signed attributes that should be excluded in the signature. |
INCLUDECMSALGORITHMPROTECTATTRIBUTE | True | (Optional) Specifies if the cmsAlgorithmProtect (RFC#6211) signed attribute should be included in the response. Setting this to false is equivalent to adding the corresponding OID (1.2.840.113549.1.9.52) in |
INCLUDESIGNINGTIMEATTRIBUTE | True | (Optional) Specifies if the signingTime signed CMS attribute should be included in the response. Setting this to false is equivalent to adding the corresponding OID (1.2.840.113549.1.9.5) in |
SIGNING_MODE | New | (Optional) Mode to use when signing. For more information, see Signing Mode. |
TSA_DIGESTALGORITHM | SHA-256 | (Optional) Algorithm for timestamp digests. |
TSA_PASSWORD | None | Login password used if the TSA uses HTTP Basic Auth. Required if |
TSA_URL | None | (Optional) URL of external timestamp authority. This property cannot be combined with TSA_WORKER. |
TSA_USERNAME | None | (Optional) Login username used if the TSA uses HTTP Basic Auth. |
TSA_WORKER | None | (Optional) Worker ID or name of internal timestamp signer in the same SignServer. This property cannot be combined with TSA_URL. |
USE_LEGACY_RSA_ENCRYPTION_OID | False | (Optional) Enable if the signature algorithm should specify the legacy rsaEncryption OID (1.2.840.113549.1.1) instead of a signature algorithm also specifying a digest algorithm, such as sha256WithRSA (1.2.840.113549.1.11) |
Signing Mode
CMS re-signing enables signing software and firmware using multiple algorithms. Using the signing mode Append, it is possible to produce two signatures using different signing algorithms by signing data with one algorithm and using the output of the first signing operation as input in a second signing operation targeting an extended CMS signer configured for re-signing with a different algorithm. CMS re-signing can be used for crypto agile CMS signing in general and for transitioning from traditional to post-quantum algorithms.
The following signing modes are available:
NEW: A new CMS signature is calculated based on the digest of the input data. This is the default.
APPEND: An additional signature is calculated based on the existing message digest in input data, which must be an existing CMS structure.