3

I needed to generate XML on server but sign it in client using clients private key. But , for the sake of bandwidth consumption & some security issue, we do not want to send the whole xml from server to client for signing. We only want to send the hash/digest of the XML to the client. The sequence of events will look like this:

  • server generates digest of XML and sends the digest to client
  • client signs the digest/hash with client`s private key and sends it to server
  • server merges the signed hash with the XML file to get the signed XML.

Previously , I have done similar decoupling for signing a pdf on server, using a client-side private key- I used itext library for that . But, finding it difficult for doing similar thing for XML signing using Oracles XML signing Library. The wellknown APIs available for signing xml does not seem to offer this function of signing an xml externally(decoupling the hash and signing part ) . So my question is, how can i externally sign a XML on server, using client`s privatekey ( sending only hash, instead of the full xml)?

Mahdi Matin
  • 53
  • 5

1 Answers1

0

You can build it yourself, but I suggest you use a library as you have done for PDFs (The XML signature is terribly complicated)

Check esig-dss and this sample SignXmlXadesBTest.java

 //SERVER SIDE.
 // Get the SignedInfo XML segment that need to be signed.
 ToBeSigned dataToSign = service.getDataToSign(toSignDocument, parameters);

//CLIENT SIDE
// This function obtains the signature value for signed information using the
// private key and specified algorithm
SignatureValue signatureValue = signingToken.sign(dataToSign, parameters.getDigestAlgorithm(), privateKey);

// SERVER SIDE
// We invoke the service to sign the document with the signature value obtained in
// the previous step.
DSSDocument signedDocument = service.signDocument(toSignDocument, parameters, signatureValue);

On the client side, signingToken.sign() simply signs the digest (byte array) prepared by the server with the private key. You don't have to use DSS if you don't use java because it is a simple cryptographic operation available in most programming languages

Also note that DSS can be used as a library or as a server with REST or SOAP interfaces

pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • Thank you so much. The links given in the comment is really really useful – Mahdi Matin Nov 03 '19 at 05:49
  • Hi guys, I'm trying to get the signature value in client side using c# but I get the following error validating the signature: SIG_CRYPTO_FAILURE BBB_CV_ISI_ANS: The signature is not intact! I'm using this piece of code in C# : RSA privateKeyRSA = x509Certificate.GetRSAPrivateKey(); byte[] signatureValue = privateKeyRSA.SignData(dataToSign, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); – jhuamanchumo Nov 22 '22 at 23:48