Hi,
I need to produce a small JSON object and its signature, which can be read, shared and verified using offline mobile devices and the public key . I am thinking on doing this using a QR code, which can fit 3KB, and can be read from offline devices. I did a proof of concept using plain openssl and it worked as expected, now we would like to use SignServer.
I tested the CMS detached signer, send my SHA256 hash and was able to received the p7s signature, but is too large for a QR code (46KB).
Next, I tried using the PlaingSigner with the NONwithRSA option, however the SHA256 hash I am sending is missing the required structure according to RFC#3447, as stated in the docs; I think is RSA PKCS1 Padding but I haven't found clean easy way to do it.
So, given that the p7s file is too big to fit in a QR code. I think my options are to either find a way to extract the signed object out of the p7s, or build the PKCS padding myself and hope that it would stay small enough to fit in a QR code.
Thank you for your thoughts and comments.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
SOLVED!!!!!
I managed to get the plain signer to work after much trial and error; it turns out that not the entire PKCS1 padding is needed, jut need to append the algorithm OID as per RFC 3447.
as an Example, if you have SHA256 data hash like:
06bd0df149ba6261bbf9439e4f0ecacc1fa51e562cdb0ea95b6ce9293707f4da
and the corresponding SHA256 OID according to RFC 3447 is:
3031300d060960864801650304020105000420
Then you need the concatenate both strings and turn it into binary before passing it to the PlainSigner, like this.
Thanks for sharing, that cone for sure be useful for some.
We have had some ideas for the future to maybe add a feature to SignClient where you could specify algorithm with a flag and it would take care of concatenating the right values. Or possibly this could also go into a feature in the worker itself and the algorithm could be passed as a Request Metadata parameter and this would be take care of by the worker. https://jira.primekey.se/browse/DSS-1498
Cheers,
Markus
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Hi,
I need to produce a small JSON object and its signature, which can be read, shared and verified using offline mobile devices and the public key . I am thinking on doing this using a QR code, which can fit 3KB, and can be read from offline devices. I did a proof of concept using plain openssl and it worked as expected, now we would like to use SignServer.
I tested the CMS detached signer, send my SHA256 hash and was able to received the p7s signature, but is too large for a QR code (46KB).
Next, I tried using the PlaingSigner with the NONwithRSA option, however the SHA256 hash I am sending is missing the required structure according to RFC#3447, as stated in the docs; I think is RSA PKCS1 Padding but I haven't found clean easy way to do it.
So, given that the p7s file is too big to fit in a QR code. I think my options are to either find a way to extract the signed object out of the p7s, or build the PKCS padding myself and hope that it would stay small enough to fit in a QR code.
Thank you for your thoughts and comments.
SOLVED!!!!!
I managed to get the plain signer to work after much trial and error; it turns out that not the entire PKCS1 padding is needed, jut need to append the algorithm OID as per RFC 3447.
as an Example, if you have SHA256 data hash like:
06bd0df149ba6261bbf9439e4f0ecacc1fa51e562cdb0ea95b6ce9293707f4da
and the corresponding SHA256 OID according to RFC 3447 is:
3031300d060960864801650304020105000420
Then you need the concatenate both strings and turn it into binary before passing it to the PlainSigner, like this.
echo "3031300d06096086480165030402010500042006bd0df149ba6261bbf9439e4f0ecacc1fa51e562cdb0ea95b6ce9293707f4da" | xxd -r -p > pre-computed-hash.bin
Hope this is helpful to others ...
Hi Eric,
Thanks for sharing, that cone for sure be useful for some.
We have had some ideas for the future to maybe add a feature to SignClient where you could specify algorithm with a flag and it would take care of concatenating the right values. Or possibly this could also go into a feature in the worker itself and the algorithm could be passed as a Request Metadata parameter and this would be take care of by the worker.
https://jira.primekey.se/browse/DSS-1498
Cheers,
Markus