How to sign a digest generated by signtool /dg #199

liammacisaac · 2024-02-08T16:12:45Z

liammacisaac
Feb 8, 2024

I have a question that is similar to #171 and #176.

I have a REST API that provides a centralised code signing service. I'd like to migrate the server side to JSign rather than signtool to avoid HSM PIN entry. At present, the API can do two things:

Accept an uploaded executable file, sign it and send the signed file in the response. This is easily achieved with JSign.
Accept a digest generated with signtool /dg (generated on client side), sign the digest using signtool /ds (server side) and then use signtool /di on the client side to ingest the signed digest into the executable.

Is there a way that I can use JSign to achieve the signtool /ds (sign digest) task, specifically with a YubiKey? I'm happy enough to write the Java code myself, but it's not obvious which interface I need to hook into to achieve this.

Answered by ebourg

Feb 8, 2024

Implementing .dig signing shouldn't be difficult, you just have to implement the Signable interface and add a SignableProvider for .dig files. That's a bit a degenerated case because the file doesn't really contain the signature, and the signature isn't a full PKCS7 message, but that could work.

If your REST API is in Java you can also use the Jsign API instead of the command line tool. You can use the JCA provider with the standard Java crypto classes like this:

Provider provider = new JsignJcaProvider();
KeyStore keystore = KeyStore.getInstance(YUBIKEY.name(), provider);
keystore.load(null, accessToken);

PrivateKey key = (PrivateKey) keystore.getKey(alias, null);

Signature signature = S…

View full answer

ebourg · 2024-02-08T17:16:10Z

ebourg
Feb 8, 2024
Maintainer

Implementing .dig signing shouldn't be difficult, you just have to implement the Signable interface and add a SignableProvider for .dig files. That's a bit a degenerated case because the file doesn't really contain the signature, and the signature isn't a full PKCS7 message, but that could work.

If your REST API is in Java you can also use the Jsign API instead of the command line tool. You can use the JCA provider with the standard Java crypto classes like this:

Provider provider = new JsignJcaProvider();
KeyStore keystore = KeyStore.getInstance(YUBIKEY.name(), provider);
keystore.load(null, accessToken);

PrivateKey key = (PrivateKey) keystore.getKey(alias, null);

Signature signature = Signature.getInstance("SHA256withRSA", provider);
signature.initSign(key);
signature.update(message.getBytes());
signature.sign();

That said, did you consider using Jsign on the client side. By implementing a SigningService Jsign could call directly your REST API.

1 reply

liammacisaac Feb 12, 2024
Author

That solution works perfectly. Thank you for the quick reply. I ultimately didn't create the SignableProvider for the digest files but instead used the Java API. We'll also take the suggestion of using JSign on the client side as well.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to sign a digest generated by signtool /dg #199

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

How to sign a digest generated by signtool /dg #199

liammacisaac Feb 8, 2024

Replies: 1 comment · 1 reply

ebourg Feb 8, 2024 Maintainer

liammacisaac Feb 12, 2024 Author

liammacisaac
Feb 8, 2024

Replies: 1 comment 1 reply

ebourg
Feb 8, 2024
Maintainer

liammacisaac Feb 12, 2024
Author