Safelayer Secure Communications
 
 

Digital Signatures in Documents (OASIS DSS)

Electronic Signature Generation (PKCS#7/CMS, PDF, S/MIME, CAdES, XAdES and WS-Security)

This article explains how to generate electronic signatures using TrustedX.

Electronic signature generation

Generating an electronic signature consists in computing a digest (hash) of the data to be signed and then applying the signer's private key, the private component of an asymmetric key pair, to that digest with a signature algorithm. This is done in such a way that anyone holding the corresponding public component can later verify the signature against the data.

The signature can be placed in three ways relative to the data:

  1. Enveloped signatures, where the signature is embedded inside the signed data (e.g., in PDF documents).
  2. Enveloping signatures, where the signed data is embedded inside the signature structure itself (typical of XML documents).
  3. Detached signatures, where the signature and the data are stored in separate files.
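As an added example (not code from this page or from TrustedX), the following Go program shows the digest-then-private-key operation described above and the three signature placements just listed, using RSA-PSS over SHA-256 from Go's standard library. The software-generated key, the JSON containers and the sample invoice text are assumptions made for the demonstration; in a TrustedX deployment the private key would stay inside the HSM.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
)

// Signer wraps an RSA private key. In a TrustedX deployment the private key would
// stay inside an HSM; here it is generated in software only for the demonstration.
type Signer struct{ priv *rsa.PrivateKey }

func NewSigner(bits int) (*Signer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: k}, nil
}

func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign computes the SHA-256 digest of data and applies the private key with RSA-PSS.
// This is the "digest, then private-key operation" at the core of every format.
func (s *Signer) Sign(data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, digest[:], nil)
}

// Verify needs only the public key. Any change to data or sig makes it fail.
func Verify(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Detached: data and signature travel as two separate objects; Sign and Verify
// above already cover this case.

// Enveloping: the signature object carries the signed data inside it.
type Enveloping struct {
	Data      []byte `json:"data"`
	Signature []byte `json:"signature"`
}

func SignEnveloping(s *Signer, data []byte) (Enveloping, error) {
	sig, err := s.Sign(data)
	return Enveloping{Data: data, Signature: sig}, err
}

func VerifyEnveloping(pub *rsa.PublicKey, e Enveloping) bool {
	return Verify(pub, e.Data, e.Signature)
}

// Enveloped: the document carries its own signature. The digest must cover the document
// with the signature slot empty (the same idea as a PDF /ByteRange that skips /Contents).
type EnvelopedDoc struct {
	Body      string `json:"body"`
	Signature []byte `json:"signature,omitempty"`
}

// envelopedTBS returns the to-be-signed bytes: the document with the signature blanked.
// d is passed by value, so the caller's copy keeps its signature.
func envelopedTBS(d EnvelopedDoc) ([]byte, error) {
	d.Signature = nil
	return json.Marshal(d)
}

func SignEnveloped(s *Signer, d EnvelopedDoc) (EnvelopedDoc, error) {
	tbs, err := envelopedTBS(d)
	if err != nil {
		return d, err
	}
	d.Signature, err = s.Sign(tbs)
	return d, err
}

func VerifyEnveloped(pub *rsa.PublicKey, d EnvelopedDoc) bool {
	tbs, err := envelopedTBS(d)
	if err != nil || d.Signature == nil {
		return false
	}
	return Verify(pub, tbs, d.Signature)
}

func main() {
	s, err := NewSigner(2048)
	if err != nil {
		log.Fatal(err)
	}
	doc := EnvelopedDoc{Body: "invoice 2024-001, total 120.00"} // constructed sample document
	signed, err := SignEnveloped(s, doc)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("enveloped signature verifies:", VerifyEnveloped(s.Public(), signed))
	signed.Body = "invoice 2024-001, total 1200.00" // tamper with the signed body
	fmt.Println("tampered document verifies:", VerifyEnveloped(s.Public(), signed))
}
```

The enveloped case is the one that needs care: the signature slot must be blanked before hashing on both sides, otherwise the signer and the verifier digest different bytes. Verification uses only the public key, and every tampered variant (changed body, changed data, unsigned document) fails.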

The most widely used and recognized formats in the sector are:

  1. PKCS#7/CMS, CAdES, PDF signature, XML-DSig and XAdES for documents
  2. S/MIME for electronic messaging
  3. WS-Security for securing SOAP messages

The critical factors in electronic signature generation are the security and custody of the private key. The private key must always remain under the signer's exclusive control, since that is what guarantees the non-repudiation of the signature. Electronic signature systems must therefore manage a secure keystore that prevents the copying or unauthorized use of keys.

Electronic signatures can be produced on the user's own system (e.g. a PC or a telephone) or by automated business processes (e.g. electronic invoicing). In the former case the keys are usually stored in smart cards or SIM cards. In the latter, HSM devices are used, and they must be integrated with the corporate applications.

TrustedX is aimed particularly at the latter case. It lets applications integrate the management of all signature types and formats, handles large volumes of signatures, and provides a secure (HSM-backed) and easily audited environment for managing private keys.

Electronic signature generation using TrustedX

From the application's point of view, and just like the rest of the electronic signature functions, signature generation is implemented by consuming a TrustedX service. The application sends TrustedX either the document or the document's hash, together with the desired signature format, and TrustedX generates the signature.

One of the advantages of TrustedX is that it provides a secure and easily audited environment in which the applications' private keys are held in custody. All key management tasks (certificate requests, revocation and key renewal) are automated and transparent to the applications.

Delegating signature policy management to TrustedX centralizes the definition of the signature parameters: algorithms, signer roles, signature commitments, signature production place and time-stamp inclusion.

Like the rest of the TrustedX services, the electronic signature service can be used as a SOAP web service, as a REST web service, or through the TrustedX Java API. To learn about the different TrustedX integration architectures, consult the howto “TrustedX Integration Architectures”.

Below is an example of an XML signature request using the OASIS DSS standard. The documents to be signed are included in the <dss:SignRequest> element, and the key to be used, for which the requesting application must hold use privileges, is identified by its subject DN:

<SOAP-ENV:Envelope Attributes>
  <SOAP-ENV:Header>
    ...
  </SOAP-ENV:Header>
  <SOAP-ENV:Body Attributes>
    <dss:SignRequest Profile="urn:safelayer:tws:dss:1.0:profiles:xades:1.0:sign" Attributes>
      ...
      <dss:OptionalInputs>
        <dss:KeySelector>
          <css:KeySelector>
            <Name dss:Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
              CN=Homer Simpson, O=Safelayer, C=ES
            </Name>
            ...
          </css:KeySelector>
        </dss:KeySelector>
      </dss:OptionalInputs>
      <dss:InputDocuments>...</dss:InputDocuments>
    </dss:SignRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Examples of use of the TrustedX signature generation service

In the try section of TrustedX Labs, you will find a collection of code examples showing how TrustedX handles the various aspects of signature generation.