Interoperability
The following provides an overview of SignServer's capabilities and support, with relevant links to documentation and external standards.
SignServer supports multiple application servers and standard, high-performance databases. For more information on SignServer requirements, see Prerequisites.
Algorithms
SignServer supports the following algorithm types and key sizes/curves.
| Algorithm | Key Size/curve |
|---|---|
| RSA | Keys up to and including 8192 bits. |
| DSA | Keys up to and including 1024 bits. |
| ECDSA | ECDSA key algorithm with named curves. |
| Hash algorithms | Hash algorithms for signatures: SHA-1, SHA-2. |
| NSA SUITE B | Compliant with NSA SUITE B algorithms and certificates. |
Signature Formats
Document Signing
SignServer can easily be adapted to customer-specific needs by using plug-ins and supports document signing formats such as the ones listed below.
| Format | Documentation |
|---|---|
| PDF (ISO 32000): PDF document processing, including support for: | |
| PAdES (-B, -T, -LT, -LTA) (PDF Advanced Electronic Signatures) | ENTERPRISE |
| XAdES (-B, -T, -LT, -LTA) (XML Advanced Electronic Signatures) | ENTERPRISE |
| XAdES (XAdES-BES and XAdES-T) | |
| XML (XMLdSig) | |
| CMS/PKCS#7: Generic CMS (PKCS#7) signer signs any document or file with support for encapsulated content or detached signatures and client-side hashing. | |
| CMS signing with support for time-stamping | ENTERPRISE |
| OpenDocument Format (ODF) | (Available as-is) |
| Office Open XML (OOXML) | (Available as-is) |
Code Signing
SignServer supports code signing formats such as the following.
| Format | Documentation |
|---|---|
| Plain signing | |
| CMS signing | |
| OpenPGP signing | |
| CMS signing + time-stamping | ENTERPRISE |
| OpenPGP signing with client-side hashing | ENTERPRISE |
| Authenticode signing including: | ENTERPRISE |
| Microsoft APPX package signing (Appx) | ENTERPRISE |
| Java code signing including: | ENTERPRISE |
| Debian package signing (dpkg-sig) | ENTERPRISE |
ePassport
SignServer is used both for MRTD signing and for ICAO CSCA Master list signing.
| ePassport | Documentation |
|---|---|
| Document (MRTD SOD) signing with Logical Data Structure (LDS) version 1.7 and 1.8 support | |
| Document (MRTD) signing | (Legacy) |
| ICAO CSCA Master list signing | ENTERPRISE |
| Additional algorithm support, subject to SoW/support agreement, including for instance: | |
Time-stamping
SignServer can be used as the time-stamp unit within a Time Stamp Authority (TSA) to generate digitally signed time-stamps, includes monitoring of time synchronization, and offers both RFC 3161 and MS Authenticode time-stamps.
| Format | External References | Documentation |
|---|---|---|
| Basic Time-stamping | | |
| Professional Time-stamping including: | | ENTERPRISE |
Validation Service
The Validation Service provides validators for signed documents, with built-in support for XML validation and XAdES (XAdES-BES and XAdES-T).
The SignServer Validation Service also allows you to write your own validator plug-in.
Third-party Hardware
Hardware Security Modules
SignServer supports Hardware Security Modules (HSMs) and has built-in support for various HSMs, such as the ones listed below, as well as other HSMs that provide a well-behaved PKCS#11 library. SignServer additionally supports software-based keys for lower security requirements or development.
| Vendor | Model |
|---|---|
| Generic PKCS#11 Provider | |
| ARX | CoSign |
| nCipher | nShield/netHSM |
| SafeNet | Luna |
| SafeNet | ProtectServer Gold |
| SafeNet | ProtectServer Gold Emulator |
| SoftHSM | SoftHSMv2 |
| Utimaco | CryptoServer |
| Microsoft Azure | Key Vault |
For HSM vendor-specific installation and configuration information, refer to the EJBCA Documentation section Vendor Specific Information.
Integration Interfaces
SignServer provides multiple integration interfaces such as:
- Client CLI Interface (a.k.a. SignClient) and Administration CLI.