Interoperability
The following provides an overview of SignServer's capabilities and support, with relevant links to documentation and external standards.
SignServer supports multiple application servers and standard, high-performance databases. For more information on SignServer requirements, see Prerequisites.
Algorithms
SignServer supports the following algorithm types and key size/curves.
|
Algorithm |
Key Size/curve |
|
RSA |
Keys up to and including 8192 bits. |
|
DSA |
Keys up to and including 1024 bits. |
|
ECDSA |
ECDSA key algorithm with named curves. |
|
Hash algorithms |
Hash algorithms for signatures, SHA-1, SHA-2. |
|
NSA SUITE B |
Compliant with NSA SUITE B algorithms and certificates. |
Signature Formats
Document Signing
SignServer can easily be adapted to customer-specific needs by using plug-ins and supports document signing formats such as the ones listed below.
|
Format |
Documentation |
|
PDF (ISO 32000) PDF document processing, including support for:
|
|
|
PAdES (-B, -T, -LT, -LTA)
(PDF Advanced Electronic Signatures)
|
ENTERPRISE |
|
XAdES (–B, -T, -LT, -LTA)
(XML Advanced Electronic Signatures
) |
ENTERPRISE |
|
XAdES (XAdES-BES and XAdES-T) |
|
|
XML (XMLdSig) |
|
|
CMS/PKCS#7 Generic CMS (PKCS#7) signer signs any document or file with support for encapsulated content or detached signatures and client-side hashing. |
|
|
CMS signing with support for time-stamping |
ENTERPRISE |
|
OpenDocument Format (ODF) |
(Available as-is) |
|
Office Open XML (OOXML) |
(Available as-is) |
Code Signing
SignServer supports code signing formats such as the following.
|
Format |
Documentation |
|
Plain signing |
|
|
CMS signing |
|
|
OpenPGP signing |
|
|
CMS signing + time-stamping |
ENTERPRISE |
|
OpenPGP signing with client-side hashing |
ENTERPRISE |
|
Authenticode signing including:
|
ENTERPRISE |
|
Microsoft APPX package signing (Appx) |
ENTERPRISE |
|
Java code signing including:
|
ENTERPRISE |
|
Debian package signing (dpkg-sig) |
ENTERPRISE |
ePassport
SignServer is used both for MRTD signing and for ICAO CSCA Master list signing.
|
ePassport |
Documentation |
|
Document (MRTD SOD) signing with Logical Data Structure (LDS) version 1.7 and 1.8 support |
|
|
Document (MRTD) signing |
(Legacy) |
|
ICAO CSCA Master list signing |
ENTERPRISE |
|
Additional algorithm support
|
|
Subject to SoW/support agreement including for instance:
Time-stamping
SignServer can be used as the time stamp unit within a Time Stamp Authority (TSA) to generate digitally signed time stamps and includes monitoring of time synchronization, offering both RFC 3161 and MS Authenticode time-stamps.
|
Format |
External References |
Documentation |
|
Basic Time-stamping |
||
|
Professional Time-stamping including:
|
ENTERPRISE |
Validation Service
Validators for signed documents, built-in support for XML validation, and
XAdES (XAdES-BES and XAdES-T).
The SignServer Validation Service also allows you to make your own validator plug-in.
Third-party Hardware
Hardware Security Modules
SignServer supports Hardware Security Modules (HSMs) and has built-in support for various HSMs such as the ones listed below , and other HSMs with a good PKCS#11 library. SignServer additionally supports software-based keys for lower security requirements or development.
|
Vendor |
Model |
|
Generic PKCS#11 Provider |
|
|
ARX |
CoSign |
|
nChipher |
nShield/netHSM |
|
SafeNet |
Luna |
|
SafeNet |
ProtectServer Gold |
|
SafeNet |
ProtectServer Gold Emulator |
|
SoftHSM |
SoftHSMv2 |
|
Utimaco |
CryptoServer |
|
Microsoft Azure |
Key Vault |
For HSM vendor specific installation and configuration information, refer to the EJBCA Documentation section Vendor Specific Information.
Integration Interfaces
SignServer provides multiple integration interfaces such as:
-
Client CLI Interface (a.k.a. SignClient) and Administration CLI.