This article explains how to generate electronic signatures using TrustedX.
Electronic signature generation
Electronic signature generation consists in encrypting the summary of the data, which are to be signed, with the private component of an asymmetrical key. This is done in such a way that subsequent verification may be performed using a public component.
The types of electronic signatures possible are as follows:
- Enveloped electronic signatures, where the electronic signature is embedded in the signed data (e.g., in PDF documents)
- Enveloping electronic signatures, where the signed data is included in the same file (typical example in XML documents) or
- Detached electronic signatures, where the data are stored in different files.
The most widely used and recognized formats in the sector are:
- PKCS#7/CMS, CAdES, PDF digital signature, PAdES, XML-Dsig and XAdES for documents
- S/MIME for electronic messaging
- WS-Security for securing SOAP messages
Critical factors of electronic signature generation are the security and custody of the private key. It is essential that the private key is always under the signer's exclusive control, as a means of guaranteeing the non-repudiation of the electronic signature. Therefore, electronic signature systems must manage a secure keystore, in order to impede copying or the unauthorized use of keys.
Electronic signatures can be produced in the user's own system (e.g. in a PC or telephone) or through automated business processes (e.g. electronic invoicing). In the former case, keys are usually stored in intelligent cards or SIM cards. The latter, however, uses HSM devices, which must be integrated into the corporate applications.
TrustedX is particularly involved in the latter case. TrustedX facilitates the integration of the management of all electronic signature types and formats into the applications, it enables large volumes of electronic signatures to be managed, and it provides a secure, by using HSM, and easy-to-audit environment for managing private keys.
Electronic signature generation using TrustedX
From the point of view of the application, and just like the rest of the functions related to the electronic signature, implementation of the electronic signature generation process will consist in consuming a TrustedX service. The application must send the document or the document's hash to TrustedX, indicating the desired electronic signature format. TrustedX will, then, generate the electronic signature.
One of the advantages of TrustedX, is, that it provides a secure and easy-to-audit environment in which to custody the application's private keys. All management tasks (requests, revocation and key renewal) are automated and are transparent to the applications.
The delegation of electronic signature policy management to TrustedX, makes for a centralized system in which the electronic signature parameters (algorithms, signer roles, electronic signature commitments, the electronic signature production place and time-stamp inclusion) are established.
Just like the rest of the TrustedX services, the electronic signature service can be used as SOAP/WS or REST/WS, or via the TrustedX Java API. To learn about the different integration architectures of TrustedX, consult the howto “TrustedX Integration Architectures ”.
Next, you will see an example of an XML digital signature request, using the OASIS DSS standard, where the documents to be signed will be included in the element: The key to be used, and for which one has use privileges, is identified by its corresponding DN.
CN=Homer Simpson, O=Safelayer, C=Es