Discuss this help topic in SecureBlackbox Forum

Create CMS signature using external signing interfaces

Sometimes there is a need to create a signature with a key residing out of the typical PKI infrastructure, unavailable to the standard access methods (files, PKCS#11 devices, Windows system stores etc.). Such signatures are produced by the in-house or bespoke signing devices accessible via proprietary non-standardizes interfaces. Sometimes the signing has to be performed via external web service.

SecureBlackbox supports the so-called remote signing mode. In this mode the signing component passes you the readily computed hash over the data; then you pass it to the signing device (or service) via the appropriate protocol. When the device completes the signing, you pass the signed hash back to the component. Essentially, SecureBlackbox allows you to intrude into the signing process and perform the signing operation yourself in the way you want. This refers to the lowest-level cryptographic signing operations such as RSA/PKCS11, DSA or ECDSA signing primitives.

Remote signing option is supported for CMS, PDF and XML components.

To use remote signing with CMS components (TElSignedCMSMessage and TElCMSSignature):

  1. Replace the Sign() call used for the normal signing with the corresponding SignRemote() call: sig.SignRemote(cert, signCallback, param, chain); Here, 'param' is a custom object that you can use to pass some data to the component (to be returned to you by the signing callback, see below).
  2. Implement the signCallback handler. This handler should take the hash and contact the device or service to ask for a signature over it:
    bool signCallback(object sender, object param, byte[] hash, ref byte[] signedHash)
      // Note: 'param' is the object you've passed to SignRemote
      signedHash = myCustomDevice.SignHash(hash);
      return true; // or false if signing fails
That's it. In most cases, the rest of your code that deals with the CMS signature objects can be left untouched. This code will work in exactly the same way as it does during the normal (non-remote) signing.

How To articles about Cryptographic Message Syntax (CMS)

Discuss this help topic in SecureBlackbox Forum