-
-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to server-side hashing for SignServer support #260
base: master
Are you sure you want to change the base?
Conversation
Thank you for the follow up. Does the serverside hashing work in all cases? Maybe we could use that to keep things simple. |
I wouldn't recommend that, and no, depends on the configuration on the SignServer. |
I'm suggesting this because the data to be signed is an ASN.1 structure (SpcIndirectDataContent) containing the hash of the file, it's just a few bytes larger than the hash that would be produced on the client side. It's not like the whole file would be sent over the network. What error did you get with the Nitrokey HSM? It's a bit odd that client side hashing doesn't work, that sounds like a bug in SignServer. |
The error is
Oh, ok, then this was a misunderstanding on my side, it is indeed 126 byte vs. 32 byte for SHA-256. So yeah, I guess server-side hashing should always work if the worker is configured properly and I'll change this PR to only do server-side hashing. |
The Nitrokey 3 NFC was quite slow last year when I tested it, around 1 second per RSA 4096 signature. The Yubikey 5 is faster, about 100ms per sign operation. I don't remember the performance of the Nitrokey HSM 2 but I think it was close to the Nitrokey 3. There was some work in the latest firmwares to enable hardware acceleration on some operations but I haven't checked.
That's an annoying drawback :( That means the algorithm has to be specified to Jsign, the process is open to misuse and errors. |
Just noticed your message on the Nitrokey support forum: |
Did not fully get that. |
I think Jsign has to know the algorithm, I'll check. |
Maybe this will help if it gets considered Keyfactor/signserver-ce#108 :-) |
But currently you are right. |
For now I changed
to
|
When using for example a Nitrokey HSM 2, client-side hashing seems to not work.
Additionally if
CLIENTSIDEHASHING
was set totrue
in the worker as documented,the certificate fetching failed.
This PR also uses client-side hashing for the certificate retrieval,
and additionally allows to suffix the alias with
|serverside
, to allow doingserver-side hashing when necessary.