Implement Server-Side Timestamping with Interrupted signing #482

sudoman00 · 2024-10-31T09:29:03Z

sudoman00
Oct 31, 2024

Hi everyone,

I'm working on a digital signing application with a split environment:

Client-side: Document preparation and signature embedding
Server-side: Document hash signing

This design allows us to:

Avoid sending entire documents to the server
Keep certificates secure on the server

Current Challenge:
I need to implement timestamping but have concerns about security since my timestamping service requires credentials.

Questions:

What's the best way to implement timestamping on the server-side along with the current signing process?
How can I return both the signature and timestamp together to the client?

Current Implementation:
Here's how I'm embedding the signature on the client-side after receiving it from the server:

async def proceed_with_signing(input_file, field_name, signature, prep_digest, output_handle, certificate, other_certs):
    cert_registry = SimpleCertificateStore()
    cert_registry.register_multiple(other_certs)

    ext_signer = signers.ExternalSigner(
        signing_cert=certificate,
        signature_value=signature,
        cert_registry=cert_registry,
        embed_roots=True,
    )

    signed_attrs = await ext_signer.signed_attrs(
        prep_digest.document_digest, 'sha256', use_pades=True
    )

    sig_cms = await ext_signer.async_sign_prescribed_attributes(
        'sha256', signed_attrs=signed_attrs,
        timestamper=DUMMY_HTTP_TS
    )

    validation_context = ValidationContext(
        allow_fetching=True,
    )

    pdf_signer = signers.PdfSigner(
        signers.PdfSignatureMetadata(
            field_name=field_name, 
            embed_validation_info=True, use_pades_lta=True,
            subfilter=fields.SigSeedSubFilter.PADES,
            validation_context=validation_context,
            md_algorithm='sha256',
            dss_settings=DSSContentSettings(include_vri=False),
            reason='Testing',
        ),
        signer=ext_signer,
        timestamper=DUMMY_HTTP_TS
    )

    pdf_buffer = open(input_file, 'rb')
    w = IncrementalPdfFileWriter(pdf_buffer)
    _, tbs_document, _ = await pdf_signer.async_digest_doc_for_signing(w)

    psi = tbs_document.post_sign_instructions
    
    await PdfTBSDocument.async_finish_signing(
        output_handle, prepared_digest=prep_digest,
        signature_cms=sig_cms,
        post_sign_instr=psi,
        validation_context=validation_context
    )

Any insights or best practices would be greatly appreciated!
Thanks in advance!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Implement Server-Side Timestamping with Interrupted signing #482

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Implement Server-Side Timestamping with Interrupted signing #482

sudoman00 Oct 31, 2024

Replies: 0 comments

sudoman00
Oct 31, 2024