Integration
Integration
JavaDoc
The JavaDoc for SignServer is available at SIGNSERVER_HOME/doc/api/index.html after running "ant javadoc".
Web Services
New to version 3.0 is the Main WebService interface. It replaces the RMI-SSL interface in version 1.0 and 2.0 for two reasons, the RMI-SSL were based on a commercial library and it only worked for Java clients.
The WebService interface have two calls, the main one is 'process' which takes a collection of process request to a processable worker and returns a collection of process responses, the second one is getStatus that performs a health check of the node and returns an OK message if the node is healthy.
The WebService stack used is the JAX-WS stack from SUN. And the actual process data is a externalized Base64 byte-arrays. The reason why the are externalized is to simply the integration towards non-Java platforms. See the source of the actual request to see how the data is structured.
The getStatus call can be used to implement high-availability towards the client. The Java client API described in the next section have built in support for different high availability policies.
The WebService WSDL file is located at the URL http://<hostname>:8080/signserver/signserverws/signserverws?wsdl
It's possible to turn off the WebService interface by disabling it in the build configuration.
Important, Due to class path conflict in JBoss 4.2.x own JBoss WebService stack and the JAX-WS stack used by the SignServer must the JBoss WebService stack be removed before the WebService is used. This is done by going to JBOSS_HOME/server/default/deploy and remove the directory jbossws.sar.
Since SignServer >=3.2.1 it is possible to supply extra request data called RequestMetadata containing key/value pairs that can be used by the signers. For instance the PDFSigner uses this feature to let the client supply a PDF password.
Java Client API
Built along with the WebService is a Java API that can be used by clients. It's located in dist-client/signserverwscli and the file signserverws.jar and all the files in the lib directory is required to use the API. The client API have support for different high availability policies to avoid the need for load balance hardware.
The client classes is in the package org.signserver.protocol.ws.client and the main code are SignServerWSClientFactory creating a client using the specified load balance policy, it returns a ISignServerWSClient that is used to perform the actual process requests.
Load Balance Policies
With version 3.0 is one load balance policy defined and it's called 'CallFirstNodeWithStatusOK' it calls the getStatus method on all the server nodes in the cluster simultaneously and the first node to respond OK it sends its process request to. This to ensure that only one node in the cluster actually performs the signing.
Other future load balance policies could be round robin or that all nodes are called with the requests simultaneously and the first response is used.
SigningAndValidation API
The SigningAndValidation API is a wrapper around the previous mentioned API in order to have a simplified interface that also is the same regardless if WebService or EJB Remote calls are used.
To use the API include the file signingandvalidationapi.jar as well as all JAR-files in the lib-folder available in SIGNSERVER_HOME/dist-client/signingandvalidationapi/.
Sample Code
*** Signing and validating an XML document ***
try {
ISigningAndValidation signserver = new SigningAndValidationWS("localhost", 8080);
// Document to sign
byte[] unsigned = "<document><name>Some content</name></document>".getBytes();
byte[] signed;
// Signing
GenericSignResponse signResp = signserver.sign("DemoXMLSigner", unsigned);
signed = signResp.getProcessedData();
System.out.println("Signed: " + new String(signed));
// Validating
GenericValidationResponse validateResp = signserver.validate("DemoXMLValidator", signed);
System.out.println("Valid: " + validateResp.isValid());
if(validateResp.getSignerCertificate() != null) {
if(validateResp.getSignerCertificate() instanceof X509Certificate) {
X509Certificate signerCert = (X509Certificate) validateResp.getSignerCertificate();
System.out.println("Signed by: " + signerCert.getSubjectDN().getName());
}
}
} catch (Exception ex) {
ex.printStackTrace();
}
*** MRTD Signing ***
try {
ISigningAndValidation signserver = new SigningAndValidationWS("localhost", 8080);
// Bytes to sign
ArrayList<byte[]> bytesToSign = new ArrayList<byte[]>();
bytesToSign.add("Sample data 1".getBytes());
bytesToSign.add("Sample data 2".getBytes());
// Signing
MRTDSignResponse signResp = (MRTDSignResponse) signserver.process("MRTDSigner", new MRTDSignRequest(1234, bytesToSign), new RequestContext());
System.out.println("Certificate: " + signResp.getSignerCertificate());
if(signResp.getProcessedData() instanceof Collection) {
Collection<byte[]> signed = (Collection) signResp.getProcessedData();
for(byte[] data : signed) {
System.out.println("Signed: " + new String(Base64.encode(data)));
}
}
} catch (Exception ex) {
ex.printStackTrace();
}
Web Server Interface
GenericProcessServlet
HTTP requests can be sent to the SignServer servlet GenericProcessServlet located at /signserver/process using either POST or GET.
| URL: | /signserver/process |
| Method: | GET or POST |
| Request content-type: | None, "x-www-form-urlencoded", "multipart/form-data" or other* |
| Request parameters: |
|
| Response code: |
|
| Response content-type: | Depending on the worker |
* if the request content-type in a POST is specified as something else than "x-www-form-urlencoded" or "multipart/form-data" the message body is not parsed but instead directly passed to the worker specified by workerName or workerId in the URI's query string.
*** Samples ***
-
HTTP GET:
http://localhost:8080/signserver/process?workerName=DemoXMLSigner&data=%3Croot%3Ehej2%3C/root%3E
http://localhost:8080/signserver/process?workerName=DemoXMLSigner&encoding=base64&data=PGhlajI%2Bb2s8L2hlajI%2BCg%3D%3D
-
HTTP POST with multipart/form-data or x-www-form-urlencoded:
For example see /signserver/demo/xmlsign.jsp (multipart/form-data) and /signserver/demo/genericsign.jsp (x-www-form-urlencoded).
-
HTTP POST with other content-type:
See the TimeStampClient.
SODProcessServlet
Servlet recieving HTTP POST requests containing data group hashes and creates a MRTDSODSignerRequest and passes it to the specified MRTDSODSigner. The response from the servlet is the signed security object in binary format.
| URL: | /signserver/sod |
| Method: | POST |
| Request parameters: |
|
| Response code: | The same response codes as for the GenericProcessServlet are used. |
| Response content-type: | application/octet-stream |
Client Command Line Interface (CLI)
Requests can be sent to the workers using the Client CLI. After building SignServer the script bin/client.sh can be run.
$ bin/client.sh
INFO usage: client <signdocument | validatedocument | timestamp | validatecertificate | signdatagroups>
signdocument
Request signing of a document using HTTP(s) or web services.
usage: signdocument <-workername WORKERNAME | -workerid WORKERID>
[options]
Request a document to be signed by SignServer
-data Data to send to the worker.
-host Server name or IP address. Default: localhost
-infile File to read data to send to the worker from.
-keyalias Alias of the key in the keystore to use for
authentication.
-keystore Keystore with private key and certificate for client
certificate authentication.
-keystorepwd Password for reading the keystore.
-outfile File to write the result to. If not specified the
result is written to stdout.
-password Password for authentication.
-pdfpassword Password for changing the PDF (if required).
-port Server port. Default: 8080 (for HTTP), 8442 for HTTPS
and 8443 for HTTPS with client authentication.
-protocol Method of interacting with SignServer. HTTP or
WEBSERVICES. Default: HTTP.
-servlet Servlet to call. Default /signserver/process
-truststore Keystore with trusted certificates to use with HTTPS.
-truststorepwd Password for the keystore with trusted certificates.
-username Username for authentication.
-workerid ID of worker which should perform the operation.
-workername Name of worker which should perform the operation.
Sample usages:
a) signdocument -workername XMLSigner -data "<root/>"
b) signdocument -workername XMLSigner -infile /tmp/document.xml
c) signdocument -workerid 2 -data "<root/>" -truststore truststore.jks
-truststorepwd changeit
d) signdocument -workerid 2 -data "<root/>" -keystore superadmin.jks
-truststorepwd foo123
validatedocument
Request a document to be validated.
usage: validatedocument <-workername WORKERNAME | -workerid WORKERID>
[options]
Request a document to be validated by SignServer
-data Data to send to the worker.
-host Server name or IP address. Default: localhost
-infile File to read data to send to the worker from.
-keyalias Alias of the key in the keystore to use for
authentication.
-keystore Keystore with private key and certificate for client
certificate authentication.
-keystorepwd Password for reading the keystore.
-password Password for authentication.
-port Server port. Default: 8080 (for HTTP), 8442 for HTTPS
and 8443 for HTTPS with client authentication.
-truststore Keystore with trusted certificates to use with HTTPS.
-truststorepwd Password for the keystore with trusted certificates.
-username Username for authentication.
-workerid ID of worker which should perform the operation.
-workername Name of worker which should perform the operation.
Sample usages:
a) validatedocument -workername XMLValidator -data "<root><Signature...
b) validatedocument -workername XMLValidator -infile /tmp/signed.xml
c) validatedocument -workerid 2 -infile /tmp/signed.xml -truststore
truststore.jks -truststorepwd changeit
d) validatedocument -workerid 2 -infile /tmp/signed.xml -keystore
superadmin.jks -truststorepwd foo123
timestamp
$ bin/client.sh timestamp
usage: java -jar timeStampClient.jar <options> <url>
-instr <string> String to be time stamped, if neither instr or
infile is given, the client works in test-mode generating it's own
message.
-base64 Give this option if the stored request/reply should
be base64 encoded, default is not.
-help Print this message.
-infile <file> File containing message to time stamp.
-inrep <file> Input file containing an earlier stored base64
encoded response, to verify.You must specify the verify flag also.
-inreq <file> Input file containing an earlier stored request to
use instead of creating a new. You must specify the request flag also.
-outrep <file> Output file to store the recevied TSA reply, if not
given the reply is not stored.
-outreq <file> Output file to store the sent TSA request, if not
given the request is not stored.
-signerfile <file> Input file containing the PEM encoded certificate of
the TSA signer.Used to verify a stored response.
-sleep <num> Sleep a number of milliseconds after each request.
Default 1000 ms.
-url <url> Url of TSA, e.g.
http://127.0.0.1:8080/signserver/process?workerId=1.
-verify Give this option if verification of a stored reply
should be done, work together with inrep and cafile. If given, no request
to the TSA will happen.
Sample usages:
a) timestamp -url http://localhost:8080/signserver/tsa?workerName=TimeStampSigner
validatecertificate
Request a certificate to be validated by the specified service.
usage: Usage: java -jar validate.jar <options>
-cert <cert-file> Path to certificate file (DER or PEM)
(Required).
-certpurposes <certpurposes> A ',' separated string containing
requested certificate purposes.
-der Certificate is in DER format.
-help Display this info
-hosts <hosts> A ',' separated string containing the
hostnames of the validation service nodes. Ex
'host1.someorg.org,host2.someorg.org' (Required).
-pem Certificate is in PEM format (Default).
-port <port> Remote port of service (Default is 8080 or
8442 for SSL).
-service <service-name> The name or id of the validation service
to process request. (Required)
-silent Don't produce any output, only return
value.
-truststore <jks-file> Path to JKS truststore containing trusted
CA for SSL Server certificates.
-truststorepwd <password> Password to unlock the truststore.
The following values is returned by the program that can be used when scripting.
-2 : Error happened during execution
-1 : Bad arguments
0 : Certificate is valid
1 : Certificate is revoked
2 : Certificate is not yet valid
3 : Certificate have expired
4 : Certificate doesn't verify
5 : CA Certificate have been revoked
6 : CA Certificate is not yet valid
7 : CA Certificate have expired.
8 : Certificate have no valid certificate purpose.
Sample usages:
a) validatecertificate -service CertValidationWorker -hosts localhost -cert
certificate.pem
b) validatecertificate -service 5806 -hosts localhost -cert certificate.pem
-truststore p12/truststore.jks -truststorepwd changeit
signdatagroups
Sign the specified data groups and produce an SOd (MRTD).
$ bin/client.sh signdatagroups
usage: signdatagroups <options>
-data Data to send to the worker.
-encoding Encoding of the data option. None or base64. Default:
none.
-host Server name or IP address. Default: localhost
-keyalias Alias of the key in the keystore to use for
authentication.
-keystore Keystore with private key and certificate for client
certificate authentication.
-keystorepwd Password for reading the keystore.
-password Password for authentication.
-port Server port. Default: 8080 (for HTTP), 8442 for HTTPS
and 8443 for HTTPS with client authentication.
-repeat Run the operation this number of times. Default: 1
-servlet Servlet to call. Default /signserver/sod
-truststore Keystore with trusted certificates to use with HTTPS.
-truststorepwd Password for the keystore with trusted certificates.
-username Username for authentication.
-workerid ID of worker which should perform the operation.
-workername Name of worker which should perform the operation.
Sample usages:
a) signdatagroups -workername MRTDSODSigner -data "1=value1&2=value2&3=value3"
Administration Web Service
The SignServer AdminWS can be used for remote administration of SignServer over client authenticated HTTPS. Access is granted based on a list of certificate serial number and issuer distinguished name pairs. Currently there is only one access level and all administrators granted access will be able to perform all operations.
The WSDL file is located at the URL http://<hostname>:8080/signserver/AdminWSService/AdminWS?wsdl
Authorizing administrators can be done using the Admin CLI command "wsadmins".
Usage: signserver wsadmins -add -certserialno <certificate serial number> -issuerdn <issuer DN>
Usage: signserver wsadmins -remove -certserialno <certificate serial number> -issuerdn <issuer DN>
Usage: signserver wsadmins -list
Example 1: signserver wsadmins -add -certserialno 123abcdef -issuerdn "C=SE, CN=Neo Morpheus"
Example 2: signserver wsadmins -remove -certserialno 123abcdef -issuerdn "C=SE, CN=Neo Morpheus"
Example 3: signserver wsadmins -list
Notice that the certificate serial number should be entered with lower case characters. Also notice that the issuer DN currently should be entered in the reversed order and with spaces after each component. In the example above the issuer DN from the certificate actually is "CN=Neo Morpheus, C=SE".
To troubleshoot an "Administrator not authorized to resource" see the logs for how SignServer interprets the serialnumber and subject DN. Example:
19:00:33,946 INFO [AdminWS] ADMIN OPERATION; subjectDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=External RA Admin 1; serialNumber=4a3442e98e3ce428; issuerDN=C=SE, O=Markus Organization, OU=Internal Testing 1, CN=MarkusAdminCA1; authorized=false; operation=getWorkers; arguments=