SignServer documentation (#252)

README.md

@@ -37,6 +37,7 @@ Jsign is free to use and licensed under the [Apache License version 2.0](https:/
     * [GaraSign](https://garantir.io/garasign/)
     * [Google Cloud KMS](https://cloud.google.com/security-key-management)
     * [HashiCorp Vault](https://www.vaultproject.io/)
+    * [Keyfactor SignServer](https://www.signserver.org)
     * [Oracle Cloud KMS](https://www.oracle.com/security/cloud-security/key-management/)
     * [SSL.com eSigner](https://www.ssl.com/esigner/)
 * Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
@@ -54,7 +55,12 @@ See https://ebourg.github.io/jsign for more information.
 
 #### Version 7.0 (in development)
 
-* New signing services: HashiCorp Vault Transit (contributed by Eatay Mizrachi), Azure Trusted Signing, Oracle Cloud and GaraSign
+* New signing services:
+  * Azure Trusted Signing
+  * Oracle Cloud
+  * GaraSign
+  * HashiCorp Vault Transit (contributed by Eatay Mizrachi)
+  * Keyfactor SignServer (contributed by Björn Kautler)
 * Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
 * Commands have been added:
   * `timestamp`: timestamps the signatures of a file

docs/index.html

@@ -70,6 +70,7 @@ <h3 id="features">Features</h3>
           <li><a href="https://garantir.io/garasign/">GaraSign</a></li>
           <li><a href="https://cloud.google.com/security-key-management">Google Cloud KMS</a></li>
           <li><a href="https://www.vaultproject.io">HashiCorp Vault</a></li>
+          <li><a href="https://www.signserver.org">Keyfactor SignServer</a></li>
           <li><a href="https://www.oracle.com/security/cloud-security/key-management/">Oracle Cloud KMS</a></li>
           <li><a href="https://www.ssl.com/esigner/">SSL.com eSigner</a></li>
         </ul>
@@ -228,6 +229,7 @@ <h4 id="attributes" class="mobile-only">Attributes</h4>
           <li><code>GOOGLECLOUD</code>: Google Cloud KMS</li>
           <li><code>HASHICORPVAULT</code>: HashiCorp Vault</li>
           <li><code>ORACLECLOUD</code>: Oracle Cloud Key Management Service</li>
+          <li><code>SIGNSERVER</code>: Keyfactor SignServer</li>
           <li><code>TRUSTEDSIGNING</code>: Azure Trusted Signing</li>
         </ul>
       </td>
@@ -549,6 +551,7 @@ <h3 id="cli">Command Line Tool</h3>
                              - GOOGLECLOUD: Google Cloud KMS
                              - HASHICORPVAULT: HashiCorp Vault
                              - ORACLECLOUD: Oracle Cloud Key Management Service
+                             - SIGNSERVER: Keyfactor SignServer
                              - TRUSTEDSIGNING: Azure Trusted Signing
   -a,--alias &lt;NAME>          The alias of the certificate used for signing in the keystore
      --keypass &lt;PASSWORD>    The password of the private key. When using a keystore,
@@ -880,6 +883,43 @@ <h4 id="example-hashicorpvault">Signing with HashiCorp Vault</h4>
        --certfile full-chain.pem application.exe
 </pre>
 
+
+<h4 id="example-signserver">Signing with Keyfactor SignServer</h4>
+
+<p><a href="https://www.signserver.org">SignServer</a> is an on-premises open source signing service developed by Keyfactor.
+SignServer supports various signing operations handled by signer workers. Jsign requires a
+<a href="https://doc.primekey.com/signserver/signserver-reference/signserver-workers/signserver-signers/plain-signer">Plain Signer</a>
+worker configured with the <code>CLIENTSIDEHASHING</code> or <code>ALLOW_CLIENTSIDEHASHING_OVERRIDE</code> properties
+set to <code>true</code>, and the <code>SIGNATUREALGORITHM</code> property set to <code>NONEwithRSA</code> or
+<code>NONEwithECDSA</code>.</p>
+
+<p>The authentication is performed by specifying the username/password or the TLS client certificate in the
+<code>storepass</code> parameter. If the TLS client certificate is stored in a password protected keystore, the password
+is specified in the <code>keypass</code> parameter. The <code>keystore</code> parameter references the URL of the
+SignServer REST API. The <code>alias</code> parameter specifies the id or the name of the worker. </p>
+
+<p>Authenticating with a username and a password:</p>
+
+<pre>
+ jsign --storetype SIGNSERVER \
+       --keystore https://example.com/signserver \
+       --storepass "&lt;username&gt;|&lt;password&gt;" \
+       --alias test \
+       application.exe
+</pre>
+
+<p>Authenticating with a TLS client certificate:</p>
+
+<pre>
+ jsign --storetype SIGNSERVER \
+       --keystore https://example.com/signserver \
+       --storepass "/path/to/client-certificate.p12" \
+       --keypass &lt;client-certificate-password&gt; \
+       --alias test \
+       application.exe
+</pre>
+
+
 <h4 id="example-oraclecloud">Signing with Oracle Cloud Key Management Service</h4>
 
 <p>Signing with the Oracle Cloud Infrastructure Key Management Service requires the

jsign-cli/src/main/java/net/jsign/JsignCLI.java

@@ -95,6 +95,7 @@ public static void main(String... args) {
                         + "- GOOGLECLOUD: Google Cloud KMS\n"
                         + "- HASHICORPVAULT: HashiCorp Vault\n"
                         + "- ORACLECLOUD: Oracle Cloud Key Management Service\n"
+                        + "- SIGNSERVER: Keyfactor SignServer\n"
                         + "- TRUSTEDSIGNING: Azure Trusted Signing\n").build());
         options.addOption(Option.builder("a").hasArg().longOpt(PARAM_ALIAS).argName("NAME").desc("The alias of the certificate used for signing in the keystore").build());
         options.addOption(Option.builder().hasArg().longOpt(PARAM_KEYPASS).argName("PASSWORD").desc("The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password").build());

jsign-crypto/src/main/java/net/jsign/KeyStoreType.java

@@ -547,6 +547,16 @@ Provider getProvider(KeyStoreBuilder params) {
         }
     },
 
+    /**
+     * Keyfactor SignServer. This keystore requires a Plain Signer worker configured to allow client-side hashing (with
+     * the properties <code>CLIENTSIDEHASHING</code> or <code>ALLOW_CLIENTSIDEHASHING_OVERRIDE</code> set to true), and
+     * the <code>SIGNATUREALGORITHM</code> property set to <code>NONEwithRSA</code> or <code>NONEwithECDSA</code>.
+     *
+     * <p>The authentication is performed by specifying the username/password or the TLS client certificate in the
+     * storepass parameter. If the TLS client certificate is stored in a password protected keystore, the password is
+     * specified in the keypass parameter. The keystore parameter references the URL of the SignServer REST API. The
+     * alias parameter specifies the id or the name of the worker.</p>
+     */
     SIGNSERVER(false, false, false) {
         @Override
         void validate(KeyStoreBuilder params) {

jsign-maven-plugin/src/main/java/net/jsign/JsignMojo.java

@@ -90,7 +90,7 @@ public class JsignMojo extends AbstractMojo {
 
     /**
      * The type of the keystore (JKS, JCEKS, PKCS12, PKCS11, ETOKEN, NITROKEY, OPENPGP, OPENSC, PIV, YUBIKEY, AWS,
-     * AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD or TRUSTEDSIGNING).
+     * AZUREKEYVAULT, DIGICERTONE, ESIGNER, GARASIGN, GOOGLECLOUD, HASHICORPVAULT, ORACLECLOUD, SIGNSERVER or TRUSTEDSIGNING).
      */
     @Parameter( property = "jsign.storetype" )
     private String storetype;

jsign/src/deb/data/usr/share/bash-completion/completions/jsign

@@ -42,7 +42,7 @@ _jsign()
             return 0
             ;;
         --storetype)
-            COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
+            COMPREPLY=( $( compgen -W 'JKS JCEKS PKCS12 PKCS11 AWS AZUREKEYVAULT DIGICERTONE ESIGNER ETOKEN GARASIGN GOOGLECLOUD HASHICORPVAULT ORACLECLOUD SIGNSERVER TRUSTEDSIGNING YUBIKEY NITROKEY OPENPGP OPENSC PIV' -- "$cur" ) )
             return 0
             ;;
         --storepass|-a|--alias|--keypass|-t|--tsaurl|-r|--tsretries|-w|--tsretrywait|-n|--name|-u|--url|--proxyUrl|--proxyUser|--proxyPass|--value)

jsign/src/deb/data/usr/share/man/man1/jsign.1

@@ -99,6 +99,8 @@ Cloud key management systems:
 .br
 - ORACLECLOUD   : Oracle Cloud Key Management Service
 .br
+- SIGNSERVER    : Keyfactor SignServer
+.br
 - TRUSTEDSIGNING: Azure Trusted Signing
 
 This option is not required for file based keystores (JKS, JCEKS and PKCS12).