SiGa - Signature Gateway

Signature Gateway is a web service for creating, signing and validating ASIC-E and BDOC containers with XAdES signatures.

External services used by SiGa

• Signature Validation Service for validating signatures.
• DigiDocService or MID REST service for signing with Mobile-ID (depending on the configuration).
• Smart-ID service* for signing with Smart-ID (if enabled in configuration).

* Smart-ID support is not currently production ready. Use at your own risk.

How to build

Using Maven Wrapper

Recommended way of building this project is using Maven Wrapper to build it. Run the following command:

./mvnw clean install

How to deploy

SiGa Deployment digagram

SiGa project compiles into a WAR (Web application archive) file and requires a servlet container to run.

Additionally Apache Ignite version 2.7.5 is required for session management. Ignite servers must be up and running prior SiGa startup. Ignite servers must be configured the same way as the Ignite client embedded in SiGa. An example Ignite configuration file can be seen here.

Running SiGa in Tomcat

First Tomcat web servlet container needs to be downloaded. For example, when using the latest 8.5 version, which at the time of writing was 8.5.46, could be downloaded with wget:

wget https://www-eu.apache.org/dist/tomcat/tomcat-8/v8.5.46/bin/apache-tomcat-8.5.46.tar.gz

Unpack it somewhere:

tar -xzf apache-tomcat-8.5.46.tar.gz

Copy the built WAR file into Tomcat webapps directory and start the servlet container:

cp SiGa/siga-webapp/target/siga-webapp-2.0.0.war apache-tomcat-8.5.46/webapps
./apache-tomcat-8.5.46/bin/catalina.sh run

Configuring SiGa in Tomcat

• Make application.properties available anywhere in the host system.
• Create or modify setenv.sh placed inside Tomcat bin directory:
  • export JAVA_OPTS="$JAVA_OPTS -Dspring.config.location=file:/path/to/application.properties"
  • export JAVA_OPTS="$JAVA_OPTS -Dspring.profiles.active=list-of-profiles-to-activate" (see available profiles)

Additionally, when running SiGa on a Java version greater than 8, the following parameters should be added to JAVA_OPTS (see more on Ignite Getting Started guide):

--add-exports=java.base/jdk.internal.misc=ALL-UNNAMED
--add-exports=java.base/sun.nio.ch=ALL-UNNAMED
--add-exports=java.management/com.sun.jmx.mbeanserver=ALL-UNNAMED
--add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED
--add-exports=java.base/sun.reflect.generics.reflectiveObjects=ALL-UNNAMED
--illegal-access=permit
-Djdk.tls.client.protocols=TLSv1.2

NB: when providing your own external application.properties file, logback configuration and so on, be sure to remove them from siga-webapp/src/main/resources folder before building SiGa!

Available profiles

Profile name	Description
digidoc4jProd	Use DD4J production mode
digidoc4jTest	Use DD4J test mode (prefer AIA-OCSP)
digidoc4jPerf	Use DD4J test mode (without AIA-OCSP)
midRest	Use MID REST instead of DDS for signing with mobile-ID
smartId	Enable endpoints for signing with Smart-ID*
datafileContainer	Enable datafile container endpoints**

NB: exactly one of digidoc4jProd, digidoc4jTest and digidoc4jPerf must be active!

* Smart-ID support is not currently production ready. Use at your own risk.

** Datafile containers support is not currently production ready. Use at your own risk.

SiGa configuration

application.properties

Example application.properties file can be seen here. Common Spring Boot properties are described here.

SiGa Ignite configuration

Parameter	Mandatory	Description	Example
siga.ignite.configuration-location	Y	Location of the ignite configuration file.	/path/to/ignite-configuration.xml
siga.ignite.application-cache-version	Y	Version of Ignite cache.	v1

Example ignite-configuration.xml file can be seen here.

SiGa DD4J configuration

Parameter	Mandatory	Description	Example
siga.dd4j.configuration-location	Y	Location of the DD4J configuration file.	/path/to/digidoc4j.yaml
siga.dd4j.tsl-refresh-job-cron	Y	Cron expression for the scheduled job that refreshes DD4J TSL cache.	0 0 3 * * *

Example digidoc4j.yaml file can be seen here. More about configuring DD4J here.

SiGa SiVa configuration

Parameter	Mandatory	Description	Example
siga.siva.url	Y	Signature validation service URL.	https://siva-arendus.eesti.ee/V3

SiGa DDS configuration

Applicable if midRest profile is not active.

Parameter	Mandatory	Description	Example
siga.dds.url-v1	Y	DigiDocService access url for v1 endpoint.	https://tsp.demo.sk.ee/
siga.dds.url-v2	Y	DigiDocService access url for v2 endpoint.	https://tsp.demo.sk.ee/v2/
siga.dds.trust-store	Y	Location of the DDS truststore file.	file:/path/to/dds_truststore.p12
siga.dds.trust-store-password	Y	Password to access DDS truststore file.	changeit
siga.dds.relying-party-name	Y	DigiDocService relying party name: name of the service – previously agreed with Application Provider and DigiDocService operator.	Testimine

SiGa MID REST configuration

Applicable if midRest profile is active.

Parameter	Mandatory	Description	Example
siga.midrest.url	Y	MID REST service URL.	https://tsp.demo.sk.ee/mid-api

NB: MID REST relying party name and UUID are registered per service.

SiGa Smart-ID configuration

Applicable if smartId profile is active.

Parameter	Mandatory	Description	Example
siga.sid.url	Y	Smart-ID service URL.	https://sid.demo.sk.ee/smart-id-rp/v1/
siga.sid.session-status-response-socket-open-time	N	Smart-ID session status request long poll value in milliseconds. Defaults to 40.	40

NB: Smart-ID relying party name and UUID are registered per service.

SiGa security configuration

Parameter	Mandatory	Description	Example
siga.security.hmac.expiration	Y	Maximum amount of time from signing timestamp after which the request is considered expired, in seconds. Validation takes into account clock skew. Must be greater than or equal to -1.	5
siga.security.hmac.clock-skew	Y	Maximum clock skew between SiGa server and service provider machines, in seconds. Must be greater than or equal to 0.	2
siga.security.jasypt.encryption-algo	Y	Algorithm that is used to encrypt service signing key values in service database.	PBEWITHSHA-256AND256BITAES-CBC-BC
siga.security.jasypt.encryption-key	Y	Secret key that is used to encrypt/decrypt service signing key values in service database.	encryptorKey

SiGa database configuration

Example changelogs and changesets are provided under siga-auth/src/main/resources/db. To apply a changelog to the database on the application startup, spring.liquibase.change-log property must be set, e.g.:

spring.liquibase.change-log=classpath:db/changelog/db.changelog-master.yaml

Use classpath:db/changelog/db.changelog-master-dev.yaml only for test/dev purposes. This changeset inserts default testing values into services database.

Out-of-the-box, SiGa supports H2 and PostgreSQL databases. H2 (which is also configured by default in the example configuration) is good for development and testing, but in production using PostgreSQL is recommended. An example for configuring SiGa to use PostgreSQL:

spring.datasource.continue-on-error=false
spring.datasource.platform=postgresql
spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/database
spring.datasource.username=user
spring.datasource.password=password

SiGa database

Data model

SIGA_CLIENT

A table holding all the registered clients that are allowed to use SiGa.

Column name	Type	Description
id	SERIAL (autoincrement primary key)	Entry ID
name	VARCHAR(100)	Client name
contact_name	VARCHAR(100)	Client contact person name
contact_email	VARCHAR(256)	Client contact e-mail
contact_phone	VARCHAR(30)	Client contact phone
uuid	VARCHAR(36)	Client UUID

SIGA_SERVICE

A table holding all the registered services that are allowed to use SiGa.

Column name	Type	Description
id	SERIAL (autoincrement primary key)	Entry ID
uuid	VARCHAR(36)	Service UUID
signing_secret	VARCHAR(128)	A previously agreed secret that is used to sign all requests sent to SiGa by this service
client_id	INTEGER	Client ID (foreign key to SIGA_CLIENT)
name	VARCHAR(20)	Service name
sk_relying_party_name	VARCHAR(20)	MID REST relying party name
sk_relying_party_uuid	VARCHAR(100)	MID REST relying party UUID
smart_id_relying_party_name	VARCHAR(20)	Smart-ID relying party name
smart_id_relying_party_uuid	VARCHAR(100)	Smart-ID relying party UUID
billing_email	VARCHAR(128)	(currently not used by SiGa)
max_connection_count	INTEGER	Allowed maximum number of active sessions for this service. A value of -1 indicates no limit
max_connections_size	BIGINT	Allowed cumulative maximum data volume* for all active sessions. A value of -1 indicates no limit
max_connection_size	BIGINT	Allowed maximum data volume* for a single session. A value of -1 indicates no limit

* data volume is based on the content length of HTTP POST requests.

SIGA_CONNECTION

A table holding cumulative data volume* per active session.

Column name	Type	Description
id	SERIAL (autoincrement primary key)	Entry ID
container_id	VARCHAR(36)	Container ID (an internal identifier identifying a currently active session)
service_id	INTEGER	Service ID (foreign key to SIGA_SERVICE)
size	BIGINT	Cumulative data volume* for this session

* data volume is based on the content length of HTTP POST requests.