Default signature algorithm

When an application makes a request to the Centralized Signador and does not indicate which signature algorithm it wants to use, the system applies a default algorithm.

📌 Since April 26, 2023 this default algorithm is SHA256.

This is common, for example, when a PDF file is sent for signing and the request does not specify an algorithm.

How to indicate a specific algorithm in the signature request

If you want the Centralized Signador to use a specific algorithm to generate the signature, you must add the <SignatureDigestAlgorithm> field within <OptionalInputs> in the request that arrives at TX.

📋 The possible values are:

  • md5

  • sha1

  • id_sha256

  • id_sha384

  • id_sha512

Example:

<OptionalInputs>
  ...
  <SignatureDigestAlgorithm>id_sha256</SignatureDigestAlgorithm>
  ...
</OptionalInputs>

Requests that provide an externally calculated hash instead of a document

There are cases where the request does not contain the document to be signed but a hash calculated externally, outside TrustedX. In this case the <Document> node contains a structure like this:

<InputDocuments>
  <DocumentHash>
    <ns3:DigestMethod Algorithm="urn:nist-gov:sha256" xsi:type="ns3:DigestMethodType" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"/>
    <ns4:DigestValue xsi:type="ns4:DigestValueType" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#">ZTgwZTYyZTQ2MTJmMjQ5NGE4OTAwY2QxZTJjZTA4ZjQwNjQwMjI0NTE1MzY4ZjYwNDVjOTU4YTM3MjFlZGY3MA==</ns4:DigestValue>
  </DocumentHash>
</InputDocuments>

In this case the value to indicate in <ds:DigestMethod> is the Algorithm attribute corresponding to the algorithm that was used to calculate the hash; the possible values are:

  • http://www.w3.org/2000/09/xmldsig#sha1

  • http://www.w3.org/2001/04/xmldsig-more#md5

  • urn:nist-gov:sha256

  • urn:nist-gov:sha384

  • urn:nist-gov:sha512

  • http://www.w3.org/2001/04/xmlenc#sha256 (only for generating XMLDSig/XAdES signatures)

  • http://www.w3.org/2001/04/xmldsig-more#sha384 (only for generating XMLDSig/XAdES signatures)

  • http://www.w3.org/2001/04/xmlenc#sha512 (only for generating XMLDSig/XAdES signatures)

NOTE: In these cases you must ensure that the SignatureDigestAlgorithm and the algorithm used for the externally calculated hash are consistent, or the system will not sign.
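As an added example (not the Centralized Signador's or TrustedX's own code), the helper below builds a <DocumentHash> fragment for a chosen <SignatureDigestAlgorithm> value and checks a request for the consistency the note requires before it is sent. The mapping between the two value lists follows the lists above; treating DigestValue as base64 of either the raw digest or its hex string is an assumption, since the page's sample decodes to a hex string, and the xmlns:xsi declaration on the sample is added so it parses stand-alone.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# <SignatureDigestAlgorithm> value -> (DigestMethod Algorithm URI from the page's list, hashlib name)
ALGORITHMS = {
    "md5": ("http://www.w3.org/2001/04/xmldsig-more#md5", "md5"),
    "sha1": ("http://www.w3.org/2000/09/xmldsig#sha1", "sha1"),
    "id_sha256": ("urn:nist-gov:sha256", "sha256"),
    "id_sha384": ("urn:nist-gov:sha384", "sha384"),
    "id_sha512": ("urn:nist-gov:sha512", "sha512"),
}

# The page's own <DocumentHash> sample; xmlns:xsi is added here (assumption) so it parses stand-alone.
PAGE_SAMPLE = (
    '<InputDocuments xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><DocumentHash>'
    f'<ns3:DigestMethod Algorithm="urn:nist-gov:sha256" xsi:type="ns3:DigestMethodType" xmlns:ns3="{DS_NS}"/>'
    f'<ns4:DigestValue xsi:type="ns4:DigestValueType" xmlns:ns4="{DS_NS}">'
    'ZTgwZTYyZTQ2MTJmMjQ5NGE4OTAwY2QxZTJjZTA4ZjQwNjQwMjI0NTE1MzY4ZjYwNDVjOTU4YTM3MjFlZGY3MA=='
    '</ns4:DigestValue></DocumentHash></InputDocuments>')

def build_document_hash(document: bytes, sig_alg: str) -> str:
    """Build an <InputDocuments> fragment whose DigestMethod matches sig_alg (DigestValue = base64 of raw digest, an assumption)."""
    uri, hname = ALGORITHMS[sig_alg]
    b64 = base64.b64encode(hashlib.new(hname, document).digest()).decode()
    return ('<InputDocuments><DocumentHash>'
            f'<ds:DigestMethod Algorithm="{uri}" xmlns:ds="{DS_NS}"/>'
            f'<ds:DigestValue xmlns:ds="{DS_NS}">{b64}</ds:DigestValue>'
            '</DocumentHash></InputDocuments>')

def check_consistency(request_xml: str, sig_alg: str) -> list[str]:
    """Pre-flight check for the NOTE above: the chosen SignatureDigestAlgorithm must agree with the DigestMethod URI and the hash length."""
    problems = []
    root = ET.fromstring(request_xml)
    method = root.find(f".//{{{DS_NS}}}DigestMethod")
    value = root.find(f".//{{{DS_NS}}}DigestValue")
    if method is None or value is None:
        return ["DocumentHash lacks a DigestMethod or DigestValue"]
    expected_uri, hname = ALGORITHMS[sig_alg]
    if method.get("Algorithm") != expected_uri:
        problems.append(f"DigestMethod {method.get('Algorithm')!r} does not match {sig_alg!r}")
    raw = base64.b64decode(value.text or "", validate=True)  # raises on malformed base64
    size = hashlib.new(hname).digest_size
    # Accept either the raw digest bytes or their hex string (the page's sample decodes to hex)
    hex_form = len(raw) == 2 * size and all(c in b"0123456789abcdefABCDEF" for c in raw)
    if len(raw) != size and not hex_form:
        problems.append(f"DigestValue is {len(raw)} bytes; {hname} yields {size}")
    return problems
```

Running the check against a request before submission turns the service's refusal to sign into a local, explained error.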
