How to implement digital signing in a .NET web application back end
You have to use the C# bindings of the libdigidocpp library to implement digital signing with Web eID in a .NET web application back end. libdigidocpp has a very different design from the popular DigiDoc4j Java library due to different third-party libraries and framework constraints.

For better or worse, there is no support for in-memory serialization of the digital signature container objects; you have to use full file system paths when creating or opening a digital signature container. So instead of the container object, you have to keep the full path to the container file in the user session. Be careful with race conditions and unintended file access.
In general, you should follow the `DigiDocCSharp.Program.webSign()` example. Digital signing is a two-step process: preparing the container and attaching the signature to it.
Here are the steps in more detail:

- Using web-eid.js, get the certificate and supported signature algorithms, send them to the back end with HTTP POST and pass them through the ASP.NET Web API layer into `Prepare()`.
- Instructions for `Prepare()`:
  - In `Prepare()`, add lines #127 - #137 from `webSign()`. Call `b.save()` after `b.prepareWebSignature()`.
  - The digest returned from `c.dataToSign()` is the hash to be signed. You can get the signature method and hash algorithm identifier from `c.signatureMethod()`; the identifiers are listed here.
  - Save the signature ID and the container file path that you need to use during `Sign()` to the user session. You can get the signature ID with `c.id()`.
  - Convert the hash algorithm from `c.signatureMethod()` into Web eID format and return the hash to be signed and the hash algorithm from `Prepare()` in a JSON-encoded ASP.NET Web API response. Verify that the converted hash algorithm name matches the hash algorithm name of the supported signature algorithm provided in step 1.
- Use web-eid.js to sign the digest, send the digest to the back end with HTTP POST and pass it through the ASP.NET Web API layer into `Sign()`.
- Instructions for `Sign()`:
  - Load the container with `Container.open()`, passing the full container file path from the user session as the argument.
  - `container.signatures()` contains the list of signatures; find the signature object whose ID equals the signature ID from the user session.
  - Continue as in lines #147 - #150 of `webSign()`. Convert the signature from Base64 to bytes and call `signature.setSignatureValue()` with the bytes.
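The glue between the two steps, as an added example that is not code from the Web eID project or from DigiDocCSharp: the hash algorithm conversion and check at the end of `Prepare()`, and the signature lookup in `Sign()`. It assumes the libdigidocpp binding lives in the `digidoc` namespace and that `container.signatures()` is enumerable; `SupportedAlgorithm` is an assumed mirror of the object web-eid.js reports in step 1.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using digidoc; // libdigidocpp C# binding namespace (assumption)

// Assumed shape of one entry from the web-eid.js supported signature algorithms.
public record SupportedAlgorithm(string CryptoAlgorithm, string HashFunction, string PaddingScheme);

public static class WebEidSigning
{
    // Hash identifiers at the end of XML-DSig signature method URIs -> Web eID names.
    private static readonly Dictionary<string, string> HashNames = new()
    {
        ["sha224"] = "SHA-224", ["sha256"] = "SHA-256",
        ["sha384"] = "SHA-384", ["sha512"] = "SHA-512",
    };

    // e.g. "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256" -> "SHA-256".
    public static string ToWebEidHashFunction(string signatureMethod)
    {
        var fragment = signatureMethod[(signatureMethod.LastIndexOf('#') + 1)..];
        var hash = fragment[(fragment.LastIndexOf('-') + 1)..].ToLowerInvariant();
        return HashNames.TryGetValue(hash, out var name)
            ? name
            : throw new InvalidOperationException($"Unsupported signature method {signatureMethod}");
    }

    // Last step of Prepare(): the algorithm libdigidocpp chose must be one the card
    // reported in step 1, otherwise the card hashes with a different function and
    // the resulting signature can never verify, so refuse early.
    public static string CheckedHashFunction(string signatureMethod, IEnumerable<SupportedAlgorithm> supported)
    {
        var name = ToWebEidHashFunction(signatureMethod);
        if (!supported.Any(a => a.HashFunction == name))
            throw new InvalidOperationException($"Card does not support {name}");
        return name;
    }

    // Sign(): reopen the container from the path kept in the session, find the
    // signature prepared earlier by its ID, attach the Base64 value from web-eid.js.
    public static void CompleteSignature(string containerPath, string signatureId, string signatureBase64)
    {
        var container = Container.open(containerPath);
        var signature = container.signatures().FirstOrDefault(s => s.id() == signatureId)
            ?? throw new InvalidOperationException("Prepared signature not found in container");
        signature.setSignatureValue(Convert.FromBase64String(signatureBase64));
        container.save(); // write back to the same session-held path
    }
}
```

Both `containerPath` and `signatureId` must come from the server-side session, never from the request body, so that one session cannot reopen another session's container file.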