Hash Signing
Hash signing lets the client pre-compute the hash of the data to be signed and submit that hash instead of the complete data. This can improve the overall speed of signature processing, because the server does not have to perform all of the signature formatting steps. It is also useful when the data to be signed is sensitive and the client does not want to share its content for signing.
The hash signing is available for the:
Detached signatures
Only detached signatures are allowed with hash signing. A detached signature is one of the packaging options, in which the resulting signature data is kept separate from the original external resources.
If the worker is configured with a packaging option other than DETACHED and hash signing is applied, the signing process automatically overrides this property and uses DETACHED packaging.
Activating hash signing
To activate the hash signing, you need to configure the following properties:
Property | Description | Default Value | Mandatory |
---|---|---|---|
CLIENTSIDEHASHING | Hash is expected to be provided as input for the signing process. | false | NO |
ALLOW_CLIENTSIDEHASHING_OVERRIDE | Allow client to specify in the request metadata if the input data is in the form of hash and hash signing is requested. | false | NO |
ACCEPTED_HASH_DIGEST_ALGORITHMS | Comma-separated list of allowed digest algorithms for hash signing. | NONE | Mandatory if: |
When you configure both CLIENTSIDEHASHING=true and ALLOW_CLIENTSIDEHASHING_OVERRIDE=true, CLIENTSIDEHASHING takes precedence and all requests are treated as hash signing requests. To leave the decision to the client, set only ALLOW_CLIENTSIDEHASHING_OVERRIDE=true.
Hash signing data format
When hash signing is activated, the worker expects the input of the signing request to be the Base64-encoded hash pre-computed by the client.
Request metadata properties
The following metadata should be provided by the client in the signing request when hash signing is activated:
Property | Description | Mandatory |
---|---|---|
CLIENTSIDE_HASHDIGESTALGORITHM | Specifies the digest algorithm used to digest the data provided for the hash signing. | YES |
USING_CLIENTSUPPLIED_HASH | Specifies if the data provided are already digested by the client or not. | Mandatory when ALLOW_CLIENTSIDEHASHING_OVERRIDE=true |
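
The following Python sketch is an added example, not code from the product: it builds a hash signing request on the client and models the property precedence and accepted-algorithm list described above as a pre-flight check. The digest name spellings, the "true" string values, the request dictionary layout and the helper names are assumptions; the page does not specify them.

```python
import base64
import hashlib

# Assumed digest name spellings; the page does not list the accepted values.
DIGESTS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}

def _on(props: dict, key: str) -> bool:
    return str(props.get(key, "false")).lower() == "true"  # assumed value format

def build_hash_request(document: bytes, algorithm: str) -> dict:
    """Client side: digest locally, send only the Base64 hash plus metadata."""
    digest = hashlib.new(DIGESTS[algorithm], document).digest()
    return {
        "data": base64.b64encode(digest).decode("ascii"),
        "metadata": {
            "CLIENTSIDE_HASHDIGESTALGORITHM": algorithm,
            "USING_CLIENTSUPPLIED_HASH": "true",
        },
    }

def is_hash_signing(worker: dict, metadata: dict) -> bool:
    """Model of the documented precedence: CLIENTSIDEHASHING beats the override."""
    if _on(worker, "CLIENTSIDEHASHING"):
        return True
    return (_on(worker, "ALLOW_CLIENTSIDEHASHING_OVERRIDE")
            and _on(metadata, "USING_CLIENTSUPPLIED_HASH"))

def preflight(worker: dict, request: dict) -> list:
    """Problems a client can detect before sending (hypothetical helper)."""
    meta = request["metadata"]
    if not is_hash_signing(worker, meta):
        return ["request would not be treated as hash signing"]
    algorithm = meta.get("CLIENTSIDE_HASHDIGESTALGORITHM")
    accepted = worker.get("ACCEPTED_HASH_DIGEST_ALGORITHMS", "").split(",")
    if algorithm is None:
        return ["CLIENTSIDE_HASHDIGESTALGORITHM is missing"]
    if algorithm not in [a.strip() for a in accepted]:
        return [f"{algorithm} is not in ACCEPTED_HASH_DIGEST_ALGORITHMS"]
    try:
        raw = base64.b64decode(request["data"], validate=True)
    except ValueError:
        return ["data is not valid Base64"]
    if algorithm in DIGESTS and len(raw) != hashlib.new(DIGESTS[algorithm]).digest_size:
        return ["decoded hash length does not match the algorithm"]
    return []

if __name__ == "__main__":
    worker = {"ALLOW_CLIENTSIDEHASHING_OVERRIDE": "true", "ACCEPTED_HASH_DIGEST_ALGORITHMS": "SHA-256"}  # constructed
    print(preflight(worker, build_hash_request(b"constructed sample", "SHA-256")))
```

Because the server only ever sees the hash, a digest whose length does not match the declared algorithm is worth catching on the client before the request is sent.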