Internal SAD Provider
The implementation class of the Internal SAD Provider is:
com.czertainly.signserver.module.entrustsam.sad.InternalSAMSadProvider
The following properties can be configured for the Internal SAD Provider:
| Property | Description | Default Value | Mandatory | 
|---|---|---|---|
| OTHER_SIGNERS | Sets the reference to the Crypto Token containing the key that is used to sign the SAD. The value can be a comma-separated list of Crypto Token names. | NONE | YES |
| SAD_PROVIDER_KEYSTORE_INDEX | Index of the Crypto Token that is configured in the OTHER_SIGNERS property. Index starts from 0. | NONE | YES |
| SAD_PROVIDER_KEYSTORE_ALIAS | Alias of the private key stored in the keystore referenced by the Crypto Token. | NONE | YES | 
| SAD_PROVIDER_SIGNING_ALGORITHM | Algorithm used to generate the digital signature of the SAD according to RFC 7518. Supported values: RS256, RS384 and RS512. | RS512 | NO |
| SAD_PROVIDER_LOA | Level of assurance with which the Signer user specified in the sub field was authenticated. Supported values: LOW, MEDIUM, SUBSTANTIAL and HIGH. | HIGH | NO |
| SAD_PROVIDER_IAT_TIME_GAP | Number of seconds that should be deducted from the current time to set the iat claim in the SAD. The value should be a positive integer. | 0 | NO | 
SAD format
The signed SAD is a JSON Web Token (JWT) with the following structure:
HEADER
{
  "kid": "SAD_PROVIDER_KEYSTORE_ALIAS",
  "typ": "JWT",
  "alg": "SAD_PROVIDER_SIGNING_ALGORITHM"
}
PAYLOAD
{
  "iss": "SAD_PROVIDER_KEYSTORE_ALIAS",
  "loa": "SAD_PROVIDER_LOA",
  "sub": "userId",
  "iat": 1715427718,
  "signing_key_id": "keyId",
  "dtbs_summary": {
    "value": "psuqzDWVpDsqajRMfmfD12isY8foSCHWy7tCddM1z0w=",
    "hashing_algorithm": "sha256"
  }
}
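The following Python example is added here and is not code from the module documented on this page; it shows the checks a receiving component could apply to a SAD in the format above before acting on it. It assumes that `dtbs_summary.value` is the Base64 digest of the data to be signed and that the LOA values rank LOW < MEDIUM < SUBSTANTIAL < HIGH; `verify_sad`, `min_loa` and `max_age` are hypothetical names, and the RSA public key is passed as the integers `n` and `e`.

```python
import base64, hashlib, hmac, json, time

ALGS = {  # alg -> (hash name, DER DigestInfo prefix for RSASSA-PKCS1-v1_5, RFC 8017)
    "RS256": ("sha256", "3031300d060960864801650304020105000420"),
    "RS384": ("sha384", "3041300d060960864801650304020205000430"),
    "RS512": ("sha512", "3051300d060960864801650304020305000440"),
}
LOA = ["LOW", "MEDIUM", "SUBSTANTIAL", "HIGH"]  # assumed order, weakest first

def b64u(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _check(token, n, e, alias, dtbs, min_loa, max_age, now):
    h64, p64, s64 = token.split(".")
    header, sig = json.loads(b64u(h64)), b64u(s64)
    # Allow-list the algorithm so "none" or HS* headers are refused outright.
    if header.get("alg") not in ALGS or header.get("typ") != "JWT":
        raise ValueError("unsupported alg or typ")
    hash_name, prefix = ALGS[header["alg"]]
    k = (n.bit_length() + 7) // 8
    t = bytes.fromhex(prefix) + hashlib.new(hash_name, f"{h64}.{p64}".encode()).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n or pow(s, e, n).to_bytes(k, "big") != em:
        raise ValueError("bad signature")
    claims = json.loads(b64u(p64))  # parsed only once the signature holds
    if header.get("kid") != alias or claims["iss"] != alias:
        raise ValueError("SAD not issued under the expected key alias")
    # The SAD shown carries no exp claim, so freshness rests on iat.
    if not 0 <= now - int(claims["iat"]) <= max_age:
        raise ValueError("iat outside the accepted window")
    if LOA.index(claims["loa"]) < LOA.index(min_loa):
        raise ValueError("level of assurance too low")
    summary = claims["dtbs_summary"]
    if summary["hashing_algorithm"] not in ("sha256", "sha384", "sha512"):
        raise ValueError("unsupported dtbs hash")
    actual = hashlib.new(summary["hashing_algorithm"], dtbs).digest()
    if not hmac.compare_digest(actual, base64.b64decode(summary["value"])):
        raise ValueError("SAD does not authorise this data")
    return claims

def verify_sad(token, n, e, alias, dtbs, min_loa="HIGH", max_age=300, now=None):
    """Return the SAD claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        return _check(token, n, e, alias, dtbs, min_loa, max_age, now)
    except (KeyError, TypeError, AttributeError) as exc:
        raise ValueError("malformed SAD") from exc
```

When SAD_PROVIDER_IAT_TIME_GAP is greater than 0 the `iat` claim is back-dated by that many seconds, so the accepted age window has to allow for it.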