
How to implement digital signing in a .NET web application back end

Mart Sõmermaa edited this page Feb 18, 2022 · 7 revisions

You have to use the C# bindings of the libdigidocpp library to implement digital signing with Web eID in a .NET web application back end. libdigidocpp has a very different design from the popular DigiDoc4j Java library due to different third-party libraries and framework constraints.

For better or worse, there is no support for in-memory serialization of the digital signature container objects; you have to use full file system paths when creating or opening a digital signature container. So instead of the container object, you have to keep the full path to the container file in the user session. Be careful with race conditions and unintended file access: the path stored in the session is the only link between the two requests, so it must be unique per signing operation and must never be taken from client input.

In general, you should follow the DigiDocCSharp.Program.webSign() example. Digital signing is a two-step process: preparing the container and attaching the signature to it.

Here are the steps in more detail:

  1. Using web-eid.js, get the certificate and supported signature algorithms, send them to the back end with HTTP POST and pass them through the ASP.NET Web API layer into Prepare().
  2. Instructions for Prepare():
    1. In Prepare(), add lines #127 - #137 from webSign(). Call b.save() after b.prepareWebSignature().
    2. The digest returned from c.dataToSign() is the hash to be signed. You can get the signature method and hash algorithm identifier from c.signatureMethod(), the identifiers are listed here.
    3. Save the signature ID and the container file path that you need to use during Sign() to the user session. You can get the signature ID with c.id().
    4. Convert the hash algorithm from c.signatureMethod() into Web eID format and return the hash to be signed and hash algorithm from Prepare() in a JSON-encoded ASP.NET Web API response. Verify that the converted hash algorithm name matches the hash algorithm name of the supported signature algorithm provided in step 1.
  3. Use web-eid.js to sign the digest, send the digest to the back end with HTTP POST and pass it through the ASP.NET Web API layer into Sign().
  4. Instructions for Sign():
    1. Load the container with Container.open(), pass the full container file path from the user session as argument.
    2. container.signatures() contains the list of signatures; find the signature object whose ID equals the signature ID from the user session.
    3. Continue as in lines #147 - #150 of webSign(). Convert the signature from Base64 to bytes and call signature.setSignatureValue() with the bytes.
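The two-step flow above, put together as one service class. This is an added example, not the Web eID project's or libdigidocpp's own code: the class name, session keys, container directory, the `"time-stamp"` profile string and the `clientHashFunctions` argument (the hash function names taken from the `supportedSignatureAlgorithms` that web-eid.js reports in step 1) are assumptions; it targets .NET 5 or later with the libdigidocpp C# bindings (`digidoc` namespace) and ASP.NET Core session state.

```csharp
using System;
using System.IO;
using System.Linq;
using digidoc;                    // libdigidocpp C# bindings; digidoc.initialize() must run once at app start
using Microsoft.AspNetCore.Http;  // ISession and its SetString/GetString extensions

// Assumed service name; the ASP.NET Web API controller calls Prepare() and then Sign().
public sealed class WebEidSigningService
{
    const string PathKey = "signing.containerPath", IdKey = "signing.signatureId";
    readonly string containerDir;  // assumed: a private, per-application directory for container files
    public WebEidSigningService(string containerDir) => this.containerDir = Path.GetFullPath(containerDir);
    // Step 2.4: map a libdigidocpp signature method URI such as ...#ecdsa-sha384 to the Web eID name "SHA-384".
    public static string ToWebEidHashFunction(string signatureMethod)
    {
        var suffix = signatureMethod.Substring(signatureMethod.LastIndexOf('-') + 1).ToUpperInvariant();
        return suffix is "SHA224" or "SHA256" or "SHA384" or "SHA512"
            ? "SHA-" + suffix.Substring(3)
            : throw new ArgumentException("Unsupported signature method: " + signatureMethod);
    }
    // Step 2: create the container, prepare the signature, keep only the file path and signature ID in session.
    public (string HashBase64, string HashFunction) Prepare(ISession session, byte[] certificateDer, string[] clientHashFunctions, string dataFilePath)
    {
        var containerPath = Path.Combine(containerDir, Path.GetRandomFileName() + ".asice"); // unique per request, never client-supplied
        Container container = Container.create(containerPath);
        container.addDataFile(dataFilePath, "application/octet-stream");
        Signature signature = container.prepareWebSignature(certificateDer, "time-stamp"); // profile string is an assumption
        container.save();                                                                  // save right after prepareWebSignature()
        var hashFunction = ToWebEidHashFunction(signature.signatureMethod());
        if (!clientHashFunctions.Contains(hashFunction))  // must match what web-eid.js reported in step 1
            throw new InvalidOperationException("Client does not support " + hashFunction);
        session.SetString(PathKey, containerPath);
        session.SetString(IdKey, signature.id());
        return (Convert.ToBase64String(signature.dataToSign()), hashFunction);
    }
    // Step 4: reopen the container from the session path, locate the signature by ID, attach the signature value.
    public void Sign(ISession session, string signatureBase64)
    {
        var containerPath = session.GetString(PathKey) ?? throw new InvalidOperationException("No pending signing");
        if (!Path.GetFullPath(containerPath).StartsWith(containerDir + Path.DirectorySeparatorChar))
            throw new InvalidOperationException("Container path is outside the signing directory");
        Container container = Container.open(containerPath);
        Signature signature = container.signatures().First(s => s.id() == session.GetString(IdKey));
        signature.setSignatureValue(Convert.FromBase64String(signatureBase64));
        signature.extendSignatureProfile("time-stamp"); // adds the timestamp; exact call shape varies by libdigidocpp version
        container.save();
        session.Remove(PathKey); session.Remove(IdKey);  // one-shot: the pending signing state is consumed
    }
}
```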