REST API to sign with client side hashing

[martincorr]

HI Im trying to use a plainsigner to sign a file where I do the hashing clientside and I provide a digest in the REST API

my worker config looks like this:

my request looks like this:

request url: https://signserver.local/signserver/rest/v1/workers/workerid/process
data: { "metaData": { "USING_CLIENTSUPPLIED_HASH" : "true", "CLIENTSIDE_HASHDIGESTALGORITHM": "SHA-256" }, "data": "b40f0bebce19fd0e8a758b591000de40ce8f196b0a7ee4be7270baff5c5cd2de" }

the hash is calculated in python like this:
file_contents = read_file_into_buffer(file)
myhash = sha256(file_contents.encode('utf-8')).hexdigest()

at signserver Im getting this logged:

signserver-ce | 2025-05-29 14:36:27,183+0000 DEBUG [org.signserver.server.data.impl.UploadConfig] (default task-3) Using default max upload field count as no HTTP_MAX_UPLOAD_FIELD_COUNT configured
signserver-ce | 2025-05-29 14:36:27,183+0000 DEBUG [org.signserver.server.data.impl.UploadConfig] (default task-3) Using default file size threshold as no FILE_SIZE_THRESHOLD configured
signserver-ce | 2025-05-29 14:36:27,183+0000 DEBUG [org.signserver.server.CredentialUtils] (default task-3) Certificate-authentication: true
signserver-ce | 2025-05-29 14:36:27,184+0000 DEBUG [org.signserver.server.CredentialUtils] (default task-3) HTTP Authorization: false
signserver-ce | 2025-05-29 14:36:27,184+0000 DEBUG [org.signserver.rest.api.resource.WorkerResource] (default task-3) Not highest priority request
signserver-ce | 2025-05-29 14:36:27,184+0000 DEBUG [org.signserver.ejb.WorkerSessionBean] (default task-3) >process: Worker{name: workerid}
signserver-ce | 2025-05-29 14:36:27,184+0000 DEBUG [org.signserver.ejb.WorkerProcessImpl] (default task-3) >process: Worker{name: workerid}
signserver-ce | 2025-05-29 14:36:27,185+0000 DEBUG [org.signserver.ejb.WorkerProcessImpl] (default task-3) Worker[Worker{name: workerid}]: WorkerLogger: org.signserver.server.log.AllFieldsWorkerLogger@25ab6465
signserver-ce | 2025-05-29 14:36:27,185+0000 DEBUG [org.signserver.module.cmssigner.PlainSigner] (default task-3) SigningCert: C=GE, O=org, CN=workerid
signserver-ce | 2025-05-29 14:36:27,185+0000 DEBUG [org.signserver.module.cmssigner.ClientSideHashingHelper] (default task-3) Client-side hashing configured: true
signserver-ce | Client-side hashing requested: true
signserver-ce | 2025-05-29 14:36:27,186+0000 INFO [org.signserver.ejb.WorkerProcessImpl] (default task-3) Illegal request calling signer with ID 2 : Input length doesn't match hash digest algorithm specified through request metadata
signserver-ce | 2025-05-29 14:36:27,186+0000 INFO [org.signserver.server.log.IWorkerLogger] (default task-3) AllVariablesLogger; CLIENT_CERT_SERIALNUMBER: 41e79d3d5050411d70242f6b296c308e25f14b85; CLIENT_IP: 192.168.10.228; CLIENT_CERT_ISSUERDN: C=GB, O=Public, CN=PubICA; XFORWARDEDFOR: null; XCUSTOM1: null; LOG_TIME: 1748529387184; CLIENT_AUTHORIZED: true; REQUEST_DIGEST_ALGORITHM: SHA256; EXCEPTION: Input length doesn't match hash digest algorithm specified through request metadata; REQUEST_DIGEST: e7333e172738470fa7a58336f88f2ef6c3d5da7ea1bfa19a7616c037e7118e90; WORKER_AUTHTYPE: CLIENTCERT; WORKER_NAME: workerid; KEYALIAS: defaultkey; PROCESS_SUCCESS: false; WORKER_ID: 2;CRYPTOTOKEN: Thales Luna; CLIENT_CERT_SUBJECTDN: C=GE, O=org, CN=dev01; REQUEST_LENGTH: 179; REQUEST_FULLURL: https://signserver.local/signserver/rest/v1/workers/eworkerid/process?null; LOG_ID: ea197993-c3a8-4328-8d2d-904a1cafb22a; REPLY_TIME:1748529387186

Reading the signserver documentation:

• Im using the explicit method not implicit. implicit seems to want the digest as a ASN.1 DigestInfo. Its not clear but I think explicit just wants a raw digest - Im providing this thru the rest call as hex but I cant see any doc that tells me how to form it.
• The examples all cite using openssl to create a binary digest thats then input as a file into the CLI signer. Since Im coming at signserver via rest api, how am I meant to encode the digest?
• the digest in my python is b4....de but in the server logs its showing as e7...90

Ive tried supplying the hash into signserver as a base64 encoded string:

myhash = sha256(file_contents.encode('utf-8')).digest()
base64_hash = base64.b64encode(myhash)
base64_hash.decode("ascii")

and this produces eg 1D+nI1s6NpTJtzyrNB52VR7tFH5x3XBkL4nZmFtoUhw=

but its a similar invalid length error serverside. I dont think its expecting b64, but when I provide hex then its always the wrong length. A SHA-256 should be 64 bytes hex which mines is.

Any ideas? Thanks, Martin

[martincorr]

Ive got it working. For everyone's information...

Here https://docs.keyfactor.com/signserver/latest/open-api-specification it defines the open api for the rest api.
there is a field called encoding - the api examples NONE. Theres no info I can see what are the possible values for this field.
I tried BASE64 and calculated the hash as a b64 byte array.

That worked:

sending to https://signserver.local/signserver/rest/v1/workers/workerid/process
data: { "metaData": { "USING_CLIENTSUPPLIED_HASH" : "true", "CLIENTSIDE_HASHDIGESTALGORITHM": "SHA-256" }, "encoding": "BASE64", "data": "EAfg35LnwZfzMkHXUv3K31PlX8wqWDLhV3qsm2OFB8g=" }
<Response [200]>
archiveId : 0083bf69a48a44bb0ce6b4c2936fca82f21f6dbd
data : TnzKb5Y5DXHeA6yjnzmgDDnIojXYioOAR0yb2Iub3QFtELKl2dts4eOB8BtNUrfwMx4mH8oKozmtgspS83kVP3yAt9wsuwJcQ5vXYTwVqDQPanWww7HfYA7U3P4PQzd2vY4VzY8yV2zu4pqM94d8OXVCuG30X02JWzQ+aQcgO56EI4vPqjqtQtv+zubs67FCRpNjMc3fNuBFb0PoxcTYz93zttvVHmD6LyccWWhPQHsZCtsp6ls4tS9q2/y8U2Y9yVz/fXE/h0K/M/V4yKOzeFBnhw9C9rQEhq+1NwGdVjrL4f3CA2u8a08w6I9NpazwiWs8p93mc/RgddNoxzMAxg==
metaData : {}
requestId : -99736571
signerCertificate : MII....vdQ==

It would be good to know what are the possible options for encoding. The page https://docs.keyfactor.com/signserver/latest/client-side-hashing explains about the explicit/implicit options but doesnt provide info on the rest api use case - it only examples the CLI

hope this helps.

thanks, martin