Our solution is based on a microservice architecture involving two main components:
Node.js Layer (API Gateway):
Acts as the primary communication layer with client applications. It receives documents and signature requests from clients and passes the information to the signing service. It also handles the response back to the client, including delivering signed documents.
Java Microservice (Core Signature Engine):
Processes documents using the EU DSS Library. This component is responsible for:
Parsing documents and generating hashes using the SHA-256 algorithm.
Communicating securely with the Hardware Security Module (HSM) via RESTful APIs and token-based authentication.
Performing the actual digital signing operation using the provided HSM private key alias.
Adding timestamp tokens and ensuring compliance with OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) checks for LT and LTA signatures.
Embedding the final signature back into the document and returning it in Base64-encoded format to the Node.js layer.
The Node.js service then decodes the Base64 data into the requested format for download by the client application.
Signature Creation Process
Document Submission: Client sends the document with desired signature format and level to the Node.js API.
Hash Generation: Java service computes a hash of the document internally (SHA-256).
HSM Signing: Java interacts with HSM securely to sign the hash using a specified private key alias.
Timestamping and Validation:
Java connects to a trusted Timestamp Authority (TSA)
Validates the signer certificate through OCSP and CRL.
Signature Embedding: The document is updated with the digital signature and any required validation data.
Document Delivery: The signed document is returned in Base64 to Node.js, converted as needed, and provided to the client.
Signature Verification Process
Document Submission: The signed document is uploaded (Base64 format) to the Node.js API.
Verification Handling:
Java microservice uses the EU DSS library to verify the document signature.
It checks:
Signature validity (non-repudiation assurance)
Certificate chain integrity
Timestamp authenticity
OCSP/CRL responses to ensure certificates are still valid
Parallel/Serial signatures if multiple signatures exist
Detailed Verification Report: Java microservice generates a verification status report, confirming the authenticity, integrity, and signer identity.
Key Security Features
HSM Communication:
Token-based authentication.
Key alias provided for private key usage.
All operations performed using secured REST APIs internally.
Compliance:
Adheres to standards like PAdES (ETSI EN 319 142-1), XAdES (ETSI EN 319 132-1), JAdES (ETSI TS 119 182-1), and CAdES.
Incorporates FIPS 204 ML-DSA resilience where applicable.
Audit and Logging:
Full traceability for document signing and verification processes.
User Authentication Before Signing (YubiKey Integration)
To enhance the security of the signing process, user authentication is enforced before any signing operation:
Web (ReactJS Application):
Integration with WebAuthn services allows the application to interact with YubiKey devices connected to the user's computer.
During signing, users are prompted to authenticate via YubiKey.
Only upon successful authentication can they proceed with the digital signature.
The user's YubiKey is registered in advance and mapped to their account within our system.
Mobile App (iOS/Android):
For mobile users, we integrate FIDO authentication services.
The app requests authentication through the YubiKey (via NFC or direct connection).
FIDO2 protocol ensures strong, phishing-resistant, passwordless authentication.
Signing is allowed only after successful YubiKey verification.
This ensures multi-factor authentication (MFA) and complies with strict security standards such as FIPS 140-2/3.
Timestamping and Validation:
For LT and LTA levels, the EU DSS library requires a trusted Timestamp Authority (TSA) to confirm the trustworthiness of the timestamp certificates.
Timestamp URL Configuration:
Initially attempted with: http://timestamp.entrust.net/
However, Entrust's TSA certificates did not contain complete issuer and root certificate chains required for full validation.
As a result, we integrated a fully compliant test TSA: http://dss.nowina.lu/pki-factory/tsa/good-tsa for LT and LTA testing and validation.
EU DSS validates the timestamp's certificate chain, including OCSP/CRL, before accepting LT or LTA signature profiles.