My questions are regarding the flow:
- I can export the signature, so what should I do with the signature? Save it in the database?
- If I attach signature to the file using
BouncyCastleexported file is not readable. Should file with attached signature be readable?
- Is this the correct flow of digital signature: create the signature with user’s certificate, store the signature, create endpoint for signature verification?
- If 3. is correct, does that mean if the file is sent outside an app, recipient wouldn’t know if the file is signed? Should the signature be attached to the file? If yes, is there solution for all types of files (ie. I have found pdf based solutions).
Maybe the question is to broad, but I am open to any material regarding the subject.
I can export the signature, so what should I do with the signature?
You have to distinguish between Private Key, Certificate and Signature.
Private Key: User’s private key, if created in cryptographic device, never comes out of the device.
Certificate, in very brief, is a signed Public Key. Certifying Authority (CA) Signed it and Certificate is publicly available.
Signature is Signed Content. In fact, content to be signed is hashed and then this hash is signed, which is called Signature.
Is this the correct flow of digital signature: create the signature with user’s certificate, store the signature, create endpoint for signature verification?
Private key is used to sign content (hash of content). The string produced is called Signature. Certificate (Public key) is used to verify signature.
is there solution for all types of files (ie. I have found pdf based solutions).
Any content can be signed. Signing text files like CSV data, XML, Json, etc is used by web applications which accepts data from the users or members. Example being eReturns, Signed Payment settlement data from banks, Tender Forms, etc. PDF (and some other formats) supports signing and verifying signature and is format widely used to share document. Documents can display visible signature and hence pdf signatures are most discussed format of the Signatures.
Otherwise, any application can define the signing requirement, users (client application or web browser) follow the required standard of signing and then the application can verify that signature is attached (along with data) as per pre-define format and standard.
I need to implement digital signatures to my web app.
Modern Browsers may need to use Browser Extensions to access Certificate stored on local machine. ex: Signer.Digital Browser Extension