DCAuth Class
Properties Methods Events Configuration Settings Errors
The DCAuth class represents the private key side of the SecureBlackbox distributed cryptography protocol.
Syntax
class secureblackbox.DCAuth
Remarks
The purpose of DCAuth is to sign async requests produced by SignAsyncBegin calls. For each incoming async request containing a document hash, DCAuth produces the corresponding async response containing a signature over that hash.
Protocol Overview
The distributed cryptography protocol involves two principal parties. The signing party, represented by classes such as PDFSigner, XAdESSigner, or OfficeSigner, pre-signs documents (such as PDF files), and encapsulates their hashes into what is called an async request. It then communicates the async request to the private key side, where the DCAuth class extracts the hash and signs it with a local private key. DCAuth then encapsulates the signature into an async response, which is sent back to the signing party. The signing party completes the signing operation by extracting the signature from the async response and embedding it into the pre-signed document.
The protocol supports a variety of uses. The scheme above describes the most typical of them, where the signing party is represented by a web application, and the private key side is represented by a workstation. In that particular scenario DC provides a mechanism for the web app to sign documents residing on the web server with private keys residing on the users workstations, perhaps in non-exportable form (e.g. a USB dongle). Other uses include creation of a signing server for a team of driver developers, or an automated signing gateway for outgoing official documents.
In the webapp-to-browser setting the DCAuth control would normally be used within a web server running on the users workstation. That web server would accept async requests from the web page running in the browser, use DCAuth to generate the matching async response, and feed that response back to the web page. The web page will then submit it back to the web server.
Configuring and Using DCAuth
To process an async request, you need to set up a DCAuth object first, and then call its process_request method:
- Set the KeyId and KeySecret properties so they match the credentials used by the signing party - e.g. those of PDFSigner object:
DCAuth.KeyId = "mykeyid"; DCAuth.KeySecret = "mykeysecret123";These two properties are used to verify the integrity of the incoming async requests. Keep them safe.
- Provide the signing certificate:
DCAuth.SigningCertificate = "C:\Certs\SigningCert.pfx"; DCAuth.CertPassword = "password789";Alternatively, use storage_id to provide a certificate residing elsewhere, such as a PKCS#11 device.
- Assign the async request to the input property:
DCAuth.Input = Request;Make sure to provide the request in its original XML format. Some technologies and SecureBlackbox code samples may apply additional encoding when conveying async requests from their origin to the DCAuth endpoint. Please double check that you assign the request without any encodings applied. An async request is a properly formed XML document with the root element of SecureBlackboxAsyncState.
- Call the process_request method:
DCAuth.ProcessRequest;This method performs the actual signing of the hash. Make sure your code is prepared for potential signing errors.
- If the process_request call has succeeded, grab the async response from the output property:
Result = DCAuth.Output;
Property List
The following is the full list of the properties of the class with short descriptions. Click on the links for further details.
| cert_password | Specifies the signing certificate password. |
| external_crypto_custom_params | Custom parameters to be passed to the signing service (uninterpreted). |
| external_crypto_data | Additional data to be included in the async state and mirrored back by the requestor. |
| external_crypto_external_hash_calculation | Specifies whether the message hash is to be calculated at the external endpoint. |
| external_crypto_hash_algorithm | Specifies the request's signature hash algorithm. |
| external_crypto_key_id | The ID of the pre-shared key used for DC request authentication. |
| external_crypto_key_secret | The pre-shared key used for DC request authentication. |
| external_crypto_method | Specifies the asynchronous signing method. |
| external_crypto_mode | Specifies the external cryptography mode. |
| external_crypto_public_key_algorithm | Provide public key algorithm here if the certificate is not available on the pre-signing stage. |
| input | Contains the signing request to process. |
| input_encoding | Specifies request encoding. |
| key_id | Specifies the KeyID of the pre-shared authentication key. |
| key_secret | The pre-shared authentication key. |
| output | Contains the output of the request processing. |
| output_encoding | Specifies response encoding. |
| profile | Specifies a pre-defined profile to apply when creating the signature. |
| signing_certificate | Specifies the signing certificate. |
| storage_id | Specifies the signing certificate residing in an alternative location. |
Method List
The following is the full list of the methods of the class with short descriptions. Click on the links for further details.
| config | Sets or retrieves a configuration setting. |
| process_request | Processes the request. |
Event List
The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.
| on_custom_parameters_received | Passes custom request parameters to the application. |
| on_error | Reports information about errors during request processing or signing. |
| on_external_sign | Handles remote or external signing initiated by the SignExternal method or other source. |
| on_key_secret_needed | Requests the key secret from the application. |
| on_notification | This event notifies the application about an underlying control flow event. |
| on_parameter_received | Passes a standard request parameter to the user code. |
| on_password_needed | Requests a password from the application. |
| on_select_cert | Requests certificate selection criteria from the application. |
| on_sign_request | This event signifies the processing of an atomic signing request. |
| on_sign_request_completed | This event signifies completion of the processing of an atomic signing request. |
Configuration Settings
The following is a list of configuration settings for the class with short descriptions. Click on the links for further details.
| DataURL | (obsolete) The DataURL parameter to pass to the signer. |
| GoURL | (obsolete) The GoURL parameter to pass to the signer. |
| RequireDefinedSignCert | (obsolete) The RequireDefinedSignCert parameter to pass to the signer. |
| SchemeParams | The algorithm scheme parameters to employ. |
| SessionID | (obsolete) The SessionID parameter to pass to the signer. |
| TokenName | The TokenName parameter to pass to the signer. |
| TokensLibraries | (obsolete) The TokensLibraries parameter to pass to the signer. |
| CheckKeyIntegrityBeforeUse | Enables or disable private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the class (supported for HTTPClient, RESTClient and SOAPClient only). |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximal allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximal depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| UseOwnDNSResolver | Specifies whether the client classes should use own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |