Because the Web PKI component is designed to run in a variety of environments (different web browsers across different operating systems), it maximizes compatibility by performing only the operation that must be performed client-side: the signature algorithm computation itself, using the user's private key (RSA/PKCS #1).
This is usually one step in a larger process for producing a digital signature such as a CAdES (CMS), PAdES (PDF) or XAdES/XmlDSig signature. The other parts of the process, which involve computing the document digest and the certificate digest and perhaps adding time and policy information (depending on the signature format being used), are done server-side. By delegating as much of the signature procedure as possible to the server side, we minimize the size of the component's installer and the number of updates necessary to keep it up to date.
We offer two products to perform the necessary server-side computation:
- Lacuna PKI SDK - a library for .NET applications
- Lacuna REST PKI - a REST service that can be called by virtually any language, with client libraries for several languages (Java, PHP, C#, Python and NodeJS)
You can also use a third-party SDK, as long as it supports asynchronous signatures (also called "two-step signatures").
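
The two-step split described above, as an added example that is not Lacuna's code or API: it uses only Node.js's built-in `crypto` module, and the function names (`serverStart`, `clientSignHash`, `serverComplete`) are hypothetical. The to-sign bytes are a simplified stand-in for a real format's signed attributes, and the key pair and document are constructed for the demo.

```javascript
const crypto = require("node:crypto");

// DER prefix of the DigestInfo structure for SHA-256 (RFC 8017, section 9.2).
const SHA256_DIGEST_INFO = Buffer.from("3031300d060960864801650304020105000420", "hex");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// Step 1 (server): compute the document and certificate digests, add the
// signing time, and hash the result. Assumption: plain concatenation stands
// in for the real CAdES/PAdES/XAdES encoding of these values.
function serverStart(document, certDer, signingTime) {
  const toSign = Buffer.concat([sha256(document), sha256(certDer), Buffer.from(signingTime)]);
  // The server keeps toSign in its own state; only toSignHash goes to the client.
  return { toSign, toSignHash: sha256(toSign) };
}

// Step 2 (client): the only operation that needs the private key,
// RSA PKCS #1 v1.5 over a digest that was computed elsewhere.
function clientSignHash(privateKey, toSignHash) {
  if (toSignHash.length !== 32) throw new Error("expected a SHA-256 digest");
  return crypto.privateEncrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_PADDING },
    Buffer.concat([SHA256_DIGEST_INFO, toSignHash])
  );
}

// Step 3 (server): verify the returned signature against the bytes kept
// from step 1 before embedding it in the final signature container.
function serverComplete(publicKey, toSign, signature) {
  return crypto.verify("sha256", toSign, publicKey, signature);
}

function demo() {
  // Constructed sample inputs; the SPKI bytes stand in for a certificate.
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const certDer = publicKey.export({ type: "spki", format: "der" });
  const time = "2024-01-01T00:00:00Z";
  const state = serverStart(Buffer.from("constructed sample document"), certDer, time);
  const signature = clientSignHash(privateKey, state.toSignHash);
  const other = serverStart(Buffer.from("a different document"), certDer, time);
  return {
    valid: serverComplete(publicKey, state.toSign, signature),
    validForOtherDocument: serverComplete(publicKey, other.toSign, signature),
    signatureBytes: signature.length,
  };
}
```

Because the client signs a digest it did not compute, the server should verify the signature against its own stored to-sign bytes in step 3 rather than against anything echoed back by the browser.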