
Cosign API: How to sign a document hash using SAPI?


Cosign API documentation talks about signing a hash as an alternative to a stream buffer. How would I go about obtaining the hash and then signing it with SAPI?

Is signing the hash secure enough for a business application? Is it a common practice? I'm asking because sending a hash might be more efficient than sending a large document for signing.

From the answers I got I understand now that the client SAPI actually takes care of the hashing for me and only sends the hash to be signed. Although the SAPI web service is more generic (can be accessed from any platform), it does require either sending the whole document over the network or computing the hash before invoking the service.

Now, if I use the client SAPI, is it enough to deploy the DLL/assembly or do I also need to install the CoSign client?


Solution

  • Depending on the document type that you want to sign, computing the hash value might not be an easy task. Adobe PDF format, for example, supports embedding of digital signatures in the document itself, but in order to properly do that the hash value must be computed in a specific manner, according to the Adobe PDF standard.

    For document types that do not support digital signature standards, obtaining the hash for the whole file is easier and can be done using any external cryptographic library or tool.

    The question is, why would you want to separate the hash computing process from the signing operation while SAPI (CoSign Signature API) takes care of computing the hash according to the standard, digitally signing it and embedding it back into the document?

    SAPI will always compute the hash of the file/document on the client machine and then will send that hash (and only the hash) to the CoSign server for signing (and yes, signing the hash is indeed a common practice). This also applies to documents that support embedded signatures (e.g. PDF, XML, DOCX, XLSX, etc.).

    Having said that, if you are still interested in signing only a document hash using SAPI, you can do it by calling the BufferSignEx function and inserting the AR_SAPI_SIG_HASH_ONLY constant into the Flags parameter.
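The hash-then-sign split described in the answer, for the whole-file case (formats without embedded signatures), as an added example that is not part of the original post and does not use CoSign SAPI. It assumes SHA-256 with RSA PKCS#1 v1.5 from the Go standard library as a stand-in for the signing server; all function names are hypothetical and the document and key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// hashDocument streams the document through SHA-256 on the client (32-byte result).
func hashDocument(doc io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, doc); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// signDigest stands in for the signing server: it receives only the digest.
func signDigest(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
}

// verifyDocument re-hashes the full document and checks the signature.
func verifyDocument(pub *rsa.PublicKey, doc io.Reader, sig []byte) bool {
	digest, err := hashDocument(doc)
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// demoKey returns a throwaway key (assumption: a real key stays on the server).
func demoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	key := demoKey()
	doc := bytes.Repeat([]byte("constructed sample document\n"), 40000)
	digest, _ := hashDocument(bytes.NewReader(doc)) // in-memory reader cannot fail
	sig, _ := signDigest(key, digest)               // a nil sig simply fails to verify
	fmt.Println(len(doc), len(digest), verifyDocument(&key.PublicKey, bytes.NewReader(doc), sig))
	doc[0] ^= 1 // one flipped bit changes the digest, so verification must fail
	fmt.Println("tampered:", verifyDocument(&key.PublicKey, bytes.NewReader(doc), sig))
}
```

The verifier always hashes the full document itself, so a signature produced from the digest alone binds the whole content.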