Change request: Allow custom signature cipher implementations in PgpSignatureGenerator

[ulrichb]

TL;DR:

• We'd like to use BouncyCastle's OpenPGP RSA/ECDSA keys with HSM-backed private keys.
• This is a change request proposal to open PgpSignatureGenerator for extension to enable to adapt the signature operations to HSM calls.
• Can provide a PR.

Background:

• We want to use the great OpenPGP implementation of BouncyCastle .NET with external (HSM-backed) RSA or ECDSA keys.
• Currently PgpSignatureGenerator.InitSign() creates the ISigner instance based on the provided PublicKeyAlgorithmTag and PgpPrivateKey via the PgpUtilities.CreateSigner() factory.
  • E.g. for a PublicKeyAlgorithmTag.RsaSign it always creates the RsaDigestSigner: ISigner implementation which uses an (in-memory / software) RsaPrivateCrtKeyParameters key.

Change request: Open PgpSignatureGenerator for extension (custom ISigner implementation)

One option (there are others; this is only the least invasive one): Add a PgpSignatureGenerator.InitSign() overload which takes an ISigner instance as input (instead of calling the PgpUtilities.CreateSigner() static factory method) and store it for later signing calls in the sig field. (Can provide alternative suggestions.)

That way a library user can provide either the full ISigner implementation, or a GenericSigner instance with an IAsymmetricBlockCipher implementation to adapt the ProcessBlock() call to e.g. an HSM call. We've already tested this E2E with RSA and ECDSA by "faking" the InitSign() call with reflection calls and it works: Can self-sign GPG keys and create BinaryDocument signatures.

Non-goal: Custom cipher algorithms (in addition to PublicKeyAlgorithmTag); it's just about the implementation of the signature operations (of the existing algos).

In case you approve the general idea, we can provide details for the change request (+ alternatives) as well as a pull request.