We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now


Digital Signature of a PDF using Servlet and Client-Applet for signing hash

ms_webtimize asked
Medium Priority
Last Modified: 2013-12-29
I´m searching for a practical solution to sign a pdf document serverside with a client side smartcard.
As far as I´ve seen with the iText library, it is generally possible, but to generate the hash, which is going to be signed by applet running on the client , you need to use/have already the certchain of the user.

I search a possibility where I could generate a hash value to sign a pdf document (without the need of client input / his certificate chain) while or after generating it.

I thought of a process where the client-applet recieves as start parameter the hash to be signed, signs it using the smartcard and sends b64encoded the hash, certchain, pubkey etc back.

Is there maybe another library available, which can devide these two parts?

Thanks in advance!
Watch Question

Mick BarryJava Developer
Top Expert 2010

so what does itext need to do the signing?


For better understanding I attached a code snippet of the signing process with iText.

This is the part of my servlet which prepares the hash value which needs to be signed by the user.
The problem, as you see is, that we need while setting crypto parameters, we definitively need the certificate chain.
Otherwise while preclosing the pdf document, the the moment when the hash value is somewhere getting calculated, I get a
NullPointerException at com.lowagie.text.pdf.PdfPKCS7.<init>(PdfPKCS7.java:377).

Most likely that libraries are not directly made for this usecase.

I wonder if there might be something else even libraries / solutions apart from open source ?
PdfReader reader = new PdfReader("example.pdf");
FileOutputStream fout = new FileOutputStream("example_signed.pdf");
PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stamper.getSignatureAppearance();
sap.setCrypto(null, certChain, null, PdfSignatureAppearance.WINCER_SIGNED);
sap.setReason("Digital Signature");
sap.setExternalDigest(new byte[256], new byte[20], "RSA");
MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
InputStream stream = sap.getRangeStream();
byte buf[] = new byte[8192];
int n;
while ((n = stream.read(buf)) > 0) {
	messageDigest.update(buf, 0, n);
byte hash[] = messageDigest.digest();

Open in new window

Mick BarryJava Developer
Top Expert 2010

and if it could be done theres a bit of a security risk here isn't there?  You're going to have to pass some pretty sensitive information over the wire aren't you.

Its like trying to pass your signature to someone else to use to sign a document.


This will all happen in a SSL session, as a specific logged-on user.
The public key and certificate chain are nothing to worry about.
The only sensitive part would be that hash value, which is going to be signed by the users smartcard for a specific document.


The objective behind all this is:
A User needs to sign for example 10 or 100 different documents.
Instead of downloading all those documents, signing them locally and uploading them back to the server, I want to sign them, where they are created.

There must be something, even though it might not be open source.
I am not aware if maybe Adobe Livecycle or any other open/closed-source product might be helpfull here?
no solution given

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.