Digital Signature of a PDF using Servlet and Client-Applet for signing hash
I´m searching for a practical solution to sign a pdf document serverside with a client side smartcard.
As far as I´ve seen with the iText library, it is generally possible, but to generate the hash, which is going to be signed by applet running on the client , you need to use/have already the certchain of the user.
I search a possibility where I could generate a hash value to sign a pdf document (without the need of client input / his certificate chain) while or after generating it.
I thought of a process where the client-applet recieves as start parameter the hash to be signed, signs it using the smartcard and sends b64encoded the hash, certchain, pubkey etc back.
Is there maybe another library available, which can devide these two parts?
Thanks in advance!
As far as I´ve seen with the iText library, it is generally possible, but to generate the hash, which is going to be signed by applet running on the client , you need to use/have already the certchain of the user.
I search a possibility where I could generate a hash value to sign a pdf document (without the need of client input / his certificate chain) while or after generating it.
I thought of a process where the client-applet recieves as start parameter the hash to be signed, signs it using the smartcard and sends b64encoded the hash, certchain, pubkey etc back.
Is there maybe another library available, which can devide these two parts?
Thanks in advance!
Mick Barry
so what does itext need to do the signing?
ASKER
For better understanding I attached a code snippet of the signing process with iText.
This is the part of my servlet which prepares the hash value which needs to be signed by the user.
The problem, as you see is, that we need while setting crypto parameters, we definitively need the certificate chain.
Otherwise while preclosing the pdf document, the the moment when the hash value is somewhere getting calculated, I get a
NullPointerException at com.lowagie.text.pdf.PdfPK
Most likely that libraries are not directly made for this usecase.
I wonder if there might be something else even libraries / solutions apart from open source ?
This is the part of my servlet which prepares the hash value which needs to be signed by the user.
The problem, as you see is, that we need while setting crypto parameters, we definitively need the certificate chain.
Otherwise while preclosing the pdf document, the the moment when the hash value is somewhere getting calculated, I get a
NullPointerException at com.lowagie.text.pdf.PdfPK
Most likely that libraries are not directly made for this usecase.
I wonder if there might be something else even libraries / solutions apart from open source ?
PdfReader reader = new PdfReader("example.pdf");
FileOutputStream fout = new FileOutputStream("example_signed.pdf");
PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stamper.getSignatureAppearance();
sap.setCrypto(null, certChain, null, PdfSignatureAppearance.WINCER_SIGNED);
sap.setReason("Digital Signature");
sap.setLocation("Paris");
sap.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
sap.setExternalDigest(new byte[256], new byte[20], "RSA");
sap.preClose();
MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
InputStream stream = sap.getRangeStream();
byte buf[] = new byte[8192];
int n;
while ((n = stream.read(buf)) > 0) {
messageDigest.update(buf, 0, n);
}
byte hash[] = messageDigest.digest();
and if it could be done theres a bit of a security risk here isn't there? You're going to have to pass some pretty sensitive information over the wire aren't you.
Its like trying to pass your signature to someone else to use to sign a document.
Its like trying to pass your signature to someone else to use to sign a document.
ASKER
Security:
This will all happen in a SSL session, as a specific logged-on user.
The public key and certificate chain are nothing to worry about.
The only sensitive part would be that hash value, which is going to be signed by the users smartcard for a specific document.
This will all happen in a SSL session, as a specific logged-on user.
The public key and certificate chain are nothing to worry about.
The only sensitive part would be that hash value, which is going to be signed by the users smartcard for a specific document.
ASKER
The objective behind all this is:
A User needs to sign for example 10 or 100 different documents.
Instead of downloading all those documents, signing them locally and uploading them back to the server, I want to sign them, where they are created.
There must be something, even though it might not be open source.
I am not aware if maybe Adobe Livecycle or any other open/closed-source product might be helpfull here?
A User needs to sign for example 10 or 100 different documents.
Instead of downloading all those documents, signing them locally and uploading them back to the server, I want to sign them, where they are created.
There must be something, even though it might not be open source.
I am not aware if maybe Adobe Livecycle or any other open/closed-source product might be helpfull here?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.