Digital Signature of a PDF using Servlet and Client-Applet for signing hash

I´m searching for a practical solution to sign a pdf document serverside with a client side smartcard.
As far as I´ve seen with the iText library, it is generally possible, but to generate the hash, which is going to be signed by applet running on the client , you need to use/have already the certchain of the user.

I search a possibility where I could generate a hash value to sign a pdf document (without the need of client input / his certificate chain) while or after generating it.

I thought of a process where the client-applet recieves as start parameter the hash to be signed, signs it using the smartcard and sends b64encoded the hash, certchain, pubkey etc back.

Is there maybe another library available, which can devide these two parts?

Thanks in advance!
Who is Participating?
ms_webtimizeAuthor Commented:
no solution given
so what does itext need to do the signing?

ms_webtimizeAuthor Commented:
For better understanding I attached a code snippet of the signing process with iText.

This is the part of my servlet which prepares the hash value which needs to be signed by the user.
The problem, as you see is, that we need while setting crypto parameters, we definitively need the certificate chain.
Otherwise while preclosing the pdf document, the the moment when the hash value is somewhere getting calculated, I get a
NullPointerException at com.lowagie.text.pdf.PdfPKCS7.<init>(

Most likely that libraries are not directly made for this usecase.

I wonder if there might be something else even libraries / solutions apart from open source ?
PdfReader reader = new PdfReader("example.pdf");
FileOutputStream fout = new FileOutputStream("example_signed.pdf");
PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stamper.getSignatureAppearance();
sap.setCrypto(null, certChain, null, PdfSignatureAppearance.WINCER_SIGNED);
sap.setReason("Digital Signature");
sap.setExternalDigest(new byte[256], new byte[20], "RSA");
MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
InputStream stream = sap.getRangeStream();
byte buf[] = new byte[8192];
int n;
while ((n = > 0) {
	messageDigest.update(buf, 0, n);
byte hash[] = messageDigest.digest();

Open in new window

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

and if it could be done theres a bit of a security risk here isn't there?  You're going to have to pass some pretty sensitive information over the wire aren't you.

Its like trying to pass your signature to someone else to use to sign a document.
ms_webtimizeAuthor Commented:
This will all happen in a SSL session, as a specific logged-on user.
The public key and certificate chain are nothing to worry about.
The only sensitive part would be that hash value, which is going to be signed by the users smartcard for a specific document.

ms_webtimizeAuthor Commented:
The objective behind all this is:
A User needs to sign for example 10 or 100 different documents.
Instead of downloading all those documents, signing them locally and uploading them back to the server, I want to sign them, where they are created.

There must be something, even though it might not be open source.
I am not aware if maybe Adobe Livecycle or any other open/closed-source product might be helpfull here?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.