8

Here is what I want to do:

  1. user creates document (html)
  2. edit -> save PDF on server
  3. ask if user wants to sign the document
    • (yes) here is the problem
    • (no) no problem
  4. ???? (not important)

So now the problem I face is how to do that (yes) in step 3. If the signature is on the server, no problem: I have some html->php->pdf classes that can sign with digital signatures, but the signature must be on the server as a file. The question is, how can I do it directly on the server? The user chooses yes, the signature is read (from his reader on his computer) and sent to the server, and signing is done. Here I believe I can't do it without something like Java or so. In my opinion PHP and JavaScript sure as hell aren't going to be enough for this action.

Has anyone ever encountered a problem like that? Maybe some ready-to-use library?

P.S. not quite sure if the tags are correct, but couldn't figure out which to put.

BalusC
Nikola
  • What do you mean by "his reader on his computer"? – esej May 18 '12 at 16:13
  • @esej I guess he means some kind of USB stick containing signature info. – Ahatius May 18 '12 at 16:17
  • Well, that is the whole issue then - isn't it. – esej May 18 '12 at 16:28
  • @esej yes, that is what I mean. The signature is on a USB signature reader, for example http://www.hidglobal.com/prod_detail.php?prod_id=182 – Nikola May 18 '12 at 16:46
  • I fail to follow you here, if there is a user-owned device that is doing the signing - the server obv. can't do it. Maybe you want the server to create the digest to be signed? (if so you'd need some general way to communicate / ask for a signature) – esej May 18 '12 at 16:50
  • I create the document at the server. Then I want to ask the user if he wants to sign the document using his signature, which is saved to a USB signature reader (like the one in the link I gave). The question is how do I get the signature to the server, or how do I get the document to the user's PC to sign it and then re-upload the document back to the server, automatically, without asking the user to download the document, sign it and then upload it again to the server? – Nikola May 18 '12 at 17:08
  • @esej You can do this with Chrome native messaging + plugin/app, natively with CAPICOM, or via a Java applet. In windows at least, it is very easy to prompt the API for a signature and make it happen. – Yablargo Apr 04 '18 at 14:56

1 Answer

6

If the certificate with a private key is on the client, then you need a client-side module to do signing. JavaScript won't be enough as it won't have access to the key on the client. While you can try calling CAPICOM from JavaScript, this is a partial (no PKCS#11 support), Windows-specific and obsolete solution. A better option is to have a browser applet written in Java that will perform signing (see below).

Our SecureBlackbox product has a distributed signature add-on which does exactly what you describe (PHP, Java, ASP.NET and compiled modules are supported at the moment). You can see the scheme of how the add-on works:

[image: scheme of how the add-on works]

In our product we offer pre-built browser modules - Java Applet, ActiveX control and Flash applet, yet the Java applet is in most cases enough as it can access PKCS#11 storages and the Windows Certificate storage on Windows. For browsers that don't support Java applets, SecureBlackbox allows using the applet via Java Web Start, as an external "application".

You will probably need to re-create this complete scheme, however it's a big trick to calculate the hash on the server and pass it to the client for signing and then embed the signature back to the document.

It would probably be easier to transfer the complete document to the client and have a Java applet that will sign that document using iText or the Java edition of our SecureBlackbox, and then upload the document back to the server.
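The hash-on-server, sign-on-client, embed-on-server split the answer describes, as an added example in Go (not the answer's code and not part of SecureBlackbox). An in-memory RSA key stands in for the key on the user's USB token, and the constructed byte string stands in for the PDF byte ranges to be signed; writing the signature back into the PDF is out of scope here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample standing in for the bytes the server prepared for signing
// (in a real PDF this is the signed byte ranges, not the whole file).
var document = []byte("%PDF-1.4 constructed sample document bytes for the demo")

// Server side: hash the bytes to sign and send only the digest to the client.
func serverDigest(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	return sum[:]
}

// Client side: the private key never leaves the user's machine. The in-memory
// RSA key here stands in for the key held on the token / PKCS#11 module.
func clientSign(priv *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
}

// Server side: before embedding, check that the returned signature really covers
// the digest the server computed, using the public key from the user's certificate.
func serverVerify(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, serverDigest(doc), sig) == nil
}

// Exchange runs one round trip with a freshly generated client key and returns
// the client's public key together with the signature the server received.
func Exchange(doc []byte) (*rsa.PublicKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sig, err := clientSign(priv, serverDigest(doc))
	if err != nil {
		return nil, nil, err
	}
	return &priv.PublicKey, sig, nil
}

func main() {
	pub, sig, err := Exchange(document)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verified on server:", serverVerify(pub, document, sig))
}
```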

Eugene Mayevski 'Callback