1

I have a Java EE app that needs to implement e-signing of PDF Files. The user needs to be able to click a link that will generate a PDF File based on data in the database and see the PDF in their browser. The user then needs to be able to "sign" the document using their private key stored on their smart card (which is plugged into a smart card reader on the PC that they're using). Users are using Windows 7 and JRE 1.6.

I was hoping to use iText for the PDF generation, but it is unclear what solution I would use on the client-side for pulling information in from the smart card and then for applying that information to sign the PDF and show the PDF as being signed (either showing the user's signature or updating the doc to say that it has been signed).

Has anyone done this before and has a solution?

Arjan Tijms
BestPractices
  • So we have one answer that includes a commercial product; anyone know of a non-commercial product which will achieve this? – BestPractices Jun 13 '12 at 13:35
  • Modern browsers no longer support applets or ActiveX. This SO answer has a link to a complete working project download. https://stackoverflow.com/a/55676351/9659885 – Bharat Vasant Feb 07 '20 at 01:51

2 Answers

1
  1. It does not help reading a certificate from the smartcard, as you need the private key.
  2. You should not (and most often cannot) read the private key from the smartcard (that's the reason for using a smartcard).
  3. To access the smartcard you need to interface one of the native APIs like plain PC/SC, PKCS#11 or CSP.
  4. To do this from the browser you need either an ActiveX or an Applet.
  5. Building this from scratch is very ambitious.

Some critical information is:

  • what reader
  • what smartcard
  • what browser
  • what OS

to select or develop a solution.

We have a commercial product built using applet technology that does exactly what you requested (take a PDF, interface to the smartcard, sign the hash, insert the signature in any form supported by PDF, post the signed PDF). If you are interested, I will provide a contact.

mtraut
  • Or use something that exists out there (there are many) or use native plugins or other solutions, that work for the occasion. I think that these days a native plugin is even better than Java, due to recent exploits often disabling Java by default. – Martin Paljak Jun 12 '12 at 20:12
  • I don't want to build from scratch. We currently use an activex control to read from the reader which is plugged into a Windows 7 machine. It is a DoD CAC card. Ideally we would like to use open source libraries (read: free) via an applet. @martin-- any ideas? – BestPractices Jun 12 '12 at 20:27
  • @mtraut: that being said... please provide your commercial contact info. – BestPractices Jun 12 '12 at 20:28
  • @BestPractices - if you currently use an ActiveX, what is wrong with it? Does it provide a "sign" function? Do you have to be platform independent? Are you only looking for the PDF integration? – mtraut Jun 13 '12 at 12:42
  • @BestPractices - that being said - feel free to contact mtraut at intarsys dot de – mtraut Jun 13 '12 at 12:44
  • @martin - I am not aware of (many) products around that sign a PDF document on the client using a smartcard - at least not free. Can you give links? – mtraut Jun 13 '12 at 12:46
  • @mtraut - the ActiveX control locks us into having to use Internet Explorer and we'd like to support more browser types, if possible. We also want to move away from our current e-signature solution (which works, but has been sunsetted) – BestPractices Jun 13 '12 at 13:40
  • Thanks @martin. But maybe the question was not specific enough. There's generally no lack of software in a fat client environment interfacing to PKCS#11 (at least to some PKCS#15 cards). What software can sign a PDF in a browser? – mtraut Jun 16 '12 at 19:27
0

Use PDF Studio. I had an issue with my CAC reader config.cfg file but after I deleted the "slot = 1" line it worked like a champ. My file now looks like this:

name = SunPKCS11
library = /usr/lib64/libcackey.so

For further info visit: https://www.qoppa.com/pdfstudio/

Frankie
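An added example, not code from either answer or from any product named on this page: how a desktop Java program can use a SunPKCS11 config file like the one above to have the card sign data while the private key stays on the card, as the first answer describes. It assumes Java 9 or later, an RSA signing key on the card, and a hypothetical class name `CardSignDemo`; the sample bytes are constructed and stand in for the data a PDF library would hand over for signing.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

public class CardSignDemo {
    public static void main(String[] args) throws Exception {
        String configPath = args[0];   // path to the SunPKCS11 config file
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] pin = console.readPassword("Card PIN: ");

        // Java 9+ API. On Java 8 and earlier the provider is created with
        // new sun.security.pkcs11.SunPKCS11(configPath) instead.
        Provider p11 = Security.getProvider("SunPKCS11").configure(configPath);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);            // logs in to the token with the PIN
        Arrays.fill(pin, '\0');        // do not keep the PIN in memory

        // Constructed sample input, not a real PDF byte range.
        byte[] toSign = "constructed sample data".getBytes(StandardCharsets.UTF_8);

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // This is a handle to the key on the card, not key material:
            // getEncoded() returns null when the key cannot be exported.
            PrivateKey key = (PrivateKey) ks.getKey(alias, null);
            System.out.printf("%s subject=%s exportable=%b%n", alias,
                    cert.getSubjectX500Principal(), key.getEncoded() != null);
            if (!"RSA".equals(key.getAlgorithm())) continue;

            // The signing operation is performed by the card through PKCS#11.
            Signature signer = Signature.getInstance("SHA256withRSA", p11);
            signer.initSign(key);
            signer.update(toSign);
            byte[] sig = signer.sign();

            // Verify in software with the public key from the certificate.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(toSign);
            System.out.printf("  signature: %d bytes, verifies=%b%n",
                    sig.length, verifier.verify(sig));
        }
    }
}
```

This covers only the card-side signing step; embedding the resulting signature in a PDF is the job of the PDF library and is not shown.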