
We are building a Java website to share documents with users.

Once a user accesses his documents, he can digitally sign them with his certificate (it is stored on the client side).

The requirement is an on-line sign with a “sign button” on the documents list.

We researched ways to accomplish the requirement but apparently there is no way to do that without using a Java applet or a secured server that contains the users' certificates.

We know that another solution would be to use iText in a stand-alone Java application, but that is not an online solution.

The question is:

Is there a way to access the user's key store, or to load the certificate from the file system during the signing process, without using an applet?

Thanks and regards.

Barry Michael Doyle
Gonzalo Tamos

3 Answers

It is not possible to use a certificate installed in the system/browser keystore from JavaScript, due to security restrictions.

An alternative solution is to install on the client an application with an embedded web server and send the document from the web page to it to be signed at that moment. This application can use the keystore and include the iText library.

If the user has a certificate file (.p12/.pfx), it is possible to load its content using the WebCrypto API and sign the document on the client side (without uploading the certificate to the server). See How to load a PKCS#12 Digital Certificate with Javascript WebCrypto API.

pedrofb

@pedrofb is right, you won't, without the help of a plug-in, be able to access the certificate store on the host.

You can, in the browser, use WebCrypto with a library like PKI.js to load a key into the browser and sign with it; you can also verify the PDF's signature if you like. Here are some related examples:

You can see https://hwcrypto.github.io/ for a discussion, and plug-ins that provide access to smart cards within the browser.

rmhrisk

Modern browsers do not support applets. For browser-based signing scenarios, my company has published a free Chrome extension, Signer.Digital; the setup may be downloaded from CNET using the link https://download.cnet.com/Signer-Digital-Chrome-Extension/3000-33362_4-78042540.html Installing this host and restarting Chrome will automatically add the Signer.Digital Chrome extension.

Javascript to call method from extension:

    // Calculate the signature for the hash by calling the SignerDigital extension
    SignerDigital.signPdfHash(hash, $("#CertThumbPrint").val(), "SHA-256") // or "SHA256"
        .then(
            function (signDataResp) {
                // Send signDataResp to the server
            },
            function (errmsg) {
                // Send errmsg to the server or display the result in the browser.
            }
        );

If it fails, it returns an error message starting with "SDHost Error:".

If it succeeds, it returns a Base64-encoded PKCS#7 signature; as you said, use iText or any suitable library to inject the signature into the PDF.

Disclosure: I work for CISPL (Signer.Digital)

Bharat Vasant
  • The product you mention ***is your own product***. – schroeder May 14 '19 at 10:08
  • Yes. But it's free, along with a complete working source code project in C#. Works in VS 2015 or VS 2017. Source code and JavaScript [explained](http://help.signer.digital/digital_signing_signer_digital_weblib__net_integration_source_code_explained.htm) – Bharat Vasant Sep 13 '19 at 10:54
  • You need to disclose if you are talking about your own product. – schroeder Sep 13 '19 at 10:56