(html email, cannot reply inline)

For information on the smartcard you will need to read the NIST Special 
Publication 800-73-4 (PIV standard), NIST Interagency Report 6887, and ISO 7816.

 

From: Waldemar Dick [mailto:[email protected]] 
Sent: Thursday, December 19, 2019 8:06 AM
To: [email protected]
Subject: Re: PDF Signing Validation

 

The website doesn’t give you much information about the smartcard.

 

Usually you can access the smartcard via PKCS#11 drivers, or they are integrated 
into the Windows infrastructure.

Or use PC/SC to talk to the card directly, which I did for a couple of years. 

 

Anyway, it won’t be easy accessing the card via JavaScript.

Do you have a client application, which runs natively on Windows? Then you can 
access the drivers.

Or do you have just a browser app?

 

10 years ago we used Java applets to access these kinds of cards. But applets 
are dead and I am not up to date on what access a browser can give you.

 

For the PDF part: Prepare a PDF to be signed, like in the examples, then 
transfer the hash value (message digest) to wherever you have access to the 
card. Sign there and then return the PKCS#1 signature to where the document is 
waiting for it.

Add the PKCS#1 signature into the CMS. Add the CMS to the PDF document.

 

Regards,

Waldemar
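The hash-out, PKCS#1-back, CMS-in flow described in the message above, as an added example that is not part of the thread and not PDFBox's or BouncyCastle's own code. It assumes PDFBox 2.x (the `saveIncrementalForExternalSigning` API does not exist in 1.8.10) and BouncyCastle bcpkix on the classpath; `CardSigner` is a hypothetical hook standing for whatever can reach the card (PKCS#11, PC/SC, a native client). Only a SHA-256 digest crosses that boundary, so the private key stays on the card.

```java
// Added example, not from the thread or from PDFBox/BouncyCastle.
// Assumes PDFBox 2.x and BouncyCastle bcpkix. CardSigner is hypothetical.
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collections;

import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.ExternalSigningSupport;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public class ExternalCardSigning {

    /** Hypothetical boundary to the card: takes a SHA-256 digest, returns a PKCS#1 v1.5 signature. */
    public interface CardSigner {
        byte[] signSha256Digest(byte[] digest) throws IOException;
    }

    /**
     * BouncyCastle streams the bytes to be signed (the DER-encoded signed
     * attributes of the SignerInfo) into this signer. Only their SHA-256
     * digest is forwarded to the card; the private key never leaves it.
     */
    static final class DigestForwardingSigner implements ContentSigner {
        private final CardSigner card;
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();

        DigestForwardingSigner(CardSigner card) { this.card = card; }

        @Override public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        }
        @Override public OutputStream getOutputStream() { return buffer; }
        @Override public byte[] getSignature() {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(buffer.toByteArray());
                // The card wraps the digest in a DigestInfo and applies RSASSA-PKCS1-v1_5.
                return card.signSha256Digest(digest);
            } catch (Exception e) {
                throw new IllegalStateException("card signing failed", e);
            }
        }
    }

    /** Build a detached CMS (adbe.pkcs7.detached) over the PDF byte range. */
    static byte[] buildDetachedCms(byte[] content, X509Certificate cert, CardSigner card) throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(
            new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                .build(new DigestForwardingSigner(card), cert));
        // The certificate is public; embedding it lets a verifier check the chain.
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), false);
        return signed.getEncoded();
    }

    public static void sign(PDDocument doc, String outPath, X509Certificate cert, CardSigner card) throws Exception {
        PDSignature sig = new PDSignature();
        sig.setFilter(PDSignature.FILTER_ADOBE_PPKLITE);
        sig.setSubFilter(PDSignature.SUBFILTER_ADBE_PKCS7_DETACHED);
        sig.setName("External card signer");
        sig.setSignDate(Calendar.getInstance());
        doc.addSignature(sig);

        try (FileOutputStream out = new FileOutputStream(outPath)) {
            // Step 1: write the document with a placeholder /Contents, get the bytes to be signed.
            ExternalSigningSupport ext = doc.saveIncrementalForExternalSigning(out);
            byte[] byteRange = IOUtils.toByteArray(ext.getContent());
            // Steps 2-3: hash and sign at the card, assemble the CMS around the PKCS#1 signature.
            byte[] cms = buildDetachedCms(byteRange, cert, card);
            // Step 4: put the CMS into the waiting PDF.
            ext.setSignature(cms);
        }
    }
}
```

The card has to return a PKCS#1 v1.5 signature over the DigestInfo wrapping that SHA-256 value; if the card-side API only offers raw PKCS#1 padding, wrap the digest in a DigestInfo before sending it. On the relying side (Acrobat or your own code), validity comes from checking the signature against the certificate carried in the CMS and that certificate's chain, not from comparing certificates byte-for-byte.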


On 19. 12 2019, at 13:50, gunslingor gunslingorsadf <[email protected]> wrote:

 

These are the kind of cards in use: https://www.cac.mil/common-access-card/

There are multiple types of distribution we do: Client Side Apps, Server
based web pages and some special ones. Everything is java on the backend
and JS on the front end, even client apps. No matter what package we
release, they all use cards like these to login, sign PDFs and similar...
the private key shouldn't leave the smartcard I agree. What I don't know is
how these cards really work because I don't have access to them, but I know
internet isn't required to use them and rarely is available on the client
side apps. I have seen the end user sign a PDF with acrobat reader and they
seem to do it normally, with a certificate selector. I would guess that
these cards act as a sort of keystore themselves and the clients have
special software installed that, when the card is inserted and
authenticated, grants access to the certificate and perhaps imports them
into the windows keystore so that apps (like acrobat) know where to look
when signing... but that is just a layman's guess and I could be wrong...


Based on my (lack of) knowledge on these cards, javascript seems like the
only way... yet I suspect that would be more limiting in functionality than
a java solution. Any questions?


From: Wade Polk
Sent: Wednesday, December 18, 2019 5:58 PM

Yeah... it's our main use case but we won't have access to the smart
cards anytime soon. Internet isn't an option so web services won't work.
Javascript solution is the only way to go it would appear... at least
for these smartcards; still need the keystore approach as well too
though, not

Need actual specifics here...

everyone uses them.

On Wed, Dec 18, 2019 at 5:15 PM Jason Pyeron <[email protected]> wrote:

While this is not in regards to version 1.8, we are currently using
smartcards and signing PDFs via web services.

So no, a keystore is not required, only the ability to digitally sign
a digest value.

-----Original Message-----
From: gunslingor gunslingorsadf <[email protected]>
Sent: Wednesday, December 18, 2019 3:32 PM
To: [email protected]
Subject: PDF Signing Validation

PDFBox 1.8.10, in reference to visible signature examples

Is it possible to sign a PDF without a keystore?

i.e. folks use SIM card devices… they plug it into the computer,
enter user/pass (or maybe alias/pin) and then the actual
certificate is used and compared against the certificate stored in
the user management system (i.e. cert == cert). This sounds a little
odd to me, but I am no SSL expert, it was built before I arrived and
these SIM devices (which I don't even have access to) make this
situation a little different.

Any help appreciated

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



 

 

 







Waldemar Dick

signing & security

Mobile +49 (0)179 1106735
Support +41 (0)44 505 16 64
E-Mail [email protected]

Pforzheimer Straße 128a, 76275 Ettlingen, Deutschland

Qualified electronic signing made easy.
Skribble.com <https://www.skribble.com> 

 
