The private key is used for signing only. It is not needed for
validation. The public key validates the signature (signed with the
private key). The public key is part of the certificate, so you should
not need any external keystores. But you may need internet access to
chase the validation chain to a trusted root (you will need a local
certificate store of trusted roots). The CAC interface is usually
PKCS#11, which you can get to from Java, but not from JavaScript in a
browser. Signing takes place on the CAC card itself, so the private key
is never exposed.
On 12/19/2019 1:58 PM, gunslingor wrote:
Can x509 sign pdfs? To validate a pdf signature, do you have to have access to
the private key? I'm wondering if we can create an isolated store by importing
these certs and still use pdf box... but I'm thinking it has to be the original
private key from the cac card right, so others can validate, and probably a
different type of cert? I'm also wondering, since I'm mainly concerned about the
client app atm, that since the java is on the client, I should be able to
interface with the cac via a driver or something and get it that way? The idea
of sending the pdf digest back and forth sounds about as secure as these
options. Still learning this stuff, sorry and thanks!

Sent from my T-Mobile 4G LTE Device
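
The split described in the reply at the top of this message (signing through PKCS#11 on the card, validation with only the certificate's public key), as an added Java example that is not code from this thread or from PDFBox. It signs raw bytes rather than a PDF and does not check the certificate chain; the class name, the config-file argument, the choice of the first key entry and the RSA algorithm are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Collections;

public class TokenSignDemo {
    static byte[] sign(PrivateKey key, Provider prov, byte[] data) throws GeneralSecurityException {
        // With a PKCS#11 provider, `key` is only a handle: the RSA operation runs on the token.
        Signature s = (prov == null) ? Signature.getInstance("SHA256withRSA")
                                     : Signature.getInstance("SHA256withRSA", prov);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }
    static boolean verify(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        // Validation uses the public key only, taken from the signer's certificate.
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(pub);
        v.update(data);
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample bytes standing in for the content to be signed.
        byte[] data = "constructed sample content".getBytes(StandardCharsets.UTF_8);
        Provider prov = null;
        PrivateKey priv;
        PublicKey pub;
        if (args.length == 1) {
            // args[0]: SunPKCS11 config file naming the card middleware library (site-specific).
            prov = Security.getProvider("SunPKCS11").configure(args[0]);
            KeyStore ks = KeyStore.getInstance("PKCS11", prov);
            ks.load(null, System.console().readPassword("PIN: "));
            String alias = null; // assumption: the first key entry is the signing key
            for (String a : Collections.list(ks.aliases())) if (alias == null && ks.isKeyEntry(a)) alias = a;
            if (alias == null) throw new KeyStoreException("no key entry on token");
            priv = (PrivateKey) ks.getKey(alias, null);
            pub = ks.getCertificate(alias).getPublicKey();
        } else {
            // No token attached: a software key pair stands in for the card.
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            KeyPair kp = g.generateKeyPair();
            priv = kp.getPrivate();
            pub = kp.getPublic();
        }
        byte[] sig = sign(priv, prov, data);
        System.out.println("signed content verifies:  " + verify(pub, data, sig));
        data[0] ^= 1; // alter one bit of the signed content
        System.out.println("altered content verifies: " + verify(pub, data, sig));
    }
}
```

Run without arguments it uses the software key pair and prints true, then false; with a config file it needs an interactive console for the PIN prompt.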