How Do I Sign a PDF Using Smart Cards or Hardware Security Module?

[Vincent Ycasas]

Question:

How Do I Sign a PDF Using Smart Cards or Hardware Security Module? Is it possible to do so with PDFNet?

Answer:

It is definitely possible to sign a PDF via PDFNet using other types and formats of private keys. PDFNet, however, does not currently provide support other than the most common PKCS#12 format.

To sign a PDF in PDFNet using other digital signature certificate standards, you will have to extend the SignatureHandler class. Our sample: http://www.pdftron.com/pdfnet/samplecode/DigitalSignaturesTest.cpp.html already shows how to extend the SignatureHandler class. You will need to do the same if you want to use other formats of signing certificates.

 

When using smart cards or HSMs to obtain your certificates, you will want to use the PKCS#11 standards. OpenSSL supports PKCS#11 engine (via a special contrib branch): http://www.openssl.org/contrib/. Or you can also use OpenSC: https://www.opensc-project.org/opensc/wiki/engine_pkcs11

 

If you wish to use either of the two above, you will need to modify the OpenSSLSignatureHandler to handle PKCS#11 instead of PKCS#12 when obtaining the signing certificates from the key store.

 

Additionally, you can obtain further information here: https://github.com/viktorTarasov/OpenSC-SM/wiki/Creating-applications-with-smart-card-support