0

I am attempting to digitally sign PDFs using a smart card and iText. I read through the documentation on how to use iText to sign a document and tried to use some of their code myself. Below is the code I am using:

String pkcs11ConfigSettings =
  "name = SmartCard\nlibrary = C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs201-ns.dll";
AuthProvider p =
  new SunPKCS11(new ByteArrayInputStream(pkcs11ConfigSettings.getBytes()));
Security.addProvider(p);
KeyStore.PasswordProtection pp =
  new KeyStore.PasswordProtection("012345".toCharArray());
KeyStore.Builder builder =
  KeyStore.Builder.newInstance("PKCS11",p ,pp);
KeyStore ks = builder.getKeyStore();
Certificate[] cc = ks.getCertificateChain("Digital Signature Key");
PrivateKey pk = (PrivateKey)ks.getKey("Digital Signature Key", null);
OutputStream fos = new FileOutputStream("c:\\2.pdf");
PdfReader reader = new PdfReader(new FileInputStream(new File("C:\\1.pdf")));
PdfStamper stamper = PdfStamper.createSignature(reader, fos, '\0');
PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
appearance.setCrypto(pk, cc, null,PdfSignatureAppearance.SELF_SIGNED);
appearance.setVisibleSignature(new Rectangle(0, 0, 100, 100), 1,null);
stamper.close();

The problem with this method is when iText closes the PDFStamper it does a call to C_Sign() which invokes the driver's prompt for a PIN.

So if this were an application it would require me to enter my PIN prior to signing, in order to obtain the KeyStore and PrivateKey, as well as when the driver's PIN input prompt comes up. Is there anyway around asking for the PIN twice? I'm kind of new to this stuff, am I going about this the wrong way?

Danny
  • 7,141
  • 8
  • 42
  • 68

1 Answers1

2

It seems if I follow the example with authenticated attributes I can get the PIN dialog to only pop up once for each time signing a document. This is the final code that I ended up using, hopefully it will be helpfully for someone else.

for(int i=0;i<2;i++) {
    String pkcs11ConfigSettings =
                "name = AuthProvider\nlibrary = C:\\Program Files\\ActivIdentity\\ActivClient\\acpkcs201-ns.dll";
    AuthProvider p = (SunPKCS11)Security.getProvider("SunPKCS11-AuthProvider");
    if(p==null) {
        p = new SunPKCS11(new ByteArrayInputStream(pkcs11ConfigSettings.getBytes()));
        p.setCallbackHandler(new CallbackHandler() {    
            @Override
            public void handle(Callback[] callbacks) throws IOException,
                    UnsupportedCallbackException {
                for(Callback c : callbacks)
                    if(c instanceof PasswordCallback) {
                        //HACK. if we set password to null it will bring up the drivers PIN dialog.
                        ((PasswordCallback) c).setPassword(null);
                    }
            }
        });
        Security.addProvider(p);
    }
    KeyStore ks = KeyStore.getInstance("PKCS11",p); 
    ks.load(null, null);
    Certificate[] cc = ks.getCertificateChain("Digital Signature Key");
    PrivateKey pk = (PrivateKey)ks.getKey("Digital Signature Key", null);
    OutputStream fos = new FileOutputStream("c:\\doc" + i + ".pdf"); ;
    PdfReader reader = new PdfReader(new FileInputStream(new File("C:\\1.pdf")));
    PdfStamper stamper = PdfStamper.createSignature(reader, fos, '\0');
    PdfSignatureAppearance sap = stamper.getSignatureAppearance();
    sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
    Calendar cal = Calendar.getInstance();
    PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
    dic.setDate(new PdfDate(cal));
    dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)cc[0]).getField("CN"));
    sap.setCryptoDictionary(dic);
    sap.setLayer2Text("Digitally signed by "+ dic.get(PdfName.NAME) +"\n\nDate: " + cal.getTime().toString());
    HashMap<PdfName,Object> exc = new HashMap<PdfName,Object>();
    exc.put(PdfName.CONTENTS, new Integer(0x2502));
    sap.preClose(exc);
    PdfPKCS7 pk7 = new PdfPKCS7(pk, cc, null, "SHA1", "SunPKCS11-AuthProvider", false);
    MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
    byte buf[] = new byte[8192];
    int n;
    InputStream inp = sap.getRangeStream();
    while ((n = inp.read(buf)) > 0) {
        messageDigest.update(buf, 0, n);
    }
    byte hash[] = messageDigest.digest();
    byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal, null);
    pk7.update(sh, 0, sh.length);
    PdfDictionary dic2 = new PdfDictionary();
    byte sg[] = pk7.getEncodedPKCS7(hash, cal);
    byte out[] = new byte[0x2500 / 2];
    System.arraycopy(sg, 0, out, 0, sg.length);
    dic2.put(PdfName.CONTENTS, new PdfString(out).setHexWriting(true));
    sap.close(dic2);
}
Danny
  • 7,141
  • 8
  • 42
  • 68