如何从 Usb Token(etoken pro 72 k(Java) ) 读取证书并附加到 pdf

Question

I want to read the signature from Usb token safenet (alladin etoken pro 72 k(Java)) and attach to pdf. I dont know how to do this. In previously they given an option to export .pfx file. Now they are giving an option to export .cer file. When i googled i get this code. When i run this code works it prompts the password of the token after enter the password i can able to verify the signature but i dont know how to attach the signature to the pdf. please guide me whether i am in correct direction or not. I am using c# language

private void btnGenpdfdigitalSignature_Click(object sender, EventArgs e)
        {
            try
            {

               // Cert myCert = null;

                // Sign text
                byte[] signature = Sign("Test", "Name of the signature person");

                // Verify signature. Testcert.cer corresponds to "cn=my cert subject"
                if (Verify("Test", signature,"jai.cer"))
                {


                }
                else
                {
                    Console.WriteLine("ERROR: Signature not valid!");
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("EXCEPTION: " + ex.Message);
            }
           // Console.ReadKey();
        }

        static byte[] Sign(string text, string certSubject)
        {
            // Access Personal (MY) certificate store of current user
            X509Store my = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            my.Open(OpenFlags.ReadOnly);

            // Find the certificate we'll use to sign            
            RSACryptoServiceProvider csp = null;
            foreach (X509Certificate2 cert in my.Certificates)
            {
                if (cert.Subject.Contains(certSubject))
                {
                    // We found it. 
                    // Get its associated CSP and private key
                    csp = (RSACryptoServiceProvider)cert.PrivateKey;

                }

            }
            if (csp == null)
            {
                throw new Exception("No valid cert was found");
            }

            // Hash the data
            SHA1Managed sha1 = new SHA1Managed();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);

            // Sign the hash
            return csp.SignHash(hash, CryptoConfig.MapNameToOID("Test"));


        }


        public bool Verify(string text, byte[] signature, string certPath)
        {
            // Load the certificate we'll use to verify the signature from a file 
             cert = new X509Certificate2(certPath);
            // Note: 
            // If we want to use the client cert in an ASP.NET app, we may use something like this instead:
            // X509Certificate2 cert = new X509Certificate2(Request.ClientCertificate.Certificate);

            // Get its associated CSP and public key
            RSACryptoServiceProvider csp = (RSACryptoServiceProvider)cert.PublicKey.Key;

            // Hash the data
            SHA1Managed sha1 = new SHA1Managed();
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] data = encoding.GetBytes(text);
            byte[] hash = sha1.ComputeHash(data);

            // Verify the signature with the hash
            return csp.VerifyHash(hash, CryptoConfig.MapNameToOID("Test"), signature);


        }

Answer 1

As it seems, you need to sign the PDF with the key stored on USB token.

First thing to figure out is what signing format to use. PDFs can be signed according to PDF specification (which includes digital signing), PAdES (extended PDF signing), or as a generic binary data using CMS/CAdES or even XMLDSig/XAdES.

Assuming you need to sign the PDF according to PDF specification, you most likely need to use some library such as our PDFBlackbox or iText (watch the license and pricing!).

Back to technical side -- .cer file that you mentioned contains only public part of the certificate, and the private key, used for signing, can not usually be extracted from the security device such as USB token. The PDF signing library must support calling the USB token via some programming interface (our PDFBlackbox supports both CryptoAPI and PKCS#11) to have it sign the hash of the data.

Answer 2

If you want to sign PDF with embedded signature you would most likely need to use PDF processing library such as iTextSharp which will embed the signature into the structure of PDF document. Bruno Lowagie from iText Software has written white paper called " Digital Signatures for PDF documents " which is a great source of information about digital signatures in PDF documents.

If you want to use your application also on platforms other than Windows then you should take a look at my Pkcs11Interop.PDF library that extends iTextSharp with the ability to digitally sign PDF document with the private key stored on almost any PKCS#11 compatible device (smartcard, HSM, etc.).

The great thing about iTextSharp and Pkcs11Interop.PDF libraries is they are available under the dual license model so if you are able to comply with the terms of AGPL license then you can use both libraries for free.

Answer 3

Modern token middleware (drivers) comes with CSP (Crypto Service Provider) on the top of it. The CSP detects and handles event when USB Token plugged in or removed and makes the Certificates in the token available in the Windows Certificate Store. You may use Windows X509 Security libraries in C# to access the certificate for signing, which access the Certificate Store which in turns uses CSP to get content signed using the Private Key in the Token. Private keys never comes out of the token.

If you are looking to use it in Web Application, please refer to this SO Answer