
How do I sign a PDF document using a LUNA HSM?

I use Java with iText to digitally sign a PDF document using a LUNA HSM. My objective is to sign a document with PKCS11 and assemble the certificate chain from the HSM. I don't want to install certificates on the server.

I tried to use a sample program called C4_01_SignWithPKCS11HSM.java from iText.

I took this from: http://developers.itextpdf.com/examples/security/digital-signatures-white-paper/digital-signatures-chapter-4

When I compiled the program, it showed me the following warning:

[luna@sumCentosHsm pdf]$ javac -Xlint signPdf.java
signPdf.java:93: warning: [deprecation] OcspClientBouncyCastle() in OcspClientBouncyCastle has been deprecated
OcspClient ocspClient = new OcspClientBouncyCastle();

Also, how do I build the configuration file and parameters?

I would like to know if someone has had the same problem. Thank you.

import java.security.*;
import java.security.KeyStore.*;
import java.security.cert.X509Certificate;
import java.security.cert.Certificate;
import com.safenetinc.luna.*;
import java.io.*;
import com.itextpdf.text.*;
import com.itextpdf.text.pdf.*;
import com.itextpdf.text.pdf.security.*;

public class SignPdfUsingLuna{
    private static String keyAlias = null;
    private static String slotPin = null;
    private static int slotId;
    private static String inputFile = null;
    private static String outputFile = null;
    private static KeyStore ks = null;
    private static PrivateKeyEntry prKE = null;

    private static void usage(){
        System.out.println("Command usage :-");
        System.out.println("java SignPdfUsingLuna <SlotNumber> <SlotPassword> <KeyAlias> <InputFile>");
    }

    public static void main(String args[]){
        try{
            slotId = Integer.parseInt(args[0]);
            slotPin = args[1];
            keyAlias = args[2];
            inputFile = args[3];
            // Luna keystore: the "slot:<n>" stream selects the partition, the PIN logs in to it
            ks = KeyStore.getInstance("Luna");
            ks.load(new ByteArrayInputStream(("slot:"+slotId).getBytes()),slotPin.toCharArray());
            // Entry password as in the original; the token was already unlocked with the slot PIN in load()
            ProtectionParameter param = new PasswordProtection("abcd".toCharArray());
            prKE = (PrivateKeyEntry)ks.getEntry(keyAlias,param);
            X509Certificate cert = (X509Certificate)ks.getCertificate(keyAlias);
            // The chain is read from the HSM, so no certificates need to be installed on the server
            Certificate[] certchain = ks.getCertificateChain(keyAlias);

            PdfReader readPdf = new PdfReader(inputFile);
            FileOutputStream outFile = new FileOutputStream("Signed"+inputFile);
            PdfStamper stamp = PdfStamper.createSignature(readPdf, outFile, '\0');
            PdfSignatureAppearance psa = stamp.getSignatureAppearance();
            psa.setReason("Signed by :- Sam Paul");
            psa.setLocation("India");
            Image img = Image.getInstance("Logo.jpg");
            psa.setImage(img);
            psa.setVisibleSignature(new Rectangle(100, 100, 300, 200), 1, "Signature");
            ExternalDigest dgst = new BouncyCastleDigest();
            // The private key never leaves the HSM: signing is delegated to the Luna provider by name
            Provider prod = ks.getProvider();
            PrivateKey pk = prKE.getPrivateKey();
            ExternalSignature sign = new PrivateKeySignature(pk,DigestAlgorithms.SHA256,prod.getName());
            MakeSignature.signDetached(psa, dgst, sign, certchain, null, null, null, 0, MakeSignature.CryptoStandard.CMS);
            stamp.close();
        }catch(ArrayIndexOutOfBoundsException aio){
            usage();
        }catch(NumberFormatException nfe){
            System.out.println("Please enter a valid slot number");
            usage();
        }catch(Exception e){
            e.printStackTrace();
        }
    }
}

Hope this helps.

Sam.
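For the configuration-file part of the question, the generic SunPKCS11 route the iText sample follows, as an added example (not the asker's, Sam's or iText's own code): it assumes Java 9 or later, iText 5 with Bouncy Castle on the classpath, and a placeholder path to the Luna PKCS#11 library and slot number that must be replaced with the real ones.

```java
import java.io.FileOutputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import com.itextpdf.text.pdf.*;
import com.itextpdf.text.pdf.security.*;

public class SignPdfWithSunPkcs11 {
    // SunPKCS11 configuration, inline. Library path and slot are placeholder assumptions.
    static final String PKCS11_CONFIG =
        "name = LunaHsm\n" +
        "library = /path/to/libCryptoki2_64.so\n" +   // placeholder, replace with the Luna client module
        "slot = 0\n";

    // Java 9+: configure the built-in SunPKCS11 provider; a leading "--" means the config is inline.
    public static Provider loadPkcs11Provider() {
        Provider p = Security.getProvider("SunPKCS11").configure("--" + PKCS11_CONFIG);
        Security.addProvider(p);
        return p;
    }

    // Pull the chain straight from the token and sanity-check the leaf before signing with it.
    public static Certificate[] chainFromHsm(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0)
            throw new KeyStoreException("no certificate chain stored under alias " + alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();                       // expired or not-yet-valid certificates are rejected
        boolean[] ku = leaf.getKeyUsage();
        if (ku != null && !ku[0])                   // KeyUsage bit 0 = digitalSignature
            throw new CertificateException("leaf certificate does not allow digitalSignature");
        return chain;
    }

    public static void sign(String in, String out, String alias, char[] pin) throws Exception {
        Provider p = loadPkcs11Provider();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                         // PIN logs in to the token; nothing is copied to disk
        PrivateKey pk = (PrivateKey) ks.getKey(alias, pin);   // a handle to the key, not key material
        Certificate[] chain = chainFromHsm(ks, alias);
        try (FileOutputStream os = new FileOutputStream(out)) {
            PdfStamper stamper = PdfStamper.createSignature(new PdfReader(in), os, '\0');
            PdfSignatureAppearance app = stamper.getSignatureAppearance();
            // Signing is delegated to the PKCS#11 provider by name, so the HSM performs the RSA operation
            ExternalSignature sig = new PrivateKeySignature(pk, DigestAlgorithms.SHA256, p.getName());
            MakeSignature.signDetached(app, new BouncyCastleDigest(), sig, chain, null, null, null, 0, MakeSignature.CryptoStandard.CMS);
        }
    }
}
```

The same config can instead be written to a file and passed as its path to `configure`, which is what the iText sample does.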

Perhaps you have a special circumstance where you want to use HSM keys to sign documents. Most of the time, document signing is done with 'person-entity' PKI certificates. In this scenario, your local Certificate Authority (Windows Server) has been configured to store the CA's private key on the SafeNet HSM. Then the local CA would issue personal PKI certificates to users of that domain (Bob Smith). Then a user, Bob, could use his certificate that is local to his machine to sign documents. This would provide integrity and nonrepudiation, and the certificate would be signed by that individual.

In your implementation, any signed document would simply display the subject name of the HSM certificate, which in most implementations would be a domain's CA name, etc.
