EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PDFBlackBox technical and licensing question

#22220
Posted: 10/26/2012 04:29:24
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Hello,
In the project I am currently working on, I need to provide the possibility to sign PDF documents on the server using client certificates, stored on a SmartCard and usually protected with a PIN code. I downloaded the trial version of SBB and took a look at the samples (specifically TinySampler) - they work with all of our certificates, which is great. I've noticed that this code sample makes use of the classes TElMemoryCertStorage and TElWinCertStorage, which are declared in the SecureBlackBox assembly. My first question is: Can I purchase PDFBlackBox and still have access to these classes, or should I provide my own implementation of TElMemoryCertStorage and TElWinCertStorage? In other words - can I build TinySampler without purchasing the whole SBB package?

My second task would probably be to make PDF signing on the client side. A sample scenario would look like this:
1. The client opens a web page, fills in some data and submits the page.
2. The server creates a PDF file accordingly, signs it and returns it to the client page.
3. The client reviews the produced PDF file, verifies the server signature and decides whether or not to sign it with his personal certificate, presumably stored on a SmartCard or other device.

This scenario is supposed to work on different web browsers and OSes, so a Java applet on the client side and .NET PDFBlackBox on the server side seem to do the job. My question here is: which one of your products should I purchase along with PDFBlackBox in order to be able to create this client-side Java applet?

Regards,
Ivan Hristov
#22221
Posted: 10/26/2012 04:37:04
by Vsevolod Ievgiienko (EldoS Corp.)

Ivan,

Thank you for your interest in our products.

Both TElMemoryCertStorage and TElWinCertStorage are included in the PDFBlackbox package. If the functionality that is demonstrated in the TinySampler sample is enough for your project, then you need to purchase only the PDFBlackbox package.

The second task can be implemented using our Distributed Cryptography Add-on: https://www.eldos.com/sbb/desc-dc.php. It includes a Java applet but should be purchased separately.
#22222
Posted: 10/26/2012 04:42:12
by Ken Ivanov (EldoS Corp.)

Ivan,

Quote
My first question is: Can I purchase PDFBlackBox and still have access to these classes, or should I provide my own implementation of TElMemoryCertStorage and TElWinCertStorage?

Support for memory- and system-based certificates is included in every SecureBlackbox package you purchase. That is, you will have access to these components should you purchase a PDFBlackbox package.

Still, please be aware that if you need to access smartcard-based certificates via the PKCS#11 interface, you will have to purchase a license for the PKIBlackbox package (which includes the relevant TElPKCS11CertStorage class) separately.

Regarding the second task - if you are limited to Java applets on the client side, you would need the Java edition of SecureBlackbox, in addition to the .NET edition that will work on the server side. As you need to create and validate PDF signatures within the applet, the PDFBlackbox package is the one you will need here.

Vsevolod, the distributed cryptography add-on will not do the job here, as there is a need for the client to view and validate the entire PDF document on their side.
#22223
Posted: 10/26/2012 06:02:46
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Vsevolod,
Innokentiy,

Thank you for your quick answers.
I am not well grounded in certificates/tokens, so I would need a little further explanation.

Vsevolod, I took a look at the Distributed Cryptography Add-on and it really seemed to do the job, but since Innokentiy disagrees, I think I was not very clear in my scenario. The "view and validate" on the client side will be a simple "download, open with Acrobat/Reader and check the signatures" task. I don't think that any code should be involved (at least according to current requirements).

Innokentiy, you said: "...if you are limited to Java applets on client side...". I chose Java applet, because it should work virtually in any browser running Java and it's not dependent on OS. What other options would you suggest?

Also, you mentioned that I need PKIBlackbox in order to work with certificates on tokens/smartcards via PKCS#11, but I guess you mean "direct access to the card". Currently I want to work only with certificates which are registered in the local computer certificate store, but the token itself requires a PIN code in order to get the hash from the private key.
I looked at the TinySampler code, but didn't find any reference mentioning TElPKCS11CertStorage. Actually, the dialog prompting for the PIN code appears when I close the PDF document - maybe internally it invokes some TElPKCS11CertStorage method?

Regards,
Ivan Hristov
#22224
Posted: 10/26/2012 06:19:17
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
Innokentiy, you said: "...if you are limited to Java applets on client side...". I chose Java applet, because it should work virtually in any browser running Java and it's not dependent on OS. What other options would you suggest?

The Distributed Cryptography Add-on includes modules for Java, Flash and ActiveX. A Java applet is the best choice for your scenario.

Quote
maybe internally it invokes some TElPKCS11CertStorage method?

Your certificates are mapped to the Windows certificate store that is accessible via the TElWinCertStorage class, so TElPKCS11CertStorage is not involved.
#22225
Posted: 10/26/2012 06:35:00
by Ken Ivanov (EldoS Corp.)

Quote
I chose Java applet, because it should work virtually in any browser running Java and it's not dependent on OS. What other options would you suggest?

There are no other options except Java if you need the client-side part to work on any platform.

Quote
The "view and validate" on the client side will be a simple "download, open with Acrobat/Reader and check the signatures" task. I don't think that any code should be involved (at least according to current requirements).

So all the work on the client side is going to be performed solely with Acrobat (i.e. without involving SBB for signing or validation)? If this is the case, I believe that the Acrobat plugin (which is available for a number of different browsers and platforms) will do the job.

The Distributed Cryptography module is normally a solution targeting those developers who need to delegate signing of loads of documents to a remotely residing private key and want to minimize the network load. Instead of sending a whole document for signing, DC allows sending only its hash to the signing party, thus reducing the network load drastically.

If you *do* need to perform PDF validation or signing tasks on the client with SecureBlackbox but *do not* need to optimize network performance according to what I explained above, then you apparently do not need the distributed crypto module. In this case purchasing a Java edition in addition to the .NET one would be a more cost-effective solution for you.
#22244
Posted: 10/29/2012 03:37:02
by Ivan Hristov (Standard support level)
Joined: 10/26/2012
Posts: 16

Vsevolod,
Innokentiy,

Thank you for your input.
Due to the latest changes, the project management decided to leave the client-side signing to 3rd party applications (at least for now). So currently we will purchase PDFBlackBox .NET Edition in order to get the server-side signing done.

Thanks again for your help.

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
