EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PDFBlackBox + SmartCard + Java Applet - Is it possible?

Posted: 04/01/2014 09:28:29
by Shota Giorgobiani (Basic support level)
Joined: 04/01/2014
Posts: 4


Currently, we are developing web application, and our customer wants to implement pdf signature functionality. The tricky part is, that in our country, we use ID cards (Smart Cards) for personal identification and signature process must be done by using these cards. Also our government providers java applet which must be used during signature process.

We had implemented demo using iTextSharp library, but are also considering other opportunities, PDFBlackBox is one of them. I want to describe process of signing the document and get answer, if it's possible using PDFBlackBox.

1. User uploads PDF to the system
2. JavaApplet is called and 3 certificates are sent to specific URL (this is actually handler code which must be implemented) these certificates contains: users public key, public key of ministry of justice and root cert.
3. Empty signature is added to the file and users public key is used
4. hash for the signature is computed
5. hash is sent as a response of the request
6. applet gets hash, calls ID card-s internal signing functionality and signs the hash with private key (so signing with private key is always done inside smart card)
7. Signed hash is sent to second handler
8. Handler gets signed hash and timestamps it
9. Handler swaps empty signature with finished one
10 handler finalizes PDF document signature process

The main problem, when implementing this scenario with iTextSharp, was so called "preclosing" of the document, as we are one web and applet uses request/response scenario, we did not have uninterraptable flow of signature, we have 2 phases, that's why we are using empty signature and then updating it with real one.

I'm interested if something like this, is possible using PDFBlackBox and if some documentation or examples are available.

Posted: 04/01/2014 17:37:00
by Ken Ivanov (Team)

Hello Shota,

Thank you for your interest in our products.

SecureBlackbox offers a similar distributed signing functionality, represented by the pluggable DC module. It operates fairly similar to what you have described, by sending a hash to the signing party, obtaining the signature from it and inserting it to the document. Under the DC terms, the initiation and finalization stage are completely independent (with 'state' objects passed between the initiator and the signer) and thus are applicable for use in stateless protocols such as HTTP.

Alternatively, a synchronous variant of distributed signing functionality is also available, where the hash is passed to the user code via a .NET event, and the signature is expected to be passed back from that very event. While this approach is usable in HTTP-driven scenarios where the document resides on the client side and the signing is done on the HTTP server, the stateless nature of the HTTP protocol significantly complicates its use in reverse conditions (where the hash is signed on the HTTP client side).

In both cases, timestamping can be performed either on the signing stage or later.

It would be great if you explain us what you wish to achieve. As far as I understand, you would prefer to sign the document in one pass, by obtaining the hash from server and sending back the signature (i.e. exclude step 2 from the scheme). Is that correct?

Posted: 04/02/2014 09:04:28
by Shota Giorgobiani (Basic support level)
Joined: 04/01/2014
Posts: 4

Hi Ken,

First of all, thanks for your reply. The main idea, while we are not satisfied by iTextSharp's solution, is it's price. It's little bit high and we are considering alternatives. In other case, it's ok for us. If PDFBlackBox will provide us with same functionality with significant price difference, we are ready to use it.

So as I understand from your reply, there is actually two ways to achieve desired functionality:

1. via using additional add-on component (easy but more costy one)
2. via synchronous variant, which is more complicated but cheaper

To clarify the scenario, the business process is something like this:

1. User inputs some data in application form
2. After clicking "Complete Application" button, a new PDF is generated on server side and this PDF is textual representation of the application, this PDF must be signed using users ID card (smart card)
3. User clicks "Sign" button and is redirected to the signing page
4. User puts ID card into card reader
5. Java Applet is activated on the signing page and reads ID card data
6. Java applet calls url on the server and passes public keys to it
7. Handler, that is located on the server, opens PDF file, prepares and puts empty signature into it and uses for this users public key
8. Handler than computes hash of the signature and sends returns it in http responce
9. Java applet gets signature and signs it using private key (signature process is done in ID card chip)
10. Java applet calls second url and passed signed hash
11. handler that is located on the second url, gets signed hash, timestamps it, opens "pre-signed" PDF and puts signed hash in the empty signature place
12. handler saves PDF file, thus completes the signing process

I'd like to achieve this functionality with cheapest way, so complexity is not problem (but any sample code or documentation will be highly appreciated).

If it will be achievable without extra add-on, than PDFBlackBox will be better solution for us.
Posted: 04/04/2014 09:13:13
by Ken Ivanov (Team)

Hello Shota,

Thank you for a comprehensive description of your task. I believe your goals are quite clear for us now.

According to what you are saying, the applicability of the synchronous approach ('no DC add-on' method) is questionable. First, the synchronous method only works in scenarios where the state is preserved between signature initiation and finalization stages. As your environment is web-based, the pre-signing and finalization stages are executed within different and independent server-side execution contexts, so they can hardly be merged together in one execution flow.

Next, due to limitations of PDF signature standard, you always have to pass the public part of the signing certificate to the server on the first stage (it won't be able to create the pre-signature without having access to the public certificate of the signer).

This way, I am afraid that your scenario is the only scenario applicable to your task. There is some small chance (subject to further investigation) that we might be able to squeeze it down to exclude one step (provision of the public certificate by the applet to the server), but in either case the use of the DC module will be necessary.




Topic viewed 1642 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!