
Web : Send (and Encrypt) & Sign PDF file

Posted: 02/01/2016 08:37:02
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39


I need some advice for my needs.
I need to :
- send a PDF (and encrypt it on server),
- sign it,
- check CRL
- check user certificate with customer CA

I didn't find the list of examples detailed with their contents (which example does what).

Could you tell me where I can find each part in your examples, please?

Is there a simple way to do that without cryptoModules? (The customer wants to upload & sign in 1 operation.) If it needs a lot of work to secure the communication (identify the sender, secure the communication, send all data file/certificate/string fields in an easy way (need RMI or other?))

If I use your DCWeb example, is the communication through the applet secure?

And one more thing: my file is encrypted (encryption with a secret key stored in a keystore) on the server side.
So, if I sign the server-side file, it will be an encrypted file. Can your API manage this use case?

Otherwise, I'll have to sign in the applet (is this possible without writing this signed file?), and find how to send it to the server, with the certificate below (for CRL and CA checking), or find out how to check that with a final encrypted file.

Thanks for your reply.

Posted: 02/01/2016 09:49:40
by Dmytro Bogatskyy (Team)

Thank you for contacting us,

- send a PDF (and encrypt it on server),
- sign it,

Yes, you can sign a PDF document and encrypt it simultaneously, or it is possible to sign an encrypted document, but it is not possible to encrypt a signed document. To sign an encrypted document the component will need to know the password or the certificate with the private key that is needed for document decryption.
For details, please take a look at the PDFBlackbox\Desktop\SecurePDF sample.
- check CRL
- check user certificate with customer CA

I welcome you to read a couple of articles about proper certificate validation. The articles are: "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php ), "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php ), "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php )
The sample can be found in <SecureBlackbox>\Samples\<language>\PKIBlackbox\Desktop\CertValidator directory after you install SecureBlackbox on your computer.

If I use your DCWeb example, is the communication through the applet secure?

The DCWeb sample communicates via HTTP. However, you can set up your web server to communicate via HTTPS only.

Posted: 02/01/2016 10:03:10
by Ken Ivanov (Team)

Hi Yann,

Thank you for contacting us.

I believe we need some more details about your task from you to come up with a fully qualified answer. So we'd better clarify what exactly you need to do first, and then we could speak about the instruments.

First of all, it is not entirely clear exactly which operations (signing/encryption) are to be applied to the file at each stage and where the encryption/signing keys are stored. Encryption and signing are independent operations, and with PDF you can normally do those in parallel.

So, could you please elaborate on the exact operation you need to perform at each step (with a bit more granularity than in your message above)?

Posted: 02/01/2016 10:25:03
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Ken,

first, thanks for your reply.

As you asked, I'll try to detail what I (our application) am expected to do.

The customer wants, through their web browser, within our application (web side is ExtJS 3.4, server side is J2EE Spring 3/DWR/Servlet modules):

Client side:
- select a file from their filesystem,
- sign it,
- retrieve the checksum of the signed PDF,
- and upload it (with its checksum)

Server side:
- check the certificate through the CA,
- check the certificate against the customer CRL,
- then encrypt (while writing) the file with a secret key stored in a keystore (THIS PART ALREADY EXISTS: the encryption side is already written and validated; all files are encrypted like this, not only PDF files)

So I need your security skills on these points.

Because the private key is not exportable and usable in JavaScript, we may need an applet.

I hope this is detailed enough.


Posted: 02/01/2016 11:29:49
by Ken Ivanov (Team)

Hi Yann,

Thanks so much for the clarification, I believe your goal is fairly clear now.

At first glance there is no need for DC modules in your scheme. You can leverage SecureBlackbox for Java to build the in-browser signing part. The exact set of components to be used at this stage depends on the signing standard you need to follow (primarily, whether or not you need to insert CRLs, OCSP responses or timestamps into your signatures). After signing you can use SecureBlackbox to submit the created signed file, together with its checksum, to your web server. You can do that via HTTPS to guarantee the authenticity and confidentiality of the connection. This can be done 'in one step' (signing + upload).

Examples you need to implement the client:

1) PDF TinySigner: signs a PDF with certificate (or, alternatively, TinySignerPKCS11: signs a PDF with certificate residing on a hardware device);

2) HTTPPost: uploads a document to a web server.

As for the server side, implementing it with SecureBlackbox is quite straightforward. Basically, you verify your signature with PDFBlackbox components first, and use TElX509CertificateValidator to validate the signing certificate against its CA and revocation information sources.

Relevant resources:

3) PDF TinyProcessor: verifies a PDF;

4) Knowledgebase articles and how-to's on employing TElX509CertificateValidator for validating certificate chains. We will be happy to help you with that here in the forum too.

In case you need to use PAdES (advanced) signatures, a better PDF sample would be

5) PAdES from the PDF directory.

Posted: 02/01/2016 11:54:41
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Ken for your reply.

I have a question that is, at this time, unanswered.

You told me that: "This can be done 'in one step' (signing + upload)."
QUESTION: Are you telling me that the digital signing can be done in memory? (no need to write on the user's client side)

The problem is the same on the server side:
I receive a stream, and have to encrypt it to store it in a file.
QUESTION: Can I use your API to check CRL and CA from a stream, without writing it? Because the only file that will be written will be an encrypted file (not a PDF encryption standard).
If that is not possible, the other way is to post the certificate alongside, from the client. So, when receiving on the server side, I already have the certificate to check both CRL and CA (QUESTION: can your API do it from a certificate instead of a PDF file??)

For the PAdES signature, I don't know; the customer only asks for a digital signature in the PDF file (the signature type isn't specified).

Thanks for all your help, I appreciate it a lot and see step by step more clearly where I'm going.

Posted: 02/01/2016 12:54:13
by Ken Ivanov (Team)


Yes, you can do that in memory if you need to (of course, subject to reasonable document size).

The same applies to the server side. All SecureBlackbox classes support serialization and deserialization from streams, so a purely in-memory, stream-based approach is easily accomplishable.

The TElX509CertificateValidator component works with certificates, so you can use it to validate certificates taken from a PDF document as well as standalone ones.

Posted: 02/02/2016 09:56:32
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Ken,

thanks for this good news!

For the first question (signing in memory), I can't find how to load from a stream, sign the document, then write to another stream.

The only resource I've found is

And I found nothing useful in the knowledge base (searching for "pdf memory load").

When I look at the hierarchy of the TElStream class, I find a lot of classes, but no documentation for each one.
I think it would be TElMemoryStream, but I would like to find where the documentation of all classes is.

This is an example of the documentation I found:
This resource doesn't help to understand it.

Could you help me with that, please?

Thanks a lot

Posted: 02/02/2016 10:05:30
by Eugene Mayevski (Team)

Yes, you need to use TElMemoryStream. Could you please clarify exactly what problem you are having with this class? You create an instance of the class, save the data to it, then reset the position to 0 and pass it to the PDF component. After calling TElPDFDocument.Save() you get the new data in the TElMemoryStream. You need to reset the position to 0, then read the data into a buffer or copy it to another stream.

Sincerely yours
Eugene Mayevski

Posted: 02/02/2016 10:17:21
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Eugene,

thanks for your reply, I'll try it.

But I'm facing a problem:
it's very difficult to test this API without complete Javadoc documentation (a complete description of each class, a description of each method, each parameter, and so on...).
Am I missing something? Is there a place where I could find this full documentation?
