Q: Can jPDFSecure apply digital signatures using a hardware token?
A: Yes, our two Java PDF libraries, jPDFSecure and jPDFProcess, can apply a digital signature to PDF documents using a hardware token through PKCS#11.
Sample Code
// Load token configuration file and register provider
// (this constructor is available up to Java 8; on Java 9 and later use
// Security.getProvider("SunPKCS11").configure(configName) instead)
String configName = "pkcs11.cfg";
Provider p = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(p);

// Create key store ("tokenpwd" is a sample value for the token password)
KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, "tokenpwd".toCharArray());

// Get the alias of the first entry in the keystore
Enumeration<String> aliases = ks.aliases();
if (!aliases.hasMoreElements())
{
    System.out.println("No digital IDs found in token.");
    System.exit(-1);
}
String idAlias = aliases.nextElement();

// Load PDF document with jPDFSecure
PDFSecure pdf = new PDFSecure("input.pdf", null);

// Add a signature field to the document
SignatureField signField = pdf.addSignatureField(0, "SignHere", new Rectangle2D.Double(180, 72, 200, 60));

// Create signature information from the keystore
SigningInformation signingInfo = new SigningInformation(ks, idAlias, "password");

// Sign and save the document
pdf.signDocument(signField, signingInfo);
pdf.saveDocument("signed.pdf");
Download Full Java sample code for signing using PKCS#11
Windows
On Windows, it is possible to use the Windows store to read PKCS11 certificates. Read this KB entry about signing a PDF with Windows IDs in Java. But you can also use the sample above.
Sample configuration file pkcs11.cfg for Windows:
name = SafeNetToken
library = C:\Windows\system32\eTPKCS11.dll
slot = 2
Linux
On Linux, to use PKCS#11, Java requires a token configuration file that points to the native library that provides access to the hardware token.
Sample configuration file pkcs11.cfg for Linux:
name = SafeNetToken
library = /usr/lib/libeTPkcs11.so
slot = 0
Mac
On Mac, it is normally possible to use the Mac store to read PKCS11 certificates, but an issue has been reported on some Mac versions where the certificate cannot be accessed. The other option is to access the hardware token using the token configuration file, with the same approach mentioned for Linux.
Sample configuration file pkcs11.cfg for Mac:
name = Safenet eToken 5100
library = /usr/local/lib/libeTPkcs11.dylib
Try with PDF Studio First!
To create and test your configuration file on your machine, we suggest you use our user-friendly desktop PDF editor PDF Studio Pro (free demo version available). Read more below:
Setting up PKCS11 smart card signing with configuration file on Ubuntu.
Setting up a PKCS11 smart card signing with configuration file on the Mac.