java - Sigining a PDF using USB driver in server client condition -
i doing project need sign pdf using usb based digital signature. have tried following code locally , able sign pdf. problem weather following code work in client server based senerio.
my code is:
import com.lowagie.text.documentexception; import com.lowagie.text.pdf.pdfreader; import com.lowagie.text.pdf.pdfsignatureappearance; import com.lowagie.text.pdf.pdfstamper; import java.io.fileinputstream; import java.io.filenotfoundexception; import java.io.fileoutputstream; import java.io.ioexception; import java.security.keystore; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.privatekey; import java.security.security; import java.security.unrecoverablekeyexception; import java.security.cert.crl; import java.security.cert.certificate; import java.security.cert.certificateexception; import javax.servlet.requestdispatcher; import org.bouncycastle.jce.provider.bouncycastleprovider; import sun.security.mscapi.sunmscapi; public class testing { private static boolean resflag; public static void main (string args[]) { try { bouncycastleprovider providerbc = new bouncycastleprovider(); security.addprovider(providerbc); sunmscapi providermscapi = new sunmscapi(); security.addprovider(providermscapi); keystore ks = keystore.getinstance("windows-my"); ks.load(null, null); string alias = (string)ks.aliases().nextelement(); privatekey pk = (privatekey)ks.getkey(alias, null); certificate[] chain = ks.getcertificatechain(alias); // //string e = request.getparameter("digifile"); // keystore ks = keystore.getinstance("pkcs12"); // string f10 = commonutil.getrealpath(); // string str8 = f10 + "/digifiles/"; // //system.out.println("str8-->>>>>>>>" + str8 + e); // ks.load(new fileinputstream("f:/digifiles/anurag goel.pfx"), "123".tochararray()); // // // system.out.println("the actual path " + str8); // string alias = (string)ks.aliases().nextelement(); // privatekey key = (privatekey)ks.getkey(alias, "123".tochararray()); // certificate[] chain = ks.getcertificatechain(alias); pdfreader reader = new pdfreader("f:/test.pdf"); fileoutputstream os = new fileoutputstream("f:/sampleoutput61.pdf"); pdfstamper stamper = pdfstamper.createsignature(reader, os, '\0',null,true); pdfsignatureappearance appearance = stamper.getsignatureappearance(); appearance.setcrypto(pk, chain, (crl[])null, pdfsignatureappearance.verisign_signed); appearance.setreason("elicense project"); appearance.setlocation("assam"); appearance.setvisiblesignature("hi"); stamper.close(); } catch (keystoreexception var27) { var27.printstacktrace(); resflag = false; } catch (nosuchalgorithmexception var28) { var28.printstacktrace(); resflag = false; } catch (certificateexception var29) { var29.printstacktrace(); resflag = false; } catch (filenotfoundexception var30) { var30.printstacktrace(); resflag = false; } catch (ioexception var31) { var31.printstacktrace(); resflag = false; } catch (unrecoverablekeyexception var32) { var32.printstacktrace(); resflag = false; } catch (documentexception var33) { var33.printstacktrace(); resflag = false; } catch (exception var34) { var34.printstacktrace(); resflag = false; } { requestdispatcher rd; } } } please give me suggestion . all
- you using wrong itext version, hence creating signatures not future proof (please read this book find out what's wrong code).
- you depending on fact operating system windows. server windows server? code won't work if it's linux server. check hosting provider , ask hosting provider if allowed have usb token on server (if it's not dedicated server, chances going refuse that).
- you using windows-my means delegate authentication operating system. if usb needs passphrase (they do), windows open dialog box fill out passphrase. if deploy on server: have sitting next server fill out password every time requests signature?
- usb tokens designed people sign document manually. have specific limitations. instance: normally, can not apply more 1 signature per second. insufficient in web context. in web context, expected use install hardware security module (hsm) on server.
while code may work on server in theory, see lot of reasons why it's not wise decision use code works on standalone machine in client/server environment. there many practical issues (such authentication, speed, wrong version of itext,...) can make project go wrong. answer "no" question whether code work in client/server scenario.
update:
in comments answer, indicate server linux server. should obvious using "windows-my" never work on linux server. you'll have use pkcs#11 instead of windows-my talk hardware device on token stored. code sample works on luna sa safenet. can see, uses pkcs#11:
import java.io.fileinputstream; import java.io.fileoutputstream; import java.io.ioexception; import java.security.generalsecurityexception; import java.security.keystore; import java.security.privatekey; import java.security.provider; import java.security.security; import java.security.cert.certificate; import java.security.cert.x509certificate; import java.util.arraylist; import java.util.collection; import java.util.list; import java.util.properties; import org.bouncycastle.jce.provider.bouncycastleprovider; import sun.security.pkcs11.sunpkcs11; import com.itextpdf.text.documentexception; import com.itextpdf.text.rectangle; import com.itextpdf.text.log.loggerfactory; import com.itextpdf.text.log.sysologger; import com.itextpdf.text.pdf.pdfreader; import com.itextpdf.text.pdf.pdfsignatureappearance; import com.itextpdf.text.pdf.pdfstamper; import com.itextpdf.text.pdf.security.bouncycastledigest; import com.itextpdf.text.pdf.security.certificateutil; import com.itextpdf.text.pdf.security.crlclient; import com.itextpdf.text.pdf.security.crlclientonline; import com.itextpdf.text.pdf.security.digestalgorithms; import com.itextpdf.text.pdf.security.externaldigest; import com.itextpdf.text.pdf.security.externalsignature; import com.itextpdf.text.pdf.security.makesignature; import com.itextpdf.text.pdf.security.ocspclient; import com.itextpdf.text.pdf.security.ocspclientbouncycastle; import com.itextpdf.text.pdf.security.privatekeysignature; import com.itextpdf.text.pdf.security.tsaclient; import com.itextpdf.text.pdf.security.tsaclientbouncycastle; import com.itextpdf.text.pdf.security.makesignature.cryptostandard; public class c4_01_signwithpkcs11hsm { public static final string src = "/home/itext/hello.pdf"; public static final string props = "/home/itext/key.properties"; public static final string dest = "/home/itext/hello_hsm.pdf"; public void sign(string src, string dest, certificate[] chain, privatekey pk, string digestalgorithm, string provider, cryptostandard subfilter, string reason, string location, collection<crlclient> crllist, ocspclient ocspclient, tsaclient tsaclient, int estimatedsize) throws generalsecurityexception, ioexception, documentexception { // creating reader , stamper pdfreader reader = new pdfreader(src); fileoutputstream os = new fileoutputstream(dest); pdfstamper stamper = pdfstamper.createsignature(reader, os, '\0'); // creating appearance pdfsignatureappearance appearance = stamper.getsignatureappearance(); appearance.setreason(reason); appearance.setlocation(location); appearance.setvisiblesignature(new rectangle(36, 748, 144, 780), 1, "sig"); // creating signature externalsignature pks = new privatekeysignature(pk, digestalgorithm, provider); externaldigest digest = new bouncycastledigest(); makesignature.signdetached(appearance, digest, pks, chain, crllist, ocspclient, tsaclient, estimatedsize, subfilter); } public static void main(string[] args) throws ioexception, generalsecurityexception, documentexception { loggerfactory.getinstance().setlogger(new sysologger()); properties properties = new properties(); properties.load(new fileinputstream(props)); char[] pass = properties.getproperty("password").tochararray(); string pkcs11cfg = properties.getproperty("pkcs11cfg"); bouncycastleprovider providerbc = new bouncycastleprovider(); security.addprovider(providerbc); fileinputstream fis = new fileinputstream(pkcs11cfg); provider providerpkcs11 = new sunpkcs11(fis); security.addprovider(providerpkcs11); keystore ks = keystore.getinstance("pkcs11"); ks.load(null, pass); string alias = (string)ks.aliases().nextelement(); privatekey pk = (privatekey)ks.getkey(alias, pass); certificate[] chain = ks.getcertificatechain(alias); ocspclient ocspclient = new ocspclientbouncycastle(); tsaclient tsaclient = null; (int = 0; < chain.length; i++) { x509certificate cert = (x509certificate)chain[i]; string tsaurl = certificateutil.gettsaurl(cert); if (tsaurl != null) { tsaclient = new tsaclientbouncycastle(tsaurl); break; } } list<crlclient> crllist = new arraylist<crlclient>(); crllist.add(new crlclientonline(chain)); c4_01_signwithpkcs11hsm app = new c4_01_signwithpkcs11hsm(); app.sign(src, dest, chain, pk, digestalgorithms.sha256, providerpkcs11.getname(), cryptostandard.cms, "hsm test", "ghent", crllist, ocspclient, tsaclient, 0); } } the content of config file used looks this:
name = luna library = /usr/lunasa/lib/libcryptoki2_64.so slot = 1 note so may in directory in case, , certificate may in slot. use properties file store password certificate. won't share password ;-)
this example tested on server owned globalsign using globalsign certificate.
Comments
Post a Comment