APPENDIX D
Signing a PDF with a smart card
In chapter 16, you learned how to add a digital signature to a PDF document
using a (self-signed) certificate and a private key that is present somewhere on the
file system. I also mentioned that this certificate and key are sometimes stored on
a smart card.
Figure D.1 shows an example of such a smart card. It’s a copy of my identity card.
Figure D.1 A smart card containing my personal information
Belgium is one of the first countries in the world to issue an electronic identity
card (eID) as official proof of identity for its citizens. This identity card looks like a
regular bankcard, with basic identity information in visual format, such as personal details and a photograph. It also contains a chip that stores the same information
that is printed on the card, plus the address of the card holder and the identity and
signature keys and certificates.
The next example (written by Philippe Frankinet) uses this special card to add
a digital signature to a PDF document. This example requires middleware that is
specific to the type of smart card and smart card reader you’re using. It’s impossible to write a universal example that will work for every device and every type of
card. The example is provided for your interest only; you’ll have to adapt it
according to the requirements of your project:
import java.io.FileOutputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import be.godot.sc.engine.BelpicCard;
import com.lowagie.text.Rectangle;
import com.lowagie.text.pdf.*;

Certificate[] certs = new Certificate[1];
BelpicCard scd = new BelpicCard("");
certs[0] = scd.getNonRepudiationCertificate();                        // B: certificate read from the card
PdfReader reader = new PdfReader("unsigned.pdf");
FileOutputStream fout = new FileOutputStream("signed.pdf");
PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stamper.getSignatureAppearance();
sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED); // C: no private key is handed to iText
sap.setReason("How to use iText a Belgian eID");
sap.setLocation("Belgium");
sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
sap.setExternalDigest(new byte[128], new byte[20], "RSA");           // D: reserve room for an external RSA signature over a SHA-1 digest
sap.preClose();
PdfPKCS7 sig = sap.getSigStandard().getSigner();                      // E
// streamToByteArray is a helper (not shown in the book) that reads the stream to its end
byte[] content = streamToByteArray(sap.getRangeStream());
byte[] hash = MessageDigest.getInstance("SHA-1").digest(content);    // F: hash of the signed byte range
byte[] signatureBytes = scd.generateNonRepudiationSignature(hash);   // G: the card signs the hash with its on-card key
sig.setExternalDigest(signatureBytes, null, "RSA");
PdfDictionary dic = new PdfDictionary();
dic.put(PdfName.CONTENTS,
    new PdfString(sig.getEncodedPKCS1()).setHexWriting(true));
sap.close(dic);                                                       // H: writes the CONTENTS entry into the signature
This example is quite different from the examples you’ve seen elsewhere. In
chapter 16, you learned how to retrieve the certificate and the private key from a
keystore. Now you have to fetch the certificate from the smart card B. After you
create a reader and a stamper object, you create a signature appearance.
You don’t pass the private key to the method setCrypto() C. The private key
is on the smart card, and there would be a serious security problem if you could
read this private key. You have to sign the hash externally on the smart card reader
D. To achieve this, you create a PdfPKCS7 instance E. PdfPKCS7 is a class that does
all the processing related to signing. You create a hash of the document’s contents
F and use the middleware to sign it G. The signature appearance is stored as a PDF
dictionary; sap.close() adds the CONTENTS entry to the signature H.
This example uses the GoDot library. This library was written by Danny De
Cock, and it can only be used with the Belgian eID. The object be.godot.sc.engine.BelpicCard retrieves the certificate B and signs the hash G. You’ll have
to replace these lines with code that addresses software that is specific to your
type of smart card and smart card reader.
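As an added example (not from the book, and not GoDot code), here is the same external-signature flow with the card reached through Java's generic PKCS#11 provider instead of the eID-specific BelpicCard class, so that only the vendor middleware library named in the config file changes from one card to another. It assumes the iText 2.x API used above, Java 8's sun.security.pkcs11.SunPKCS11 constructor, and a constructed pkcs11.cfg with a placeholder library path and PIN.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;
import com.lowagie.text.Rectangle;
import com.lowagie.text.pdf.*;

public class Pkcs11SignExample {
    public static void main(String[] args) throws Exception {
        // pkcs11.cfg is a constructed SunPKCS11 config file, for example:
        //   name = SmartCard
        //   library = /PATH/TO/VENDOR/pkcs11-middleware.so   (placeholder path)
        Provider p11 = new sun.security.pkcs11.SunPKCS11("pkcs11.cfg");
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, "0000".toCharArray()); // placeholder PIN; prompt for it in real code
        String alias = null; // first entry that has a private key object on the card
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) { alias = a; break; }
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        // Only a handle: a PKCS#11 private key is never exported from the card.
        PrivateKey keyHandle = (PrivateKey) ks.getKey(alias, null);
        int sigLen = ((RSAPublicKey) chain[0].getPublicKey()).getModulus().bitLength() / 8;
        PdfReader reader = new PdfReader("unsigned.pdf");
        PdfStamper stamper = PdfStamper.createSignature(reader, new FileOutputStream("signed.pdf"), '\0');
        PdfSignatureAppearance sap = stamper.getSignatureAppearance();
        sap.setCrypto(null, chain, null, PdfSignatureAppearance.SELF_SIGNED); // no key given to iText
        sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
        sap.setExternalDigest(new byte[sigLen], new byte[20], "RSA"); // reserve room: RSA signature + SHA-1 digest
        sap.preClose();
        // SHA-1 only because adbe.x509.rsa_sha1 (SELF_SIGNED) prescribes it; the token applies
        // the private key to the DigestInfo internally and iText never sees the key.
        Signature rsa = Signature.getInstance("SHA1withRSA", p11);
        rsa.initSign(keyHandle);
        InputStream range = sap.getRangeStream();
        byte[] buf = new byte[8192];
        for (int n; (n = range.read(buf)) > 0;) rsa.update(buf, 0, n);
        PdfPKCS7 sig = sap.getSigStandard().getSigner();
        sig.setExternalDigest(rsa.sign(), null, "RSA");
        PdfDictionary dic = new PdfDictionary();
        dic.put(PdfName.CONTENTS, new PdfString(sig.getEncodedPKCS1()).setHexWriting(true));
        sap.close(dic);
    }
}
```

On Java 9 and later the provider is obtained with Security.getProvider("SunPKCS11").configure("pkcs11.cfg") instead of the constructor; the rest of the flow is unchanged.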
If you need to know more about external hashes and/or external signatures,
consult the online how-to examples written by Paulo Soares: http://itextpdf.sourceforge.net/howtosign.html.
If you want to know more about the Belgian eID, read my presentation notes
for GovCamp Brussels: http://itext.ugent.be/articles/eid-pdf/.