Signing PDFs on a server document using a signature from the user
Here is what I want to do:
1. user creates document (html)
2. edit -> save PDF on server
3. ask if user wants to sign the document
   - (yes) here is the problem
   - (no) no problem
4. ???? (not important)
So now the problem I face is how to do that (yes) in step 3. If the signature is on the server, no problem: I have some html->php->pdf classes that can sign with digital signatures, but the signature must be on the server as a file. The question is, how can I do it directly on the server? The user chooses yes, the signature is read (from his reader on his computer) and sent to the server, and signing is done. Here I believe I can't do it without something like Java or so. In my opinion PHP and JavaScript sure as hell aren't going to be enough for this action.
Has anyone ever encountered a problem like that? Maybe some ready to use library?
P.S. not quite sure if the tags are correct, but couldn't figure out which to put.
Solution 1:
If the certificate with a private key is on the client, then you need a client-side module to do signing. JavaScript won't be enough as it won't have access to the key on the client. While you can try calling CAPICOM from JavaScript, this is a partial (no PKCS#11 support), Windows-specific and obsolete solution. A better option is to have a browser applet written in Java that will perform signing (see below).
Our SecureBlackbox product has a distributed signature add-on which does exactly what you describe (PHP, Java, ASP.NET and compiled modules are supported at the moment). You can see the scheme how the add-on works:
In our product we offer pre-built browser modules - Java Applet, ActiveX control and Flash applet, yet the Java applet is in most cases enough as it can access PKCS#11 storages and the Windows Certificate storage on Windows. For browsers that don't support Java applets, SecureBlackbox allows you to use the applet via Java Web Start, as an external "application".
You will probably need to re-create this complete scheme, however it's a big trick to calculate the hash on the server and pass it to the client for signing and then embed the signature back to the document.
It would probably be easier to transfer the complete document to the client and have a Java applet that will sign that document using iText or the Java edition of our SecureBlackbox and then upload the document back to the server.
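
The hash-on-server, sign-on-client, embed-on-server round trip described in the answer above, as an added example that is not part of the original post and not SecureBlackbox code. Both roles run in one Node.js process, `signOnClient` stands in for the client-side module that holds the key, and the slot layout and function names are assumptions. It embeds a raw RSA signature rather than the CMS container a real PDF signature carries.

```javascript
// Added example: names and the slot layout are illustrative assumptions, not a real PDF writer.
const crypto = require('crypto');

// DER header of a SHA-256 DigestInfo (RFC 8017, section 9.2); the 32-byte hash follows it.
const DIGESTINFO_SHA256 = Buffer.from('3031300d060960864801650304020105000420', 'hex');
const SLOT_HEX_LEN = 512; // hex characters reserved for a 256-byte (RSA-2048) signature

// Hash every byte except the reserved slot, as a PDF /ByteRange does around /Contents.
function hashOutsideSlot(doc, offset) {
  return crypto.createHash('sha256')
    .update(doc.subarray(0, offset))
    .update(doc.subarray(offset + SLOT_HEX_LEN))
    .digest();
}

// Server, step 1: reserve a zero-filled slot and compute the digest to send to the client.
function prepareOnServer(body) {
  const head = Buffer.from(body + '\n/Contents <');
  const doc = Buffer.concat([head, Buffer.alloc(SLOT_HEX_LEN, '0'), Buffer.from('>\n')]);
  return { doc, offset: head.length, digest: hashOutsideSlot(doc, head.length) };
}

// Client module: receives only the 32-byte digest; the private key never leaves this function.
function signOnClient(privateKey, digest) {
  if (!Buffer.isBuffer(digest) || digest.length !== 32) throw new Error('expected a SHA-256 digest');
  // privateEncrypt applies PKCS#1 v1.5 type-1 padding, i.e. the RSASSA-PKCS1-v1_5 signing step.
  return crypto.privateEncrypt(privateKey, Buffer.concat([DIGESTINFO_SHA256, digest]));
}

// Server, step 2: verify over its own copy of the bytes, then write the signature into the slot.
function embedOnServer(doc, offset, signature, publicKey) {
  const signedBytes = Buffer.concat([doc.subarray(0, offset), doc.subarray(offset + SLOT_HEX_LEN)]);
  if (signature.length * 2 !== SLOT_HEX_LEN ||
      !crypto.verify('sha256', signedBytes, publicKey, signature)) {
    throw new Error('signature does not match the prepared document');
  }
  const out = Buffer.from(doc);
  out.write(signature.toString('hex'), offset, 'latin1');
  return out;
}

// Constructed demo: a throwaway key pair stands in for the user's token or certificate store.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const { doc, offset, digest } = prepareOnServer('%PDF-1.7 constructed sample body');
  const signed = embedOnServer(doc, offset, signOnClient(privateKey, digest), publicKey);
  return { publicKey, privateKey, doc, offset, digest, signed };
}
```

The server checks the returned signature against bytes it kept itself, never against a digest echoed back by the client. The client module in this flow signs a digest without seeing the document it belongs to.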