Digitally Sign and timestamp a PDF in java

StackOverflow https://stackoverflow.com/questions/17873010

Question

I would like to attach a digital signature to a PDF file in Java and then timestamp this file with a trusted timestamp authority.

How do I do this?

Was it helpful?

Solution

Export your digital certificate with private key to a pfx file.

Using iText with BouncyCastle:

Document document = new Document();
ByteArrayOutputStream baos = new ByteArrayOutputStream();
PdfWriter.getInstance(document, baos);
document.open();
document.add(new Paragraph("Hello World!"));
document.close();


    PdfReader reader = new PdfReader(baos.toByteArray());
    OutputStream os = new FileOutputStream("c:\\temp\\sign\\test.pdf");
    PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');

    // Creating the appearance
    PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
    appearance.setReason("REASON");
    appearance.setLocation("LOCATION");

    appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "sig");

    Security.addProvider(new BouncyCastleProvider());

    FileInputStream fis = new FileInputStream("c:\\ssl\\test.pfx");
    String password = "myPassword";

    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(fis, password.toCharArray());
    String alias = ks.aliases().nextElement();

    PrivateKey pk = (PrivateKey) ks.getKey(alias, password.toCharArray());
    X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

    TSAClient tsc = new TSAClientBouncyCastle("http://timestampserverURL/");
    ExternalDigest digest = new BouncyCastleDigest();
    ExternalSignature signature = new PrivateKeySignature(pk, "SHA-1", "BC");
    MakeSignature.signDetached(appearance, digest, signature, new Certificate[] { cert }, null, null, tsc, 0,
            CryptoStandard.CMS);

Maven Dependencies:

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15on</artifactId>
    <version>1.49</version>
</dependency>

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcmail-jdk15on</artifactId>
    <version>1.49</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bctsp-jdk15on</artifactId>
    <version>1.46</version>
</dependency>


<dependency>
    <groupId>com.itextpdf</groupId>
    <artifactId>itextpdf</artifactId>
    <version>5.4.2</version>
</dependency>

OTHER TIPS

You could use the Securo API, via its HTTP RESTful interface.

The applied timestamps are in RFC3161 detached format, and all timestamps are issued by Qualified Certification Authorities accredited in the EU.

Disclaimer: co-founder of securo

DigiStamp provides a PDF signing and timestamping function in the SecureTime API Toolkit, you get a link to it when you create a free test account (and get access to the test servers). The toolkit utilizes BouncyCastle and the old, free version of iText.

Qoppa has a newer toolkit with a whole range of PDF features, but charges for its use.

Disclaimer: I work at DigiStamp

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top