Sign a PDF document with a USB token

Users are able to sign a PDF document offline using client software and their private key holders.

The client software is a Java-based application that is downloaded and started on the user's demand.

The private key holder is a USB device holding multiple private keys and digital certificates that can be used for digital signatures.

Requirements

To run the Java application, the user must have a JRE (Java Runtime Environment) installed on their workstation. Oracle JRE 8 can be downloaded from the official Java SE Downloads page. JRE 8 is mandatory for the program to run.

The private key and digital certificate used for the digital signature are read from the USB device. To read them, the application requires the appropriate drivers to be installed in the target operating system.

Java and JNLP

The Java application is started from the web browser by choosing the "client" signature option in the Signing provider section. The browser downloads a JNLP file to the local workstation and tries to execute it automatically. If automatic execution fails, the user can start the JNLP file manually.

JNLP stands for "Java Network Launch Protocol".

When running the application, the JRE has to download all required sources from the Internet before starting the application.

Java and Security

By default, Java does not allow execution of applications from untrusted sources, so the application has to be signed with a trusted digital certificate. The application also uses external libraries and dependencies signed by another vendor. Because of that, the application might ask the user to confirm usage of such external sources, for example the Bouncy Castle cryptography library:

External sources warning

Signer certificate selection

On startup, the application tries to find an appropriate security provider driver. It searches for drivers in the common directories for the running operating system.

If a driver file is found, the application asks the user to confirm that it is the correct one and offers the option to choose another driver file manually.

With a properly selected security provider driver and an (optional) keystore password, the user gets a list of the available signer certificates (stored on the USB device). After the user selects a signer certificate and enters the (optional) correct password, the application displays the document.

Signature

The application allows the user to add a textual or image signature to the document. After the user places the signature at the desired position on the selected page and chooses the "Sign the document" action button, the document is signed with the selected signer certificate.

Optionally, if the document owner has pre-selected a position for the user's signature, the user can add the signature only at the pre-selected page and position in the document.

When a textual signature is added to the document, the signature text is read from the selected signer's certificate; the CommonName value of the certificate is used.
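
How the signer certificate list and the CommonName used for a textual signature can be obtained, as an added example that is not the application's own code. It assumes the "security provider driver" is a PKCS#11 library loaded through Java 8's SunPKCS11 provider; the class TokenSigners, its methods and the provider name UsbToken are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class TokenSigners {
    // CommonName of the certificate subject, or null when the subject has none.
    // LdapName parses the RFC 2253 string, so escaped commas and multi-valued
    // RDNs are handled correctly instead of being split naively on ','.
    static String commonName(X509Certificate cert) throws Exception {
        List<Rdn> rdns = new LdapName(cert.getSubjectX500Principal().getName()).getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) {   // most specific RDN first
            Attribute cn = rdns.get(i).toAttributes().get("CN");
            if (cn != null) return String.valueOf(cn.get());
        }
        return null;
    }

    // Maps alias -> CommonName for every token entry that has a private key.
    // driverPath is the driver file the user confirmed (assumed PKCS#11); pin may be null.
    static Map<String, String> listSigners(String driverPath, char[] pin) throws Exception {
        String config = "name = UsbToken\nlibrary = " + driverPath + "\n";
        Provider provider = new sun.security.pkcs11.SunPKCS11(   // Java 8 only
                new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8)));
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, (pin == null || pin.length == 0) ? null : pin);
        Map<String, String> signers = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (ks.isKeyEntry(alias) && cert instanceof X509Certificate) {
                signers.put(alias, commonName((X509Certificate) cert));
            }
        }
        return signers;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        char[] pin = console == null ? null : console.readPassword("Token PIN (Enter for none): ");
        listSigners(args[0], pin).forEach((alias, cn) -> System.out.println(alias + " -> " + cn));
    }
}
```

The PIN is read with Console.readPassword rather than taken from the command line, so it does not appear in the process list or shell history.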

Configuration

The application stores its configuration in the user's home directory.

Configuration allows user to: