HSM Certification of PDF with the Datalogics PDF Java Toolkit

HSM Certification of PDF with the Datalogics PDF Java Toolkit

Sample of the Week:

Joel GeraciInformation Assurance is at the top of mind for every developer and IT manager these days so certifying your PDF files is more important than ever. Many business transactions in regulated industries, like financial services, pharmaceuticals, manufacturing, and governmental organizations, require a high level of assurance when documents are distributed electronically. Information Assurance, at least where PDF is concerned has two primary components, document authenticity and document integrity. Basically, did the document come from the organization that it claims to come from and can you confirm that it has not been modified in transit?

Adobe Acrobat allows authors to manually “certify” a document with a hidden digital signature so their recipients can verify it’s authenticity without modifying the appearance of the page. This can be critical for evidentiary documentation but is also important for branded documents, bank statements, regulations etc.

The user interface in Adobe Acrobat and Adobe Reader will prominently display the certification status of a document and let you know if there is, or is not, a problem with it’s authenticity. The blue ribbon in the blue bar indicates that the document has a valid certification.

screen-shot-hsm-certified
However, Acrobat can certify a document with just about any kind of digital certificate, including a certificate that end users create themselves; ones that aren’t backed up by a certificate authority and as a desktop product, it doesn’t lend itself to processing thousands of documents in the way that a server can.

That’s where this Sample of the Week comes in. For server-based PDF document certification, the Datalogics PDF Java Toolkit sample HSMCertifyDocument demonstrates how to apply a certifying signature to a PDF document using a Luna SA HSM device, created by SafeNet, Inc.

The HSM technology is designed to keep the private key completely secure. It is impossible to read or edit a private key stored on the HSM or copy it to another device. The private key never leaves the HSM, so it cannot be compromised and the device has a variety of security measures to block unauthorized access, including a feature that will automatically erase all content on the HSM if it loses power.

Code Snippet:

private static Credentials loadLunaCredentials(String password,
		String keyLabel,String certLabel) throws Exception {
	// Add the Luna Security Provider if it is not already in the list of 
	// Java Security Providers
    if (Security.getProvider("LunaProvider") == null) {
        System.out.println("Adding LunaProvider");
        Security.addProvider(new com.safenetinc.luna.provider.LunaProvider());
    }
    try {
    	// Obtain the Luna Keystore - Access the LunaSA via PKCS11 through
    	// the Luna Provider
        KeyStore lunaKeyStore = KeyStore.getInstance("Luna");
        lunaKeyStore.load(null, null); // Can be null-null after login
        
        // List the LunaSA contents
        System.out.println("Luna Keystore contains");
        Enumeration<String> aliases = lunaKeyStore.aliases();
        while (aliases.hasMoreElements()) {
            String keyStoreObj = aliases.nextElement();
            System.out.println("\t-" + keyStoreObj);
        }
        
        // Retrieve the PrivateKey and Certificate by labels
        PrivateKey privateKey = (PrivateKey) lunaKeyStore.getKey(keyLabel, password.toCharArray());
        X509Certificate cert = (X509Certificate) lunaKeyStore.getCertificate(certLabel);
        X509Certificate[] certChain = new X509Certificate[1];
        certChain[0] = cert;
        
        // Create credentials
        CredentialFactory credentialFactory = CredentialFactory.newInstance();
        PrivateKeyHolder pkh = PrivateKeyHolderFactory.newInstance().createPrivateKey(privateKey, "LunaProvider");
        return credentialFactory.createCredentials(pkh, certChain[0], certChain);
        
    } catch (Exception e) {
        System.out.println("Exception while obtaining LunaSA Credentials: "
                + e.getMessage());
        e.printStackTrace();
        throw e;
    }
}

Luna SA is the most trusted general purpose HSM on the market and the Adobe PDF Java Toolkit can be used with the Luna SA client (LunaProvider.jar) to communicate with the HSM to add certifying signatures to any PDF file. By integrating the Luna SA HSM, Datalogics can help you engineer software, systems and services that offer unparalleled Information Assurance for the PDF files that you need to distribute.

View and download HSMCertifyDocument sample or get all the samples and documentation by requesting an evaluation of the Datalogics PDF Java Toolkit.

Leave a Reply

Your email address will not be published. Required fields are marked *