I'm trying to digitally sign a PDF file using a PKCS#7 formatted signature in NodeJS.
The setup:
Node-forge does a great job at generating PKCS#7 format. I've already validated that the end output of the library fits my needs. By default pkcs7 requires an input of:
- Certificate that includes signer's public key
- Binary content to be signed
- Signer's private key
The problem:
I want to generate and store my signer (user) keys in an HSM so the private key is not directly accessible to me. So instead of the content to be signed (2.) and the signer's private key (3.), I can provide the end result, the signed content, as input. I haven't been able to find an option to do so in node-forge, or in any other JavaScript library.
For reference, the openssl command requires the same 3 parameters.
I've found a solution for Java, using the BouncyCastle library. It gives the ability to implement the ContentSigner interface. You can basically tell the library "get the signature from here whenever you sign a file", so in theory it should be possible to create PKCS#7 with only certificate(s) and signed content.
The question:
How can I generate PKCS#7, or any other valid PDF signature format, by using only the certificate and the signed file content?