
I'm trying to digitally sign a pdf file using a PKCS#7 formatted signature in NodeJS.

The setup:

Node-forge does a great job at generating PKCS#7 format. I've already validated that the end output of the library fits my needs. By default pkcs7 requires an input of:

  1. Certificate that includes signer's public key
  2. Binary content to be signed
  3. Signer's private key

The problem:

I want to generate and store my signer (user) keys in HSM so the private key is not directly accessible to me. So instead of content to be signed (2.) and signer's private key (3.) I can provide the end result - the signed content as input. I haven't been able to find an option to do so in node-forge, or any other javascript library.

For reference, the openssl command requires the same 3 parameters.

I've found a solution for java, using the bouncycastle library. It gives the ability to implement ContentSigner interface. You can basically tell the library - "get the signature from here whenever you sign a file", so in theory it should be possible to create PKCS#7 with only certificate(s) and signed content.

The question:

How can I generate PKCS#7, or any other valid PDF signature format, by using only certificate and the signed file content?

  • Please provide more information in reference to your tag for Google-cloud-kms. Are you looking for a solution to apply the default pkcs7 with GCP KMS/HSM for your pdf file? – Sohail Alvi Aug 20 '20 at 02:22
  • Yes, I am using the nodejs-kms client library to [create a signature](https://github.com/googleapis/nodejs-kms/blob/master/samples/signAsymmetric.js). I want to apply that signature to pkcs7 signed data format, which will later be embedded in my pdf file. – Ivaylo Atanasov Aug 20 '20 at 07:19
  • Have you used the Google supported document on the [digital signature](https://cloud.google.com/kms/docs/digital-signatures) and [Creating and validating digital signatures](https://cloud.google.com/kms/docs/create-validate-signatures#validate_rsa_signature)? Have you observed an error while applying that signature to pkcs7 signed data format? Can you please provide me more information and the screenshots of any error message? – Sohail Alvi Aug 21 '20 at 03:42
  • Yes, I'm using kms through the client library for nodejs. I'm creating a digital signature with [signAsymmetric](https://github.com/googleapis/nodejs-kms/blob/master/samples/signAsymmetric.js) function. The problem is that I can't put that signed data directly into the pdf. According to pdf spec I need to embed it into PKCS#7 format first and I'm not sure exactly how to do that. – Ivaylo Atanasov Aug 21 '20 at 08:22

0 Answers
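One way to wrap an externally produced signature in a detached PKCS#7 SignedData structure, written as an added example that is not part of the original post and uses no library beyond Node's `Buffer`. It assumes an RSA key and SHA-256, emits no signed attributes (so the HSM signature must be computed directly over the SHA-256 digest of the signed bytes), and all function names and sample values are hypothetical.

```javascript
const hex = (h) => Buffer.from(h, 'hex');
const OID = { // DER-encoded OBJECT IDENTIFIERs
  signedData: hex('06092a864886f70d010702'), data: hex('06092a864886f70d010701'),
  sha256: hex('0609608648016503040201'), rsa: hex('06092a864886f70d010101') };
// Encode one DER element: tag, definite length, concatenated content.
function tlv(tag, ...parts) {
  const body = Buffer.concat(parts);
  let len = [body.length];
  if (body.length > 127) {
    len = [];
    for (let n = body.length; n > 0; n >>>= 8) len.unshift(n & 0xff);
    len.unshift(0x80 | len.length);
  }
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
// Decode the DER element at `off`: whole element (raw), content (body), next offset (end).
function read(buf, off = 0) {
  let len = buf[off + 1], hdr = 2;
  if (len & 0x80) { hdr += len & 0x7f; len = buf.readUIntBE(off + 2, hdr - 2); }
  const end = off + hdr + len;
  return { tag: buf[off], raw: buf.subarray(off, end), body: buf.subarray(off + hdr, end), end };
}
function children(buf) {
  const out = [];
  for (let off = 0; off < buf.length; off = out[out.length - 1].end) out.push(read(buf, off));
  return out;
}
// IssuerAndSerialNumber copied byte-for-byte out of the certificate's TBSCertificate.
function issuerAndSerial(certDer) {
  const f = children(children(read(certDer).body)[0].body);
  const i = f[0].tag === 0xa0 ? 1 : 0; // skip the optional [0] version field
  return tlv(0x30, f[i + 2].raw, f[i].raw);
}
// Assumption: `signature` is RSA PKCS#1 v1.5 over SHA-256 of the signed bytes, as returned by the HSM.
function buildDetachedPkcs7(certDer, signature) {
  const NULL = hex('0500'), v1 = hex('020101');
  const sha256 = tlv(0x30, OID.sha256, NULL);
  const signerInfo = tlv(0x30, v1, issuerAndSerial(certDer), sha256,
    tlv(0x30, OID.rsa, NULL), tlv(0x04, signature));
  const signedData = tlv(0x30, v1, tlv(0x31, sha256), tlv(0x30, OID.data),
    tlv(0xa0, certDer), tlv(0x31, signerInfo));
  return tlv(0x30, OID.signedData, tlv(0xa0, signedData));
}
// Constructed stand-ins: a skeletal certificate (not a valid one) and placeholder signature bytes.
const sampleName = tlv(0x30, tlv(0x31, tlv(0x30, hex('0603550403'), tlv(0x0c, Buffer.from('Test Signer')))));
const sampleCert = tlv(0x30, tlv(0x30, tlv(0xa0, hex('020102')), hex('02012a'),
  tlv(0x30, hex('06092a864886f70d01010b'), hex('0500')), sampleName));
const sampleSig = Buffer.alloc(256, 0xab), samplePkcs7 = buildDetachedPkcs7(sampleCert, sampleSig);
console.log(samplePkcs7.length, samplePkcs7.subarray(0, 15).toString('hex'));
```

With a real certificate in DER form and the raw signature bytes from the HSM, the result should be checked with an independent verifier before it is embedded in a PDF.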