Digitally signing a PDF with the Cloud Signature Consortium

One of the unmistakable trends with digital signatures is the move towards network-based signing services. Signing remotely is not difficult - upload a hash, download a signature - so there has been a proliferation of these services from vendors. The BFO PDF Library has support for the API from GlobalSign (we've blogged about that here and here).

The Cloud Signature Consortium is, unsurprisingly, a consortium of cloud-based signature providers, and they have published a standard API which we hope will be adopted by vendors rather than rolling their own. BFO is not a member of this consortium but their API is public, and we've now written an implementation of it in Java

We've also made the decision to publish this API as open-source at https://github.com/bfocom/netkeystore, for several reasons: partly because as it presents as a standard java.security.KeyStore it can be used with any Java signing process, not just our PDF API, but also because with many vendors we antipate this may grow beyond something we want to maintain ourselves.

It's trivial to use: after creating a YAML configuration file describing your Cloud Signature Consortium-based key, signing simply looks like this

import com.bfo.netkeystore.client.NetProvider;
import java.security.*;
import java.io.*;
import org.faceless.pdf2.*;

Provider provider = new NetProvider();
provider.load(new FileInputStream("config.yaml"));
KeyStore keystore = KeyStore.getInstance(NetProvider.KEYSTORE_TYPE, provider);
keystore.load(null, password);
PDF pdf = new PDF(new PDFReader(new FileInputStream("input.pdf")));
FormSignature sig = new FormSignature();
SignatureHandlerFactory sigfactory = new AcrobatSignatureHandlerFactory();
sig.sign(keystore, alias, password, sigfactory);
pdf.getForm().getElements().put("Sig", sig);
pdf.render(new FileOutputStream("signed.pdf"));
  

More details are at the project page: https://github.com/bfocom/netkeystore