Self-signed, sealed and delivered

Objective: digitally sign a PDF using JSignPdf, an open source Java application.

Requires Java.

In Windows PowerShell:

java -version
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) Client VM (build 25.121-b13, mixed mode)

Downloaded version: JSignPdf_setup_1.6.0_wjre.exe

Installed as C:\Program Files (x86)\JSignPdf

Documentation:

java -jar JSignPdf.jar --help

Get a list of supported keystores:

java -jar JSignPdf.jar -lkt
DEBUG Relaxing SSL security.
INFO Available key store types:
BCPKCS12
BKS
BOUNCYCASTLE
CASEEXACTJKS
DKS
JCEKS
JKS
PKCS12
PKCS12-3DES-3DES
PKCS12-3DES-40RC2
PKCS12-DEF
PKCS12-DEF-3DES-3DES
PKCS12-DEF-3DES-40RC2
WINDOWS-MY
WINDOWS-ROOT

JKS is the Java keystore format. The keytool.exe tool lives in C:\Program Files\Java\jdk1.8.0_144\bin. Add that directory to the PATH environment variable for easy access (in PowerShell, check with echo $Env:PATH).

Generate a keystore:

keytool -genkey -dname "cn=procedure check, ou=checker, o=check, c=NL" -keyalg RSA -alias procedurecheck -keystore keystore.jks -storepass secret -validity 360 -keysize 2048

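A keystore file named keystore.jks is generated. Note that passing -storepass on the command line leaves the password in the shell history; when the option is omitted, keytool prompts for it instead.

Get the details: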

keytool -list -v -keystore keystore.jks > outputfile

The results are written to the file outputfile:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: procedurecheck
Creation date: 2-sep-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=procedure check, OU=checker, O=check, C=NL
Issuer: CN=procedure check, OU=checker, O=check, C=NL
Serial number: 35c7a9d9
Valid from: Sat Sep 02 16:19:00 CEST 2017 until: Tue Aug 28 16:19:00 CEST 2018
Certificate fingerprints:
 MD5: A9:E2:38:81:31:2C:FF:D5:C5:68:68:03:B8:70:E8:68
 SHA1: 4A:60:98:01:06:12:4A:74:EF:0E:71:C3:81:B7:43:4B:EC:E9:DD:58
 SHA256: 8A:16:A9:72:D2:80:2A:05:E4:EB:44:51:6E:14:6E:AB:32:AC:22:0A:21:BD:F7:8D:CF:6A:1A:55:FE:C5:FD:CF
 Signature algorithm name: SHA256withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 89 EB 92 84 95 13 90 3D CF 62 1D 4B 08 68 C3 37 .......=.b.K.h.7
0010: 44 FB 0D 91 D...
]
]

Then run:

java -jar JSignPdf.jar --keystore-type JKS --keystore-file keystore.jks --keystore-password secret doc.pdf

DEBUG Relaxing SSL security.
INFO Checking input and output PDF paths.
INFO Getting key alias
INFO Used key alias: procedurecheck
INFO Loading private key
INFO Getting certificate chain
INFO Opening input PDF file: doc.pdf
INFO Creating output PDF file: ./doc_signed.pdf
INFO Creating signature
INFO Setting certification level
INFO Processing (it may take a while) ...
INFO Closing result PDF stream
INFO Finished: Signature succesfully created.
PS C:\Program Files (x86)\JSignPdf>

 

This creates the file doc_signed.pdf, which can be opened in a PDF reader such as Acrobat Reader. Because the certificate is self-signed, the reader cannot chain it to a trusted root and flags an error with the certificate.

Use keytool to export the certificate from the keystore:

keytool -export -alias procedurecheck -keystore keystore.jks -keypass secret -storepass secret -file MJ.cer
Certificate stored in file <MJ.cer>

Then add the certificate to the list of trusted certificates in the reader:

edit >> preferences >> signatures >> Identities & Trusted Certificates >> more >> trusted certificates >> import

Then, in edit trust, make sure the certificate is marked as a trusted root.

Adobe now trusts the document as issued by procedurechecker:

Signed and all signatures are valid
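
Before marking MJ.cer as a trusted root, it is worth confirming that the exported file really is the certificate listed in the keystore. The Python script below is an added example, not part of the original post or of JSignPdf: it compares the SHA256 fingerprint in the keytool listing with the hash of the exported file. The function names and the script name check_cert.py are assumptions; MJ.cer and outputfile are the files created in the steps above.

```python
import base64
import hashlib
import re
import sys

# Constructed sample: fingerprint values taken from the listing on this page,
# with the SHA256 value wrapped across two lines to exercise the parser.
KEYTOOL_OUTPUT = """\
Certificate fingerprints:
 MD5: A9:E2:38:81:31:2C:FF:D5:C5:68:68:03:B8:70:E8:68
 SHA1: 4A:60:98:01:06:12:4A:74:EF:0E:71:C3:81:B7:43:4B:EC:E9:DD:58
 SHA256: 8A:16:A9:72:D2:80:2A:05:E4:EB:44:51:6E:14:6E:AB:32:AC:22:0A:
21:BD:F7:8D:CF:6A:1A:55:FE:C5:FD:CF
 Signature algorithm name: SHA256withRSA
"""

def decode_listing(raw):
    """Decode redirected keytool output; Windows PowerShell's '>' writes UTF-16 with a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def keytool_sha256(listing):
    """Return the SHA256 fingerprint from 'keytool -list -v' text as 64 lowercase hex chars."""
    m = re.search(r"SHA256:\s*((?:[0-9A-Fa-f]{2}[:\s]*){32})", listing)
    if not m:
        raise ValueError("no complete SHA256 fingerprint in keytool output")
    return re.sub(r"[^0-9A-Fa-f]", "", m.group(1)).lower()

def cert_sha256(data):
    """SHA-256 of the certificate's DER bytes; accepts DER or PEM (keytool -export -rfc)."""
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    if begin in data:
        body = data.split(begin, 1)[1].split(end, 1)[0]
        data = base64.b64decode(b"".join(body.split()))
    return hashlib.sha256(data).hexdigest()

def safe_to_trust(cert_bytes, listing):
    """True only if the file about to be imported is the certificate the keystore lists."""
    return cert_sha256(cert_bytes) == keytool_sha256(listing)

if __name__ == "__main__":
    # Usage: python check_cert.py MJ.cer outputfile
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as l:
            ok = safe_to_trust(c.read(), decode_listing(l.read()))
        print("fingerprint match" if ok else "MISMATCH: do not import")
        sys.exit(0 if ok else 1)
    print("keystore SHA256:", keytool_sha256(KEYTOOL_OUTPUT))
```

The same fingerprint should be compared out of band when the .cer file is handed to someone else, since anyone who imports it as a trusted root will accept every document signed with that key.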
