This example was written to show how to use iText and the Entrust Signing Automation Service for PKCS#11 signing of PDF documents. The process for iText integration is described in the manual provided by Entrust, but here we’ll run through the basics relating to this example.

Having followed the instructions in the Entrust SAS User Guide, the SAS PKCS#11 driver will be installed at a location such as C:\Program Files\Entrust\SigningAutomationClient\P11SigningClient64.dll on Windows. Whatever the actual install location is on your machine, that is the path the example passes to the Pkcs11Signature constructor. The setup on Linux is entirely analogous: it suffices to replace the path to P11SigningClient64.dll with the path to libp11signingclient64.so.

Consequently, the PKCS#11 configuration and instantiation in the .NET example look like this:

```csharp
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;
using NUnit.Framework;

// Pkcs11Signature is the signing example project's own IExternalSignature
// implementation; it is not part of the iText library itself.
class TestSignSimple
{
    [Test]
    public void TestPkcs11SignSimple()
    {
        string testFileName = @"..\..\..\resources\circles.pdf";

        // Constructor arguments: path of the PKCS#11 driver and the slot index.
        // Select(alias, certificate label, PIN) picks the key/certificate pair on the token.
        // The PIN is hard-coded only to keep the example short; in production read it
        // from a secret store or the environment rather than committing it with the code.
        using (Pkcs11Signature signature = new Pkcs11Signature(@"c:\Program Files\Entrust\SigningClient\P11SigningClient64.dll", 1)
            .Select(null, "CN=Entrust Limited,OU=ECS,O=Entrust Limited,L=Kanata,ST=Ontario,C=CA", "1234")
            .SetHashAlgorithm("SHA256"))
        using (PdfReader pdfReader = new PdfReader(testFileName))
        using (FileStream result = File.Create("circles-pkcs11-signed-simple.pdf"))
        {
            // Append mode leaves the original revision byte-for-byte intact under the signature.
            PdfSigner pdfSigner = new PdfSigner(pdfReader, result, new StampingProperties().UseAppendMode());

            // RFC 3161 timestamp from Entrust's TSA, embedded as an unsigned attribute of the CMS signature.
            ITSAClient tsaClient = new TSAClientBouncyCastle("http://timestamp.entrust.net/TSS/RFC3161sha2TS");

            // No CRL or OCSP clients are passed, so the signature is not LTV-enabled;
            // an estimated size of 0 makes iText use its default signature container size.
            pdfSigner.SignDetached(signature, signature.GetChain(), null, null, tsaClient, 0, CryptoStandard.CMS);
        }
    }
}
```

It should be noted that the IExternalSignature implementations for this example in Java and .NET are very different. The Java implementation is built upon the Sun PKCS#11 provider, which is well integrated into the Java JCA / JCE crypto architecture and is configured through a provider configuration file. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#Config for the documentation of that configuration file.

The .NET implementation on the other hand is built upon the Pkcs11Interop package, which can be retrieved via NuGet, https://www.nuget.org/packages/Pkcs11Interop/. This is a "Managed .NET wrapper for unmanaged PKCS#11 libraries", and so is not part of the official .NET crypto architecture: there is no provider configuration file, and the driver path, slot index and PIN are passed directly in code, as in the example above. It is available under the terms of the Apache License, Version 2.0, see https://pkcs11interop.net/.
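To make concrete what such a Pkcs11Interop-based IExternalSignature has to do, here is a minimal stand-alone implementation. It is an added example, not the code of the signing example project's Pkcs11Signature class, and it assumes iText 7's three-method IExternalSignature interface (GetHashAlgorithm, GetEncryptionAlgorithm, Sign), Pkcs11Interop 5.x, an RSA key, and that the token exposes the private key and its certificate under the same CKA_LABEL; the class name MinimalPkcs11Signature, its constructor parameters and that label convention are assumptions, not anything the page or Entrust documents.

```csharp
// Added example (not the page's or iText's own code): a minimal IExternalSignature
// built directly on the Pkcs11Interop HighLevelAPI. It shows the steps any such helper
// performs: load the PKCS#11 driver, open a session and log in, find the private key
// and certificate by label, and sign with a hash-and-sign mechanism.
// Assumptions: iText 7 IExternalSignature interface, Pkcs11Interop 5.x, RSA key,
// key and certificate share one CKA_LABEL.
using System;
using System.Collections.Generic;
using iText.Signatures;
using Net.Pkcs11Interop.Common;
using Net.Pkcs11Interop.HighLevelAPI;
using Org.BouncyCastle.X509;

public sealed class MinimalPkcs11Signature : IExternalSignature, IDisposable
{
    private readonly IPkcs11Library library;
    private readonly ISession session;
    private readonly IObjectHandle privateKey;
    private readonly X509Certificate[] chain;

    // libraryPath: the PKCS#11 driver, e.g. the Entrust P11SigningClient64.dll mentioned above.
    // slotIndex:   index into the slots that currently have a token present.
    // label:       CKA_LABEL of the key pair and certificate on the token (assumed to be identical).
    // pin:         user PIN; obtain it from a secret store, not a literal in code.
    public MinimalPkcs11Signature(string libraryPath, int slotIndex, string label, string pin)
    {
        Pkcs11InteropFactories factories = new Pkcs11InteropFactories();
        library = factories.Pkcs11LibraryFactory.LoadPkcs11Library(factories, libraryPath, AppType.MultiThreaded);
        ISlot slot = library.GetSlotList(SlotsType.WithTokenPresent)[slotIndex];
        session = slot.OpenSession(SessionType.ReadOnly);
        session.Login(CKU.CKU_USER, pin);

        privateKey = FindSingle(CKO.CKO_PRIVATE_KEY, label);
        IObjectHandle certObject = FindSingle(CKO.CKO_CERTIFICATE, label);

        // CKA_VALUE of a certificate object is the DER-encoded X.509 certificate.
        byte[] der = session.GetAttributeValue(certObject, new List<CKA> { CKA.CKA_VALUE })[0].GetValueAsByteArray();
        chain = new[] { new X509CertificateParser().ReadCertificate(der) };
    }

    // Fail loudly on zero or ambiguous matches instead of silently signing with the wrong key.
    private IObjectHandle FindSingle(CKO objectClass, string label)
    {
        List<IObjectAttribute> template = new List<IObjectAttribute>
        {
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_CLASS, objectClass),
            session.Factories.ObjectAttributeFactory.Create(CKA.CKA_LABEL, label)
        };
        List<IObjectHandle> found = session.FindAllObjects(template);
        if (found.Count != 1)
        {
            throw new InvalidOperationException(
                $"Expected exactly one {objectClass} with label '{label}', found {found.Count}");
        }
        return found[0];
    }

    // Passed to PdfSigner.SignDetached as the certificate chain (here only the end-entity certificate).
    public X509Certificate[] GetChain() => chain;

    // iText uses these to build the CMS SignerInfo; they must match the mechanism used in Sign().
    public string GetHashAlgorithm() => "SHA256";
    public string GetEncryptionAlgorithm() => "RSA";

    // iText hands over the unhashed signed attributes, so the token must hash and sign in one
    // step. The private key never leaves the token/service; only the signature comes back.
    public byte[] Sign(byte[] message)
    {
        IMechanism mechanism = session.Factories.MechanismFactory.Create(CKM.CKM_SHA256_RSA_PKCS);
        return session.Sign(mechanism, privateKey, message);
    }

    public void Dispose()
    {
        try { session.Logout(); } catch (Pkcs11Exception) { /* already logged out or session gone */ }
        session.Dispose();
        library.Dispose();
    }
}
```

Because iText passes Sign() the signed attributes rather than their digest, the mechanism has to be a combined hash-and-sign one (CKM_SHA256_RSA_PKCS here) and GetHashAlgorithm() must report the same digest; if the two disagree, the SignerInfo announces one digest while the token signed another and the signature fails to verify. An instance of this class can be used in place of Pkcs11Signature in the test above, with the same caveat about not hard-coding the PIN.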