An IExternalSignature implementation for signing via PKCS#11 with the Entrust Signing Automation Service
This example was written to show how to use iText and the Entrust Signing Automation Service for PKCS#11 signing of PDF documents. The process for iText integration is described in the manual provided by Entrust, but here we’ll run through the basics relating to this example.
Once you have followed the instructions in the Entrust SAS User Guide, the SAS PKCS#11 driver will be installed in C:\Program Files\Entrust\SigningAutomationClient\P11SigningClient64.dll on Windows, for example. For reference, the setup on Linux is entirely analogous: it suffices to replace the path to P11SigningClient64.dll with the path to libp11signingclient64.so.
Consequently, the PKCS#11 configuration and instantiation will look like this:
It should be noted that for this example the IExternalSignature implementations in Java and .NET are very different. The Java implementation is built upon the Java Sun PKCS#11 provider, which is well integrated into the Java JCA / JCE crypto architecture. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#Config for details on config file documentation.
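To illustrate the Java side described above, here is an added example (not code from the original article, Entrust or iText) that configures the SunPKCS11 provider against the SAS driver, opens the PKCS11 key store and checks that each signing key produces a signature that verifies against its certificate. Assumptions: Java 9 or later, the token sits at slot list index 0, the PIN is supplied in an environment variable named P11_PIN, and the class name is hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class EntrustPkcs11Check { // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Driver path as given on the page; pass the libp11signingclient64.so path on Linux.
        String library = args.length > 0 ? args[0]
                : "C:/Program Files/Entrust/SigningAutomationClient/P11SigningClient64.dll";
        String pinEnv = System.getenv("P11_PIN"); // assumed name; keeps the PIN out of source code
        if (pinEnv == null) throw new IllegalStateException("P11_PIN is not set");
        char[] pin = pinEnv.toCharArray();

        // SunPKCS11 config file; the path is quoted so the space in "Program Files" survives parsing.
        Path cfg = Files.createTempFile("entrust-p11", ".cfg");
        Files.write(cfg, List.of("name = Entrust",
                "library = \"" + library + "\"",
                "slotListIndex = 0")); // assumption: first slot that holds a token

        // Configure a fresh instance of the built-in SunPKCS11 provider from that file.
        Provider provider = Security.getProvider("SunPKCS11").configure(cfg.toString());
        KeyStore ks = KeyStore.getInstance("PKCS11", provider);
        ks.load(null, pin); // logs in to the token
        Arrays.fill(pin, '\0');

        byte[] data = "pkcs11 self-test".getBytes("UTF-8");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (!ks.isKeyEntry(alias) || chain == null) continue;
            PrivateKey key = (PrivateKey) ks.getKey(alias, null); // a handle; the key never leaves the service
            String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            Signature signer = Signature.getInstance(alg, provider); // signing happens through the driver
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance(alg); // software verification with the public key
            verifier.initVerify(chain[0].getPublicKey());
            verifier.update(data);
            System.out.println(alias + ": " + alg + " verified=" + verifier.verify(sig));
        }
    }
}
```

The provider instance and private key handle obtained this way are what a JCA-based IExternalSignature implementation would sign with.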
The .NET implementation on the other hand is built upon the Pkcs11Interop package which can be retrieved via NuGet, https://www.nuget.org/packages/Pkcs11Interop/. This is a "Managed .NET wrapper for unmanaged PKCS#11 libraries", and so is not part of the official .NET crypto architecture. It is available under the terms of the Apache License, Version 2.0, see https://pkcs11interop.net/.