Tcl
Tcl
PKCS11 Sign PDF using Certificate and Private Key on Smart Card / USB Token
See more PKCS11 Examples
Sample code showing how to use PKCS11 to sign a PDF with a certificate and private key stored on a smart card or USB token.Note: This example requires Chilkat v9.5.0.96 or later.
Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.
set pkcs11 [new_CkPkcs11]
CkPkcs11_put_SharedLibPath $pkcs11 "C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll"
set pin "0000"
set userType 1
# Establish a PKCS11 logged-on session using the driver (.so, .dylib, or .dll) as specified in the SharedLibPath above.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
exit
}
# Get the certificate (on the smart card) that has a private key.
# There are other ways to locate a certificate on the HSM.
# This example assumes there is a single certificate w/ private key.
set cert [new_CkCert]
set success [CkPkcs11_FindCert $pkcs11 "privateKey" "" $cert]
if {$success == 1} then {
puts "Cert with private key: [CkCert_subjectCN $cert]"
} else {
puts "No certificates having a private key were found."
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
exit
}
# --------------------------------------------------------------------------
# At this point, we have the cert to be used for signing.
# Our PDF signing code is the same as for a cert obtained from any other source..
set pdf [new_CkPdf]
# Load a PDF to be signed.
set success [CkPdf_LoadFile $pdf "qa_data/pdf/hello.pdf"]
if {$success == 0} then {
puts [CkPdf_lastErrorText $pdf]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
exit
}
set json [new_CkJsonObject]
CkJsonObject_UpdateInt $json "page" 1
CkJsonObject_UpdateString $json "appearance.y" "top"
CkJsonObject_UpdateString $json "appearance.x" "left"
CkJsonObject_UpdateString $json "appearance.fontScale" "10.0"
CkJsonObject_UpdateString $json "signingAlgorithm" "pss"
CkJsonObject_UpdateString $json "hashAlgorithm" "sha256"
set i 0
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "Digitaly signed by: Xyz Widgets, Inc."
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "current_dt"
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "blah blah blah"
# The certificate is internally linked to the Pkcs11 object, which is currently in an authenticated session.
set success [CkPdf_SetSigningCert $pdf $cert]
set success [CkPdf_SignPdf $pdf $json "qa_output/out.pdf"]
if {$success == 0} then {
puts [CkPdf_lastErrorText $pdf]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
# --------------------------------------------------------------------------
# Revert to an unauthenticated session by calling Logout.
set success [CkPkcs11_Logout $pkcs11]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
# When finished, close the session.
# It is important to close the session (memory leaks will occur if the session is not properly closed).
set success [CkPkcs11_CloseSession $pkcs11]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
puts "Success."
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json