Sample code for 30+ languages & platforms
Tcl

PKCS11 Sign PDF using Certificate and Private Key on Smart Card / USB Token

See more PKCS11 Examples

Sample code showing how to use PKCS11 to sign a PDF with a certificate and private key stored on a smart card or USB token.

Note: This example requires Chilkat v9.5.0.96 or later.

Chilkat Tcl Downloads

Tcl

load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

set pkcs11 [new_CkPkcs11]

CkPkcs11_put_SharedLibPath $pkcs11 "C:/Program Files (x86)/Gemalto/IDGo 800 PKCS#11/IDPrimePKCS1164.dll"
set pin "0000"
set userType 1

# Establish a PKCS11 logged-on session using the driver (.so, .dylib, or .dll) as specified in the SharedLibPath above.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    delete_CkPkcs11 $pkcs11
    exit
}

# Get the certificate (on the smart card) that has a private key.
# There are other ways to locate a certificate on the HSM.
# This example assumes there is a single certificate w/ private key.
set cert [new_CkCert]

set success [CkPkcs11_FindCert $pkcs11 "privateKey" "" $cert]
if {$success == 1} then {
    puts "Cert with private key: [CkCert_subjectCN $cert]"
} else {
    puts "No certificates having a private key were found."
    set success [CkPkcs11_CloseSession $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkCert $cert
    exit
}

# --------------------------------------------------------------------------
# At this point, we have the cert to be used for signing.
# Our PDF signing code is the same as for a cert obtained from any other source..

set pdf [new_CkPdf]

# Load a PDF to be signed.
set success [CkPdf_LoadFile $pdf "qa_data/pdf/hello.pdf"]
if {$success == 0} then {
    puts [CkPdf_lastErrorText $pdf]
    set success [CkPkcs11_CloseSession $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkCert $cert
    delete_CkPdf $pdf
    exit
}

set json [new_CkJsonObject]

CkJsonObject_UpdateInt $json "page" 1
CkJsonObject_UpdateString $json "appearance.y" "top"
CkJsonObject_UpdateString $json "appearance.x" "left"
CkJsonObject_UpdateString $json "appearance.fontScale" "10.0"
CkJsonObject_UpdateString $json "signingAlgorithm" "pss"
CkJsonObject_UpdateString $json "hashAlgorithm" "sha256"

set i 0
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "Digitaly signed by: Xyz Widgets, Inc."
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "current_dt"
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "blah blah blah"

# The certificate is internally linked to the Pkcs11 object, which is currently in an authenticated session.
set success [CkPdf_SetSigningCert $pdf $cert]

set success [CkPdf_SignPdf $pdf $json "qa_output/out.pdf"]
if {$success == 0} then {
    puts [CkPdf_lastErrorText $pdf]
    set success [CkPkcs11_CloseSession $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkCert $cert
    delete_CkPdf $pdf
    delete_CkJsonObject $json
    exit
}

# --------------------------------------------------------------------------

# Revert to an unauthenticated session by calling Logout.
set success [CkPkcs11_Logout $pkcs11]
if {$success == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    set success [CkPkcs11_CloseSession $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkCert $cert
    delete_CkPdf $pdf
    delete_CkJsonObject $json
    exit
}

# When finished, close the session.
# It is important to close the session (memory leaks will occur if the session is not properly closed).
set success [CkPkcs11_CloseSession $pkcs11]
if {$success == 0} then {
    puts [CkPkcs11_lastErrorText $pkcs11]
    delete_CkPkcs11 $pkcs11
    delete_CkCert $cert
    delete_CkPdf $pdf
    delete_CkJsonObject $json
    exit
}

puts "Success."

delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json