How to implement digital signature

Question

We are building a web application(Java). Could anybody help brief me what we need to realize the following business scenario ?

1. An user access our web site
2. He inputs some data
3. He generate a PDF file from the data he input and export it
4. He digitally sign this PDF file
5. He then upload this PDF file to our web site
6. The system can parse the PDF file to know who signed this file and be sure it is of integrity and Non-repudiation and to some post-processes.

My questions are:

• What products/libraries(commercial or free opensource) should I need to implement the above ?
• Do those products provide API for developers to programmatically operate the signing process and retrieve information from a signed documents ?
• Is it a reasonable or proper way to do the digital signature in the above 3~5 steps ? could the user sign the data online in one step(e.g., without export a PDF file) ?

Answer 1

iText is a java library which, amongst other things, enables you to sign and verify signatures on pdf documents. This would enable your users to sign a pdf online. A good example of using iText for signing and verifying signatures in pdf documents can be found here

The library's licence is AGPL i.e. you need to release your software under AGPL or buy a commercial licence.

It used to be under the LGPL so you can work with iText 2.1.7 under the terms of LGPL and not need to buy a commercial licence.

Answer 2

If the data is located on the client, then your easiest option is to create a Java applet which will be executed in browser, and which will sign the data. Any data can be signed, and you don't need PDF just for signing. Generic binary data can be signed using PKCS#7/CMS format or using XMLDSig (less widespread option).

For signing data in Java applet you can use BouncyCastle or our SecureBlackbox (Java edition). BouncyCastle is open-source and SecureBlackbox comes with support, documentation and samples.