(Chilkat2-Python) Sign PDF in the Cloud using AWS CloudHSM

See more Signing in the Cloud Examples

Demonstrates how to sign a PDF using AWS CloudHSM. The signing of the hash happens on a hardware token in AWS CloudHSM. Everything else involving the updating the PDF to add the signature happens locally within Chilkat.

Note: This example requires Chilkat v9.5.0.96 or greater.

Chilkat2 Python Downloads install with pip pip3 install chilkat2 or download... Python Module for Windows, Linux, Alpine Linux, MacOS, Solaris

import sys
import chilkat2

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.

pkcs11 = chilkat2.Pkcs11()

# Provide the path to the AWS CloudHSM PKCS11 driver.
# This example runs on Windows, so we'll provide the CloudHSM DLL.
# If your code runs on Linux, the CloudHSM driver might be at /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
pkcs11.SharedLibPath = "C:\\Program Files\\Amazon\\CloudHSM\\lib\\cloudhsm_pkcs11.dll"

# Your PIN should be a string containing your crypto user's login and password, with a colon char delimiting.
# See https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-pin.html
pin = "user:password"
userType = 1

# Establish a PKCS logged-on session using the driver (.so, .dylib, or .dll) as specified in the SharedLibPath above.
success = pkcs11.QuickSession(userType,pin)
if (success == False):
    print(pkcs11.LastErrorText)
    sys.exit()

cert = chilkat2.Cert()
success = cert.LoadFromFile("qa_data/certs/myCert.cer")
if (success == False):
    print(cert.LastErrorText)
    sys.exit()

# Tell the certificate to link with the PKCS11 session.
# The cert's private key should be installed on the CloudHSM.
# If there are multiple private keys on the CloudHSM, then Chilkat will automatically
# locate and use the private key corresponding to the certificate.
success = cert.LinkPkcs11(pkcs11)
if (success == False):
    print(cert.LastErrorText)
    sys.exit()

# --------------------------------------------------------------------------
# At this point, we have the cert to be used for signing.
# Our PDF signing code is the same as for a cert obtained from any other source..

pdf = chilkat2.Pdf()

# Load a PDF to be signed.
success = pdf.LoadFile("qa_data/pdf/hello.pdf")
if (success == False):
    print(pdf.LastErrorText)
    success = pkcs11.CloseSession()
    sys.exit()

json = chilkat2.JsonObject()

json.UpdateInt("page",1)
json.UpdateString("appearance.y","top")
json.UpdateString("appearance.x","left")
json.UpdateString("appearance.fontScale","10.0")
json.UpdateString("signingAlgorithm","pss")
json.UpdateString("hashAlgorithm","sha256")

i = 0
json.I = i
json.UpdateString("appearance.text[i]","Digitaly signed by: Xyz Widgets, Inc.")
i = i + 1
json.I = i
json.UpdateString("appearance.text[i]","current_dt")
i = i + 1
json.I = i
json.UpdateString("appearance.text[i]","blah blah blah")

# The certificate is internally linked to the Pkcs11 object, which is currently in an authenticated session.
success = pdf.SetSigningCert(cert)

success = pdf.SignPdf(json,"qa_output/out.pdf")
if (success == False):
    print(pdf.LastErrorText)
    success = pkcs11.CloseSession()
    sys.exit()

# --------------------------------------------------------------------------

# Revert to an unauthenticated session by calling Logout.
success = pkcs11.Logout()
if (success == False):
    print(pkcs11.LastErrorText)
    success = pkcs11.CloseSession()
    sys.exit()

# When finished, close the session.
# It is important to close the session (memory leaks will occur if the session is not properly closed).
success = pkcs11.CloseSession()
if (success == False):
    print(pkcs11.LastErrorText)
    sys.exit()

print("Success.")