Tcl
Tcl
Sign PDF in the Cloud using AWS CloudHSM
See more Signing in the Cloud Examples
Demonstrates how to sign a PDF using AWS CloudHSM. The signing of the hash happens on a hardware token in AWS CloudHSM. Everything else involving the updating the PDF to add the signature happens locally within Chilkat.Note: This example requires Chilkat v9.5.0.96 or greater.
Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# Note: Chilkat's PKCS11 implementation runs on Windows, Linux, Mac OS X, and other supported operating systems.
set pkcs11 [new_CkPkcs11]
# Provide the path to the AWS CloudHSM PKCS11 driver.
# This example runs on Windows, so we'll provide the CloudHSM DLL.
# If your code runs on Linux, the CloudHSM driver might be at /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
CkPkcs11_put_SharedLibPath $pkcs11 "C:\\Program Files\\Amazon\\CloudHSM\\lib\\cloudhsm_pkcs11.dll"
# Your PIN should be a string containing your crypto user's login and password, with a colon char delimiting.
# See https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-pin.html
set pin "user:password"
set userType 1
# Establish a PKCS logged-on session using the driver (.so, .dylib, or .dll) as specified in the SharedLibPath above.
set success [CkPkcs11_QuickSession $pkcs11 $userType $pin]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
exit
}
set cert [new_CkCert]
set success [CkCert_LoadFromFile $cert "qa_data/certs/myCert.cer"]
if {$success == 0} then {
puts [CkCert_lastErrorText $cert]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
exit
}
# Tell the certificate to link with the PKCS11 session.
# The cert's private key should be installed on the CloudHSM.
# If there are multiple private keys on the CloudHSM, then Chilkat will automatically
# locate and use the private key corresponding to the certificate.
set success [CkCert_LinkPkcs11 $cert $pkcs11]
if {$success == 0} then {
puts [CkCert_lastErrorText $cert]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
exit
}
# --------------------------------------------------------------------------
# At this point, we have the cert to be used for signing.
# Our PDF signing code is the same as for a cert obtained from any other source..
set pdf [new_CkPdf]
# Load a PDF to be signed.
set success [CkPdf_LoadFile $pdf "qa_data/pdf/hello.pdf"]
if {$success == 0} then {
puts [CkPdf_lastErrorText $pdf]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
exit
}
set json [new_CkJsonObject]
CkJsonObject_UpdateInt $json "page" 1
CkJsonObject_UpdateString $json "appearance.y" "top"
CkJsonObject_UpdateString $json "appearance.x" "left"
CkJsonObject_UpdateString $json "appearance.fontScale" "10.0"
CkJsonObject_UpdateString $json "signingAlgorithm" "pss"
CkJsonObject_UpdateString $json "hashAlgorithm" "sha256"
set i 0
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "Digitaly signed by: Xyz Widgets, Inc."
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "current_dt"
set i [expr $i + 1]
CkJsonObject_put_I $json $i
CkJsonObject_UpdateString $json "appearance.text[i]" "blah blah blah"
# The certificate is internally linked to the Pkcs11 object, which is currently in an authenticated session.
set success [CkPdf_SetSigningCert $pdf $cert]
set success [CkPdf_SignPdf $pdf $json "qa_output/out.pdf"]
if {$success == 0} then {
puts [CkPdf_lastErrorText $pdf]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
# --------------------------------------------------------------------------
# Revert to an unauthenticated session by calling Logout.
set success [CkPkcs11_Logout $pkcs11]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
set success [CkPkcs11_CloseSession $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
# When finished, close the session.
# It is important to close the session (memory leaks will occur if the session is not properly closed).
set success [CkPkcs11_CloseSession $pkcs11]
if {$success == 0} then {
puts [CkPkcs11_lastErrorText $pkcs11]
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json
exit
}
puts "Success."
delete_CkPkcs11 $pkcs11
delete_CkCert $cert
delete_CkPdf $pdf
delete_CkJsonObject $json