Entrust Signing Automation Service
Document Sealing with iText
Step-by-step PDF document sealing process using iText
Step 1: iText prepares the PDF document for sealing
- iText adds a signature value dictionary to a signature field in the PDF’s code. This value contains some meta information (signing reason, signing time, etc.) and a placeholder for the future signature container.
- iText calculates the hash value of the document (not including the placeholder) using a strong message digest algorithm (e.g. SHA-256).
- iText builds a signature container that consists of a set of “signed attributes,” including the document hash, then hashes the full set of attributes to produce one final hash.
Step 2: iText requests and fetches a digital seal using the Entrust Signing Automation Service
- Using the Entrust Signing Automation client, iText sends the final hash value to the Entrust Signing Automation Service via an authenticated PKCS #11 request.
- The Entrust Signing Automation Service uses the private key securely stored in your account to generate a digital seal for the hash value, and sends this seal back to iText.
Step 3: iText requests and fetches a timestamp token using the Entrust public timestamping service
- Using the same process described in step 1, iText recalculates a final hash of the document, including the digital seal. This new hash is sent to the Entrust public timestamping service.
- The timestamping service bundles the hash value with the exact date and time, and uses the private key of its own long-lived certificate to generate a signature for the bundle. This signature (timestamp token) is sent back to iText.
Step 4: iText finalizes the sealing process
- iText embeds the seal and the timestamp token into the signature container that it started building in step 1.
- iText injects the signature container into the placeholder created during step 1. The PDF document is now sealed!
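The hash chain from step 1, as an added example that is not iText or Entrust code: it models the process with Python's hashlib to show that the value sent for sealing in step 2 is a hash over the signed attributes, which in turn bind the document hash computed around the placeholder. The sample PDF bytes and the function names are constructed for illustration, and the attribute set is reduced to contentType and messageDigest as an assumption.

```python
import hashlib

# Constructed stand-in for a prepared PDF; a real file reserves a much larger
# hex placeholder inside the signature dictionary's /Contents entry.
PLACEHOLDER = b"<" + b"0" * 64 + b">"
PREPARED = b"%PDF-1.7 ...body... /Contents " + PLACEHOLDER + b" ...trailer... %%EOF"

def byte_range(pdf: bytes, placeholder: bytes):
    """Return (offset1, len1, offset2, len2): every byte except the placeholder."""
    start = pdf.index(placeholder)
    end = start + len(placeholder)
    return 0, start, end, len(pdf) - end

def document_hash(pdf: bytes, br) -> bytes:
    """SHA-256 over the two covered ranges, skipping the placeholder."""
    o1, l1, o2, l2 = br
    return hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).digest()

def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (short-form lengths only)."""
    if len(value) >= 128:
        raise ValueError("long-form DER lengths are not handled in this sketch")
    return bytes([tag, len(value)]) + value

OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1

def signed_attributes(doc_hash: bytes) -> bytes:
    """DER SET OF Attribute carrying the content type and the document hash."""
    content_type = tlv(0x30, tlv(0x06, OID_CONTENT_TYPE) + tlv(0x31, tlv(0x06, OID_DATA)))
    message_digest = tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST) + tlv(0x31, tlv(0x04, doc_hash)))
    return tlv(0x31, content_type + message_digest)  # already in DER sort order

def final_hash(pdf: bytes, placeholder: bytes = PLACEHOLDER) -> bytes:
    """The value that step 2 would hand to the signing service."""
    br = byte_range(pdf, placeholder)
    return hashlib.sha256(signed_attributes(document_hash(pdf, br))).digest()

if __name__ == "__main__":
    print(final_hash(PREPARED).hex())
```

Filling the placeholder in step 4 leaves the document hash unchanged, while any edit to a covered byte changes both the document hash and the final hash.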