Q: I work in the Air Force and have a requirement to digitally sign .pdf forms with my Common Access Card (CAC -> military ID). Do the digital signing capabilities of your software Xodo PDF Studio interact with Linux’s libcackey or your own libraries to enable digital signing of documents? Will my CAC work with your software?

A: We think you should be able to use the PKCS#11 interface for the CAC in order to sign PDFs with Xodo PDF Studio on Linux.

1) Download PKCS#11 for CAC
https://militarycac.com/linux.htm

Once there, look at the PKCS#11 section: apparently, there is a module called “CACkey” that you should be able to download from software.forge.mil. We’re unable to do this because it seems that you need CAC authentication to get access to that website.

2) Set up Xodo PDF Studio to use PKCS11
How to set up USB Smart Card Hardware PKCS11 signing on Linux with Xodo PDF Studio.

3) Send us Feedback!
Since we are unable to try this ourselves, please email us your feedback so that we can share it with other CAC users.

Feedback Received from Users
User 1: I am running CentOS 7 and I had to install opensc. This is what I have in my config.cfg file:

name = SCR35xxSmartCardReader
library = /usr/lib64/pkcs11/opensc-pkcs11.so
slot = 1

I had issues at first because I was trying to sign with the email certificate instead of the signing certificate. The error message I was getting in the Sign Document dialog was

“Error saving document: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_USER_NOT_LOGGED”.

Once I selected the signing certificate, I was able to save a signed PDF.

Make sure to also restart your machine after installing opensc.

User 2: I have spent several hours now attempting to Digitally Sign a document with a Certificate on a Smart Card.

The Smart Card is working via Firefox, but I continually receive an error trying to work with Xodo PDF Studio. As shown via the attachment there is no clue provided as to what the issue may be. I have tried the config.cfg file many different ways.

Ubuntu 16.04 LTS, DigiScan Card Reader, opensc, etc.

Below is my config file:

#name = SmartCardReader
#library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#slot = 1

# Give the HSM device a name
name = DigiScan

# Path to the PKCS#11 driver
library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# The HSM slot number
slotListIndex = 1

I found this post on StackOverflow where someone else had trouble with opensc-pkcs11. They fixed it by updating their config to use the specific dll that came with their token. I also referenced https://connect2id.com/products/nimbus-jose-jwt/examples/pkcs11 and thus modified the config file again. Apparently OpenSC in Linux wants to see ‘slotListIndex’.

User 3: For those using CACKey for signing documents with a DOD Common Access Card, on Debian-based systems, please refer them to the following:

https://militarycac.org/linux.htm

https://github.com/jdjaxon/linux_cac

Once they have their browsers working, use this for the configuration file (config.cfg) to access the tokens in Xodo PDF Studio:

name = CACKey

library = /usr/lib64/libcackey.so

Tested on:

Linux parrot 6.0.0-2parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.2-1parrot1 (2022-10-18) x86_64 GNU/Linux
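
The config.cfg files shared above differ in small ways (commented-out keys, `slot` versus `slotListIndex`, different library paths), so here is an added example, not code from Xodo or from the users quoted on this page, that sanity-checks such a file before you try to sign with it. It assumes the Java SunPKCS11 config format implied by the `sun.security.pkcs11` error above, in which at most one of `slot` (a slot ID) or `slotListIndex` (a position in the slot list) may be set; `check_pkcs11_cfg` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: sanity-check a SunPKCS11-style config.cfg.
# check_pkcs11_cfg is a hypothetical helper, not part of Xodo PDF Studio or OpenSC.
# Returns 0 if the file looks usable, 1 on a config problem, 2 if it is unreadable.
check_pkcs11_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Collect "key = value" pairs, skipping blank lines and '#' comments.
    name= library= slot= index=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//')
        val=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case $key in
            name)          name=$val ;;
            library)       library=$val ;;
            slot)          slot=$val ;;
            slotListIndex) index=$val ;;
        esac
    done < "$cfg"

    [ -n "$name" ] || { echo "missing 'name'" >&2; rc=1; }
    if [ -z "$library" ]; then
        echo "missing 'library'" >&2; rc=1
    elif [ ! -f "$library" ]; then
        echo "PKCS#11 library not found: $library" >&2; rc=1
    fi
    # slot is a slot ID, slotListIndex an index into the slot list: set only one.
    if [ -n "$slot" ] && [ -n "$index" ]; then
        echo "set either 'slot' or 'slotListIndex', not both" >&2; rc=1
    fi
    for n in "$slot" "$index"; do
        case $n in *[!0-9]*) echo "not a number: $n" >&2; rc=1 ;; esac
    done
    return $rc
}
```

Source the file and run `check_pkcs11_cfg config.cfg`; a non-zero return with a message on stderr points at the line to fix before opening the Sign Document dialog.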