1st you need the middleware software for that. They provide only an Ubuntu package but it can be used in other systems as well. In my case I didn't have to make any customizations in Debian Unstable.
Then you need a software to sign your PDF which is PKCS11 capable. Currently I know about three free Linux softwares which can digitally sign a document using some hardware token (PKCS11): LibreOffice, Okular (in it's latest development version with some supporting libraries - Poppler) and JSignPDF. So ...
- LibreOffice still quite sucks because it can sign the document but you can not place a visible mark about that anywhere. But the configuration is quite easy, IMHO it uses the same configuration as Thunderbird does.
- Also Okular still quite sucks. Configuration is also the same as Thunderbird uses so it's good. But again, there is a problem with the visible mark of the digital signature. It's better than LibreOffice beacause at least you can place the visible mark somewhere. But you can not easily configure the text properties so it looks usually quite lousy.
- So from the three mentioned softwares I use JSignPDF where you can do some fine-tunning of the visible mark.
How to configure JSignPDF to use PKCS11
So you have downloaded the latest version of JSignPDF (now it is 2.2.0, to use PKCS11 you need at least version 2.0.0) for example in ~/prg/JSignPDF. Now edit the conf/pkcs11.cfg and fill it with:
After that edit the file conf/conf.properties and uncomment the linename=eObcanka library=/usr/lib/x86_64-linux-gnu/libeopproxyp11.so slot=1
pkcs11config.path=conf/pkcs11.cfgAfter this you can put your eObcanka to the card reader and run the jsignpdf.sh. It should behave like this:
FINE Relaxing SSL security.FINE Registering SunPKCS11 provider from configuration in conf/pkcs11.cfgFINE PKCS11 provider registered with name SunPKCS11-eObcankaFINE PKCS11 provider registered with name JSignPKCS11-eObcanka
Now you should see a new PKCS11 type of key and certificates storage.