We’re excited to announce that the widely-used PDF signature tool pdfsig can now be used with wolfPKCS11 and NSS!
This integration lets you digitally sign PDF documents with PKCS#11 keys held in software tokens, HSMs, or secure elements, through the NSS framework, all powered by the FIPS-ready wolfCrypt engine.
Why This Matters
For many applications – document workflows, certification, legal signing chains – the ability to sign PDF files in a standards-compliant way is essential. pdfsig is a command-line tool from the Poppler toolset that uses NSS as its signing backend; it verifies existing PDF digital signatures and creates new ones (when used with proper PDF fields).
With wolfPKCS11 acting as a full PKCS#11 provider for NSS, you can now:
- Bring in a FIPS 140-3 validated cryptographic engine (wolfCrypt) under the covers via wolfPKCS11 for high-assurance signing.
- For embedded Linux applications, use a TPM along with wolfTPM to securely store signing keys, or leverage the secure domain when using wolfBoot.
How It Works
pdfsig (part of Poppler’s tools) supports digital signatures when NSS provides the signing backend.
By loading wolfPKCS11 as a PKCS#11 module in NSS, the signing key and certificate can come from any token accessible via the wolfPKCS11 provider.
Here’s what happens under the hood:
- NSS loads the wolfPKCS11 shared library as a PKCS#11 provider.
- NSS accesses the token (software, TPM, or HSM) for the private key.
- pdfsig signs the PDF via NSS, which routes cryptographic operations through wolfPKCS11 and wolfCrypt.
- The resulting PDF contains a standards-compliant signature validated by any conformant PDF viewer.
Example: Signing a PDF via NSS and wolfPKCS11
Once you have compiled wolfPKCS11 with NSS, the wolfPKCS11 backend module is used instead of NSS’s built-in one (a small patch to NSS is needed); this ensures that wolfCrypt is used for all cryptographic operations. You can then run:
# 1. Create a new NSS database
mkdir ~/nssdb
echo "mypassword" > ~/nssdb/password.txt
certutil -N -d $HOME/nssdb -f ~/nssdb/password.txt

# 2. Import a certificate and private key into the token
pk12util -i mycert.p12 -d $HOME/nssdb -W mypassword

# 3. Verify that NSS can see the token and key
certutil -L -d $HOME/nssdb

# 4. Sign a PDF file using pdfsig via wolfPKCS11 + NSS
pdfsig input.pdf signed.pdf \
    -add-signature \
    -nssdir $HOME/nssdb \
    -nss-pwd mypassword \
    -nick "pkcs11:token=mytoken;object=mykey;type=private" \
    -reason "Approved using wolfPKCS11"

# 5. Verify the signature
pdfsig signed.pdf
This creates a signed PDF that includes the proper signature field and certificate chain, validated by most PDF viewers.
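The verification step above (`pdfsig signed.pdf`) checks the CMS signature cryptographically. The structural property that makes a PDF signature meaningful, that the signed /ByteRange covers the whole file except the /Contents placeholder, is worth understanding on its own, because a document with bytes appended after the signed range (an incremental update) is exactly what conformant viewers flag. The following Python script is an added example and is not code from this post, from Poppler or from wolfSSL; it constructs a minimal PDF with a signature dictionary whose offsets are patched in after layout (the same bookkeeping any signer does around the /Contents placeholder), then checks a file's /ByteRange against the actual position of /Contents. The hex in /Contents is a constructed placeholder, not a real CMS blob, and the script does not verify any signature.

```python
"""Structural check of a PDF signature's /ByteRange (added example, not from the post)."""
import hashlib
import re

# /ByteRange [a b c d]: bytes [a, a+b) and [c, c+d) are covered by the signature;
# the gap [a+b, c) must hold exactly the /Contents hex string and its <> delimiters.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")


def build_demo_pdf(sig_hex: bytes) -> bytes:
    """Construct a minimal PDF carrying one signature dictionary (constructed sample).

    The /ByteRange placeholder has a fixed width so that patching in the real
    offsets afterwards does not shift anything else in the file.
    """
    placeholder = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"
    body = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
            + placeholder + b"\n/Contents <" + sig_hex + b"> >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
    start = body.index(b"/Contents <") + len(b"/Contents <") - 1   # offset of '<'
    end = body.index(b">", start) + 1                               # offset just past '>'
    byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (0, start, end, len(body) - end)
    assert len(byte_range) == len(placeholder)
    return body.replace(placeholder, byte_range)


def check_byte_range(pdf: bytes) -> dict:
    """Check that the signed ranges cover everything except /Contents and reach EOF.

    Returns a dict with an 'ok' flag, a list of problems, the SHA-256 over the
    covered bytes (what a signer actually signs) and the raw /Contents hex.
    """
    br = BYTERANGE_RE.search(pdf)
    ct = CONTENTS_RE.search(pdf)
    if not br or not ct:
        return {"ok": False, "problems": ["no signature dictionary found"]}
    a, b, c, d = (int(x) for x in br.groups())
    contents_start, contents_end = ct.start(1) - 1, ct.end(1) + 1   # '<' ... '>'
    problems = []
    if a != 0:
        problems.append("first signed range does not start at offset 0")
    if a + b != contents_start or c != contents_end:
        problems.append("ByteRange gap does not coincide with /Contents")
    if c + d != len(pdf):
        problems.append("signed ranges stop before end of file (data appended after signing?)")
    digest = hashlib.sha256()
    digest.update(pdf[a:a + b])
    digest.update(pdf[c:c + d])
    return {"ok": not problems, "problems": problems,
            "covered_sha256": digest.hexdigest(), "contents_hex": ct.group(1)}


if __name__ == "__main__":
    sample = build_demo_pdf(b"DEADBEEF" * 4)          # constructed, not a real CMS signature
    print("clean file:", check_byte_range(sample))
    # Simulate an incremental update appended after the signature was applied.
    tampered = sample + b"4 0 obj << /Type /Annot >> endobj\n"
    print("appended data:", check_byte_range(tampered))
```

Run on a real signed file with `check_byte_range(open("signed.pdf", "rb").read())`; a file that was signed more than once, or saved again after signing, will legitimately report data past the first signed range, which is why this check is a complement to, not a replacement for, `pdfsig signed.pdf`.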
Benefits
- Hardware-Backed Security: Supports HSMs, TPMs, and other secure key stores via PKCS#11.
- FIPS-Ready Cryptography: Leverages wolfCrypt’s FIPS 140-3 validated algorithms.
- Automation Friendly: Perfect for document signing pipelines and CI/CD workflows.
- Interoperable: Works with standard NSS tooling — no vendor lock-in.
Getting Started
- Install wolfPKCS11 and wolfSSL from GitHub.
- Patch and compile NSS with the patch in GitHub.
- Import your signing key and certificate into the NSS token.
- Use pdfsig to sign and verify PDF files directly through NSS.
Alternatively, our wolfPKCS11 examples repository has a Dockerfile which can build everything and will run an example sign and verify.
Find out more
If you’d like to integrate wolfPKCS11 with your document signing, HSM, or workflow automation system, contact us at facts@wolfssl.com or call us at +1 425 245 8247 for guidance or evaluation support.