Electronic signature method, device, equipment and storage medium

By establishing and authenticating sessions with hardware key devices, determining the signature position by combining signature mode parameters, generating and embedding signature objects, the inefficiency caused by fixed signature positions in existing electronic signature methods is solved, and the automation and efficiency of batch document signing are improved.

CN122155359APending Publication Date: 2026-06-05SHENZHEN KAIDONGYUAN MODERN LOGISTICS CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN KAIDONGYUAN MODERN LOGISTICS CO LTD
Filing Date
2026-03-04
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing electronic signature methods lack a flexible mechanism for determining the signature location, resulting in low work efficiency when handling multiple documents and multiple signature locations.

Method used

By establishing a session with the hardware key device, obtaining the device session handle for authentication, reading the electronic seal data, determining the seal location information based on the seal mode parameters in the seal request, generating signature data, and then embedding the seal object into the document to be signed.

Benefits of technology

It enables flexible determination of signature positions, improves the automation and efficiency of batch document signing, and solves the problems of fixed signature positions and cumbersome operations in traditional methods.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122155359A_ABST
    Figure CN122155359A_ABST
Patent Text Reader

Abstract

The application provides an electronic signature method, device and equipment and a storage medium. The method comprises the following steps: performing session establishment on a hardware key device to obtain a device session handle, performing identity verification on the hardware key device according to the device session handle, and reading electronic seal data in the hardware key device; receiving a signature request, determining signature position information of a to-be-signed document according to a signature mode parameter in the signature request, and generating to-be-signed data according to the to-be-signed document and the signature position information; calling a signature interface of the hardware key device according to the device session handle and the to-be-signed data to obtain signature data; and generating a signature object according to the electronic seal data, the signature data and the signature position information, and embedding the signature object into the to-be-signed document. The application realizes flexible determination of a signature position through a signature mode parameter, solves the problems of fixed signature position and complicated operation in a traditional method, and improves the automation degree and work efficiency of batch document signature.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data processing technology, and in particular to an electronic signature method, apparatus, device, and storage medium. Background Technology

[0002] With the rapid development of e-government and e-commerce, electronic signature technology has been widely applied in scenarios such as contract signing, document circulation, and online approval. Traditional electronic signature methods typically require users to manually specify the signature location or affix the seal to a fixed position, which is inefficient when handling large volumes of documents. Especially in scenarios such as bid evaluation and approval where signatures need to be placed in specific locations on multiple documents, users must open each document, locate the signature position, and perform the signature operation one by one, making the process cumbersome and time-consuming.

[0003] In existing technologies, electronic signature systems lack a flexible mechanism for determining the signature position, and cannot automatically adapt the signature position according to different signature requirements. This results in low work efficiency for users when handling multiple documents and multiple signature tasks, affecting the practicality of electronic signature systems. Summary of the Invention

[0004] The main objective of this invention is to solve the technical problem of low signing efficiency caused by the lack of a flexible signing position determination mechanism in existing electronic signature methods; This invention provides an electronic signature method, characterized in that the electronic signature method includes: A session is established with the hardware key device to obtain a device session handle. The hardware key device is then authenticated based on the device session handle, and the electronic seal data in the hardware key device is read based on the device session handle. Receive a signature request, determine the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generate signature data based on the document to be signed and the signature position information; The signature data is obtained by calling the signature interface of the hardware key device based on the device session handle and the data to be signed. A signature object is generated based on the electronic seal data, the signature data, and the signature position information, and the signature object is embedded into the document to be signed.

[0005] The present invention also provides an electronic signature device, characterized in that the electronic signature device comprises: The device authentication module is used to establish a session with the hardware key device, obtain a device session handle, authenticate the hardware key device based on the device session handle, and read the electronic seal data in the hardware key device based on the device session handle. The location determination module is used to receive a signing request, determine the signing location information of the document to be signed based on the signing mode parameters in the signing request, and generate signing data based on the document to be signed and the signing location information. The signature generation module is used to call the signature interface of the hardware key device based on the device session handle and the data to be signed, so as to obtain signature data; The signature embedding module is used to generate a signature object based on the electronic seal data, the signature data, and the signature position information, and to embed the signature object into the document to be signed.

[0006] The present invention also provides an electronic signature device, comprising: a memory and at least one processor, wherein the memory stores instructions, and the memory and the at least one processor are interconnected via a circuit; the at least one processor invokes the instructions in the memory to cause the electronic signature device to perform the steps of the above-described electronic signature method.

[0007] The present invention also provides a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the steps of the above-described electronic signature method.

[0008] The aforementioned electronic signature method, apparatus, device, and storage medium establish a session with a hardware key device to obtain a device session handle. The hardware key device is then authenticated using the session handle, and electronic seal data is read from it. A signature request is received; the signature position information of the document to be signed is determined based on the signature mode parameters in the request; and data to be signed is generated based on the document and the signature position information. The signature interface of the hardware key device is called based on the device session handle and the data to be signed to obtain signature data. A signature object is generated based on the electronic seal data, signature data, and signature position information, and then embedded into the document to be signed. This invention achieves flexible determination of the signature position through signature mode parameters, solving the problems of fixed signature positions and cumbersome operations in traditional methods, and improving the automation and efficiency of batch document signing.

[0009] Other features and advantages of the invention will be set forth in the description which follows, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention are realized and obtained in accordance with the structures particularly pointed out in the description, claims and drawings.

[0010] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description

[0011] Figure 1 This is a schematic diagram of the first embodiment of the electronic signature method in this invention; Figure 2 This is a schematic diagram of a second embodiment of the electronic signature method in this invention; Figure 3 This is a schematic diagram of one embodiment of the electronic signature device in this invention; Figure 4 This is a schematic diagram of one embodiment of the electronic signature device in this invention. Detailed Implementation

[0012] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0013] The terms "comprising" and "having," and any variations thereof, used in the embodiments of this invention are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the steps or units listed, but may optionally include other steps or units not listed, or may optionally include other steps or units inherent to these processes, methods, products, or devices.

[0014] To facilitate understanding of this embodiment, a detailed description of an electronic signature method disclosed in this invention will be provided first. For example... Figure 1 As shown, this method includes the following steps: 101. Establish a session with the hardware key device to obtain a device session handle, authenticate the hardware key device based on the device session handle, and read the electronic seal data in the hardware key device based on the device session handle. In this embodiment, establishing a session for the hardware key device and obtaining a device session handle includes: loading the driver library file of the hardware key device through a dynamic link library loading function to obtain a library file handle; parsing the device operation function symbols in the driver library file according to the library file handle to obtain a device open function pointer; and calling the device open function corresponding to the device open function pointer to obtain the device session handle.

[0015] Specifically, the session establishment process employs a dynamic loading mechanism to adapt to hardware key devices from different manufacturers. By calling the dynamic link library loading function provided by the operating system (such as the dlopen function in Linux), the driver library file provided by the hardware key device manufacturer (such as XSDigitalSeal.so) is loaded into the process's address space. Upon successful loading, a handle to the library file is returned. This handle serves as the entry point for accessing the functions within the driver library.

[0016] Then, based on the library file handle, a symbol resolution function (e.g., the dlsym function) is used to resolve the device operation function symbols exported from the driver library file. In this embodiment, the key function symbols to be resolved include device open functions (such as XS_API_OpenDevice), PIN code verification functions, seal enumeration functions, seal reading functions, and signature functions. After successful symbol resolution, function pointers corresponding to each function are obtained, wherein the device open function pointer is used to establish a session connection with the hardware key device.

[0017] It's important to note that when the device open function is called, a handshake communication is initiated with the hardware key device via a USB interface or other communication interface to verify the device's connection status. If the device connection is successful, the device open function returns a device session handle, which is an integer or pointer identifier that uniquely identifies the current session. All subsequent interactions with this hardware key device must be performed through this device session handle to ensure operational security and session continuity.

[0018] After a successful session establishment, the hardware key device is authenticated based on the device session handle. Authentication is achieved through a PIN code verification interface. The user needs to enter a preset PIN code (Personal Identification Number), which is then transmitted to the hardware key device, where it is verified internally. Only after successful PIN code verification is the hardware key device allowed for subsequent seal reading and signature operations. This two-factor authentication mechanism (hardware device + PIN code) effectively ensures the security of the signing operation.

[0019] After successful authentication, the system continues to read the electronic seal data from the hardware key device based on the device session handle. Specifically, it first calls the seal enumeration interface to obtain the number and index list of all electronic seals stored in the device. The seal list string returned by this interface contains the name information of each seal. The string is split according to a preset delimiter to obtain the name of each seal, and then associated with the corresponding index value to form a seal index list.

[0020] Once the user selects a target seal from the seal index list, the seal reading interface is invoked based on the seal's index value to read the seal's complete data from the hardware key device. The electronic seal data includes the seal image (typically a transparent background image in PNG or BMP format), seal size information, and the digital certificate information associated with the seal. The read seal image data is returned as a byte stream and cached in memory.

[0021] 102. Receive a signature request, determine the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generate signature data based on the document to be signed and the signature position information. In this embodiment, determining the signature position information of the document to be signed based on the signature mode parameter in the signature request, and generating the data to be signed based on the document to be signed and the signature position information includes: when the signature mode parameter is a specified position mode, parsing a preset page number, a preset horizontal coordinate, and a preset vertical coordinate from the signature request, and using the preset page number, the preset horizontal coordinate, and the preset vertical coordinate as the signature position information; when the signature mode parameter is a keyword matching mode, extracting text from the document to be signed to obtain document text content and text coordinate information, matching the document text content with preset keywords in the signature request to obtain keyword positions, calculating signature coordinates based on the text coordinate information corresponding to the keyword positions, and using the signature coordinates as the signature position information; and performing a hash operation based on the document identifier of the document to be signed, the signature position information, and the current timestamp to obtain the data to be signed.

[0022] Specifically, after authenticating the hardware key device, the electronic signature method receives a signature request from the client or server. The signature request is transmitted in the form of a data packet, containing the identification information of the document to be signed, signature mode parameters, and other configuration parameters. The signature mode parameters indicate how to determine the embedding position of the signature within the document; different signature modes are suitable for different business scenarios.

[0023] It should be noted that this embodiment supports two main signature modes: the specified location mode and the keyword matching mode. The specified location mode is suitable for scenarios where the signature position is fixed, such as the signature field of a contract document, which is usually located in a specific area at the end of the document; while the keyword matching mode is suitable for scenarios where the signature needs to be placed near specific text in the document, such as automatically locating the signature position after the words "Evaluator's Signature:" in a bid evaluation document.

[0024] Specifically, when the signature mode parameter is set to specified location mode, the preset page number, preset horizontal coordinate, and preset vertical coordinate are parsed from the signature request. These coordinate parameters can be specified by the user in the client interface via mouse clicks or drags, or they can be read from the preset template configuration. The preset page number indicates which page the signature should be embedded on, while the preset horizontal and vertical coordinates indicate the signature's position on that page. In PDF documents, the coordinate system typically uses the bottom left corner of the page as the origin, with the horizontal coordinate increasing to the right and the vertical coordinate increasing upwards, using points (1 point is approximately equal to 1 / 72 inch). The parsed preset page number, preset horizontal coordinate, and preset vertical coordinate are combined to form the signature position information.

[0025] When the signature mode parameter is set to keyword matching mode, text extraction is performed on the document to be signed. The text extraction process employs appropriate parsing methods depending on the document format. For example, for PDF documents, a PDF parsing library can be used to extract the text content and its coordinates on the page. The extraction results include the document text content and text coordinate information, where the text coordinate information records the position of each character or text block on the page.

[0026] Then, the document text content is matched against preset keywords carried in the signature request. Preset keywords can be strings with clear semantic meaning, such as "judge's signature," "signature and seal," or "Party A (seal)." The matching process uses a string search algorithm to traverse the document text content and find all locations that match the preset keywords. If multiple matching results exist in the document, one can be selected according to preset rules, such as selecting the first occurrence or selecting the matching location on the last page based on page number priority.

[0027] After determining the keyword position, the signature coordinates are calculated based on the text coordinates corresponding to that keyword position. The calculation method can be either to obtain the right boundary coordinates of the keyword text box as the left boundary of the signature image, or to place the signature after leaving a certain spacing below the keyword. The calculated signature coordinates are used as the signature position information.

[0028] After determining the signature location information, the data to be signed is generated based on the document identifier, signature location information, and current timestamp of the document to be signed. The document identifier can be a unique document number, a hash value of the file path, or a digest value of the document content. The document identifier, signature location information (including page numbers and coordinates), and current timestamp are concatenated into a string according to a specific format, and then a hash operation is performed on this string to obtain a fixed-length hash value, which is the data to be signed. The hash operation can use secure hash algorithms such as SHA-256 or SM3 to ensure the uniqueness and immutability of the data to be signed.

[0029] 103. Based on the device session handle and the data to be signed, call the signature interface of the hardware key device to obtain the signature data; In this embodiment, the step of calling the signature interface of the hardware key device according to the device session handle and the data to be signed to obtain the signature data includes: parsing the signature function symbols in the driver library file according to the library file handle to obtain a signature function pointer; calling the signature function corresponding to the signature function pointer according to the device session handle, the PIN code input by the user, the data to be signed, the length of the data to be signed, and a signature buffer for receiving the signature result, performing a digital signature operation on the data to be signed using the signature function and the private key stored internally by the hardware key device, and writing the signature result into the signature buffer; and reading the signature result from the signature buffer to obtain the signature data and the signature data length.

[0030] Specifically, the signature function symbols in the driver library file are parsed based on the library file handle. These signature function symbols are typically named in the form of XS_API_SignMessage. The dlsym function takes this symbol name as input and retrieves the corresponding signature function pointer. This pointer points to the entry address of the function in the hardware key device driver library that actually performs the signature operation.

[0031] It's important to note that calling the signature function requires passing multiple parameters to complete the signature operation. These parameters include the device session handle, the user-input PIN code, the data to be signed, the length of the data to be signed, and a signature buffer for receiving the signature result. The device session handle identifies the current session; the PIN code is used to re-verify the user's identity, as the signature operation involves the use of a private key and is a high-security operation; some hardware key devices require the PIN code to be re-entered each time a signature is performed; the data to be signed and its length specify the data content to be signed; and the signature buffer is a pre-allocated memory space used to receive the signature result.

[0032] Then, by calling the signature function corresponding to the signature function pointer, the above parameters are passed to the hardware key device. The signature function communicates with the hardware key device internally. The device first verifies the correctness of the PIN code. After successful verification, it uses the private key stored in the device's internal secure storage area to perform digital signature operations on the data to be signed. The private key is stored in the hardware key device's secure chip and is never exported. All signature operations are completed internally, ensuring the security of the private key.

[0033] The digital signature operation can use algorithms such as RSA, SM2 (China's national cryptographic algorithm), or other asymmetric encryption algorithms, depending on the algorithm types supported by the hardware key device and the type of certificate configured by the user. After the signature operation is completed, the hardware key device returns the signature result via USB or other communication interface, and the signature function writes the result into a pre-provided signature buffer.

[0034] The signature result is read from the signature buffer, yielding the signature data and its length. The signature data is a stream of binary bytes, the length of which depends on the signature algorithm used. For example, the RSA 2048 algorithm generates a signature of 256 bytes, while the SM2 algorithm typically generates a signature of 64 to 72 bytes. The signature data length parameter is used for subsequent correct parsing and processing of the signature data.

[0035] As can be seen, this embodiment completes the digital signature operation of the data to be signed by calling the signature interface of the hardware key device and using the private key stored inside the device. The generated signature data will be embedded into the document together with the seal image in subsequent steps to form a complete electronic seal.

[0036] Furthermore, the private key stored internally in the hardware key device adopts a seed storage method. The digital signature operation on the data to be signed using the signature function and the private key stored internally in the hardware key device includes: in the initial key pair generation stage, generating a random seed and encrypting the random seed and storing it in the internal storage area of ​​the hardware key device as the private key stored internally in the hardware key device; when the signature function receives a digital signature operation request, reading the random seed from the internal storage area of ​​the hardware key device and using the random seed to re-deterministically generate a temporary signature private key; using the temporary signature private key to perform a digital signature operation on the data to be signed using the signature function, obtaining a signature result and writing it into the signature buffer; and after the digital signature operation is completed, clearing the temporary signature private key in memory.

[0037] Specifically, to support higher-security cryptographic algorithms while reducing storage space usage in hardware keying devices, the private key stored internally can employ seed storage. Traditional private key storage methods store the complete private key data directly in the device's secure storage area. While this is acceptable for classic algorithms like RSA or SM2, it's unsuitable for post-quantum cryptography algorithms (such as the Dilithium algorithm based on lattice cryptography), where the private key length can reach thousands of bytes. This quickly exhausts the hardware keying device's storage space, limiting the number of seals and credentials the device can store.

[0038] The core idea of ​​the seed storage method is as follows: During the initial key pair generation phase, a short random seed (e.g., a 32-byte 256-bit random number) is generated. This random seed serves as input to a deterministic random number generator. Through cryptographically secure extension functions (such as SHAKE-256 or HMAC-DRBG), the complete signing private key and verification public key can be deterministically derived. This random seed is then encrypted and stored in the internal storage area of ​​the hardware key device as the private key stored internally within the hardware key device. The complete signing private key data is discarded immediately after generation and is not persistently stored.

[0039] Taking the Dilithium algorithm as an example, its private key contains multiple vector parameters (such as s1, s2, t0, etc.), requiring approximately 4864 bytes for complete storage. However, by using seed storage, only 32 bytes of seed need to be stored, reducing storage space by more than 99%. This allows hardware key devices to support more seal credentials within a limited storage space, or to use higher-security cryptographic algorithms without increasing hardware costs.

[0040] When the signature function receives a digital signature operation request, it reads the stored random seed from the internal storage area of ​​the hardware key device. The reading process requires PIN verification to ensure that only authorized users can trigger the seed reading operation. After decryption, the read seed data is used to regenerate the temporary signature private key using the same deterministic algorithm as in the initial generation phase. Although this reconstruction process requires additional computation time, for the Dilithium algorithm, the time overhead of key reconstruction is approximately tens of milliseconds, which is insignificant compared to the overall signing process time.

[0041] Then, the signature function uses the reconstructed temporary signature private key to perform a digital signature operation on the data to be signed. The signature operation process is the same as the traditional method: the data to be signed is first hashed to obtain a message digest, and then the message digest is signed using the base key parameters in the temporary signature private key. After the signature operation is completed, the signature result is written to the signature buffer.

[0042] It's important to note that, to further enhance security, the temporary signing private key is immediately cleared from memory after the digital signature computation is complete. This clearing operation is achieved by overwriting the memory area storing the private key, typically with zero or a random number, and repeated multiple times to prevent memory remnants. This use-and-clear mechanism ensures that the private key data does not reside in memory for extended periods. Even if an attacker gains access to the device's memory through a side-channel attack or memory dump, they cannot steal the complete private key data.

[0043] It is evident that the seed storage method, while maintaining signature security, significantly reduces the storage space occupied by the private key and improves the security of the temporary private key, enabling hardware key devices to support high-security cryptographic algorithms and more signature credential management under resource-constrained conditions.

[0044] Furthermore, the step of performing a digital signature operation on the data to be signed using the temporary signing private key through the signing function, obtaining a signature result, and writing it into the signature buffer includes: performing a hash operation on the data to be signed using the signing function to obtain a message digest; performing a signature calculation on the message digest using the basic key parameters in the temporary signing private key through the signing function, dynamically generating the required intermediate parameters according to the random seed during the signature calculation process, and immediately releasing the memory space occupied by the intermediate parameters after the intermediate parameters are used up; and writing the signature value obtained by the signature calculation as the signature result into the signature buffer.

[0045] Specifically, the signature function first performs a hash operation on the data to be signed to obtain a message digest. The hash operation converts data of arbitrary length into a fixed-length digest value. For example, the SHA-256 algorithm yields a 32-byte message digest, and the Chinese national cryptographic algorithm SM3 also yields a 32-byte digest value. Signing the message digest instead of directly signing the original data is standard practice in digital signature algorithms, ensuring both signing efficiency and security.

[0046] Furthermore, the signature function uses the base key parameters from the temporary signing private key to perform a signature calculation on the message digest. The base key parameters are the core parameters in the temporary signing private key that directly participate in the signature calculation. For example, in the Dilithium algorithm, the base key parameters include vectors s1 and s2. These parameters, reconstructed from the random seed, are loaded into memory to participate in the signature calculation.

[0047] It's important to note that in addition to the basic key parameters, some intermediate parameters are needed to assist in the signature calculation process. Taking the Dilithium algorithm as an example, the signature process requires the intermediate parameter t0, which is obtained through operations on matrix A and vectors s1 and s2. Traditional implementations pre-calculate and store all intermediate parameters in memory, but this approach consumes a significant amount of stack or heap memory on embedded devices. For instance, the reference implementation of the Dilithium5 algorithm requires over 120KB of memory during the signature process, which is unacceptable for embedded devices with only 64KB of RAM.

[0048] Therefore, this embodiment employs a strategy of dynamically generating intermediate parameters: during the signature calculation process, when a certain intermediate parameter is needed, it is temporarily calculated based on the random seed and the basic key parameters. For example, when the signature algorithm reaches the step requiring the intermediate parameter t0, matrix A is regenerated based on the random seed, and then t = A·s1 + s2 is calculated. Modular reduction of t yields t0. After completing the corresponding calculation using this intermediate parameter, the memory space occupied by the intermediate parameter is immediately released.

[0049] The release of intermediate parameters is achieved through explicit memory reclamation. In the C implementation, if the intermediate parameter is allocated on the stack, it is automatically reclaimed when it goes out of scope; if it is allocated on the heap, the `free` function is called to release it. In the Rust implementation, its ownership mechanism can be used to ensure that intermediate parameters are automatically released when they go out of scope. Through this dynamic generation and immediate release mechanism, the peak memory usage of the signature calculation process can be reduced to less than 20KB, enabling high-security signature algorithms to execute smoothly on resource-constrained hardware keying devices.

[0050] After the signature calculation is complete, a signature value is obtained. The signature value is a piece of binary data, the format of which and its length are determined by the specific signature algorithm. For example, the signature value generated by the Dilithium3 algorithm is approximately 3293 bytes long. The signature function writes this signature value as the signature result to a pre-allocated signature buffer and records the actual length of the data written so that the caller can correctly read the signature data.

[0051] 104. Generate a signature object based on the electronic seal data, the signature data, and the signature position information, and embed the signature object into the document to be signed.

[0052] In this embodiment, generating a signature object based on the electronic seal data, the signature data, and the signature position information, and embedding the signature object into the document to be signed includes: combining the electronic seal data, the signature data, the signature position information, and the current timestamp to generate the signature object containing a seal image, a digital signature, position coordinates, and a signing time; locating the page of the document to be signed based on the page number information in the signature position information to obtain a target page, and determining the signature embedding position in the target page based on the coordinate information in the signature position information; inserting the seal image from the signature object into the signature embedding position, and attaching the digital signature and signing time from the signature object as metadata to the seal image, thereby embedding the signature object into the document to be signed.

[0053] Specifically, a signature object is generated by combining electronic seal data, signature data, signature location information, and the current timestamp. Electronic seal data includes the binary data of the seal image and its format information; signature data is the signature value obtained by performing a digital signature operation on the data to be signed; signature location information includes the page number and coordinates; and the current timestamp records the exact moment the signing operation occurred. This information is organized according to a specific data structure to form a signature object. This signature object contains complete information such as the seal image, digital signature, location coordinates, and signing time, and is the basic unit for subsequent embedding in the document.

[0054] Then, the page location of the document to be signed is determined based on the page number information in the signature location information. For PDF documents, page numbers start from 1. The document's page set can be accessed through PDF processing libraries (such as iText, PDFBox, etc.), and the target page can be located based on the page number index. If the page number exceeds the actual number of pages in the document, an error message is returned; if the page number is a special value (such as -1 indicating the last page), the total number of pages in the document needs to be obtained first before determining the actual target page.

[0055] After determining the target page, the signature embedding position on the target page is determined based on the coordinate information in the signature location information. The coordinate information includes the x-coordinate and y-coordinate, which are relative to the page coordinate system. When determining the embedding position, the size of the seal image also needs to be considered to ensure that the seal is fully displayed within the page area. For example, if the seal image is 80 points wide and 80 points high, and the specified coordinates are the bottom left corner of the seal, then it is necessary to check whether x + 80 and y + 80 exceed the page boundaries, adjusting the coordinates or issuing a warning if necessary.

[0056] Insert the seal image from the signature object into the signature embedding position. The insertion operation is achieved using the image drawing function of the PDF processing library, adding the seal image as a graphic object to the content flow of the target page. During insertion, you need to set the image's position, size, and transparency. For PNG format seals with transparent backgrounds, you can maintain their alpha channel to allow the seal to blend naturally with the document background; for formats such as JPG that do not support transparency, you need to pay attention to the visual harmony between the seal edges and the document content.

[0057] It's important to note that attaching the digital signature and signing time as metadata to the seal image is a crucial step in ensuring the legal validity of electronic signatures. This metadata can be attached to PDF documents in several ways. One method is to embed the signature data into the PDF's digital signature field, which conforms to the signature specifications defined by the ISO 32000 standard and includes information such as the signature value, signature algorithm identifier, and signer certificate. Another method is to attach the signature and timestamp as annotations to the seal image object. These annotations are not visible to ordinary users but can be read and verified using PDF verification tools.

[0058] In one specific embodiment, a PDF incremental update method can be used to embed signature objects. Incremental update refers to appending new objects and cross-reference tables to the end of the original PDF file without modifying the content of the original file. The advantage of this method is that it maintains the integrity of the original document. If the signature needs to be removed, the original document can be restored by deleting the incremental part. At the same time, incremental update also facilitates scenarios where multiple people sign multiple times, with each signature generating a new incremental part, and all signature information is saved in chronological order.

[0059] Once the signature object is embedded, the document content is updated, generating a final document containing the electronic signature. This document can be saved as a new file or overwrite the original file. When saving, the PDF's metadata information, such as the modification date and document version, needs to be updated to reflect the document's signed status.

[0060] In this embodiment, a session is established with the hardware key device to obtain a device session handle. The hardware key device is then authenticated using the session handle, and the electronic seal data within it is read. A signing request is received, and the signing position information of the document to be signed is determined based on the signing mode parameters in the request. Signing data to be signed is generated based on the document and the signing position information. The signature interface of the hardware key device is called based on the device session handle and the signing data to obtain signature data. A signature object is generated based on the electronic seal data, signature data, and signing position information, and then embedded into the document to be signed. This invention achieves flexible determination of the signing position through signing mode parameters, solving the problems of fixed signing positions and cumbersome operations in traditional methods, and improving the automation and efficiency of batch document signing.

[0061] Please see Figure 2 Another embodiment of the electronic signature method in this application includes: 201. Establish a session with the hardware key device and obtain the device session handle; 202. Based on the device session handle and the PIN code entered by the user, call the PIN code verification interface of the hardware key device to perform identity verification; In this embodiment, the PIN verification interface of the hardware key device is invoked based on the device session handle and the PIN code entered by the user. The PIN verification interface transmits the user-entered PIN code to the hardware key device, which internally compares and verifies the PIN code. If the PIN code is correct, the device returns a verification success flag and marks the user as successfully authenticated in the current session; if the PIN code is incorrect, the device returns a verification failure flag and records the number of incorrect attempts. It should be noted that most hardware key devices limit the number of incorrect PIN code attempts; for example, after 10 consecutive incorrect attempts, the device will be locked and requires an administrator key or factory reset to unlock. This mechanism effectively prevents brute-force attacks.

[0062] 203. When authentication is successful, the seal enumeration interface of the hardware key device is called according to the device session handle to obtain the number of seals and the seal index list; In this embodiment, the step of calling the seal enumeration interface of the hardware key device according to the device session handle to obtain the number of seals and the seal index list includes: calling the seal enumeration interface according to the device session handle to obtain a seal list string and the number of seals; splitting the seal list string according to a preset delimiter to obtain multiple seal names; generating the seal index list according to the number of seals and the multiple seal names, wherein the seal index list includes seal indexes and corresponding seal names.

[0063] Specifically, once the PIN code verification is successful, the seal data stored in the hardware key device can be accessed. Hardware key devices typically support the storage of multiple electronic seals, each corresponding to different usage scenarios or different signing permissions. For example, enterprise users may store multiple seals such as the legal representative's seal, financial seal, and contract seal in the same device.

[0064] Specifically, the hardware key device's seal enumeration interface is invoked based on the device session handle. This interface sends an enumeration request to the hardware key device, which iterates through its internally stored seal data and returns the name and quantity information of all seals. The returned data includes the seal quantity and a seal list string, where the seal quantity is an integer value indicating the total number of seals stored in the device; the seal list string is an encoded string containing the name information of all seals, with each seal name separated by a preset delimiter.

[0065] Next, the list of seals is split into strings according to preset delimiters. These delimiters are defined by the hardware key device manufacturer, and common delimiters include the vertical bar "|", semicolon ";", or comma ",". The splitting operation is implemented using string manipulation functions; for example, the `strtok` function can be used in C, and the `split` method can be used in Python. After splitting, multiple seal names are obtained, each corresponding to an electronic seal stored in the device.

[0066] A seal index list is generated based on the number of seals and multiple seal names. The seal index list is a data structure that associates each seal name with its corresponding index value. The index values ​​typically start from 0 or 1 and increment sequentially, used to uniquely identify a seal in subsequent seal reading operations. For example, if the device stores three seals named "Legal Representative Seal," "Financial Seal," and "Contract Seal," the generated seal index list can be represented as follows: Index 0 corresponds to "Legal Representative Seal," Index 1 corresponds to "Financial Seal," and Index 2 corresponds to "Contract Seal." This index list can be displayed to the user, allowing the user to select the seal they wish to use.

[0067] 204. Based on the device session handle and the target seal index in the seal index list, call the seal reading interface of the hardware key device to obtain the electronic seal data; In this embodiment, after the user selects a target seal from the seal index list, the seal reading interface of the hardware key device is invoked based on the device session handle and the target seal index. The target seal index is the index value corresponding to a seal selected by the user from the seal index list, and this index value uniquely identifies a specific seal stored internally by the hardware key device.

[0068] The seal reading interface receives the device session handle and the target seal index as parameters and sends a read request to the hardware key device. The hardware key device locates the corresponding seal data from its internal storage area based on the received target seal index. The seal data is stored in the device as a file or data block, containing the binary data of the seal image, image format identifiers (such as PNG, BMP, etc.), and metadata about the seal (such as seal size, creation time, etc.). The device returns the read seal image data via USB or other communication interface.

[0069] The received seal image data is a raw binary byte stream, the length of which depends on the size and format of the seal image. For example, an 80×80 pixel PNG format transparent seal image typically has a data size between 5KB and 20KB. The read seal image data is cached in memory and used as electronic seal data in subsequent signature object generation steps. Simultaneously, the seal image data can be decoded and previewed, allowing the user to confirm that the read seal is the intended one, avoiding signing errors due to incorrect selection.

[0070] 205. Receive a signature request, determine the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generate the signature data based on the document to be signed and the signature position information. 206. Based on the device session handle and the data to be signed, call the signature interface of the hardware key device to obtain the signature data; 207. Generate a signature object based on the electronic seal data, the signature data, and the signature position information, and embed the signature object into the document to be signed.

[0071] In this embodiment, steps 205-207 are similar to steps 102-104 in the first embodiment, and will not be described again here.

[0072] In this embodiment, a session is established with the hardware key device to obtain a device session handle. The hardware key device is then authenticated using the session handle, and the electronic seal data within it is read. A signing request is received, and the signing position information of the document to be signed is determined based on the signing mode parameters in the request. Signing data to be signed is generated based on the document and the signing position information. The signature interface of the hardware key device is called based on the device session handle and the signing data to obtain signature data. A signature object is generated based on the electronic seal data, signature data, and signing position information, and then embedded into the document to be signed. This invention achieves flexible determination of the signing position through signing mode parameters, solving the problems of fixed signing positions and cumbersome operations in traditional methods, and improving the automation and efficiency of batch document signing.

[0073] The electronic signature method in the embodiments of the present invention has been described above. The electronic signature device in the embodiments of the present invention will be described below. Please refer to [link to relevant documentation] for details. Figure 3 One embodiment of the electronic signature device in this invention includes: The device authentication module 301 is used to establish a session with the hardware key device, obtain a device session handle, authenticate the hardware key device according to the device session handle, and read the electronic seal data in the hardware key device according to the device session handle. The location determination module 302 is used to receive a signing request, determine the signing location information of the document to be signed according to the signing mode parameters in the signing request, and generate signing data according to the document to be signed and the signing location information. The signature generation module 303 is used to call the signature interface of the hardware key device according to the device session handle and the data to be signed to obtain signature data; The signature embedding module 304 is used to generate a signature object based on the electronic seal data, the signature data and the signature position information, and embed the signature object into the document to be signed.

[0074] In this embodiment of the invention, the electronic signature device operates the aforementioned electronic signature method. The electronic signature device establishes a session with a hardware key device to obtain a device session handle, authenticates the hardware key device using the device session handle, and reads the electronic seal data from the hardware key device. It receives a signature request, determines the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generates data to be signed based on the document to be signed and the signature position information. It calls the signature interface of the hardware key device based on the device session handle and the data to be signed to obtain signature data. Finally, it generates a signature object based on the electronic seal data, signature data, and signature position information, and embeds the signature object into the document to be signed. This invention achieves flexible determination of the signature position through signature mode parameters, solving the problems of fixed signature positions and cumbersome operations in traditional methods, and improving the automation and efficiency of batch document signing.

[0075] above Figure 3 The electronic signature device in the embodiments of the present invention will be described in detail from the perspective of unitized functional entities. The electronic signature device in the embodiments of the present invention will be described in detail from the perspective of hardware processing.

[0076] Figure 4This is a schematic diagram of an electronic signature device 400 provided in an embodiment of the present invention. The electronic signature device 400 can vary significantly due to different configurations or performance. It may include one or more central processing units (CPUs) 410 (e.g., one or more processors) and a memory 420, and one or more storage media 430 (e.g., one or more mass storage devices) for storing application programs 433 or data 432. The memory 420 and storage media 430 can be temporary or persistent storage. The program stored in the storage media 430 may include one or more units (not shown in the diagram), each unit may include a series of instruction operations on the electronic signature device 400. Furthermore, the processor 410 may be configured to communicate with the storage media 430 and execute the series of instruction operations in the storage media 430 on the electronic signature device 400 to implement the steps of the above-described electronic signature method.

[0077] The electronic signature device 400 may also include one or more power supplies 440, one or more wired or wireless network interfaces 450, one or more input / output interfaces 460, and / or one or more operating systems 431, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, etc. Those skilled in the art will understand that... Figure 4 The illustrated electronic signature device structure does not constitute a limitation on the electronic signature device provided by the present invention. It may include more or fewer components than illustrated, or combine certain components, or have different component arrangements.

[0078] The present invention also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium or a volatile computer-readable storage medium, wherein the computer-readable storage medium stores instructions that, when the instructions are executed on a computer, cause the computer to perform the steps of the electronic signature method.

[0079] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working process of the system, device, or unit described above can be referred to the corresponding process in the foregoing method embodiments, and will not be repeated here.

[0080] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0081] The above-described embodiments are only used to illustrate the technical solutions of the present invention, and are not intended to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. An electronic signature method; characterized in that; The electronic signature method includes A session is established with the hardware key device to obtain a device session handle. The hardware key device is then authenticated based on the device session handle, and the electronic seal data in the hardware key device is read based on the device session handle. Receive a signature request, determine the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generate signature data based on the document to be signed and the signature position information; The signature data is obtained by calling the signature interface of the hardware key device based on the device session handle and the data to be signed. A signature object is generated based on the electronic seal data, the signature data, and the signature position information, and the signature object is embedded into the document to be signed.

2. The electronic signature method according to claim 1, characterized in that, The process of establishing a session with the hardware key device and obtaining the device session handle includes: The driver library file for the hardware key device is loaded using the dynamic link library loading function to obtain the library file handle; Based on the library file handle, the device operation function symbols in the driver library file are parsed to obtain the device open function pointer; Call the device open function corresponding to the device open function pointer to obtain the device session handle.

3. The electronic signature method according to claim 1, characterized in that, The step of authenticating the hardware key device based on the device session handle and reading the electronic seal data in the hardware key device based on the device session handle includes: The device session handle and the PIN code entered by the user are used to call the PIN code verification interface of the hardware key device for authentication. When authentication is successful, the seal enumeration interface of the hardware key device is called according to the device session handle to obtain the number of seals and the seal index list. The electronic seal data is obtained by calling the seal reading interface of the hardware key device based on the device session handle and the target seal index in the seal index list.

4. The electronic signature method according to claim 3, characterized in that, The step of calling the seal enumeration interface of the hardware key device based on the device session handle to obtain the number of seals and the seal index list includes: The seal enumeration interface is called based on the device session handle to obtain the seal list string and the number of seals. The string of seals is split according to a preset delimiter to obtain multiple seal names; The seal index list is generated based on the number of seals and the multiple seal names. The seal index list includes the seal index and the corresponding seal name.

5. The electronic signature method according to claim 1, characterized in that, The step of determining the signature position information of the document to be signed based on the signature mode parameters in the signature request, and generating the signature data based on the document to be signed and the signature position information, includes: When the signature mode parameter is a specified position mode, the preset page number, preset horizontal coordinate and preset vertical coordinate are parsed from the signature request, and the preset page number, preset horizontal coordinate and preset vertical coordinate are used as the signature position information; When the signature mode parameter is keyword matching mode, the document to be signed is extracted to obtain the document text content and text coordinate information. The document text content is matched with the preset keyword in the signature request to obtain the keyword position. The signature coordinates are calculated based on the text coordinate information corresponding to the keyword position, and the signature coordinates are used as the signature position information. The data to be signed is obtained by performing a hash operation based on the document identifier of the document to be signed, the signing location information, and the current timestamp.

6. The electronic signature method according to claim 2, characterized in that, The step of calling the signature interface of the hardware key device based on the device session handle and the data to be signed to obtain the signature data includes: The signature function symbols in the driver library file are parsed based on the library file handle to obtain the signature function pointer; The signature function corresponding to the signature function pointer is invoked based on the device session handle, the PIN code entered by the user, the data to be signed, the length of the data to be signed, and the signature buffer used to receive the signature result. The signature function and the private key stored inside the hardware key device are used to perform a digital signature operation on the data to be signed, and the signature result is written into the signature buffer. The signature result is read from the signature buffer to obtain the signature data and the signature data length.

7. The electronic signature method according to claim 1, characterized in that, The step of generating a signature object based on the electronic seal data, the signature data, and the signature position information, and embedding the signature object into the document to be signed includes: The electronic seal data, the signature data, the signature location information, and the current timestamp are combined to generate the signature object, which includes a seal image, digital signature, location coordinates, and signature time. The page of the document to be signed is located based on the page number information in the signature location information to obtain the target page, and the signature embedding position is determined in the target page based on the coordinate information in the signature location information. The seal image from the signature object is inserted into the signature embedding position, and the digital signature and signing time from the signature object are appended to the seal image as metadata, thereby embedding the signature object into the document to be signed.

8. An electronic signature device, characterized in that, The electronic signature device includes: The device authentication module is used to establish a session with the hardware key device, obtain a device session handle, authenticate the hardware key device based on the device session handle, and read the electronic seal data in the hardware key device based on the device session handle. The location determination module is used to receive a signing request, determine the signing location information of the document to be signed based on the signing mode parameters in the signing request, and generate signing data based on the document to be signed and the signing location information. The signature generation module is used to call the signature interface of the hardware key device based on the device session handle and the data to be signed, so as to obtain signature data; The signature embedding module is used to generate a signature object based on the electronic seal data, the signature data, and the signature position information, and to embed the signature object into the document to be signed.

9. An electronic signature device, characterized in that, The electronic signature device includes: a memory and at least one processor, wherein the memory stores instructions; The at least one processor invokes the instructions in the memory to cause the electronic signature device to perform the steps of the electronic signature method as described in any one of claims 1-7.

10. A computer-readable storage medium storing instructions thereon, characterized in that, When the instructions are executed by the processor, they implement the steps of the electronic signature method as described in any one of claims 1-7.