<IsaacVidal />

Enterprise Java

Electronic Signature System

Windows companion app + browser bridge that lets government-credentialed users sign legally-binding PDFs from a web app, talking PKCS#11 to a smart card reader and authenticating against the national PKI's cloud vault.

Client

Supreme Court of Justice of Panama

Year

2023–2024

Duration

6 months (Oct 2023 – Mar 2024)

Role

Full Stack Engineer

The Challenge

Give court staff a way to legally sign PDFs directly from the browser using their government-issued smart cards — while keeping private keys on the card, validating the certificate chain against the Panamanian national PKI, and producing signatures that hold up legally years later. Modern browsers can't talk to smart cards directly (NPAPI is gone, WebUSB doesn't cover this protocol), so the bridge had to live outside the browser.

The Solution

Wrote a Windows companion app (.msi installer) that bundles the smart card reader's drivers, a Java signing service, and a localhost WebSocket server origin-locked to the court's domain. The browser hashes the PDF locally and sends only the hash over the WebSocket. The companion authenticates the user via PIN against the government's cloud vault, then asks the smart card (via PKCS#11) to sign the hash with its on-card private key. It then looks up the user's certificate chain in the Windows Certificate Store, checks revocation via OCSP (with CRL fallback), and wraps the signature into PAdES-LTV format so the document stays legally valid years after the certificate expires.
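
One way to enforce the origin lock and the hash-only message described above, shown as an added example that is not the project's code: an exact-match Origin and Host test on the WebSocket upgrade request, and a fixed-length check on the digest before it goes to the card. The origin `https://court.example`, port 8443, the SHA-256 digest length and all class and method names are assumptions; the page does not give them.

```java
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class BridgeHandshakePolicy {
    // Assumptions (not from the page): placeholder origin, port, and SHA-256 as the digest.
    static final String ALLOWED_ORIGIN = "https://court.example";
    static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1:8443", "localhost:8443");
    static final int DIGEST_BYTES = 32;

    /** Decide whether a WebSocket upgrade may proceed. Header names are lower-cased by the caller. */
    static boolean acceptHandshake(Map<String, String> headers) {
        String origin = headers.get("origin");
        String host = headers.get("host");
        // Exact match only: a prefix or substring test would also accept a
        // look-alike such as https://court.example.other.test.
        if (origin == null || !origin.equals(ALLOWED_ORIGIN)) return false;
        // The Host header must name the loopback listener, so a request addressed
        // to any other hostname (as in DNS rebinding) is refused.
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Accept only a fixed-length hex digest, so the card never signs arbitrary-length input. */
    static byte[] parseDigest(String hex) {
        if (hex == null || hex.length() != DIGEST_BYTES * 2) {
            throw new IllegalArgumentException("digest must be " + DIGEST_BYTES + " bytes of hex");
        }
        return HexFormat.of().parseHex(hex); // IllegalArgumentException on non-hex characters
    }

    public static void main(String[] args) {
        // Constructed sample handshakes, not captured traffic.
        var good = Map.of("origin", "https://court.example", "host", "127.0.0.1:8443");
        var lookalike = Map.of("origin", "https://court.example.other.test", "host", "127.0.0.1:8443");
        var wrongHost = Map.of("origin", "https://court.example", "host", "rebind.other.test:8443");
        var noOrigin = Map.of("host", "127.0.0.1:8443");
        System.out.println("good:      " + acceptHandshake(good));
        System.out.println("lookalike: " + acceptHandshake(lookalike));
        System.out.println("wrongHost: " + acceptHandshake(wrongHost));
        System.out.println("noOrigin:  " + acceptHandshake(noOrigin));
        System.out.println("digest bytes: " + parseDigest("ab".repeat(DIGEST_BYTES)).length);
    }
}
```

A missing Origin header is rejected rather than allowed: non-browser local processes can omit or forge it, so the origin check limits which web pages can reach the bridge and does not authenticate local software.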

Key Results

Legally-valid PDF signatures issued directly from the browser

Private keys never leave the smart card; PINs never reach the browser

PAdES-LTV embedded — signatures validate years after cert expiry

Deployed across Supreme Court workflows; cut paper-signing turnaround from days to minutes

Technologies Used

Java, PKCS#11, PAdES-LTV, WebSocket, Windows Installer, Smart Card, Windows Certificate Store, OCSP, Government Cloud Vault
