CeiSigner

class CeiSigner

Builder for a document signing session against a Romanian CEI card.

Obtain an instance from EidKit.signer. The signing session is separate from a read session — it requires a dedicated card tap and the 6-digit signing PIN.

The chip produces a raw ECDSA-SHA384 signature over the provided 48-byte hash using the nonRepudiation key (key ref 0x8E) in the GenPKI applet.

Preparing the hash

Compute a SHA-384 hash of the document content to be signed (e.g. the PDF byte range as defined by the PAdES signature field), then pass the 48 bytes here:

import java.security.MessageDigest

val hash = MessageDigest.getInstance("SHA-384").digest(documentBytes)
// hash.size == 48

Embedding the signature

SignResult.signature is a raw 96-byte r||s value. To embed it in a PDF (PAdES/eIDAS), it must be wrapped in a CMS/PKCS#7 SignedData structure. Use ro.eidkit.sdk.config.EidKitConfig.signingServiceUrl to delegate this to the EidKit signing service, or handle it yourself with Apache PDFBox.
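Before wrapping the value, a client can check the card's output locally. The following is an added example, not EidKit code: it converts the raw r||s value to the DER ECDSA-Sig-Value form (SEQUENCE of two INTEGERs) that CMS SignedData and java.security.Signature expect, then verifies it over the 48-byte hash. The function names are hypothetical, and it assumes SignResult.signature and SignResult.certificate are available as ByteArray.

```kotlin
import java.io.ByteArrayInputStream
import java.math.BigInteger
import java.security.Signature
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

/** Hypothetical helper: raw 96-byte r||s -> DER SEQUENCE { INTEGER r, INTEGER s }. */
fun rawToDer(raw: ByteArray): ByteArray {
    require(raw.size == 96) { "expected 96-byte r||s, got ${raw.size}" }
    // BigInteger(1, ...) reads the bytes as unsigned. toByteArray() then gives the
    // minimal DER INTEGER content: leading zeros dropped, 0x00 added if the high bit is set.
    val r = BigInteger(1, raw.copyOfRange(0, 48))
    val s = BigInteger(1, raw.copyOfRange(48, 96))
    require(r.signum() > 0 && s.signum() > 0) { "r and s must be non-zero" }
    fun derInt(v: BigInteger): ByteArray {
        val b = v.toByteArray() // at most 49 bytes, so a one-byte length is enough
        return byteArrayOf(0x02, b.size.toByte()) + b
    }
    val body = derInt(r) + derInt(s) // at most 102 bytes, still short-form length
    return byteArrayOf(0x30, body.size.toByte()) + body
}

/** Hypothetical helper: check the raw signature against the key in the returned certificate. */
fun verifyCardSignature(hash: ByteArray, rawSignature: ByteArray, certificateDer: ByteArray): Boolean {
    require(hash.size == 48) { "expected a 48-byte SHA-384 digest" }
    val cert = CertificateFactory.getInstance("X.509")
        .generateCertificate(ByteArrayInputStream(certificateDer)) as X509Certificate
    // NONEwithECDSA verifies over a precomputed digest, matching what the chip signed.
    // This only ties the signature to the certificate's key; chain validation is separate.
    return Signature.getInstance("NONEwithECDSA").run {
        initVerify(cert.publicKey)
        update(hash)
        verify(rawToDer(rawSignature))
    }
}

fun main() {
    // Constructed input covering both encoding edge cases:
    // r has its high bit set (needs a 0x00 prefix), s has 47 leading zero bytes.
    val raw = ByteArray(96).also { it[0] = 0x80.toByte(); it[95] = 0x01 }
    val der = rawToDer(raw)
    println("DER length ${der.size}: " + der.joinToString("") { "%02x".format(it) })
}
```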

Example

override fun onNewIntent(intent: Intent) {
    super.onNewIntent(intent)
    val isoDep = nfcManager.handleIntent(intent) ?: return
    lifecycleScope.launch {
        val result = EidKit.signer()
            .sign(documentHash, signingPin = userEnteredSigningPin)
            .execute(isoDep)
        // result.signature — 96-byte raw ECDSA-SHA384 r||s
        // result.certificate — DER X.509 CE8E cert for verification
    }
}

Functions

suspend fun execute(isoDep: IsoDep): SignResult

Execute the signing session on the given IsoDep tag.

fun executeFlow(isoDep: IsoDep): Flow<SignEvent>

Execute the signing session and emit SignEvent progress events as the session advances.

fun sign(hash: ByteArray, signingPin: String): CeiSigner

Set the document hash and signing PIN for this session.