Digital signatures in PDF

Revision as of 14:58, 24 May 2018 by Adminko (talk | contribs) (CAdES signatures)
Jump to: navigation, search


Digial signatures do have the same power like their physical counterparts, but instead can be added without taking a pen or even without having a person signing the paper. They are based on so-called digital certificates, similar to those used for data encryption. It's a complex subject and we won't go to various mathematical aspects behind it, while will rather describe its difference from the regular signatures and how one can get PDF documents signed this way.

A list below shows some of the very important differences between regular and digital signatures:

  • digital signature guarantees the integrity of the document, it's not possible to change its content after the signing without the person reading the document noticing it
  • with digital signatures the identity of the person is easier to validate, so you always know who signed the document and when, it's possible to use an external timestamp server for getting a correct timestamp during the signing
  • digital means paperless, so no need to print something and the document may remain digital during its lifetime
  • digital signning can be automated, so it becomes possible for companies to process millions of documents very fast without a need for a manual labor, so bills, forms, orders can be signed without any human intervention by a company's signature if needed
  • it's possible to have digital signatures long term validated (LTV signatures) and documents suitable for archiving using the OCSP and CRL responses from the signing authority embedded during the signing

The PDF specification explains this subjecy in details in section 12.8 “Digital Signatures”, so if you're interested in under the hood tech the information given there can't be underestimated. Apitron PDF Kit implements all you need to sign PDF documents digitally, and the typical signing workflow is described in details below.

Digital signature in PDF usually consists of a signature field (implemented by a SignatureField class) added to FixedDocument.AcroForm collection in Fixed layout API or FlowDocument.Fields collection in Flow layout API and optionally its visual representation on one or more pages added using the corresponding widget annotation object implemented by a SignatureFieldView class.

LTV signatures

Long term validation signatures are quite specific, they are the same as normal signatures but intented for somehow longer archiving or processing without one having an ability to make a validation request to the original authority that issued the signing certificate. That's said they should carry all the information necessary to validate them with themselves. OCSP and CRL responses are the things that can be embedded into the signature and help to validate it later in case the issuing authority is out of the business or inaccessible. In practice, however, you'd rarely find an OCSP response with a validity for more than a few hours after the time the request has been made, so LTV signature's validity is heavily dependend on the signing authority.

CAdES signatures

A class CAdESSignature provides support for the advanced signatures defined by the further development of the cryptographics message syntax (CMS) standard. A digital signature, technically implemented based on CAdES has the status of an advanced electronic signature.

If it's a CAdES signature then,

  • it is uniquely linked to the signer
  • it is capable of identifying signer
  • only the signer has control of the data used for the creation of the signature
  • if the data attached to the signature has been changed after the signing, then it can be identified

A resulting property of CAdES is that digitally signed documents can remain valid for long periods, even if the signer later attempts to deny the validity of the signature. It's appears to be a better alternative to LTV signatures.

Signing using smart cards and cryptographic tokens

For signing you need a private key associated with a digital certificate, but sometimes the only thing your customers have is a some kind of cryptographics token: an USB device or a smart card implementing for example PKCS#11 standard - a platform independent cryptographics token interface, and they don't have any ability to get the direct access to the private key itself. Usually token providers supply drivers compatible with windows crypto API or tokend-based solution for a linux-based system, so you can actually call the signing routines provided by the token and Apitron PDF Kit supplies a specific interface you could implement to handle your particular case. It's called ISignatureServiceProvider and if you need a time stamp for you signatures you'd have to also implement ITimeStamptingAuthority interface.

Code samples

Sign PDF document with a digital certificate

The code below creates a signature object from a self-signed x509 certificate with a password set, and adds SHA256 RSA signature to the target document. It also creates its visual representation that looks as a handwritten signature, using an image XObject. Any PDF document can contain several signatures and they all can be easily added using either Fixed layout API or Flow layout API provided by the Apitron PDF Kit. If you use a self-signed certificate and it’s not added to the list of the trusted certificates then the reader may warn you that it couldn't validate the certificate used for signing the document.

// create output PDF file
using (FileStream outputStream = new FileStream("security.pdf", FileMode.Create, FileAccess.ReadWrite))
    // create new PDF document
    FixedDocument document = new FixedDocument();
    // add empty page
    document.Pages.Add(new Page());
    // register signature image
    // create signature field and add to the document
    SignatureField signatureField = new SignatureField("mySignature");
    // set signature certificate that will be used to sign the document
    using (Stream signatureStream = new FileStream("johndoe.pfx", FileMode.Open, FileAccess.Read)) 
        signatureField.Signature = Signature.Create(new Pkcs12Store(signatureStream, "password"));
    // create annotation object representing a signature
    SignatureFieldView signatureView = new SignatureFieldView(signatureField,new
    signatureView.ViewSettings = new SignatureFieldViewSettings()
        Graphic = Graphic.Image,
        GraphicResourceID = "signatureImageJoe",
        Description = Description.None
    // add visual representation of the signature onto PDF page