Add digital signature to PDF

Hello,

I’m struggling with adding a digital signature to a PDF document.
The signature we get from our provider is of the following format (stated from the reference guide):

The Cryptographic Message Syntax (CMS) is a standard for cryptographically protected messages. It can be used to digitally sign, digest, authenticate or encrypt any form of digital data. CMS is based on the syntax of PKCS#7.
[…] the signature part in the response is Base64 encoded and represents either a [RFC3161] compliant Trusted Timestamp or a [RFC3369] / [RFC5652] compliant CMS Signature

Can anyone please give me some advice on how to implement a signature of such type? All information I found so far is on adding a certificate but in our case we need to add a complete signature…

Thanks in advance for your help!

@pirmin.stalder

Thanks for contacting support.

Please check the following code snippet to sign PDF documents with a PKCS file.

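```csharp
// dataDir is the folder that holds the input files.
// Load the .pfx key store as a detached PKCS#7 signature object.
Aspose.Pdf.Forms.PKCS7Detached pkcs = new Aspose.Pdf.Forms.PKCS7Detached(dataDir + "PKCSFile.pfx", "password");
Aspose.Pdf.Facades.PdfFileSignature pdfSign = new Aspose.Pdf.Facades.PdfFileSignature();
// Position and size of the signature rectangle on the page.
System.Drawing.Rectangle rect = new System.Drawing.Rectangle(100, 100, 200, 100);
pdfSign.BindPdf(dataDir + "input.pdf");
pdfSign.SetCertificate(dataDir + "stg.pfx", "password");
// Sign page 1; the boolean argument controls whether the signature is visible.
pdfSign.Sign(1, "Signature from John", "1st:Signature Reason", "John", false, rect, pkcs);
pdfSign.Save(dataDir + "certified.pdf");
```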

In case you face any issue, please share your sample PKCS file along with sample PDF document, so that we can test the scenario in our environment and address it accordingly.

Thanks for your reply!
I’ll be busy the whole day today, I’ll give it a try on Monday…

@pirmin.stalder

Thanks for writing back.

Please take your time to test the scenario and in case you face any issue, please let us know by sharing sample PKCS file along with sample PDF.

Unfortunately, I’m still not able to add the signature.
I’m trying to add this: mycert.zip (3.6 KB)
To this (just a dummy pdf): DigitallySign.zip (267.9 KB)

The signature I’m getting from our provider is a ‘Base64 CMS Signature (RFC3369)’ format. Could you help me in converting this into a PKCS#7-signature?

Another problem I’m facing is how to generate a hash-value from the target PDF. This hash is required by our provider in order to request the signature.

Thanks!

@pirmin.stalder

Thanks for sharing the sample files.

I have tried to open the certificate file which you shared and was unable to open it, as it appeared to be an invalid file (please check the screenshot invalid_cert.png). Would you please share a valid certificate file along with its password, so that we can test the scenario in our environment and address it accordingly?

Would you please add more details regarding this requirement? As per my understanding, you want to specify a HASH Algorithm for PDF signing. In case your requirement is different from my understanding, please let us know, so that we can share related information.

Thanks for your help so far, here is the next try:

This is what I get from our provider (now as a text-file): mycertdata.zip (9.3 KB)
Any help on how to add this to a PDF would be highly appreciated!

Regarding the hash-value: this is the information I find in the documentation of our provider:

The document hash (digest) value shall be in a Base64 encoded binary form.

The procedure should be as follows: I must add an empty signature to the target PDF (shouldn’t be a problem to achieve with Aspose). From that manipulated file I have to generate a hash, which I must send to our provider…

@pirmin.stalder

Thanks for sharing the respective file.

We have further looked into the scenario and found that the file which you have shared is not only in Base64 format but a CMS (Cryptographic Message Syntax) file. I am afraid that we were unable to find any method to sign PDF with this file, hence we have logged an investigation ticket as PDFNET-43646 in our issue tracking system.

We have also shared your requirement, related to hash-value generation, along with the logged ticket. Our product team will further investigate the ticket and share their feedback accordingly. As soon as we receive some definite updates in this regard, we will inform you within this forum thread. Please be patient and spare us a little time.

We are sorry for the inconvenience.

@pirmin.stalder

Adding more to my previous reply, we have tried to add the signature with the following code snippet and the API threw an ArgumentOutOfRangeException. However, a PDF file with an empty signature was generated as well. We have logged these details with the previously generated ticket as well. For your reference, we have attached the generated PDF document with the code snippet:

```csharp
Aspose.Pdf.Document document = new Aspose.Pdf.Document(dataDir + "DigitallySign.pdf");
Aspose.Pdf.Facades.PdfFileSignature signature = new Aspose.Pdf.Facades.PdfFileSignature(document);

// mycertdata.txt is the file received from the provider.
Aspose.Pdf.Forms.PKCS7 pkcs = new Aspose.Pdf.Forms.PKCS7(new System.IO.FileStream(dataDir + "mycertdata.txt", System.IO.FileMode.Open), null);
pkcs.Reason = "Reason";
pkcs.ContactInfo = "ContactInfo";
pkcs.Location = "Location";
pkcs.Date = DateTime.Now;
pkcs.ShowProperties = true;

// Position and size of the visible signature on page 1.
System.Drawing.Rectangle rect = new System.Drawing.Rectangle(50, 50, 100, 80);

signature.Sign(1, true, rect, pkcs);
signature.Save(dataDir + "DigitallySign.out.pdf"); // Exception occurs here
```

DigitallySign.out.pdf (307.5 KB)

Dear Aspose,

I fear there isn’t any news on the issue yet…

Here is another input from my side:
I got an email from our provider (Swisscom, a major telecommunications provider in Switzerland, owned by the Swiss Confederation). They wrote that they are willing to give you some support. It could be in form of consulting or even in form of a temporary test-access. Please let me know if this would be of any interest, I could provide you with the contact infos.

Thanks & best regards,
Pirmin

@pirmin.stalder

Thanks for writing to us.

As we have recently logged the issue in our issue tracking system, it is still pending investigation. The product team will definitely start an investigation against it as per their development schedule. I am afraid that we cannot comment any further upon the issue unless we have some investigation results. As soon as some progress, in terms of investigation, is made, we will let you know whether the issue is related to the signature file provided by your provider or it is a limitation in our API.

We greatly appreciate your cooperation and patience in this regard. Please spare us a little time.

We are sorry for the inconvenience.

Dear Aspose Team.

We have the same issue. Our customer wants to use the “All-in Signing Service” from Swisscom. The spec can be found here: http://documents.swisscom.com/product/filestore/lib/16e873d4-d253-4377-9ad2-bc91feec6db8/Reference_Guide-All-in-Signing-Service-v2_6.pdf

Do you have a link for us to your previously mentioned investigation ticket PDFNET-43646, or what is the state of that ticket?

Update: that stackoverflow issue describes what we must do with Swisscom CMS signature: PDF Signature digest - Stack Overflow
My question now is: how can we actually create a signable digest without knowing someone’s certificate beforehand and then adding CMS later to PDF document and that all with Aspose.Pdf? Is this possible today or in the near future?

Thank you very much.
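The procedure described in the posts above (empty signature first, Base64 digest sent to the provider, CMS embedded afterwards), shown at the PDF byte level as an added example; it is not Aspose.Pdf code and not from any participant in this thread. It assumes SHA-256 and a hex `/Contents` placeholder framed by `/ByteRange`; all function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# /ByteRange [o1 l1 o2 l2] names the two spans of the file that are signed;
# the gap between them is the <hex> value of /Contents, where the CMS goes.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def contents_gap(pdf: bytes) -> tuple[int, int]:
    """Return (start, end) of the /Contents value, delimiters included."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found: add the empty signature first")
    o1, l1, o2, l2 = map(int, m.groups())
    # Reject ranges that leave bytes other than the <...> placeholder unsigned.
    if o1 != 0 or o2 + l2 != len(pdf) or pdf[l1:l1 + 1] != b"<" or pdf[o2 - 1:o2] != b">":
        raise ValueError("/ByteRange does not frame the /Contents placeholder")
    return l1, o2


def digest_for_provider(pdf: bytes) -> str:
    """Base64 SHA-256 (assumed algorithm) over everything except /Contents."""
    start, end = contents_gap(pdf)
    return base64.b64encode(hashlib.sha256(pdf[:start] + pdf[end:]).digest()).decode()


def embed_cms(pdf: bytes, cms_b64: str) -> bytes:
    """Write the provider's Base64 CMS into the placeholder as zero-padded hex."""
    start, end = contents_gap(pdf)
    room = end - start - 2  # hex digits available between '<' and '>'
    cms_hex = base64.b64decode(cms_b64, validate=True).hex().encode()
    if len(cms_hex) > room:
        raise ValueError("CMS is larger than the reserved placeholder")
    return pdf[:start + 1] + cms_hex.ljust(room, b"0") + pdf[end - 1:]


def make_sample(reserved_hex: int = 64) -> bytes:
    """Constructed stand-in for a PDF carrying an empty signature (not a full PDF)."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %10d %10d %10d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    l1 = len(head % (0, 0, 0))
    o2 = l1 + reserved_hex + 2
    return head % (l1, o2, len(tail)) + b"<" + b"0" * reserved_hex + b">" + tail


if __name__ == "__main__":
    pdf = make_sample()
    signed = embed_cms(pdf, base64.b64encode(b"constructed-cms-bytes").decode())
    print(digest_for_provider(pdf), digest_for_provider(signed) == digest_for_provider(pdf))
```

Because the digest skips the `/Contents` value, it is identical before and after the CMS is written in, which is why the hash can be requested before the signature exists; the placeholder must be reserved large enough for the CMS the provider returns.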

@beat.kiener

Thanks for your inquiry.

The earlier logged ticket has not been resolved yet, due to other pending issues in the queue. Since the ticket has been logged under the free support model, it will be resolved on a first come first serve basis. As soon as there are some updates regarding ticket resolution, we will let you know.

We have logged these details along with the ticket as well. We will definitely consider them during investigation and let you know in case of further updates. Please be patient and spare us a little time.

We are sorry for the inconvenience.

Any news about this feature?
We also need this functionality.

@manuelk

Thanks for your inquiry.

We regret to share that the earlier logged ticket is not yet resolved due to other high priority issues in the queue. However, we have already escalated the ticket to the next level of priority and as soon as some definite updates are available regarding its investigation, we will share them within this forum thread. Please spare us a little time.

We are sorry for the inconvenience.

too bad.
Only solution for us then is to switch to itextpdf

@manuelk

We apologize for the inconvenience and delay in ticket resolution. Please note that the issue has already been taken into account for investigation/resolution and as soon as the logged ticket is resolved, we will surely let you know. We have already raised the issue priority after recording your concerns, however it will take some time to completely investigate and implement the functionality required. We highly appreciate your comprehension in this regard. Please spare us a little time.

We are sorry for the inconvenience.

I would also need that … any ETA available ?
It seems that you don’t really care about enhancing the signing method, because it’s the same problem for any certificate with export private key disabled. If there is no pfx file it’s impossible to use the signing method.
Thank you for your support.

@Fabske

Please accept our humble apology for the delay of the issue fix. Please note that we resolve every logged issue and each issue receives equal attention from us. However, they are resolved on the basis of the support model in which they were reported and logged. In the free support model, the issues are resolved on a first come first serve basis.

Furthermore, the issues involving new feature requests may usually take more time to resolve, as many of the internal components of the API get affected due to that enhancement. The investigation against implementation of this issue has been underway since the release of the 19.4 version of the API and we will surely update here as soon as it is completed. We highly appreciate your patience in this matter. Please spare us a little time.

We are sorry for the inconvenience.

Hello @asad.ali
I just ran into this post investigating the possibility to sign pdf documents.
Is this bug still pending or solved meanwhile?
Thx for feedback!