Spire.PDF external digital signature using SCS device

[sampokivi]

Hello, we are evaluating Spire.PDF C# software and would like to know if this library supports external digital signatures.

The current procedure is following.

1. The document to be signed is sent to application hosting Spire.PDF library.
2. Spire.PDF should create digital signatures block to the PDF if it did not exist.
3. Spire.PDF should reserve space for the digital signature ~20kb per signature.
4. Then the pdf document bytes to be signed are returned to the client ( block1 and block2 ).
[ PDF
- block1
<reserved block for digital signature>
- block2
]
5. Client will connect to local SCS device which creates digital signature and sends signature bytes back to the application hosting Spire.PDF library
6. Spire.PDF modifies one of the reserved block with the bytes coming from the client.


I started implementing it following way, but the spire.pdf throws exception:

Code: Select all

System.Exception
  HResult=0x80131500
  Message=string parameter Filter required.
  Source=Spire.Pdf
  StackTrace:
   at spr颺.솶()

Code: Select all

        public void Sign(byte[] pdf_bytes)
        {
            PdfDocument doc = new PdfDocument();
            doc.LoadFromBytes(pdf_bytes);

            // Create a new instance of the CustomPKCS7SignatureFormatter
            CustomPKCS7SignatureFormatter customPKCS7SignatureFormatter = new CustomPKCS7SignatureFormatter();

            // Create a new instance of the PdfSignature
            PdfSignature signature = new PdfSignature(doc, doc.Pages[0], customPKCS7SignatureFormatter, "signature0");

            doc.SaveToFile("test.pdf", FileFormat.PDF);
            doc.Close();
        }

        class CustomPKCS7SignatureFormatter : IPdfSignatureFormatter
        {

            public Dictionary<string, object> Parameters => new(StringComparer.Ordinal);

            ///
            /// If encapsulate is true, a copy of the message will be included in the signature.
            ///
            private bool m_encapsulate = true;


            ///
            /// Construct a new instance.
            ///
            /// The signing certificate.
            ///
            /// If encapsulate is true, a copy of the message will be included in the signature.
            ///
            public CustomPKCS7SignatureFormatter()
            {
                Parameters.Add("Filter", "Adobe.PPKLite");
                Parameters.Add("SubFilter", "adbe.pkcs7.detached");
            }

            ///
            /// Sign.
            ///
            /// The data that contains signature content.
            /// The signature
            public byte[] Sign(byte[] content)
            {
                // Code never comes here?
                return content;
            }
        }
    }


This digital signature flow is different to traditional flow in a way that we do not have access to the client certificate private key, but the device uses the certificate internally to create the signature.

[Amin.Gan]

Hello,

Thanks for your inquiry. Our product(Spire.PDF) supports external signatures, and the reason for the exception in your code is that there are no certificate parameter passed in the CustomPKCS7SignatureFormatter class. I have attached CustomPKCS7SignatureFormatterWithAPI class and usage example for your reference. You can try running it, please feel free to give feedback if there are any further issues.

Code: Select all

 X509Store store = new X509Store(StoreLocation.CurrentUser);
 store.Open(OpenFlags.ReadOnly);
 X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindByThumbprint, "1ca787facba823ccc22099f4dec2120446bbd5b2", false);
 X509Certificate2 cert = new X509Certificate2(certs[0]);
 CustomPKCS7SignatureFormatterWithAPI customPKCS7SignatureFormatter = new Class1.CustomPKCS7SignatureFormatterWithAPI(cert);
 // Create a new instance of the PdfSignature
 PdfSignature signature = new PdfSignature(doc, doc.Pages[0], customPKCS7SignatureFormatter, "signature0");

Sincerely,
Amin
E-iceblue support team

[sampokivi]

Hey,

We do not have certificate available for the signature. This digital signature will be created by the external SCS device ( ID card reader ) by sending the bytes to be signed to the device it will then return the signature bytes.

Does Spire.PDF support this type of flow?

[sampokivi]

What we need is incremental saving of PDF document where signatures would be created one after one without certificate.
The process go could something like this:

Tell a size to the Spire.PDF how much space we are going to reserve for the digital signature (i.e. 20kb)
Have a way to read the bytes to be signed from the PDF document without providing certificate.
Then these bytes are sent to SCS device and the device will return the actual raw signature bytes.
Signature bytes are then written back to the reserved signature slot in the PDF.
Save and repeat.
This requires incremental PDF support to not corrupt the previous signature.

[Amin.Gan]

Hello,

Thanks for your inquiry. You can use the PdfCertificate class to receive the corresponding signature bytes, and refer to the following code for signing. If there are any further issues, please provide us with more detailed information to help you solve the problem (such as error screenshots, information contained in signature bytes).

Code: Select all

PdfCertificate cert = new PdfCertificate(signature bytes);
CustomPKCS7SignatureFormatterWithAPI customPKCS7SignatureFormatter = new Class1.CustomPKCS7SignatureFormatterWithAPI(cert);

Additionally, about the size space, at present our product does not have this method, we supports adding signatures on existing signature fields.

Sincerely,
Amin
E-iceblue support team