5

I have a project to generate PDFs on a server using ASP.NET (C#). But now we need the customer to be able to digitally sign these PDFs. From what I saw, the documents must be signed at the client side, using an applet, as in the server I have no access to the private key of the certificate, but as I said above, the PDFs are generated on the server and I keep them there.

So, what I need is to digitally sign PDFs on the server, taking the client's certificate.

Thanks

alexyorke
Hernan
    Your pdf component on server shall be able to support providing pdf hash and then inject back signature container received from browser back to pdf file. On browser side, use Signer.Digital Chrome Extension (Disclosure: freely provided by my company) or any browser extension that can return signature value back to server, where the pdf component will inject back the signature to pdf document. Refer https://stackoverflow.com/a/55676351/9659885 – Bharat Vasant May 24 '19 at 06:52
  • @Hernan we have a similar use case. A user enters data into our application using a browser. After he has entered the data the user must confirm that he is responsible for the entered data and he shall do so by signing it digitally. We could do it by prompting a pdf that the user downloads, signs it on his pc and uploads it again. But how do we ensure / clarify if the user has signed the document? Which way did you take? – surfmuggle Apr 06 '21 at 15:54

4 Answers

3

Since it is not possible or anyway safe to extract and send the client's private key, to sign pdfs on the server you need to establish a "session" with the client and let them calculate the signature.


The steps should be something like:

  1. the client sends his public certificate to be embedded in the signed pdf

  2. the server generates the pdf, embeds the certificate and calculates the hash (eg: sha1)

  3. the server sends the hash to the client applet

  4. the applet calculates the digital signature with her private key

  5. the applet sends the signature to the server

  6. the server embeds the digital signature and closes the pdf.


To do this with itext you will have to use the preclose method after embedding the certificate, so to be able to calculate the sha1 hash on the final document. Then after pre-closing the pdf you will have to calculate the hash of the pdf and send it to the client. Be careful: while preclosed you will have to keep the document in memory, for example in a server session.

To generate the pdf, embed certificates and prepare the document you can use itextsharp, the c# port of the itext library. To calculate the hash and create the pkcs7 envelopes you can use the .net crypto api.

Hope this helps.

surfmuggle
Vespassassina
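The six steps above carried through with iTextSharp 5.5's deferred-signing API (SignExternalContainer / SignDeferred, which wrap PreClose and Close for you), as an added example that is not Vespassassina's code. The field name "sig", the 8 KiB reservation, SHA-256 with RSA, and the askClientToSign callback (the round trip to the client's applet or browser extension) are assumptions; the server verifies the returned signature against the client's own certificate before embedding it.

```csharp
using System;
using System.IO;
using iTextSharp.text;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

public static class DeferredPdfSigning
{
    // Step 2 of the answer: embed the client's certificate (chain[0]) and reserve an empty signature slot.
    public static void PrepareForSigning(string src, string dest, X509Certificate[] chain)
    {
        using (var reader = new PdfReader(src)) using (var os = new FileStream(dest, FileMode.Create))
        {
            PdfSignatureAppearance app = PdfStamper.CreateSignature(reader, os, '\0').SignatureAppearance;
            app.SetVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "sig");
            app.Certificate = chain[0];
            var blank = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
            MakeSignature.SignExternalContainer(app, blank, 8192); // 8 KiB reserved for the CMS container
        }
    }
    // Steps 3 to 6: hash the prepared file, let the client sign, verify, then embed the PKCS#7 container.
    public static void EmbedClientSignature(string prepared, string dest, X509Certificate[] chain,
                                            Func<byte[], byte[]> askClientToSign)
    {
        using (var reader = new PdfReader(prepared)) using (var os = new FileStream(dest, FileMode.Create))
            MakeSignature.SignDeferred(reader, "sig", os, new ClientSignedContainer(chain, askClientToSign));
    }
    private sealed class ClientSignedContainer : IExternalSignatureContainer
    {
        private readonly X509Certificate[] chain;
        private readonly Func<byte[], byte[]> askClientToSign; // assumed round trip to the client (hypothetical)
        public ClientSignedContainer(X509Certificate[] c, Func<byte[], byte[]> f) { chain = c; askClientToSign = f; }
        public byte[] Sign(Stream data)
        {
            byte[] hash = DigestAlgorithms.Digest(data, DigestAlgorithms.SHA256); // digest of the signed byte range
            var sgn = new PdfPKCS7(null, chain, DigestAlgorithms.SHA256, false);
            byte[] toSign = sgn.GetAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS);
            byte[] sig = askClientToSign(toSign); // the client signs toSign with its own private key (SHA256withRSA)
            var verifier = SignerUtilities.GetSigner("SHA-256withRSA"); // do not trust the reply blindly
            verifier.Init(false, chain[0].GetPublicKey());
            verifier.BlockUpdate(toSign, 0, toSign.Length);
            if (!verifier.VerifySignature(sig)) throw new InvalidOperationException("signature does not match client certificate");
            sgn.SetExternalDigest(sig, null, "RSA");
            return sgn.GetEncodedPKCS7(hash, null, null, null, CryptoStandard.CMS);
        }
        public void ModifySigningDictionary(PdfDictionary signDic) { }
    }
}
```

Because SignDeferred re-reads the prepared file and recomputes the byte-range digest, the blank-signed PDF can be stored on disk between the two requests rather than held pre-closed in a session. In a real web application the callback is split across two requests (one returns toSign to the browser, the next receives the signature), which the prepared file's fixed byte range makes possible.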
2

You might be missing the point of digitally signing a document. The act of signing a document is meant to be a user activity.

You can create the document on the server side and serve it with the content-type "application/pdf" and that will serve the document to be signed. When they sign it you can use pdf form submit to submit the signed document back to the server.

maple_shaft
  • Hi, thanks for the reply. Yes, that's what I was reading, but wanted to know if there is no possibility of doing so in the server, it is not feasible to download the PDF on the client. Environment where work is an intranet with Active Directory. Thanks – Hernan Apr 11 '11 at 19:59
  • You can use a tool like http://itextpdf.com/ (Java tool, I think there is a .NET port) to not only create a PDF document programmatically, but apply a certificate and signature field to a PDF document. You will be able to sign the document programmatically as well. There are a number of examples out there with how to do this. A quick google search turned up this (again, Java) http://itextpdf.sourceforge.net/howtosign.html. – maple_shaft Apr 12 '11 at 11:26
  • 1
    With that being said I do strongly urge you to reevaluate your requirements based on the customer need. Digital signatures are meant to be a user activity because they identify the user, confirm the user has read and agreed with a document, and validate the document authenticity. Signatures provided from a user can then be validated against a certificate to verify authenticity. If you programmatically create the document, apply the certificate and sign the document all on the server, then the goals of a digital certificate are defeated. Joe Hacker could create such a phony document as well. – maple_shaft Apr 12 '11 at 11:30
0

AspPdf + USB Network Gate or AnywhereUSB might help if the client uses a USB smart card on their machine.

Nime Cloud
0

you can also use a signing service like (I'm sorry, I just know this one as working) http://www.signagate.de - these guys offer a Web service that enables you to 'upload' an unsigned pdf which will be sent back with a so-called 'intermediate' signature that is conforming to even all signature laws in the EU as a qualified signature (at least for invoices as I know).

The fun is, you just need to be able to do a post call to their service to get the pdf signed back as answer.

So the 'intermediate' thing allows you (from a legal view) to NOT promote the private key etc. around the world but getting a valid signature on your PDF and keeping so the legal needs by a proper authentication to the signature service of this company.

Jimmy

Jimmy Koerting