EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Evaluation/Presales Questions

Posted: 05/01/2013 14:20:59
by Elliott Ward (Basic support level)
Joined: 05/01/2013
Posts: 4

I know very little about using certificates for signing PDF's and am asking for your understanding with my questions below.

My current project stores and loads fillable PDF files from MSSQL as binary streams, using a third party ASP.NET viewer those files can be selected, displayed and filled out, but not signed.

Some of the PDF files have one or more signiture fields.

Here are my questions:

1) I need to create/use a certificate file for the user to sign a field. I know that your product can create certificates but I have been unable to get the one I have created to work with the PDF signiture field. I keep receiving an invalid chain message. We are using an internal Certificate Authority. Do you have a coding example of how to create a user certificate using an internal CA that can be used for signing?

2) Do you have a product that I can use to sign the PDF signiture fields? As well as an example of its use? As I am currently evaulating products that can do that as well.

Thank you,

Elliott Ward
Posted: 05/01/2013 16:32:24
by Ken Ivanov (Team)


Thank you for contacting us.

1) PDFBlackbox is capable of signing PDF documents with certificates, wherever they are stored (in files, system stores, hardware security modules, memory streams etc.). The chain validation problem you are coming across apparently has nothing to do with the certificate file itself; instead, it is likely to be specific to the validation process carried out by certain components involved in the signing operation (e.g. a HTTPS client used to access a TSA service or a PAdES signer). What we suggest you to do is to take the TinySigner sample (included to the evaluation distribution) and check whether it does succeed with signing. The sample accepts file-based certificates in PFX format. The outcome from this check will let us narrow down the issue and advise you on the next steps to take.

2) With PDFBlackbox you can either create brand new signatures or sign existing signature fields. The only thing in code that should be altered to place the signature into an existing field is the parameter passed to the TElPDFDocument.AddSignature() method, that is, you use the following syntax to add a brand new signature:

int sigIdx = document.AddSignature();

...and the following syntax to put a signature into an existing field:

int sigIdx = document.AddSignature(0); // the signature will be placed into field #0.
Posted: 05/02/2013 08:16:00
by Elliott Ward (Basic support level)
Joined: 05/01/2013
Posts: 4

Thank you for your reply.

I was able to use the pfx file that I had created to sign a new field in the PDF. However, the certificate from the file was not in the users local system store so the signiture cannot be validated. (I am assuming this to be true based on the message in the signiture field of the PDF)

Can I place the certificate in the user local store using your product, or do you have another suggestion?
Posted: 05/02/2013 08:21:16
by Vsevolod Ievgiienko (Team)


You can use our TElWinCertStorage class to place the certificate into the user's local store.
Posted: 05/02/2013 08:27:06
by Eugene Mayevski (Team)

Elliott Ward wrote:
I was able to use the pfx file that I had created to sign a new field in the PDF. However, the certificate from the file was not in the users local system store so the signiture cannot be validated.

PKI works in a different way. Normally you obtain the certificate for signing from one of trusted certificate authorities. Then the validator can trace the certificate chain up to trusted root and thus validate any unknown certificate issued by legitimate CA.

How PKI works is way too broad topic to be discussed in the single forum post. We have a separate topic with references to two good books about PKI: https://www.eldos.com/forum/read.php?FID=7&TID=1842 . This is a must read if you want to work with security.

Sincerely yours
Eugene Mayevski
Posted: 05/02/2013 08:30:15
by Ken Ivanov (Team)


Although you actually can use SecureBlackbox to put the certificate into a local system store, it is important to understand what exactly you are going to do.

First, Windows maintains several system stores for different types of certificates. Normally, end-user certificates are not imported to the store. Instead, the upper CA certificates are; to be exact, the root CA certificate is put to the Trusted Root Certification Authorities store, and all the intermediate CA certificates (if any) are put to the Intermediate CAs store. This will make all end-user certificates issued by that CA chain implicitly trusted.

Next, Adobe supports two certificate validation schemes:

1) Internal. In this case the trusted certificates should be added to the internal Acrobat certificate store.

2) Windows-based. In this case Acrobat will look for the trusted certificates in the system stores.

This way, if your document was generated to use the internal Adobe validation scheme, adding the certificates to the system stores makes little sense.

The validation scheme can be configured via the CustomName property of the security handler. Set it to 'Adobe.PPKLite' to force Acrobat use internal validation scheme, or to 'Adobe.PPKMS' to make it use certificates residing in Windows system stores.
Posted: 05/02/2013 11:51:14
by Elliott Ward (Basic support level)
Joined: 05/01/2013
Posts: 4

Here is my first attempt at it. It does not throw an exception but the signiture field appears blank and acrobat reports trouble validating the signiture.

''' <summary>
''' Insert a digital signiture onto the signFieldName from a generated pfx file
''' </summary>
''' <param name="logicalFileName">The real name of the file. Example: Officer Memo.doc</param>
''' <param name="fileStream">The PDF file as a filestream of bytes</param>
''' <param name="signFieldName">The name of the signiture field</param>
''' <returns></returns>
''' <remarks></remarks>

Public Function SignAField(logicalFileName As String, fileStream As Byte(), signFieldName As String) As Byte()
   Dim certFullFileName As String = String.Empty
   Dim physicalFileName As String = String.Empty
   Dim PublicKeyHandler As New TElPDFPublicKeySecurityHandler
   Dim CertStorage As New TElMemoryCertStorage
   Dim SystemStore As New TElWinCertStorage
   Dim Cert As New TElX509Certificate
   Dim myUser As New clsUserID
   Dim CertFormat As Integer = 0
   Dim CertSearch As New TElCertificateLookup
   Dim Document As New SBPDF.TElPDFDocument
   Dim index As Integer = 0
   Dim signFieldIndex As Integer = -1
   Dim Sig As TElPDFSignature


     certFullFileName = String.Format("{0}\{1}.pfx", PDFPath, myUser.UsersID)

     Using CertF As New IO.FileStream(certFullFileName, FileMode.Open)
        CertFormat = TElX509Certificate.DetectCertFileFormat(CertF)
        CertF.Position = 0
        Select Case (CertFormat)
           Case SBX509.Unit.cfDER
                Cert.LoadFromStream(CertF, 0)
           Case SBX509.Unit.cfPEM
                Cert.LoadFromStreamPEM(CertF, myUser.EmailAddress, 0)
           Case SBX509.Unit.cfPFX
                Cert.LoadFromStreamPFX(CertF, myUser.EmailAddress, 0)
        End Select
     End Using
   Catch ex As Exception
   End Try

      physicalFileName = WriteOutPdfStream(fileStream)
      If Not IO.File.Exists(physicalFileName) Then Throw New Exception(String.Format("File {0} not found.", physicalFileName))
      Using fs As New IO.FileStream(physicalFileName, FileMode.Open, FileAccess.ReadWrite)
         For i = 0 To Document.EmptySignatureFieldCount
            Dim thisField As TElPDFSignatureInfo = Document.EmptySignatureFields(i)
            If thisField.FieldName.Trim.ToLower = signFieldName.Trim.ToLower Then
               signFieldIndex = i
               Exit For
            End If

         index = Document.AddSignature(signFieldIndex)
         Sig = Document.Signatures(index)
         Sig.Handler = PublicKeyHandler
         Sig.AuthorName = myUser.CommonName
         Sig.SigningTime = DateTime.Now.ToUniversalTime()
         Sig.Reason = "Approval"
         Sig.Invisible = False
         'Sig.SignatureType = SBPDF.Unit.stMDP

         CertStorage.Add(Cert, True)
         PublicKeyHandler.CertStorage = CertStorage
         PublicKeyHandler.SignatureType = TSBPDFPublicKeySignatureType.pstPKCS7SHA1
         PublicKeyHandler.CustomName = "Adobe.PPKMS"
      End Using
   Catch ex As Exception
   End Try
End Function

Any suggestions?
Posted: 05/02/2013 13:18:44
by Ken Ivanov (Team)


Your code is generally correct. There is a minor mistake in the empty signature fields enumeration loop (the upper bound of the enumeration should be EmptySignatureFieldCount - 1):
For i = 0 To Document.EmptySignatureFieldCount - 1

Empty signature fields often declare how the signature widget should be displayed to user. By default, PDFBlackbox sticks to that declarations and doesn't override them. To override the default appearance with your own widget settings, please set the TElPDFSignature.WidgetProps.IgnoreExistingAppearance property to true.

Regarding the validation, what exactly error does Acrobat report about your signature?
Posted: 05/02/2013 13:32:52
by Elliott Ward (Basic support level)
Joined: 05/01/2013
Posts: 4

I have included a screen shot of the message.

Posted: 05/02/2013 13:42:59
by Eugene Mayevski (Team)

This sounds like a malformed PDF, whose issues become detected by Acrobat when the signature is validated (signature calculation and validation includes recomposition of PDF and then issues show themselves). I'll move your question to the helpdesk.

Sincerely yours
Eugene Mayevski



Topic viewed 3844 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!