
iSafePDF: The Open Source PDF Signature Tool

3 Jun 2010 | GPL3 | 5 min read
iSafePDF is an Open Source software to sign, timestamp, and encrypt PDF documents.

iSafePDF.png

Introduction

Four years ago, I wrote an article about signing a PDF document using the iTextSharp library. I was surprised by the number of comments and emails I received about it.

Many people asked me for new features and ideas. I didn't have enough time to answer them all, for two reasons:

  1. I did not have enough spare time to implement the new features.
  2. I was not able to implement some features they asked for because of the lack of iTextSharp documentation, and some bugs/gaps in older versions.

Now iTextSharp v5.x is out and comes with many new features. This article will only cover the digital signature, encryption, and meta-data manipulation parts. iTextSharp is more than this; it allows you to create and manipulate PDF without using any proprietary library!

I developed iSafePDF for my own needs and tried to implement features that many people asked for: loading certificates from a local user store, time-stamped signature, and PDF encryption (only password encryption is supported right now).

Getting started

You can read my first article about digital signatures, "E-signing PDF documents with iTextSharp". It describes older, simpler code (the base code of iSafePDF), which is easier to understand.

What you have to know is that the PDF digital signature and encryption provided by the iTextSharp library are all PDF standards. This means that any PDF viewer will be able to read an encrypted document (if you provide the encryption password) and check the signature without the need to install a third-party plugin.

Using the binary

This article comes with the iSafePDF binary. No setup is needed: all you have to do is uncompress the zip file, put the exe somewhere on your disk, and run it.

The document tab

isafepdf-main.jpg

In this tab, you have to choose at least:

  1. The source file: this is the document you want to sign, the document itself will not be modified.
  2. The target file: this document will be a copy of the source document to which the signature and encryption will be applied.

If you want, you can modify the document meta-data.

The signature tab

isafepdf-signature.jpg

This tab allows you to control the digital signature. If you have locally installed certificates you will see them in the Certificates list. You also have the choice to sign your document using a pfx file if certificates are exported to pfx format (see my first article for more information).

The PDF signature standard allows you to add three fields to the digital signature: the reason, the contact, and the location. They are visible when you view the digital signature information.

If you want, you can make the signature visible in the document; in this case, it will be put on the first page in the lower left corner (in the next release, I'll add more options to configure visible signatures: position, custom image ...etc).

The PDF standard allows you to use a time stamp authority (TSA); using this feature will make your document signature valid even if the digital signature certificate expires, as the TSA will prove that the certificate was valid when the document was signed.

Notes

Encryption tab

isafepdf-encryption.jpg

Here, you can choose whether or not to activate document encryption; if encryption is active, you need to enter two passwords. The user password allows you to open and read the document, plus do what the encryption permissions allow you to do. The owner password allows you to modify encryption options using iSafePDF or another PDF manipulation program. It also allows you to open and read the document.

The source code

You can get the latest source code version from the iSafePDF official site: http://isafepdf.eurekaa.org/.

The most important method in the code is the Sign method. Please refer to my first article ("E-signing PDF documents with iTextSharp") to read the description of a simpler Sign method version (without encryption and timestamp).

The old Sign method used the WINCER_SIGNED signature type. This method is easier to implement because iTextSharp does all the signature work, but this option doesn't allow TSA support. To support TSA, we need to use the SELF_SIGNED signature type. Using this option gives us more control over the signature process, but then we need to calculate the signature digest ourselves. Below is a piece of code from the new Sign() method implementing the self-signed document signature type:

C#
// Here we choose the self-signed type.
sap.SetCrypto(null, this.myCert.Chain, null, PdfSignatureAppearance.SELF_SIGNED);

...

// We will sign the document using a detached PKCS#7 signature
// (generated from the pfx certificate).
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE,
                       new PdfName("adbe.pkcs7.detached"));

...

// Below we calculate the SHA1 digest - this code
// is taken from iTextSharp tutorials.
PdfPKCS7 sgn = new PdfPKCS7(this.myCert.Akp,
               this.myCert.Chain, null, "SHA1", false);
IDigest messageDigest = DigestUtilities.GetDigest("SHA1");
// RangeStream yields the document bytes that the signature covers.
Stream data = sap.RangeStream;
byte[] buf = new byte[8192];
int n;
while ((n = data.Read(buf, 0, buf.Length)) > 0)
{
    messageDigest.BlockUpdate(buf, 0, n);
}
byte[] hash = new byte[messageDigest.GetDigestSize()];
messageDigest.DoFinal(hash, 0);

DateTime cal = DateTime.Now;
byte[] ocsp = null;
// If the chain contains the issuer certificate and the signing certificate
// names an OCSP responder, fetch an OCSP response to embed in the signature.
if (this.myCert.Chain.Length >= 2)
{
    String url = PdfPKCS7.GetOCSPURL(this.myCert.Chain[0]);
    if (url != null && url.Length > 0)
        ocsp = new OcspClientBouncyCastle(this.myCert.Chain[0],
                   this.myCert.Chain[1], url).GetEncoded();
}
// Build the authenticated attributes (digest, signing time, OCSP response)
// and feed them to the signer.
byte[] sh = sgn.GetAuthenticatedAttributeBytes(hash, cal, ocsp);

sgn.Update(sh, 0, sh.Length);
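The digest loop above hashes sap.RangeStream, the bytes of the document outside the signature's /Contents placeholder, which the signature dictionary records as /ByteRange. As an added example (not part of iSafePDF or iTextSharp), the check below recomputes that digest from a finished file using only .NET classes and rejects a file whose ByteRange leaves bytes unsigned; the ByteRangeCheck class, the one-signature-per-file assumption and the sample bytes are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class ByteRangeCheck   // hypothetical helper, not iSafePDF code
{
    // Latin-1 maps one byte to one char, so string offsets equal byte offsets.
    static readonly Encoding Latin1 = Encoding.GetEncoding("ISO-8859-1");

    // Assumes one signature per file. Returns SHA-1 over the signed ranges.
    public static byte[] DigestSignedRanges(byte[] pdf)
    {
        Match m = Regex.Match(Latin1.GetString(pdf),
            @"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]");
        if (!m.Success) throw new InvalidOperationException("no /ByteRange found");
        long[] r = new long[4];
        for (int i = 0; i < 4; i++) r[i] = long.Parse(m.Groups[i + 1].Value);

        // Signed ranges must start at 0, end at EOF, and leave exactly one gap.
        long gapStart = r[0] + r[1], gapEnd = r[2];
        if (r[0] != 0 || gapEnd <= gapStart || gapEnd + r[3] != pdf.Length)
            throw new InvalidOperationException("ByteRange does not cover the whole file");
        // The gap must be the <hex> string that holds the PKCS#7 blob.
        if (pdf[gapStart] != (byte)'<' || pdf[gapEnd - 1] != (byte)'>')
            throw new InvalidOperationException("gap is not the /Contents hex string");

        using (SHA1 sha = SHA1.Create())   // SHA-1 to match the article's code
        {
            sha.TransformBlock(pdf, 0, (int)r[1], null, 0);
            sha.TransformFinalBlock(pdf, (int)r[2], (int)r[3]);
            return sha.Hash;
        }
    }

    static void Main()
    {
        // Constructed sample bytes (not a real PDF): head + <hex> + tail.
        string contents = "<" + new string('0', 16) + ">", tail = "\n>>\n%%EOF\n";
        string fmt = "%PDF-1.4\n<< /Type /Sig /ByteRange [0 {0,-4} {1,-4} {2,-4}] /Contents ";
        int a = string.Format(fmt, 0, 0, 0).Length;   // fields are padded to 4 chars
        string doc = string.Format(fmt, a, a + contents.Length, tail.Length) + contents + tail;
        Console.WriteLine(BitConverter.ToString(DigestSignedRanges(Latin1.GetBytes(doc))));

        // Bytes appended after signing are outside the ByteRange: rejected.
        try { DigestSignedRanges(Latin1.GetBytes(doc + "1 0 obj\nendobj\n")); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

This covers only the byte-range step; a full verifier would go on to compare the digest with the messageDigest attribute inside the PKCS#7 blob and validate the certificate chain.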

The piece of code to add TSA is:

C#
byte[] encodedSigTsa = sgn.GetEncodedPKCS7(hash, cal, this.myCert.Tsc, ocsp);
System.Array.Copy(encodedSigTsa, 0, paddedSig, 0, encodedSigTsa.Length);

// this.myCert.Tsc is of type TSAClientBouncyCastle and is built from a TSA URL,
// TSA login and TSA password. See Cert.cs for detailed information.

To support PDF encryption, I added a new class called PDFEncryption (see PDFEncryption.cs).

The permissionType enum lists all the PDF permissions that can be granted on an encrypted document:

C#
public enum permissionType
{
    Assembly = PdfWriter.ALLOW_ASSEMBLY,
    Copy = PdfWriter.ALLOW_COPY,
    DegradedPrinting = PdfWriter.ALLOW_DEGRADED_PRINTING,
    FillIn = PdfWriter.ALLOW_FILL_IN,
    ModifyAnnotation = PdfWriter.ALLOW_MODIFY_ANNOTATIONS,
    ModifyContent = PdfWriter.ALLOW_MODIFY_CONTENTS,
    Printing = PdfWriter.ALLOW_PRINTING,
    ScreenReaders = PdfWriter.ALLOW_SCREENREADERS
};

The encryption method using a permission list is quite simple with iTextSharp (we use the PdfStamper).

C#
public List<permissionType> Permissions = new List<permissionType>();

...

public void Encrypt(PdfStamper stamper)
{
   // Combine the selected permissions into one bit mask;
   // an empty list leaves the mask at 0 (no permission granted).
   int permission = 0;
   foreach (permissionType p in this.Permissions)
   {
       permission |= (int)p;
   }
   stamper.SetEncryption(this.Encryption, this.UserPwd, this.OwnerPwd, permission);
}

The future of iSafePDF

I'm planning to make iSafePDF as complete as possible with new features related to PDF security and encryption. The next release will add more configuration options for the visible signature: choosing a custom signature position, and using a custom image (a scanned signature, for example).

I'll also add a console version, and an API to make batch processing easier, in a future release.

To get the latest binaries/source code of iSafePDF, please visit the official website: http://isafepdf.eurekaa.org/.

License

This article, along with any associated source code and files, is licensed under The GNU General Public License (GPLv3)


Written By
Technical Lead
France

Comments and Discussions

 
Question: This is a wonderful software mate.
kasunx.kelaniya 19-Aug-20 3:57
Question: Where can I Download source code
Member 1432494622-Apr-19 23:37
Question: Error in debugging mode
Member 117350811-Jun-15 23:00
Question: ITSAClient Error
Selin köykıran 27-Oct-14 4:46
Answer: Re: ITSAClient Error
Selin köykıran 27-Oct-14 5:39
Question: Revision label and Add picture as signature
Rui Frazao 26-Feb-14 0:19
Question: The type or namespace name 'TSAClientBouncyCastle' could not be found
Rui Frazao 20-Feb-14 0:59
Question: Sign PDF file using signature data (SHA-1 algorithm) from etoken (PKCS11)
cristi_gheorghe 15-May-13 3:09
Question: Licence for commercial product (close source)
majco3339-Mar-13 22:28
Answer: Re: Licence for commercial product (close source)
Alaa-eddine KADDOURI 10-Mar-13 1:58
General: Re: Licence for commercial product (close source)
Alaa-eddine KADDOURI 10-Mar-13 2:06
General: Re: Licence for commercial product (close source)
majco33310-Mar-13 5:29
Question: What type of Encryption is Used?
sp08179-Nov-12 22:09
General: My vote of 5
Kuthuparakkal 15-Oct-12 17:12
Question: Which certificate to use?
oscargs 22-May-12 4:57
Answer: Re: Which certificate to use?
Alaa-eddine KADDOURI 22-May-12 22:06
General: Re: Which certificate to use?
oscargs 24-May-12 3:16
By "standard SSL certificate" I mean, a Thawte or Digicert or Verisign server certificate which I bought to enable sites in my domain to be recognized as secure.
My question is, which kind of certificate should I buy? These companies do not advertise any of their certificates as "document signing certificates" and their sales support only seem to know about web server and code signing certificates.
Question: does not work with smart card
Tirad 26-Feb-12 22:35
Answer: Re: does not work with smart card
Alaa-eddine KADDOURI 26-Feb-12 23:09
Question: It does not work with window certificate store !
truongnguyen16103-Jan-12 19:54
Answer: Re: It does not work with window certificate store !
Alaa-eddine KADDOURI 3-Jan-12 21:31
General: Re: It does not work with window certificate store !
truongnguyen16104-Jan-12 1:48
General: Re: It does not work with window certificate store !
Alaa-eddine KADDOURI 26-Feb-12 23:11
General: Re: It does not work with window certificate store !
truongnguyen16101-Mar-12 4:23
Bug: Error: iSafePDF v1.3.0 Source Code and iSafePDF v1.3.0 binary
truongnguyen16102-Jan-12 5:42
