Discussion:
[itextsharp-questions] Signature with windows certificate
Rick
2006-01-10 07:30:15 UTC
Greetings!

First to say: I am quite new to using iTextSharp, so
perhaps the question is a bit stupid. (Sorry in
advance!)

I am trying to add a digital signature to an existing
PDF document. The input I have is
1) The filename of the PDF File
2) The System.Cryptography.X509Certificate2 to sign
with. (Windows CSP Certificate on a SmartCard in my
case.)

The function should return the signed PDF as byte
array for further handling. The code is quite as it
looks in your sample: (It's VB code though...)

Public Shared Function ComputePDFDigSigFromFile(ByVal FileName As String, ByRef Certificate As X509Certificate2) As Byte()
    Dim PK As AsymmetricAlgorithm
    Dim cert(0) As org.bouncycastle.x509.X509Certificate
    cert(0) = New org.bouncycastle.x509.X509Certificate(Certificate.RawData())
    PK = Certificate.PrivateKey
    Dim PR As New iTextSharp.text.pdf.PdfReader(FileName)
    Dim Buffer As New MemoryStream
    Dim Stp As New iTextSharp.text.pdf.PdfStamper(PR, Buffer)
    Dim SigAp As iTextSharp.text.pdf.PdfSignatureAppearance
    SigAp = Stp.SignatureAppearance
    SigAp.SetCrypto(PK, cert, Nothing, iTextSharp.text.pdf.PdfSignatureAppearance.WINCER_SIGNED)
    SigAp.Reason = "Digital signature"
    SigAp.Location = "Vienna"
    SigAp.SetVisibleSignature(New iTextSharp.text.Rectangle(100, 100, 200, 200), 1, Nothing)
    Stp.Close()
    Return Buffer.ToArray()
End Function

The function runs through properly, no errors, no
exceptions, no problem at all. The only problem: The
PDF generated with this code does not contain a
signature.... (At least Adobe Reader 7.0.5 does not
recognize one.)

I would appreciate any help on this matter.

thanks
Rick
Paulo Soares
2006-01-10 10:51:30 UTC
Have a look at
http://article.gmane.org/gmane.comp.windows.dotnet.itextsharp.general/62
.
Rick
2006-01-10 11:30:28 UTC
Post by Paulo Soares
Have a look at
http://article.gmane.org/gmane.comp.windows.dotnet.itextsharp.general/62
.
Sorry, wrote you a mail first, did not see your answer here.
Actually I did read the article and still can't figure out the problem.
Article 62 always assumes that the certificate is read from a PKCS12Store
object. (And with it having the GetPrivateKey function (or whatever it is
called...)) I can't go that way as I already only have the Certificate object
passed into the function not knowing the store to search in.
The only difference in the code except for that is that I am passing in an
AsymmetricAlgorithm object instead of the bouncycastle-object. Unfortunately
the AsymmetricAlgorithm object is the only thing I could extract from an
X509Certificate2 object.

What exactly is the problem there? Why is the library just doing nothing
without passing any return code, exception or something like that?

Rick
Paulo Soares
2006-01-10 14:20:33 UTC
You should first try a signature the standard way. For example, you must
use PdfStamper.CreateSignature() and you use "new PdfStamper".
Rick
2006-01-11 07:10:33 UTC
Thanks for the correction, I really overlooked that one...

I followed your advice and started using your sample (as in article 62). With
this (and a PFX Keystore) the signing works just fine. I from there started
rebuilding my needs into the code and got stuck again on the same point but
this time with an error message:
Using VB I can pass AsymmetricAlgorithm object into the SetCrypto function
instead of the AsymmetricKeyParameter. I ported my code to C# and here the
compiler throws an error at this point. (Unable to convert object)
This leaves me a step further, but no step nearer to a solution I fear. I took
some hours of trying yesterday, but unfortunately I didn't find any way to
convert the AsymmetricAlgorithm object into an AsymmetricKeyParameter object.
Also though I found a way to convert the M$ X509Certificate2 object into a
BouncyCastle X509Certificate object I can't find a way to get the private key
out of that object. (Seems BouncyCastle doesn't support getting private keys
from X509Certificates...) I also tried creating a dummy PKCS#12 store to go
the long road, but it seems there is just no way to extract the whole
Certificate from the SmartCard and insert it into such a store... (Good thing,
this would be a kind of a security leak...)

So here I am again with the same basic question: How do I sign a PDF with an
X509Certificate?

Rick
Paulo Soares
2006-01-11 08:02:30 UTC
I doubt that you can extract the private key from the smartcard. In general
you provide a hash to the smartcard and get a PKCS#7 or alternatively a
signature and the public key.

Rick
2006-01-11 08:34:38 UTC
Post by Paulo Soares
I doubt that you can extract the private key from the smartcard. In general
you provide an hash to the smartcard and get a PKCS#7 or alternatively a
signature and the public key.
So, are you saying that I just can't sign a PDF with a SmartCard?
Paulo Soares
2006-01-11 14:26:16 UTC
No, read the above. I've no idea of the capabilities of your smartcard
and there's more than one way to generate the signature.

Paulo
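
Added example, not part of the thread and not iTextSharp code: the flow described in the replies above, where the caller hands bytes to the Windows CSP and gets a detached PKCS#7 back while the private key stays in the CSP or on the card, shown with .NET's SignedCms. It assumes .NET Framework on Windows with a reference to System.Security.dll; the subject name is a placeholder, the sample bytes are constructed, and placing the result into a PDF is left to the PDF library.

```csharp
// Added example, not code from the thread. Targets .NET Framework on Windows;
// needs a reference to System.Security.dll for the Pkcs namespace.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CspSigningExample
{
    // Reads the CSP's export policy without touching the key material. For a
    // non-exportable key (typical for smart cards) ExportParameters(true) throws.
    public static bool IsPrivateKeyExportable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        try
        {
            RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
            return rsa != null && rsa.CspKeyContainerInfo.Exportable;
        }
        catch (CryptographicException) { return false; } // key not reachable via CAPI
    }

    // Hands the bytes to the CSP and gets back a detached PKCS#7 (CMS SignedData).
    // The private key stays inside the CSP or card for the whole operation.
    public static byte[] SignDetached(byte[] content, X509Certificate2 cert)
    {
        SignedCms cms = new SignedCms(new ContentInfo(content), true); // true = detached
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        signer.IncludeOption = X509IncludeOption.EndCertOnly;
        cms.ComputeSignature(signer, false); // false = the CSP may prompt for the PIN
        return cms.Encode();
    }

    // Checks the signature value only; certificate chain trust is a separate step.
    public static bool VerifyDetached(byte[] content, byte[] pkcs7)
    {
        SignedCms cms = new SignedCms(new ContentInfo(content), true);
        cms.Decode(pkcs7);
        try { cms.CheckSignature(true); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        const string subject = "EXAMPLE-SUBJECT-NAME"; // placeholder, replace with your own
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
        store.Close();
        if (found.Count == 0) { Console.WriteLine("No certificate found."); return; }

        X509Certificate2 cert = found[0];
        byte[] content = Encoding.ASCII.GetBytes("constructed sample bytes"); // constructed input
        Console.WriteLine("Exportable: " + IsPrivateKeyExportable(cert));
        byte[] pkcs7 = SignDetached(content, cert);
        Console.WriteLine("Valid: " + VerifyDetached(content, pkcs7));
        content[0] ^= 0xFF; // any change to the signed bytes must fail verification
        Console.WriteLine("Valid after change: " + VerifyDetached(content, pkcs7));
    }
}
```
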
Robertico
2007-01-05 13:29:54 UTC
Hello:

I have a personal certificate installed in the My store of Windows. The
private key is exportable.
So I'm trying to sign a PDF file using this X509Certificate2 (not from a
.pfx file or other store).
The Windows program is in C# (.NET 2.0). And next I show the code:

    // iText, Crypto, X509, Math and PkcsParams are using-aliases from the
    // poster's file; their definitions were not included in the post.
    MetaData md = new MetaData();
    md.Author = txtAutor.Text;
    md.Title = txtTitulo.Text;
    md.Subject = txtAsunto.Text;
    md.Keywords = txtPalabras.Text;
    md.Creator = txtCreador.Text;
    md.Producer = txtProductor.Text;

    string nombre = cboCertificado.Text;
    X509Certificate2 cert = CertificateUtils.FindCert(nombre);
    PdfSigner signer = new PdfSigner(_pdf, cert, md);
    byte[] pdf = signer.Sign(txtRazon.Text, txtContacto.Text, txtLugar.Text, chkFirmaVisible.Checked);

    class PdfSigner
    {
        private byte[] _inputPdf = null;
        private X509Certificate2 _cert;
        private MetaData _metadata;

        // Constructor not shown in the original post; reconstructed from the call above.
        public PdfSigner(byte[] inputPdf, X509Certificate2 cert, MetaData metadata)
        {
            _inputPdf = inputPdf;
            _cert = cert;
            _metadata = metadata;
        }

        public byte[] Sign(string sigReason, string sigContact, string sigLocation, bool visible)
        {
            MemoryStream ms = new MemoryStream();
            iText.PdfReader reader = new iText.PdfReader(this._inputPdf);
            iText.PdfStamper st = iText.PdfStamper.CreateSignature(reader, ms, '\0', null, true);
            st.MoreInfo = _metadata.GetMetaData();
            st.XmpMetadata = _metadata.GetStreamedMetaData();
            iText.PdfSignatureAppearance sap = st.SignatureAppearance;
            Crypto.CipherParameters akp = GetAkp(_cert);
            X509.X509Certificate[] chain = GetChain(_cert);
            sap.SetCrypto(akp, chain, null, iText.PdfSignatureAppearance.WINCER_SIGNED);
            sap.Reason = sigReason;
            sap.Contact = sigContact;
            sap.Location = sigLocation;
            if (visible)
            {
                sap.SetVisibleSignature(new iTextSharp.text.Rectangle(100, 100, 250, 150), 1, null);
            }
            byte[] result = ms.ToArray();
            st.Close();
            return result;
        }

        // Copies the RSA private key out of the Windows CSP into a BouncyCastle key object.
        // ExportParameters(true) only succeeds when the key is marked exportable.
        private Crypto.CipherParameters GetAkp(X509Certificate2 cert)
        {
            RSACryptoServiceProvider privateKey = cert.PrivateKey as RSACryptoServiceProvider;
            RSACryptoServiceProvider publicKey = cert.PublicKey.Key as RSACryptoServiceProvider;
            if (privateKey != null)
            {
                RSAParameters privateParameters = privateKey.ExportParameters(true);
                RSAParameters publicParameters = publicKey.ExportParameters(false);
                // RSAParameters fields are unsigned big-endian, so the sign (1) is passed explicitly.
                Math.BigInteger modulus = new Math.BigInteger(1, privateParameters.Modulus);
                // RSAParameters.D is the private exponent; Exponent is the public one.
                Math.BigInteger privateExponent = new Math.BigInteger(1, privateParameters.D);
                Math.BigInteger publicKeyExponent = new Math.BigInteger(1, publicParameters.Exponent);
                Math.BigInteger p = new Math.BigInteger(1, privateParameters.P);
                Math.BigInteger q = new Math.BigInteger(1, privateParameters.Q);
                Math.BigInteger dP = new Math.BigInteger(1, privateParameters.DP);
                Math.BigInteger dQ = new Math.BigInteger(1, privateParameters.DQ);
                Math.BigInteger qInv = new Math.BigInteger(1, privateParameters.InverseQ);
                Crypto.CipherParameters to = new PkcsParams.RSAPrivateCrtKeyParameters(
                    modulus, publicKeyExponent, privateExponent, p, q, dP, dQ, qInv);
                return to;
            }
            else
            {
                return null;
            }
        }

        // Builds a one-element chain holding only the signer's own certificate.
        private X509.X509Certificate[] GetChain(X509Certificate2 cert)
        {
            X509.X509Certificate certAux = new X509.X509Certificate(cert.GetRawCertData());
            return new X509.X509Certificate[] { certAux };
        }
    }

The resulting output stream I get is void, but the call doesn't return any
exception.
Is there anything wrong? In short: Is it possible?
Thanks a lot in advance.

Robertico
Robertico
2007-01-05 13:38:18 UTC
I have found the error:

in Sign method of PdfSigner, I put:

st.Close();
byte[] result = ms.ToArray();

instead of:

byte[] result = ms.ToArray();
st.Close();