Can't sign with SHA256... only SHA1
I'm trying to sign a PDF file with SHA256, but the signature is created with SHA1. What's wrong with this code?
X509Certificate2 digitalID = x509; // previously assigned from Windows store...
PdfLoadedDocument document = new PdfLoadedDocument(pdfFileName); // previously assigned with opendialog
PdfCertificate certificate = new PdfCertificate(digitalID);
PdfSignature signature = new PdfSignature(document, document.Pages[0], certificate, "DigitalSignature");
signature.Settings.CryptographicStandard = CryptographicStandard.CADES;
signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA256;
document.Save(pdfFileName + " - signed.pdf");
document.Close(true);
Attached you can find the two files (before and after signing).
Thanks!
Regards,
Antonio
Attachment: only_sha1_b6bd103d.zip
14 Replies
1 reply marked as answer
SL
Sowmiya Loganathan
Syncfusion Team
June 4, 2020 02:35 PM UTC
Hi Antonio,
Thank you for contacting Syncfusion support.
We have tried to sign the given PDF document using SHA256, and the resultant PDF document is signed with SHA256 only. Please refer to the sample below for your reference:
Sample: https://www.syncfusion.com/downloads/support/forum/154897/ze/DigitalSignatureSample1390705592
Output document: https://www.syncfusion.com/downloads/support/forum/154897/pd/Output339538807
Could you please try the above sample on your end and let us know the result.
Regards,
Sowmiya Loganathan
Marked as answer
AB
Antonio Begines Cerrada
June 4, 2020 05:49 PM UTC
Hi Sowmiya!
Attachment: sha1_(syncfusion)_and_sha256_(adobe)_de8ed63f.zip
Thanks for your answer. Your sample works well with the PFX certificate included.
But my use case is that the user can select a certificate from the Windows store. The two main types of certificates will be:
- FNMT issued (Spanish government ID, very important in Spain)
- Windows CA (our network domain)
Attached you have the two samples, with two signatures made with the same certificate for each file (one with Syncfusion and one with Adobe).
As you can see in the attached zip (file "signed with windows-store-FNMT-cert with syncfusion and adobe (sha1 and sha256).PDF")...
the signature made with Syncfusion using the FNMT certificate (very important for us) is created with SHA1, but the same signature made with Adobe is created with SHA256.
With other certificates (your PFX, the Windows CA certificate, etc.) all seems OK.
Regards,
abc
AB
Antonio Begines Cerrada
June 4, 2020 06:08 PM UTC
I think this is not the source of the problem, but for your information, this is the code used. It is very similar to yours, but selects the certificate from the Windows store...
private void Button1_Click(object sender, EventArgs e)
{
//Load PDF document
PdfLoadedDocument loadedDocument = new PdfLoadedDocument("../../Data/caratula.pdf");
//Load PDF page
PdfLoadedPage page = loadedDocument.Pages[0] as PdfLoadedPage;
//Creates a certificate instance (with private key) from a certificate the user selects in the Windows store
PdfCertificate pdfCert =
new PdfCertificate(selectCert("My", StoreLocation.CurrentUser, "Elige un certificado", "please..."));
//Creates a digital signature
PdfSignature signature = new PdfSignature(loadedDocument, page, pdfCert, "Signature");
//Sets signature settings to customize digest algorithm specified
PdfSignatureSettings settings = signature.Settings;
settings.CryptographicStandard = CryptographicStandard.CADES;
settings.DigestAlgorithm = DigestAlgorithm.SHA256;
//Sets an image for signature field
PdfBitmap signatureImage = new PdfBitmap(@"../../Data/logo.png");
//Sets signature information
signature.Bounds = new RectangleF(new PointF(0, 0), signatureImage.PhysicalDimension);
signature.ContactInfo = "[email protected]";
signature.LocationInfo = "Honolulu, Hawaii";
signature.Reason = "I am author of this document.";
//Draws the signature image
page.Graphics.DrawImage(signatureImage, 0, 0);
//Saves and closes the document
loadedDocument.Save("Output.pdf");
loadedDocument.Close(true);
Process.Start("Output.pdf");
}
static private X509Certificate2 selectCert(/*StoreName */string store, StoreLocation location, string windowTitle, string windowMsg)
{
X509Certificate2 certSelected = null;
X509Store x509Store = new X509Store(store, location);
x509Store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = x509Store.Certificates;
X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(col, windowTitle, windowMsg, X509SelectionFlag.SingleSelection);
if (sel.Count > 0)
{
X509Certificate2Enumerator en = sel.GetEnumerator();
en.MoveNext();
certSelected = en.Current;
}
x509Store.Close();
return certSelected;
}
SL
Sowmiya Loganathan
Syncfusion Team
June 5, 2020 12:34 PM UTC
Hi Antonio,
We have analyzed the mentioned issue and suspect that this is a certificate-specific issue. Could you please share the certificate file with us for further analysis, so we can provide a better solution to this? Or else we can set up a web meeting to look into providing the solution on your machine itself. We will make every effort to have this scheduled on a date and time of your convenience.
Note: We work in IST hours.
Regards,
Sowmiya Loganathan
AB
Antonio Begines Cerrada
June 5, 2020 02:59 PM UTC
Hi Sowmiya,
Attachment: certificado_prueba_3f74c7b5.zip
Thank you very much for your attention.
Attached you can find a "test certificate" issued by the Spanish FNMT.
I imported it into my Windows certificate store and signed the document with Syncfusion and Adobe.
It ends up with an SHA1 (Syncfusion) and an SHA256 (Adobe) signature.
The password for the certificate is G5cp,fYC9gje
Regards,
abc
AP
Anand Panchamoorthi
Syncfusion Team
June 8, 2020 04:34 PM UTC
Hi Antonio,
Thank you for your update.
As per the external signing behavior, we can sign the PDF document with SHA256 digest algorithm only for X509Certificate created as exportable. Otherwise, external signing only supports SHA1 digest algorithm in PDF signing.
Please try the code snippet below to create the X509Certificate as exportable, and let us know whether the provided solution meets your requirement.
//Load PFX in X509Certificate2 as exportable (X509Certificate2 takes the raw bytes or a file path, not a Stream)
byte[] pfxBytes = File.ReadAllBytes("PDF.pfx");
X509Certificate2 x509Certificate = new X509Certificate2(pfxBytes, "syncfusion", X509KeyStorageFlags.Exportable);
RSACryptoServiceProvider rsa = (RSACryptoServiceProvider) x509Certificate.PrivateKey;
With Regards,
Anand P
AB
Antonio Begines Cerrada
June 8, 2020 06:44 PM UTC
Hi Anand,
Sad to hear that.
My use case is to allow the user to select the certificate from the Windows Certificate Store, not from a PFX file (you can see the code used in this thread).
Other utilities or libraries allow me to sign PDFs with these certificates (as you can see, for example, with Adobe) and cipher with SHA256, so I don't understand why Syncfusion doesn't.
Can you help me deal with this situation? Thanks!
Regards,
Antonio
SL
Sowmiya Loganathan
Syncfusion Team
June 9, 2020 01:59 PM UTC
Hi Antonio,
Currently we are validating to achieve your requirement and will update the further details on June 11th, 2020.
Regards,
Sowmiya Loganathan
SL
Sowmiya Loganathan
Syncfusion Team
June 11, 2020 03:01 PM UTC
Hi Antonio,
We are able to Digitally sign a PDF document using Windows certificate store.
Please find below the code to sign a PDF using the Windows certificate store:
static void Main(string[] args)
{
//Load existing PDF document.
PdfLoadedDocument document = new PdfLoadedDocument(@"Sample.pdf");
//Initialize the Windows store.
X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
//Find the certificate using thumb print.
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, "0F59645E853309589EAE9965D2E603D70B46D707", true);
X509Certificate2 digitalID = fcollection[0];
//Load X509Certificate2.
PdfCertificate certificate = new PdfCertificate(digitalID);
//Create a revision 2 signature with loaded digital ID.
PdfSignature signature = new PdfSignature(document, document.Pages[0], certificate, "DigitalSignature");
//Changing the digital signature standard and hashing algorithm.
signature.Settings.CryptographicStandard = CryptographicStandard.CADES;
if (IsExportable(digitalID))
{
signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA512;
}
else
{
signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA1;
}
//Save the PDF document.
document.Save("WindowsStore.pdf");
//Close the document.
document.Close(true);
}
private static bool IsExportable(X509Certificate2 certificate)
{
try
{
return (certificate.PrivateKey as RSACryptoServiceProvider).CspKeyContainerInfo.Exportable;
}
catch
{
return false;
}
}
Please refer to the link below for more details.
Note: As we said earlier, for the external signing behaviour, we can sign the PDF document with SHA256 digest algorithm only for X509Certificate created as exportable. Otherwise, external signing only supports SHA1 digest algorithm in PDF signing.
Regards,
Sowmiya Loganathan
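The note above and the June 8 reply both tie SHA256 to the key being exportable, and the sample's IsExportable only understands legacy CryptoAPI (CSP) keys: for a key held by a CNG key storage provider the cast to RSACryptoServiceProvider yields null (or the PrivateKey getter throws), so the check always answers "not exportable". The check below is an added example, not Syncfusion's code, that reads the export policy of both provider types; the class and method names are hypothetical and it assumes .NET Framework 4.6 or later, or .NET Core, on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class KeyExportCheck
{
    // Reports whether the private key behind a store certificate is marked exportable,
    // whether it lives in a CryptoAPI (CSP) container or a CNG key storage provider.
    public static bool IsExportable(X509Certificate2 certificate)
    {
        if (certificate == null || !certificate.HasPrivateKey)
            return false;
        try
        {
            // GetRSAPrivateKey hands back the provider-specific RSA object; nothing is exported.
            using (RSA rsa = certificate.GetRSAPrivateKey())
            {
                if (rsa is RSACryptoServiceProvider csp)
                    return csp.CspKeyContainerInfo.Exportable;
                if (rsa is RSACng cng)
                    return cng.Key.ExportPolicy.HasFlag(CngExportPolicies.AllowExport);
            }
        }
        catch (CryptographicException)
        {
            // The key is referenced but cannot be opened (e.g. a smart card that is not inserted).
        }
        return false;
    }

    // Names the provider behind the key so a support log can explain the answer above.
    public static string DescribeKey(X509Certificate2 certificate)
    {
        if (certificate == null || !certificate.HasPrivateKey)
            return "no private key";
        using (RSA rsa = certificate.GetRSAPrivateKey())
        {
            if (rsa is RSACryptoServiceProvider csp)
                return "CSP key container '" + csp.CspKeyContainerInfo.KeyContainerName + "'";
            if (rsa is RSACng cng)
                return "CNG key '" + cng.Key.KeyName + "' in provider " + cng.Key.Provider.Provider;
            return "non-RSA or unknown provider";
        }
    }
}
```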
AB
Antonio Begines Cerrada
June 11, 2020 10:28 PM UTC
As I said earlier, I need to sign with SHA256/SHA512 with certificates stored in Windows but not exportable. I can do it with Adobe and other libraries.
If I can't do it with Syncfusion I must do it with another library, which is a pity, because Syncfusion PDF does a lot of things very well.
Can you tell me if you plan to introduce this functionality soon?
Thank you.
Regards,
abc
SL
Sowmiya Loganathan
Syncfusion Team
June 12, 2020 01:27 PM UTC
Hi Antonio,
Sorry for the inconvenience.
Currently we are validating to achieve your requirement and will update the further details on June 16, 2020.
Regards,
Sowmiya Loganathan
MK
Moorthy Karunanithi
Syncfusion Team
June 16, 2020 03:54 PM UTC
Hi Antonio,
We deeply regret the inconvenience caused.
We are still validating how to achieve your requirement with high priority and will update the further details on June 18, 2020.
Regards,
Moorthy K
MK
Moorthy Karunanithi
Syncfusion Team
June 18, 2020 03:49 PM UTC
Hi Antonio,
We have created the workaround sample to achieve your requirement. Here we have externally signed the PDF document using SHA256 and added that signed hash to the PDF document. Please find the code snippet and sample from below,
static void Main(string[] args)
{
//Create a new PDF document with one page.
PdfDocument document = new PdfDocument();
PdfPage page = document.Pages.Add();
PdfSignature signature = new PdfSignature(document, page, null, "DigitalSignature");
//Set the signature bounds.
signature.Bounds = new RectangleF(0, 0, 200, 100);
//Call the compute hash event.
signature.ComputeHash += Signature_ComputeHash;
//Save the PDF document.
document.Save("WindowsStore.pdf");
//Close the document.
document.Close(true);
System.Diagnostics.Process.Start("WindowsStore.pdf");
}
private static void Signature_ComputeHash(object sender, PdfSignatureEventArgs ars)
{
//Get the document bytes.
byte[] documentBytes = ars.Data;
//Initialize the Windows store.
X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
//Find the certificate using thumb print.
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, "0F59645E853309589EAE9965D2E603D70B46D707", true);
X509Certificate2 certificate = fcollection[0];
//Include the signed data to PDF.
ars.SignedData = Sign(documentBytes, certificate);
}
public static byte[] Sign(byte[] data, X509Certificate2 certificate)
{
if (data == null)
throw new ArgumentNullException("data");
if (certificate == null)
throw new ArgumentNullException("certificate");
// setup the data to sign
ContentInfo content = new ContentInfo(data);
SignedCms signedCms = new SignedCms(content, true);
CmsSigner signer = new CmsSigner(certificate);
signer.DigestAlgorithm = new Oid("SHA256");//you can use SHA1,SHA256,SHA512
signedCms.ComputeSignature(signer);
return signedCms.Encode();
}
Output PDF: https://www.syncfusion.com/downloads/support/forum/154897/pd/WindowsStore-1088732148.pdf
Kindly try the above sample in your end and let us know if it satisfies your requirement.
Regards,
Moorthy K
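The ComputeHash workaround above hands the library a detached CMS (PKCS#7) blob, so the digest is whatever CmsSigner records in SignerInfo, and the store's provider performs the RSA operation in place without the key ever being exportable. The block below is an added example rather than Syncfusion's sample: it pins the digest by OID instead of friendly name and adds the two checks a reviewer would want, reading back which digest a produced signature actually carries and verifying it against the data. Class and method names are hypothetical; it assumes a .NET runtime on which SignedCms can use the store-held key, as the thread's sample shows for the FNMT certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static class ExternalPdfSigning
{
    // Digest OIDs spelled out so the choice is explicit rather than a friendly-name lookup.
    public const string Sha256Oid = "2.16.840.1.101.3.4.2.1";
    public const string Sha1Oid = "1.3.14.3.2.26";

    // Detached CMS signature over the bytes the library passes in PdfSignatureEventArgs.Data.
    public static byte[] SignDetached(byte[] data, X509Certificate2 certificate, string digestOid = Sha256Oid)
    {
        if (data == null) throw new ArgumentNullException(nameof(data));
        if (certificate == null || !certificate.HasPrivateKey)
            throw new ArgumentException("a certificate with a private key is required", nameof(certificate));
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, certificate)
        {
            DigestAlgorithm = new Oid(digestOid)
        };
        // Record the signing time as a signed attribute alongside the content digest.
        signer.SignedAttributes.Add(new Pkcs9SigningTime());
        cms.ComputeSignature(signer, silent: false); // silent=false lets a smart-card PIN prompt appear
        return cms.Encode();
    }

    // Reads back the digest OID the signer recorded; this is what a viewer reports as SHA1 or SHA256.
    public static string DigestAlgorithmOf(byte[] cmsBytes)
    {
        var cms = new SignedCms();
        cms.Decode(cmsBytes);
        return cms.SignerInfos[0].DigestAlgorithm.Value;
    }

    // Checks the detached signature against the original bytes. verifySignatureOnly skips
    // chain building, so a test certificate from an untrusted issuer can still be checked.
    public static bool SignatureMatches(byte[] data, byte[] cmsBytes)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        cms.Decode(cmsBytes);
        try
        {
            cms.CheckSignature(verifySignatureOnly: true);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }
}
```

In the Signature_ComputeHash handler above, `ars.SignedData = ExternalPdfSigning.SignDetached(ars.Data, certificate);` is the only change needed, and `DigestAlgorithmOf(ars.SignedData)` returning "2.16.840.1.101.3.4.2.1" confirms SHA256 before the PDF is saved.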
AB
Antonio Begines Cerrada
June 22, 2020 12:27 PM UTC
This is not a workaround, it's a GREAT FEATURE and works very well! ;-)
Sorry for not reading this before: https://www.syncfusion.com/kb/10762/digitally-sign-pdf-document-with-an-external-signature-using-c-and-vb-net
Thank you all so much for your valuable support!
Regards,
abc
- 14 Replies
- 4 Participants
- Marked answer
AB Antonio Begines Cerrada
- Jun 4, 2020 01:41 AM UTC
- Jun 22, 2020 12:27 PM UTC