
Can't sign with SHA256... only SHA1

I'm trying to sign a PDF file with SHA256, but the signature is created with SHA1. What's wrong with this code?

            X509Certificate2 digitalID = x509; // previously assigned from Windows store...
            PdfLoadedDocument document = new PdfLoadedDocument(pdfFileName); // previously assigned with opendialog
            PdfCertificate certificate = new PdfCertificate(digitalID);
            PdfSignature signature = new PdfSignature(document, document.Pages[0], certificate, "DigitalSignature");
            signature.Settings.CryptographicStandard = CryptographicStandard.CADES;
            signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA256;
            document.Save(pdfFileName + " - signed.pdf");
            document.Close(true);          

Attached you can find the two files (before and after signature)

Thanks!

Saludos,
Antonio

Attachment: only_sha1_b6bd103d.zip

14 Replies 1 reply marked as answer

SL Sowmiya Loganathan Syncfusion Team June 4, 2020 02:35 PM UTC

  
Hi Antonio,    
   
Thank you for contacting Syncfusion support.    
   
We have tried to sign the given PDF document using SHA256, and the resultant PDF document is signed with SHA256 only. Please refer to the sample below for your reference:
   
Output document: https://www.syncfusion.com/downloads/support/forum/154897/pd/Output339538807     
   
Could you please try the above sample on your end and let us know the result?
 
Regards, 
Sowmiya Loganathan 


Marked as answer

AB Antonio Begines Cerrada June 4, 2020 05:49 PM UTC

Hi Sowmiya! 

Thanks for your answer. Your sample works well with the PFX certificate included.
But my use case is that the user can select a certificate from the Windows store. The two main types of certificates will be:
- FNMT issued (Spanish government ID, very important in Spain)
- Windows CA (our network domain)

Attached you have the two samples, with two signatures made with the same certificate for each file (one with syncfusion and one with Adobe).
As you can see in attached zip, (file "signed with windows-store-FNMT-cert with syncfusion and adobe (sha1 and sha256).PDF")...
the signature made with Syncfusion using the FNMT certificate (very important for us) is created with SHA1, but the same signature made with Adobe is created with SHA256.

With other certificates (your PFX, the windows ca certificate, etc.) all seems ok.

Saludos,
abc

Attachment: sha1_(syncfusion)_and_sha256_(adobe)_de8ed63f.zip


AB Antonio Begines Cerrada June 4, 2020 06:08 PM UTC

I think this is not the source of the problem, but for your information, this is the code used. It is very similar to yours, but it selects the certificate from the Windows store.

        private void Button1_Click(object sender, EventArgs e)
        {
            //Load PDF document 
            PdfLoadedDocument loadedDocument = new PdfLoadedDocument("../../Data/caratula.pdf");

            //Load PDF page
            PdfLoadedPage page = loadedDocument.Pages[0] as PdfLoadedPage;

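            //Creates a certificate instance from the certificate the user picks in the Windows store
            X509Certificate2 selected = selectCert("My", StoreLocation.CurrentUser, "Elige un certificado", "please...");
            if (selected == null)
            {
                //No certificate chosen: nothing to sign with
                loadedDocument.Close(true);
                return;
            }
            PdfCertificate pdfCert = new PdfCertificate(selected);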

            //Creates a digital signature
            PdfSignature signature = new PdfSignature(loadedDocument, page, pdfCert, "Signature");

            //Sets signature settings to customize digest algorithm specified
            PdfSignatureSettings settings = signature.Settings;
            settings.CryptographicStandard = CryptographicStandard.CADES;
            settings.DigestAlgorithm = DigestAlgorithm.SHA256;

            //Sets an image for signature field
            PdfBitmap signatureImage = new PdfBitmap(@"../../Data/logo.png");

            //Sets signature information
            signature.Bounds = new RectangleF(new PointF(0, 0), signatureImage.PhysicalDimension);
            signature.ContactInfo = "johndoe@owned.us";
            signature.LocationInfo = "Honolulu, Hawaii";
            signature.Reason = "I am author of this document.";

            //Draws the signature image
            page.Graphics.DrawImage(signatureImage, 0, 0);

            //Saves and closes the document
            loadedDocument.Save("Output.pdf");
            loadedDocument.Close(true);

            Process.Start("Output.pdf");
        }


        static private X509Certificate2 selectCert(/*StoreName */string store, StoreLocation location, string windowTitle, string windowMsg)
        {
            X509Certificate2 certSelected = null;
            X509Store x509Store = new X509Store(store, location);
            x509Store.Open(OpenFlags.ReadOnly);

            X509Certificate2Collection col = x509Store.Certificates;
            X509Certificate2Collection sel = X509Certificate2UI.SelectFromCollection(col, windowTitle, windowMsg, X509SelectionFlag.SingleSelection);

            if (sel.Count > 0)
            {
                X509Certificate2Enumerator en = sel.GetEnumerator();
                en.MoveNext();
                certSelected = en.Current;
            }

            x509Store.Close();

            return certSelected;
        }


SL Sowmiya Loganathan Syncfusion Team June 5, 2020 12:34 PM UTC

Hi Antonio,    
   
We have analyzed the mentioned issue and suspect that this is a certificate-specific issue. Could you please share the certificate file with us for further analysis, so that we can provide a better solution? Or else we can set up a web meeting to look into providing the solution on your machine itself. We will make every effort to have this scheduled on a date and time of your convenience.
   
Note: We work in IST hours. 
 
Regards, 
Sowmiya Loganathan 



AB Antonio Begines Cerrada June 5, 2020 02:59 PM UTC

Hi Sowmiya,
Thank you very much for your attention.

Attached you can find a "test certificate" issued by Spanish FNMT.
I imported it to my Windows certificate store and signed the document with Syncfusion and Adobe.
It ends up with a sha1 (sync) and a sha256 (adobe) signature.
The password for the certificate is G5cp,fYC9gje

Saludos,
abc

Attachment: certificado_prueba_3f74c7b5.zip


AP Anand Panchamoorthi Syncfusion Team June 8, 2020 04:34 PM UTC

Hi Antonio,  
  
Thank you for your update.   
  
As per the external signing behavior, we can sign the PDF document with SHA256 digest algorithm only for X509Certificate created as exportable. Otherwise, external signing only supports SHA1 digest algorithm in PDF signing.   
Please try the code snippet below to create the X509Certificate as exportable, and let us know whether the provided solution meets your requirement.

        //Load PFX in X509Certificate2 as exportable
        //X509Certificate2 has no constructor that takes a Stream, so pass the raw PFX bytes
        byte[] pfxBytes = File.ReadAllBytes("PDF.pfx");
        X509Certificate2 x509Certificate = new X509Certificate2(pfxBytes, "syncfusion", X509KeyStorageFlags.Exportable);
        RSACryptoServiceProvider rsa = (RSACryptoServiceProvider) x509Certificate.PrivateKey;

With Regards,
Anand P 



AB Antonio Begines Cerrada June 8, 2020 06:44 PM UTC

Hi Anand,
Sad to hear that.

My use case is to allow the user to select the certificate from the Windows Certificate Store, not from a PFX file (you can see the code used in this thread).

Other utilities or libraries allow me to sign PDFs from these certificates (as you can see, for example, with Adobe) and cipher with sha256, so I don't understand why Syncfusion doesn't.

Can you help me dealing with this situation? Thanks!

Saludos,
Antonio



SL Sowmiya Loganathan Syncfusion Team June 9, 2020 01:59 PM UTC

Hi Antonio,   
 
Currently we are validating to achieve your requirement and will update the further details on June 11th, 2020.   
 
Regards,  
Sowmiya Loganathan  
 



SL Sowmiya Loganathan Syncfusion Team June 11, 2020 03:01 PM UTC

Hi Antonio, 
 
We are able to Digitally sign a PDF document using Windows certificate store.  
 
Please find the code to sign PDF using Windows certificate store below, 
        static void Main(string[] args) 
        { 
             
            //Load existing PDF document. 
            PdfLoadedDocument document = new PdfLoadedDocument(@"Sample.pdf"); 
 
            //Initialize the Windows store. 
            X509Store store = new X509Store("MY", StoreLocation.CurrentUser); 
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); 
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates; 
            //Find the certificate using thumb print. 
            X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, "0F59645E853309589EAE9965D2E603D70B46D707", true); 
            X509Certificate2 digitalID = fcollection[0]; 
 
            //Load X509Certificate2. 
            PdfCertificate certificate = new PdfCertificate(digitalID); 
 
            //Create a revision 2 signature with loaded digital ID. 
            PdfSignature signature = new PdfSignature(document, document.Pages[0], certificate, "DigitalSignature"); 
 
            //Changing the digital signature standard and hashing algorithm. 
            signature.Settings.CryptographicStandard = CryptographicStandard.CADES; 
 
            if (IsExportable(digitalID)) 
            { 
                signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA512; 
            } 
            else 
            { 
                signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA1; 
            }             
 
            //Save the PDF document. 
            document.Save("WindowsStore.pdf"); 
 
            //Close the document. 
            document.Close(true); 
             
        } 
        private static bool IsExportable(X509Certificate2 certificate) 
        { 
            try 
            { 
                return (certificate.PrivateKey as RSACryptoServiceProvider).CspKeyContainerInfo.Exportable; 
            } 
            catch 
            { 
                return false; 
            } 
        } 
 
 
Please refer the below link for more details 
 
Note: As we said earlier, for the external signing behaviour, we can sign the PDF document with SHA256 digest algorithm only for X509Certificate created as exportable. Otherwise, external signing only supports SHA1 digest algorithm in PDF signing. 
 
Regards, 
Sowmiya Loganathan 



AB Antonio Begines Cerrada June 11, 2020 10:28 PM UTC

As I said earlier, I need to sign with sha256/sha512 with certificates stored on Windows but not exportable. I can do it with Adobe and other libraries.
If I can't do it with Syncfusion I must do it with another library. It's a pity, because sync pdf does a lot of things very well.
Can you tell me if you plan to introduce this functionality soon?

Thank you.

Saludos,
abc


SL Sowmiya Loganathan Syncfusion Team June 12, 2020 01:27 PM UTC

Hi Antonio,   
  
Sorry for the inconvenience.   
  
Currently we are validating to achieve your requirement and will update the further details on June 16, 2020.   
  
Regards,  
Sowmiya Loganathan  
 



MK Moorthy Karunanithi Syncfusion Team June 16, 2020 03:54 PM UTC

Hi Antonio,    
 
We deeply regret the inconvenience caused.
   
Still we are validating to achieve your requirement with high priority and will update the further details on June 18, 2020.    
   
Regards,   
Moorthy K 



MK Moorthy Karunanithi Syncfusion Team June 18, 2020 03:49 PM UTC

Hi Antonio,    
 
We have created the workaround sample to achieve your requirement. Here we have externally signed the PDF document using SHA256 and added that signed hash to the PDF document. Please find the code snippet and sample from below,   
 
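        //Namespaces used by this sample
        using System;
        using System.Drawing;
        using System.Security.Cryptography;
        using System.Security.Cryptography.Pkcs;
        using System.Security.Cryptography.X509Certificates;
        using Syncfusion.Pdf;
        using Syncfusion.Pdf.Security;

        static void Main(string[] args) 
        {            

            //Create a new PDF document. 
            PdfDocument document = new PdfDocument(); 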
 
            PdfPage page = document.Pages.Add(); 
                       
            PdfSignature signature = new PdfSignature(document, page, null, "DigitalSignature"); 
             
            //Set the signature bounds.   
            signature.Bounds = new RectangleF(0, 0, 200, 100); 
 
            //Call the compute hash event.   
            signature.ComputeHash += Signature_ComputeHash; 
            //Save the PDF document. 
            document.Save("WindowsStore.pdf"); 
 
            //Close the document. 
            document.Close(true); 
 
            System.Diagnostics.Process.Start("WindowsStore.pdf"); 
        } 
        private static void Signature_ComputeHash(object sender, PdfSignatureEventArgs ars) 
        { 
            //Get the document bytes.  
            byte[] documentBytes = ars.Data; 
 
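            //Initialize the Windows store. 
            X509Store store = new X509Store("MY", StoreLocation.CurrentUser); 
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); 
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates; 
            //Find the certificate using thumb print (the last argument, true, returns only valid certificates). 
            X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByThumbprint, "0F59645E853309589EAE9965D2E603D70B46D707", true); 
            store.Close(); 
            //Fail with a clear message instead of an index error when nothing matches. 
            if (fcollection.Count == 0) 
                throw new InvalidOperationException("Signing certificate not found in the store or not valid."); 
            X509Certificate2 certificate = fcollection[0]; 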
 
            //Include the signed data to PDF.   
            ars.SignedData = Sign(documentBytes, certificate); 
        } 
        public static byte[] Sign(byte[] data, X509Certificate2 certificate) 
        { 
            if (data == null) 
                throw new ArgumentNullException("data"); 
            if (certificate == null) 
                throw new ArgumentNullException("certificate"); 
 
            // setup the data to sign  
            ContentInfo content = new ContentInfo(data); 
            SignedCms signedCms = new SignedCms(content, true); 
            CmsSigner signer = new CmsSigner(certificate); 
            signer.DigestAlgorithm = new Oid("SHA256");//you can use SHA1,SHA256,SHA512 
            signedCms.ComputeSignature(signer); 
 
            return signedCms.Encode(); 
        } 
 
 
Kindly try the above sample in your end and let us know if it satisfies your requirement. 
 
Regards, 
Moorthy K 
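
To confirm which digest a signed PDF actually carries (the SHA1-versus-SHA256 difference this thread is about), the following added example, which is not code from the thread or from Syncfusion, reads the digest algorithm OID from each signature's CMS blob. It assumes DER-encoded (definite-length) SignedData stored in a `/Contents <hex>` entry; the function names and the sample bytes are constructed for illustration.

```python
import re

OID_NAMES = {"1.3.14.3.2.26": "SHA-1", "2.16.840.1.101.3.4.2.1": "SHA-256",
             "2.16.840.1.101.3.4.2.3": "SHA-512"}

def read_tlv(buf, pos=0):
    """Return (value, next_pos) for the DER element that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):              # split a constructed value into child values
        child, pos = read_tlv(value, pos)
        out.append(child)
    return out

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, n = [first, body[0] - 40 * first], 0
    for b in body[1:]:                   # base-128, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signer_digests(cms):
    """Digest of each SignerInfo (fields: version, sid, digestAlgorithm, ...) in a DER CMS blob."""
    content_type, wrapped = children(read_tlv(cms)[0])[:2]  # padding after the blob is ignored
    if decode_oid(content_type) != "1.2.840.113549.1.7.2":
        raise ValueError("not CMS SignedData")
    signer_infos = children(children(wrapped)[0])[-1]       # last field of SignedData
    oids = [decode_oid(children(children(si)[2])[0]) for si in children(signer_infos)]
    return [OID_NAMES.get(oid, oid) for oid in oids]

def pdf_signature_digests(pdf):          # one list per "/Contents <hex>" signature blob
    hits = re.finditer(rb"/Contents\s*<([0-9A-Fa-f\s]+)>", pdf)
    return [signer_digests(bytes.fromhex(m.group(1).decode())) for m in hits]

# Constructed sample: skeleton SHA-256 SignedData (dummy signature) in a zero-padded slot.
SAMPLE_PDF = (b"<< /Type /Sig /Contents <305f06092a864886f70d010702a0523050020101"
              b"310f300d06096086480165030402010500300b06092a864886f70d010701312d302b020101"
              b"30053000020101300d06096086480165030402010500300d06092a864886f70d0101010500"
              b"040100" + b"00" * 16 + b"> >>")
```

Running `pdf_signature_digests` over the bytes of a signed file gives one entry per signature, so a file signed twice with different tools shows both digests side by side.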



AB Antonio Begines Cerrada June 22, 2020 12:27 PM UTC

This is not a workaround, it's a GREAT FEATURE and works very well! ;-)


Thank you all so much for your valuable support!

Saludos,
abc
