Preview PDF files and digitally sign them in compliance with eIDAS Regulation (EU)

Dear Syncfusion team,


I would like to expose a certain use case that apparently shows some limitations in the components of PDF digital signature and PDF Viewer.

Please correct me if I describe an issue that can be covered by a feature already available that I missed, or if a workaround exists. Thank you.


Use case: Preview PDF files and digitally sign them in compliance with eIDAS Regulation (EU), either with an Advanced Electronic Signature or even Qualified Electronic Signature.

Technologies: .NET Core 5 + Blazor (& Syncfusion 19.2.0.44)


PDF Signature:

For this, we need a framework allowing the integration of the signature in a PDF with a custom process working in two steps (calculation of the message to sign, and integration of the signature provided by an external service).

I have tested the components with a certificate in Windows TrustStore and also on a smartcard requiring a PIN code (my identity card), and it worked well with the deferred signing example you provide.

Therefore, we can "delegate" hash signing to an external asynchronous service and integrate the result of the signature.

My first tests were very simple, and more tests will be required to fully validate all cases (e.g. multiple signature fields).


Conclusion for my use case: good start, but need to be tested further.


PDF Validation:

Here, I have some reserves for its use in our use case.

Validation of a digital signature in compliance with eIDAS is a bit more complex than just checking certificate validity and its chain, as there are additional constraints like the EU Trusted List. Moreover, there is a difference between a seal and a signature, which is more legal than technical.

Do you validate the certificates against the EU Trusted List? And does it allow you to easily determine whether it is a "simple", advanced or qualified electronic signature?

As it is not mentioned in the documentation, and based on my tests, I do not think so. Therefore, it cannot be used to validate digital signatures in the context of a legally-binding document in the European Union.

A validation report might be useful to understand why a digital signature is valid or not. Or its type (signature or seal; "simple", advanced or qualified).

FYI, there is also a standard for this: ETSI TS 119 102-2 - Procedures for Creation and Validation of AdES Digital Signatures; Part 2: Signature Validation Report.


Regarding the properties and methods exposed by the objects, I would suggest exposing the X509Certificate2 from the PdfCertificate object.

It can bring additional information to verify that the certificate used to sign is appropriate (e.g. Key Usage contains Non-Repudiation).

Using reflection to get it is not complex, but accessing a non-public field always introduces a risk in case of a change in your implementation.


Conclusion for my use case: not usable as it does not allow us to determine that it is a Qualified Electronic Signature (legally equivalent to the handwritten signature in EU).


I know that the validation process is complex, and I do not really expect its support. However, having it implemented could open doors on EU market for your components.


PDFViewer (Blazor):


The integration of the PDFViewer would allow us to keep the WYSIWYS principle (What You See Is What You Sign).

On paper, your PDFViewer supports forms and digital signatures. Therefore, filling in a form and signing it seems possible.

Unfortunately, the customisation possibilities are a problem in our use case.


Your signature pad is nice, but not really usable in the context of eIDAS or for a company having a corporate identity.

Digitally signing documents with a legal value requires a digital certificate (more precisely Qualified Electronic Certificate), and proposing only to draw/type/upload an image is therefore not really usable in EU.

What would be very very nice, is the possibility to "override" your signature pad with a custom panel.

For example, creating a custom form to select the certificate, preview information from the certificate, select a background image, the reason of signing, the location, etc. (somehow what you can do in Adobe Reader)

The generated image could be then draggable and resizable like the image you generate with your current signature pad.

A “light” version of this requirement would be the possibility to disable the signature pad but still capture the event of clicking on a signature field, to replace it with a custom behaviour/component.


The second problem I faced is with PDF documents already having signatures.

When the form editing is enabled, existing signatures are not shown, and they can be replaced without any warning, which is not really nice. Unless I missed a parameter for this?

The workaround I found to show existing signatures is to "flatten" the document before showing it. It works but it also means that the form is not editable anymore.

"Flattening" the PDF is apparently the technique you use in your BoldSign service as form fields, even signature fields, are not usable.


Conclusion for my use case: cannot be used with forms and signatures at the same time.


Moreover, finding a way to integrate the possibility to let the user place the signature where he/she wants (outside the case of signature fields) may require a lot of time – especially in the context of Blazor.



Last comment on the description of BoldSign: stating that your service complies with eIDAS is a bit misleading as it does not allow users to create a Qualified Electronic Signature. Yes, a “simple” electronic signature is possible, but the burden of proof is very important in case of Court case and only the Qualified Electronic Signature is the (automatic) equivalent to the handwritten signature in EU.


Hoping that my feedback will give you some ideas of requirements for digital signature support.


Best regards,

Denis
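The post above asks for two things the library's true/false check does not give: access to the X509Certificate2 behind the signature so that Key Usage (Non-Repudiation) can be inspected, and a report that explains why a signature passes or fails. The following is an added example written for this thread, not Syncfusion code and not the author's; it uses only .NET 5 base-class APIs (System.Formats.Asn1 ships with the .NET 5 runtime). It checks a signing certificate for the Non-Repudiation bit, looks for the ETSI QcCompliance statement in the QcStatements extension, and builds the chain against an explicit anchor list instead of the machine's root store, collecting findings into a small report. The certificates, the anchor list and the class names are constructed for the demo; a certificate that merely carries QcCompliance is only claiming to be qualified, the legal status still depends on the issuing CA's entry in the Trusted List.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not Syncfusion code: technical fitness checks on a signing certificate,
// reported as a list of findings rather than a single true/false.
public static class SigningCertificateChecker
{
    // id-pe-qcStatements (RFC 3739) and id-etsi-qcs-QcCompliance (ETSI EN 319 412-5).
    private const string QcStatementsOid = "1.3.6.1.5.5.7.1.3";
    private const string QcComplianceOid = "0.4.0.1862.1.1";

    public sealed class Report
    {
        public bool KeyUsageOk;
        public bool ChainOk;
        public bool ClaimsQualified;   // issuer's claim only; legal status comes from the Trusted List
        public readonly List<string> Findings = new List<string>();
    }

    public static Report Check(X509Certificate2 signer, X509Certificate2Collection trustAnchors)
    {
        var report = new Report();

        foreach (X509Extension ext in signer.Extensions)
        {
            // Key Usage: a signature meant to bind the signer must assert Non-Repudiation.
            if (ext is X509KeyUsageExtension ku)
            {
                report.KeyUsageOk = ku.KeyUsages.HasFlag(X509KeyUsageFlags.NonRepudiation);
                if (!report.KeyUsageOk) report.Findings.Add("Key Usage lacks Non-Repudiation: " + ku.KeyUsages);
            }
            // QcStatements: SEQUENCE OF SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }.
            else if (ext.Oid?.Value == QcStatementsOid)
            {
                AsnReader statements = new AsnReader(ext.RawData, AsnEncodingRules.DER).ReadSequence();
                while (statements.HasData)
                {
                    AsnReader statement = statements.ReadSequence();
                    if (statement.ReadObjectIdentifier() == QcComplianceOid) report.ClaimsQualified = true;
                }
            }
        }
        if (!report.ClaimsQualified)
            report.Findings.Add("No QcCompliance statement: certificate does not claim to be qualified");

        // Chain building against an explicit anchor list (stand-in for anchors taken from the
        // EU Trusted List), not against whatever happens to be in the machine's root store.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.AddRange(trustAnchors);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // demo certs have no CRL/OCSP; use Online in production
        report.ChainOk = chain.Build(signer);
        foreach (X509ChainStatus status in chain.ChainStatus)
            report.Findings.Add("Chain: " + status.Status + " - " + status.StatusInformation.Trim());
        return report;
    }

    // Constructed test certificate; a real signing certificate comes from a QTSP, a smartcard or the store.
    public static X509Certificate2 MakeDemoCertificate(bool nonRepudiation, bool qcCompliance)
    {
        RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=Demo Signer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        X509KeyUsageFlags usage = X509KeyUsageFlags.DigitalSignature
            | (nonRepudiation ? X509KeyUsageFlags.NonRepudiation : X509KeyUsageFlags.None);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(usage, critical: true));
        if (qcCompliance)
        {
            var writer = new AsnWriter(AsnEncodingRules.DER);
            using (writer.PushSequence())          // QCStatements
            using (writer.PushSequence())          // QCStatement
                writer.WriteObjectIdentifier(QcComplianceOid);
            req.CertificateExtensions.Add(new X509Extension(new Oid(QcStatementsOid), writer.Encode(), false));
        }
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        X509Certificate2 trusted = MakeDemoCertificate(nonRepudiation: true, qcCompliance: true);
        X509Certificate2 unknown = MakeDemoCertificate(nonRepudiation: false, qcCompliance: false);
        var anchors = new X509Certificate2Collection { trusted };

        foreach (X509Certificate2 cert in new[] { trusted, unknown })
        {
            Report r = Check(cert, anchors);
            Console.WriteLine($"{cert.Subject}: keyUsage={r.KeyUsageOk} chain={r.ChainOk} claimsQualified={r.ClaimsQualified}");
            foreach (string f in r.Findings) Console.WriteLine("  - " + f);
        }
    }
}
```

The second certificate fails on all three points and the report says why (missing Non-Repudiation, no QcCompliance, UntrustedRoot), which is the kind of detail a validation report in the spirit of ETSI TS 119 102-2 carries; a boolean result would have hidden all of it.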


5 Replies

DM Dhivyabharathi Mohan Syncfusion Team July 22, 2021 11:02 AM UTC

Hi Denis, 
 
 
Thank you for contacting Syncfusion support. 
 
 
Currently, we do not have support for digital signatures in PDF Viewer. But we can sign the documents using a hand-written signature. We have logged this digital signature support as a feature request. We will implement this feature in any of our upcoming releases. The status of the feature implementation can be tracked through the below feedback link,
 
   
 
 
However, you can add and validate the digital signature of the PDF by using our Syncfusion PDF C# library. Kindly refer to the following documentation links for more information.

Kindly try this and revert to us if you have any concerns.

Regards,
Dhivya.



DE Denis July 23, 2021 07:23 AM UTC

Hi,

Thank you for your reply.

However, you missed several points from my message. If I can summarise my analysis and expectations in terms of features, they are:

  • Syncfusion PDF C# library:
    • Expose the X509 certificate from the PdfCertificate object (instead of using reflection to get it).
    • Validation: your validation follows only the technical point of view of a digital signature, and does not take into account international legal frameworks.
      Even your example of “Validate signatures against a trusted list” is limited to a pure technical validation. But you are maybe not interested to go one step further...
      In the EU, the legal framework is the eIDAS Regulation, which defines many more constraints than just validating the signature certificate and its chain: those certificates are validated against a complex Trusted List of Trust Service Providers (available on the web as XML – and regularly updated) that also defines the "level of trust" of a certificate used for signing. As a result, it defines the legal recognition of the document that has been signed – where the highest level, “Qualified”, is the equivalent of the blue ink signature. Therefore, a validation check that just returns true or false falls a bit short from the legal perspective. That’s why a (detailed) validation report is needed (see ETSI TS 119 102-2).
      You can easily find legal and technical details on the web and it could be very useful for you to have a look at it if you are a minimum interested in the EU market – especially for your BoldSign service.
      However, due to the complexity of the validation, it’s maybe better to rely on external specialised services for the validation in compliance with eIDAS…
  • Blazor PDF Viewer (most important):
    • Make the digital signature visible without having to flatten the PDF (covered by the feedback entry 27239 you created).
    • As an option - protect signature fields already used when the form is editable.
    • Make the possibility for the developer to override the signature pad with a custom panel – in that way we can decide exactly what the user can do, show data from certificates or build a corporate identity that can be used to sign.


Thank you.


Best regards.
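The reply above points out that the Trusted List is published as XML and that it, not the certificate alone, decides the trust level of a CA. As an added illustration of what "validating against the Trusted List" involves (example code written for this thread, not Syncfusion's and not the poster's), the following reads the ETSI TS 119 612 structure that the EU member-state lists use (namespace http://uri.etsi.org/02231/v2#, TSPService/ServiceInformation with ServiceTypeIdentifier, ServiceStatus and the X509Certificate of the service), keeps only CA/QC services whose status is "granted", and returns their certificates as a collection that can be fed to a chain builder. The XML is constructed inline around two self-signed demo CAs. It assumes the list has already been authenticated: real Trusted Lists and the EU List of Trusted Lists that points to them are XAdES-signed XML, and their signatures have to be verified before any entry is trusted; that step is out of scope here.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

// Added example, not Syncfusion code: extract the CA/QC services with status "granted"
// from an ETSI TS 119 612 Trusted List and turn them into chain-building anchors.
public static class TrustedListReader
{
    private static readonly XNamespace Tsl = "http://uri.etsi.org/02231/v2#";
    private const string CaQcService     = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC";
    private const string StatusGranted   = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted";
    private const string StatusWithdrawn = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn";

    // Assumes trustedListXml has already had its XAdES signature verified.
    public static X509Certificate2Collection GrantedQualifiedCAs(string trustedListXml)
    {
        var anchors = new X509Certificate2Collection();
        XDocument doc = XDocument.Parse(trustedListXml);
        foreach (XElement service in doc.Descendants(Tsl + "TSPService"))
        {
            XElement info = service.Element(Tsl + "ServiceInformation");
            if (info == null) continue;
            // Only CAs issuing qualified certificates, and only while their status is "granted".
            if ((string)info.Element(Tsl + "ServiceTypeIdentifier") != CaQcService) continue;
            if ((string)info.Element(Tsl + "ServiceStatus") != StatusGranted) continue;
            foreach (XElement x509 in info.Descendants(Tsl + "X509Certificate"))
                anchors.Add(new X509Certificate2(Convert.FromBase64String(x509.Value.Trim())));
        }
        return anchors;
    }

    // Constructed sample list: one granted and one withdrawn CA/QC service.
    private static string ServiceXml(X509Certificate2 ca, string status) =>
        "<TSPService><ServiceInformation>" +
        "<ServiceTypeIdentifier>" + CaQcService + "</ServiceTypeIdentifier>" +
        "<ServiceName><Name xml:lang='en'>" + ca.Subject + "</Name></ServiceName>" +
        "<ServiceDigitalIdentity><DigitalId><X509Certificate>" +
        Convert.ToBase64String(ca.Export(X509ContentType.Cert)) +
        "</X509Certificate></DigitalId></ServiceDigitalIdentity>" +
        "<ServiceStatus>" + status + "</ServiceStatus>" +
        "</ServiceInformation></TSPService>";

    private static string BuildSampleList(X509Certificate2 grantedCa, X509Certificate2 withdrawnCa) =>
        "<TrustServiceStatusList xmlns='" + Tsl + "'>" +
        "<TrustServiceProviderList><TrustServiceProvider><TSPServices>" +
        ServiceXml(grantedCa, StatusGranted) +
        ServiceXml(withdrawnCa, StatusWithdrawn) +
        "</TSPServices></TrustServiceProvider></TrustServiceProviderList></TrustServiceStatusList>";

    // Constructed self-signed CA certificate standing in for a real QTSP root.
    private static X509Certificate2 MakeDemoCa(string name)
    {
        var req = new CertificateRequest("CN=" + name, RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    public static void Main()
    {
        X509Certificate2 granted = MakeDemoCa("Demo Granted QC CA");
        X509Certificate2 withdrawn = MakeDemoCa("Demo Withdrawn QC CA");

        X509Certificate2Collection anchors = GrantedQualifiedCAs(BuildSampleList(granted, withdrawn));

        Console.WriteLine("anchors found: " + anchors.Count);      // 1: the withdrawn service is dropped
        foreach (X509Certificate2 ca in anchors) Console.WriteLine("  " + ca.Subject);
        Console.WriteLine("withdrawn CA excluded: " + !anchors.Contains(withdrawn));
    }
}
```

The resulting collection is what goes into X509ChainPolicy.CustomTrustStore (with X509ChainTrustMode.CustomRootTrust) when validating a signer's chain; the service type and status filters are the minimum, since a real list also carries status history, qualifiers and service-level restrictions that a full eIDAS validator has to honour.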



DM Dhivyabharathi Mohan Syncfusion Team July 26, 2021 01:21 PM UTC

Hi Denis,

Please find the details.

Query: Expose the X509 certificate from the PdfCertificate object (instead of using reflection to get it).

Details: You can retrieve the digital ID “X509Certificate2” from the Windows certificate store and use it to add a digital signature to a PDF document. Kindly refer to the below documentation link for more information about X509Certificate2.

Query: Validation: your validation follows only the technical point of view of a digital signature, and does not take into account international legal frameworks.
Even your example of “Validate signatures against a trusted list” is limited to a pure technical validation. But you are maybe not interested to go one step further...
In the EU, the legal framework is the eIDAS Regulation, which defines many more constraints than just validating the signature certificate and its chain: those certificates are validated against a complex Trusted List of Trust Service Providers (available on the web as XML – and regularly updated) that also defines the "level of trust" of a certificate used for signing. As a result, it defines the legal recognition of the document that has been signed – where the highest level, “Qualified”, is the equivalent of the blue ink signature. Therefore, a validation check that just returns true or false falls a bit short from the legal perspective. That’s why a (detailed) validation report is needed (see ETSI TS 119 102-2).
You can easily find legal and technical details on the web and it could be very useful for you to have a look at it if you are a minimum interested in the EU market – especially for your BoldSign service.
However, due to the complexity of the validation, it’s maybe better to rely on external specialised services for the validation in compliance with eIDAS…

Details: We have an option to provide the trusted certificate list on the validation method. And we don't have direct support to get the trusted certificate from the web and validate it. So, you can use that approach to validate the signature.

Query: Blazor PDF Viewer (most important):
  • Make the digital signature visible without having to flatten the PDF (covered by the feedback entry 27239 you created).
  • As an option - protect signature fields already used when the form is editable.
  • Make the possibility for the developer to override the signature pad with a custom panel – in that way we can decide exactly what the user can do, show data from certificates or build a corporate identity that can be used to sign.

Details: We will consider these requirements while implementing the digital signature feature in our PDF Viewer control. As there are no immediate plans for this implementation and we cannot provide you the exact timeline for this feature, we will inform you once the feature is implemented in our PDF Viewer control.

Regards,
Dhivya.



LK Lukas Kluch March 31, 2022 01:21 PM UTC

Can you really access X509Certificate2 from a browser?



VS Vasugi Sivajothi Syncfusion Team April 4, 2022 12:09 PM UTC

Hi Lukas,

Please find the details.

Query: Can you really access X509Certificate2 from a browser?

Details: We can initialize a new instance of the X509Certificate2 class from the System.Security library. We can retrieve the “X509Certificate2” from the system Windows certificate store and use it to add a digital signature to a PDF document. Please refer to the below links:

UG: https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature#adding-a-digital-signature-using-x509certificate2

KB: https://www.syncfusion.com/kb/9860/how-to-digitally-sign-pdf-using-x509certificate2-in-c-and-vb-net

https://www.syncfusion.com/kb/11500/digitally-sign-a-pdf-document-using-the-usb-token

Kindly try this and let us know with more details if you have any concerns about this.

Regards,

Vasugi.
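Two threads come together here: the original post describes deferred signing as a two-step process (compute the message to sign, then integrate a signature produced by an external service such as a smartcard or a remote provider), and the question just above asks whether X509Certificate2 is reachable from a browser. The following added example, written for this thread and not taken from Syncfusion or from either poster, shows the split with .NET 5 base-class APIs only: the application side digests the bytes that the signature will cover, the external signer (the only party holding the private key) signs that digest, and the application verifies the returned signature against the signer's certificate before it would embed it into the PDF. The embedding step belongs to the PDF library and is not shown. The X509Store lookup is included because the reply points to it; note that it reads the store of the machine the .NET code runs on, so it works in Blazor Server or a backend API, while in Blazor WebAssembly the code runs inside the browser sandbox and has no access to the user's certificate store or smartcard. The demo certificate, the class names and the covered bytes are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not Syncfusion code: the two-step "hash here, sign there" split used for
// deferred/external signing, with the returned signature checked before it would be embedded.
public static class DeferredSigningDemo
{
    // Step 1 (application/server side): digest the bytes to be signed. For a PDF this is the
    // content covered by the signature's /ByteRange; a constructed byte string stands in for it here.
    public static byte[] DigestToSign(byte[] coveredBytes) => SHA256.HashData(coveredBytes);

    // Step 2 (external signer: smartcard, USB token, HSM or remote provider): only this side holds the key.
    public sealed class ExternalSigner
    {
        private readonly X509Certificate2 _certWithKey;
        public ExternalSigner(X509Certificate2 certWithKey) => _certWithKey = certWithKey;

        // What the application receives: the public certificate only, never the private key.
        public X509Certificate2 PublicCertificate => new X509Certificate2(_certWithKey.Export(X509ContentType.Cert));

        public byte[] SignDigest(byte[] sha256Digest)
        {
            using RSA key = _certWithKey.GetRSAPrivateKey()
                ?? throw new InvalidOperationException("certificate has no RSA private key");
            return key.SignHash(sha256Digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    // Step 3 (application side): check the returned signature against the signer's certificate
    // before embedding it, so a wrong key, a wrong digest or a mangled response is caught early.
    public static bool SignatureMatches(byte[] digest, byte[] signature, X509Certificate2 signerCert)
    {
        using RSA pub = signerCert.GetRSAPublicKey()
            ?? throw new InvalidOperationException("certificate has no RSA public key");
        return pub.VerifyHash(digest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Store lookup as in the reply above; this reads the store of the host running the .NET code.
    public static X509Certificate2 FindInCurrentUserStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        return found.Count == 0 ? null : found[0];
    }

    // Constructed self-signed signer so the demo runs without a store or token.
    private static X509Certificate2 MakeDemoSigner()
    {
        var req = new CertificateRequest("CN=Demo Signer", RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.NonRepudiation | X509KeyUsageFlags.DigitalSignature, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        byte[] covered = Encoding.UTF8.GetBytes("%PDF-1.7 ... constructed stand-in for the signed byte ranges ...");
        var signer = new ExternalSigner(MakeDemoSigner());
        X509Certificate2 cert = signer.PublicCertificate;

        byte[] digest = DigestToSign(covered);
        byte[] signature = signer.SignDigest(digest);   // only the digest crosses to the signer
        Console.WriteLine("signature matches:       " + SignatureMatches(digest, signature, cert));

        covered[0] ^= 0x01;                              // document altered after hashing
        Console.WriteLine("after tampering matches: " + SignatureMatches(DigestToSign(covered), signature, cert));
    }
}
```

The digest is the only thing that leaves the application, which is what makes a smartcard or a remote signing service usable without ever exporting the key; the verification in step 3 is cheap and turns a silent mismatch (wrong certificate selected, digest computed over the wrong byte ranges) into an error before an invalid signature is written into the document.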

