Digital Signature Algorithm

When I use Syncfusion for signing a document, set the property DigitalSignature.Settings.DigestAlgorithm to SHA256 and the property DigitalSignature.Settings.CryptographicStandard to CADES, and then sign the document with a certificate, the resulting document shows it was signed with SHA-1. When I use the ComputeHash event for signing the document, the resulting document is correctly signed with SHA-256. I could not understand why that happens. The prototype project attached below, with the certificate attached too, shows what I described.



Attachment: tetsing_dkdkdkdk_6f6c1d76.rar

14 Replies

GK Gowthamraj Kumar Syncfusion Team February 1, 2022 02:24 PM UTC

Hi Mohamed, 
 
If you are signing the PDF with a certificate from the Windows Certificate Store, an exportable store certificate will allow signing with the provided algorithm. Non-exportable store certificates only allow signing with the SHA1 algorithm.
  
Please refer to the screenshot below for changing the certificate to exportable, and also run the application with "Run as Administrator" and let us know the result.

Please let us know if you need any further assistance with this.  
 
Regards, 
Gowthamraj K 



MO Mohamed February 1, 2022 02:37 PM UTC

We sent this certificate for testing, but we use a USB token for signing and face the same problem. Is there any way to use the property with a USB token?



GK Gowthamraj Kumar Syncfusion Team February 2, 2022 01:45 PM UTC

Hi Mohamed, 
 
No. Only if the certificate is exportable can we change the algorithm to the provided one. Otherwise, the store supports only the SHA1 algorithm. This is a limitation of the store certificate/USB token.
 
Regards, 
Gowthamraj K 



MO Mohamed February 3, 2022 07:16 AM UTC

Then how come it works when we use the compute_hash event to change the algorithm to SHA256 on a USB token that has a non-exportable key?



GK Gowthamraj Kumar Syncfusion Team February 4, 2022 02:08 PM UTC

Hi Mohamed, 
 
In the compute hash approach, we pass the whole document data; it is not suitable for adding timestamp and LTV details. This is a limitation of the store certificate/USB token: only an exportable certificate can change the algorithm to the provided one. Otherwise, the store supports only the SHA1 algorithm.
 
Regards, 
Gowthamraj K 



DA Damir April 25, 2022 12:48 PM UTC

Hello,

we are considering using your components for implementing a module that can digitally sign PDF files according to the PAdES B-LT standard. The certificates our users use originally exist on USB tokens, but they are automatically imported into the Windows Personal certificate store, from where we can reference them in code. We are unable to mark this kind of certificate as exportable. SHA1 is no longer considered reliable for signature creation.

Is there a way to digitally sign a PDF document with your components to pass validation at https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation?

If there is a problem with supporting SHA256 for non-exportable certificates, are you considering providing some kind of PKCS#11 (Cryptoki) module?

Kind regards,

Damir 




GK Gowthamraj Kumar Syncfusion Team April 26, 2022 01:15 PM UTC

Hi Damir,

We do not have direct support to create a PAdES B-LTA signature. However, we can create a PAdES B-LTA signature by using the following approach. Kindly try this on your end and let us know whether it is suitable for you.


using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Drawing;      // RectangleF, PointF, SizeF (use System.Drawing on .NET Framework)
using Syncfusion.Pdf;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Load the PDF document.
FileStream docStream = new FileStream("../../../Barcode.pdf", FileMode.Open, FileAccess.Read);
PdfLoadedDocument loadedDocument = new PdfLoadedDocument(docStream);

//Create the signature.
PdfSignature signature = new PdfSignature(loadedDocument, loadedDocument.Pages[0], null, "Signature");
//Set the signature information.
signature.Bounds = new RectangleF(new PointF(0, 0), new SizeF(100, 30));
//Set the cryptographic standard and the digest algorithm.
signature.Settings.CryptographicStandard = CryptographicStandard.CADES;
signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA256;

//Create an external signer (class shown below); it must hash with the same algorithm.
IPdfExternalSigner externalSignature = new ExternalSigner("SHA256");

//Collect the certificate chain as public certificates.
List<X509Certificate2> certificates = new List<X509Certificate2>();
X509Certificate2 digitalId = new X509Certificate2(@"../../../certchain.pfx", "password", X509KeyStorageFlags.Exportable);
X509Chain chain = new X509Chain();
chain.Build(digitalId);
for (int i = 0; i < chain.ChainElements.Count; i++)
{
    certificates.Add(chain.ChainElements[i].Certificate);
}
//Add the external signer to the signature.
signature.AddExternalSigner(externalSignature, certificates, null);

//Create LTV (embeds the revocation data for the chain).
signature.CreateLongTermValidity(certificates);

//Set the timestamp server (the URL must be passed as a string).
signature.TimeStampServer = new TimeStampServer(new Uri("http://timestamping.ensuredca.com"));

MemoryStream stream = new MemoryStream();
//Save and close the document.
loadedDocument.Save(stream);
loadedDocument.Close(true);

//Reload the signed document and add a document timestamp (this turns B-LT into B-LTA).
loadedDocument = new PdfLoadedDocument(stream);
//Load the existing PDF page.
PdfLoadedPage lpage = loadedDocument.Pages[0] as PdfLoadedPage;
//Create a PDF signature with an empty certificate (document timestamp only).
PdfSignature timeStamp = new PdfSignature(lpage, "timestamp");
timeStamp.TimeStampServer = new TimeStampServer(new Uri("http://timestamping.ensuredca.com"));

MemoryStream str = new MemoryStream();
//Save and dispose the document.
loadedDocument.Save(str);
loadedDocument.Close(true);


And add the following code for the external signer.


using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Security;

class ExternalSigner : IPdfExternalSigner
{
    private string _hashAlgorithm;

    //Name of the digest the signer uses; Syncfusion reads it when building the CMS signed attributes.
    public string HashAlgorithm
    {
        get { return _hashAlgorithm; }
    }

    public ExternalSigner(string hashAlgorithm)
    {
        _hashAlgorithm = hashAlgorithm;
    }

    //Syncfusion passes the bytes to be signed; the signer hashes and signs them.
    public byte[] Sign(byte[] message, out byte[] timeStampResponse)
    {
        timeStampResponse = null;
        return SignDocumentHash(message);
    }

    private byte[] SignDocumentHash(byte[] documentHash)
    {
        X509Certificate2 digitalID = new X509Certificate2(@"certchain.pfx", "password", X509KeyStorageFlags.Exportable);
        if (digitalID.PrivateKey is RSACryptoServiceProvider)
        {
            //.NET Framework / CryptoAPI key: SignData hashes with the named algorithm, then signs.
            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)digitalID.PrivateKey;
            return rsa.SignData(documentHash, HashAlgorithm);
        }
        else if (digitalID.PrivateKey is RSACng)
        {
            //CNG key: use the configured digest name (not a hard-coded one) with PKCS#1 v1.5 padding.
            RSACng rsa = (RSACng)digitalID.PrivateKey;
            return rsa.SignData(documentHash, new HashAlgorithmName(HashAlgorithm), RSASignaturePadding.Pkcs1);
        }
        else
        {
            //Unsupported key type; the signature creation will fail downstream.
            return null;
        }
    }
}


If you skip adding the document timestamp, this will create a PAdES B-LT signature.


Regards,

Gowthamraj K
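
An added example, not code from this thread or from Syncfusion: an IPdfExternalSigner (the interface used in the post above) that signs with a certificate whose private key sits non-exportable in the Windows certificate store, which is the USB-token situation Mohamed and Damir describe. The class name, the thumbprint lookup in CurrentUser\My and the Syncfusion.Pdf.Security namespace are my assumptions; the thumbprint itself is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Security;   // IPdfExternalSigner, as used in the post above (namespace assumed)

// Added example, not Syncfusion's code: an IPdfExternalSigner backed by a certificate in the
// Windows certificate store whose private key is NOT exportable (for example a key that a
// USB token's middleware registers in the store). The private-key operation is delegated to
// the key's CSP/KSP through GetRSAPrivateKey(), so nothing needs to be exported.
public sealed class StoreBackedSigner : IPdfExternalSigner
{
    private readonly X509Certificate2 _cert;
    private readonly RSA _rsa;   // kept for the signer's lifetime; not disposed (it may be the cert's cached key object)

    // Syncfusion reads this to choose the digest for the CMS signed attributes; it must match
    // the algorithm Sign() really uses, otherwise the signature will not verify.
    public string HashAlgorithm { get { return "SHA256"; } }

    // thumbprint: hex SHA-1 thumbprint of the signing certificate (placeholder, supplied by the caller)
    public StoreBackedSigner(string thumbprint)
    {
        using (X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found in CurrentUser\\My: " + thumbprint);
            _cert = found[0];
        }
        _rsa = _cert.GetRSAPrivateKey();
        if (_rsa == null)
            throw new InvalidOperationException("The certificate has no accessible RSA private key.");
    }

    // Syncfusion passes the bytes to be signed (not a pre-computed hash); the signer hashes them
    // with SHA-256 and returns a PKCS#1 v1.5 RSA signature, the same shape as the post's SignData call.
    public byte[] Sign(byte[] message, out byte[] timeStampResponse)
    {
        timeStampResponse = null;   // leave timestamping to PdfSignature.TimeStampServer
        try
        {
            return _rsa.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException ex)
        {
            // The failure behind the "only SHA-1 works" symptom in this thread: on .NET Framework a key
            // held by a legacy CryptoAPI provider (PROV_RSA_FULL, type 1) typically cannot produce SHA-2
            // signatures, while PROV_RSA_AES (type 24) providers and CNG key storage providers can.
            RSACryptoServiceProvider csp = _rsa as RSACryptoServiceProvider;
            string holder = csp != null
                ? "CryptoAPI provider '" + csp.CspKeyContainerInfo.ProviderName + "' (type " + csp.CspKeyContainerInfo.ProviderType + ")"
                : _rsa.GetType().Name;
            throw new InvalidOperationException(
                "SHA-256 signing failed for the key in " + holder + "; the key's provider may not support SHA-2.", ex);
        }
    }
}
```

Wire it in where the post above creates its ExternalSigner: `signature.AddExternalSigner(new StoreBackedSigner("<thumbprint>"), certificates, null)` with `signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA256`, so the digest Syncfusion declares in the CMS and the digest the key actually signs agree. Wrapping the CryptographicException makes the provider name and type visible, which is the first thing to look at when a token signs with SHA-256 in one environment and fails in another.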



MO Mohamed April 26, 2022 04:06 PM UTC

But it does not work with .NET Framework with SHA256, and we need it to work with .NET Framework 4.7, VB, and SHA256.



GK Gowthamraj Kumar Syncfusion Team April 27, 2022 02:32 PM UTC

Hi Mohamed,


We have created a VB (.Net Framework 4.7) sample for creating a PAdES B-LTA signature with SHA 256 by using the following approach. Please try the sample with your input file on your end and let us know the result.

Sample:
https://www.syncfusion.com/downloads/support/directtrac/general/ze/ConsoleApp1-1397205949


Please let us know if you need any further assistance with this.


Regards,

Gowthamraj K



MO Mohamed April 27, 2022 06:16 PM UTC

The signature always gives me an invalid signature, and multiple signatures in the document do not work.





MO Mohamed April 27, 2022 06:53 PM UTC

How can I sign multiple times in the same document without getting an invalid signature?

The example does not work correctly.




GK Gowthamraj Kumar Syncfusion Team April 28, 2022 12:53 PM UTC

Hi Mohamed,


We can add multiple digital signatures to a PDF document by appending additional signatures to an already signed PDF file. We have checked the provided screenshot on our end; the document contains the trial watermark. When we add the signature for the first time without a license key, the trial watermark is added and the document is modified, so the second signature is invalid. This is not an issue. To overcome this, apply the registration license key to avoid the trial watermark and get a valid signature.


Please refer to the below documentation for more information,

UG: https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature   

Blogs: https://www.syncfusion.com/blogs/post/create-validate-pdf-digital-signatures-csharp.aspx#add-multiple-digital-signatures-in-a-single-PDF-document

KB: https://www.syncfusion.com/kb/9801/how-to-apply-one-or-more-digital-signatures-to-a-pdf-using-c-and-vb-net

Please let us know if you need any further assistance with this.


Regards,

Gowthamraj K
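
An added example (my code, not the thread's or Syncfusion's) that checks the two things questioned in this thread from the signed file itself rather than from the settings: which digest algorithm each signature's CMS really uses (the SHA-1 versus SHA-256 question at the top) and whether each signature still verifies over its declared /ByteRange after further signatures or modifications (the multi-signature question just above). It needs only the .NET System.Security.Cryptography.Pkcs assembly (a NuGet package on .NET Core); the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not Syncfusion code: reads every signature in a signed PDF and reports the CMS
// digest OID and whether the signature verifies over its /ByteRange. This is a cryptographic check
// only; certificate trust, revocation and PAdES-profile conformance are out of scope here.
public static class PdfSignatureInspector
{
    public sealed class Result
    {
        public int Index;
        public string DigestOid;       // 2.16.840.1.101.3.4.2.1 = SHA-256, 1.3.14.3.2.26 = SHA-1
        public string DigestName;
        public bool SignatureValid;    // signature over the ByteRange content verifies with the embedded cert
        public string SignerSubject;
    }

    private static readonly Regex ByteRangeRx = new Regex(
        @"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", RegexOptions.Compiled);

    public static List<Result> Inspect(byte[] pdf)
    {
        // Latin-1 maps each byte to one char, so regex match offsets equal byte offsets.
        string text = Encoding.GetEncoding("ISO-8859-1").GetString(pdf);
        var results = new List<Result>();
        int index = 0;
        foreach (Match m in ByteRangeRx.Matches(text))
        {
            int a = int.Parse(m.Groups[1].Value), b = int.Parse(m.Groups[2].Value);
            int c = int.Parse(m.Groups[3].Value), d = int.Parse(m.Groups[4].Value);

            // By definition of ByteRange, the hole between the two ranges is the /Contents hex string.
            byte[] cms = TrimToDerLength(HexDecode(text.Substring(a + b, c - (a + b))));

            // The signed content is the concatenation of the two ranges (detached CMS).
            byte[] signed = new byte[b + d];
            Buffer.BlockCopy(pdf, a, signed, 0, b);
            Buffer.BlockCopy(pdf, c, signed, b, d);

            var r = new Result { Index = index++ };
            var signedCms = new SignedCms(new ContentInfo(signed), detached: true);
            signedCms.Decode(cms);
            SignerInfo si = signedCms.SignerInfos[0];
            r.DigestOid = si.DigestAlgorithm.Value;
            r.DigestName = si.DigestAlgorithm.FriendlyName;
            r.SignerSubject = si.Certificate != null ? si.Certificate.Subject : "(no certificate in CMS)";
            try { signedCms.CheckSignature(verifySignatureOnly: true); r.SignatureValid = true; }
            catch (CryptographicException) { r.SignatureValid = false; }
            results.Add(r);
        }
        return results;
    }

    // /Contents is zero-padded to a reserved size; keep only the outer DER SEQUENCE's declared
    // length so the CMS decoder never sees the trailing padding.
    private static byte[] TrimToDerLength(byte[] der)
    {
        if (der.Length < 2 || der[0] != 0x30) throw new FormatException("Not a DER SEQUENCE");
        int len, headerLen;
        if (der[1] < 0x80) { len = der[1]; headerLen = 2; }
        else
        {
            int n = der[1] & 0x7F;            // long form: n following bytes hold the length
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | der[2 + i];
            headerLen = 2 + n;
        }
        byte[] trimmed = new byte[headerLen + len];
        Buffer.BlockCopy(der, 0, trimmed, 0, trimmed.Length);
        return trimmed;
    }

    private static byte[] HexDecode(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char ch in s) if (Uri.IsHexDigit(ch)) sb.Append(ch);   // drops '<', '>' and whitespace
        string hex = sb.ToString();
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }

    public static void Main(string[] args)
    {
        foreach (Result r in Inspect(File.ReadAllBytes(args[0])))
            Console.WriteLine("signature {0}: digest {1} ({2}), valid={3}, signer={4}",
                r.Index, r.DigestName, r.DigestOid, r.SignatureValid, r.SignerSubject);
    }
}
```

Run it against the output of each signing step: a signature that reports 1.3.14.3.2.26 is the SHA-1 case from the first post regardless of what DigestAlgorithm was set to, and an earlier signature whose SignatureValid turns false after a second signing round means the first ByteRange content was altered (the trial-watermark situation described above, or any non-incremental save). For trust-chain and PAdES B-LT/LTA conformance, the EU DSS validator mentioned earlier in the thread remains the reference check.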



DA Damir replied to Gowthamraj Kumar April 29, 2022 02:47 PM UTC

Dear Gowthamraj,

thank you for the code you posted! With a few minor changes I managed to get a properly signed PDF file according to the PAdES-LTA standard, but the size of the file signed in that way is huge (cca. 20 MB) in comparison with a properly signed PDF file using one of your competitors' solutions (cca. 2,6 MB).

(If you want, I can send you a link to a functional demo version.)

The size of original (unsigned) PDF file was cca. 450 KB.

Unfortunately, the increase of the original file size is too big for use in a production environment.

Have you any idea what could be the reason for such a big increase of the file size after implementing the suggested way of PAdES signing?


Kind regards,

Damir




GK Gowthamraj Kumar Syncfusion Team May 2, 2022 10:59 AM UTC

Hi Damir,


We suspect that the reported issue may be specific to the input document or certificate. Kindly reply with the details required below, so we can provide a precise solution.

  • Syncfusion package details with version.
  • Input document, certificate details with key.
  • Simplified sample or complete code snippet to replicate the issue on our end.


Regards,

Gowthamraj K

