PDFKit.NET 2.0 is a 100% .NET (verifiable) component for creating and manipulating PDF documents. In this article I will focus on its digital signature capabilities. Digital signatures can be used to authenticate the source of a PDF document (who signed it?) and to provide the integrity of a PDF document (did the document change after it was signed?). In this article I will show how to apply one or more digital signatures and how to verify digital signatures.
Contents
Consider the following form:
Figure 1: PDF Form with fields and two empty signature fields
This form has two sections of form fields; one for the student and one for the teacher. Normally, first the student will fill out his portion and sign the document. This can be achieved programmatically as follows:
using (FileStream sourceFile = new FileStream(@"form.pdf", FileMode.Open,
FileAccess.Read))
{
Document document = new Document(sourceFile);
TextField projectNr = document.Fields["projectNumber"] as TextField;
projectNr.Value = "FF-235";
TextField sName = document.Fields["studentName"] as TextField;
sName.Value = "Bob Stapleton";
TextField sDate = document.Fields["studentDate"] as TextField;
sDate.Value = "April 18, 2007";
SignatureField sigField = document.Fields["studentSignature"] as
SignatureField;
Pkcs12Store store = null;
using (FileStream storeFile = new FileStream(@"ChrisSharp.pfx",
FileMode.Open, FileAccess.Read))
{
store = new Pkcs12Store(storeFile, "Sample");
}
SignatureHandler handler = StandardSignatureHandler.Create(store);
sigField.SignatureHandler = handler;
sigField.ContactInfo = "+31 (0)77 4748677";
sigField.Location = "The Netherlands";
sigField.Reason = "I hereby declare!";
using (FileStream outFile = new FileStream(@"signedByStudent.pdf",
FileMode.Create, FileAccess.ReadWrite))
{
document.Write(outFile);
}
}
After executing the code above and opening the PDF document in the PDF reader, the document looks as follows:
Figure 2: After applying the first signature
Note the question mark as shown by the PDF reader. This means that the certificate has not yet been trusted by the client machine. This is simply a matter of adding the certificate to the trust store.
Next, the teacher will review the student's data and then fill out the final fields and sign it. This can be achieved programmatically as follows:
using (FileStream sourceFile = new FileStream(@"..\..\signedByStudent.pdf",
FileMode.Open, FileAccess.Read))
{
Document document = new Document(sourceFile);
TextField tName = document.Fields["teacherName"] as TextField;
tName.Value = "Max Boulton";
TextField tDate = document.Fields["teacherDate"] as TextField;
tDate.Value = "April 18, 2007";
SignatureField sigField = document.Fields["teacherSignature"] as
SignatureField;
Pkcs12Store store = null;
using (FileStream storeFile = new FileStream(@"..\..\MaxBoulton.pfx",
FileMode.Open, FileAccess.Read))
{
store = new Pkcs12Store(storeFile, "teacherpassword");
}
SignatureHandler handler = StandardSignatureHandler.Create(store);
sigField.SignatureHandler = handler;
sigField.ContactInfo = "+31 (0)77 4748677";
sigField.Location = "The Netherlands";
sigField.Reason = "I hereby declare!";
using (FileStream outFile = new FileStream(@"..\..\signedByTeacher.pdf",
FileMode.Create, FileAccess.ReadWrite))
{
document.Write(outFile, DocumentWriteMode.AppendUpdate);
}
}
If you look at the code, it is practically the same as the previous code sample. The only significant difference is that I pass an extra argument to the Document.Write
method: DocumentWriteMode.AppendUpdate
. This tells PDFKit.NET 2.0 to save all changes as a so-called Update. I will discuss this in the next section.
After executing the code above and opening the PDF document in the PDF reader, the document looks as follows:
Figure 3: After applying the second signature
Note that the icon of the first signature has changed to a warning sign. This indicates that "the document has been updated since signed". This is exactly the case.
Note that when we saved the second signature, we passed an extra argument to Document.Write
, namely DocumentWriteMode.AppendUpdate
. This instructs PDFKit.NET to save the new field data and the signature as an Update. This means that the original PDF data is left entirely intact and the changes are concatenated. The figure below illustrates this.
Figure 4: PDF Updates
Consequently, the first signature remains valid because the exact data that was signed hasn't changed; we have just added an update.
So after saving the update there are now in fact two versions of the document; one that signed by the student and one that was signed by the teacher. It is useful to retrieve the exact document to which a given signature was applied. Obviously the signer only vows for that version and not for the versions that were created afterwards.
Given a document you can enumerate all updates or versions of the document and save a copy to disk as follows:
using (FileStream sourceFile = new FileStream(@"..\..\signedByTeacher.pdf",
FileMode.Open, FileAccess.Read))
{
Document document = new Document(sourceFile);
Console.WriteLine("This document has {0} updates.",document.Updates.Count );
foreach (Update update in document.Updates)
{
string name = string.Format( @"..\..\signedByTeacher_{0}.pdf",
update.Index );
using (FileStream updateFile = new FileStream(name, FileMode.Create,
FileAccess.Write))
{
update.Write(updateFile);
}
}
}
But perhaps even more interesting, you can open a signed document and per signature field you can retrieve the signed update. The following code sample enumerates all signature fields and saves the signed update.
using (FileStream sourceFile = new FileStream(@"..\..\signedByTeacher.pdf",
FileMode.Open, FileAccess.Read))
{
Document document = new Document(sourceFile);
foreach (Field field in document.Fields)
{
SignatureField sigField = field as SignatureField;
if (null != sigField)
{
if (sigField.IsSigned)
{
string name = string.Format(@"..\..\{0}.pdf", sigField.FullName);
using (FileStream updateFile = new FileStream(name,
FileMode.Create, FileAccess.Write))
{
sigField.SignedUpdate.Write(updateFile);
}
}
}
}
}
After executing this code, two new PDF documents have been saved: studentSignature.pdf and teacherSignature.pdf. Each document shows the version that was signed by the respective field.
Until now we have discussed signing documents. The verification was left to the PDF reader application. But PDFKit.NET also allows you to verify signatures programmatically. This is extremely simple as shown in the next code sample. The sample opens the PDF document that was signed by the student and the teacher and enumerates the signature fields. Per signature, information about the signature state is written to the console.
using (FileStream inFile = new FileStream(@"..\..\signedByTeacher.pdf",
FileMode.Open, FileAccess.Read))
{
Document document = new Document(inFile);
foreach (Field field in document.Fields)
{
SignatureField sigField = field as SignatureField;
if (null != sigField)
{
Console.WriteLine("Field '{0}'", sigField.FullName);
if (sigField.IsSigned)
{
bool verified = sigField.Verify();
Console.WriteLine(" -- {0}",
verified ? "Verified" : "Not verified");
if (verified)
{
bool modified = sigField.DocumentModifiedAfterSigning;
Console.WriteLine(" -- {0}", modified ? "Modified after
signing" : "Not modified after signing");
}
}
else
{
Console.WriteLine(" -- Not signed", sigField.FullName);
}
}
}
}
After executing the above code, the following is written to the console: