Digital Signatures


What are Digital Signatures

A digital signature is an electronic fingerprint, uniquely identifying the signing person. For more information on digital signatures please look at Digital Signatures in PDF. Also have a look at Section 12.8 Digital Signatures of the PDF 1.7 Specification.

For general information on how digital signatures work have a look here.

Considerations

Currently PSPDFKit only allows signing existing signature form elements. You therefore will need a template with an existing signature form field.

Supported signing algorithms are:

  • RSA / SHA256
  • ECDSA

You can use a self-signed certificate for testing purposes, but you will need to make sure that certificate is trusted by all the devices the PDF is opened on (including PCs/Macs with Acrobat). A self signed certificate will probably also generate warnings about it's keyUsage extension (the self-signed certificate must permit certificate signing - keyCertSign, see RFC 5280).

In production always use a certificate from a valid Certificate Authority. Make sure that the certificate's keyUsage has digitalSignature permission set (see RFC 5280).

How to create Digital Signatures

To create a digital signature, you need 2 things. An X509 certificate that contains your public key and signer information - and your private key. The signing process produces the signature by encrypting the message digest from the PDF file with a private key. The certificate with its public key is added to the signature and saved in the PDF file. PSPDFKit provides a PSPDFPKCS12Signer for your convenience that loads a certificate with public and private key from a p12 archive. If you want to customize the signing process, you need to subclass PSPDFSigner.Keep in mind that certificates installed by user via opening .p12 container with built-in apps (via "Install Profile") will go to Apple access group and will only be available to Apple-provided apps such as Safari or Mail. See Apple Technical Q&A for more details and a suggested workaround - Technical Q&A QA1745

Here is an example of how to register a PSPDFPKCS12Signer

Copy
1
2
3
4
5
6
7
8
9
// p12Data is an p12 archive NSData object
let p12 = PSPDFPKCS12(data: p12Data)

// Create a signer with a display name. the display name will shop up in the list of identities when you tap on a signature form field
let p12Signer = PSPDFPKCS12Signer(displayName: "John Appleseed", pkcs12: p12)

// Finally register your signer with the signature manager
let signatureManager = PSPDFKit.sharedInstance.signatureManager
signatureManager.register(p12Signer)
Copy
1
2
3
4
5
6
7
8
9
// p12Data is an p12 archive NSData object
PSPDFPKCS12 *p12 = [[PSPDFPKCS12 alloc] initWithData:p12Data];

// Create a signer with a display name. the display name will shop up in the list of identities when you tap on a signature form field
PSPDFPKCS12Signer *p12Signer = [[PSPDFPKCS12Signer alloc] initWithDisplayName:@"John Appleseed" PKCS12:p12];

// Finally register your signer with the signature manager
PSPDFSignatureManager *signatureManager = PSPDFKit.sharedInstance.signatureManager;
[signatureManager registerSigner:p12Signer];

A PSPDFUnsignedFormElementViewController will be automatically created when tapping on a signature form element, after you registered a signer:

PSPDFUnsignedFormElementViewController

PSPDFKit also needs to be able to validate signatures. The validation process consists of two steps. First we check if the signature certificate embedded on signing can be trusted. In order to do so, we need to obtain the trusted certificate from the authority that issued it, a root CA certificate or an intermediate CA certificate. For your convenience, PSPDFKit already provides the Adobe root CA. This CA is also typically loaded by third-party readers. The second step is the signature verification. This process essentially decrypts the signature with a public key from the certificate embedded in the PDF file on signing and compares it with the message digest built from the PDF file excluding the signature itself.

Here is an example on how to provide the trusted certificate:

Copy
1
2
3
4
5
6
7
8
9
10
11
do {
    // Load a certificate (with a public key) from a p7 archive
    let certificateData = try Data(contentsOf: p7URL)
    let certificates = try PSPDFX509.certificatesFromPKCS7Data(certificateData)

    for certificate in certificates {
        signatureManager.addTrustedCertificate(certificate)
    }
} catch {
    // Don't forget to check for errors here
}
Copy
1
2
3
4
5
6
7
8
9
10
11
// Load a certificate (with a public key) from a p7 archive
NSData *certificateData = [NSData dataWithContentsOfURL:p7URL];

NSError *error = nil;
NSArray *certificates = [PSPDFX509 certificatesFromPKCS7Data:certData error:&err];

// Don't forget to check for errors here

for (PSPDFX509 *certificate in certificates) {
    [signatureManager addTrustedCertificate:certificate];
}

In PSPDFKit Demo app in the section FORMS AND DIGITAL SIGNATURES see the Digital signing process for the example of interactive (user driven) signing process and signature validation. In the Automated digital signing process see the example of non-interactive signing process.

Creating a custom signer

In order to customize the signing process you can subclass PSPDFSigner. Then you register the signer with the signature manager just like described above. Please have a look at the documentation in the PSPDFSigner header file for more information on what methods you need to override.

How does Adobe Acrobat validate a document signed by PSPDFKit?

Once you have signed a PDF document using PSPDFKit, you'll notice that after opening it in Adobe Acrobat you might get the following validation status:

This warning is informing you that the reader application has verified that the document has not been modified since the last time it was signed, but that the certificate is not trusted yet. You can configure the certificate as a trusted anchor in Adobe Acrobat by following these instructions: Get Certificates from Other Users

Alternatively, if the PDF is opened in a Windows environment, you can configure Adobe Acrobat to automatically trust every certificate in the Windows Certificate Store by clicking Edit, Preferences, Security, Advanced Preferences, and then check "Enable searching the Windows Certificate Store for the following operations". Use this option with caution as it might pose a security risk.

Adobe Acrobat 9 introduced a new program to make the validation process more user-friendly: Adobe Approved Trust List (AATL). Businesses that provide certificates to their users can apply to this program by submitting application materials and their root certificates. Once approved, Adobe Acrobat will automatically download and trust every certificate that is part of this program. There's more information about this program at Adobe Approved Trust List

Was this page helpful? We're happy to answer any questions.