We have a windows application in (the dot net 2.0 framework).
Using this application our client took out invoice print. Due to the new gov. rules and regulations, they want to take out digitally signed invoices in pdf format so they can upload it on the gov. portal.
Every client will have their own one or multiple "DSC token/ e-pass token 2003/smart card".
We have to use this token to digitally sign the pdf.
Can anyone suggest to us what is a good way to achieve this in vb.net or c#?
While googling for this solution we found that these tokens install one certificate in Windows Root Certificate bind with the name. Use this certificate and digitally sign a pdf document.
We have one question related to this solution If the client installs their certificate on System A and it will show pdf doc is verified. What will happen if the files got shifted from System A to System B, will they be still verified or unverified?
Related
In order to onboard users, we have to identify them and they need to sign a contract (through our web application). The signed contract must be compliant with eIDAS AdES, so a PAdES.
The users are identified either through SPID or onfido (but it could be any other KYC service).
What do we need to do in order to produce a valid PAdES? Can we produce one on our own, without a third party?
For what I understood, we can't create a signed PDF because we don't have the private key of the user. If we create a self-signed certificate, the signature would not be valid and we would be able to prove nothing.
Document signing in KYC compliant process usually requires a qualified signature.
"Qualified signature" in all cases is created on QSCD device listed in the EU QSCD list.
I work for company that has a component that enables signing od PDF or XML files according the PADES and XADES signature standards using user x.509 certificate (stored on card, USB roken or in local certificate store on the OS) that enables web applications to get signed document or just CADES signature with few lines of code. Most important works on most modern browsers on both Windows and MacOS operating systems. If you are interested please check our PDF Signing Extension developer portal https://developers.nextsense.com for more details.
We are generating document PDF's as part of our server application workflow. We need to be able to sign these documents to prove they are from us and have not been tampered with. We currently do this using a self-signed cert and using syncfusion's PDF module (excellent sw btw!). The problem is (of course) that the self-signed cert is not in the CA trust chain so although the document is secured, it doesnt automatically validate that its from us.
I have been researching where to purchase AATL certified certificates from and have found several vendors (Identrust being one of the more affordable options). However, they all share the same delivery method which is they ship it to you on a secure USB or similar token. What I dont understand then is how to use this token with our hosted VM. Does anyone have any experience in using these types of token ie. are we simply able to export the private key from the token onto the server?
Thanks
You cannot use the tokens in this scenario.
The certificate issuer should provide you with a web-based API that you integrate in your signing process. Usually you send the document hash and get back the signature, but the actual flow and ins/outs depends on the certificate provider.
Then the PDF library you use should let you embed in the PDF file the externally computed signature.
I have my own webpage www.kasperikoski.fi that is, the way I see it, trusted, and I would like to have the ability to digitally sign PDF-documents by using some kind of sertificate that is put into my webpage so that people really know that it is me signing all these documents.
At first I thought that maybe I could share "public key" at the bottom of my webpage, but then I heard something about OpenSSL. Could that be used in my needs?
How would you carry out this one so that I could use the PDF's integrated "sign digitally"-option?
Assuming that I read your question right, you want to let your web site visitors a way to download some documents, which are created or maintained by your web site, and you want those documents to be digitally signed.
If the document is pre-created, it's possible to sign it during creation (either with the tool that generates them, or create a separate piece of code for signing). If the documents are generated on-the-fly, then your web site should include signing capabilities.
To perform signing you need a certificate with a private key. But not every certificate would work. The certificate you need should be suitable for data signing, rather than just for SSL/TLS. You can try to obtain the certificate for your site from some CA and then use it for signing the documents. Whether the users' software would accept such certificates depends on how Key Usage and Extended Key Usage properties (extensions) of the certificate are put by the CA. Another option would be to create a self-signed certificate.
In case of a self-signed certificate you would want to place the certificate itself (without a private key) to your web site for the users to download and install. This is needed for validation of the signature in your signed documents. No need to say, that you don't put the private key to download, neither you provide it to your users by any other means. It's kept only on the server (and preferably secured to make stealing it harder for the possible attacker).
The technologies / components / tools to use in these scenarios depend on which of the above options you need.
I have a hash of a certificate using the example at http://techblog.bozho.net/?p=37 and wish to use this to fill in a signature field in a pdf form with iTextSharp. Does anyone have any examples or know how? This is a web app and the only method I can find for capturing the signature from a smart card local to the client.
Ken
You can't use a hash of the certificate for signing. Signing is performed using the private key (and not its hash either).
For web application you have two options - either transfer the whole document to the client, or use some distributed signing mechanism which involves a client-side module (either a browser plugin / java applet or a standalone application).
Our company developed a distributed cryptography add-on to SecureBlackbox, which is described in details in this SO answer and which does what you need. The scheme in the answer explains how distributed signing would work.
Our website generates PDFs and signs them digitally with iTextSharp and BouncyCastle.
We've been told however that we cannot use the website's SSL certificate to sign the PDF, we need a special PDF signing certificate (because Adobe only trusts certain roots). And that the only way to get a certificate like that for use by a website (i.e. automated programmatic signature of generated documents) is to get a physical hardware device that gives access to the certificate's private key. Apparently this hardware device costs a lot of money.
Do we really need to spend thousands of dollars to sign a PDF to be trusted by Adobe?
From technical point of view you can use any X.509 certificate with the private key and properly set Key usage extensions to sign the document. However, the validating side (most often it's Adobe Reader) will trust only certain certificates. Adobe demands is that certificates, accepted by Adobe Reader, are issued in compliance with their requirements, one of which is that the private key is protected by putting it to hardware.
It is possible to tune up Adobe Reader to accept other certificates by telling Reader to validate certificates using Windows certificate storage, adding custom roots as trusted roots etc., but this requires extra actions on client (reader) side.
Also you have yet to find the certificate authority that will sell you a certificate suitable for data signing without requiring you to pay a fortune for hardware device. Why is it so? "Monopoly" is the answer. Adobe have created a kind of monopoly with PDF and reader and now lets partners (and itself) abuse it.
The cost of the USB token is about $50 (and much less when purchased in bulk) yet you have to pay 10 times more to the CA for delivering this token to you. And this cost is not for validating you but solely a monopolistic charge.
No, there is no need to have hardware to sign PDFs. Looks like someone is trying to wring you out for a little money :)
http://www.pdflib.com/products/plop-ds/ is an example of a commercial product you can use to sign PDFs with Software.
TCPDF (http://www.tcpdf.org/) which is a common library for PHP to write PDFs dynamically has PDF signing built in. It's open source =) There is example code there for how they sign PDFs.