Digitally sign a PDF on the server

I have a proje开发者_运维百科ct to generate PDFs on a server using ASP.NET (C #). But now we need the customer to be able to digitally sign these PDF. From what I saw, the documents must be signed at the client side, using an applet, as in the server I have no access to the private key of the certificate, but as I said above, the PDFs are generated on the server and I keep them there.

So, what I need is to digitally sign PDFs on the server, taking the client's certificate.

Thanks

Since it is not possible or anyway safe to extract and send the client's private key, to sign pdfs on the server you need to establish a "session" with the client and let them calculate the signature.

The steps should be something like:

1. the client sends his public certificate to be embedded in the signed pdf

2. the server generates the pdf, embeds the certificate and calculates the hash (eg: sha1)

3. the server sends the hash to the client applet

4. the applet calculates the digital signature with her private key

5. the applet sends the signature to the server

6. the server embeds the digital signature and closes the pdf.

To do this with itext you will have to use the preclose method after ambedding the certificate, so to be able to alculate the sha1 hash on the final document. Then after pre-closing the pdf you will have to calculate the hash of the pdf and send it to the client. Be careful: while preclosed you will have to keep the document in memory, for example in a server session.

To generate the pdf, embed certificates and prepaare the document you can use itextsharp, the c# port of the itext library. To calculate the hash and create the pkcs7 envelopes you can use the .net crypto api.

Hope this helps.

You might be missing the point of digitally signing a document. The act of signing a document is meant to be a user activity.

You can create the document on the server side and serve it with the content-type "application/pdf" and that will serve the document to be signed. When they sign it you can use pdf form submit to submit the signed document back to the server.

AspPdf + USB Network Gate or AnywhereUSB might help if the client uses USB smard card on their machine.

you can also use a signing service like (I'm sorry, I just know this one as working) http://www.signagate.de - these guys offer an Web service that enables you to 'upload' an unsigned pdf which will be sent back with an so called 'intermediate' signature that is conforming to even all signature laws in the EU as a qualified signature (at least for invoices as I know).

The fun is, you just need to be able to do a post call to their service to get the pdf singed back as answer.

So the 'intermediate' thing allows you (from a legal view) to NOT promote the private key etc. around the world but getting a valid signature on your PDF and keeping so the legal needs by a proper authentication to the signature service of this company.

Jimmy