Digital signatures are a stamp of authentication for digital information. For PDF files, they provide the ability to detect whether the document has been modified after it was signed by the author. This is especially useful in legal settings where the authenticity of the document needs to be verified.
How do they work?
In PDF files, a digital signature is contained within the /Contents key of a signature dictionary object. This digital signature is comprised of the hash of the document encrypted with the signer’s private key, a copy of their certificate, and various metadata entries.
Alongside it there shall also be a /ByteRange key that indicates which bytes in the file the signature represents. Typically, this is every byte in the file except the bytes containing the signature, i.e., the value of the /Contents key.
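The check below is an added example, not JPedal code: it tests whether a file's first /ByteRange matches the typical layout described above, with two ranges covering everything except the /Contents value. The function names and the sample bytes are constructed for illustration, and a single signature is assumed.

```python
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def check_byte_range(pdf):
    """Return a list of problems with the first /ByteRange found (empty = consistent)."""
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        return ["no /ByteRange found"]
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    problems = []
    if off1 != 0:
        problems.append("first range does not start at byte 0")
    if off2 + len2 != len(pdf):
        problems.append("second range does not end at the last byte of the file")
    # The bytes skipped between the two ranges should be exactly the /Contents value.
    gap = pdf[off1 + len1:off2]
    if re.fullmatch(rb"<[0-9A-Fa-f\s]*>", gap) is None:
        problems.append("excluded bytes are not a single hex string")
    elif not pdf[:off1 + len1].rstrip().endswith(b"/Contents"):
        problems.append("excluded hex string is not the /Contents value")
    return problems


def build_sample(appended=b""):
    """Constructed stand-in for a signed file: one signature dictionary, dummy signature."""
    pre = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    post = b"] /Contents "
    sig = b"<" + b"00" * 16 + b">"   # placeholder bytes, not a real signature
    tail = b" >>\nendobj\n%%EOF\n"
    slot = 40                         # fixed-width slot so offsets do not shift
    len1 = len(pre) + slot + len(post)
    off2 = len1 + len(sig)
    values = b"0 %d %d %d" % (len1, off2, len(tail))
    return pre + values.ljust(slot) + post + sig + tail + appended


if __name__ == "__main__":
    print(check_byte_range(build_sample()))                   # consistent layout
    print(check_byte_range(build_sample(b"\n% appended\n")))  # bytes outside the ranges
```

A finding here means only that some bytes fall outside the signed ranges or that the excluded span is not the signature itself; verifying the signature cryptographically is a separate step.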
Supported signature types
The PDF specification defines three supported signature types:
- PKCS #1
- PKCS #7
- CAdES (PAdES)
PDF Advanced Electronic Signatures (PAdES) are the latest and greatest addition to PDF, supporting the EU eIDAS regulations, long-term validation (LTV), multiple signatures, tamper detection, and time stamping.
Use JPedal to create digital signatures
Digitally signing PDF files in JPedal is achieved using a single method:
PdfSigner.signPdf(
        "inputFile.pdf",
        "outputFile.pdf",
        "keystorePassword",
        "keystoreFile.p12",
        "signerName",
        "signerLocation",
        "signingReason",
        ACCESS_PERMISSION.P1);
All you need is your PKCS #12 key store, containing your certificate and private key.
Access Permission refers to the /DocMDP category of a PDF signature dictionary.
- P1: Any changes to the document will invalidate the signature
- P2: You are allowed to fill in forms without invalidating the signature
- P3: You are allowed all the changes from level 2, and you can manipulate annotations without invalidating the signature