Understanding PDF Digital Signatures and Why They Matter

Industry | Signature · Digital Signature Tue. 09 Jan. 2024

In the fast-paced digital era, where transactions, contracts, and communication increasingly occur online, the need for secure and reliable methods of authentication and verification is paramount. Digital signatures have emerged to ensure the integrity and authenticity of digital documents. This blog aims to provide a comprehensive introduction to what digital signatures are and why they are important.

 

 

What Is a Digital Signature?

A digital signature serves as a modern alternative to traditional pen and paper signatures. It has a unique digital ID that authenticates the identity of the signer. This distinct feature allows for the verification of the signature's trustworthiness and ensures the integrity of the document by detecting any modifications made after the signing process, thereby upholding the legal validity of the document.

 

 

What Are Digital Signatures Used for? 

Digital signatures serve three key functions in information security: authentication, data integrity, and non-repudiation. A valid digital signature verifies whether PDFs have been tampered with, and ensures that the document signer cannot deny their involvement or the authenticity of their signature.

 

Digital signatures find applications across various domains, ranging from legal contracts and financial transactions to secure email communication and software distribution.

 

- Legal Contracts: Digital signatures are legally binding in many regions, including North America, the European Union, and the Asia-Pacific region. Digital signatures have the same legal effect as traditional handwritten signatures, making them ideal for contracts, agreements, and other legal documents.

- Financial Transactions: In the financial industry, the authenticity and integrity of transactions are critical, which is why digital signatures are widely used. Digital signatures ensure the security and tamper-proofing of financial documents such as loan agreements and investment contracts.

- Software Distribution: Digital signatures are used to verify the authenticity and integrity of software packages. Digital signatures ensure that software has not been tampered with or modified, thus ensuring that users can trust the origin and integrity of the distributed software.

 

Aside from the above fields, digital signatures can be used for more scenarios. ComPDFKit introduced them in detail when updating ComPDFKit PDF SDK 1.10.0. If you want to add digital signatures to your applications, try to use ComPDFKit.

 

 

How Does Digital Signatures Work

Digital signatures are designed under asymmetric cryptography. The sender generates a unique hash (a fixed-size string) of the document to be signed. With the private key, the sender creates a digital signature using this unique hash. Upon receiving the signed message as well as the public key, the recipient can use the public key to decrypt the signer's hash value, which generates a hash value of this document. If the two values match, it confirms that the document has not been tampered with. The entire process is automatically supported by ComPDFKit, sparing you the need to carry out these steps manually.

 

verify-digital-signatures

 

 

How to Create Digital Signatures on PDFs with ComPDFKit

By following these two steps, you can apply ComPDFKit to either self-sign a document or invite others to sign within the signature field you've created.

 

Step 1: Create a Signature Field

ComPDFKit offers support for customizing the styles of the signature form field and allows you to customize the appearance of your signature using drawn, image, and typed signatures.

// Create a signature field.
// 
// Page Index: 0
// Rect: CRect(28, 420, 150, 370)
// Border RGB:{ 0, 0, 0 }  
// Widget Background RGB: { 150, 180, 210 }
// 
CPDFDocument document = new CPDFDocument(context);
document.open(FileUtils.getAssetsTempFile(context, "CommonFivePage.pdf"));
// Insert a form signature Widget (unsigned)
CPDFPage cpdfPage = document.pageAtIndex(0);
RectF pageSize = cpdfPage.getSize();
RectF signatureRect = new RectF(28, 420, 150, 370);
signatureRect = cpdfPage.convertRectToPage(false, pageSize.width(), pageSize.height(), signatureRect);
CPDFSignatureWidget signatureWidget = (CPDFSignatureWidget) cpdfPage.addFormWidget(CPDFWidget.WidgetType.Widget_SignatureFields);
signatureWidget.setFieldName("Signature1");
signatureWidget.setFillColor(0xFF96B4D2);
signatureWidget.setRect(signatureRect);
signatureWidget.updateAp();

 

Step 2: Sign Within the Signature Field

To sign within the signature field, you need to do three things:

 

    - Possess a certificate that conforms to the PKCS12 standard (in PFX or P12 format) and ensure that you know its password. You can create a compliant digital certificate using the built-in methods within the ComPDFKit SDK.

    - Set the appearance of the digital signature.

    - Write the data into the signature field.

//	   Sign in the signature field.
//
// 	   Text: Grantor Name
// 	   Content:
//     Name: get grantor name from certificate
//     Date: now(yyyy.mm.dd)
//     Reason: I am the owner of the document
//     DN: Subject
//     IsContentAlginLeft: false
//     IsDrawLogo: True
//     LogoBitmap: logo.png
//     text color RGB: { 0, 0, 0 }
//     Output file name: document.FileName + "_Signed.pdf"
//
// Make a digital signature.
String fileName = FileUtils.getNameWithoutExtension(document.getFileName()) + "_Signed.pdf";
File file = new File(outputDir(), "digitalSignature/" + fileName);
file.getParentFile().mkdirs();
String password = "ComPDFKit";

String certPath = FileUtils.getAssetsTempFile(context, "Certificate.pfx");
CPDFX509 cpdfx509 = CPDFSignature.getX509ByPKCS12Cert(certPath, password);
String location = cpdfx509.getCertInfo().getSubject().getCountry();
String reason = "I am the owner of the document.";

Bitmap bitmap = BitmapFactory.decodeFile(FileUtils.getAssetsTempFile(context, "ComPDFKit.png"));
// Describe signature appearance information.
CPDFDigitalSigConfig sigConfig = new CPDFDigitalSigConfig();
sigConfig.setText(cpdfx509.getCertInfo().getSubject().getCommonName());
sigConfig.setTextColor(0xFF000000);
sigConfig.setContentColor(0xFF000000);
sigConfig.setLogo(bitmap);
StringBuilder builder = new StringBuilder();
builder.append("Name: ").append(cpdfx509.getCertInfo().getSubject().getCommonName()).append("\n")
  .append("Date: ").append(DateUtil.getDataTime("yyyy.MM.dd HH:mm:ss")).append("\n")
  .append("Reason: ").append(reason).append("\n")
  .append("Location: ").append(location).append("\n")
  .append("DN: ").append(cpdfx509.getCertInfo().getSubject());
sigConfig.setContent(builder.toString());
sigConfig.setContentAlginLeft(false);
sigConfig.setDrawLogo(true);

boolean updateSignAp = signatureWidget.updateApWithDigitalSigConfig(sigConfig);
if (updateSignAp){
  boolean writeSignResult = document.writeSignature(
    signatureWidget,
    file.getAbsolutePath(),
    certPath,
    password,
    location,
    reason,
    CPDFDocument.PDFDocMdpP.PDFDocMdpPForbidAllModify
  );
}



How to Verify Digital Signatures

Verifying a digital signature consists of signature validity and certificate trustworthiness. Signature validity indicates that the document has not been tampered with. Certificate trustworthiness confirms that the signer is trustworthy. Generally, a signature is verified only when both the signature is valid and the certificate is trustworthy.

CPDFDocument document = new CPDFDocument(context);
document.open(FileUtils.getAssetsTempFile(context, "Signed.pdf"));
// Iterate through all digital signatures.
for (int i = 0; i < document.getSignatureCount(); i++) {
  CPDFSignature signature = document.getPdfSignature(i);
  // Check if the signer array exists and is not empty.
  if (signature.getSignerArr() != null && signature.getSignerArr().length > 0) {
    CPDFSigner signer = signature.getSignerArr()[0];

    // Verify the validity of the signature.
    boolean verifyValid = signature.verify(document);

    // Verify if the document has not been modified.
    boolean unmodified = signature.verifyDocument(document);

    // Determine if the signature is valid and the document is unmodified.
    boolean isSignVerified = verifyValid && unmodified;

    // Check if the certificate is trusted.
    boolean certChainTrusted = signer.getCert().verifyGetChain(document.getContext(), signature);
    boolean certificateIsTrusted = signer.getCert().checkCertificateIsTrusted(document.getContext());
    boolean certIsTrusted = certChainTrusted || certificateIsTrusted;

    // Check if the certificate has expired.
    boolean isExpired = signer.getCert().isExpired();

    // Take appropriate actions based on the verification results.
    if (isSignVerified && certIsTrusted) {
      // Signature is valid and the certificate is trusted.
      // Perform the corresponding actions.
    } else if (isSignVerified && !certIsTrusted) {
      // Signature is valid but the certificate is not trusted.
      // Perform the corresponding actions.
    } else {
      // Signature is invalid.
      // Perform the corresponding actions.
    }
  }
}

 

Conclusion

 

This post comprehensively explains that digital signatures use a unique digital ID and asymmetric encryption algorithm to ensure the integrity and authenticity of documents. Once you have learned about the basic underlying principle of how digital signatures work, it is easy to follow our guides to use ComPDFKit to integrate digital signatures with your applications. Please feel free to contact our sales to get the free trial to explore the possibilities and empower your users with the benefits of digital signatures.

 

Ready to Get Started?

Download our all-in-one ComPDFKit for free and run it to your project within minutes!