My Profile
Sign Out
Tickets
Knowledge Base
Login
Articles in this section
Category / Section
  2. ASP.NET Core
  3. PDF

Enhance PDF Security with Timestamping via External Signing in .NET Core

5 mins read

The Syncfusion Essential® PDF provides a comprehensive .NET PDF library to create, read, and edit PDF documents programmatically without relying on Adobe dependencies. This guide illustrates how to enhance your PDF document’s security by adding timestamps via external signing using C#.

Steps to add timestamps to a PDF document via external signing

  1. Create a Console Application: Set up a new console application project.
    Screenshot (1337).png
  2. Install Syncfusion® Package: Add the Syncfusion.Pdf.Net.Core and Portable.BouncyCastle package from NuGet to your project.
    Screenshot.png

    BouncyPackage.png

In this example, we have used the open-source BouncyCastle library. Ensure you review its licensing before including it in your production environment. Alternatively, you can use the timestamp token provided by your service provider.

  1. Include Required Namespaces: Add the following namespaces in Program.cs.

C#

using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;
using Syncfusion.Drawing;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography;
using Org.BouncyCastle.Tsp;
using System.Net;
using System.Text;
using Org.BouncyCastle.Math;
  1. Add Timestamps During External Signing: Implement the following code to add timestamps during the external signing process.

C#

// Get the stream from the input PDF document.
FileStream documentStream = new FileStream("Input.pdf", FileMode.Open, FileAccess.Read);

// Load the existing PDF document.
PdfLoadedDocument loadedDocument = new PdfLoadedDocument(documentStream);

// Create a digital signature for the first page of the document.
PdfSignature signature = new PdfSignature(loadedDocument, loadedDocument.Pages[0], null, "Signature");

// Set the signature bounds and cryptographic settings.
signature.Bounds = new RectangleF(new PointF(0, 0), new SizeF(100, 30));
signature.Settings.CryptographicStandard = CryptographicStandard.CADES;
signature.Settings.DigestAlgorithm = DigestAlgorithm.SHA1;

// Create an external signer using the SHA1 hash algorithm.
IPdfExternalSigner externalSignature = new ExternalSigner("SHA1");

// Add the public certificates for the external signer.
List<X509Certificate2> certificates = new List<X509Certificate2>();
certificates.Add(new X509Certificate2(Convert.FromBase64String(PublicCert)));
signature.AddExternalSigner(externalSignature, certificates, null);

//Create file stream.
using (FileStream outputFileStream = new FileStream(Path.GetFullPath(@"Output.pdf"), FileMode.Create, FileAccess.ReadWrite))
{
    //Save the PDF document to file stream.
    loadedDocument.Save(outputFileStream);
}
//Close the document.
loadedDocument.Close(true);

To sign the document using the X509Certificate2 API and generate an RFC3161-compliant timestamp token with the BouncyCastle library, add the following code:

C#

// External signer class that implements IPdfExternalSigner for signing the document hash.
class ExternalSigner : IPdfExternalSigner
{
  private string _hashAlgorithm;

  // Gets the hash algorithm used for signing.
  public string HashAlgorithm
  {
      get { return _hashAlgorithm; }
  }

  // Constructor that sets the hash algorithm for the signer.
  public ExternalSigner(string hashAlgorithm)
  {
      _hashAlgorithm = hashAlgorithm;
  }

  // Sign the document hash and return the timestamp response.
  public byte[] Sign(byte[] message, out byte[] timeStampResponse)
  {
      byte[] signedBytes = null;
      X509Certificate2 digitalID = new X509Certificate2(new X509Certificate2(Path.GetFullPath(@"Data/PDF.pfx"), "password123"));

      // Use the appropriate signing algorithm based on the private key type.
      if (digitalID.PrivateKey is System.Security.Cryptography.RSACryptoServiceProvider)
      {
          System.Security.Cryptography.RSACryptoServiceProvider rsa = (System.Security.Cryptography.RSACryptoServiceProvider)digitalID.PrivateKey;
          signedBytes = rsa.SignData(message, HashAlgorithm);
      }
      else if (digitalID.PrivateKey is RSACng)
      {
          RSACng rsa = (RSACng)digitalID.PrivateKey;
          signedBytes = rsa.SignData(message, System.Security.Cryptography.HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
      }

      // Generate an RFC3161 timestamp token for the signed data.
      timeStampResponse = GetRFC3161TimeStampToken(signedBytes);
      return signedBytes;
  }

  // Generate the RFC3161 timestamp token using the provided signed data.
  public byte[] GetRFC3161TimeStampToken(byte[] bytes)
  {
      SHA1 sha1 = SHA1CryptoServiceProvider.Create();
      byte[] hash = sha1.ComputeHash(bytes);

      // Create a timestamp request using the SHA1 hash.
      TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
      reqGen.SetCertReq(true);
      TimeStampRequest tsReq = reqGen.Generate(TspAlgorithms.Sha1, hash, BigInteger.ValueOf(100));
      byte[] tsData = tsReq.GetEncoded();

      // Send the timestamp request to the server.
      HttpWebRequest req = (HttpWebRequest)WebRequest.Create("https://rfc3161.ai.moda"); // Update your timestamp URI here
      req.Method = "POST";
      req.ContentType = "application/timestamp-query";
      req.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(Encoding.ASCII.GetBytes("9024:yourPass")));
      req.ContentLength = tsData.Length;

      // Write the request data to the stream.
      Stream reqStream = req.GetRequestStream();
      reqStream.Write(tsData, 0, tsData.Length);
      reqStream.Close();

      // Get the timestamp response from the server.
      HttpWebResponse res = (HttpWebResponse)req.GetResponse();
      if (res != null)
      {
          Stream resStream = new BufferedStream(res.GetResponseStream());
          TimeStampResponse tsRes = new TimeStampResponse(resStream);
          return tsRes.TimeStampToken.GetEncoded();
      }

      return null;
  }
}

A complete working sample can be downloaded from GitHub.
By executing the program, the output PDF document will be generated as shown below.

Output.png

Take a moment to explore the documentation for adding timestamps to a PDF document using external signing.

Conclusion
I hope you enjoyed learning on how to add timestamps to a PDF document via external signing.

You can refer to our ASP.NET Core PDF feature tour page to know about its other groundbreaking feature representations and documentation, and how to quickly get started for configuration specifications. You can also explore our ASP.NET Core PDF example to understand how to create and manipulate data.

For current customers, you can check out our components from the License and Downloads page. If you are new to Syncfusion®, you can try our 30-day free trial to check out our other controls.

If you have any queries or require clarifications, please let us know in the comments section below. You can also contact us through our support forums, Direct-Trac, or feedback portal. We are always happy to assist you!

Did you find this information helpful?
Yes
No
Help us improve this page
Please provide feedback or comments
Comments (0)
Please  to leave a comment
Access denied
Access denied