My Profile
Sign Out
Tickets
Knowledge Base
Login
Articles in this section
  2. ASP.NET Core

How to Extract PDF Content and Certificate Metadata from .p7m Files in .NET

Overview

This article explains how to decode a CMS/PKCS #7 (.p7m) signed file in .NET, extract the embedded PDF, validate the digital signature, and read signer certificate metadata. The solution uses the System.Security.Cryptography.Pkcs package.

If you need to further process the extracted PDF—such as reading text, editing content, validating standards, or digitally signing—the Syncfusion .NET PDF Library provides robust APIs for advanced PDF manipulation.

Prerequisites

  • .NET 6.0 or later SDK installed on your machine.
  • A console application created with dotnet new console.
  • The System.Security.Cryptography.Pkcs NuGet package added to the project:
    dotnet add package System.Security.Cryptography.Pkcs
  • A signed PDF file such as XCORE-DocumentoTest.pdf.p7m stored in your project directory or a known path.

Follow the below steps to retrieve the signer data from the. p7m file:

  1. Load the .p7m container into memory.
  2. Decode the CMS envelope and confirm the digital signature.
  3. Extract the original PDF payload and persist it to disk.
  4. Inspect the signer information (certificate subject and signing timestamp).

Sample Code

using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

namespace P7mPdfExtractor
{
   internal class Program
   {
       static void Main()
       {
           // 1. Read the signed CMS package (.p7m file)
           byte[] signedCmsBytes = File.ReadAllBytes("XCORE-DocumentoTest.pdf.p7m");

           // 2. Decode and validate the CMS signature (chain validation skipped here)
           var signedCms = new SignedCms();
           signedCms.Decode(signedCmsBytes);
           signedCms.CheckSignature(verifySignatureOnly: true);

           // 3. Extract the embedded PDF document
           byte[] originalDocument = signedCms.ContentInfo.Content;
           File.WriteAllBytes("Decoded.pdf", originalDocument);
           Console.WriteLine("PDF content extracted to Decoded.pdf");

           // 4. Enumerate signer metadata
           foreach (SignerInfo signerInfo in signedCms.SignerInfos)
           {
               X509Certificate2? signerCertificate = signerInfo.Certificate;
               string signerName = signerCertificate?.Subject ?? "Unknown Signer";
               Console.WriteLine($"Signer Name: {signerName}");

               var signingTime = signerInfo.SignedAttributes
                   .SelectMany(attr => attr.Values.OfType<Pkcs9SigningTime>())
                   .FirstOrDefault();

               if (signingTime != null)
               {
                   Console.WriteLine($"Signing Time: {signingTime.SigningTime}");
               }
               else
               {
                   Console.WriteLine("Signing Time: Not provided.");
               }
           }
       }
   }
}
  • CheckSignature(true) validates the signature without enforcing full certificate chain validation. If you require chain validation, pass false and ensure the relevant root/intermediate certificates are available.
  • Update the relative path XCORE-DocumentoTest.pdf.p7m to match your project layout.
  • Handle exceptions such as CryptographicException to capture invalid signatures or malformed CMS envelopes.

Summary
Using the System.Security.Cryptography.Pkcs API, you can decode .p7m files, extract the embedded PDF, and retrieve signer metadata. For further processing—including digital signing, signature validation, and advanced PDF manipulation—the Syncfusion .NET PDF Library provides all the tools needed for secure, automated PDF workflows.
Attachments
Did you find this information helpful?
Yes
No
Help us improve this page
Please provide feedback or comments
Comments (0)
Access denied
Access denied