Certify a PDF document
The Pdftools SDK lets you apply a document certification signature, also known as a Modification Detection and Prevention (MDP) signature, to a PDF document. This type of signature records the identity of the document author. It also allows users to make specific changes to the document, such as filling form fields, without invalidating the signature.
There can be at most one document certification signature in a document, and it must be added before any other signatures are added to the document.
Download the full sample now in C# and Java.
Interested in C or other language samples? Let us know on the contact page and we'll add it to our samples backlog.
In this example, the Built-in cryptographic provider is used to digitally certify a PDF document. The permissions allow a user to fill form fields. Any other changes to the document cause the signature to be rejected.
Any of the cryptographic providers supported by the Pdftools SDK can be used to apply a document certification signature.
Steps to certify a document:
- Initialize the cryptographic provider.
- Read the PFX or P12 certificate.
- (Optional) Add long-term validation information
- (Optional) Add user modification permissions
- Open and sign the document.
You need to initialize the library.
Initializing the cryptographic provider
When using the Built-in cryptographic provider, you start the digital signing process by instantiating the Provider
object.
The Provider
object exposes the methods of the cryptographic provider.
The cryptographic provider manages certificates and private keys, and implements cryptographic algorithms.
- .NET
- Java
// Create a session to the built-in cryptographic provider
using var session = new BuiltIn.Provider();
// Create a session to the built-in cryptographic provider
Provider session = new Provider();
Reading the PFX or P12 certificate
Using the Built-in cryptographic provider, PFX certificate files can be loaded directly into the cryptographic provider from the file system. The certificate file is opened as a stream and loaded into the provider to prepare it to apply a digital signature.
- .NET
- Java
// Create signature configuration from PFX (or P12) file
using var pfxStr = File.OpenRead(certificateFile);
var signature = session.CreateSignatureFromCertificate(pfxStr, password);
// Create signature configuration from PFX (or P12) file
FileStream pfxStr = new FileStream(certificateFile, FileStream.Mode.READ_ONLY));
SignatureConfiguration signature = session.createSignatureFromCertificate(pfxStr, password);
Adding long-term validation information
As an optional step, long-term validation information can be added to the output document. It embeds revocation information such as online certificate status response and certificate revocation lists. Revocation information is provided by a validation service at the time of signing and acts as proof that the certificate was valid at the time of signing.
- .NET
- Java
// Embed validation information to enable the long-term validation (LTV) of the signature
signature.ValidationInformation = PdfTools.Crypto.ValidationInformation.EmbedInDocument;
// Embed validation information to enable the long-term validation (LTV) of the signature
signature.setValidationInformation(com.pdftools.crypto.ValidationInformation.EMBED_IN_DOCUMENT);
Adding user modification permissions
As an optional step, the author may permit users to make specific modifications to the document without the signature being revoked. In this example, the user is permitted to fill form fields.
- .NET
- Java
// Assign Form Filling user permissions to the document
var permissions = new MdpPermissionOptions(MdpPermissions.FormFilling);
// Assign form filling user permissions to the document
MdpPermissionOptions permissions = new MdpPermissionOptions(MdpPermissions.FORM_FILLING);
Opening and signing the document
After instantiating the Provider
and preparing the signature configuration, you are ready to digitally certify a document.
The input and output PDF documents are created as streams (in this example, as file streams). The Signer
object is used to apply the digital certification.
Non-critical processing errors raise a Warning
event. It is recommended to listen for these events, and review the WarningCategory
to determine if further action is needed.
- .NET
- Java
// Open the input document
using var inStr = File.OpenRead(inPath);
using var inDoc = Document.Open(inStr);
// Create a stream for the output file
using var outStr = File.Create(outPath);
// Create the Signer object
Signer signer = new Signer();
// (optional) Create an event listener to listen for warning events that are raised and write them to console
signer.Warning += (s, e) => Console.WriteLine("Warning - {0}: {1}: {2}", e.Category, e.Context, e.Message);
// Certify the output document
using var outDoc = signer.Certify(inDoc, signature, outStr, permissions);
// Open input document
FileStream inStr = new FileStream(inPath, FileStream.Mode.READ_ONLY);
Document inDoc = Document.open(inStr);
// Create a stream for the output file
FileStream outStr = new FileStream(outPath, FileStream.Mode.READ_WRITE_NEW);
// Create the Signer object
Signer signer = new Signer();
// (optional) Create an event listener to listen for warning events that are raised and write them to console
signer.addWarningListener((e) -> { System.out.format("Warning - %s: %s: %s", e.getCategory(), e.getContext(), e.getMessage()); });
// Sign the input document
Document outDoc = signer.certify(inDoc, signature, outStr, permissions);
Full example
- .NET
- Java
// Create a session to the built-in cryptographic provider
using var session = new PdfTools.Crypto.Providers.BuiltIn.Provider();
// Create signature configuration from PFX (or P12) file
using var pfxStr = File.OpenRead(certificateFile);
var signature = session.CreateSignatureFromCertificate(pfxStr, password);
// Embed validation information to enable the long-term validation (LTV) of the signature (default)
signature.ValidationInformation = PdfTools.Crypto.ValidationInformation.EmbedInDocument;
// Assign Form Filling user permissions to the document
var permissions = new MdpPermissionOptions(MdpPermissions.FormFilling);
// Open input document
using var inStr = File.OpenRead(inPath);
using var inDoc = Document.Open(inStr);
// Create stream for output file
using var outStr = File.Create(outPath);
// Create the Signer object
Signer signer = new Signer();
// Create an event listener to listen for warning events that are raised and write them to console
signer.Warning += (s, e) => Console.WriteLine("Warning - {0}: {1}: {2}", e.Category, e.Context, e.Message);
// Certify the output document
using var outDoc = signer.Certify(inDoc, signature, outStr, permissions);
try (
// Create a session to the built-in cryptographic provider
Provider session = new Provider();
// Open certificate file
FileStream pfxStr = new FileStream(certificateFile, FileStream.Mode.READ_ONLY))
{
// Create signature configuration from PFX (or P12) file
SignatureConfiguration signature = session.createSignatureFromCertificate(pfxStr, password);
// Embed validation information to enable the long-term validation (LTV) of the signature (default)
signature.setValidationInformation(com.pdftools.crypto.ValidationInformation.EMBED_IN_DOCUMENT);
// Assign form filling user permissions to the document
MdpPermissionOptions permissions = new MdpPermissionOptions(MdpPermissions.FORM_FILLING);
// Create the Signer object
Signer signer = new Signer();
// (optional) create an event listener to listen for warning events that are raised and write them to console
signer.addWarningListener((e) -> { System.out.format("Warning - %s: %s: %s", e.getCategory(), e.getContext(), e.getMessage()); });
try (
// Open input document
FileStream inStr = new FileStream(inPath, FileStream.Mode.READ_ONLY);
Document inDoc = Document.open(inStr);
// Create output stream
FileStream outStr = new FileStream(outPath, FileStream.Mode.READ_WRITE_NEW);
// Certify the output document
Document outDoc = new signer.certify(inDoc, signature, outStr, permissions))
{
}
}
You can also apply a visual appearance to the signatures. For more information, see Create a signature visual appearance page.
During the conversion process from PDF to PDF/A, any signatures are removed from the file before it is converted to PDF/A for archiving. Therefore, files that require archiving should be archived to PDF/A format before any digital signatures are applied.