Some test text!

Search
Hamburger Icon

Nodejs / Guides / Custom signing

Custom Signing in Node.js

The Apryse custom signing API is a set of APIs related to cryptographic digital signatures which allows users to customize the process of signing documents. Among other things, this includes the capability to allow for easy integration of PDF-specific signing-related operations with access to Hardware Security Module (HSM) tokens/devices, access to cloud keystores, access to system keystores, etc. The intent behind this API is to remove the old, tricky, and complicated requirement for users with specific needs to create custom SignatureHandler functor objects.

What follows is a simple code guide to the use of the custom signing API. Please note: any of the steps can be replaced with your own code that provides some custom functionality.

const doc = await PDFNet.PDFDoc.createFromFilePath(in_docpath);

const page1 = await doc.getPage(1);

// Create a digital signature field and associated widget.
const digsig_field = await doc.createDigitalSignatureField(in_sig_field_name);
const widgetAnnot = await PDFNet.SignatureWidget.createWithDigitalSignatureField(doc, new PDFNet.Rect(143, 287, 219, 306), digsig_field);
await page1.annotPushBack(widgetAnnot);

// Create a digital signature dictionary inside the digital signature field, in preparation for signing.
await digsig_field.createSigDictForCustomSigning("Adobe.PPKLite",
	in_PAdES_signing_mode?  PDFNet.DigitalSignatureField.SubFilterType.e_ETSI_CAdES_detached :  PDFNet.DigitalSignatureField.SubFilterType.e_adbe_pkcs7_detached,
	7500); // For security reasons, set the contents size to a value greater than but as close as possible to the size you expect your final signature to be, in bytes.
// ... or, if you want to apply a certification signature, use createSigDictForCustomCertification instead.

// (OPTIONAL) Set the signing time in the signature dictionary, if no secure embedded timestamping support is available from your signing provider.
const current_date = new PDFNet.Date();
await current_date.setCurrentTime();
await digsig_field.setSigDictTimeOfSigning(current_date);

await doc.save(in_outpath, PDFNet.SDFDoc.SaveOptions.e_incremental);

// Digest the relevant bytes of the document in accordance with ByteRanges surrounding the signature.
const pdf_digest = await digsig_field.calculateDigest(PDFNet.DigestAlgorithm.Type.e_SHA256);

const signer_cert = await PDFNet.X509Certificate.createFromFile(in_cert_path);

/* Optionally, you can add a custom signed attribute at this point, such as one of the PAdES ESS attributes.
The function we provide takes care of generating the correct PAdES ESS attribute depending on your digest algorithm. */
const pades_versioned_ess_signing_cert_attribute = await PDFNet.DigitalSignatureField.generateESSSigningCertPAdESAttribute(signer_cert, PDFNet.DigestAlgorithm.Type.e_SHA256);

// Generate the signedAttrs component of CMS, passing any optional custom signedAttrs (e.g. PAdES ESS). The signedAttrs are certain attributes that become protected by their inclusion in the signature.
const signedAttrs = await PDFNet.DigitalSignatureField.generateCMSSignedAttributes(pdf_digest,
	pades_versioned_ess_signing_cert_attribute);

// Calculate the digest of the signedAttrs (i.e. not the PDF digest, this time).
const signedAttrs_digest = await PDFNet.DigestAlgorithm.calculateDigest(PDFNet.DigestAlgorithm.Type.e_SHA256, signedAttrs);

At this point, use your signing provider (e.g. HSM device, cloud keystore) to sign the digest of signedAttrs. Your input should be the variable signedAttrs_digest. In the following code, we assume the output is in a variable named signature_value.

// Then, load all your chain certificates into a container of X509Certificate.
var chain_certs = [];

// Then, create ObjectIdentifiers for the algorithms you have used.
const digest_algorithm_oid = await PDFNet.ObjectIdentifier.createFromDigestAlgorithm(PDFNet.DigestAlgorithm.Type.e_SHA256);
const signature_algorithm_oid = await PDFNet.ObjectIdentifier.createFromPredefined(PDFNet.ObjectIdentifier.Predefined.e_RSA_encryption_PKCS1);

// Then, put the CMS signature components together.
const cms_signature = await PDFNet.DigitalSignatureField.generateCMSSignature(
		signer_cert, chain_certs, digest_algorithm_oid, signature_algorithm_oid, signature_value,
		signedAttrs);

// Write the signature to the document.
await doc.saveCustomSignature(cms_signature, digsig_field, in_outpath);

Get the answers you need: Chat with us