Digitally sign a pdf document in iOS

Question

Recently I was assigned an iOS project, where I need to digitally sign a pdf document using a key that the application will download from a server.

I don't yet have a clear idea of the process involved in signing documents, what I know until now is that I will be signing my pdf using a private key file provided to me, and then the verification will be done using the public key version of the same file.

I have seen that digital sign can be achieved using libraries like iText for Java or iTextSharp for C#. That's why I would like to know if there is something similar for iOS?. And if not, what would be the process to achieve this using Quartz abilities to manage pdf documents?

---

Well... I have been checking the Apple docs, and I found this:

https://developer.apple.com/documentation/security/certificate_key_and_trust_services

I think this is supposed to support the X.509 format... which I could use to sign the pdf as an instance os CFData I guess. Also I have been checking the CryptoExercise sample code, but I am not 100% sure if this is what I am looking for.

Other suggestions have told me to check Adobe documentation, but haven't found yet a C api to sign documents using certificates.

If somebody has used the certificate services provided by Apple... it would be great any suggestion or more sample codes to understand the process.

Answer 1

Pablo,

signing PDF documents is a tough task (my company is doing this in the windows world in Pascal).

In general, I can tell you that you probably will not find usable source code you can just incorporate into you project. To see how it is done, the iText source is a good starting point, cause everything is in there.

In objective-c you are on the right path. Using X.509 certificates with functions like SecKeyRawSign is the right way (cause the actual given paddings are to old, you need to create your own padding for supporting e.g. SHA256. You can see here, how this is done: What is the difference between the different padding types on iOS?). The 'dataToSign' is nothing else than the hash of PDF Content (e.g. SHA256) you want to sign.

To find out which part of the PDF source you have to sign exactly, you must check the adobe PDF 1.6 documentation, or do some searches in groups talking about that. It makes no difference in which language you are going to sign the PDF.

In the end, you will embed the signature and some information about the signature in the predefined portion of the PDF document (look out to not break the valid hash by doing that ;) ) and it could be seen and verified with any other PDF signature/verification software.

I'm sorry that I can't provide you with relevant code, but you'll find enough samples around the X.509 certificates - e.g. creating a SSL/SSH connection. And if you search for SecKeyRawSign, you'll even find some samples for signing (at least with other patterns). That's all you need, if you find the PDF Syntax for taking the content portion to sign and to embed the signature into the final PDF.

I hope this was of help for you

Jimmy