How to Sign a PDF Document with a X.509 Signing Certificate on Android

The PlugPDF SDK allows you to sign and validate your PDF documents with one or more signatures. To do so, please follow these steps.

  1. Prepare an image object. This is the visual appearance of a signature field (optional)
  2. Create a signature field (this is a form field containing a digital signature)
  3. Compute a byte range digest
  4. Inject the computed byte range into the signature field created in Step 2.

Then, validating a PDF document is a two step process:

  1. Get a signature field
  2. Get a computed byte range digest data in the signature field


How to Sign a PDF Document with a X.509 Signing Certificate on Android

Signing your PDF

1. Prepare an image object

The signature field’s visual appearance can be set using an image.

Screenshot 2014-10-21 17.06.50

To achieve this, insert an image object into your PDF document as shown in the following code snippet.

2. Create a signature field

Before computing the byte range digest we first need to create a signature field containing zero-filled digest data as a place holder.

The value returned from the prepareSignatureSrc method tells the file offset where the digest data starts in the file. The computed digest must be injected right after at this offset position.

Then, if you used your offset in the injectSignatureData method of the PDFDocument object (more info)

3. Compute a byte range digest

As you can see in step 2, the content file corresponds to the third parameter of the createSignatureField method.

It is necessary to compute the signature value, however, PlugPDF doesn’t provide any built-in method to compute a byte range digest; a DER-encoded PKCS#7 binary data object containing the signature can be used as the digest data.

The SHA1 digest of the byte range should be encapsulated in the PKCS#7 signed-data field. The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, Cryptographic Message Syntax, Version 1.5.

At minimum, it must include the signer’s X.509 signing certificate, which is used to verify the signature value. The PKCS#7 object may optionally contain one or more issuer certificates from the signer’s trust chain.

4. Inject the byte range digest

Finally, inject the computed byte range digest data into your PDF file.

This will create a digitally signed PDF document.


Validating your PDF

Let’s finish this post by looking at the two step process of validating a PDF document.

1. Get a signature field property

Remember: This is a form field containing a digital signature, and is needed to know the signature field information in the PDF file for validation.

2. Get a computed byte range digest data in the signature field

The last step needed in order to compute the digest consists in getting the computed byte range digest data and the content file path; then, you’ll be able to validate your PDF document with the digest data and the content file.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *