DynaPDF Manual - Page 215

Previous Page 214   Index   Next Page 216

Function Reference
Page 215 of 839
The hash algorithm that is used to sign the hash or byte ranges can be MD2, MD5, SHA1, SHA256,
SHA384, SHA512, or RIPEMD160. MD2 and MD5 are not documented in the PDF Reference but
work very well too.
Detached signatures require no data to be encapsulated in the PKCS#7 SignedData field. When
signing a SHA1 hash the signature handler must store the hash in the SignedData field of the
PKCS#7 object.
Supported PKCS#7 Format
PKCS #7 objects are ASN1 encoded binary objects. The ASN1 standard defines a set of Basic
Encoding Rules (BER) which describe how ASN1 objects must be encoded. This Standard defines
also a set of Distinguished Encoding Rules (DER) and a set of Canonical Encoding Rules (CER) both
of which provide constraints on the Basic Encoding Rules (BER). The key difference between them is
that DER uses the definite length form of encoding while CER uses the indefinite length form.
PDF compatible PKCS#7 objects must be DER encoded because Adobe's Acrobat or Reader does not
support indefinite length encoding. However, not all cryptographic providers support definite
length encoding. Whether this is the case or not is also often not documented.
The Windows CryptAPI creates DER encoded PKCS#7 objects which are fully PDF compatible.
However, when using another cryptographic library and if Adobe's Acrobat or Reader reports an
error like "Error reading BER encoded object" when trying to validate the signature, the library does
probably not create definite length encoded PKCS#7 objects.
Hardware Certificates
Signing a PDF file with a hardware certificate works exactly in the same way as with a software
certificate as long as the certificate was installed in the certificate store of the operating system.
Hardware certificates like smart cards, USB sticks, or something similar are normally delivered with
software that is able to install the certificate on the operating system. Once a certificate was installed
in the certificate store it can be used like any other certificate.
The Windows CryptAPI for example, hides the certificate type fully for the developer. Whether the
user selects a software or hardware certificate is simply not of interest because nothing special must
be done in either case. You still call CryptSignMessage(), that's all. If a password is required the
CryptAPI displays automatically a dialog to enter the password. The communication with the
hardware is done in background.
If the function succeeds the signature must be written to the PDF file with FinishSignature(). Take a
look into the example external_signatures to determine how the function can be used. It is usually
best to open the the output file right before FinishSignature() will be called (see OpenOutputFile()).

Previous topic: Possible function errors, CloseAndSignFileExt

Next topic: CloseFile, CloseFileEx