// // This code is part of Document Solutions for PDF demos. // Copyright (c) MESCIUS inc. All rights reserved. // using System; using System.IO; using System.Drawing; using System.Security.Cryptography; using System.Security.Cryptography.X509Certificates; using Org.BouncyCastle.Crypto; using Org.BouncyCastle.Crypto.Digests; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.X509; using Azure.Core; using Azure.Identity; using Azure.Security.KeyVault.Certificates; using Azure.Security.KeyVault.Keys; using Azure.Security.KeyVault.Keys.Cryptography; using GrapeCity.Documents.Pdf; using GrapeCity.Documents.Pdf.Security; using GrapeCity.Documents.Pdf.AcroForms; using GrapeCity.Documents.Text; namespace DsPdfWeb.Demos { // This sample shows how to sign an existing PDF file that contains // an empty signature field with a certificate that is stored // in an Azure Key Vault. // // The sample includes a ready to use utility class AzureSignatureGenerator // that implements the GrapeCity.Documents.Pdf.IPkcs7SignatureGenerator interface, // and can be used to sign PDFs with certificates stored in Azure Key Vault. // // Please note that when run directly off the DsPdf demo site, // this sample will NOT sign the PDF, as it passes dummy Azure credentials // to the AzureSignatureGenerator's ctor. You will need to download the sample // and provide your own credentials for the sample code to actually sign a PDF. // public class SignAzureKeyVault { public int CreatePDF(Stream stream) { var doc = new GcPdfDocument(); using var s = File.OpenRead(Path.Combine("Resources", "PDFs", "SignAzureKeyVault.pdf")); doc.Load(s); try { // This WILL NOT WORK due to dummy Azure credentials. // Supply valid credentials to actually sign the PDF. using var sg = new AzureSignatureGenerator( "keyVaultName", "tenantId", "clientId", "clientSecret", "certificateName"); var sp = new SignatureProperties() { SignatureBuilder = new Pkcs7SignatureBuilder() { SignatureGenerator = sg, CertificateChain = new X509Certificate2[] { sg.Certificate }, }, SignatureField = doc.AcroForm.Fields[0] }; doc.Sign(sp, stream); } catch (Exception) { var page = doc.Pages[0]; var r = doc.AcroForm.Fields[0].Widgets[0].Rect; Common.Util.AddNote( "Signing failed because dummy Azure credentials were used.\n" + "Use valid Azure Key Vault credentials to sign the PDF.", page, new RectangleF(r.Left, r.Bottom + 24, page.Size.Width - r.Left * 2, 0)); doc.Save(stream); } // Done. return doc.Pages.Count; } } /// <summary> /// Implements <see cref="IPkcs7SignatureGenerator"/> /// and allows generating a digital signature using /// a certificate stored in Azure Key Vault. /// </summary> public class AzureSignatureGenerator : IPkcs7SignatureGenerator, IDisposable { private CertificateClient _certificateClient; private X509Certificate2 _certificate; private CryptographyClient _cryptographyClient; /// <summary> /// Initializes a new instance of the <see cref="AzureSignatureGenerator"/> class. /// </summary> /// <param name="keyVaultName"> /// The name of the Key Vault storage used to create a URL in the form /// <b>https://{keyVaultName}.vault.azure.net/</b> that will be passed to /// the <see cref="CertificateClient"/> ctor.</param> /// <param name="tenantId"> /// The Azure Active Directory tenant (directory) ID of the service principal. /// This value will be used to create the <see cref="ClientSecretCredential"/>.</param> /// <param name="clientId"> /// The client (application) ID of the service principal. /// This value will be used to create the <see cref="ClientSecretCredential"/>.</param> /// <param name="clientSecret"> /// The client secret that was generated for the App Registration used to authenticate the client. /// This value will be used to create the <see cref="ClientSecretCredential"/>.</param> /// <param name="certificateName"> /// The name of the certificate to be used for the signature.</param> public AzureSignatureGenerator( string keyVaultName, string tenantId, string clientId, string clientSecret, string certificateName) { var keyVaultUri = new Uri($"https://{keyVaultName}.vault.azure.net/"); TokenCredential credential = new ClientSecretCredential(tenantId, clientId, clientSecret); _certificateClient = new CertificateClient(keyVaultUri, credential); var c = _certificateClient.GetCertificate(certificateName); _certificate = new X509Certificate2(c.Value.Cer); _cryptographyClient = new CryptographyClient(c.Value.KeyId, credential); } /// <summary> /// Gets the ID of the hash algorithm. /// </summary> public OID HashAlgorithm => OID.HashAlgorithms.SHA256; /// <summary> /// Gets the ID of the encryption algorithm. /// </summary> public OID DigestEncryptionAlgorithm => OID.EncryptionAlgorithms.RSA; /// <summary> /// Gets the certificate. /// </summary> public X509Certificate2 Certificate => _certificate; /// <summary> /// Signs data. /// </summary> /// <param name="input">The input data to sign.</param> /// <returns>The signed data.</returns> public byte[] SignData(byte[] input) { var hashDigest = new Sha256Digest(); byte[] hash = new byte[hashDigest.GetDigestSize()]; hashDigest.Reset(); hashDigest.BlockUpdate(input, 0, input.Length); hashDigest.DoFinal(hash, 0); byte[] result = _cryptographyClient.Sign(SignatureAlgorithm.RS256, hash).Signature; return result; } /// <summary> /// Releases resources used by this object. /// </summary> public void Dispose() { _certificateClient = null; if (_certificate != null) { _certificate.Dispose(); _certificate = null; } _cryptographyClient = null; } } }