Security and Signatures
Aspose.PDF FOSS for .NET supports PDF digital signatures, certificate-based
encryption, and custom security handlers. Use PdfSigner for signing
workflows and PdfCertificate for certificate management.
Signing a document
PdfSigner applies a digital signature to a PDF using a PFX certificate.
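```csharp
// doc is a PDF document that has already been loaded.
// "password" is a placeholder; read the real value from a secret store, not from source code.
var cert = PdfCertificate.FromPfx("certificate.pfx", "password");
var signer = new PdfSigner();
signer.Sign(doc, cert);
doc.Save("signed.pdf");
```
Verifying signatures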
```csharp
var signer = new PdfSigner();
bool valid = signer.Verify(doc);
Console.WriteLine($"Signature valid: {valid}");
```
Signing with a visual appearance
```csharp
signer.SignWithAppearance(doc, cert, signatureField, appearance);
```
Certificate management
PdfCertificate loads certificates from PFX files or DER-encoded files.
```csharp
// From PFX
var cert = PdfCertificate.FromPfx("cert.pfx", "password");
// From DER files (certificate + key)
var cert2 = PdfCertificate.FromDerFiles("cert.der", "key.der");
```
Certificate-based encryption
CertificateEncryptionOptions encrypts a PDF so only specified certificate
holders can open it.
```csharp
var options = new CertificateEncryptionOptions(cert);
```
Custom security handlers
Implement ICustomSecurityHandler for custom encryption and decryption logic.
```csharp
using System; // Array.Empty<T>()

// Skeleton only: every method body is a stub to be replaced with real logic.
public class MyHandler : ICustomSecurityHandler
{
    public void Initialize(EncryptionParameters parameters) { }
    public byte[] CalculateEncryptionKey() { /* ... */ return Array.Empty<byte>(); }
    public byte[] GetUserKey() { /* ... */ return Array.Empty<byte>(); }
    public byte[] GetOwnerKey() { /* ... */ return Array.Empty<byte>(); }
    public bool IsOwnerPassword(string password) { /* ... */ return false; }
    public bool IsUserPassword(string password) { /* ... */ return false; }
}
```
Signature algorithm information
SignatureAlgorithmInfo describes the algorithm used in an existing signature.
```csharp
var info = new SignatureAlgorithmInfo("SHA256withRSA");
Console.WriteLine(info.ToString());
```
Tips and Best Practices
- Always sign documents as the final step — any modification after signing invalidates the signature.
- Use PFX files with strong passwords for certificate storage.
- Verify signatures after loading a document to detect tampering.
- Certificate-based encryption requires the recipient’s public key certificate.
- Implement ICustomSecurityHandler only when standard encryption is insufficient.
Common Issues
| Issue | Cause | Fix |
|---|---|---|
| Signature shows as invalid | Document modified after signing | Re-sign after all modifications are complete |
| PFX loading fails | Wrong password or corrupted file | Verify the password and file integrity |
| Encryption prevents opening | Owner password not supplied | Use the correct owner or user password |
FAQ
What signature algorithms are supported?
RSA with SHA-256, SHA-384, and SHA-512 are commonly supported. The available algorithms depend on the certificate’s key type.
Can I add multiple signatures?
Yes. Each signature is applied to a separate signature field in the document.
Does signing require a commercial certificate?
No. Self-signed certificates work for testing. For production, use a certificate from a trusted CA.
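A preflight check for a PFX before it is passed to PdfCertificate.FromPfx, covering the wrong-password or corrupted-file failure listed under Common Issues and the self-signed caveat above. This is an added example, not Aspose code: it uses only the .NET base class library, and the class name PfxPreflight, the 2048-bit RSA minimum and the sample certificate are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxPreflight   // hypothetical helper, not part of Aspose.PDF
{
    // Returns the problems found; an empty list means the PFX looks usable for signing.
    public static List<string> Check(byte[] pfx, string password, DateTime nowUtc)
    {
        var problems = new List<string>();
        X509Certificate2 cert;
        try { cert = new X509Certificate2(pfx, password); }
        catch (CryptographicException ex)   // wrong password or corrupted file
        {
            return new List<string> { $"PFX could not be opened: {ex.Message}" };
        }
        using (cert)
        {
            if (!cert.HasPrivateKey)
                problems.Add("No private key in the PFX; it cannot be used to sign.");
            if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
                problems.Add("Certificate is outside its validity period.");
            using (var rsa = cert.GetRSAPublicKey())
                if (rsa != null && rsa.KeySize < 2048)   // assumption: 2048-bit minimum
                    problems.Add($"RSA key is only {rsa.KeySize} bits.");
            // If a key-usage extension is present, it must permit signing.
            var usage = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
            var signing = X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation;
            if (usage != null && (usage.KeyUsages & signing) == 0)
                problems.Add("Key usage extension does not permit digital signatures.");
            // Subject equal to issuer means self-signed: testing only.
            if (cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData))
                problems.Add("Self-signed certificate; use a CA-issued one in production.");
        }
        return problems;
    }
    public static void Main()
    {
        // Constructed sample: a throwaway self-signed certificate exported as PFX bytes.
        using var key = RSA.Create(2048);
        var req = new CertificateRequest("CN=Constructed Test", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        byte[] pfx = cert.Export(X509ContentType.Pfx, "constructed-password");
        Console.WriteLine(string.Join("\n", Check(pfx, "constructed-password", DateTime.UtcNow)));
        Console.WriteLine(string.Join("\n", Check(pfx, "wrong-password", DateTime.UtcNow)));
    }
}
```

For a file on disk, pass `File.ReadAllBytes(path)` as the first argument. On .NET 9 and later the `X509Certificate2` byte-array constructor is marked obsolete and `X509CertificateLoader.LoadPkcs12` is the replacement.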
API Reference Summary
| Class / Method | Description |
|---|---|
| PdfSigner | Sign and verify PDF documents |
| PdfSigner.Sign | Apply a digital signature |
| PdfSigner.Verify | Check signature validity |
| PdfSigner.SignWithAppearance | Sign with a visual signature field |
| PdfCertificate | Certificate loader for PFX and DER formats |
| PdfCertificate.FromPfx | Load from a PFX file with password |
| PdfCertificate.FromDerFiles | Load from DER-encoded files |
| CertificateEncryptionOptions | Certificate-based PDF encryption |
| ICustomSecurityHandler | Interface for custom encryption/decryption |
| EncryptionParameters | Parameters passed to custom security handlers |
| SignatureAlgorithmInfo | Metadata about a signature’s algorithm |