
SautinSoft.Pdf.Security Namespace

Contains classes, structures, and enumerations that implement the following:

  • PDF encryption as specified in the PDF Specification ISO 32000-1:2008 (section 7.6).
  • X.509 Internet Public Key Infrastructure (PKI) as specified in RFC 5280 (PdfCertificate and PdfCertificateRevocationList), RFC 6960 (PdfOnlineCertificateStatusProtocolResponse), and RFC 3161 (PdfTimestamper).
  • Document security store as defined in ETSI EN 319 142-1 (PdfDocumentSecurityStore).
  • A cryptographic device that can store cryptographic information and perform cryptographic functions, as specified in PKCS #11 (PdfPkcs11Module and PdfPkcs11Token).

Encryption-related information is stored in the PdfEncryption class and for password-based encryption, it is stored in the PdfPasswordEncryption class. PDF encryption is used with the Password property when loading a PDF document from an encrypted PDF file and with the Encryption property and SetPasswordEncryption() method when saving a PDF document to an encrypted PDF file.
Classes
 Class  Description
Public class InvalidPdfPasswordException  Exception that occurs when DocumentOpenPassword or PermissionsPassword is not correctly specified.
Public class PdfCertificate  Represents an X.509 certificate sent to others so that they can verify your digital signature with a public key contained in the certificate.
Public class PdfCertificateRevocationList  Represents an X.509 Certificate Revocation List (CRL) that is a time-stamped list identifying revoked certificates that is signed by a Certificate Authority (CA) or CRL issuer and made freely available in a public repository.
Public class PdfDelayOrReSignDigitalId

Represents a digital ID used to delay-sign (deferred-sign) or re-sign a PDF file.

A PdfDelayOrReSignDigitalId does not perform the actual signing because it contains only a PdfCertificate (with a public key) and no private key. Instead, a PdfDelayOrReSignDigitalId is used in the following process:

  • Delay-sign a PDF file by using the Sign(PdfSigner) method followed by any of the Save methods. The Signature property must be and after the signing is done, the Hash property contains the hash of the (delay-)signed PDF file. The content of the delay-signed signature is empty (a sequence of bytes whose value is zero), thus the signature is not valid. But the signature content is replaced with the valid signature content when re-signing the PDF file.
  • Sign the Hash using an external signer.
  • Re-sign the PDF file by using the Sign(PdfSigner) method on the same PdfSignatureField on which the delay-sign was performed (the Save method should not be called afterwards, as explained in the note of the Sign(PdfSigner) method). The Signature property must be set to the value returned by the external signer, and after the signing is done, the Hash property contains the hash of the re-signed PDF file (which should be the same as the hash of the delay-signed PDF file).

The PdfSigner instances used in the delay-sign and re-sign should have equal properties so that the signature content created by re-signing fits into the delay-signed signature content that it replaces.

Delay-signing is also possible with the Sign(Func<Stream, Byte[]>, PdfSignatureFormat, Int32) method, but then you must take care to provide an appropriate value for the estimatedSignatureContentsLength parameter, which should be large enough to contain the entire signature content created when re-signing the PDF file. If the PdfCertificate is not available when performing the delay-sign, then delay-signing must be done by using the Sign(Func<Stream, Byte[]>, PdfSignatureFormat, Int32) method. The first parameter of that method should return an array of zero-valued bytes of length estimatedSignatureContentsLength. Note that if Format is not PKCS7, then delay-signing with the Sign(Func<Stream, Byte[]>, PdfSignatureFormat, Int32) method is difficult because the hash provided to the external signer is not ComputeHash(PdfHashAlgorithm), as explained in the Message Digest Calculation Process.

Public class PdfDigitalId

A digital ID used to sign and encrypt documents.

The certificate that comes with your digital ID is sent to others so that they can verify your signature.

The most secure digital IDs are issued by trusted certificate authorities and are based on secure devices such as a smart card or token. Some are based on files.

Public class PdfDocumentSecurityStore

Represents a container that may contain:

  • a collection of all certificates used for the signatures, including timestamp signatures, that occur in the document. It shall also hold all the auxiliary certificates required to validate the certificates participating in certificate chain validations.
  • a collection of all Certificate Revocation Lists (CRLs) (see RFC 5280) used for some of the signatures, and
  • a collection of all Online Certificate Status Protocol (OCSP) responses (see RFC 6960) used for some of the signatures.

Public class PdfEncryptedPayload  Identifies that the file specified in the EmbeddedFile of a PdfFileSpecification is an encrypted payload.
Public class PdfEncryption  Stores encryption-related information.
Public class PdfLoadingEncryptedEventArgs  Represents data for an event that occurs when a PDF document is being loaded from an encrypted PDF file.
Public class PdfOnlineCertificateStatusProtocolResponse  Represents an X.509 Online Certificate Status Protocol Response useful in determining the current status of a digital certificate without requiring Certificate Revocation Lists.
Public class PdfPasswordEncryption  Stores encryption-related information for a PDF’s standard security handler that shall allow up to two passwords to be specified for a document: a DocumentOpenPassword and a PermissionsPassword with access Permissions.
Public class PdfPkcs11DigitalId  Represents a digital ID that is stored on a cryptographic device accessible through the PKCS#11 application programming interface, called "Cryptoki".
Public class PdfPkcs11Module

Represents a cryptographic device that stores cryptographic information and possibly performs cryptographic functions accessible through the PKCS#11 application programming interface, called "Cryptoki".

A cryptographic device may be implemented as a smart card, smart disk, PCMCIA card, or with some other technology, including software-only.

Note
SautinSoft.Pdf uses Pkcs11Interop to communicate with a cryptographic device from a .NET runtime, so your project must reference the NuGet package Pkcs11Interop in order to use this class.

Important
After you are finished using PdfPkcs11Module, make sure you either dispose it or call its Close method.

Public class PdfPkcs11Token

Represents the logical view of a cryptographic device defined by Cryptoki.

Various objects can be stored on a token. These include data, certificates and keys.

Stored objects can be accessed and cryptographic functions performed only after the session (a logical connection between an application and a token) is opened.

Public class PdfRSASignaturePadding  Represents the padding to use with RSA signature.
Public class PdfTimestamper

Represents a timestamper that gets the TimeStampToken as specified in RFC 3161 as updated by RFC 5816.

The value of the messageImprint field within the TimeStampToken shall be a hash of either:

  • the bytes of the signature field within SignerInfo for the CMS-based Content if the generated timestamp token is included as an unsigned attribute of that SignerInfo (signature timestamp).
  • the bytes of the document indicated by the ByteRange and the ByteRange shall specify the complete PDF file contents (excepting the Content value) if the generated timestamp token is included as a content of a signature dictionary (whose Type entry has a value of DocTimeStamp) that is a value of a signature field added as an incremental update (document timestamp).
Structures
 Structure  Description
Public structure PdfEncryptionLevel  Represents a symmetric encryption algorithm used in a PDF file and the length of the encryption key used in that algorithm.
Enumerations
 Enumeration  Description
Public enumeration PdfEncryptionAlgorithm  Represents an encryption algorithm used in a PDF file.
Public enumeration PdfEncryptionOptions  Represents options for PDF file password-based encryption.
Public enumeration PdfHashAlgorithm  Represents a hash algorithm used in SautinSoft.Pdf cryptographic operations.
Public enumeration PdfUserAccessPermissions  Represents user access permissions.