PDF Java Toolkit

Applying Signatures

Applying Recipient Signatures

To sign a signature field with a recipient signature, clients need to provide:

  • the signature field to be signed
  • a Credentials object containing the signer’s private key and certificate chain
  • a ByteWriter that specifies where the signed document will be written
  • optionally, a SignatureOptions object to control how the signature is generated and how its appearance is configured

Without the SignatureOptions object, the method that creates a recipient signature produces a default signature, using default digest algorithms and a default signature appearance. The SignatureOptions class is used to control the digest algorithms to be used, the signature appearance settings, and how the document is to be saved. For example, the PDF document can use a full save or an incremental save.

The method that creates a signature also saves and signs the PDF data, because creating a recipient signature involves computing a byte range signature. Recipient signatures support timestamping, CRLs, and OCSP.

To apply a recipient signature, use one of the sign() methods in the SignatureManager class.

Applying Author Signatures

Author signatures, which are used to certify PDF documents, work in much the same way as recipient signatures. They are byte range signatures that include a DocMDP transform parameters dictionary. The DocMDP transform parameters provide the permissions settings that indicate the changes permitted to the certified document. For example, the permissions can include No Changes Allowed, or Form Fill Permitted.

The DocMDP transform parameters can provide for tamper detection over parts of the PDF that should not be updated while permitting changes to the PDF document that are allowed by the signature certification.  For example, after a PDF is signed and certified, the document could be updated to allow a user to add a recipient signature but not change any of the values that appear in the form fields elsewhere in the document, except for the recipient’s own name, address, and contact information.
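The byte range coverage that recipient and author signatures rely on can be checked independently of the toolkit. The following is an added example, not PDF Java Toolkit code: it uses only the Java standard library, and the class name ByteRangeCheck and the sample document in main() are constructed for illustration. It reports bytes that fall outside a signature's /ByteRange, which is where updates saved incrementally after signing appear and which a validator then has to judge against the DocMDP permissions.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ByteRangeCheck {
    // /ByteRange [off1 len1 off2 len2] as written in a signature dictionary (ISO 32000).
    // Simplification (assumption): scans raw bytes instead of parsing PDF objects.
    private static final Pattern BYTE_RANGE = Pattern.compile(
        "/ByteRange\\s*\\[\\s*(\\d{1,10})\\s+(\\d{1,10})\\s+(\\d{1,10})\\s+(\\d{1,10})\\s*\\]");

    /** One finding per signature whose byte range is malformed or leaves bytes unsigned. */
    static List<String> check(byte[] pdf) {
        // ISO-8859-1 maps each byte to one char, so regex offsets equal byte offsets.
        Matcher m = BYTE_RANGE.matcher(new String(pdf, StandardCharsets.ISO_8859_1));
        List<String> findings = new ArrayList<>();
        for (int n = 1; m.find(); n++) {
            long off1 = Long.parseLong(m.group(1)), len1 = Long.parseLong(m.group(2));
            long off2 = Long.parseLong(m.group(3)), len2 = Long.parseLong(m.group(4));
            long gapStart = off1 + len1, signedEnd = off2 + len2;
            if (off1 != 0 || off2 <= gapStart || signedEnd > pdf.length) {
                findings.add("signature " + n + ": malformed ByteRange");
                continue;
            }
            // The only bytes excluded from the digest must be the /Contents hex string.
            if (pdf[(int) gapStart] != '<' || pdf[(int) off2 - 1] != '>')
                findings.add("signature " + n + ": unsigned gap is not exactly <...>");
            // Bytes after the signed range were added by an incremental save after signing.
            if (signedEnd < pdf.length)
                findings.add("signature " + n + ": " + (pdf.length - signedEnd)
                    + " bytes appended after signing; check against DocMDP permissions");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample, not a real signed PDF; fixed-width offsets keep lengths stable.
        String head = "%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents ";
        String contents = "<00ff>", tail = " >>\nendobj\n%%EOF\n";
        int len1 = String.format(head, 0, 0, 0).length();
        String signed = String.format(head, len1, len1 + contents.length(), tail.length())
            + contents + tail;
        String updated = signed + "2 0 obj\n<< >>\nendobj\n%%EOF\n";
        System.out.println(check(signed.getBytes(StandardCharsets.ISO_8859_1)));
        System.out.println(check(updated.getBytes(StandardCharsets.ISO_8859_1)));
    }
}
```

The first call returns no findings because the byte range covers everything except the /Contents value; the second reports the bytes appended after the signed range.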

Except for the DocMDP transform, the PDF Java Toolkit code used to apply a DocMDP signature will work the same as the code used for applying a recipient signature. PDF Java Toolkit only allows for applying a DocMDP signature to a signature field.  This product does not support creating DocMDP signatures that are found in the Perms entry of the catalog but that are not assigned to a signature field, and neither does Adobe Acrobat.

Like recipient signatures, author signatures will also need support for timestamping, CRLs, and OCSP.

To apply an author signature, use one of the certify() methods in the SignatureManager class. For a sample of document signing, see