 | |
Advanced Security Settings | |
SelectPdf can be used to set advanced security settings on existing pdf files, manage different permissions and digitally sign the documents.
This can be done using PdfSecurityManager object. Using it, the following settings can be customized:
Owner Password
User Password
Encryption Algorithm (RC4 or AES)
Encryption Key Length (40, 128 or 256 bits)
Assemble Document permission
Copy Content permission
Edit Annotations permission
Edit Content permission
Fill Form Fields permission
Print permission (including Full Quality Print)
Digital signatures can be added to an existing PDF document using the PdfSecurityManager object. Adding a digital signature requires a PKCS#12 certificate (provided as a .pfx file).
Code Sample// load the pdf document using the advanced security manager PdfSecurityManager security = new PdfSecurityManager(); security.Load(file); // encryption algorithm and key length security.EncryptionAlgorithm = PdfEncryptionAlgorithm.AES; security.EncryptionKeySize = PdfEncryptionKeySize.EncryptKey256Bit; // set document passwords security.OwnerPassword = "test1"; security.UserPassword = "test2"; //set document permissions security.CanAssembleDocument = false; security.CanCopyContent = true; security.CanEditAnnotations = true; security.CanEditContent = true; security.CanFillFields = true; security.CanPrint = true; // add the digital signature security.Sign(certFile, "password"); // save pdf document security.Save("Sample.pdf"); // close pdf document security.Close();
Digital Signature OverloadsPdfSecurityManager exposes five Sign(...) overloads. Each overload adds more signature metadata or a visible signature rectangle on top of the minimal one shown above:
Sign(certificateFileName, certificatePassword) - minimal invisible signature.
Sign(..., signatureName) - adds a named signature.
Sign(..., signatureName, reason, location, contactInfo) - adds signer metadata (reason for signing, location, and contact info).
Sign(..., signatureName, reason, location, contactInfo, pageIndex, bounds) - renders a visible signature box on the specified page (zero-based pageIndex), inside the supplied RectangleFbounds.
Sign(..., signatureName, reason, location, contactInfo, pageIndex, bounds, timeStampAuthority) - adds a trusted timestamp from the supplied TimeStampAuthority server.
The following sample signs a PDF with full metadata, a visible signature box on the first page, and a TSA-issued timestamp:
PdfSecurityManager security = new PdfSecurityManager(); security.Load("contract.pdf"); TimeStampAuthority tsa = new TimeStampAuthority(new Uri("https://tsa.example.com")); security.Sign( "cert.pfx", "pfxpwd", "Counter-signed by Example Corp", "Contract approval", "Amsterdam, NL", "legal@example.com", 0, new System.Drawing.RectangleF(400, 40, 150, 50), tsa); security.Save("contract-signed.pdf"); security.Close();
Trusted Timestamps (RFC 3161)A trusted timestamp proves that a signed PDF existed in its current form at a specific moment in time, independently of the signer's own clock. SelectPdf attaches a timestamp from an external Time Stamp Authority (TSA) by issuing an RFC 3161 timestamp request over HTTP/HTTPS, then embedding the returned timestamp token inside the signature container. The result is a signature with both an identity claim (your certificate) and a time claim (the TSA's certificate), which is what regulated workflows such as eIDAS / ETSI EN 319 422 expect.
A TSA endpoint is described with a TimeStampAuthority object. Pass the resulting instance to the last parameter of the seven-argument Sign(...) overload shown above.
TimeStampAuthority(Uri tsaServer) - creates a TSA reference pointing at the supplied RFC 3161 endpoint URL.
Server - the endpoint URL. Use the URL the TSA provider publishes for RFC 3161 requests, not the homepage of the provider.
UserName / Password - HTTP Basic credentials sent with the timestamp request, if the TSA requires authentication. Encoded as UTF-8 on the wire, so non-ASCII characters in the credentials are preserved correctly. Leave them unset for anonymous TSAs.
TimeOut - request timeout in seconds. Applies to the connect, write, and read phases of the call to the TSA. Defaults to the framework default if left at zero.
The following sample signs a PDF using an authenticated TSA with a 30-second timeout:
PdfSecurityManager security = new PdfSecurityManager(); security.Load("contract.pdf"); TimeStampAuthority tsa = new TimeStampAuthority( new Uri("https://tsa.example.com/rfc3161")); tsa.UserName = "tsa-account"; tsa.Password = "tsa-password"; tsa.TimeOut = 30; security.Sign( "cert.pfx", "pfxpwd", "Signed and time-stamped", "Contract approval", "Amsterdam, NL", "legal@example.com", 0, new System.Drawing.RectangleF(400, 40, 150, 50), tsa); security.Save("contract-signed.pdf"); security.Close();
The resulting PDF carries a single Adobe.PPKLite signature whose CMS signed-data container embeds the RFC 3161 timestamp token as an unsigned attribute. Acrobat, Reader, and other compliant validators will display the signature as "signed and time-stamped" and surface the TSA-asserted time alongside the signer identity.
Timestamp Error HandlingThe TSA call happens at Save time, after the document has been signed in memory but before the file is written. If the TSA cannot be reached or refuses to issue a token, Save throws and no signed file is produced. The most common failure cases:
Network failure - DNS resolution failure, connection refused, TLS handshake failure, or proxy interception. The thrown exception preserves the underlying network error as its inner exception, so the original cause is visible to the caller.
HTTP error response - the TSA returned a non-200 status code. The exception message includes the HTTP status code (for example, HTTP 401 Unauthorized when credentials are required but were not supplied).
TSA rejection - the TSA responded successfully at the HTTP layer but refused to issue a token (RFC 3161 PKI status 2 "rejection", 3 "waiting", 4 "revocationWarning", or 5 "revocationNotification"). The exception message names the status code and label. Typical causes are quota exhaustion, an unauthorized client certificate, or a TSA-side outage.
Timeout - the TSA accepted the connection but did not finish responding within the configured TimeOut window.
Because all four cases throw before any file is written, the application can safely catch the exception, switch to a backup TSA, and retry without producing a partial or unsigned output.
See Also