Issues with signing pdf file with certificate from azure certificate vault with non-exportable private key

[arvydas-kezunas]

Greetings everyone, i am facing some issues with putting digital signatures on pdf files with using azure certificate vault. Problem appears when certificate is with non-exportable private key and have to rely on azure cryptography client. this is my current implementation:

   async signDocument(fileBuffer: Buffer, certName: string) {
    try {
      Logger.log(`Starting document signing process for certificate: ${certName}...`);

      Logger.log(`Retrieving certificate: ${certName} from Azure...`);
      const certificateData = await this.certificateClient.getCertificate(certName);

      Logger.log('Extracting Key ID from the certificate...');
      const keyId = certificateData.keyId;
      if (!keyId) {
        Logger.error('Key ID not found in the certificate.');
        throw new Error('Key ID not found for certificate');
      }
      Logger.log(`Key ID found: ${keyId}`);

      Logger.log(`Creating CryptographyClient with Key ID: ${keyId}...`);
      const cryptoClient = new CryptographyClient(keyId, this.credential);
      Logger.log('CryptographyClient created successfully.');

      Logger.log('Loading and modifying PDF document...');
      const pdfDoc = await PDFDocument.load(fileBuffer);
      pdflibAddPlaceholder({
        pdfDoc: pdfDoc,
        reason: 'I am the author of this document',
        location: 'Lithuania',
        contactInfo: 'namelastname@email.com',
        name: 'Name Lastname',
        widgetRect: [50, 100, 250, 150],
      });

      const pdfWithPlaceholderBytes = await pdfDoc.save();

      const documentHash = this.createHashWith(Buffer.from(pdfWithPlaceholderBytes));

      const signResult: SignResult = await cryptoClient.sign("RS256", documentHash);

      const azureSigner = new AzureVaultSigner(signResult.result);
      const signedPdfBytes = await SignPdf.sign(pdfWithPlaceholderBytes, azureSigner);

      Logger.log('Signature injected into PDF document successfully.');

      fs.writeFileSync('output-signed.pdf', signedPdfBytes);
      return signedPdfBytes;

    } catch (error) {
      Logger.error('Error signing document:', error.message);
      throw new Error(`Error signing document: ${error.message}`);
    }
  }  

    private createHashWith(buffer: Buffer): Buffer {
    const hash = createHash('sha256');
    hash.update(buffer);
    return hash.digest();
  }

import {Signer} from '@signpdf/signpdf'

class AzureVaultSigner extends Signer {
  signature: Buffer;
  constructor(signature: any) {
    super();
    this.signature = Buffer.from(signature);; // Store the signature
  }

  async sign(pdfBuffer, signingTime) {
    return pdfBuffer;
  }
}

export default AzureVaultSigner;

as i understand, Azures cryptoclient sign returns the signature it self, that later has to be injected in to original pdf. And i believe that issue is in my custom signer. and after running the api im getting this

[dhensby]

import {Signer} from '@signpdf/signpdf'

class AzureVaultSigner extends Signer {
  signature: Buffer;
  constructor(signature: any) {
    super();
    this.signature = Buffer.from(signature);; // Store the signature
  }

  async sign(pdfBuffer, signingTime) {
    return pdfBuffer;
  }
}

export default AzureVaultSigner;

You're just returning the PDF in your signer and not the signature. If you change that, it may work

[arvydas-kezunas]

i will check that

[arvydas-kezunas]

import {Signer} from '@signpdf/signpdf'

class AzureVaultSigner extends Signer {
  signature: Buffer;
  constructor(signature: any) {
    super();
    this.signature = Buffer.from(signature);; // Store the signature
  }

  async sign(pdfBuffer, signingTime) {
    return pdfBuffer;
  }
}

export default AzureVaultSigner;

You're just returning the PDF in your signer and not the signature. If you change that, it may work

Maybe you have idea where i could fine example of custom signer that would work with my issue?

[mbrevda]

Sounds similar to #270

[chrisl-bastion365-nl]

Looks like you're calculating the hash over the whole file including the placeholder, which will lead to verification errors, as the hash should be calculated on the file without the signature placeholder byterange (so that the signature itself doesn't affect the hash digest result after it's inserted).

Instead, hash the document buffer passed to the sign method of your custom signer, as signpdf will calculate the correct byterange for hashing beforehand, then will include this as an argument to the signer sign method.

[chrisl-bastion365-nl]

Regarding the ASN1 error, I would check that the signature is a proper CMS structured signature in ASN1 format (e.g. a CAdES or PKCS7, which can be created using either pksjs and asn1.js or node-forge), rather than a raw cryptographic signature result as returned from the Azure cryto client. This includes extra data such as signer certificates/IDs, object IDs that provide information about the algorithms used to hash and sign the original data, the signing time, the kind of data being signed etc., as well as allowing for signature and document timestamps etc.

A good spot to construct this asn1 signature around your raw azure signature result would be within the AzureVaultSigner sign method, which would then return the expected asn1 signature (not the pdf, as mentioned above -- that's returned by the pdfsign sign method instead).