Using iText 7 and AWS KMS to digitally sign a PDF Document
Excerpt: iText is used by many businesses and signing services to integrate secure digital signatures into PDFs. This step-by-step article shows developers how to use iText 7 and the AWS KMS APIs to generate a digital signature and add it to a PDF document.
About the author:
Here at iText we’ve long been involved with PDF digital signatures. We first published our digital signatures eBook back in 2013, which provided a comprehensive overview of PDF features, industry standards and technology options relating to secure digital signatures, together with in-depth best practices, real-life examples, and code samples for PDF development.
Since then, we’ve continued to promote the technology for secure PDF documents, as it provides integrity, authenticity, non-repudiation, and assurance of when a document was signed. We’ve also kept pace with advances in the field, supporting the PAdES framework and PDF 2.0, and updating our Java and C# (.NET) code examples to apply to the latest versions of iText 7.
An essential component in creating a secure digital signature is the generation of an asymmetric key pair, consisting of both a public and a private key. There are a number of ways to generate such a key pair, but one of the most secure is the use of a hardware security module (or HSM). This is a physical computing device and is usually very expensive.
Here Comes a New Challenger
However, Amazon Web Services now offers the generation of asymmetric keys as part of its Key Management Service (KMS) which makes it easy to create and manage cryptographic keys and control their use across a range of AWS services and in your applications. Similar to the symmetric key features that were previously available, asymmetric keys can be generated as customer master keys (CMKs) where the private portion never leaves the service, or as a data key where the private portion is returned to your calling application encrypted under a CMK.
Since it’s a scalable service with no upfront charges, AWS KMS can be an attractive option for digitally signing PDFs. It’s not all plain sailing though. Since AWS KMS doesn’t store or associate digital certificates with asymmetric CMKs it creates, it’s not directly possible to use the asymmetric CMK for signing PDFs, as you would first have to generate a certificate for the public key of your AWS KMS signing key pair.
This topic came up in a recent Stack Overflow question, and the comprehensive answer provided by Michael Klink led to this article which we hope many of you will benefit from. We walk through the whole process of accessing the AWS KMS API to generate a digital signature, and then applying that signature to a PDF with iText 7. In addition, we also point out some things you’ll need to consider if you plan to do mass-signing operations with AWS KMS.
Of course, Amazon is not the only big player in cloud services, and so it should not be surprising that Google and Microsoft also provide similar functionality. Google has its Cloud Key Management and Microsoft Azure offers their Key Vault, both of which lower the cost of entry to using HSMs for cryptographic key management. While we don’t cover them directly in this article, the process of signing a PDF using these services should be largely the same.
We hope you will find this article and its code examples useful if you’ve run into issues when using the AWS KMS or equivalent services. Once again, we’d like to thank Michael Klink for taking the time to port his Java examples from the initial Stack Overflow question to .NET, and indeed for his many contributions to the iText community.
Would you like to know more?
Don’t hesitate to contact us if you have any additional questions about digitally signing PDFs, or anything else iText could help you with.
If you are interested in learning more about the iText 7 Suite, click here