Is there a list of Certificate Authorities that provides certificates valid also for digitally sign a document?

I have to digitally sign a pdf. I created a little app using the DSS library (an EU project, based on Bouncy Castle, very simple to use) that sign the PDF with PADES using a p12 file.

I know how to create a p12 file from a certificate using openssl. The problem is I only find Certificate Authorities that provides certificates for SSL.

There’s somewhere a list of official and trusted CAs that provides X.509 certificates also for signing documents? I’m interested in pricing in particular… 😛

Thank in advance.

Some digitally signed pdfs shown as verified in the pdf viewers while others are not

I have two pdf documents:

1 – My class 10 marksheet issued by the CISCE that I downloaded through digilocker.

2 – My Domicile certificate issued and downloaded from the aaplesarkar website.

Both documents are digitally signed, and show a green tick symbol when opened in Adobe Acrobat reader. But, when I the documents in a pdf viewer like Google Chrome on my PC or Pdf Viewer on my Android Phone, my marksheet shows a yellow question mark with the text “Signature Not Verified”

Signature Not Verified

while my domicile certificate shows a green tick with the text “Signature vaid”.
Signature Valid

Why is this so? Is there anything I can do so that my marksheet also shows a green tick when opened in a pdf viewer?

Thank you for your time.

rest service with digitally signed parameters

I’d like to build a rest service that will accept objects that has digital signature. This service has to support both xml and json data serialization formats. I’d like to use .Net core framework to build this service.

Controller has to check that digital signature is valid and dto properties were not modified.

This signature has to be stored (in the database) and used (if required) to verify that message was not changed while processing.

Sending flow is like below

  • client fills object with data
  • client calculates hash and sign it
  • client sends object and signature to the service
  • service calculate hash from object properties and verify signature
  • object and signature is stored in the db

The question is how to define and share hash calculation logic between service and client? Please note that client can be implemented using different framework or programming language.

UPD: Or, probably there is an alternative way to check data integrity that are sent by the client. Like Amazon has implemented.

I’ve thought that dto can have string GetHashData() method that will concatenate valuable dto properties to the string. Then hash can be calculated for this and is used to sign or to check the signature.

However having method in the dto object does not look good.

I can implement some helper class and use it in the rest service that to calculate hash for each object type. But this logic has to be implemented on the client side as well. It can make usage of the service a little bit tricky.

I know that both xml and json has digital signature, like XMLDSIG and JWS. But it makes digital signature to be dependent from the format that was used by the client to talk with service. I can not use JWS or XMLDSIG if object was deserialized and passed as parameter to the REST controller.

Is it possible to use WebAuthn for digitally signing documents in the browser?

WebAuthn is a relatively new API for authentication, and it uses public key cryptography instead of something like passwords.

I am wondering if it is possible to use the cryptographic part for a different purpose, specifically creating digital signatures of documents in the browser.

The idea is to find a way to have a user sign a document in the browser in a way that the server can’t fake or manipulate. So the web application itself must never know the private key that is used for signing, which is the case for WebAuthn as far as I understand.

So if instead of the random challenge that WebAuthn expects I’d send the contents of a document I want the user to sign, I should get back a cryptographically signed hash of my document, if I understand the explanation on MDN correctly.

In the end I should have a digital signature that could be used to prove that this document was signed by a specific private key from a specific hardware token. And neither the web application inside the browser nor the server component ever saw the private key, and can’t fake this signature (of course the application could compromise this by switching out the content before signing, but not later).

I couldn’t find anything on someone using WebAuthn for this purpose, and anything I could find related to digital signatures in the browser was about stuff like Java applets that is simply not an option today anymore.

Is my idea sound in general? Or am I misunderstanding how WebAuthn works and it’s simply not possible to use it in this way? Are there any weaknesses or flaws in this approach that I’m missing?