Digitally sign a PDF using AWS KMS and iText

ian.morris — Fri, 29 Jan 2021 13:10:15 +0000

Digitally sign a PDF using AWS KMS and iText ian.morris Fri, 01/29/2021 - 14:10

Introduction

Note: This article was originally written for iText Core version 7.1.x. However, the text and code examples have been revised to account for the API changes and improvements to digital signing we introduced in iText Core version 8.

Here at iText we’ve long been involved with PDF digital signatures. We first published our digital signatures eBook back in 2013, which provided a comprehensive overview of PDF features, industry standards and technology options relating to secure digital signatures, together with in-depth best practices, real-life examples, and code samples for PDF development.

Since then, we’ve continued to promote the technology for secure PDF documents, as it provides integrity, authenticity, non-repudiation, and assurance of when a document was signed. We’ve also kept pace with advances in the field, supporting the PAdES framework and PDF 2.0, and updating our Java and C# (.NET) code examples to apply to the latest versions of iText.

An essential component in creating a secure digital signature is the generation of an asymmetric key pair, consisting of both a public and a private key. There are a number of ways to generate such a key pair, but one of the most secure is the use of a hardware security module (or HSM). This is a physical computing device and is usually very expensive.

Here Comes a New Challenger

However, Amazon Web Services now offers the generation of asymmetric keys as part of its Key Management Service (KMS) which makes it easy to create and manage cryptographic keys and control their use across a range of AWS services and in your applications. Similar to the symmetric key features that were previously available, asymmetric keys can be generated as customer master keys (CMKs) where the private portion never leaves the service, or as a data key where the private portion is returned to your calling application encrypted under a CMK.

Since it’s a scalable service with no upfront charges, AWS KMS can be an attractive option for digitally signing PDFs. It’s not all plain sailing though. Since AWS KMS doesn’t store or associate digital certificates with asymmetric CMKs it creates, it’s not directly possible to use the asymmetric CMK for signing PDFs, as you would first have to generate a certificate for the public key of your AWS KMS signing key pair.

This topic came up in a recent Stack Overflow question, and the comprehensive answer provided by Michael Klink led to this article which we hope many of you will benefit from. We’ll walk through the whole process of accessing the AWS KMS API to generate a digital signature, and then applying that signature to a PDF with iText. In addition, we’ll also point out some things you’ll need to consider if you plan to do mass-signing operations with AWS KMS.

Of course, Amazon is not the only big player in cloud services, and so it should not be surprising that Google and Microsoft also provide similar functionality. Google has its Cloud Key Management and Microsoft Azure offers their Key Vault, both of which lower the cost of entry to using HSMs for cryptographic key management. While we won’t be covering them in this article, the process of signing a PDF using these services should be largely the same.

Once again, we’ve worked with independent PDF expert and top StackOverflow contributor Michael Klink (@mkl) who kindly provided C# versions of his Java code examples from his original answer for our .NET users. Each code snippet included in this article has a link leading to the full Java/C# example on our Knowledge Base.

Different strokes for different folks

A quick note before we continue. While the Java and C# iText Core APIs are largely the same, there are a number of differences in the code examples here, in part due to certain differences in the Java and .NET AWS KMS APIs. For example, the latter API uses the async pattern for .NET.

In addition, genuine .NET classes were used for the creation of the self-signed certificate and there are some differences between the BouncyCastle Java and .NET APIs. So, the differences in the code are not just in its method name capitalization...

Don’t worry though, as we’ll be pointing out these differences where they occur throughout the article

Signing a PdfDocument using the digital signature returned by AWS KMS

In the context of this article it is assumed that you have stored your credentials in the default section of your ~/.aws/credentials file and your region in the default section of your ~/.aws/config file. Otherwise, you'll have to adapt the KmsClient instantiation or initialization in the following code examples.

Generating a Certificate for an AWS KMS Key Pair

As we noted above, AWS KMS signs using a plain asymmetric key pair and it does not provide a X.509 certificate for the public key. However, interoperable PDF signatures require a X.509 certificate for the public key, to establish trust in the signature. Thus, the first step to take for interoperable AWS KMS PDF signing is to generate an X.509 certificate for the public key of your AWS KMS signing key pair.

For testing purposes, you can create a self-signed certificate using this Java helper method which is based on code from this stack overflow answer:

<div data-pym-src="https://itext.jdoodle.com/embed/itext" data-java-libs="com.itextpdf:itext7-core:latest.release,org.slf4j:slf4j-api:1.7.28,org.slf4j:slf4j-simple:1.7.28,com.itextpdf:pdfocr-tesseract4:latest.release" data-csharp-libs="itext7:latest.release" data-show-upload="false" data-hide-execute="true" data-max-uploads="3" data-max-file-size="5000000"> <div data-script-type="java"><script>public static X509Certificate generateSelfSignedCertificate(String keyId, String subjectDN, Function<List<SigningAlgorithmSpec>, SigningAlgorithmSpec> selector) throws IOException, GeneralSecurityException { long now = System.currentTimeMillis(); Date startDate = new Date(now); X500Name dnName = new X500Name(subjectDN); BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number Calendar calendar = Calendar.getInstance(); calendar.setTime(startDate); calendar.add(Calendar.YEAR, 1); // <-- 1 Yr validity Date endDate = calendar.getTime(); PublicKey publicKey = null; SigningAlgorithmSpec signingAlgorithmSpec = null; try ( KmsClient kmsClient = KmsClient.create() ) { GetPublicKeyResponse response = kmsClient.getPublicKey(GetPublicKeyRequest.builder().keyId(keyId).build()); SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(response.publicKey().asByteArray()); JcaPEMKeyConverter converter = new JcaPEMKeyConverter(); publicKey = converter.getPublicKey(spki); List<SigningAlgorithmSpec> signingAlgorithms = response.signingAlgorithms(); signingAlgorithmSpec = selector.apply(signingAlgorithms); } JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, publicKey); ContentSigner contentSigner = new AwsKmsContentSigner(keyId, signingAlgorithmSpec); // Extensions -------------------------- // Basic Constraints BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical. // ------------------------------------- return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBuilder.build(contentSigner)); }</script></div> <div data-script-type="csharp"><script>public static X509Certificate2 GenerateSelfSignedCertificate(string keyId, string subjectDN, Func<List<string>, string> selector) { string signingAlgorithm = null; using (var kmsClient = new AmazonKeyManagementServiceClient()) { GetPublicKeyRequest getPublicKeyRequest = new GetPublicKeyRequest() { KeyId = keyId }; GetPublicKeyResponse getPublicKeyResponse = kmsClient.GetPublicKeyAsync(getPublicKeyRequest).Result; List<string> signingAlgorithms = getPublicKeyResponse.SigningAlgorithms; signingAlgorithm = selector.Invoke(signingAlgorithms); byte[] spkiBytes = getPublicKeyResponse.PublicKey.ToArray(); CertificateRequest certificateRequest = null; X509SignatureGenerator simpleGenerator = null; string keySpecString = getPublicKeyResponse.CustomerMasterKeySpec.ToString(); if (keySpecString.StartsWith("ECC")) { ECDsa ecdsa = ECDsa.Create(); int bytesRead = 0; ecdsa.ImportSubjectPublicKeyInfo(new ReadOnlySpan<byte>(spkiBytes), out bytesRead); certificateRequest = new CertificateRequest(subjectDN, ecdsa, GetHashAlgorithmName(signingAlgorithm)); simpleGenerator = X509SignatureGenerator.CreateForECDsa(ecdsa); } else if (keySpecString.StartsWith("RSA")) { RSA rsa = RSA.Create(); int bytesRead = 0; rsa.ImportSubjectPublicKeyInfo(new ReadOnlySpan<byte>(spkiBytes), out bytesRead); RSASignaturePadding rsaSignaturePadding = GetSignaturePadding(signingAlgorithm); certificateRequest = new CertificateRequest(subjectDN, rsa, GetHashAlgorithmName(signingAlgorithm), rsaSignaturePadding); simpleGenerator = X509SignatureGenerator.CreateForRSA(rsa, rsaSignaturePadding); } else { throw new ArgumentException("Cannot determine encryption algorithm for " + keySpecString, nameof(keyId)); } X509SignatureGenerator generator = new SignatureGenerator(keyId, signingAlgorithm, simpleGenerator); X509Certificate2 certificate = certificateRequest.Create(new X500DistinguishedName(subjectDN), generator, System.DateTimeOffset.Now, System.DateTimeOffset.Now.AddYears(2), new byte[] { 17 }); return certificate; } } public static HashAlgorithmName GetHashAlgorithmName(string signingAlgorithm) { if (signingAlgorithm.Contains("SHA_256")) { return HashAlgorithmName.SHA256; } else if (signingAlgorithm.Contains("SHA_384")) { return HashAlgorithmName.SHA384; } else if (signingAlgorithm.Contains("SHA_512")) { return HashAlgorithmName.SHA512; } else { throw new ArgumentException("Cannot determine hash algorithm for " + signingAlgorithm, nameof(signingAlgorithm)); } } public static RSASignaturePadding GetSignaturePadding(string signingAlgorithm) { if (signingAlgorithm.StartsWith("RSASSA_PKCS1_V1_5")) { return RSASignaturePadding.Pkcs1; } else if (signingAlgorithm.StartsWith("RSASSA_PSS")) { return RSASignaturePadding.Pss; } else { return null; } } class SignatureGenerator : X509SignatureGenerator { public SignatureGenerator(string keyId, string signingAlgorithm, X509SignatureGenerator simpleGenerator) { this.keyId = keyId; this.signingAlgorithm = signingAlgorithm; this.simpleGenerator = simpleGenerator; } public override byte[] GetSignatureAlgorithmIdentifier(HashAlgorithmName hashAlgorithm) { HashAlgorithmName hashAlgorithmHere = GetHashAlgorithmName(signingAlgorithm); if (hashAlgorithm != hashAlgorithmHere) { throw new ArgumentException("Hash algorithm " + hashAlgorithm + "does not match signing algorithm " + signingAlgorithm, nameof(hashAlgorithm)); } return simpleGenerator.GetSignatureAlgorithmIdentifier(hashAlgorithm); } public override byte[] SignData(byte[] data, HashAlgorithmName hashAlgorithm) { HashAlgorithmName hashAlgorithmHere = GetHashAlgorithmName(signingAlgorithm); if (hashAlgorithm != hashAlgorithmHere) { throw new ArgumentException("Hash algorithm " + hashAlgorithm + "does not match signing algorithm " + signingAlgorithm, nameof(hashAlgorithm)); } using (var kmsClient = new AmazonKeyManagementServiceClient()) { SignRequest signRequest = new SignRequest() { SigningAlgorithm = signingAlgorithm, KeyId = keyId, MessageType = MessageType.RAW, Message = new MemoryStream(data) }; SignResponse signResponse = kmsClient.SignAsync(signRequest).Result; return signResponse.Signature.ToArray(); } } protected override PublicKey BuildPublicKey() { return simpleGenerator.PublicKey; } string keyId; string signingAlgorithm; X509SignatureGenerator simpleGenerator; }</script></div> </div>

CertificateUtils helper method

.NET offers its own means for the creation of certificate requests and self-signed certificates, the CertificateRequest class.

As with the BouncyCastle implementation in the Java example, this class also has the actual signature creation (for the self-signed certificate) delegated to a helper, which here is an X509SignatureGenerator instance. Obviously, .NET does not have a ready-to-use variant of that class for AWS KMS signing, so we have to provide one ourselves, the inner class SignatureGenerator in the .NET example. Fortunately, we can re-use .NET variants of X509SignatureGenerator for all methods except the actual SignData signing method.

Returning to our Java example, the AwsKmsContentSigner class used in the code above is this implementation of the BouncyCastle interface ContentSigner:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
public class AwsKmsContentSigner implements ContentSigner {
    final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    final String keyId;
    final SigningAlgorithmSpec signingAlgorithmSpec;
    final AlgorithmIdentifier signatureAlgorithm;
 
    public AwsKmsContentSigner(String keyId, SigningAlgorithmSpec signingAlgorithmSpec) {
        this.keyId = keyId;
        this.signingAlgorithmSpec = signingAlgorithmSpec;
        String signatureAlgorithmName = signingAlgorithmNameBySpec.get(signingAlgorithmSpec);
        if (signatureAlgorithmName == null)
            throw new IllegalArgumentException("Unknown signature algorithm " + signingAlgorithmSpec);
        this.signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithmName);
    }
 
    @Override
    public byte[] getSignature() {
        try (   KmsClient kmsClient = KmsClient.create() ) {
            SignRequest signRequest = SignRequest.builder()
                    .signingAlgorithm(signingAlgorithmSpec)
                    .keyId(keyId)
                    .messageType(MessageType.RAW)
                    .message(SdkBytes.fromByteArray(outputStream.toByteArray()))
                    .build();
            SignResponse signResponse = kmsClient.sign(signRequest);
            SdkBytes signatureSdkBytes = signResponse.signature();
            return signatureSdkBytes.asByteArray();
        } finally {
            outputStream.reset();
        }
    }
 
    @Override
    public OutputStream getOutputStream() {
        return outputStream;
    }
 
    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return signatureAlgorithm;
    }
 
    final static Map<SigningAlgorithmSpec, String> signingAlgorithmNameBySpec;
 
    static {
        signingAlgorithmNameBySpec = new HashMap<>();
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.ECDSA_SHA_256, "SHA256withECDSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.ECDSA_SHA_384, "SHA384withECDSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.ECDSA_SHA_512, "SHA512withECDSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256, "SHA256withRSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_384, "SHA384withRSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_512, "SHA512withRSA");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PSS_SHA_256, "SHA256withRSAandMGF1");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PSS_SHA_384, "SHA384withRSAandMGF1");
        signingAlgorithmNameBySpec.put(SigningAlgorithmSpec.RSASSA_PSS_SHA_512, "SHA512withRSAandMGF1");
    }
}

AwsContentSigner

For production purposes however, you'll usually want to use a certificate signed by a trusted Certificate Authority (CA). Similar to the example above you can create and sign a certificate request for your AWS KMS public key, send it to your CA of choice, and get back the certificate to use from them.

There’s no .NET equivalent of AwsKmsContentSigner.java since our .NET version of CertificateUtils doesn’t use BouncyCastle for certificate generation but instead uses the .NET X509SignatureGenerator, thus no BouncyCastle ContentSigner implementation is required.

Signing a PDF using an AWS KMS Key Pair

To sign a PDF with iText you need an implementation of the iText IExternalSignature or IExternalSignatureContainer interface. Here we use the former:

<div data-pym-src="https://itext.jdoodle.com/embed/itext" data-java-libs="com.itextpdf:itext7-core:latest.release,org.slf4j:slf4j-api:1.7.28,org.slf4j:slf4j-simple:1.7.28,com.itextpdf:pdfocr-tesseract4:latest.release" data-csharp-libs="itext7:latest.release" data-show-upload="false" data-hide-execute="true" data-max-uploads="3" data-max-file-size="5000000"> <div data-script-type="java"><script>public class AwsKmsSignature implements IExternalSignature { public AwsKmsSignature(String keyId) { this(keyId, a -> a != null && a.size() > 0 ? a.get(0) : null); } public AwsKmsSignature(String keyId, Function<List<SigningAlgorithmSpec>, SigningAlgorithmSpec> selector) { this.keyId = keyId; try ( KmsClient kmsClient = KmsClient.create() ) { GetPublicKeyRequest getPublicKeyRequest = GetPublicKeyRequest.builder() .keyId(keyId) .build(); GetPublicKeyResponse getPublicKeyResponse = kmsClient.getPublicKey(getPublicKeyRequest); signingAlgorithmSpec = selector.apply(getPublicKeyResponse.signingAlgorithms()); switch(signingAlgorithmSpec) { case ECDSA_SHA_256: case ECDSA_SHA_384: case ECDSA_SHA_512: case RSASSA_PKCS1_V1_5_SHA_256: case RSASSA_PKCS1_V1_5_SHA_384: case RSASSA_PKCS1_V1_5_SHA_512: case RSASSA_PSS_SHA_256: case RSASSA_PSS_SHA_384: case RSASSA_PSS_SHA_512: break; default: throw new IllegalArgumentException(String.format("Unknown signing algorithm: %s", signingAlgorithmSpec)); } } } @Override public String getDigestAlgorithmName() { switch(signingAlgorithmSpec) { case ECDSA_SHA_256: case RSASSA_PKCS1_V1_5_SHA_256: case RSASSA_PSS_SHA_256: return "SHA-256"; case ECDSA_SHA_384: case RSASSA_PKCS1_V1_5_SHA_384: case RSASSA_PSS_SHA_384: return "SHA-384"; case ECDSA_SHA_512: case RSASSA_PKCS1_V1_5_SHA_512: case RSASSA_PSS_SHA_512: return "SHA-512"; default: return null; } } @Override public String getSignatureAlgorithmName() { switch(signingAlgorithmSpec) { case ECDSA_SHA_256: case ECDSA_SHA_384: case ECDSA_SHA_512: return "ECDSA"; case RSASSA_PKCS1_V1_5_SHA_256: case RSASSA_PKCS1_V1_5_SHA_384: case RSASSA_PKCS1_V1_5_SHA_512: return "RSA"; case RSASSA_PSS_SHA_256: case RSASSA_PSS_SHA_384: case RSASSA_PSS_SHA_512: return "RSASSA-PSS"; default: return null; } } @Override public ISignatureMechanismParams getSignatureMechanismParameters() { switch (signingAlgorithmSpec) { case RSASSA_PSS_SHA_256: return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-256"); case RSASSA_PSS_SHA_384: return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-384"); case RSASSA_PSS_SHA_512: return RSASSAPSSMechanismParams.createForDigestAlgorithm("SHA-512"); case ECDSA_SHA_256: case ECDSA_SHA_384: case ECDSA_SHA_512: case RSASSA_PKCS1_V1_5_SHA_256: case RSASSA_PKCS1_V1_5_SHA_384: case RSASSA_PKCS1_V1_5_SHA_512: default: return null; } } @Override public byte[] sign(byte[] message) throws GeneralSecurityException { try ( KmsClient kmsClient = KmsClient.create() ) { SignRequest signRequest = SignRequest.builder() .signingAlgorithm(signingAlgorithmSpec) .keyId(keyId) .messageType(MessageType.RAW) .message(SdkBytes.fromByteArray(message)) .build(); SignResponse signResponse = kmsClient.sign(signRequest); return signResponse.signature().asByteArray(); } } final String keyId; final SigningAlgorithmSpec signingAlgorithmSpec; }</script></div> <div data-script-type="csharp"><script>public class AwsKmsSignature : IExternalSignature { public AwsKmsSignature(string keyId, Func<List<string>, string> selector) { this.keyId = keyId; using (var kmsClient = new AmazonKeyManagementServiceClient()) { GetPublicKeyRequest getPublicKeyRequest = new GetPublicKeyRequest() { KeyId = keyId }; GetPublicKeyResponse getPublicKeyResponse = kmsClient.GetPublicKeyAsync(getPublicKeyRequest).Result; List<string> signingAlgorithms = getPublicKeyResponse.SigningAlgorithms; signingAlgorithm = selector.Invoke(signingAlgorithms); switch(signingAlgorithm) { case "ECDSA_SHA_256": case "ECDSA_SHA_384": case "ECDSA_SHA_512": case "RSASSA_PKCS1_V1_5_SHA_256": case "RSASSA_PKCS1_V1_5_SHA_384": case "RSASSA_PKCS1_V1_5_SHA_512": case "RSASSA_PSS_SHA_256": case "RSASSA_PSS_SHA_384": case "RSASSA_PSS_SHA_512": break; default: throw new ArgumentException(String.Format("Unknown signing algorithm: {0}", signingAlgorithm)); } } } public string GetSignatureAlgorithmName() { switch (signingAlgorithm) { case "ECDSA_SHA_256": case "ECDSA_SHA_384": case "ECDSA_SHA_512": return "ECDSA"; case "RSASSA_PKCS1_V1_5_SHA_256": case "RSASSA_PKCS1_V1_5_SHA_384": case "RSASSA_PKCS1_V1_5_SHA_512": return "RSA"; case "RSASSA_PSS_SHA_256": case "RSASSA_PSS_SHA_384": case "RSASSA_PSS_SHA_512": return "RSASSA-PSS"; default: return null; } } public string GetDigestAlgorithmName() { switch (signingAlgorithm) { case "ECDSA_SHA_256": case "RSASSA_PKCS1_V1_5_SHA_256": case "RSASSA_PSS_SHA_256": return "SHA-256"; case "ECDSA_SHA_384": case "RSASSA_PKCS1_V1_5_SHA_384": case "RSASSA_PSS_SHA_384": return "SHA-384"; case "ECDSA_SHA_512": case "RSASSA_PKCS1_V1_5_SHA_512": case "RSASSA_PSS_SHA_512": return "SHA-512"; default: return null; } } public ISignatureMechanismParams GetSignatureMechanismParameters() { switch (signingAlgorithm) { case "RSASSA_PSS_SHA_256": return RSASSAPSSMechanismParams.CreateForDigestAlgorithm("SHA-256"); case "RSASSA_PSS_SHA_384": return RSASSAPSSMechanismParams.CreateForDigestAlgorithm("SHA-384"); case "RSASSA_PSS_SHA_512": return RSASSAPSSMechanismParams.CreateForDigestAlgorithm("SHA-512"); case "ECDSA_SHA_256": case "ECDSA_SHA_384": case "ECDSA_SHA_512": case "RSASSA_PKCS1_V1_5_SHA_256": case "RSASSA_PKCS1_V1_5_SHA_384": case "RSASSA_PKCS1_V1_5_SHA_512": default: return null; } } public byte[] Sign(byte[] message) { using (var kmsClient = new AmazonKeyManagementServiceClient()) { SignRequest signRequest = new SignRequest() { SigningAlgorithm = signingAlgorithm, KeyId=keyId, MessageType=MessageType.RAW, Message=new MemoryStream(message) }; SignResponse signResponse = kmsClient.SignAsync(signRequest).Result; return signResponse.Signature.ToArray(); } } string keyId; string signingAlgorithm; } }</script></div> </div>

AwsKmsSignature

In the constructor we select a signing algorithm available for the key in question. The single argument constructor simply takes the first algorithm from the available ones, the double argument constructor allows you to select a specific one.

getDigestAlgorithmName returns the name of the respective part of the signature algorithm, getSignatureMechanismParameters returns additional parameters where required, and sign simply creates a signature.

For .NET, the AwsKmsSignature class could be ported from Java with very little changes required.

Putting It Into Action

Assuming your AWS KMS signing key pair has the alias SigningExamples-ECC_NIST_P256 and is indeed an ECC_NIST_P256 key pair you can use the code above to sign a PDF like this:

TestSignSimple test testSignSimpleEcdsa

Signing a PDF Using an AWS KMS Key Pair: Redux

Above we used an implementation of IExternalSignature for signing. While that is the easiest way, it has some drawbacks: The class PdfPKCS7 used in this case is not very flexible, e.g. it doesn't allow to to add custom attributes to the signature.

To not be subject to these limitations, we here use an implementation of IExternalSignatureContainer instead in which we build the complete CMS signature container ourselves using only BouncyCastle functionality.

For .NET, while the AwsKmsSignatureContainer class uses BouncyCastle to build the CMS signature container to embed just like in the Java version, there are certain differences in the .NET BouncyCastle API. In particular one does not use an instance of ContentSigner for the actual signing but an instance of ISignatureFactory; that interface represents a factory of IStreamCalculator instances which in their function are equivalent to the ContentSigner in Java. The implementations of these interfaces are AwsKmsSignatureFactory and AwsKmsStreamCalculator in the .NET example.

<div data-pym-src="https://itext.jdoodle.com/embed/itext" data-java-libs="com.itextpdf:itext7-core:latest.release,org.slf4j:slf4j-api:1.7.28,org.slf4j:slf4j-simple:1.7.28,com.itextpdf:pdfocr-tesseract4:latest.release" data-csharp-libs="itext7:latest.release" data-show-upload="false" data-hide-execute="true" data-max-uploads="3" data-max-file-size="5000000"> <div data-script-type="java"><script>public class AwsKmsSignatureContainer implements IExternalSignatureContainer { public AwsKmsSignatureContainer(X509Certificate x509Certificate, String keyId) { this(x509Certificate, keyId, a -> a != null && a.size() > 0 ? a.get(0) : null); } public AwsKmsSignatureContainer(X509Certificate x509Certificate, String keyId, Function<List<SigningAlgorithmSpec>, SigningAlgorithmSpec> selector) { this.x509Certificate = x509Certificate; this.keyId = keyId; try ( KmsClient kmsClient = KmsClient.create() ) { GetPublicKeyRequest getPublicKeyRequest = GetPublicKeyRequest.builder() .keyId(keyId) .build(); GetPublicKeyResponse getPublicKeyResponse = kmsClient.getPublicKey(getPublicKeyRequest); signingAlgorithmSpec = selector.apply(getPublicKeyResponse.signingAlgorithms()); if (signingAlgorithmSpec == null) throw new IllegalArgumentException("KMS key has no signing algorithms"); contentSigner = new AwsKmsContentSigner(keyId, signingAlgorithmSpec); } } @Override public byte[] sign(InputStream data) throws GeneralSecurityException { try { CMSTypedData msg = new CMSTypedDataInputStream(data); X509CertificateHolder signCert = new X509CertificateHolder(x509Certificate.getEncoded()); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); gen.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()) .build(contentSigner, signCert)); gen.addCertificates(new JcaCertStore(Collections.singleton(signCert))); CMSSignedData sigData = gen.generate(msg, false); return sigData.getEncoded(); } catch (IOException | OperatorCreationException | CMSException e) { throw new GeneralSecurityException(e); } } @Override public void modifySigningDictionary(PdfDictionary signDic) { signDic.put(PdfName.Filter, new PdfName("MKLx_AWS_KMS_SIGNER")); signDic.put(PdfName.SubFilter, PdfName.Adbe_pkcs7_detached); } final X509Certificate x509Certificate; final String keyId; final SigningAlgorithmSpec signingAlgorithmSpec; final ContentSigner contentSigner; class CMSTypedDataInputStream implements CMSTypedData { InputStream in; public CMSTypedDataInputStream(InputStream is) { in = is; } @Override public ASN1ObjectIdentifier getContentType() { return PKCSObjectIdentifiers.data; } @Override public Object getContent() { return in; } @Override public void write(OutputStream out) throws IOException, CMSException { byte[] buffer = new byte[8 * 1024]; int read; while ((read = in.read(buffer)) != -1) { out.write(buffer, 0, read); } in.close(); } } }</script></div> <div data-script-type="csharp"><script> public class AwsKmsSignatureContainer : IExternalSignatureContainer { public AwsKmsSignatureContainer(X509Certificate x509Certificate, string keyId, Func<List<string>, string> selector) { this.x509Certificate = x509Certificate; this.keyId = keyId; using (var kmsClient = new AmazonKeyManagementServiceClient()) { GetPublicKeyRequest getPublicKeyRequest = new GetPublicKeyRequest() { KeyId = keyId }; GetPublicKeyResponse getPublicKeyResponse = kmsClient.GetPublicKeyAsync(getPublicKeyRequest).Result; List<string> signingAlgorithms = getPublicKeyResponse.SigningAlgorithms; this.signingAlgorithm = selector.Invoke(signingAlgorithms); if (signingAlgorithm == null) throw new ArgumentException("KMS key has no signing algorithms", nameof(keyId)); signatureFactory = new AwsKmsSignatureFactory(keyId, signingAlgorithm); } } public void ModifySigningDictionary(PdfDictionary signDic) { signDic.Put(PdfName.Filter, new PdfName("MKLx_AWS_KMS_SIGNER")); signDic.Put(PdfName.SubFilter, PdfName.Adbe_pkcs7_detached); } public byte[] Sign(Stream data) { CmsProcessable msg = new CmsProcessableInputStream(data); CmsSignedDataGenerator gen = new CmsSignedDataGenerator(); SignerInfoGenerator signerInfoGenerator = new SignerInfoGeneratorBuilder() .WithSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator()) .Build(signatureFactory, x509Certificate); gen.AddSignerInfoGenerator(signerInfoGenerator); IStore<X509Certificate> store =CollectionUtilities.CreateStore(new List<X509Certificate> { x509Certificate }); gen.AddCertificates(store); CmsSignedData sigData = gen.Generate(msg, false); return sigData.GetEncoded(); } X509Certificate x509Certificate; String keyId; string signingAlgorithm; ISignatureFactory signatureFactory; } class AwsKmsSignatureFactory : ISignatureFactory { private string keyId; private string signingAlgorithm; private AlgorithmIdentifier signatureAlgorithm; public AwsKmsSignatureFactory(string keyId, string signingAlgorithm) { this.keyId = keyId; this.signingAlgorithm = signingAlgorithm; string signatureAlgorithmName = signingAlgorithmNameBySpec[signingAlgorithm]; if (signatureAlgorithmName == null) throw new ArgumentException("Unknown signature algorithm " + signingAlgorithm, nameof(signingAlgorithm)); // Special treatment because of issue https://github.com/bcgit/bc-csharp/issues/250 switch (signatureAlgorithmName.ToUpperInvariant()) { case "SHA256WITHECDSA": this.signatureAlgorithm = new AlgorithmIdentifier(X9ObjectIdentifiers.ECDsaWithSha256); break; case "SHA512WITHECDSA": this.signatureAlgorithm = new AlgorithmIdentifier(X9ObjectIdentifiers.ECDsaWithSha512); break; default: this.signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder().Find(signatureAlgorithmName); break; } } public object AlgorithmDetails => signatureAlgorithm; public IStreamCalculator<IBlockResult> CreateCalculator() { return new AwsKmsStreamCalculator(keyId, signingAlgorithm); } static Dictionary<string, string> signingAlgorithmNameBySpec = new Dictionary<string, string>() { { "ECDSA_SHA_256", "SHA256withECDSA" }, { "ECDSA_SHA_384", "SHA384withECDSA" }, { "ECDSA_SHA_512", "SHA512withECDSA" }, { "RSASSA_PKCS1_V1_5_SHA_256", "SHA256withRSA" }, { "RSASSA_PKCS1_V1_5_SHA_384", "SHA384withRSA" }, { "RSASSA_PKCS1_V1_5_SHA_512", "SHA512withRSA" }, { "RSASSA_PSS_SHA_256", "SHA256withRSAandMGF1"}, { "RSASSA_PSS_SHA_384", "SHA384withRSAandMGF1"}, { "RSASSA_PSS_SHA_512", "SHA512withRSAandMGF1"} }; } class AwsKmsStreamCalculator : IStreamCalculator<IBlockResult> { private string keyId; private string signingAlgorithm; private MemoryStream stream = new MemoryStream(); public AwsKmsStreamCalculator(string keyId, string signingAlgorithm) { this.keyId = keyId; this.signingAlgorithm = signingAlgorithm; } public Stream Stream => stream; public IBlockResult GetResult() { try { using (var kmsClient = new AmazonKeyManagementServiceClient()) { SignRequest signRequest = new SignRequest() { SigningAlgorithm = signingAlgorithm, KeyId = keyId, MessageType = MessageType.RAW, Message = new MemoryStream(stream.ToArray()) }; SignResponse signResponse = kmsClient.SignAsync(signRequest).Result; return new SimpleBlockResult(signResponse.Signature.ToArray()); } } finally { stream = new MemoryStream(); } } }</script></div> </div>

A wsKmsSignatureContainer

Putting It Into Action: Redux

Assuming you have an AWS KMS signing RSA_2048 key pair which has the alias SigningExamples-RSA_2048 you can use the code above like this to sign a PDF using RSASSA-PSS:

TestSignSimple test testSignSimpleRsaSsaPssExternal

with this selector function for Java:

1
2
3
4
5
6
static SigningAlgorithmSpec selectRsaSsaPss (List<SigningAlgorithmSpec> specs) {
    if (specs != null)
        return specs.stream().filter(spec -> spec.toString().startsWith("RSASSA_PSS")).findFirst().orElse(null);
    else
        return null;
}

For .NET, since the C# AWS KMS API works with String representations of the algorithm the corresponding expression on the C# side is:

1
Func<System.Collections.Generic.List<string>, string> selector = list => list.Find(name => name.StartsWith("RSASSA_PSS"));

Final Thoughts and Mass-Signing Considerations

If you plan to do mass-signing using AWS KMS, you should be aware of the request quotas established by AWS KMS for some of its operations:

Quota Name	Default value (per second)
Cryptographic operations (RSA) request rate	500 (shared) for RSA CMKs
Cryptographic operations (ECC) request rate	300 (shared) for elliptic curve (ECC) CMKs
GetPublicKey request rate	5

(excerpt from "AWS Key Management Service Developer Guide" / "Quotas" / "Request Quotas" / "Request quotas for each AWS KMS API operation" viewed 1/28/2021)

The RSA and ECC cryptographic operations request rates are probably not a problem. Or more to the point, if they are a problem, AWS KMS is most likely not the right signing product for your needs. You should instead look for actual HSMs, be they physical or as-a-service, e.g., AWS CloudHSM.

The GetPublicKey request rate on the other hand may well be a problem: Both the AwsKmsSignature and AwsKmsSignatureContainer constructors respectively call that method. Naive mass-signing code based on them, would therefore be limited to 5 signatures per second.

Depending on your use case there are different strategies to tackle this problem.

If very few instances of your signing code are running concurrently and they are using only a very few different keys, you can simply re-use your AwsKmsSignature and AwsKmsSignatureContainer objects, either creating them at start-up or on-demand, and then caching them.

Otherwise, you should refactor the use of the GetPublicKey method outside of the AwsKmsSignature and AwsKmsSignatureContainer constructors. It is used inside there only to determine which AWS KMS signing algorithm identifier to use when signing with the key in question. Obviously, you can instead store that identifier together with the key identifier, making that GetPublicKey call unnecessary.

Conclusion

We hope you have found this article and its code examples useful if you’ve run into issues when using the AWS KMS or equivalent services. Once again, we’d like to thank Michael Klink for taking the time to port his Java examples from the initial Stack Overflow question to .NET, and indeed for his many contributions to the iText community.

Main image

Using iText and AWS KMS teaser

Promoted to home page text

Newest blog: Digitally sign a PDF using AWS KMS and iText

AWS

iText DITO Now Available in AWS Marketplace, Offering Intuitive PDF Design and Generation Capabilities to a Wider Audience