Digital signing with custom hash Leave feedback
On this page
GroupDocs.Signature provides the ability to customize the hash algorithm used for digital signatures. This is particularly useful when you need to use specific cryptographic standards or have compliance requirements.
Here’s how to implement digital signing with a custom hash algorithm:
public void SignDocument()
{
string certFilePath = "cert.pfx";
string sampleFilePath = "sample.pdf";
string sampleOutputFilePath = "signed.pdf";
using (Signature.Signature signature = new Signature.Signature(sampleFilePath))
{
// initialize digital option with certificate file path
DigitalSignOptions options = new DigitalSignOptions(certFilePath)
{
// certificate password
Password = "1234567890",
// digital certificate details
Reason = "Sign",
Contact = "JohnSmith",
Location = "Office1",
AllPages = true,
Width = 80,
Height = 60,
VerticalAlignment = VerticalAlignment.Bottom,
HorizontalAlignment = HorizontalAlignment.Right,
Margin = new Padding() { Bottom = 10, Right = 10 },
HashAlgorithm = HashAlgorithm.Sha256
};
options.CustomSignHash = new CustomDigitalSigner();
signature.Sign(sampleOutputFilePath, options);
}
}
public class CustomDigitalSigner : ICustomSignHash
{
public byte[] CustomSignHash(
byte[] signableHash,
HashAlgorithm hashAlgorithm,
SignatureContext signatureContext)
{
string inputP12 = "";
var inputPfxPassword = "1234567890";
X509Certificate2 signerCert = new X509Certificate2(
inputP12,
inputPfxPassword,
X509KeyStorageFlags.Exportable);
RSACryptoServiceProvider rsaCSP = new RSACryptoServiceProvider();
var xmlString = signerCert.PrivateKey.ToXmlString(true);
rsaCSP.FromXmlString(xmlString);
byte[] signedData = rsaCSP.SignData(signableHash, hashAlgorithm);
return signedData;
}
}
Let’s break down the implementation into clear steps:
Setup the Signature Environment
string certFilePath = "cert.pfx"; string sampleFilePath = "sample.pdf"; string sampleOutputFilePath = "signed.pdf"; using (Signature.Signature signature = new Signature.Signature(sampleFilePath))- Define paths for your certificate, input document, and output file
- Create a new
Signatureinstance with your input document
Configure Digital Signature Options
DigitalSignOptions options = new DigitalSignOptions(certFilePath) { Password = "1234567890", Reason = "Sign", Contact = "JohnSmith", Location = "Office1", AllPages = true, Width = 80, Height = 60, VerticalAlignment = VerticalAlignment.Bottom, HorizontalAlignment = HorizontalAlignment.Right, Margin = new Padding() { Bottom = 10, Right = 10 }, HashAlgorithm = HashAlgorithm.Sha256 };- Create
DigitalSignOptionswith your certificate file - Set basic signature properties (password, reason, contact, location)
- Configure visual appearance (size, position, alignment)
- Specify the hash algorithm (SHA-256 in this example)
- Create
Implement Custom Hash Signing
options.CustomSignHash = new CustomDigitalSigner();- Assign your custom hash implementation to the options
Create Custom Hash Implementation
public class CustomDigitalSigner : ICustomSignHash { public byte[] CustomSignHash( byte[] signableHash, HashAlgorithm hashAlgorithm, SignatureContext signatureContext) { // Load certificate string inputP12 = ""; var inputPfxPassword = "1234567890"; X509Certificate2 signerCert = new X509Certificate2( inputP12, inputPfxPassword, X509KeyStorageFlags.Exportable); // Setup RSA provider RSACryptoServiceProvider rsaCSP = new RSACryptoServiceProvider(); var xmlString = signerCert.PrivateKey.ToXmlString(true); rsaCSP.FromXmlString(xmlString); // Sign the hash byte[] signedData = rsaCSP.SignData(signableHash, hashAlgorithm); return signedData; } }- Implement
ICustomSignHashinterface - Load your certificate with proper password and flags
- Configure RSA provider with the certificate’s private key
- Sign the hash using the specified algorithm
- Implement
Apply the Signature
signature.Sign(sampleOutputFilePath, options);- Call the
Signmethod with your output path and options - The document will be signed using your custom hash implementation
- Call the
- Make sure your certificate file is valid and accessible
- Keep your certificate password secure and never hardcode it in production code
- The custom hash implementation should handle the signing process securely
- Consider implementing proper error handling in production code
- The hash algorithm specified in options should match your security requirements
Hash algorithms are cryptographic functions that convert data of any size into a fixed-size output (hash value). In digital signatures, hash algorithms play a crucial role in ensuring document integrity and authenticity. Here’s how they work:
- The document content is processed through the hash algorithm to generate a unique hash value
- This hash value is then encrypted with the signer’s private key
- The encrypted hash becomes part of the digital signature
- When verifying the signature, the same hash algorithm is used to ensure the document hasn’t been tampered with
GroupDocs.Signature provides several hash algorithms for digital signing, each offering different levels of security and performance. Here are the available options:
Auto Selection: The system automatically chooses the most appropriate hash algorithm based on your document type and security requirements.
SHA-1:
- Produces a 160-bit (20-byte) hash value
- Widely supported but considered less secure for modern applications
- Best for legacy system compatibility
SHA-256:
- Produces a 256-bit (32-byte) hash value
- Currently recommended for most applications
- Provides a good balance of security and performance
- Widely supported across modern systems
SHA-384:
- Produces a 384-bit (48-byte) hash value
- Offers enhanced security compared to SHA-256
- Suitable for high-security applications
- May require more computational resources
SHA-512:
- Produces a 512-bit (64-byte) hash value
- Provides the highest level of security among available options
- Best for applications requiring maximum security
- Requires the most computational resources
GroupDocs.Signature supports integration with Azure Key Vault for secure digital signing. This approach is particularly useful for cloud-based applications where you want to keep your signing keys secure in Azure Key Vault.
Here’s how to implement PDF signing using Azure Key Vault:
public static void SignUsingAzureKeyVault()
{
string sampleFilePath = "sample.pdf";
string sampleOutputFilePath = "signed.pdf";
using (Signature signature = new Signature(sampleFilePath))
{
// initialize digital option with certificate file path
DigitalSignOptions options = new DigitalSignOptions()
{
Signature = new DigitalSignature(),
// certificate password
Password = "1234567890",
// digital certificate details
Reason = "Sign",
Contact = "JohnSmith",
Location = "Office1",
AllPages = true,
Width = 80,
Height = 60,
VerticalAlignment = VerticalAlignment.Bottom,
HorizontalAlignment = HorizontalAlignment.Right,
Margin = new Padding() { Bottom = 10, Right = 10 },
HashAlgorithm = HashAlgorithm.Sha256
};
var azureSigner = new AzureSigner();
options.CustomSignHash = azureSigner;
options.Signature.Certificate = azureSigner.GetPublicCertificateFromAzureStorage();
signature.Sign(sampleOutputFilePath, options);
}
}
public class AzureSigner : ICustomSignHash
{
public byte[] CustomSignHash(
byte[] hash,
HashAlgorithm hashAlgorithm,
SignatureContext signatureContext)
{
return SignWithAzure(hash);
}
private static byte[] SignWithAzure(byte[] signableHash)
{
var credential = GetAzureSecretCredential();
var certificateKeyId = "https://...";
CryptographyClient client = new CryptographyClient(
new Uri(certificateKeyId),
credential);
var result = client.Sign(SignatureAlgorithm.RS256, signableHash);
return result.Signature;
}
static ClientSecretCredential GetAzureSecretCredential()
{
string tenantId = "your tenantId";
string clientId = "your clientId";
string secret = "your secret";
ClientSecretCredential credential = new ClientSecretCredential(
tenantId,
clientId,
secret);
return credential;
}
public X509Certificate2 GetPublicCertificateFromAzureStorage()
{
string vaultUri = "https://test.vault.azure.net/";
var credential = GetAzureSecretCredential();
X509Certificate2 pubCertificate = GetPublicCertificateFromAzureStorage(
credential,
vaultUri);
return pubCertificate;
}
static X509Certificate2 GetPublicCertificateFromAzureStorage(
ClientSecretCredential credential,
string uri)
{
//Create certificate client.
CertificateClient certificateClient = new CertificateClient(
new Uri(uri),
credential);
//Get the certificate with public key.
KeyVaultCertificateWithPolicy certificate = certificateClient
.GetCertificateAsync("Certificate")
.Result;
//Create and return the X509Certificate2.
return new X509Certificate2(certificate.Cer);
}
}
Setup Azure Key Vault
- Create an Azure Key Vault instance
- Upload your signing certificate to the Key Vault
- Configure access policies for your application
Configure Azure Credentials
static ClientSecretCredential GetAzureSecretCredential() { string tenantId = "your tenantId"; string clientId = "your clientId"; string secret = "your secret"; return new ClientSecretCredential(tenantId, clientId, secret); }- Register your application in Azure AD
- Get the tenant ID, client ID, and client secret
- Create a credential object for Azure Key Vault access
Retrieve Certificate
public X509Certificate2 GetPublicCertificateFromAzureStorage() { string vaultUri = "https://test.vault.azure.net/"; var credential = GetAzureSecretCredential(); return GetPublicCertificateFromAzureStorage(credential, vaultUri); }- Connect to your Azure Key Vault
- Retrieve the public certificate for signature verification
Implement Custom Signing
private static byte[] SignWithAzure(byte[] signableHash) { var credential = GetAzureSecretCredential(); var certificateKeyId = "https://..."; CryptographyClient client = new CryptographyClient(new Uri(certificateKeyId), credential); var result = client.Sign(SignatureAlgorithm.RS256, signableHash); return result.Signature; }- Create a cryptography client
- Sign the hash using the Azure Key Vault key
- Return the signed data
Access Control
- Use managed identities when possible
- Implement least privilege access
- Regularly rotate credentials
Certificate Management
- Keep certificates up to date
- Monitor certificate expiration
- Implement certificate rotation procedures
Network Security
- Use private endpoints when possible
- Implement proper network security groups
- Monitor access logs
Error Handling
- Implement proper exception handling
- Log security events
- Monitor for suspicious activities
When choosing a hash algorithm for digital signatures, consider the following:
- Security Level: SHA256 and above are recommended for modern applications as they provide better security than SHA1 or MD5.
- Compatibility: Ensure the chosen algorithm is compatible with your target systems and compliance requirements.
- Performance: While stronger algorithms provide better security, they may require more computational resources.
You may easily run the code above and see the feature in action in our GitHub examples:
- GroupDocs.Signature for .NET examples, plugins, and showcase
- GroupDocs.Signature for Java examples, plugins, and showcase
- Document Signature for .NET MVC UI Example
- Document Signature for .NET App WebForms UI Example
- Document Signature for Java App Dropwizard UI Example
- Document Signature for Java Spring UI Example
Along with the full-featured .NET library, we provide simple but powerful free online apps.
To sign PDF, Word, Excel, PowerPoint, and other documents you can use the online apps from the GroupDocs.Signature App Product Family.
Was this page helpful?
Any additional feedback you'd like to share with us?
Please tell us how we can improve this page.
Thank you for your feedback!
We value your opinion. Your feedback will help us improve our documentation.
