PDF Signing - PCKS7 - How to set up signature policy? RRS feed

  • Question

  • Hi,.

    I'm working on a projet where I need to digitaly sign a PDF file using CADES enveloped PKCS7.

    Anything was going well. I can generate the .p7s signed file showing the original files. But I need set up a signature policy used by ICP Brasil (PA_AD_RB) and all the attributes needed for it. So I need to do these next steps and don't find how to anywherer:

    1-insert the signature policy attribute (SigPolicyAttribute)

    2-insert the SigningCertificateV3 attribute (I think this is from CADES.. maybe any misconfiguring here)

    This is the code I'm using today to do this work:

                byte[] data = File.ReadAllBytes(inputPDF);
                ContentInfo content = new ContentInfo(data);
                SignedCms signedCms = new SignedCms(content, false);
                CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, myCert);
                signer.IncludeOption = X509IncludeOption.WholeChain;
                signer.SignedAttributes.Add(new Pkcs9SigningTime());
                byte[] signeddata = signedCms.Encode();
                File.WriteAllBytes(outputPDF + ".p7s", signeddata);

    The Oid from signature policy I need is and it's URL is

    Any help will be very nice

    Thanks is advance for all.


    Sunday, July 14, 2019 9:43 PM

All replies

  • Hi Cladiney,

    Thank you for posting here.

    According to your description, you want to sign the pdf file with PCKS7.

    I want to know what is myCert in your code. Could you tell me what happened after you running the code?

    Based my search, the following link is helpful for you.

    Note:This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; Therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Monday, July 15, 2019 9:13 AM
  • Hi Jack.

    Thank you a lot for your answer.

    You're right. I need to sign the pdf with PKCS7. 

    The link you sent me was exactly what I used as reference. And it's working fine. Just after this code run I have the .p7s file showing the original file when open on Adobe Reader and showing the signature when open with any verification software.

    The problem is that I can't set up the signature policy, and so the signature is incomplete according to the policy set by ICP Brasil ( - in portuguese). 

    I've tried using iTextSharp first and it has a parameter to set this poliy. But I couldn't generate the enveloped file. And didn't find any example too.

    Here it's all working. But only this policy and it's attributes none.

    In this code I've sent there's some local variables

    inputPDF - string with path to file to sign

    outputPDF - string with path to generate the signed file.

    myCert - X509Certificate2 with the certificate used to sign (from pfx or selected from repository)


    Here you have an image of a validation software I'm using here with a pdf signed file with the correct attributes and policy and the signed pdf:!AsLSRkGbtoksjLU9-a-OYzg2pYVu0w?e=KcIvpD!AsLSRkGbtoksjLU_aNiQoKr7vGgYBQ?e=9vsXAL

    And here's one with my signed file:!AsLSRkGbtoksjLU-xW9DoAfDl2_gIQ?e=qOWrvs!AsLSRkGbtoksjLVATdPOLQrehQEVEg?e=GFXSGG

    Thank you very much for your support.


    Monday, July 15, 2019 6:08 PM
  • Hi Claudiney,

    Thanks for the feedback.

    Now I have known your problem. However, I still have some questions to ask.

    First, how do you get the correct.PDF.7ps file? I want to know its principle of production.

    Second, could you tell me what is Registradores software?

    Finally, this is an English forum, I suggest that you could use English to express your thought in picture.

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact

    Tuesday, July 16, 2019 7:12 AM
  • Hi Jack,

    thank you once more.

    That correct file I signed using the Registradores software. It's a signer and validating software I'm using here to compare.

    I'm sorry this software do not have an english version. That's why it's in portuguese. But anything you are in doubt please ask me and I'll tell you.

    In the images I marked some things:

    CAdES is the standart used to sign. That's ok with my file.

    Assinatura digital com referência básica - Digital Signature with basic reference is the signature policy set by ICP Brasil, responsable for the standards on digital signature here.

    SigPolicyIdAttribute and SigningCertificateV2 are the two attributes that I need to insert in my signature. First one has the policy attribute and the second one is required by the policy. Using iTextSharp it inserts SigningCertificateV2 automatically once I set the signature as CAdES. The SigPolicyAttribute it has a class to set up this, where I inform the Oid, hash and URL from the policy, all data from ICP Brasil description.

    That's my problem. How to insert these attributes on my signature.

    Here you have how to set up this on iTextSharp:

            byte[] policyHash = Encoding.UTF8.GetBytes("e98bc76b0149e632cd639de76682ee72d97f927c255c28b04a3dbcfec632285f");
            SignaturePolicyInfo spi = new SignaturePolicyInfo("", policyHash, DigestAlgorithms.SHA256, "");

    I think there's a way to insert these attributes on signedCMS too. Or there's any other way to sign the file with these attributes. I'v just tried to use CmsSigner.SignedAttributes.Add function to do this, but with no success. I just insert the signing date using this, but none about the policy.

    Please, feel free to ask me any other information you need. 

    Thank you for your help.


    Tuesday, July 16, 2019 12:29 PM