# From cratch implementation EC signature embbeded in PDF metadata
**Authors: Asgard Andrés Mendoza Flores <br> Diego Gutiérrez Vargas**

In [2]:
import asyncio
import nest_asyncio
nest_asyncio.apply()
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization, hashes
from pyhanko.sign import signers
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter


# Firma de documentos

## 1. Carga de las llaves

In [16]:
# En un caso real se debería usar un archivo de clave privada proporicionado por el socio
private_key_path = r"C:\Users\asgar\private.key"
with open(private_key_path, "rb") as f:
    private_key = serialization.load_pem_private_key(
        f.read(),
        password=None  # If your key has a password, provide it here
    )
pem = private_key.private_bytes(
   encoding=serialization.Encoding.PEM,
   format=serialization.PrivateFormat.TraditionalOpenSSL,
   encryption_algorithm=serialization.NoEncryption()
)
pem.splitlines()

[b'-----BEGIN EC PRIVATE KEY-----',
 b'MHcCAQEEIOBl+X2+UYHTx8eXhZffUHWk9adagxvb8f5XMOndHrMpoAoGCCqGSM49',
 b'AwEHoUQDQgAE5SSU/bzbj1Ch/EyIhZISfO6TFwjXMwt/eP8RI0SOYXyDOoULj3Lz',
 b'Jv8GHC1KW0qGy5CDOkXZw5e931JhczG+8A==',
 b'-----END EC PRIVATE KEY-----']

In [6]:
import os
from cryptography.hazmat.primitives import serialization

# 1) Ruta exacta a tu llave privada
private_key_path = r"C:\Users\DAVIDOmenlap\Desktop\iwo\private.key"

# 2) Comprobación de existencia
if not os.path.isfile(private_key_path):
    raise FileNotFoundError(f"No se encontró 'private.key' en: {private_key_path}")

# 3) Carga de la clave y generación del PEM
with open(private_key_path, "rb") as f:
    key_data = f.read()
    private_key = serialization.load_pem_private_key(
        key_data,
        password=None  # si tu clave tuviera contraseña, pon aquí b"tu_password"
    )

pem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.TraditionalOpenSSL,
    encryption_algorithm=serialization.NoEncryption()
)

# 4) Impresión línea a línea del PEM
print("=== PEM de la clave privada ===")
for line in pem.splitlines():
    print(line.decode())


=== PEM de la clave privada ===
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOBl+X2+UYHTx8eXhZffUHWk9adagxvb8f5XMOndHrMpoAoGCCqGSM49
AwEHoUQDQgAE5SSU/bzbj1Ch/EyIhZISfO6TFwjXMwt/eP8RI0SOYXyDOoULj3Lz
Jv8GHC1KW0qGy5CDOkXZw5e931JhczG+8A==
-----END EC PRIVATE KEY-----


## 2. Generación de la firma 

In [8]:
import os
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric import ec

# 1) Carpeta donde tienes la key y el PDF
folder = r"C:\Users\DAVIDOmenlap\Desktop\iwo"

# 2) Comprueba su contenido y detecta el PDF
print("Contenido de carpeta:", os.listdir(folder))
pdf_files = [f for f in os.listdir(folder) if f.lower().endswith(".pdf")]
if not pdf_files:
    raise FileNotFoundError(f"No se encontró ningún PDF en {folder}")
# Si hay varios, escogemos el primero (o cámbialo por el nombre exacto)
pdf_filename = pdf_files[0]

# 3) Rutas completas
private_key_path = os.path.join(folder, "private.key")
pdf_path         = os.path.join(folder, pdf_filename)

# 4) Verificaciones
if not os.path.isfile(private_key_path):
    raise FileNotFoundError(f"No se encontró la clave en: {private_key_path}")
if not os.path.isfile(pdf_path):
    raise FileNotFoundError(f"No se encontró el PDF en: {pdf_path}")

# 5) Carga de la clave privada
with open(private_key_path, "rb") as f:
    key_data = f.read()
    private_key = serialization.load_pem_private_key(
        key_data,
        password=None  # si tu key tuviera pass, pon aquí b"tu_password"
    )

# 6) Genera la firma del PDF usando ECDSA + SHA256
with open(pdf_path, "rb") as f:
    pdf_data = f.read()

signature = private_key.sign(
    pdf_data,
    ec.ECDSA(hashes.SHA256())
)

# 7) Muestra un resumen
print(f"PDF firmado: {pdf_filename}")
print("Firma (hex, primeros 64 bytes):", signature[:64].hex(), "…")


Contenido de carpeta: ['Firma digital.ipynb', 'Optimization_of_the_Restoration_Process_in_the_Mexican_Plateau (2).pdf', 'private.key']
PDF firmado: Optimization_of_the_Restoration_Process_in_the_Mexican_Plateau (2).pdf
Firma (hex, primeros 64 bytes): 30440220207674e3e8e7a462d908f3dc5616041b3aed524c2752e71232e3e2a4e720edbc02200f28b1614d90ebe20cba87842c87814f31c0dc0fcbd550f85325 …


## 3. Embedding de la firma al archivo

In [18]:
async def async_demo(signer, fname):
    with open(fname, 'rb') as doc:
        w = IncrementalPdfFileWriter(doc)
        out = await signers.async_sign_pdf(
            w, signers.PdfSignatureMetadata(field_name='Signature1'),
            signer=signer,
        )

        return out

cms_signer = signers.SimpleSigner.load(
    r"C:\Users\asgar\private.key", r"C:\Users\asgar\certificate.pem",    
    key_passphrase=None
)
signed_pdf = asyncio.run(async_demo(cms_signer, pdf_path))

# Save signed PDF to a new file
signed_pdf_path = r"C:\Users\asgar\Downloads\Documento_Firmado.pdf"
with open(signed_pdf_path, 'wb') as f:
    f.write(signed_pdf.getvalue())

In [11]:
import os
import asyncio
import nest_asyncio

from pyhanko.sign import signers
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter

# 0) Habilita bucle de eventos en Jupyter
nest_asyncio.apply()

# 1) Carpeta donde están todos tus archivos
folder = r"C:\Users\DAVIDOmenlap\Desktop\iwo"

# 2) Lista el contenido para que veas qué archivos hay
print("Contenido de 'iwo':", os.listdir(folder))

# 3) Detecta tu certificado (.pem, .cer o .crt)
cert_candidates = [
    f for f in os.listdir(folder)
    if f.lower().endswith(('.pem', '.cer', '.crt'))
]
if not cert_candidates:
    raise FileNotFoundError(
        "No encontré ningún archivo .pem/.cer/.crt en 'iwo'.\n"
        "Por favor copia ahí tu certificado (por ejemplo certificate.pem)."
    )
cert_filename = cert_candidates[0]
print("Usando certificado:", cert_filename)

# 4) Construye las rutas
private_key_path = os.path.join(folder, "private.key")
cert_path        = os.path.join(folder, cert_filename)
input_pdf_path   = os.path.join(folder,
    "Optimization_of_the_Restoration_Process_in_the_Mexican_Plateau (2).pdf"
)
signed_pdf_path  = os.path.join(folder, "Documento_Firmado.pdf")

# 5) Verifica existencia
for path in (private_key_path, cert_path, input_pdf_path):
    if not os.path.isfile(path):
        raise FileNotFoundError(f"No se encontró: {path}")

# 6) Crea el signer
cms_signer = signers.SimpleSigner.load(
    private_key_path,
    cert_path,
    key_passphrase=None
)

# 7) Función asíncrona para firmar
async def async_sign_pdf(signer, pdf_in):
    with open(pdf_in, "rb") as inf:
        writer = IncrementalPdfFileWriter(inf)
        signed = await signers.async_sign_pdf(
            writer,
            signers.PdfSignatureMetadata(field_name="Signature1"),
            signer=signer
        )
    return signed

# 8) Ejecuta la firma
signed_out = asyncio.run(async_sign_pdf(cms_signer, input_pdf_path))

# 9) Guarda el PDF firmado
with open(signed_pdf_path, "wb") as outf:
    outf.write(signed_out.getvalue())

print(f"\n✅ PDF firmado y guardado en:\n   {signed_pdf_path}")


Contenido de 'iwo': ['certificate.pem', 'Firma digital.ipynb', 'Optimization_of_the_Restoration_Process_in_the_Mexican_Plateau (2).pdf', 'private.key']
Usando certificado: certificate.pem

✅ PDF firmado y guardado en:
   C:\Users\DAVIDOmenlap\Desktop\iwo\Documento_Firmado.pdf


# Validación de firma del archivo firmado

In [13]:
import os
from pyhanko.keys import load_cert_from_pemder
from pyhanko_certvalidator import ValidationContext
from pyhanko.pdf_utils.reader import PdfFileReader
from pyhanko.sign.validation import validate_pdf_signature

folder = r"C:\Users\DAVIDOmenlap\Desktop\iwo"
cert_path = os.path.join(folder, "certificate.pem")
signed_pdf_path = os.path.join(folder, "Documento_Firmado.pdf")

# 1) Verifica existencia
for p in (cert_path, signed_pdf_path):
    if not os.path.isfile(p):
        raise FileNotFoundError(f"No se encontró: {p}")

# 2) Carga tu certificado raíz y configura el contexto de validación
root_cert = load_cert_from_pemder(cert_path)
vc = ValidationContext(trust_roots=[root_cert])

# 3) Abre el PDF Y valida la firma antes de cerrar el archivo
with open(signed_pdf_path, "rb") as f:
    reader = PdfFileReader(f)
    sig = reader.embedded_signatures[0]
    status = validate_pdf_signature(sig, vc)
    print(status.pretty_print_details())


Signer info
-----------
Certificate subject: "Common Name: ., Organizational Unit: ., Organization: Casa Monarca, Locality: Monterrey, State/Province: Nuevo-Leon, Country: MX"
Certificate SHA1 fingerprint: 065a380371a4d297a66f01741fb48d3ae011d344
Certificate SHA256 fingerprint: 3f97a19f0d41b81cc3893ab0273e00524099d8c9b12f549eedc089ad2f205610
Trust anchor: "Common Name: ., Organizational Unit: ., Organization: Casa Monarca, Locality: Monterrey, State/Province: Nuevo-Leon, Country: MX"
The signer's certificate is trusted.


Integrity
---------
The signature is cryptographically sound.

The digest algorithm used was 'sha256'.
The signature mechanism used was 'sha256_ecdsa'.
The elliptic curve used for the signer's ECDSA public key was 'secp256r1' (OID: 1.2.840.10045.3.1.7).


Signing time
------------
Signing time as reported by signer: 2025-05-27T12:30:00+00:00


Modifications
-------------
The signature covers the entire file.


Bottom line
-----------
The signature is judged VALID.


