# From cratch implementation EC signature embbeded in PDF metadata
**Authors: Asgard Andrés Mendoza Flores <br> Diego Gutiérrez Vargas**

In [15]:
import asyncio
import nest_asyncio
nest_asyncio.apply()
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization, hashes
from pyhanko.sign import signers
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter


# Firma de documentos

## 1. Carga de las llaves

In [16]:
# En un caso real se debería usar un archivo de clave privada proporicionado por el socio
private_key_path = r"C:\Users\asgar\private.key"
with open(private_key_path, "rb") as f:
    private_key = serialization.load_pem_private_key(
        f.read(),
        password=None  # If your key has a password, provide it here
    )
pem = private_key.private_bytes(
   encoding=serialization.Encoding.PEM,
   format=serialization.PrivateFormat.TraditionalOpenSSL,
   encryption_algorithm=serialization.NoEncryption()
)
pem.splitlines()

[b'-----BEGIN EC PRIVATE KEY-----',
 b'MHcCAQEEIOBl+X2+UYHTx8eXhZffUHWk9adagxvb8f5XMOndHrMpoAoGCCqGSM49',
 b'AwEHoUQDQgAE5SSU/bzbj1Ch/EyIhZISfO6TFwjXMwt/eP8RI0SOYXyDOoULj3Lz',
 b'Jv8GHC1KW0qGy5CDOkXZw5e931JhczG+8A==',
 b'-----END EC PRIVATE KEY-----']

## 2. Generación de la firma 

In [17]:
# Se carga el archivo PDF que se va a firmar
pdf_path = r"C:\Users\asgar\Downloads\Optimization_of_the_Restoration_Process_in_the_Mexican_Plateau (2).pdf"
with open(pdf_path, "rb") as f:
    pdf_data = f.read()
signature = private_key.sign(
    pdf_data,
    ec.ECDSA(hashes.SHA256())
)

## 3. Embedding de la firma al archivo

In [18]:
async def async_demo(signer, fname):
    with open(fname, 'rb') as doc:
        w = IncrementalPdfFileWriter(doc)
        out = await signers.async_sign_pdf(
            w, signers.PdfSignatureMetadata(field_name='Signature1'),
            signer=signer,
        )

        return out

cms_signer = signers.SimpleSigner.load(
    r"C:\Users\asgar\private.key", r"C:\Users\asgar\certificate.pem",    
    key_passphrase=None
)
signed_pdf = asyncio.run(async_demo(cms_signer, pdf_path))

# Save signed PDF to a new file
signed_pdf_path = r"C:\Users\asgar\Downloads\Documento_Firmado.pdf"
with open(signed_pdf_path, 'wb') as f:
    f.write(signed_pdf.getvalue())

# Validación de firma del archivo firmado

In [19]:
from pyhanko.keys import load_cert_from_pemder
from pyhanko_certvalidator import ValidationContext
from pyhanko.pdf_utils.reader import PdfFileReader
from pyhanko.sign.validation import validate_pdf_signature

root_cert = load_cert_from_pemder(r"C:\Users\asgar\certificate.pem")
vc = ValidationContext(trust_roots=[root_cert])

with open(signed_pdf_path, 'rb') as doc:
    r = PdfFileReader(doc)
    sig = r.embedded_signatures[0]
    status = validate_pdf_signature(sig, vc)
    print(status.pretty_print_details())

Signer info
-----------
Certificate subject: "Common Name: ., Organizational Unit: ., Organization: Casa Monarca, Locality: Monterrey, State/Province: Nuevo-Leon, Country: MX"
Certificate SHA1 fingerprint: 065a380371a4d297a66f01741fb48d3ae011d344
Certificate SHA256 fingerprint: 3f97a19f0d41b81cc3893ab0273e00524099d8c9b12f549eedc089ad2f205610
Trust anchor: "Common Name: ., Organizational Unit: ., Organization: Casa Monarca, Locality: Monterrey, State/Province: Nuevo-Leon, Country: MX"
The signer's certificate is trusted.


Integrity
---------
The signature is cryptographically sound.

The digest algorithm used was 'sha256'.
The signature mechanism used was 'sha256_ecdsa'.
The elliptic curve used for the signer's ECDSA public key was 'secp256r1' (OID: 1.2.840.10045.3.1.7).


Signing time
------------
Signing time as reported by signer: 2025-05-13T20:25:34+00:00


Modifications
-------------
The signature covers the entire file.


Bottom line
-----------
The signature is judged VALID.


