This example was written for the article "Using iText 7 and AWS KMS to digitally sign a PDF document" and shows an implementation of IExternalSignatureContainer instead of IExternalSignature for signing. While IExternalSignature is the easiest way, it has some drawbacks: the PdfPKCS7 class does not support RSASSA-PSS, and for ECDSA signatures it uses the wrong OID as the signature algorithm OID.

To avoid these issues, we can build the complete CMS signature container ourselves using only BouncyCastle functionality.

For .NET, while the AwsKmsSignatureContainer class uses BouncyCastle to build the CMS signature container to embed, just like in the Java version, there are certain differences in the .NET BouncyCastle API. In particular, one does not use an instance of ContentSigner for the actual signing but an instance of ISignatureFactory; that interface is a factory of IStreamCalculator instances, which in their function are equivalent to the ContentSigner in Java. The implementations of these interfaces are AwsKmsSignatureFactory and AwsKmsStreamCalculator in the .NET example.
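As an added sketch of that ISignatureFactory / IStreamCalculator pair (this is not the article's AwsKmsSignatureFactory or AwsKmsStreamCalculator code, which the page names but does not show), the following delegates the RSA signing step to AWS KMS. It assumes the non-generic BouncyCastle 1.8.x interfaces, the AWS SDK's IAmazonKeyManagementService, and a fixed RSASSA-PKCS1-v1.5 / SHA-256 key; the class names are hypothetical.

```csharp
using System.IO;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;

// Hypothetical ISignatureFactory (assumes BouncyCastle 1.8.x non-generic API); the private key never leaves KMS.
public class KmsRsaSha256SignatureFactory : ISignatureFactory
{
    private readonly IAmazonKeyManagementService kms;
    private readonly string keyId;
    public KmsRsaSha256SignatureFactory(IAmazonKeyManagementService kms, string keyId)
    { this.kms = kms; this.keyId = keyId; }
    // Becomes the signatureAlgorithm of the SignerInfo in the CMS container.
    public object AlgorithmDetails =>
        new AlgorithmIdentifier(PkcsObjectIdentifiers.Sha256WithRsaEncryption);
    public IStreamCalculator CreateCalculator() => new KmsStreamCalculator(kms, keyId);
}

// Java ContentSigner counterpart: BouncyCastle writes the DER-encoded signed attributes into Stream, then calls GetResult().
internal class KmsStreamCalculator : IStreamCalculator
{
    private readonly IAmazonKeyManagementService kms;
    private readonly string keyId;
    private readonly MemoryStream buffer = new MemoryStream();
    public KmsStreamCalculator(IAmazonKeyManagementService kms, string keyId)
    { this.kms = kms; this.keyId = keyId; }
    public Stream Stream => buffer;
    public object GetResult()
    {
        // Hash locally; KMS receives only the digest (MessageType.DIGEST), never the data.
        byte[] digest = DigestUtilities.CalculateDigest("SHA-256", buffer.ToArray());
        var request = new SignRequest { KeyId = keyId, Message = new MemoryStream(digest),
            MessageType = MessageType.DIGEST,
            SigningAlgorithm = SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256 };
        byte[] sig = kms.SignAsync(request).GetAwaiter().GetResult().Signature.ToArray();
        return new KmsBlockResult(sig);
    }
}

// IBlockResult handing the raw signature bytes back to the CMS generator.
internal class KmsBlockResult : IBlockResult
{
    private readonly byte[] sig;
    public KmsBlockResult(byte[] sig) { this.sig = sig; }
    public byte[] Collect() => sig;
    public int Collect(byte[] dst, int off) { sig.CopyTo(dst, off); return sig.Length; }
}
```

The factory is then passed to SignerInfoGeneratorBuilder.Build together with the signer certificate, exactly where a ContentSigner would go in the Java version; for ECDSA or RSASSA-PSS keys, AlgorithmDetails and SigningAlgorithm must be changed together so the SignerInfo OID matches what KMS actually produced.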

Note: The article assumes that you have stored your credentials in the default section of your ~/.aws/credentials file and your region in the default section of your ~/.aws/config file. Otherwise, you'll have to adapt the KmsClient instantiation or initialization in the code examples written for this article.

For the other examples relating to this article, please see the following links: