Develop Reference

Sign hash using asynchronous call

I am using iText7 for performing PDF and signing operations. My scenario is I am computing hash on my local machine and sending this hash to signing server and in response get the signed PKCS1(Raw signature) and then I am embedding this signature into PDF.
My code snippet is as follows:
1: Read public cert from smart card device.
2: Initialize PdfReader from original document bytes containing signature field named "Signature1"
3: Initialize PdfSigner and set signature appearance:
PdfSigner pdfSigner = new PdfSigner(pdfReader, outputStream, new StampingProperties().UseAppendMode());
pdfSigner.SetFieldName("Signature1");
pdfSigner.GetDocument().GetCatalog().SetModified();
ImageData imageData = ImageDataFactory.Create(handSignatureBytes);
PdfSignatureAppearance signatureAppearance = pdfSigner.GetSignatureAppearance();
signatureAppearance.SetContact("contactInfo");
signatureAppearance.SetLocation("locationInfo");
signatureAppearance.SetPageNumber(1);
signatureAppearance.SetReason("signingReason");
signatureAppearance.SetSignatureGraphic(imageData);
signatureAppearance.SetRenderingMode(PdfSignatureAppearance.RenderingMode.GRAPHIC);
signatureAppearance.SetSignatureCreator("Malik");
signatureAppearance.SetCertificate(x509Certificate);
4: I have implemented IExternalSignatureContainer interface to get document hash:
public class PreSigning : IExternalSignatureContainer
{
protected PdfDictionary sigDic;
private byte[] hash;
public PreSigning(PdfName filter, PdfName subFilter)
{
sigDic = new PdfDictionary();
sigDic.Put(PdfName.Filter, filter);
sigDic.Put(PdfName.SubFilter, subFilter);
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
signDic.PutAll(sigDic);
}
public byte[] Sign(Stream data)
{
this.hash = DigestAlgorithms.Digest(data, DigestAlgorithms.GetMessageDigest("SHA256"));
return new byte[0];
}
public byte[] getHash()
{
return hash;
}
public void setHash(byte[] hash)
{
this.hash = hash;
}
}
5: Getting document hash:
PreSigning external = new PreSigning(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
pdfSigner.SignExternalContainer(external, estimatedSize);
byte[] documentHash = external.getHash();
6: Initialize PdfPKCS7 class to get Data To Be Signed and getting hash of Data To Be Signed to send to signing server:
PdfPKCS7 pdfPKCS7 = new PdfPKCS7(null, x509CertificatesChain, "SHA256", false);
dataToBeSigned = pdfPKCS7.GetAuthenticatedAttributeBytes(documentHash, PdfSigner.CryptoStandard.CMS, null, null);
byte[] dataToSignHash = DigestAlgorithms.Digest(new MemoryStream(dataToBeSigned), DigestAlgorithms.GetMessageDigest("SHA256"));
7: I have keep the outputStream from PdfSigner for signature embedding phase:
documentStreamBytes = ((MemoryStream)outputStream).ToArray();
8: Send the Data To Be Signed hash to signing server.
9: Get the PKCS1 data from signing server in response:
byte[] PKCS1 = Convert.FromBase64String(preSigningResponse.signedHash);
10: Initialized PdfPKCS7 class for getting PKCS7 from PKCS1:
PdfPKCS7 pdf = new PdfPKCS7(null, x509CertificatesChain, "SHA256", false);
pdf.SetExternalDigest(PKCS1, null, "RSA");
byte[] pkcs7Data = pdf.GetEncodedPKCS7(documentHash, PdfSigner.CryptoStandard.CMS, null, null, null);
11: Get the original document from documentStreamBytes:
Stream pdfReaderStream = new MemoryStream(documentStreamBytes);
PdfReader reader = new PdfReader(pdfReaderStream);
PdfDocument originalDocument = new PdfDocument(reader, new PdfWriter(new MemoryStream()));
12: I have implemented IExternalSignatureContainer for signature embedding using PdfSigner.SignDeferred() method:
public class PostSigning : IExternalSignatureContainer
{
protected byte[] _sig;
public PostSigning (byte[] sign)
{
_sig = sign;
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
}
public byte[] Sign(Stream data)
{
return _sig;
}
}
13: Calling PdfSigner.SignDeferred() method to get the final document:
Stream resultStream = new MemoryStream();
IExternalSignatureContainer externalSignatureContainer = new PostSigning(pkcs7Data);
PdfSigner.SignDeferred(originalDocument, "Signature1", resultStream, externalSignatureContainer);
byte[] finalDoc = ((MemoryStream)resultStream).ToArray();
I am getting the following error:
Document has been altered or corrupted since the signature has been applied.
Can anyone help me regarding this scenario using iText7

There are numerous issues in your code.
Starting a signature twice
Foremost: In your second part (Embed the returned PKCS1 into PDF) you start again with the original file and create a new signature field therein. This results in a slightly different PDF than the one you prepared in your first part; thus, the signature value you have retrieved between the two parts obviously cannot be used for this new PDF.
You must change your architecture.
If you want to keep your two-step approach, you have to keep the file you created in your first part in outputStream and re-use it in the second part. And to fill in the retrieved signature, you must use PdfSigner.signDeferred instead of starting with a new PdfSigner.
Alternatively you can do it in one step, putting the signature server call into a custom IExternalSignatureContainer implementation.
Signing the wrong PDF data
In your first part you appear to set the outputStream contents as the data to sign (actually you even put it into a field that by its name, responseObject.base64Hash, should only hold a hash value; I don't understand that at all). But the bytes to sign are not the complete outputStream contents, a placeholder therein for the final signature value must be excluded.
You must only sign the resulting PDF without that placeholder. You can get it if instead of the ExternalBlankSignatureContainer as is you extend it by overriding the byte[] Sign(Stream data) method and grabbing the Stream parameter thereof. This stream contains exactly the bytes to sign.
The wrong signature format
You mention you get the signed Pkcs1 from your signing server. What you need, though, is a CMS signature container.
If your signature server also offers to return CMS (or PKCS#7) signature containers, use that kind of call.
Otherwise you must build a CMS container yourself, e.g. using the iText PdfPKCS7 class or BouncyCastle mechanisms.

MakeSignature.SignDeferred & Embedding Signature Problem (Itextsharp)

I have a smart card reader. I want to sign a pdf with it. I almost succedded but i get an error when i open pdf in acrobat reader:
Signed by DENİZ KASAR
"Document has been altered or corrupted since it was signed"
Here is my certs, raw and final pdf.
toBeSignedSTR
BF080D04029AB900082C6DC1E1E21E947C5B61F57BD91B974138657DBA7FFDB0
signedDataSTR
7FC9509A4A025B4B92A61464F94D5C3DA1EC66AF7C4D0E6C96436DCDDF46E415CDD220B817CFCAD06F47E2C7F3CF724EC018519D783D93B5A7478533C3C7D1992DE36E7FFDC586DBE9A30987098587354623B12A915A6CAE49585E0DE8C67FC4E06AD760EFF37E06C6C2CD81617B06AE60CFD3547C512A2D47D71F818D64F72405A681E6FAC3FC74346E313A5F7DA343FAF202108786CA6070A185BA711B41DA9D4AA13D6024BC697422D3298B78B5500A18BDC8DAFAD907DE42F997F2B244337904E5D63D40FF36D7266BC3D5169F9CBC63295EFC5B65951194FD6ED6AED5CCDD0818D3D7D86C29C14090BB31BFD8B273A546EDC19319A6757381D482A97EB8
private void button2_Click(object sender, EventArgs e)
{
string rawPDF = System.IO.Path.Combine(Application.StartupPath, "files", "pdf_raw.pdf");
string tempPDF = System.IO.Path.Combine(Application.StartupPath, "files", "pdf_temp.pdf");
string finalPDF = System.IO.Path.Combine(Application.StartupPath, "files", "pdf_signed.pdf");
var chain = tckk_api_basic_samples.pcsc.CertValidation.GetChain();
var dotNetCert = tckk_api_basic_samples.pcsc.CertValidation.GetSigningCert();
var x509cert = new myalias.Org.BouncyCastle.X509.X509CertificateParser().ReadCertificate(dotNetCert.GetRawCertData());
var sgn = new PdfPKCS7(null, chain, "SHA256", false);
var toBeSigned = CreatePDF(rawPDF, tempPDF, chain, x509cert);// return DigestAlgorithms.Digest(sap.GetRangeStream(), "SHA256");
var att = sgn.getAuthenticatedAttributeBytes(toBeSigned, null, null, CryptoStandard.CMS);//77bytes
//SIGNING func
var signedData = tckk_api_basic_samples.pcsc.Sign_Validate.Sign(att, "578310");//256bytes
sgn.SetExternalDigest(signedData, null, "RSA");
byte[] encodedSignature = sgn.GetEncodedPKCS7(att, null, null, null, CryptoStandard.CMS);
EmbedSignature2(tempPDF, finalPDF, encodedSignature);
Process.Start(finalPDF);
}
public static myalias::Org.BouncyCastle.X509.X509Certificate[] GetChain()
{
IServiceContainer4All serviceContainer = new TCKKServiceContainer(1);
X509Certificate certificate = serviceContainer.GetCertificateService().GetKimlikDogrulamaCertificate();
X509Chain x509chain = new X509Chain();
x509chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
X509Certificate2 rootCert = new X509Certificate2(Resources.kokshs_t2);
X509Certificate2 intermediateCert = new X509Certificate2(Resources.kyshs_t2);
X509Certificate2 clientCert = new X509Certificate2(certificate);
x509chain.ChainPolicy.ExtraStore.Add(rootCert);
x509chain.ChainPolicy.ExtraStore.Add(intermediateCert);
if (x509chain.Build(clientCert))
{
var chain = new List<myalias::Org.BouncyCastle.X509.X509Certificate>();
foreach (X509ChainElement x509ChainElement in x509chain.ChainElements)
chain.Add(myalias::Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(x509ChainElement.Certificate));
return chain.ToArray();
}
else
return null;
}
private byte[] CreatePDF(string rawPDF, string tempPDF, myalias.Org.BouncyCastle.X509.X509Certificate cert)
{
byte[] toBeSigned = null;
using (PdfReader pdfReader = new PdfReader(rawPDF))
{
using (FileStream signedPdf = new FileStream(tempPDF, FileMode.Create))
{
PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, signedPdf, '\0');
PdfSignatureAppearance sap = pdfStamper.SignatureAppearance;
sap.SetVisibleSignature(new myalias.iTextSharp.text.Rectangle(36, 748, 250, 400), 1, "SIG");
sap.Reason = "MyRes";
sap.Location = "MyLoc";
sap.Certificate = cert;
IExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
MakeSignature.SignExternalContainer(sap, external, 8192);
toBeSigned = DigestAlgorithms.Digest(sap.GetRangeStream(), "SHA256");
}
}
return toBeSigned;
}
void EmbedSig(string tempPDF, string finalPDF, byte[] sign)
{
using (PdfReader reader = new PdfReader(tempPDF))
{
using (FileStream os = new FileStream(finalPDF, FileMode.Create))
{
IExternalSignatureContainer external = new MyExternalSignatureContainer(sign);
MakeSignature.SignDeferred(reader, "SIG", os, external);
}
}
}
class MyExternalSignatureContainer : IExternalSignatureContainer
{
byte[] sig = null;
public MyExternalSignatureContainer(byte[] sig)
{
this.sig = sig;
}
public void ModifySigningDictionary(myalias.iTextSharp.text.pdf.PdfDictionary signDic)
{
throw new NotImplementedException();
}
public byte[] Sign(Stream data)
{
return this.sig;
}
}

Your original code and example signature
To start with, decrypting the signature bytes with your certificate's public key results in something that clearly is neither PKCS1-v1_5 padded nor EMSA-PSS encoded. Thus, your smart card either does not sign using the private key associated with that certificate C=TR,SERIALNUMBER=90000000684,CN=DENİZ KASAR or the result it returns is not the plain signature bytes array for a RSASSA-PKCS1-v1_5 or RSASSA-PSS signature for your input of a hash value.
Probably there are multiple private keys for different certificates on your card and you addressed the wrong one. Probably there is a different issue.
Furthermore, you call getAuthenticatedAttributeBytes with these parameters
byte[] signatureHash = signature.getAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS);
then store hash in a local variable _hash, but finally call GetEncodedPKCS7 with these parameters
byte[] encodedSignature = _signature.GetEncodedPKCS7(_signatureHash, null, null, null, CryptoStandard.CMS);
This looks incorrect, the parameters of these calls (except the TSA client) are expected to coincide, you should use _hash here, too.
Your later example signature
In a comment you confirmed that your smart card has two certificates. Apparently in you newer code you also successfully addressed the signing application for the certificate you want to sign with as the signature bytes after RSA decryption end with 0xbc which is an indicator for RSASSA-PSS signatures.
This also has a downside, though: The iText 5.x signing API was not implemented with RSASSA-PSS in mind and in particular the PdfPKCS7 class cannot properly build CMS containers from RSASSA-PSS signatures.
That doesn't mean, though, that you cannot use iText for signing with your card, you merely have to implement more in your own code, in particular you have to build the whole signature container.
For this you use this MakeSignature helper
/**
* Sign the document using an external container, usually a PKCS7. The signature is fully composed
* externally, iText will just put the container inside the document.
* #param sap the PdfSignatureAppearance
* #param externalSignatureContainer the interface providing the actual signing
* #param estimatedSize the reserved size for the signature
* #throws GeneralSecurityException
* #throws IOException
* #throws DocumentException
*/
public static void SignExternalContainer(PdfSignatureAppearance sap, IExternalSignatureContainer externalSignatureContainer, int estimatedSize)
and merely have to implement IExternalSignatureContainer to build and return a CMS signature container in its Sign method which signs the data from the given stream.
You can build that CMS container using BouncyCastle classes or probably even Microsoft classes. Unfortunately, though, I'm mostly into this hands-on signing stuff in Java, not in .Net, so I cannot really help with that.
In case of RSASSA-PKCS1-v1_5 signatures
An alternative approach would be to check whether you can tell your smart card to generate RSASSA-PKCS1-v1_5 signatures instead as this would allow you to use iText to generate your CMS container. I wouldn't recommend this as RSASSA-PKCS1-v1_5 is more open to attacks than RSASSA-PSS.
In a comment, though, you specifically asked about that case. In that case I'd propose you change your signing code considerably. It currently uses a mix of the old, more low-level, and the new, more high-level, iText signing APIs. You should use the new API only.
In that case your signing code would reduce to this pivotal code
using (PdfReader reader = new PdfReader(SRC))
using (FileStream os = new FileStream(DEST, FileMode.Create))
{
PdfStamper stamper = PdfStamper.CreateSignature(reader, os, '\0');
// Creating the appearance
PdfSignatureAppearance appearance = stamper.SignatureAppearance;
appearance.Reason = "MyRes";
appearance.Location = "MyLoc";
appearance.SetVisibleSignature(new Rectangle(36, 748, 250, 400), 1, "SIG");
// Creating the signature
CustomExternalSignature pks = new CustomExternalSignature();
MakeSignature.SignDetached(appearance, pks, pks.GetChain(), null, null, null, 0, CryptoStandard.CMS);
}
in combination with the CustomExternalSignature helper class bundling your device specific code:
public class CustomExternalSignature : IExternalSignature
{
public ICollection<X509Certificate> GetChain()
{
[essentially your GetChain method, but return the List as is, don't make it an array]]
}
public string GetEncryptionAlgorithm()
{
return "RSA";
}
public string GetHashAlgorithm()
{
return "SHA256";
}
public byte[] Sign(byte[] message)
{
[your code to call the smart card function to sign the message using RSASSA-PKCS1-v1_5]
[you might or might not have to hash the message first, I don't know that smart card API you use]
}
}

C# PKCS7 Smartcard Digital Signature - Document has been altered or corrupted since it was signed

I try to sign a pdf file using my smartcard (USB token) but encounter "Document has been altered or corrupted since it was signed" error when I open the signed pdf file in Adobe. The error is not so descriptive and I'm not sure where to look at because the code seems good to me but apparently it's not..
The code that I use is:
var signer = smartCardManager.getSigner("myTokenPassword");
var toBeSignedHash = GetHashOfPdf(File.ReadAllBytes(#"xxx\pdf.pdf"), cert.asX509Certificate2().RawData, "dsa", null, false);
var signature = signer.sign(toBeSignedHash);
var signedPdf = EmbedSignature(cert.getBytes(), signature);
File.WriteAllBytes(#"xxx\signedpdf.pdf", signedPdf);
public byte[] GetHashOfPdf(byte[] unsignedFile, byte[] userCertificate, string signatureFieldName, List<float> location, bool append)
{
byte[] result = null;
var chain = new List<Org.BouncyCastle.X509.X509Certificate>
{
Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(new X509Certificate2(userCertificate))
};
Org.BouncyCastle.X509.X509Certificate certificate = chain.ElementAt(0);
using (PdfReader reader = new PdfReader(unsignedFile))
{
using (var os = new MemoryStream())
{
PdfStamper stamper = PdfStamper.CreateSignature(reader, os, '\0', null, append);
PdfSignatureAppearance appearance = stamper.SignatureAppearance;
appearance.SetVisibleSignature(new iTextSharp.text.Rectangle(0,0,0,0), 1, signatureFieldName);
appearance.Certificate = certificate;
IExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
MakeSignature.SignExternalContainer(appearance, external, 8192);
Stream data = appearance.GetRangeStream();
byte[] hash = DigestAlgorithms.Digest(data, "SHA256");
var signatureContainer = new PdfPKCS7(null, chain, "SHA256", false);
byte[] signatureHash = signatureContainer.getAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS);
result = DigestAlgorithms.Digest(new MemoryStream(signatureHash), "SHA256");
this.hash = hash;
this.os = os.ToArray();
File.WriteAllBytes(#"xxx\temp.pdf", this.os);
}
}
return result;
}
public byte[] EmbedSignature(byte[] publicCert, byte[] sign)
{
var chain = new List<Org.BouncyCastle.X509.X509Certificate>
{
Org.BouncyCastle.Security.DotNetUtilities.FromX509Certificate(new X509Certificate2(publicCert))
};
var signatureContainer = new PdfPKCS7(null, chain, "SHA256", false);
using (var reader = new PdfReader(this.os))
{
using (var os2 = new MemoryStream())
{
signatureContainer.SetExternalDigest(sign, null, "RSA");
byte[] encodedSignature = signatureContainer.GetEncodedPKCS7(this.hash, null, null, null, CryptoStandard.CMS);
IExternalSignatureContainer external = new MyExternalSignatureContainer(encodedSignature);
MakeSignature.SignDeferred(reader, "dsa", os2, external);
return os2.ToArray();
}
}
}
The pdf file that I try to sign is this.
Temp pdf file that is created after adding signature fields is this.
Signed pdf file is this.
Base64 format of the hash that is signed is: klh6CGp7DUzayt62Eusiqjr1BFCcTZT4XdgnMBq7QeY=
Base64 format of the signature is: Uam/J6W0YX99rVP4M9mL9Lg9l6YzC2yiR4OtJ18AH1PtBVaNPteT3oPS7SUc+6ak2LfijgJ6j1RgdLamodDPKl/0E90kbBenry+/g1Ttd1bpO8lqTn1PWJU2TxeGHwyRyaFBOUga2AxpErIHrwxfuKCBcodB7wvAqRjso0jovnyP/4DluyOPm97QWh4na0S+rtUWOdqVmKGOuGJ3sBXuk019ewpvFcqWBX4Mvz7IKV56wcxQVQuJLCiyXsMXoazwyDCvdteaDz05K25IVwgEEjwLrppnc/7Ue9a9KVadFFzXWXfia7ndmUCgyd70r/Z+Oviu9MIAZL8GuTpkD7fJeA==

I use hex encoding of byte arrays here. Your base64 encoded hash
klh6CGp7DUzayt62Eusiqjr1BFCcTZT4XdgnMBq7QeY=
in hex encoding is equal to
92587A086A7B0D4CDACADEB612EB22AA3AF504509C4D94F85DD827301ABB41E6
###In short
Your code hashes the signed attributes twice. Simply don't hash the bytes returned by signatureContainer.getAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS) in GetHashOfPdf but instead use the authenticated attribute bytes themselves as return value.
###In detail
Analyzing the signature in your example PDF it turns out that
indeed the hash of the signed attributes is
92587A086A7B0D4CDACADEB612EB22AA3AF504509C4D94F85DD827301ABB41E6
but the hash in the RSA encrypted DigestInfo object of the signature is
1DC7CAA50D88243327A9D928D5FB4F1A61CBEFF9E947D393DDA705BD61B67F25
which turns out to be the hash of the before mentioned hash of the signed attributes.
Thus, your
var signature = signer.sign(toBeSignedHash);
call appears to hash the toBeSignedHash value again.
The most simple fix would be to replace
byte[] signatureHash = signatureContainer.getAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS);
result = DigestAlgorithms.Digest(new MemoryStream(signatureHash), "SHA256");
by
result = signatureContainer.getAuthenticatedAttributeBytes(hash, null, null, CryptoStandard.CMS);
in GetHashOfPdf to have only signer.sign do the hashing.
###Analyzing such issues
In a comment you asked
how did you figure all this out :)?
Well, yours is not the first question with a customized iText signing process resulting in errors or at least unwanted profiles.
In the course of the analysis of those questions the first step usually is to extract the embedded signature container and inspect it in an ASN.1 viewer.
In case of your PDF the main result of that inspection was that the signature as such looked ok and that your signed attributes don't contain any variable data.
If there had been some variable data (e.g. a signing time attribute) in them, a candidate for the cause of the issue would have been that you build the signed attributes twice, once explicitly in GetHashOfPdf, once implicitly in EmbedSignature, with different values for the variable data. But as mentioned above, this was not the case.
The next step here was to actually check the hashes involved. Checking the document hash is simple, one calculates the signed byte range hash and compares with the value of the MessageDigest signed attribute, cf. the ExtractHash test testSotnSignedpdf (in Java).
The result for your PDF turned out to be ok.
The following step was to inspect the signature container more thoroughly. In this context I once started to write some checks but did not get very far, cf. the SignatureAnalyzer class. I extended it a bit for the test of the hash of the signed attributes making use of the signature algorithm you used, the old RSASSA-PKCS1-v1_5: In contrast to many other signature algorithms, this one allows to trivially extract the signed hash.
Here the result for your PDF turned out not to be ok, the hash of the signed attributes differed from the signed hash.
There are two often seen causes for a mismatch here,
either the signed attributes are signed with a wrong encoding (it must be the regular DER encoding, not some arbitrary BER encoding and in particular not an encoding with the implicit tag the value stored in the signature has --- even larger players do this wrong sometimes, e.g. Docusign, cf. DSS-1343)
or the hash was somehow transformed during signing (e.g. the hash is base64 encoded or hashed again).
As it turned out, the latter was the case here, the hash was hashed again.

Signature is Invalid for PDF File with iText

I am using swisscom digital signature service and we have a test account. Well the service requires the hash code the pdf file . We send it with
DIGEST_VALUE=$(openssl dgst -binary -SHA256 $FILE | openssl enc -base64 -A)
and I get a PKCS#7 response. You can decode the my signature response by using this website https://certlogik.com/decoder/
and the signature content is http://not_need_anymore
I have the same problem as follow (because we use the same code)
Digital Signature (PKCS#7 - Deferred Signing) / The document has been altered or corrupted since the signature was applied
my response has been with sha256 crypted.
Well I am using iText with c# to sign the pdf file. I sign and I see some details (such as reason, location etc).
here is the method that creates a pdf file with a signature field
public static string GetBytesToSign(string unsignedPdf, string tempPdf, string signatureFieldName)
{
if (File.Exists(tempPdf))
File.Delete(tempPdf);
using (PdfReader reader = new PdfReader(unsignedPdf))
{
using (FileStream os = File.OpenWrite(tempPdf))
{
PdfStamper stamper = PdfStamper.CreateSignature(reader, os, '\0');
PdfSignatureAppearance appearance = stamper.SignatureAppearance;
appearance.SetVisibleSignature(new Rectangle(36, 748, 250, 400), 1, signatureFieldName);
//IExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
IExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
PdfSignature external2 = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);//ADBE_PKCS7_SHA1);
//as pdf name I tried also PdfName.ETSI_RFC3161
//(ref => https://github.com/SCS-CBU-CED-IAM/itext-ais/blob/master/src/com/swisscom/ais/itext/PDF.java)
appearance.Reason = "For archive";
appearance.Location = "my loc";
appearance.SignDate = DateTime.Now;
appearance.Contact = "myemail#domain.ch";
appearance.CryptoDictionary = external2;
var level = reader.GetCertificationLevel();
// check: at most one certification per pdf is allowed
if (level != PdfSignatureAppearance.NOT_CERTIFIED)
throw new Exception("Could not apply -certlevel option. At most one certification per pdf is allowed, but source pdf contained already a certification.");
appearance.CertificationLevel = level;
MakeSignature.SignExternalContainer(appearance, external,30000);
byte[] array = SHA256Managed.Create().ComputeHash(appearance.GetRangeStream());
return Convert.ToBase64String(array);
}
}
}
Actualls I do not use what this method returns. Because it already creates a temp pdf file with signature field.
After that,I give the hash code of this pdf file and get PKCS#7 responde. and then using the following function, I am adding the signature to a pdf (it creates another pdf file).
public static void EmbedSignature(string tempPdf, string signedPdf,
string signatureFieldName, string signature)
{
byte[] signedBytes = Convert.FromBase64String(signature);
using (PdfReader reader = new PdfReader(tempPdf))
{
using (FileStream os = File.OpenWrite(signedPdf))
{
IExternalSignatureContainer external =
new MyExternalSignatureContainer(signedBytes);
MakeSignature.SignDeferred(reader, signatureFieldName, os, external);
}
}
}
the signature parameter in the method, I give p7s file content as follows
string signatureContent = File.ReadAllText(#"mypath\signed_cert.p7s");
signatureContent = signatureContent
.Replace("-----BEGIN PKCS7-----\n", "")
.Replace("-----END PKCS7-----\n","").Trim();
what am I missing or doing wrong?

In contrast to the regular detached signatures which sign the whole signed file, integrated signatures in PDFs sign (and can only sign) everything but the space set aside for the signature itself.
(For more backgrounds read this answer)
Thus, when you after preparing the PDF with a placeholder to embed the signature
give the hash code of this pdf file and get PKCS#7 responde
you hash too much because your hashing included the (then empty, i.e. filled with '0' characters) placeholder for the actual signature. The method GetBytesToSign instead only returns the hash over the signed byte ranges, i.e. everything but the placeholder:
byte[] array = SHA256Managed.Create().ComputeHash(appearance.GetRangeStream());
You have to either takes this value or similarly hash only everything but the placeholder for the signature.

iTextSharp - How to get PDF content for signing and then sign at a later time

I'm developing a client-server application where clients have to sign PDF documents using their signatures and upload them to the server. The task is complicated by the fact that clients don't have the means to embed signatures into PDFs, they can only read raw bytes and produce the signature in the form of raw bytes.
I'm trying to implement the following workflow:
The client uploads the unsigned PDF to the server
The server opens the PDF, extracts the bytes that the client needs to sign, and sends those bytes back
The client receives these bytes, signs them using a client certificate and sends the signature to the server
The server embeds the received signature into the PDF it received earlier.
I found some code samples of extracting bytes to sign and embedding the signature bytes into the PDF (this is the main sample I'm using).
The problem is that this sample performs all the steps in one program, it embeds the signature right after getting the document hash without closing PdfStamper. What I need is some way to save the document after adding the signature field and getting sha.Hash, and then at some later time (when the server receives the computed signature) open the document and embed the signature value into the PDF.
Can you suggest a way to modify this code so that the steps (2) and (4) can be independent, and not require shared instances of PdfReader and PdfStamper?

Figured it out myself. This piece of code pointed me to the right direction.
Turns out the process on the server has to be the following:
Take the unsigned PDF and add an empty signature field
Compute the bytes that need to be signed based on the modified content of the file
Save the modified PDF with an empty signature into a temporary file
Send the computed bytes to the client
When the client responds with the signature, open the temporary file and insert the signature into the field created earlier
The relevant server code:
public static byte[] GetBytesToSign(string unsignedPdf, string tempPdf, string signatureFieldName)
{
using (PdfReader reader = new PdfReader(unsignedPdf))
{
using (FileStream os = File.OpenWrite(tempPdf))
{
PdfStamper stamper = PdfStamper.CreateSignature(reader, os, '\0');
PdfSignatureAppearance appearance = stamper.SignatureAppearance;
appearance.SetVisibleSignature(new Rectangle(36, 748, 144, 780), 1, signatureFieldName);
IExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1);
MakeSignature.SignExternalContainer(appearance, external, 8192);
return SHA1Managed.Create().ComputeHash(appearance.GetRangeStream());
}
}
}
public static void EmbedSignature(string tempPdf, string signedPdf, string signatureFieldName, byte[] signedBytes)
{
using (PdfReader reader = new PdfReader(tempPdf))
{
using (FileStream os = File.OpenWrite(signedPdf))
{
IExternalSignatureContainer external = new MyExternalSignatureContainer(signedBytes);
MakeSignature.SignDeferred(reader, signatureFieldName, os, external);
}
}
}
private class MyExternalSignatureContainer : IExternalSignatureContainer
{
private readonly byte[] signedBytes;
public MyExternalSignatureContainer(byte[] signedBytes)
{
this.signedBytes = signedBytes;
}
public byte[] Sign(Stream data)
{
return signedBytes;
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
}
}
Side note: what bothers me in all those iText samples is the presence of magic numbers (like 8192 here) without any comments. This makes using this library so much more difficult and annoying than it could be.

The answer below was taken from our white paper on digital signatures, chapter 4, section 4.3.3 Signing a document on the server using a signature created on the client. Code examples here
The desired workflow can be seen as 3 major steps:
Presign:
Required: pdf, certificate chain
Serverside, setup signature infrastructure, extract message digest and send the digest to client as a byte-array
Signing:
Required: message digest as byte-array, private key
Clientside, apply cryptographic algorithms to message digest to generate the signed digest from the hash and send this signature to
the server
Postsign:
Required: signed digest as byte-array, pdf Serverside
insert the signed digest into the prepared signature, insert the
signature into the pdf-document
Code examples, iText5 and C#:
Presign (server)
//hello :
//location of the pdf on the server
//or
//bytestream variable with teh pdf loaded in
//chain: certificate chain
// we create a reader and a stamper
PdfReader reader = new PdfReader(hello);
Stream baos = new MemoryStream();
PdfStamper stamper = PdfStamper.CreateSignature(reader, baos., '\0');
// we create the signature appearance
PdfSignatureAppearance sap = stamper.SignatureAppearance;
sap.Reason = "Test";
sap.Location = "On a server!";
sap.SetVisibleSignature ( new Rectangle(36, 748, 144, 780), 1, "sig");
sap.Certificate = chain[0];
// we create the signature infrastructure
PdfSignature dic = new PdfSignature(
PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
dic.Reason = sap.Reason;
dic.Location = sap.Location;
dic.Contact = sap.Contact;
dic.Date = new PdfDate(sap.SignDate);
sap.CryptoDictionary = dic;
Dictionary<PdfName, int> exc = new Dictionary<PdfName, int>();
exc.Add(PdfName.CONTENTS, (int)(8192 * 2 + 2));
sap.PreClose(exc);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", false);
//Extract the bytes that need to be signed
Stream data = sap.GetRangeStream();
byte[] hash = DigestAlgorithms.Digest(data,"SHA256");
byte[] sh = sgn.getAuthenticatedAttributeBytes(hash,null, null, CryptoStandard.CMS);
//Store sgn, hash,sap and baos on the server
//...
//Send sh to client
Signing (client)
// we receive a hash that needs to be signed
Stream istream = response.GetResponseStream();
MemoryStream baos = new MemoryStream();
data = new byte[0x100];
while ((read = istream.Read(data, 0, data.Length)) != 0)
baos.Write(data, 0, read);
istream.Close();
byte[] hash = baos.ToArray();
// we load our private key from the key store
Pkcs12Store store = new Pkcs12Store(new FileStream(KEYSTORE, FileMode.Open), PASSWORD);
String alias = "";
// searching for private key
foreach (string al in store.Aliases)
if (store.IsKeyEntry(al) && store.GetKey(al).Key.IsPrivate) {
alias = al;
break;
}
AsymmetricKeyEntry pk = store.GetKey(alias);
// we sign the hash received from the server
ISigner sig = SignerUtilities.GetSigner("SHA256withRSA");
sig.Init(true, pk.Key);
sig.BlockUpdate(hash, 0, hash.Length);
data = sig.GenerateSignature();
// we make a connection to the PostSign Servlet
request = (HttpWebRequest)WebRequest.Create(POST);
request.Headers.Add(HttpRequestHeader.Cookie,cookies.Split(";".ToCharArray(), 2)[0]);
request.Method = "POST";
// we upload the signed bytes
os = request.GetRequestStream();
os.Write(data, 0, data.Length);
os.Flush();
os.Close();
Postsign (server)
// we read the signed bytes
MemoryStream baos = new MemoryStream();
Stream InputStream iStream = req.GetInputStream();
int read;
byte[] data = new byte[256];
while ((read = iStream.read(data, 0, data.Length)) != -1) {
baos.Write(data, 0, read);
}
// we complete the PDF signing process
sgn.SetExternalDigest(baos.ToArray(), null, "RSA");
byte[] encodedSig = sgn.getEncodedPKCS7(hash, cal, null,
null, null, CryptoStandard.CMS);
byte[] paddedSig = new byte[8192];
paddedSig.
encodedSig.CopyTo(paddedSig, 0);
PdfDictionary dic2 = new PdfDictionary();
dic2.Put(PdfName.CONTENTS, new PdfString(paddedSig).SetHexWriting(true));
try
{
sap.close(dic2);
}
catch (DocumentException e)
{
throw new IOException(e);
}
I've omitted most of the client-server communication code and focused on the signing logic. I've also not thoroughly tested these snippets, as I had to convert them from java code and I don't currently have a client-server setup to test them with, so copy and run at your own risk.