1
votes

I am using iTextSharp & pkcs11RsaSignature to insert a digital signature on every page of a PDF document. The following is my code:

        PdfReader pdfSource = new PdfReader(...);
        NumberOfPages = pdfSource.NumberOfPages;
        pdfSource.Close();
        CurrentPage = 1;

        while (CurrentPage <= NumberOfPages)
        {
            Temp3PDF = Temp1PDF;
            Temp1PDF = Temp2PDF;
            Temp2PDF = Temp3PDF;

            PdfReader pdfSrc = new PdfReader(Temp1PDF);
            FileStream pdfDes = new FileStream(Temp2PDF, FileMode.Create);
            PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfSrc, pdfDes, '\0', Path.GetTempFileName(), true);                
            PdfSignatureAppearance pdfSignAppearance = pdfStamper.SignatureAppearance;
            pdfSignAppearance.Acro6Layers = false;
            pdfSignAppearance.SetVisibleSignature(new iTextSharp.text.Rectangle(100, 100, 250, 150), CurrentPage, null);
            MakeSignature.SignDetached(pdfSignAppearance, pkcs11RsaSignature, certPath, null, null, null, 0, CryptoStandard.CADES);
            pdfStamper.Close();
            pdfDes.Close();
            pdfSrc.Close();
            CurrentPage++;
        }

As can be seen, this is NOT a very elegant way of programming, as the file is read and written as many times as the number of pages. Is there any other way of inserting a digital signature on every page of a PDF document?

What is actually wanted to do here is that - in case the PDF document is split into pages (in future), since the contents haven't changed, so technically digital signature should be valid for the pages it is signed. But I realize the signature will get invalidated. (Rephrasing the question - Is there any way of digitally signing only one page of pdf and not entire document?)

To Bruno Lowagie (you are the expert): Except that it is not provided for in the PDF specification, it is possible to partially sign a PDF file by signing the hash computed only on selected components. Do you think it is possible to upgrade the PDF specification to accommodate such a requirement? Thank you for your help.

What is the point of adding a signature on every page? That doesn't make any sense. A digital signature signs the complete document. The concept of "initialing a document" doesn't exist in PDF. What you are doing is not done in PDF. You are right: what you're doing is not only NOT elegant, it's also stupid. It's as if you are confusing wet ink signatures with digital signatures. - Bruno Lowagie

@Bruno "It's as if you are confusing wet ink signatures with digital signatures." - Well, even wet ink signatures sign the whole document up to the signature, at least over here it is not necessary to sign each page of a document (as long as it is clear which pages in which order make up the document.) - mkl

@mkl I meant wet ink initials. This is a typical question for people who want their PDF to look as if it's initialed. - Bruno Lowagie

@Bruno ah, ok. Using initials like that is not very common here, so I did not think about that. - mkl

@gsp I'm responsible for editing the section on digital signatures in PDF 2.0 (ISO-32000-2) and there are no plans to accommodate your requirement because it would be easy to exploit this feature. Moreover, there is a valid alternative for what you're trying to do: you can create a portfolio (portable collection) with a series of separately signed PDF files. - Bruno Lowagie

1 Answer

2
votes

> What is actually wanted to do here is that - in case the PDF document is split into pages (in future), since the contents haven't changed, so technically digital signature should be valid for the pages it is signed.

This train of thought is based on a misconception. Yes, you have the visualization of the signature on one specific page, but cryptographically the signature signs the whole PDF with the sole exception of the embedded CMS signature container itself.

But you found out about this yourself. Thus, let's consider your rephrased question:

> But I realize the signature will get invalidated. (Rephrasing the question - Is there any way of digitally signing only one page of pdf and not entire document?)

In the past there were two ways which might have allowed signing single pages:

  • using an object digest focusing on the page in question;
  • using a byte range digest only consisting of byte ranges covering objects related to the page in question.

Nowadays, though, these techniques are not usable options anymore because

  • object digests were deprecated a long time ago, and the ISO PDF specification does not even mention them anymore;
  • even though ISO 32000-1 still allows byte range digests to cover such a collection of fragments of the PDF, PDF processors (in particular Adobe Reader) require the byte ranges to cover the whole PDF file with the sole exception of the embedded signature container; newer specifications (e.g. the ETSI PAdES specifications and the ISO 32000-2 drafts) also require this.

Thus, no, there is no way of digitally signing only one page of pdf and not entire document, at least not in an interoperable manner.


An option for achieving something similar to page-wise signatures in a multi-page PDF would be to

  • split the PDF into multiple PDFs, each containing a single page only;
  • sign each of these single-page PDFs; and
  • put all these single-page PDFs into a PDF portable collection (aka portfolio) and arrange it to display the individual contained PDFs one after the other in the correct order.
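
As an added illustration of the answer's point that the byte ranges must cover the whole file except the embedded signature container, here is a structural check over raw file bytes. It is not code from the question or the answer, and it is written in Python rather than iTextSharp so that it runs without a token or certificate. The function names and the PDF-like sample bytes are constructed for this example, and the check does not verify the signature cryptographically.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def check_byte_ranges(data: bytes) -> list:
    """Structural check of every /ByteRange found in the raw file bytes.

    Assumes signature dictionaries are stored uncompressed in the file.
    """
    results = []
    for m in BYTE_RANGE.finditer(data):
        off1, len1, off2, len2 = (int(g) for g in m.groups())
        gap = data[off1 + len1:off2]  # bytes the signature does NOT cover
        results.append({
            "byte_range": (off1, len1, off2, len2),
            "starts_at_zero": off1 == 0,
            # The only unsigned bytes may be the /Contents hex string itself.
            "gap_is_signature_container": HEX_STRING.fullmatch(gap) is not None,
            # The second range must run to the last byte of the file.
            "covers_to_eof": off2 + len2 == len(data),
        })
    return results


def covers_whole_file(result: dict) -> bool:
    return (result["starts_at_zero"] and result["gap_is_signature_container"]
            and result["covers_to_eof"])


def make_sample(trailing_unsigned: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (not a real signed PDF) with correct offsets."""
    template = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig "
                b"/ByteRange [0 %010d %010d %010d] /Contents ")
    contents = b"<" + b"00" * 32 + b">"  # placeholder for the CMS container
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(template % (0, 0, 0))  # fixed-width fields keep the length stable
    head = template % (len1, len1 + len(contents), len(tail))
    return head + contents + tail + trailing_unsigned


if __name__ == "__main__":
    samples = (("whole file", make_sample()),
               ("partial", make_sample(b"2 0 obj\n(page 2)\nendobj\n%%EOF\n")))
    for label, pdf in samples:
        for r in check_byte_ranges(pdf):
            print(label, r["byte_range"], "covers whole file:", covers_whole_file(r))
```

In a file signed repeatedly in append mode, as in the question's loop, only the most recent signature can reach the end of the file; each earlier one ends where its own revision ended.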