
I am trying to create a PAdES signature using the following workflow:

  • PDF is prepared for signing and hash is calculated in the browser
  • hash is sent to the backend
  • detached CAdES signature is formed on the backend
  • detached CAdES is sent back to the browser where PAdES signature is assembled

We have a working example of PDF signature that works like this:

  • PDF is prepared and hash is calculated in the browser
  • hash is sent to the backend
  • detached PKCS7 signature is made on the backend (by using BouncyCastle lib)
  • detached PKCS7 is sent back to the browser where PDF signature is assembled

This is working fine.

However, now instead of BouncyCastle we are using DSS library on the backend because we are trying to create a PAdES signature. So, DSS lib is creating detached CAdES (which should be the same as detached PAdES) instead of PKCS7. However, when the signature is assembled in the browser the signature is invalid (even the certificate info isn't visible).

From my understanding CAdES is an extension to PKCS7 so this approach should work.

I'm first trying to understand if something's wrong with our approach and if not, I'll try to share the code we're using to make a detached CAdES signature to see if something's wrong there.

"detached CAdES (which should be the same as detached PAdES)" - beware, PAdES requires CAdES signatures of a specific profile. If you inject arbitrary CAdES signature containers into PDFs, you may end up with signatures which are neither PAdES nor ISO 32000-1 interoperable. - mkl

1 Answer


I figured it out. It was that the size of the detached CAdES signature is more than 2 times bigger than the detached PKCS7 signature, so we weren't leaving enough space for the signature to fit in, so the signature was basically overwriting the PDF content. When I increased the space for the signature, everything is working as it should.
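The failure described in the answer is a size check that the browser-side assembly step can do before writing anything: the `/Contents` placeholder is hex-encoded, so a DER signature of N bytes needs 2*N hex digits, and a larger CAdES container silently overwrites the bytes after the placeholder. The following is an added example, not code from the question or from the DSS project; the PDF fragment and signature bytes are constructed for illustration.

```javascript
// Added example: verify that a detached CMS/CAdES signature fits the space the
// PDF reserved in "/Contents <0000...>" before embedding it. Overshooting that
// placeholder corrupts the PDF body, which is the bug from the answer above.

// Bytes -> string with one char per byte (PDF syntax is byte-oriented).
function bytesToLatin1(bytes) {
  return Array.from(bytes, b => String.fromCharCode(b)).join("");
}

// Locate "/Contents <hex...>" and return where the hex area starts, how many
// hex digits it holds, and how many raw signature bytes that corresponds to.
function findContentsPlaceholder(pdfBytes) {
  const m = /\/Contents\s*<([0-9A-Fa-f]*)>/.exec(bytesToLatin1(pdfBytes));
  if (!m) throw new Error("no /Contents <...> placeholder found");
  const start = m.index + m[0].indexOf("<") + 1;
  return { start, hexDigits: m[1].length, capacityBytes: m[1].length >> 1 };
}

// True when the DER-encoded signature fits the reserved space.
function signatureFits(pdfBytes, derSig) {
  return derSig.length <= findContentsPlaceholder(pdfBytes).capacityBytes;
}

// Copy the PDF, write the signature as upper-case hex into the placeholder,
// zero-pad the remainder, and refuse (instead of overwriting) when it is too big.
function embedSignature(pdfBytes, derSig) {
  const ph = findContentsPlaceholder(pdfBytes);
  if (derSig.length > ph.capacityBytes) {
    throw new Error(`signature is ${derSig.length} bytes, placeholder holds ${ph.capacityBytes}`);
  }
  const hex = Array.from(derSig, b => b.toString(16).padStart(2, "0").toUpperCase())
    .join("")
    .padEnd(ph.hexDigits, "0");
  const out = new Uint8Array(pdfBytes);
  for (let i = 0; i < ph.hexDigits; i++) out[ph.start + i] = hex.charCodeAt(i);
  return out;
}

// Constructed sample: a signature dictionary reserving 16 bytes (32 hex digits).
const SAMPLE_PDF = new TextEncoder().encode(
  "<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached " +
  "/ByteRange [0 10 50 20] /Contents <" + "0".repeat(32) + "> >>"
);
// Constructed stand-ins for a DER blob: 8 bytes fits, 40 bytes does not.
const SMALL_SIG = new Uint8Array([0x30, 0x82, 0x01, 0x00, 0x06, 0x09, 0x2a, 0x86]);
const BIG_SIG = new Uint8Array(40);
```

In the real workflow `derSig` is the detached CAdES returned by the backend and `pdfBytes` is the prepared PDF whose digest was signed; when `signatureFits` is false the fix is to reserve a larger placeholder (as the answer did) and re-hash, since the signed ByteRange changes.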