iTextSharp not rendering digital signature

0
votes

I've read the I-TEXT digital signature e-text, and also previous posts answered by MKL (who seems to be the authority along with Bruno on this topic).

essentially I have an Azure app service that gets the digital sig (base 64) and certificate chain from the company's signing API. The company's signing API returns a signature in Base64 along with a certificate chain.

I just want the to insert a signature object/container into the pdf so it will show in the signature panel when an end user opens up the pdf. I prefer to use deferred signing.

I've shifted from chapter 4's "clientseversigning example" to instead Deferred Signing in MKL's "How to create a PDF signature without knowing the signer certificate early".

The Company API returns a "plain" signature, that I am pretty sure, and also returns a chain of 3 string certificates.

I should note I do have the root and sub certs in advance (2 .cer files) but I am not using them in "prepping" the pdf for hashing right now since the deferred signing example doesn't make use of them obviously. For the container construction code (after getting the response from the Company API), I use the 3 certs chain returned from the company API, but I also tried it with the 2 .cer files, to no avail.

The only difference between my code and the one in the example is instead of byte[] certificateBytes = THE_RETRIEVED_CERTIFICATE_BYTES; X509Certificate x509Certificate = new X509CertificateParser().ReadCertificate(certificateBytes); I build 3 x509Certificates (one for each string in the chain returned from the Company API.

Sadly things wont work, I get these errors in Acrobat: Signature is invalid, There are errors in the formatting or information contained in this signature, signature's identity has not yet been verified, signing time is from the clock on the signer's computer...also if I click Certificate details just below of this error in Acrobat it is blank. This was pretty much the errors I was getting when trying the "clientserversigning example"

I am trying really hard and wondering what it could be... should I try modifying the estimated size from 12000 and bump it up? or the errors I am getting in Acrobat, maybe they are hinting the certificate chain from the Company API is not being picked up by the signing deferral container construction code ... I am struggling but any tips would be so greatly appreciated

Evan

Just to clarify, I am following chapter 4's clientserversigningexample but I am getting the following once my pdf is recreated with the signature from the company API

resulting pdf not correctly signed

Its saying 1) there are errors in the formatting of information 2) signer's identity has not been verified 3) signing time is from the clock on the signer's computer

now as far as "prepping" the pdf before hashing it to send for signing...I don't see anything in the ClientSigning example that specifically preps it, can I assume the IText library is prepping it under the hood?

1
pdfitextdigital-signature
a) the PDF has to be prepared before hashing the byte ranges to be signed (which is not the whole prepared PDF!); b) whether it suffices to get the certificate only together with the signature, depends on the format the signature is returned in. If the company API returns a CMS signature container, you don't need the certificate before; if it's a plain signature, usually the certificate is required beforehand.mkl
"should I look at PDFBox instead of Itext" - you have indicated no special requirements for your signature (e.g. you mention no special profile to create like PAdES-LTA), so either library should do.mkl
github is down, but this woman has solutions for several pdf libraries: github.com/crs2195Tilman Hausherr
thanks mkl, suffice to say you're the authority on this stuff; I think its a plain signature the company API returns...I'm reading over all the texts...is it safe to assume if I don't have access to the certificates beforehand than I would use the deferred singing example and if I did have the certificates beforehand I would use the clientserversigningexample? In other words I'm having difficulty distinguishing between these two ... but I guess if the company API only returns the plainsignature (with a chain of certs mind you) it forces my hand and I have to use the clientseversigningexample?Evan Econo
just an addendum, I do have two certificates from the company API, root and sub, both are .cer files. Is it safe to assume I can create a chain using these two certs when building the call to the company api using the clientserversigningexample? Is the chain return value the company API returns any different would you think?Evan Econo

1 Answers

0
votes

In your question and in your comments to it you appear to be in particular interested in

  • whether or not one can use a signature API that returns the certificates only together with the signature, and
  • when to to deferred signing.

Can You Use a Signature API That Provides the User Certificate Only After Signing

To answer this one first has to clarify what kind of signatures the signature API in question creates, plain signature values (e.g. PKCS#1 RSA signatures) or full-fledged CMS signature containers.

If it creates full-fledged CMS signature containers, you can create signatures following arbitrary signature profiles as long as the signature containers follow the requirements for them (which they often do). They only restriction you have is that you cannot have information from the signer certificate in the signature visualization because that visualization is defined in the signed data of the PDF.

If it only creates plain signature values, the best you can do is create and embed simple CMS containers that don't contain pointers to the signer certificate in the signed attributes (if they have any signed attributes as all to start with). Many signature policies of interest do require such pointers, but at least Adobe Reader accepts signatures without.

If you are in this situation and want to try creating signatures with such simple signature containers, you may want to use the code from this answer, section "How to create a PDF signature without knowing the signer certificate early".

When to Use Deferred Signing

The difference between deferred signing and other iText signing calls is not that deferred signing requires less information (compared to ExternalContainer signing).

In contrast to the other iText signing methods, signDeferred re-uses the outermost existing, filled signature field of the PDF to sign and merely replaces the signature container therein.

The method name is derived from the most common use case it’s used for:

  • In a first step a signature field is (probably first created and then) filled using signExternalContainer with an IExternalSignatureContainer implementation that calculates the document hash to be signed but does not return the final CMS container yet, merely some (usually) empty array. The generated PDF with a filled signature field (albeit without the final signature container) is then temporarily stored (in the file system or a database).
  • In a second step a signature container for the determined document hash is requested and (probably asynchronously) awaited.
  • In a final step signDeferred is used to inject the retrieved signature container into the PDF prepared in the first step.

This deferred signing process usually is preferred in setups in which the second step, the signature container creation and retrieval, can take longer than one wants to keep the resources blocked which are required for the document in signing. This includes in particular signatures generated by remote servers or clients, especially if that signing process awaits some third party clearance or activation.