Question
I'm writing a service where I pre-sign a pdf file with an empty container, take a hash of a byte range from the pdf file and send it to another service, that will allow a user to sign the hash using a mobile phone. I get back a certificate that I will inject into the signature container in the pre-signed pdf file.
Everything works so far, except that I want to have visible signatures in the document. The visible signatures require the certificate to get information from it (like who signed it and when) but it seems that I need to add the visible signature before I actually sign it.
My question is therefore, is it possible to change the appearance of the signature within the document after signing it? The visible signature image seems to be outside the signed byte range of the document.
I am pre-signing the file with a blank container:
https://stackoverflow.com/questions/21410465
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianIExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ETSI_CADES_DETACHED);
MakeSignature.SignExternalContainer(_sap, external, 8192 * 2);
Where _sap is the SignatureAppearance from a stamper initialized the following way:
PdfStamper stamper = PdfStamper.CreateSignature(reader, baos, '\0', null, true);
The returning a hash of the byterange from the SignatureAppearance:
Stream data = _sap.GetRangeStream();
_hash = DigestAlgorithms.Digest(data, DigestAlgorithms.SHA1);
_hashStr = Convert.ToBase64String(_hash);
return _hashStr;
And then when I get the certification I create a custom container:
IExternalSignatureContainer container = new CustomContainer(cert);
MakeSignature.SignDeferred(reader, _signatureFieldName, baos, container);
The custom container doesn't do anything except to return the cert in it's public byte[] Sign(Stream data) method.
The signing itself works, the digital signatures are valid but I just need to change the text of the visible signature itself. I would think that it's possible, since the visible signature doesn't actually have anything to do with the certificate itself, it's just a convenience to display the name from the certificate, especially with multiple signatures.
Solution
You were right when you wrote: it seems that I need to add the visible signature before I actually sign it. You were wrong when you wrote: I would think that it's possible.
The appearance of the signature consists of dictionaries and streams stored in the PDF document. These objects are part of the bytes that are hashed and subsequently signed. You can't change these bytes without breaking the signature.
