Strategy for signing PDF

[TheRookster]

Hello, I'm trying to incorporate smart card PDF signatures into a C# Blazor web application with Fortify. I've made some good progress, but I can't quite figure out how to put it all together.

At a high level, the program flow is the following:

• Load PDF from file into memory
• "Reserve" the signature block by signing an existing signature field with a blank IExternalSignatureContainer (which calculates the SHA256 hash/digest). I'm using iText 7 for the PDF operations btw
• Pass the digest to Fortify and sign it similar to the example here: [https://fortifyapp.com/examples/signing/]
• Pass the CMS created by Fortify and apply it to the PDF memorystream prepared above using PdfSigner.SignDeferred
• Save the PDF to file

This produces a PDF signed with a certificate and chain that passes validation, however...something's not quite right: "The document has been altered or corrupted since the Signature was applied".

I suspect I'm not getting the correct hash/digest when creating the CMS. Or I am misunderstanding the process for reserving the signature and applying it.

Does anyone have a high level suggestion or observation to point me in the right direction? Sorry for being vague at this point, but I wanted to start by sanity checking my workflow/process before getting bogged down in code.

Thanks in advance.

[rmhrisk]

It sounds like you have an issue in what was signed rather than the signing itself.

We have our own libraries we use for this but they are not currently available to the public. The best external resource I am aware of for doing the PDF aspects of the work is this project:

https://github.com/vbuch/node-signpdf

A guess is that you are passing hash rather than data and that webcrypto commuting hash on a signing producing an invalid signature as a result

[TheRookster]

Thanks, I am reviewing this information.

One thing that puzzles me is that when I examine my test PDF in iText it appears to be valid all around. But then again, I only have half of an idea what I am doing :)

var su = new SignatureUtil(pdfDocument);

//all true
var se = su.DoesSignatureFieldExist("cacSig");
var vs = su.ReadSignatureData("cacSig");
var ia = vs.VerifySignatureIntegrityAndAuthenticity();
var sa = su.SignatureCoversWholeDocument("cacSig");

[rmhrisk]

That suggests the signature is good but the certificate isn't trusted or the chain isn't present.

[TheRookster]

You were correct that I was passing the document hash to Fortify. I have changed this around to using the prepared document bytes and happily I am now getting a valid signature!

I need to investigate a couple points with a fresh mind tomorrow:

• The graphical signature block itself does not display the subject name.
• Size of the pdf increased dramatically (500kb to 2.5mb). When I sign the same document natively in Acrobat the file size does not increase like this. Whether this is due to iText or just expected behavior I don't know. I need to read up on this.

Thanks again for your time and guidance.

(apologies for the paranoid redactions)

[rmhrisk]

Are you familiar with our Hancock.ink product? It can handle all the PDF and token integration for you.

[TheRookster]

Due to restrictions/policies at work I'm not sure this would be feasible, but it is on my radar.