
I am trying to implement signing a PDF with an external signature web service in iText. I used the Client-Server-Signing example provided by iText (https://raw.githubusercontent.com/itext/i5ns-tutorial/master/signatures/chapter4/C4_07_ClientServerSigning/C4_07_ClientServerSigning.cs) as a blueprint.

public class ServerSignature : IExternalSignature
{
    public String GetHashAlgorithm()
    {
        return DigestAlgorithms.SHA256;
    }

    public String GetEncryptionAlgorithm()
    {
        return "ECDSA";
        //return "1.2.840.10045.4.3.2";
    }

    public byte[] Sign(byte[] message)
    {
        string base64encodedMessage = Convert.ToBase64String(message);

        // upload base64encodedMessage to the web service (request below);
        // signatureValueFromWebServiceResponse holds the dsig:SignatureValue text of the response

        return Convert.FromBase64String(signatureValueFromWebServiceResponse);
    }
}

In the method public byte[] Sign(byte[] message) I upload the received message to a web service using the following request:

<?xml version='1.0' encoding='UTF-8'?>
<CreateXMLSignatureRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'>
    <KeyboxIdentifier>SecureSignatureKeypair</KeyboxIdentifier>
    <DataObjectInfo Structure='detached'>
        <DataObject>
            <Base64Content>_BASE_64_ENCODED_MESSAGE_GOES_HERE_</Base64Content>
        </DataObject>
        <TransformsInfo>
            <FinalDataMetaInfo>
                <MimeType>application/octet-stream</MimeType>
            </FinalDataMetaInfo>
        </TransformsInfo>
    </DataObjectInfo>
</CreateXMLSignatureRequest>

From the received response I return the base64-decoded value of dsig:SignatureValue, but the signature in the resulting PDF is invalid.

<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<sl:CreateXMLSignatureResponse xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
            <dsig:Reference Id="reference-1-1" URI="#signed-data-1-1">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                        <xpf:XPath xmlns:xpf="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">id('signed-data-1-1')/node()</xpf:XPath>
                    </dsig:Transform>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64"/>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <dsig:DigestValue>7jsgSqDrGHnQkoM4DbxMl8zrw2uOPDCKssM40dbsnG4=</dsig:DigestValue>
            </dsig:Reference>
            <dsig:Reference Id="etsi-data-reference-1-1" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties" URI="">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                        <xpf:XPath xmlns:xpf="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect" xmlns:etsi="http://uri.etsi.org/01903/v1.1.1#">//*[@Id='etsi-signed-1-1']/etsi:QualifyingProperties/etsi:SignedProperties</xpf:XPath>
                    </dsig:Transform>
                </dsig:Transforms>
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <dsig:DigestValue>AJjWF42gp3Tqlm1e48cFpEag6qimlxxNLJCN3ifdILo=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>OOf0hDYe3iviLhhI+ILVzDBMdFe81dyQ9wvGlJoPqK8x8EJ307sNhf6Ek+tG769BB5dwc4cfdA+FdImq32zCrw==</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:X509Data>
                <dsig:X509Certificate>MIIFm[...]RLIq62uftJSg==</dsig:X509Certificate>
            </dsig:X509Data>
        </dsig:KeyInfo>
        <dsig:Object Id="signed-data-1-1">MYGRMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwLwYJKoZIhvcNAQkEMSIEIKIfaQzzGO9vOx1dur+Rj8cLeE2YGq/0a3yiOSrhOPIyMEQGCyqGSIb3DQEJEAIvMTUwMzAxMC8wCwYJYIZIAWUDBAIBBCAr+qi8RnPA0LmY6f0eQiHiJSypOC4h8FIOOPMMN9TFsA==</dsig:Object>
        <dsig:Object Id="etsi-signed-1-1">
            <etsi:QualifyingProperties xmlns:etsi="http://uri.etsi.org/01903/v1.1.1#" Target="#signature-1-1">
                <etsi:SignedProperties>
                    <etsi:SignedSignatureProperties>
                        <etsi:SigningTime>2019-11-10T23:00:45Z</etsi:SigningTime>
                        <etsi:SigningCertificate>
                            <etsi:Cert>
                                <etsi:CertDigest>
                                    <etsi:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <etsi:DigestValue>2wlg8N3c1NxfsP3JJs9V/VJevH8=</etsi:DigestValue>
                                </etsi:CertDigest>
                                <etsi:IssuerSerial>
                                    <dsig:X509IssuerName>CN=a-sign-premium-mobile-05,OU=a-sign-premium-mobile-05,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT</dsig:X509IssuerName>
                                    <dsig:X509SerialNumber>548505616</dsig:X509SerialNumber>
                                </etsi:IssuerSerial>
                            </etsi:Cert>
                        </etsi:SigningCertificate>
                        <etsi:SignaturePolicyIdentifier>
                            <etsi:SignaturePolicyImplied/>
                        </etsi:SignaturePolicyIdentifier>
                    </etsi:SignedSignatureProperties>
                    <etsi:SignedDataObjectProperties>
                        <etsi:DataObjectFormat ObjectReference="#reference-1-1">
                            <etsi:MimeType>application/octet-stream</etsi:MimeType>
                        </etsi:DataObjectFormat>
                    </etsi:SignedDataObjectProperties>
                </etsi:SignedProperties>
            </etsi:QualifyingProperties>
        </dsig:Object>
    </dsig:Signature>
</sl:CreateXMLSignatureResponse>

Does anybody know how I need to modify my code to generate validly signed PDFs?

Markus1980Wien

1 Answer

If I see that correctly (I'm not that good with XML signatures, I'm more into CMS signatures), your XML signature signs two chunks of data,

  • first the content of the dsig:Object with ID signed-data-1-1, base64-decoded, and
  • then the etsi:SignedProperties in the dsig:Object with ID etsi-signed-1-1.

For the use case at hand, though, you'd need a signature of only the first part. But I doubt the signing service request for an XML signature (you use CreateXMLSignatureRequest after all) will allow you to not include any XML meta information at all.

I'd propose you instead try to use CreateCMSSignatureRequest to create a CMS signature container which you can embed completely into the PDF using iText 7. Beware, you'll need an IExternalSignatureContainer implementation instead of the IExternalSignature above.

Depending on the exact signature type you want you may try and execute the CreateCMSSignatureRequest call with PAdESCompatibility set to true.

You may want to take a look at Die österreichische Bürgerkarte and in particular the Schnittstellenspezifikation.

mkl
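As an added check, not the asker's code nor anything from the Bürgerkarte service (Python, runs offline): it parses the response above and reports what the ECDSA signature actually covers and in which form, which is why returning its SignatureValue from Sign() cannot yield a valid PDF signature. The response is cut down to the elements the check reads.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample: the response above, cut down to the elements this check reads.
RESPONSE = """<sl:CreateXMLSignatureResponse xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
 <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1">
  <dsig:SignedInfo>
   <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
   <dsig:Reference Id="reference-1-1" URI="#signed-data-1-1">
    <dsig:DigestValue>7jsgSqDrGHnQkoM4DbxMl8zrw2uOPDCKssM40dbsnG4=</dsig:DigestValue>
   </dsig:Reference>
   <dsig:Reference Id="etsi-data-reference-1-1" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties" URI="">
    <dsig:DigestValue>AJjWF42gp3Tqlm1e48cFpEag6qimlxxNLJCN3ifdILo=</dsig:DigestValue>
   </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>OOf0hDYe3iviLhhI+ILVzDBMdFe81dyQ9wvGlJoPqK8x8EJ307sNhf6Ek+tG769BB5dwc4cfdA+FdImq32zCrw==</dsig:SignatureValue>
  <dsig:Object Id="signed-data-1-1">MYGRMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwLwYJKoZIhvcNAQkEMSIEIKIfaQzzGO9vOx1dur+Rj8cLeE2YGq/0a3yiOSrhOPIyMEQGCyqGSIb3DQEJEAIvMTUwMzAxMC8wCwYJYIZIAWUDBAIBBCAr+qi8RnPA0LmY6f0eQiHiJSypOC4h8FIOOPMMN9TFsA==</dsig:Object>
 </dsig:Signature>
</sl:CreateXMLSignatureResponse>"""

def analyse(xml_text):
    sig = ET.fromstring(xml_text).find(DSIG + "Signature")
    refs = list(sig.iter(DSIG + "Reference"))
    # Reference 1 ends in the base64 transform, so its digest input is the decoded
    # Object text, i.e. the message the asker uploaded in Base64Content.
    obj = sig.find(DSIG + "Object[@Id='signed-data-1-1']")
    message = base64.b64decode(obj.text)
    expected = refs[0].findtext(DSIG + "DigestValue")
    digest_matches = base64.b64encode(hashlib.sha256(message).digest()).decode() == expected
    sig_value = base64.b64decode(sig.findtext(DSIG + "SignatureValue"))
    return {
        # The ECDSA signature covers SignedInfo with both references, never the
        # message alone, so it cannot verify as the PDF's CMS signature value.
        "references": [(r.get("URI"), r.get("Type")) for r in refs],
        "message_len": len(message),
        # iText hands Sign() the DER-encoded CMS signedAttrs: a SET (tag 0x31).
        "message_is_der_set": message[0] == 0x31,
        "message_digest_matches": digest_matches,
        # XMLDSig ecdsa-sha256 emits r||s (64 bytes for a 256-bit curve);
        # CMS expects a DER SEQUENCE (tag 0x30) of the two INTEGERs.
        "sig_len": len(sig_value),
        "sig_is_der_seq": sig_value[0] == 0x30,
    }

if __name__ == "__main__":
    for k, v in analyse(RESPONSE).items():
        print(f"{k}: {v}")
```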