I'm using ItextSharp for applying a digital signature to a PDF file. Using the code below I'm able to apply a signature to a PDF file and also able to validate the signature, but the signature validation mark is missing from the PDF file's signature box.

Code: iTextSharp (Runtime version = v2.0.50727) (Version = 5.5.10.0)

using System;
using System.IO;
using Org.BouncyCastle.Pkcs;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;

public class DigitalSignaturePDF
{
    public void DigiSignPdf(string sourceDocument,
        string destinationPath,
        Stream privateKeyStream,
        string keyPassword,
        string reason,
        string location,
        bool isVisibleSignature)
    {
        // Load the PKCS#12 store that holds the signing key and its certificate chain
        Pkcs12Store pk12 = new Pkcs12Store(privateKeyStream, keyPassword.ToCharArray());
        privateKeyStream.Dispose();

        // Iterate through the store entries to find the private key entry
        string alias = null;
        foreach (string tAlias in pk12.Aliases)
        {
            if (pk12.IsKeyEntry(tAlias))
            {
                alias = tAlias;
                break;
            }
        }
        if (alias == null)
        {
            throw new InvalidOperationException("The PKCS#12 store contains no private key entry.");
        }
        var pk = pk12.GetKey(alias).Key;

        // reader and stamper
        PdfReader reader = new PdfReader(sourceDocument);

        // FileMode.Create: FileMode.Append would write after any existing content and corrupt the PDF
        using (FileStream fout = new FileStream(destinationPath, FileMode.Create, FileAccess.Write))
        {
            using (PdfStamper stamper = PdfStamper.CreateSignature(reader, fout, '\0'))
            {
                // appearance
                PdfSignatureAppearance appearance = stamper.SignatureAppearance;
                appearance.Reason = reason;
                appearance.Location = location;
                if (isVisibleSignature)
                {
                    // Draw the signature box on the last page
                    appearance.SetVisibleSignature(new iTextSharp.text.Rectangle(20, 10, 170, 60), reader.NumberOfPages, null);
                }

                // Collect the whole certificate chain so it is embedded in the CMS signature
                X509CertificateEntry[] ce = pk12.GetCertificateChain(alias);
                Org.BouncyCastle.X509.X509Certificate[] chain;
                chain = new Org.BouncyCastle.X509.X509Certificate[ce.Length];
                for (int k = 0; k < ce.Length; ++k)
                {
                    chain[k] = ce[k].Certificate;
                }

                // digital signature: SHA-256 digest, detached CMS signature
                IExternalSignature es = new PrivateKeySignature(pk, "SHA-256");
                MakeSignature.SignDetached(appearance, es, chain, null, null, null, 0, CryptoStandard.CMS);

                stamper.Close();
            }
        }
        reader.Close();
        reader.Dispose();
    }
}

Output file (screenshot not reproduced): Signature is valid

As you can see in the above image, the validation mark is missing from the signature box.

But when I tried an older version of ItextSharp using the code below, it shows a green tick mark if the signature is valid and a yellow question mark if the signature is invalid.

Code: iTextSharp (Runtime version = v1.1.4322) (Version = 3.1.0.0)

// Method from the poster's signing class; this.inputPDF, this.outputPDF and
// this.myCert (with its Akp and Chain members) are fields of that class.
public void Sign(string SigReason, string SigContact, string SigLocation, bool visible)
{
    PdfReader reader = new PdfReader(this.inputPDF);
    // Old API: the last argument requests append mode (incremental update)
    PdfStamper st = PdfStamper.CreateSignature(reader, new FileStream(this.outputPDF, FileMode.Create, FileAccess.Write), '\0', null, true);
    PdfSignatureAppearance sap = st.SignatureAppearance;
    // SetCrypto is the legacy signing API of iTextSharp 3.x
    sap.SetCrypto(this.myCert.Akp, this.myCert.Chain, null, PdfSignatureAppearance.SELF_SIGNED);
    sap.Reason = SigReason;
    sap.Contact = SigContact;
    sap.Location = SigLocation;
    // Signature box on page 1 (the visible flag is not consulted in this version)
    sap.SetVisibleSignature(new iTextSharp.text.Rectangle(100, 100, 25, 15), 1, null);
    // Closing the stamper writes the signature and closes the output stream
    st.Close();
}

Output file (screenshot not reproduced): Signature is valid

In the above image a green tick mark is attached to the signature box, showing that the signature is valid.

Does anyone have any idea why the validation tick is missing when I'm using iTextSharp 5.5.10.0? What am I missing here?

Ashish Rathore

1 Answer

You are asking for something that is in violation of the most recent standards. Allow me to quote from PAdES-6 aka ETSI TS 102 778-6 V1.1.1 (see the intro of chapter 6):

A conforming signature handler **shall not** display the result of the signature validation inside the page content.

NOTE: The conforming signature handler will use off-page display to present the verification result

The words in bold are also bold in the PAdES-6 standard. When an official standard uses the words "should not", the spec tells you that you should not do something, but if you do it anyway, you are not in violation of the standard. However, when an official standard uses the words "shall not", the spec tells you that you mustn't do something, because if you do, you violate the standard.

In short: the signatures you used to create with iTextSharp 3.1.0.0 aren't conforming signatures anymore. Many years ago, they were fine, but today, those signatures are no longer valid. We have warned about using old iText and iTextSharp versions for signing PDF documents many times (see among others: Are PDF Signatures shattered?).

It seems that you now want a version of iTextSharp that is up-to-date with the current standards (PAdES and ISO-32000-2) to create a signature that is invalid according to those same standards. I hope you understand that this would be completely wrong.

I also hope that you understand that the iTextSharp 3.1.0.0 code sample you shared creates a signature that uses deprecated algorithms. If that code is still in use, you should inform your customer that all the documents that he signs with that code are no longer safe.

Bruno Lowagie
  • Furthermore, even the old standard ISO 32000-1 did not specify any such "validation marks", they are a deprecated feature used by Adobe in the old days when there was no PDF standard. See also [this answer](https://stackoverflow.com/a/40391641/1729265). I'm tempted to mark the question here a duplicate of that one even though it was asked in the context of PDFBox. – mkl Jun 16 '17 at 16:37
  • Thank you @mkl for the pointer to your previous answer, I hammered this question as a duplicate. – Bruno Lowagie Jun 17 '17 at 08:41
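Since a conforming handler reports validation off-page, the application-side equivalent is a programmatic check rather than a mark drawn into the page. The following is an added example (not code from the question, the answer or the iText project) using the iTextSharp 5.5.x verification API; `SignatureReport` and `Print` are names assumed here, and chain trust and revocation checks are deliberately left out.

```csharp
using System;
using System.Collections.Generic;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;

// Hypothetical helper: prints an off-page validation report for every
// signature field in a PDF, using the iTextSharp 5.5.x API.
public static class SignatureReport
{
    public static void Print(string signedPdfPath)
    {
        using (PdfReader reader = new PdfReader(signedPdfPath))
        {
            AcroFields fields = reader.AcroFields;
            List<string> names = fields.GetSignatureNames();
            if (names.Count == 0)
            {
                Console.WriteLine("No signatures found.");
                return;
            }
            foreach (string name in names)
            {
                // Parses the CMS container and checks the digest over the signed byte range
                PdfPKCS7 pkcs7 = fields.VerifySignature(name);
                bool integrityOk = pkcs7.Verify();
                // A signature that does not cover the whole file means further revisions
                // were appended after signing; those changes need separate inspection
                bool coversAll = fields.SignatureCoversWholeDocument(name);

                Console.WriteLine("Signature field : {0}", name);
                Console.WriteLine("  Integrity OK   : {0}", integrityOk);
                Console.WriteLine("  Covers document: {0} (revision {1} of {2})",
                    coversAll, fields.GetRevision(name), fields.TotalRevisions);
                Console.WriteLine("  Digest / enc.  : {0} / {1}",
                    pkcs7.GetHashAlgorithm(), pkcs7.GetEncryptionAlgorithm());
                Console.WriteLine("  Signer CN      : {0}",
                    CertificateInfo.GetSubjectFields(pkcs7.SigningCertificate).GetField("CN"));
                Console.WriteLine("  Signed on      : {0:u}", pkcs7.SignDate);
                // Not done here: validating the signer's chain against a trust store and
                // checking revocation; a verifier must do both before trusting the result.
            }
        }
    }
}
```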