
I want to place the same externally signed signature container (signature value) at multiple places in a PDF.

I have referred to the page 'How to place the Same Digital signatures to Multiple places in PDF using itextsharp.net'.

While working with the above-mentioned workaround, I observed that whenever I tried to place multiple signatures on a single page, like 4-5 times, it never worked. It always shows only one valid signature field and the other fields as unsigned (unsigned PDF form fields). So I couldn't understand the problem.

Now I wanted to know whether any reference material is available to see how PdfLiteral and PdfIndirectReference work. I have gone through the itextsharp reference document but couldn't get enough information. In addition to this, is there any limitation on how many annotations/signature fields one can add in a PDF? And if I have to use BlankSignatureContainer and MakeSignature.SignDeferred, then how will the signature get attached to all the fields, because in

`MakeSignature.SignDeferred(pdfreader, "Sig", output, externalcontainer)`

we have to pass only one signature field name.

Thank you.

Ktan

1 Answer

You are asking for something of which mkl wrote:

> Beware: While this procedure creates something which does not violate the letter of the PDF specifications (which only forbid the cases where the same field object is referenced from multiple pages, be it via the same or via distinct widgets), it clearly does violate its intent, its spirit. Thus, this procedure might also become forbidden as part of a Corrigenda document for the specification.

Actually, what you are asking does violate the specification. See section 12.7.5.5 of the ISO standard for PDF:

[Screenshot of section 12.7.5.5]

Allow me to repeat the last line of this screen shot:

> signature fields shall never refer to more than one annotation.

There is a shall in this sentence, not a should. A should isn't normative. It means that you should or shouldn't do something, but that you are not in violation of the spec if you don't or do. Not respecting a shall results in a PDF document that is in violation of the PDF specification, and that in the strict sense isn't a real PDF file.

That is a path you don't want to go, because being in violation of the PDF specification voids your right to use a series of PDF patents owned by Adobe. Adobe owns patents that can be used by everyone for free (perpetual, non-exclusive, royalty-free,...) on condition that you respect the ISO specification.

For that reason, please do not expect an answer to your question, except for the recommendation to abandon your requirement. PDF viewers that comply with the PDF specification won't expect a single signature to be placed at different locations because that's not allowed by the spec, so even if you would adapt your software to create more than one widget annotation / appearance for a single signature field, there is no guarantee that a PDF viewer will understand what you're trying to do.

Bruno Lowagie
  • Noted. Will try to convince people over here. If possible, can you please let me know why it behaves like mentioned above, 'whenever I tried to place multiple signatures on single page like 4-5 times, it never worked'.. this is with respect to the workaround provided by mkl – Ktan Mar 23 '18 at 11:34
  • "It never worked" is [too cryptic to comment on](http://lowagie.com/doesntwork). My guess: PDF viewers adapted to the spec and no longer show the additional widgets. In any case: there is no reason why it should ever work. – Bruno Lowagie Mar 23 '18 at 11:48
  • OK. Actually I had explained the problem in original question saying 'Always shows only one valid signature field and other fields as unsigned (unsigned PDF form fields).' All signatures are valid when any page has 2-3 signature fields. If it goes more than that then only one field gets the signature and others remain unsigned. – Ktan Mar 23 '18 at 12:05
  • And is there any reference material available to see how PdfLiteral and PdfIndirectReference work in itextsharp? – Ktan Mar 23 '18 at 12:06
  • Probably, but iTextSharp is old (version 5 or earlier). The current version is iText 7. If you still want support for old versions, you need to get a support contract. – Bruno Lowagie Mar 23 '18 at 12:30
  • @BrunoLowagie Your quote of me was from a somewhat interesting context, the OP in the associated question *did* follow the "signature fields shall never refer to more than one annotation" requirement by simply creating multiple signature fields referring to the same value dictionary. This way each signature *field* indeed referred to not more than one annotation... For that reason my estimation that the result was allowed by the letter but not by the intent of the specification. – mkl Mar 23 '18 at 13:03
  • @Ktan *"'whenever I tried to place multiple signatures on single page like 4-5 times, it never worked'.. this is with respect to the work around provided by mkl"* - the code in my answer there does work (or it at least did at the time I wrote the answer) but it is very sensitive to small changes of the use case. E.g. the predicted object numbers depend on the use case adding exactly one field per page. Your use case of "placing multiple signatures on single page" would require different object number predictions. – mkl Mar 23 '18 at 13:14
  • @mkl precisely for that I wanted to understand how PdfLiteral and PdfIndirectReference work. Because it seemed to me that whenever the predictions/size is relatively close to the actual signature size, it worked. So is there any way to work out the predictions? Any reference material? or anything you might be able to suggest. – Ktan Mar 23 '18 at 13:49
  • OK @mkl I didn't fully read that answer. I just looked at the intention: one signature visualized on different places. If you create different signature fields then indeed: it should work (but it's kind of madness to do this). Questions about `PdfLiteral` and `PdfIndirectReference` aren't questions that can be answered on a forum such as Stack Overflow, unless you have 100% certainty that the person asking the question knows ISO 32000 inside-out. – Bruno Lowagie Mar 23 '18 at 13:55
  • @BrunoLowagie *"it should work (but it's kind of madness to do this)"* - Yes, it was a nice riddle... ;) – mkl Mar 23 '18 at 13:57
  • @Ktan An indirect reference references an indirect PDF object, i.e. an object that has been given an object number by which it can be referenced. In the context at hand one has to predict how many new indirect object numbers will be issued until iText code will request the indirect object number for the signature value object. As meanwhile edited into that referenced question, this prediction process is very delicate. Because of that it was fun to make a proof-of-concept run, but the process is too brittle to actually use it in production code with a clear conscience. – mkl Mar 23 '18 at 14:13
  • @mkl Regarding another query mentioned in question, will this work with [MakeSignature.SignDeferred(pdfreader, "Sig", output, externalcontainer)] and [ExternalBlankSignatureContainer] because here we have to give signature field name.. – Ktan Mar 23 '18 at 17:17
  • You can set the name as last parameter of `appearance.SetVisibleSignature`. In my poc code that parameter is `null` which creates a new signature name. – mkl Mar 24 '18 at 18:30
  • @mkl I tried that option along with moving the modifyDictionary code to ExternalBlankSignatureContainer class instead of IExternalSignatureContainer class but with no success. I made changes as below... //create signature `appearance.SetVisibleSignature(new Rectangle( 120, 200, 60, 250), 1, "Sig");` `IExternalSignatureContainer ext = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1,appearance,chain);//changes in Modify dictionary method` `MakeSignature.SignExternalContainer(appearance, ext, 8192);` – Ktan Mar 24 '18 at 20:39
  • //then //gets the hash of document and get it sign externally //embed signature `IExternalSignatureContainer external = new MyExternalSignatureContainer(signedBytes); //returns or sets the signed bytes` `MakeSignature.SignDeferred(reader, "Sig", os, external);` – Ktan Mar 24 '18 at 20:41
  • It gives an invalid signature. Am I missing something? Or can it happen due to wrong decoding of the CMS container which I am trying to embed.. – Ktan Mar 24 '18 at 20:46
  • @Ktan Please don't put code (unless it's a short one-liner) into comments, that's very hard to read. Instead edit your answer to reflect the current state of your efforts. That being said, I see you use `ADBE_PKCS7_SHA1`. This implies that you want to bring insecurity to your customer. Consider using mechanisms that can be taken seriously. – mkl Mar 27 '18 at 05:56
  • Indeed: you are using an old version of iText. Today, the use of `ADBE_PKCS7_SHA1` is forbidden in ISO 32000-2. You're acting as if we're still in 2008. That's 10 years ago. Digital signature functionality has evolved. – Bruno Lowagie Mar 27 '18 at 06:27
  • My bad.. I should have cross checked it. Anyway thank you for all pointers. At least now I got an idea of what can be done and what not.. – Ktan Mar 28 '18 at 05:15
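
A verification-side check for the structures discussed in this thread, as an added example that is not part of the original posts or of iText: it scans uncompressed PDF object syntax for signature fields with more than one widget in `/Kids` (the section 12.7.5.5 rule), for several signature fields sharing one `/V` value object (the workaround), and for fields left without a value. The regex scan, the function names and the sample objects are constructed for illustration; files using object streams or incremental updates need a full PDF parser.

```python
import re
from collections import defaultdict

# Constructed sample: uncompressed object bodies, not a complete PDF file.
SAMPLE = b"""5 0 obj
<< /FT /Sig /T (Sig1) /Subtype /Widget /V 9 0 R >>
endobj
6 0 obj
<< /FT /Sig /T (Sig2) /Subtype /Widget /V 9 0 R >>
endobj
7 0 obj
<< /FT /Sig /T (Sig3) /Kids [10 0 R 11 0 R] /V 12 0 R >>
endobj
8 0 obj
<< /FT /Sig /T (Sig4) /Subtype /Widget >>
endobj
9 0 obj
<< /Type /Sig /SubFilter /adbe.pkcs7.detached >>
endobj
"""

OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
REF = re.compile(rb"\d+\s+\d+\s+R\b")

def signature_fields(pdf):
    """Map field name -> (value object number or None, widget count)."""
    fields = {}
    for m in OBJ.finditer(pdf):
        body = m.group(2)
        if not re.search(rb"/FT\s*/Sig\b", body):
            continue
        name = re.search(rb"/T\s*\((.*?)\)", body)
        value = re.search(rb"/V\s+(\d+)\s+\d+\s+R\b", body)  # indirect /V only
        kids = re.search(rb"/Kids\s*\[(.*?)\]", body, re.S)
        key = name.group(1).decode("latin-1") if name else "obj %s" % m.group(1).decode()
        # A field without /Kids is merged with its single widget annotation.
        widgets = len(REF.findall(kids.group(1))) if kids else 1
        fields[key] = (int(value.group(1)) if value else None, widgets)
    return fields

def audit(pdf):
    """Report multi-widget fields, shared value objects and unsigned fields."""
    fields = signature_fields(pdf)
    by_value = defaultdict(list)
    for name, (value, _) in fields.items():
        if value is not None:
            by_value[value].append(name)
    return {
        "multi_widget": sorted(n for n, (_, w) in fields.items() if w > 1),
        "shared_value": {v: sorted(ns) for v, ns in by_value.items() if len(ns) > 1},
        "unsigned": sorted(n for n, (v, _) in fields.items() if v is None),
    }
```

On the constructed sample, `audit(SAMPLE)` flags `Sig3` for having two widgets, `Sig1` and `Sig2` for pointing at the same value object 9, and `Sig4` as a signature field with no value, which is the symptom described in the question.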