pkcs7 | Implements a subset of PKCS # 7/Crytpographic Message

GCM is a stream cipher mode and therefore does not require padding. During encryption, an authentication tag is implicitly generated, which is used for authentication during decryption. Also, an IV/nonce of 12 bytes is recommended for GCM.

The posted Python code unnecessarily pads and doesn't take the authentication tag into account, unlike the JavaScript code, which may be the main reason for the different ciphertexts. Whether this is the only reason and whether the JavaScript code implements GCM correctly, is difficult to say, since the getMessageEncoding() method was not posted, so testing this was not possible.

Also, both codes apply a 16 bytes IV/nonce instead of the recommended 12 bytes IV/nonce.

Cryptography offers two possible implementations for GCM. One implementation uses the architecture of the non-authenticating modes like CBC. The posted Python code applies this design, but does not take authentication into account and therefore implements GCM incompletely. A correct example for this design can be found here.
Cryptography generally recommends the other approach for GCM (s. the Danger note), namely the AESGCM class, which performs implicit authentication so that this cannot be accidentally forgotten or incorrectly implemented.

The following implementation uses the AESGCM class (and also takes into account the optional additional authenticated data):

The referenced Python code uses P-384 (aka secp384r1) as elliptic curve. This is compatible with the WebCrypto API, which supports three curves P-256 (aka secp256r1), P-384 and P-521 (aka secp521r1), see EcKeyImportParams.

The following WebCrypto code generates a shared secret using ECDH and derives an AES key from the shared secret using HKDF. In detail the following happens:

• To allow comparison of the derived key with that of the referenced Python code, predefined EC keys are applied. The private key is imported as PKCS#8, the public key as X.509/SPKI. Note that due to a Firefox bug concerning the import of EC keys, the script below cannot be run in the Firefox browser.
• After the import the shared secret is created with ECDH using deriveBits() (and not deriveKey()).
• The shared secret is imported with importKey() and then the AES key is derived using HKDF, again with deriveBits().

The VB code derives the key from the passhprase with MD5. TripleDES (aka 3DES) with a 16 bytes key (2TDEA) is used as the algorithm. ECB is applied as the mode. A possible decryption with CryptoJS is:

The issue is that your pip version is too old to install one of this project's subdependencies, cryptography, which is using newer features.

Upgrading pip with the following will make it possible to install this package:

In your architecture you have a ByteArrayOutputStream parameter in which you retrieve the pdf to LTV-enable and in which you also in the end return the LTV-enabled result pdf.

In such an architecture have to clear the ByteArrayOutputStream between retrieving the original content from it and adding the new content to it.

In your case, therefore, you have to clear it between

When calculating the hash of the to-be-signed attributes, you use the then current time as value of the signing time attribute:

"First 16 characters wrong; everything else looks good" typically means you got the IV wrong.

Everything in the code you provided looks legit; I suspect that the caller to decrypt is not passing the correct IV value.

As stated in my comment above, there is an error in your code that is not visible because you hide the exceptions with an empty catch block. The exception is a NotSupportedException and the message is

FlushFinalBlock() method was called twice on a CryptoStream. It can only be called once

The encryption works fine with text files that are under 1024 bytes in length but any file (also text files) with a larger size will crash because the code tries to call two or more time the cryptoStream.FlushFinalBlock();

So, I have tested this change to your code and it works

You add one OCSP response, the one you retrieve here: