DigitalSignature | sample application allowing to generate | Document Editor library

In a comment you mention that you get

signature length = 10721

in the log files and that you

didn't set any preferred size

By default PDFBox reserves 0x2500 bytes for the signature. That's 9472 bytes decimally. Thus, just like the exception says, there's not enough space.

You can set the size PDFBox reserves for the signature by using a SignatureOptions object during document.addSignature:

You are looking for the PEM format, but the function provides DER.

From the docs:

"To convert the return value to PEM format, make a string consisting of -----BEGIN CERTIFICATE REQUEST-----, a newline, the Base-64-encoded representation of the request (by convention, linewrapped at 64 characters), a newline, and -----END CERTIFICATE REQUEST-----."

So what you need is

How can I import the cert + private key without resorting to this awkward workaround?

By creating the key as a persisted key to begin with.

As mkl said custom signature container implementing IExternalSignatureContainer works well. Here's class example from PrivateKeySignatureContainerBC:

What am I missing for MS Edge? I

The certificate does not contain any subject alternative names, which makes it invalid for Edge and Chrome. There is an attempt to specify these information, but the attempt is wrong.

I created a selfsigned certificate following this tutorial.

Looks like this tutorial is broken.

openssl x509 -req ... -extensions "authorityKeyIdentifier ... subjectAltName=DNA:localhost"

The -extension command line option is used to give the name of an extension section in a configuration file and not the extensions itself. Additionally the subjectAltName should be DNS:... not DNA:....

To fix create an extension file my.ext which includes the extensions you want to use:

Self-signed certificates aren't considered trustworthy unless you tell machines to trust them. Because cybercreeps.

To make your self-signed certificate trusted by a Windows machine, you must import it into the Trusted Root Certification Authority / Certificates location in the machine's certificate store. There are plenty of tutorials out there to walk you through this. Look for "How to install a self-signed certificate on Windows".

For the validity duration problem: Add -NotAfter (Get-Date).AddYears(10) to your command line if you want a self-signed certificate good for ten years.

Docs here.

COMMON GOALS

It can be useful to run with SSL locally, and I like to start with real world URLs. This can also help you to think ahead to your production deployment design, which often involves a Private PKI these days, based on a self issued Root CA.

Web and API domains can sometimes be related these days, eg if an API issues secure cookies for the web origin. So for localhost development I first define URLs such as these:

• https://api.mycompany.com
• https://web.mycompany.com

DEVELOPER SETUP

Then add entries such as this to my hosts file:

Just like @mval mentioned in a comment, iText uses the public key algorithm OID as signature algorithm OID.

In case of RSA that is ok as here the same OID is specified for a RSA key and for RSASSA (with PKCS#1 v1.5 padding).

This is not the case for ECDSA, so eSignature DSS complains. Adobe Acrobat (Reader) on the other hand is very lax. It actually ignores the signature algorithm OID field, you could even have an ECDSA signature with the RSA OID in that field and the current Acrobat wouldn't complain.

To fix this use an IExternalSignatureContainer implementation instead of an IExternalSignature implementation and call MakeSignature.SignExternalContainer instead of MakeSignature.SignDetached. In your IExternalSignatureContainer implementation you can use BouncyCastle or Windows Crypto API classes to create a CMS signature container.

Other questions related to incorrect signature algorithm OIDs in respect to iText:

• ECDSA signed PDF fails signature verification with iText 7 (C#), but succeeds with Adobe Reader DC
• C# Itext7 signed pdf signature is invalid in Foxit PDF Reqader but valid in Acrobat reader

You can't do this. In order to use client certificate for subsequent cryptographic operations (like signing or decryption), you need a client's private key. However, client never sends its private key. Client's private key must never leave client machine. Your entire approach is non-working. Here is the relevant thread with a bit deeper explanation: Open X509 Certificates Selection Using USB Token in C# Hosted on IIS

What you can do is to move signing process to client side (execute in browser), but this approach has its own issues, like you will have to download entire PDF to client browser, sign somehow and then upload back to server.