pade | Fourier transform using the method of Padé approximants | Video Utils library

The problem is the following:

The PAdES norm ETSI EN 319 142 characterizes

PAdES signatures profiled in the present document build on PDF signatures specified in ISO 32000-1 with an alternative signature encoding to support digital signature formats equivalent to the signature format CAdES.

The PDF norm ISO 32000-1 characterizes

ISO 32000 specifies a digital form for representing documents called the Portable Document Format or usually referred to as PDF. PDF was developed and specified by Adobe Systems Incorporated beginning in 1993 and continuing until 2007 when this ISO standard was prepared. The Adobe Systems version PDF 1.7 is the basis for this ISO 32000 edition. The specifications for PDF are backward inclusive, meaning that PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6. It should be noted that where Adobe removed certain features of PDF from their standard, they too are not contained herein.

(This may sound a bit confusing, on one hand PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6, on the other hand Adobe removed certain features of PDF from their standard. Indeed, some features were removed but I don't believe your PDF 1.4 files are affected.)

Thus, a PDF file like yours claiming a version 1.4 also is a PDF 1.7 by backward inclusiveness and as such can get signed by PAdES signatures.

Thus, yes, PDF 1.4 files can (technically) validly be signed with PAdES signatures. (Unless, obviously, your files explicitly disallow this.)

(Actually one can also view PAdES signatures as adopted in ISO 32000-2; in this case your PDF 1.4 files by backward inclusiveness are also PDF 2.0 and as such can be signed using PAdES signatures as specified there.)

You also enquire about legal aspects. First of all, I am not a lawyer, so don't consider this formal legal consultation.

To start with, though, you have to make clear in which legal system you want to investigate legal validity.

While PAdES originally has been defined in the context of European Union signature regulations, a number of other countries also adopted PAdES as standard for their preferred PDF signatures.

So: Are you wondering about validity as signatures in the context of EU eIDAS signatures? Are you considering specific regulations of EU member states? Or are you wondering about the situation in other countries outside the EU?

In the EU your PAdES signatures should be generally accepted. Even though there may be some member state special regulations in specific contexts, they should only influence your choice of the PAdES profile you request for your signatures from DSS, they should not render your PDF 1.4 source PDFs unusable for PAdES signing.

I don't know specifics about non-EU legal systems with a PAdES preference. But I indeed would be surprised if any would be bothered by your PDFs being PDF 1.4.

In comments the question arose whether the signed file is also still a valid PDF 1.4 and if not whether the version 1.4 in the file header would be a concern.

Obviously PDF 1.4 does not know the details of the PAdES signature encodings. Fortunately, though, the PDF Reference 1.4 actually does not know any specific signature encoding at all! Thus, no signature encoding is invalid as long as it follows the very few rules present in the PDF 1.4 reference, and PAdES signatures do so.

Furthermore, the PDF 1.4 reference allows

A PDF producer or Acrobat plug-in extension may also add keys to any PDF object that is implemented as a dictionary, except the file trailer dictionary (see Section 3.4.4, “File Trailer”).

Thus, any keys added while applying the PAdES signature which are not defined in PDF 1.4 are harmless.

Thus, the PDF 1.4 files with PAdES signatures added are also still valid PDF 1.4 files. Obviously, though, a plain PDF 1.4 viewer does not know how to validate the PAdES signatures. But as it does not know how to validate any signatures at all, that's of no concern.

You use the DefaultSignedAttributeTableGenerator:

There are multiple issues in the PDF, both in the originally signed PDF and your additions.

You imply that before extending your signed PDF using appendVri validates just fine. I cannot reproduce this.

I extracted that originally signed PDF from your shared PDF by truncating to 67127 bytes, and already for that file I get the Error during signature verification. PKCS7 parsing error: Incorrect version. Thus, this issue already is in your PDF before extension.

The actual problem also becomes clear in the error message: Incorrect version. Let's look at the start of a ASN.1 dump of the embedded CMS container:

It is certainly possible to compute cosine on [0, π] with any desired error bound >= 0.5 ulp using just native precision operations. However, the closer the target is to a correctly rounded function, the more up-front design work and computational work at runtime is required.

Transcendental functions implementations typically consist of argument reduction, core approximation(s), final fixup to counteract the argument reduction. In cases where the argument reduction involves subtraction, catastrophic cancellation needs to be avoided by explicitly or implicitly using higher precision. Implicit techniques can be designed to rely just on native precision computation, for example by splitting a constant like π into an unevaluated sum such as 1.57079637e+0f - 4.37113883e-8f when using IEEE-754 binary32 (single precision).

Achieving high accuracy with native precision computation is a lot easier when the hardware provides a fused multiply-add (FMA) operation. OP did not specify whether their target platform provides this operation, so I will first show a very simple approach offering moderate accuracy (maximum error < 5 ulps) relying just on multiplies and adds. I am assuming hardware that adheres to the IEEE-754 standard, and assume that float is mapped to IEEE-754 binary32 format.

The following is based on a blog post by Colin Wallace titled "Approximating sin(x) to 5 ULP with Chebyshev polynomials", which is not available online at time of writing. I originally retrieved it here and Google presently retains a cached copy here. They propose to approximate sine on [-π, π] by using a polynomial in x² of sin(x)/(x*(x²-π²)), then multiplying this by x*(x²-π²). A standard trick to compute a²-b² more accurately is to rewrite it as (a-b) * (a+b). Representing π as an unevaluated sum of two floating-point numbers pi_high and pi_low avoids catastrophic cancellation during subtraction, which turns the computation x²-π² into ((x - pi_hi) - pi_lo) * ((x + pi_hi) + pi_lo).

The polynomial core approximation should ideally use a minimax approximation, which minimizes the maximum error. I have done so here. Various standard tools like Maple or Mathematics can be used for this, or one create one's own code based on the Remez algorithm.

For a cosine computation on [0, PI] we can make use of the fact that cos (t) = sin (π/2 - t). Substituting x = (π/2 - t) into x * (x - π/2) * (x + π/2) yields (π/2 - t) * (3π/2 - t) * (-π/2 - t). The constants can be split into high and low parts (or head and tail, to use another common idiom) as before.

There's definitely something wrong in your PDF. Behold one of the page dictionaries:

No, it is not possible, PAdES signatures are always sequential. Each signature is made on the current version of the document

Take a look to the ETSI TS 102 778-1 PDF Advanced Electronic Signature Profiles

4.4 PDF serial signatures

Signatures applied in parallel are currently not supported

Given the lack of logging output, you may have a problem with some logging related dependencies. For example, a dependency on commons-logging:commons-logging can cause problems and should be excluded in favour of org.springframework:spring-jcl. org.slf4j:jcl-over-slf4j should be treated similarly.

You can learn if you have either of these dependencies on the classpath using Gradle's dependencyInsight task:

First off, you say you require support for PADES but you don't mention which PAdES profile you need.

PAdES originally (in 2009/2010) was specified as an ETSI technical specification (ETSI TS 102 778 parts 1-6) with profiles

• PAdES Basic - PAdES-CMS Profile based on ISO 32000-1
• PAdES Enhanced - PAdES-BES and PAdES-EPES Profile
• Long Term - PAdES-LTV Profile
• PAdES for XML Content - Profiles for XAdES signatures of XML documents embedded in PDF Containers

Meanwhile (2016) it has been updates as an European Standard (ETSI EN 319 142 parts 1-2) with profiles

• PAdES baseline signatures at levels B-B, B-T, B-LT, and B-LTA
• Profile for CMS digital signatures in PDF
• Extended PAdES signature profiles at levels PAdES-E-BES, PAdES-E-EPES, and PAdES-E-LTV
• Profiles for XAdES Signatures signing XML content in PDF

(the latter three being re-christianed versions of the old profiles but the baseline profiles being in focus now).

As you found out the iText enumeration CryptoStandard knows two options CMS and CADES.

First of all, CADES is not for generating arbitrary CAdES signatures but for generating specially profiled CAdES signature containers and embedding them in PDFs as is required for non-CMS-profile PAdES signatures.

Concerning your question, therefore

I also require support for PADES. Is it possible to do it in iTextSharp?

Yes, iText 5.5.x does support simple PAdES profiles. In particular you'll use the CryptoStandard values for following profiles:

• CryptoStandard.CMS for the profile for CMS digital signatures in PDF;
• CryptoStandard.CADES for baseline signatures at level B-B and B-T and for extended ones at levels PAdES-E-BES and PAdES-E-EPES.