gsp

Reputation: 13

Inserting Multiple digital signatures into PDF using iTextSharp

I am using iTextSharp & pkcs11RsaSignature to insert a digital signature on every page of a PDF document. Following is my code:

        PdfReader pdfSource = new PdfReader(...);
        NumberOfPages = pdfSource.NumberOfPages;
        pdfSource.Close();
        CurrentPage = 1;

        while (CurrentPage <= NumberOfPages)
        {
            Temp3PDF = Temp1PDF;
            Temp1PDF = Temp2PDF;
            Temp2PDF = Temp3PDF;

            PdfReader pdfSrc = new PdfReader(Temp1PDF);
            FileStream pdfDes = new FileStream(Temp2PDF, FileMode.Create);
            PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfSrc, pdfDes, '\0', Path.GetTempFileName(), true);
            PdfSignatureAppearance pdfSignAppearance = pdfStamper.SignatureAppearance;
            pdfSignAppearance.Acro6Layers = false;
            pdfSignAppearance.SetVisibleSignature(new iTextSharp.text.Rectangle(100, 100, 250, 150), CurrentPage, null);
            MakeSignature.SignDetached(pdfSignAppearance, pkcs11RsaSignature, certPath, null, null, null, 0, CryptoStandard.CADES);
            pdfStamper.Close();
            pdfDes.Close();
            pdfSrc.Close();
            CurrentPage++;
        }

As can be seen, this is NOT a very elegant way of programming, as the file is read and written as many times as the number of pages. Is there any other way of inserting a digital signature on every page of a PDF document?

What is actually wanted to do here is that - in case the PDF document is split into pages (in future), since the contents haven't changed, so technically digital signature should be valid for the pages it is signed. But I realize the signature will get invalidated. (Rephrasing the question - Is there any way of digitally signing only one page of pdf and not entire document?)

To Bruno Lowagie (you are the expert): Except that it is not provided in the PDF specification, it is possible to partially sign a PDF file by signing the hash computed only on selected components. Do you think it is possible to upgrade the PDF specifications to accommodate such a requirement? Thank you for your help.

Upvotes: 1

Views: 3500

Answers (1)

mkl

Reputation: 95918

> What is actually wanted to do here is that - in case the PDF document is split into pages (in future), since the contents haven't changed, so technically digital signature should be valid for the pages it is signed.

This train of thought is based on a misconception. Yes, you have the visualization of the signature on one specific page, but cryptographically the signature signs the whole PDF with the sole exception of the embedded CMS signature container itself.

But you found out about this yourself. Thus, let's consider your rephrased question:

> But I realize the signature will get invalidated. (Rephrasing the question - Is there any way of digitally signing only one page of pdf and not entire document?)

In the past there were two ways which might have allowed signing single pages:

  • using an object digest focusing on the page in question;
  • using a byte range digest only consisting of byte ranges covering objects related to the page in question.

Nowadays, though, these techniques are not usable options anymore because

  • object digests were deprecated a long time ago; the ISO PDF specification does not even mention them anymore;
  • even though ISO 32000-1 still allows byte range digests to cover such a collection of fragments of the PDF, PDF processors (in particular Adobe Reader) require the byte ranges to cover the whole PDF file with the sole exception of the embedded signature container; newer specifications (e.g. the ETSI PAdES specifications and the ISO 32000-2 drafts) also require this.

Thus, no, there is no way of digitally signing only one page of pdf and not entire document, at least not in an interoperable manner.


An option for achieving something similar to page-wise signatures in a multi-page PDF would be to

  • split the PDF into multiple PDFs, each containing a single page only;
  • sign each of these single-page PDFs; and
  • put all these single-page PDFs into a PDF portable collection (aka portfolio) and arrange it to display the individual contained PDFs one after the other in the correct order.

Upvotes: 2
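
The answer's point that a signature covers the whole file except the embedded signature container can be checked directly from each signature's `/ByteRange`. The following Python check is an added example, not part of the original answer or of iTextSharp; it assumes signature dictionaries are stored uncompressed so a regular-expression scan finds them, and it runs on a constructed two-revision sample that mimics signing twice in append mode.

```python
import re

# /ByteRange [o1 l1 o2 l2]: two signed spans; the gap between them holds /Contents.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f\s]*>")


def signature_coverage(pdf: bytes) -> list:
    """Describe what each /ByteRange in the file actually signs, in file order."""
    report = []
    for match in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in match.groups())
        signed_end = o2 + l2
        report.append({
            "signed_end": signed_end,
            # The only unsigned bytes may be the hex string with the CMS container.
            "gap_is_contents_only": o1 == 0 and o1 + l1 <= o2
            and HEX_STRING.fullmatch(pdf[o1 + l1:o2]) is not None,
            # False for earlier signatures of an incrementally updated file:
            # they cover the file as it was when they were applied.
            "covers_whole_file": o1 == 0 and signed_end == len(pdf),
            "bytes_added_after_signing": len(pdf) - signed_end,
        })
    return report


def append_fake_signature(prefix: bytes) -> bytes:
    """Constructed sample: append a signature dictionary as a new revision."""
    contents = b"<" + b"00" * 16 + b">"  # stand-in for the CMS container
    template = b"\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    tail = b" >>\n%%EOF\n"
    gap_start = len(prefix) + len(template % (0, 0, 0, 0))
    gap_end = gap_start + len(contents)
    total = gap_end + len(tail)
    head = template % (0, gap_start, gap_end, total - gap_end)
    return prefix + head + contents + tail


def demo() -> list:
    # Two signatures applied one after the other in append mode.
    rev1 = append_fake_signature(b"%PDF-1.7\n% constructed body, pages 1-2\n")
    rev2 = append_fake_signature(rev1)
    return signature_coverage(rev2)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

A byte range that does not start at offset 0, or whose gap contains anything other than the `/Contents` hex string, is the "page-only" shape the answer describes as not interoperable.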
