iText7 PDF with multiple signatures

Question

I'm migrating code from iText5 to iText7 and currently i'm struggling with appending one signature to a PDF already containing another signature. Those signatures are made with our National ID Card (Citizen Card).

In iText5 i used PdfStamper but it's missing from iText7...

This is what i have so far:

package cartaocidadao;
    
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import javax.swing.JOptionPane;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.poreid.config.POReIDConfig;
import org.poreid.crypto.POReIDProvider;
import com.itextpdf.signatures.OcspClientBouncyCastle;
import com.itextpdf.signatures.TSAClientBouncyCastle;
import java.io.IOException;
import java.util.Collection;
    
import com.itextpdf.kernel.geom.Rectangle;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.signatures.BouncyCastleDigest;
import com.itextpdf.signatures.ICrlClient;
import com.itextpdf.signatures.DigestAlgorithms;
import com.itextpdf.signatures.IExternalDigest;
import com.itextpdf.signatures.IExternalSignature;
import com.itextpdf.signatures.IOcspClient;
import com.itextpdf.signatures.PdfSignatureAppearance;
import com.itextpdf.signatures.PdfSigner;
import com.itextpdf.signatures.PrivateKeySignature;
import com.itextpdf.signatures.ITSAClient;
import com.itextpdf.signatures.OCSPVerifier;
import java.security.GeneralSecurityException;
import static javax.swing.JOptionPane.ERROR_MESSAGE;

/**
 *
 * @author i.lourenco
 */
public class Signature {
        
    /**
     *  Signs the PDF with the Citizen Card Certificate
     * @param src Source file
     * @param dest Destination file
     * @return TRUE if the PDF was signed successfully
     */
    protected static boolean signPDF(String src, String dest) {   
        try {      
            Security.addProvider(new POReIDProvider()); 
            BouncyCastleProvider provider = new BouncyCastleProvider();
            Security.addProvider(provider);
            KeyStore ks = KeyStore.getInstance(POReIDConfig.POREID);
            ks.load(null);
                
            PrivateKey pk = (PrivateKey) ks.getKey(POReIDConfig.ASSINATURA, null);
                
            Certificate[] chain = ks.getCertificateChain(POReIDConfig.ASSINATURA);
                
            OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
                
            IOcspClient ocspClient = new OcspClientBouncyCastle(ocspVerifier);
                
            ITSAClient tsaClient = new TSAClientBouncyCastle("http://ts.cartaodecidadao.pt/tsa/server", "", "");
                
            sign(src, dest, chain, pk, DigestAlgorithms.SHA256, POReIDConfig.POREID, PdfSigner.CryptoStandard.CMS, "", "", null, ocspClient, tsaClient, 0);
            } catch (Exception e) {
           JOptionPane.showMessageDialog(null, e.getMessage(), "Erro", ERROR_MESSAGE);
        }
            
       return true;
   }
        
    /**
     * Applies the certificate, timestamp and revocation list to a PDF
     * @param src Original PDF document
     * @param dest Signed PDF document
     * @param chain List of certificates
     * @param pk Private key
     * @param digestAlgorithm Encryption algorithm
     * @param provider Citizen Card provider
     * @param subfilter CMS
     * @param reason Reason for signature
     * @param location Location
     * @param crlList Revocation list
     * @param ocspClient Online Certification Status
     * @param tsaClient Timestamp server
     * @param estimatedSize
     * @throws IOException
     * @throws GeneralSecurityException 
     */
    private static void sign(String src, String dest, Certificate[] chain, PrivateKey pk, String digestAlgorithm, 
            String provider, PdfSigner.CryptoStandard subfilter, String reason, String location, Collection<ICrlClient> crlList, 
            IOcspClient ocspClient, ITSAClient tsaClient, int estimatedSize) throws IOException, GeneralSecurityException {
            
        PdfReader reader = new PdfReader(src);
            
        PdfSigner signer = new PdfSigner(reader, new FileOutputStream(dest), false);
            
        PdfSignatureAppearance appearance = signer.getSignatureAppearance()
                .setReason(reason)
                .setLocation(location)
                .setReuseAppearance(false);
        Rectangle rect = new Rectangle(36, 648, 200, 100);
        appearance.setPageRect(rect).setPageNumber(1);
            
        signer.getNewSigFieldName();
            
        IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, provider);
        IExternalDigest digest = new BouncyCastleDigest();
            
        signer.signDetached(digest, pks, chain, crlList, ocspClient, tsaClient, estimatedSize, subfilter);
    }
    
        
}

POReID (https://github.com/poreid/poreid) is the library used to interact with the smart card.

When signing the document for the first time, it works fine. When signing the document again, it invalidates the first signature and only the last one is valid.

PDF:

Two Signatures

Answer 1

Your signature code is not opening the PDF in append mode, and hence will change the contents when signing the second time, breaking the first signature.

To sign in append mode, simply change the following line

PdfSigner signer = new PdfSigner(reader, new FileOutputStream(dest), false);

to

PdfSigner signer = new PdfSigner(reader, new FileOutputStream(dest), true);

The third argument in the constructor determines whether the signer is used in append mode.