Hello,
I’m applying a digital signature to a PDF document but the resulting file is not compliant with government requirements.
The signature itself is valid but it lacks 2 requirements to be legally binding:
- the hash algorithm for the document contents should be at least SHA256; now it is SHA1 (see “DigestMethod” at https://archive.org/details/iso-32000-2-2020-sponsored/ISO_32000-2-2020_sponsored/page/545/mode/2up)
  - SHA256 is required as per the PDF 2.0 spec
  - this post seems to raise the same issue, but it is related to the Java version: PDFJAVA-43333
- the signer info attribute “contentType” (https://datatracker.ietf.org/doc/html/draft-ietf-sidr-res-certs-14#page-37) is either invalid or missing (I’m not sure which is the case)
This is a sample of the C# (.NET 4.x) code used:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Aspose.Pdf;          // TimestampSettings, DigestHashAlgorithm
using Aspose.Pdf.Facades;  // PdfFileSignature
using Aspose.Pdf.Forms;    // ExternalSignature

// Setup assumed around the sample so it compiles (runs inside the signing method):
// file paths and the certificate source are placeholders for the real project's values,
// and tsaUrl / tsaUserName / tsaPassword are configured elsewhere.
X509Certificate2 publicCertX509 = new X509Certificate2("signer-public.cer");
var pdfFileSignature = new PdfFileSignature();
pdfFileSignature.BindPdf("input.pdf");

bool isFirstInvocation = true;
pdfFileSignature.Sign(
    page: 1,
    visible: false,
    annotRect: System.Drawing.Rectangle.Empty,
    sig: new ExternalSignature(publicCertX509)
    {
        CustomSignHash = (digestHash /* <= THIS HASH IS SHA1 */) =>
        {
            if (isFirstInvocation) // The function is called 2 times
            {
                // What is the first hash?
                // - LTV should hash the whole document, not multiple ranges
                // - will this hash always be the first one? Could a new parameter
                //   be added to the function to avoid future problems?
                isFirstInvocation = false;
                return new byte[0]; // the first call is deliberately not signed
            }
            // EXTERNAL_PROVIDER stands for the external signing service that returns
            // a raw SHA256withRSA signature over the digest it is given.
            return EXTERNAL_PROVIDER.RawSignSHA256withRSA(digestHash);
        },
        TimestampSettings = new TimestampSettings(
            tsaUrl,
            $"{tsaUserName}:{tsaPassword}",
            DigestHashAlgorithm.Sha256
        )
    }
);
pdfFileSignature.Save("signed.pdf");
```
Am I doing something wrong?
Thanks in advance.
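A way to check the two points above on the produced file, as an added example that is not code from the post or from Aspose: it reads the first hex-encoded /Contents entry, trims the zero padding the signer reserved, and decodes the CMS blob with System.Security.Cryptography.Pkcs (available on .NET Framework 4.x) to print the signerInfo digest algorithm and whether the contentType signed attribute is present and equal to id-data. The input path is a placeholder, a literal-string /Contents is not handled, and only the structure is inspected, not the signature value.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Text;
using System.Text.RegularExpressions;

static class PdfCmsInspector
{
    const string Sha1Oid = "1.3.14.3.2.26", Sha256Oid = "2.16.840.1.101.3.4.2.1";
    const string ContentTypeOid = "1.2.840.113549.1.9.3";   // id-contentType (RFC 5652 11.1)
    // DER encoding of id-data (1.2.840.113549.1.7.1), the value contentType must carry for a PDF signature.
    static readonly byte[] IdDataDer = { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 };

    // Pulls the first hex /Contents string out of the PDF and trims the reserved zero
    // padding by taking the length of the outer DER SEQUENCE.
    static byte[] ExtractCms(string path)
    {
        string pdf = Encoding.GetEncoding(28591).GetString(File.ReadAllBytes(path)); // Latin-1: 1 byte = 1 char
        Match m = Regex.Match(pdf, @"/Contents\s*<([0-9A-Fa-f\s]+)>");
        if (!m.Success) throw new InvalidDataException("no hex /Contents entry found");
        string hex = Regex.Replace(m.Groups[1].Value, @"\s", "");
        byte[] der = Enumerable.Range(0, hex.Length / 2)
                               .Select(i => Convert.ToByte(hex.Substring(2 * i, 2), 16)).ToArray();
        if (der.Length < 2 || der[0] != 0x30) throw new InvalidDataException("not a DER SEQUENCE");
        int len = der[1], hdr = 2; // short form; long form below (0x8n = n length bytes follow)
        if (len > 0x80) { int n = len & 0x7F; hdr += n; len = 0; for (int i = 0; i < n; i++) len = (len << 8) | der[2 + i]; }
        Array.Resize(ref der, hdr + len);
        return der;
    }

    static void Main(string[] args)
    {
        var cms = new SignedCms();
        cms.Decode(ExtractCms(args.Length > 0 ? args[0] : "signed.pdf")); // "signed.pdf" is a placeholder path
        Console.WriteLine("encapsulated contentType: " + cms.ContentInfo.ContentType.Value);
        foreach (SignerInfo si in cms.SignerInfos)
        {
            string d = si.DigestAlgorithm.Value;
            Console.WriteLine("signerInfo digestAlgorithm: {0} -> {1}", d,
                d == Sha256Oid ? "SHA-256" : d == Sha1Oid ? "SHA-1 (below the SHA-256 minimum)" : "other");
            var ct = si.SignedAttributes.Cast<CryptographicAttributeObject>()
                       .FirstOrDefault(a => a.Oid.Value == ContentTypeOid);
            Console.WriteLine("contentType attribute: " + (ct == null ? "missing"
                : ct.Values[0].RawData.SequenceEqual(IdDataDer) ? "present, id-data" : "present but not id-data"));
        }
    }
}
```

For an incrementally updated file with several signatures, the regex picks only the first /Contents entry; loop over all matches to inspect each one.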