The PdfFileSignature.save() is not thread-safe

WaseemMuthu · March 28, 2025, 12:30am

Hi team,

We have encountered the issue when signing Digital Signature in Java by using PdfFileSignature.save() although we created the object for each thread.
Below is the code and thread-dump:

public byte[] signPdf(byte[] pdfBytes) {
        LOG.info("[ASPOSE] Signing pdf");
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        Document doc = null;
        PdfFileSignature signature = null;
        try {
            PKCS7 pkcs7 = getPkcs7();
            Rectangle rect = new Rectangle(10, 0, 100, 30);
            doc = new Document(pdfBytes);
            if (doc.isEncrypted()) {
                doc.decrypt();
            }
            signature = new PdfFileSignature(doc);
            signature.sign(1, true, rect, pkcs7);
            signature.save(outputStream);

            return outputStream.toByteArray();
        } catch (Exception e) {
            LOG.error("Failed to sign PDF", e);
            throw new RuntimeException("PDF signing failed", e);
        } finally {
            IOUtils.closeQuietly(doc);
            IOUtils.closeQuietly(signature);
        }
    }

    private PKCS7 getPkcs7() {
        PKCS7 pkcs7 = new PKCS7(new ByteArrayInputStream(pfxFileContent), pdfFilePassword);
        pkcs7.setCustomAppearance(signatureAppearance);
        pkcs7.setShowProperties(true);
        pkcs7.setUseLtv(true);
        return pkcs7;
    }

thread-dump.zip (5.0 KB)

sergei.shibanov · March 28, 2025, 12:33pm

@WaseemMuthu
We are looking into it and will be sharing our feedback with you shortly.

asad.ali · March 28, 2025, 6:41pm

@WaseemMuthu

Can you please share the code snippet where you are calling these methods in Threads? Are you making sure that one file is accessed by one thread only at a time e.g. source PDF and PFX files?

WaseemMuthu · March 29, 2025, 6:46am

We call the method from @PostMapping method, and we can make sure that the Source PDF is accessed by one thread only, while for the PFX object is created as new one for each call to the signPdf() method

asad.ali · March 29, 2025, 6:46pm

@WaseemMuthu

If possible, could you please share a console application that has similar routine of job that your web application carries out using multi-threading? We will use it to replicate the scenario in our environment and address it accordingly. Instead of complete console application, you can share single Java File as well in .zip format.