I am writing a small library intended to be a high-level (as in simple to use) library for digitally signing PDFs generated with the WeasyPrint library (https://github.com/Kozea/WeasyPrint).
I have already got it working for self-signed certificates and now I'm working on an adapter for digital signatures from the GlobalSign DSS API (https://www.globalsign.com/en/resources/apis/api-documentation/digital-signing-service-api-documentation.html).
I've got everything working apart from LTV (Long Term Validation), which requires a DSS dictionary listing OCSP info and any certificates in the chain (to deal with revocation).
When I add the DSS, which has to come after the signature data has been written, I get an error in Adobe Acrobat stating that the signature byterange is invalid.
How do I go about enabling the DSS feature without invalidating the byterange?
I've studied the iText library somewhat intensively but it's so abstracted that it's hard to make out the actual data being written. I've still taken the liberty of tagging iText because it is somewhat of an industry standard in dealing with digital signatures in PDFs.
I figured this out thanks to this beautifully named document: Electronic Signatures and Infrastructures (ESI); PDF Advanced Electronic Signature Profiles; Part 4: PAdES Long Term - PAdES-LTV Profile. The title may be a verbose mess but the document is actually a very concise and helpful read.
A DSS can be added after the original byterange by also adding a timestamp that takes a digest of another byterange that includes the entire file - including the DSS - at the end of the file. You have to enable an extension for this to work, see "Chapter 4.4 Extensions Dictionary". There are more detailed specifics in the linked document.
I think it's worth mentioning that I found out about some syntax errors in my PDF by using the Apache PDFBox utilities. I wish I had found it sooner.
If you're interested, I published the library on GitHub: https://github.com/hejsan/WeasySign. It already works but needs some touching up.
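
The layout described in the answer, as an added example (not code from WeasySign, iText or the original post): the checker lists what each signature's /ByteRange covers and whether the last one, the timestamp, reaches the end of the file so that the appended DSS is inside a digest. The function names are hypothetical, and the sample bytes are a constructed stand-in with placeholder contents, not a valid PDF.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def audit_byte_ranges(pdf: bytes) -> list:
    """For each signature /ByteRange [a b c d], report what it covers."""
    report = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = map(int, m.groups())
        hole = pdf[a + b:c]  # the hex /Contents string excluded from the digest
        report.append({
            "range": (a, b, c, d),
            "well_formed": (a == 0 and 0 < b < c and c + d <= len(pdf)
                            and hole.startswith(b"<") and hole.endswith(b">")),
            "covers_whole_file": c + d == len(pdf),
            "trailing_bytes": len(pdf) - (c + d),  # bytes appended afterwards
        })
    return report

def appended_data_is_covered(pdf: bytes) -> bool:
    """True if all ranges are well formed and the last one reaches end of file."""
    report = audit_byte_ranges(pdf)
    return (bool(report) and all(r["well_formed"] for r in report)
            and report[-1]["covers_whole_file"])

def append_signed_revision(pdf: bytes, label: bytes) -> bytes:
    """Constructed stand-in for an incremental update holding one signature."""
    head = pdf + label + b" << /ByteRange ["
    mid = b"] /Contents "
    contents = b"<" + b"0" * 16 + b">"  # placeholder, not a real CMS blob
    tail = b" >>\n%%EOF\n"
    slot = 40  # fixed-width room so writing the numbers does not shift offsets
    start = len(head) + slot + len(mid)
    nums = b"0 %d %d %d" % (start, start + len(contents), len(tail))
    return head + nums.ljust(slot) + mid + contents + tail

# Constructed sample bytes (not a valid PDF): signature, then DSS, then timestamp.
REV1 = append_signed_revision(b"%PDF-1.7\n", b"5 0 obj")
WITH_DSS = REV1 + b"6 0 obj << /Certs [] /OCSPs [] >>\n%%EOF\n"
FINAL = append_signed_revision(WITH_DSS, b"7 0 obj")

if __name__ == "__main__":
    for name, data in (("signed", REV1), ("+DSS", WITH_DSS), ("+timestamp", FINAL)):
        print(name, appended_data_is_covered(data), audit_byte_ranges(data))
```

In the final file the first signature's range is unchanged and still ends at the end of the first revision; only the timestamp's range spans the DSS.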