external signature results in corrupted pdf after signing

I am trying to sign a pdf document from a 3rd party signature provider. I send them the document hash, after creating the empty signature and they send a timestamp token (we agreed it would be a timestamp signature) and I add the signature back into the pdf. the api call to get the timestmp and crl and ocsp goes well, but once I generate the pdf with the signature, adobe says the signature is not valid and the error is:

Error during signature verification.

Signature contains incorrect, unrecognized, corrupted or suspicious data. Support Information: SigDict /Contents illegal data

this is the current code:

    public ByteArrayOutputStream sign(byte[] src, Rectangle rect, int signPage) throws Exception {"I am in the signing method");
    ByteArrayOutputStream dest = new ByteArrayOutputStream();
    PdfDocumentHandler handler = new PdfDocumentHandler(new ByteArrayInputStream(src), dest);
    handler.prepareForSigning(rect, signPage);
    TrustedTimestampService service = new TrustedTimestampService();
    SignResponseWrapper response = new SignResponseWrapper();
    response = service.signHash(handler.getEncodedDocumentHash());
    String timestampToken = response.getSignResponse().getSignatureObject().getOther().getScSignatureObjects().getScExtendedSignatureObject().getTimestamp().getRFC3161TimeStampToken();
    List<String> encodedCrlEntries = new ArrayList<String>();
    List<String> encodedOcspEntries = new ArrayList<String>();
    byte[] signed = handler.createSignedPdf(Base64.getDecoder().decode(timestampToken), 15000, encodedCrlEntries, encodedOcspEntries);
    return dest;

I will avoid adding the service, it simply sends the hash and gets the tokens

public PdfDocumentHandler(InputStream inputStream, ByteArrayOutputStream outputStream) { this.inputStream = inputStream; this.outputStream = outputStream;


public void prepareForSigning(Rectangle rect, int signPage)
    throws IOException, GeneralSecurityException {

    inMemoryStream = new ByteArrayOutputStream();

    boolean hasSignature = hasDocumentSignature();
    pdfReader = new PdfReader(new ByteArrayInputStream(inMemoryStream.toByteArray()), new ReaderProperties());
    pdfWriter = new PdfWriter(inMemoryStream, new WriterProperties().addXmpMetadata().setPdfVersion(PdfVersion.PDF_1_0));
    StampingProperties stampingProperties = new StampingProperties();
    pdfSigner = new PdfDocumentSigner(pdfReader, inMemoryStream, hasSignature ? stampingProperties.useAppendMode() : stampingProperties);


    try {
        imgStorage = new ImageStorage();
        ImageData imgData = ImageDataFactory.create(Base64.getDecoder().decode(imgStorage.getimgData().getBytes()));
    } catch(Exception e){
    Map<PdfName, PdfObject> signatureDictionary = new HashMap<>();
    signatureDictionary.put(PdfName.Filter, PdfName.Adobe_PPKLite);
    signatureDictionary.put(PdfName.SubFilter, PdfName.ETSI_RFC3161);

    Calendar signDate = Calendar.getInstance();

    PdfHashSignatureContainer hashSignatureContainer = new PdfHashSignatureContainer("SHA-512", new PdfDictionary(signatureDictionary));
    documentHash = pdfSigner.computeHash(hashSignatureContainer, 15_000);"prepared document - outputstream: " + Base64.getEncoder().encodeToString(outputStream.toByteArray()));"prepared document - inmemorystream: " + Base64.getEncoder().encodeToString(inMemoryStream.toByteArray()));

public byte[] createSignedPdf(byte[] externalSignature, int estimatedSize, List<String> encodedCrlEntries,
                            List<String> encodedOcspEntries) {
    if (pdfSigner.getCertificationLevel() == PdfSigner.CERTIFIED_NO_CHANGES_ALLOWED) {
        throw new RuntimeException(String.format("Could not apply signature because source file contains a certification that does not allow "
                                                   + "any changes to the document with id %s"));
    if (estimatedSize < externalSignature.length) {
        throw new RuntimeException(String.format("Not enough space for signature in the document. The estimated size needs to be " +
                                                   " %d bytes.", externalSignature.length));

    try {
        pdfSigner.signWithAuthorizedSignature(new PdfSignatureContainer(externalSignature), estimatedSize);

        if (null != encodedCrlEntries || null!=encodedOcspEntries) {
            extendDocumentWithCrlOcspMetadata(encodedCrlEntries, encodedOcspEntries);
        } else {
  "No CRL and OCSP entries were received to be embedded into the PDF");
        closeResource(outputStream);"complete document - outputstream: " + Base64.getEncoder().encodeToString(outputStream.toByteArray()));"complete document - inmemorystream: " + Base64.getEncoder().encodeToString(inMemoryStream.toByteArray()));
    } catch (IOException | GeneralSecurityException e) {
        throw new RuntimeException(String.format("Failed to embed the signature in the document"), e);
    return outputStream.toByteArray();

private void extendDocumentWithCrlOcspMetadata(List<String> encodedCrlEntries, List<String> encodedOcspEntries) {
    if (pdfSigner.getCertificationLevel() == PdfSigner.CERTIFIED_NO_CHANGES_ALLOWED) {
        throw new RuntimeException(String.format("Could not apply revocation information (LTV) to the DSS Dictionary. Document contains a " +
                                                   "certification that does not allow any changes"));
    }"document without crl and ocsp - outputstream: " + Base64.getEncoder().encodeToString(outputStream.toByteArray()));"document without crl and ocsp - inmemorystream: " + Base64.getEncoder().encodeToString(inMemoryStream.toByteArray()));
    List<byte[]> crl = mapEncodedEntries(encodedCrlEntries, this::mapEncodedCrl);
    List<byte[]> ocsp = mapEncodedEntries(encodedOcspEntries, this::mapEncodedOcsp);

    try (InputStream documentStream = new ByteArrayInputStream(inMemoryStream.toByteArray());
         PdfReader reader = new PdfReader(documentStream);
         PdfWriter writer = new PdfWriter(outputStream);
         PdfDocument pdfDocument = new PdfDocument(reader, writer, new StampingProperties().preserveEncryption().useAppendMode())) {
        LtvVerification validation = new LtvVerification(pdfDocument);
        List<String> signatureNames = new SignatureUtil(pdfDocument).getSignatureNames();
        String signatureName = signatureNames.get(signatureNames.size() - 1);
        boolean isSignatureVerificationAdded = validation.addVerification(signatureName, ocsp, crl, null);

    } catch (Exception e) {
        throw new RuntimeException(String.format("Failed to embed the signature(s) in the document(s) and close the streams"));

public String getId() {
    return id;

public String getEncodedDocumentHash() {
    return Base64.getEncoder().encodeToString(documentHash);

private void logSignatureVerificationInfo(boolean isSignatureVerificationAdded) {
    if (isSignatureVerificationAdded) {"Merged LTV validation information to the output stream");
    } else {
        log.warn("Failed to merge LTV validation information to the output stream");

private List<byte[]> mapEncodedEntries(List<String> encodedEntries, Function<String, byte[]> mapperFunction) {
    return Objects.nonNull(encodedEntries)
           : Collections.emptyList();

private byte[] mapEncodedCrl(String encodedCrl) {
    try (InputStream inputStream = new ByteArrayInputStream(Base64.getDecoder().decode(encodedCrl))) {
        X509CRL x509crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(inputStream);
        return x509crl.getEncoded();
    } catch (IOException | CertificateException | CRLException e) {
        throw new RuntimeException(String.format("Failed to map the received encoded CRL entry"), e);

private byte[] mapEncodedOcsp(String encodedOcsp) {
    try (InputStream inputStream = new ByteArrayInputStream(Base64.getDecoder().decode(encodedOcsp))) {
        OCSPResp ocspResp = new OCSPResp(inputStream);
        BasicOCSPResp basicResp = (BasicOCSPResp) ocspResp.getResponseObject();
        logOcspInfo(ocspResp, basicResp);
        return basicResp.getEncoded();
    } catch (IOException | OCSPException e) {
        throw new RuntimeException(String.format("Failed to map the received encoded OCSP entry"), e);

private void logCrlInfo(X509CRL x509crl) {
    int revokedCertificatesNo = Objects.isNull(x509crl.getRevokedCertificates()) ? 0 : x509crl.getRevokedCertificates().size();

    String message = "Embedding CRL response... ["
                     + "IssuerDN: " + x509crl.getIssuerX500Principal() + " "
                     + "This update: " + x509crl.getThisUpdate() + " "
                     + "Next update: " + x509crl.getNextUpdate() + " "
                     + "No. of revoked certificates: " + revokedCertificatesNo
                     + "]";;

private void logOcspInfo(OCSPResp ocspResp, BasicOCSPResp basicResp) {
    SingleResp response = basicResp.getResponses()[0];
    BigInteger serialNumber = response.getCertID().getSerialNumber();
    X509CertificateHolder firstCertificate = basicResp.getCerts()[0];

    String message = "Embedding OCSP response... ["
                     + "Status: " + (ocspResp.getStatus() == 0 ? "OK" : "NOK") + " "
                     + "Produced at: " + basicResp.getProducedAt() + " "
                     + "This update: " + response.getThisUpdate() + " "
                     + "Next update: " + response.getNextUpdate() + " "
                     + "X509 cert issuer: " + firstCertificate.getIssuer() + " "
                     + "X509 cert subject: " + firstCertificate.getSubject() + " "
                     + "Certificate ID: " + serialNumber.toString() + "(" + serialNumber.toString(16).toUpperCase() + ")"
                     + "]";;

private boolean hasDocumentSignature() throws IOException {
    try (ByteArrayInputStream is = new ByteArrayInputStream(inMemoryStream.toByteArray());
         PdfReader reader = new PdfReader(is, new ReaderProperties());
         PdfDocument pdfDocument = new PdfDocument(reader)) {
        SignatureUtil signatureUtil = new SignatureUtil(pdfDocument);
        return signatureUtil.getSignatureNames().size() > 0;

public class PdfDocumentSigner extends PdfSigner {

public PdfDocumentSigner(PdfReader reader, OutputStream outputStream, boolean properties) throws IOException {
    super(reader, outputStream, properties);

public byte[] computeHash(IExternalSignatureContainer externalHashContainer, int estimatedSize) throws GeneralSecurityException, IOException {
    if (closed) {
        throw new PdfException(PdfException.ThisInstanceOfPdfSignerAlreadyClosed);

    PdfSignature signatureDictionary = new PdfSignature();
    PdfSignatureAppearance appearance = getSignatureAppearance();
    signatureDictionary.setDate(new PdfDate(getSignDate()));
    cryptoDictionary = signatureDictionary;

    Map<PdfName, Integer> exc = new HashMap<>();
    exc.put(PdfName.Contents, estimatedSize * 2 + 2);

    InputStream dataRangeStream = getRangeStream();
    return externalHashContainer.sign(dataRangeStream);

public void signWithAuthorizedSignature(IExternalSignatureContainer externalSignatureContainer, int estimatedSize)
    throws GeneralSecurityException, IOException {
    InputStream dataRangeStream = getRangeStream();
    byte[] authorizedSignature = externalSignatureContainer.sign(dataRangeStream);

    if (estimatedSize < authorizedSignature.length) {
        throw new IOException(String.format("Not enough space. The estimated signature size [%d bytes] is less than the received authorized "
                                            + "signature [%d bytes] which needs to be embedded into the document.", estimatedSize,

    byte[] paddedSignature = new byte[estimatedSize];
    System.arraycopy(authorizedSignature, 0, paddedSignature, 0, authorizedSignature.length);

    PdfDictionary dic2 = new PdfDictionary();
    dic2.put(PdfName.Contents, new PdfString(paddedSignature).setHexWriting(true));

    closed = true;

I have been looking and it does seem like I am not missing anything, can anyone please help me figure this out? here vis the final pdf sample

  • pdfWriter = new PdfWriter(inMemoryStream, new WriterProperties().addXmpMetadata().setPdfVersion(PdfVersion.PDF_1_0));

    that was the issue, after changing it to

    pdfWriter = new PdfWriter(inMemoryStream, new WriterProperties().addXmpMetadata().setPdfVersion(PdfVersion.PDF_1_3));

    it worked perfectly