Am 13.10.2016 um 23:25 schrieb

On 2016-09-09 12:56 (-0300), Tilman Hausherr <> wrote:
If you're using PDFBox for signing, please have a look at PDFBOX-3065.
Please give any feedback ASAP.
Oh it's already closed, so I'm probably late here. But I'd like to present my 
usecase and see if my reasoning is ok.

I want to decouple (in time) generating the hash from actually writing the 
signature. So, something like the following API:

     /* Give me the content that needs to be signed */
     InputStream getContentToSign(PDocument doc)

     /* Create a signature with the following cmsSignature */
     void attachSignature(PDocument doc, byte[] cms)

I can use ExternalSigningSupport and saveIncrementalForExternalSigning to 
implement the first method. However, save... requires an OutputStream which I 
don't care about because I *still* don't want to save the document, just 
generate the hash. The hash will be signed by somebody else and eventually 
attachSignature will be called to update the document for real (after checking 
the hash is still the same).

What I'm planning to do is use a memory backed OutputStream and then just 
discard it.
Does it make sense? Is there something that the pdfbox API can do to avoid the 

See the javadoc of saveIncrementalForExternalSigning. I believe it would work for you - after getting the content with

  InputStream dataToBeSigned = externalSigningSupport.getContent();

you can have it signed, hashed, whatever. Then you'll call


and this will append the incremental part to your signature stream.

I think that the javadoc needs some slight clarification - setSignature() is not a setter, and it doesn't just write the signature, it writes the incremental part including the signature /Contents.

However you do need an output stream at the moment you're calling saveIncrementalForExternalSigning(). If you don't have it at that time then yes, you'll have to write to memory.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to