How to embed a signed hash into a PDF-document

Several PDF specialists or corresponding libraries on the market can embed signed hash values into PDF documents. 

You can find here a selection of PDF library providers that have implemented the Signing Service API:

• Blocksigner, Switzerland (Skribble.com): https://api.skribble.com/swagger-ui.html
• Intarsys, Germany: OnPremise signing software «Sign Live! cloud suite gears»:  https://www.intarsys.de/produkte/fernsignatur
• iText, Belgium: https://itextpdf.com/products/product-tour. Swisscom Trust Services uses iText in its examples. But these examples are not updated because some functionalities have changed. But the basic handling can be seen there.
• Swisscom uses iText in its examples, but the examples are “out of date”, i.e., some functionalities have changed. However, the basic handling is evident there: GitHub Swisscom Trust Services
• PDF-Tools, Switzerland: 3-Heights PDF Suite: http://www.pdf-tools.com/pdf20/de/produkte/pdf-security-signature/pdf-security/
• Setasign, Germany: PHP Library, SetaPDF: https://www.setasign.com/products/setapdf-signer/demos/swisscom-all-in-signing-service/

If you wish to implement the signed hash in your signature application by yourself, you'll have to precalculate the space for the signature. Please visit Swisscom Trust Services Github for more information.

The following steps can help you how to embed a signed hash:

• Create a PDF with a blank and pre-filled signature field
• The byte range should be filled with zeros up to the expected size
• Calculate the hash of the document
• Sign the hash with the Signing Service
• Fill the signed hash into the empty signature field
• Iterate to the empty signature field
• Determine the byte range of the empty signature field
• Calculate the offset of the byte range
• Open the document with the empty signature field in read-write mode and find the offset where the hash was inserted.

In addition, it is essential to follow the guidelines for the PAdES standard and the Long-Term Validation: Swisscom Trust Services GitHub.

So that you know, we do not guarantee the correctness of this procedure since Swisscom focuses not on the setup of a customer signature application.