I'm using itext7-dotnet 8.0.2 and I'm getting an "Unknown PdfException" from the PdfPKCS7 constructor when the Pkcs7 has an unsigned attributes section without a TimeStampToken attribute:

iText.Kernel.Exceptions.PdfException
HResult=0x80131500
Message=Unknown PdfException.
Source=itext.sign
StackTrace:
    at iText.Signatures.SignatureUtil.ReadSignatureData(String signatureFieldName)
    ...

    This exception was originally thrown at this call stack:
        iText.Bouncycastle.Asn1.Cms.AttributeBC.GetAttrValues()
        iText.Signatures.PdfPKCS7.PdfPKCS7(byte[], iText.Kernel.Pdf.PdfName)

As far as I understand, the PAdES specs don't mandate the presence of the TimeStampToken attribute if unsigned attributes exist in the SignerInfo structure.

If, for example, I just include an UnstructuredName with some custom info among the unsigned attributes, the ETSI online validator (registration required) only reports a warning: "An unknown attribute, defined by OID 1.2.840.113549.1.9.2 has been reached. Its contents and their processing are unknown to the AdESCC. No further checks will be done to this component"

Looking at the itext7-dotnet source code, I noticed that when parsing the unsigned attributes section it tries to extract the id-aa-timeStampToken (1.2.840.113549.1.9.16.2.14) and checks that the returned IAttribute instance is not null and has values. However, the IAttributeTable.Get(IDerObjectIdentifier oid) method of the itext7.bouncy-castle-adapter library doesn't check the actual existence of the OID-specified attribute in the table and instead returns a new instance of AttributeBC with a null value argument, causing the following GetAttrValues() in the PdfPKCS7 constructor to fail.

By reading the iText7 Java version of that same code it seems the same issue should be present there as well, though I didn't test it.

0
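
The failure pattern described in the question, as an added example that is not part of the original post and is not iText's code. It uses BouncyCastle's C# ASN.1 types directly; `WrappedAttribute` and `UnsignedAttrLookup` are hypothetical stand-ins for an adapter layer, and the unsigned attribute table is constructed sample data.

```csharp
using System;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Cms;
using Org.BouncyCastle.Asn1.Pkcs;
using CmsAttribute = Org.BouncyCastle.Asn1.Cms.Attribute;

// Hypothetical stand-in for an adapter wrapper type (assumption, not AttributeBC).
sealed class WrappedAttribute
{
    private readonly CmsAttribute inner;
    public WrappedAttribute(CmsAttribute inner) { this.inner = inner; }
    // Throws NullReferenceException when the wrapper was built around null.
    public Asn1Set GetAttrValues() => inner.AttrValues;
}

static class UnsignedAttrLookup
{
    // Pattern from the post: the lookup result is wrapped without checking it,
    // so the caller's "!= null" test on the wrapper always passes.
    public static WrappedAttribute GetUnchecked(AttributeTable table, DerObjectIdentifier oid)
        => new WrappedAttribute(table[oid]);

    // Checked variant: an absent attribute is reported to the caller as null.
    public static WrappedAttribute GetChecked(AttributeTable table, DerObjectIdentifier oid)
    {
        CmsAttribute found = table[oid];
        return found == null ? null : new WrappedAttribute(found);
    }

    static void Main()
    {
        // Constructed sample: unsigned attributes holding only an UnstructuredName.
        var custom = new CmsAttribute(PkcsObjectIdentifiers.Pkcs9AtUnstructuredName,
            new DerSet(new DerUtf8String("custom info")));
        var unsignedAttrs = new AttributeTable(new Asn1EncodableVector(custom));
        DerObjectIdentifier tsOid = PkcsObjectIdentifiers.IdAASignatureTimeStampToken;

        WrappedAttribute ts = GetUnchecked(unsignedAttrs, tsOid);
        try
        {
            if (ts != null && ts.GetAttrValues().Count > 0) Console.WriteLine("timestamp present");
        }
        catch (NullReferenceException) { Console.WriteLine("unchecked: wrapper built around null"); }

        ts = GetChecked(unsignedAttrs, tsOid);
        Console.WriteLine(ts == null ? "checked: no timestamp token, skipping" : "timestamp present");
    }
}
```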
