为什么我不能在iText7中的PKCS7.detached之前使用SHA1？

Question

如图所示，现在我可以实现1，这是我签名的成功代码，我用

pdfSigner.signExternalContainer(iExternalSignatureContainer, estimatedSize);

不是

 pdfSigner.signDetached();

public class PdfSignatureContainerExt implements IExternalSignatureContainer {

private MySignUtil mySignUtil;
public PdfSignatureContainerExt(MySignUtil mySignUtil){
    this.mySignUtil= mySignUtil;
}

/**
 * 
 * @param data , the data to sign
 * @return a container with the signature and other objects, like CRL and OCSP. The container will generally be a PKCS7 one.
 * @throws GeneralSecurityException
 */
@Override
public byte[] sign(InputStream data) throws GeneralSecurityException {

    byte[] dataBytes = streamToBytes(data);
    return  mySignUtil.signP7DetachData(dataBytes);

}

@Override
public void modifySigningDictionary(PdfDictionary signDic) {
    signDic.put(PdfName.Filter, PdfName.Adobe_PPKLite);
    signDic.put(PdfName.SubFilter, PdfName.Adbe_pkcs7_detached);
}}

为了实现2，我改变了输出结果无效的代码：

public class PdfSignatureContainerExt implements IExternalSignatureContainer {

private MySignUtil mySignUtil;
public PdfSignatureContainerExt(MySignUtil mySignUtil){
    this.mySignUtil= mySignUtil;
}


@Override
public byte[] sign(InputStream data) throws GeneralSecurityException {

        byte[] dataBytes = streamToBytes(data);
        //change here
        BouncyCastleProvider provider = new BouncyCastleProvider();
        Security.addProvider(provider);

        MessageDigest messageDigest = MessageDigest.getInstance("SHA1" , "BC");
        byte[] hash = messageDigest.digest(dataBytes);

        return  mySignUtil.signP7DetachData(hash);      
}

@Override
public void modifySigningDictionary(PdfDictionary signDic) {
    signDic.put(PdfName.Filter, PdfName.Adobe_PPKLite);
    //change here
    signDic.put(PdfName.SubFilter, PdfName.Adbe_pkcs7_sha1);
}}

并且输出符号结果失败，这是我失败的pdf。

invalid.pdf