PDF Document API - PAdES - BES (LT and LTA levels) Signatures
As you may already know, our PDF Document API v20.1 offers digital signature support. For background information on our implementation, please review the following blog posts:
- PDF Document API v20.1 - Multiple Signatures and Timestamps
- PDF Document API - Signature Enhancements
Our PDF Document API (v20.2) fully supports PAdES signatures at B-LT and B-LTA levels. The PAdES B-LT level (PAdES-T with added Long Term Validation information) indicates that a document signature can be validated even if the signing environment (e.g., the signing Certification Authority) is no longer available. This level is recommended for Advanced Electronic Signatures.
The PAdES B-LTA level (PAdES-LT with an added authoritative document timestamp signature) may help validate a signature beyond any event that may limit its validity. This level is recommended for Qualified Electronic Signatures.
Both levels require that you add verification-related information (VRI) (for the B-LTA level, a timestamp's VRI) to a Document Security Store (DSS), an optional dictionary in a document. The VRI includes Online Certificate Status Protocol (OCSP) responses, Certificate Revocation Lists (CRLs), and a chain of trust certificates (including the root certificate).
Call the PdfDocumentSigner.AddToDss method and pass a signed signature field as the method parameter to add signature information to the DSS. To provide certificates used to build a chain, you can specify a list of certificates, use a CertificateStoreProvider class, or create your own ICertificateStoreProvider interface implementation.
The code sample below retrieves the name of the first signature field, adds signature information to the DSS, and applies a timestamp to a document:
    using System;
    using System.Security.Cryptography.X509Certificates;
    using DevExpress.Office.DigitalSignatures;
    using DevExpress.Office.Tsp;
    using DevExpress.Pdf;

    using (var signer = new PdfDocumentSigner(@"signed.pdf"))
    {
        // Timestamp authority client used for the document timestamp
        ITsaClient tsaClient = new TsaClient(new Uri(@"https://freetsa.org/tsr"), HashAlgorithmType.SHA256);

        // Name of the first signature field in the document
        string signatureName = signer.GetSignatureFieldNames(false)[0];

        // Create a provider that retrieves certificates from a store
        using (var certificateStoreProvider = new CertificateStoreProvider(new X509Store(StoreLocation.CurrentUser), true))
        {
            // Add the signature to the security store and specify the CrlClient
            // and OcspClient objects used to check certificate revocation status
            signer.AddToDss(signatureName, new CrlClient(), new OcspClient(), certificateStoreProvider);
        }

        // Save the document and apply a document timestamp
        signer.SaveDocument(@"signedLTV.pdf", new PdfSignatureBuilder(new PdfTimeStamp(tsaClient)));
    }
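To confirm that a saved file actually carries the DSS data described above, the following added example (not DevExpress code and not part of the original post) scans a PDF's raw bytes for the DSS dictionary, its `/Certs`, `/OCSPs` and `/CRLs` arrays, and a document timestamp. It assumes objects are stored uncompressed (not inside object streams) and uses a constructed sample; the result is a structural hint and does not validate any signature or revocation response.

```python
import re

REF = rb"(\d+)\s+(\d+)\s+R"  # indirect reference such as "12 0 R"

# Constructed sample: object syntax only, not a complete, renderable PDF.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /DSS 12 0 R >> endobj\n"
    b"9 0 obj << /Type /Sig /SubFilter /ETSI.CAdES.detached >> endobj\n"
    b"12 0 obj << /Certs [13 0 R 14 0 R] /OCSPs [15 0 R] /VRI 16 0 R >> endobj\n"
    b"17 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161 >> endobj\n"
)

def _last(pattern: bytes, data: bytes):
    """Last match wins: incremental updates append newer revisions at the end."""
    matches = list(re.finditer(pattern, data, re.S))
    return matches[-1] if matches else None

def _count_refs(body: bytes, key: bytes) -> int:
    """Number of indirect references in the array stored under /key."""
    m = re.search(rb"/" + key + rb"\s*\[(.*?)\]", body, re.S)
    return len(re.findall(REF, m.group(1))) if m else 0

def inspect_ltv(pdf: bytes) -> dict:
    """Report which long-term validation structures a signed PDF carries."""
    report = {"dss": False, "Certs": 0, "OCSPs": 0, "CRLs": 0, "vri": False}
    ref = _last(rb"/DSS\s+" + REF, pdf)
    if ref:
        num, gen = ref.group(1), ref.group(2)
        obj = _last(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj(.*?)endobj", pdf)
        body = obj.group(1) if obj else b""
        report["dss"] = bool(body)
        report["vri"] = b"/VRI" in body
        for key in ("Certs", "OCSPs", "CRLs"):
            report[key] = _count_refs(body, key.encode())
    # A document timestamp is a signature with SubFilter /ETSI.RFC3161.
    report["doc_timestamp"] = bool(re.search(rb"/SubFilter\s*/ETSI\.RFC3161", pdf))
    revocation = report["OCSPs"] + report["CRLs"]
    if report["dss"] and report["Certs"] and revocation:
        report["level_hint"] = "B-LTA" if report["doc_timestamp"] else "B-LT"
    else:
        report["level_hint"] = "no LTV data"
    return report

if __name__ == "__main__":
    print(inspect_ltv(SAMPLE))
```

A "no LTV data" result on a file produced by the sample above usually means the revocation clients could not reach the CA's OCSP or CRL endpoints, or the chain could not be built from the certificate store.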