PDF Document API - PAdES - BES (LT and LTA levels) Signatures

Office-Inspired Products
07 January 2021

As you may already know, our PDF Document API v20.1 offers digital signature support. For background information on our implementation, please review the following blog posts:

Our PDF Document API (v20.2) fully supports PAdES signatures at the B-LT and B-LTA levels. The PAdES B-LT level (PAdES-T with added Long Term Validation information) indicates that a document signature can be validated even if the signing environment (e.g., the signing Certification Authority) is no longer available. This level is recommended for Advanced Electronic Signatures.

The PAdES B-LTA level (PAdES-LT with an added authoritative document timestamp signature) may help validate a signature beyond any event that may limit its validity. This level is recommended for Qualified Electronic Signatures.

Both levels require that you add verification-related information (VRI) to a Document Security Store (DSS), an optional dictionary in a document; for the B-LTA level, this includes the timestamp's VRI. The VRI includes Online Certificate Status Protocol (OCSP) responses, Certificate Revocation Lists (CRLs), and a chain of trust certificates (including the root certificate).

Call the PdfDocumentSigner.AddToDss method and pass a signed signature field as the method parameter to add signature information to the DSS. To provide certificates used to build a chain, you can specify a list of certificates, use a CertificateStoreProvider class, or create your own ICertificateStoreProvider interface implementation.

The code sample below retrieves the name of the first signature field, adds signature information to the DSS, and applies a timestamp to a document:

using System;
using System.Security.Cryptography.X509Certificates;
using DevExpress.Office.DigitalSignatures;
using DevExpress.Office.Tsp;
using DevExpress.Pdf;

using (var signer = new PdfDocumentSigner(@"signed.pdf"))
{
  ITsaClient tsaClient = new TsaClient(new Uri(@"https://freetsa.org/tsr"), HashAlgorithmType.SHA256);
  string signatureName = signer.GetSignatureFieldNames(false)[0];

  //Create a provider that retrieves certificates from a store:
  using (var certificateStoreProvider = new CertificateStoreProvider(new X509Store(StoreLocation.CurrentUser), true))
  {
    //Add the signature to the security store (DSS)
    //and specify the CrlClient and OcspClient objects
    //used to check the revocation status of the certificates
    signer.AddToDss(signatureName, new CrlClient(), new OcspClient(), certificateStoreProvider);
  }

  //Save the document with a document-level timestamp
  signer.SaveDocument(@"signedLTV.pdf", new PdfSignatureBuilder(new PdfTimeStamp(tsaClient)));
}
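
A quick post-signing check for a file such as the one saved above, as an added example (not DevExpress code): this Python script looks for the DSS entries and the document timestamp marker that the B-LT and B-LTA levels rely on. It is a heuristic presence check on PDF name tokens and does not validate signatures or revocation data; the function names and sample bytes are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates, so dictionaries kept
    in compressed object streams are visible to the name search."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, embedded CMS blob, ...)
    return b"\n".join(parts)

def ltv_markers(pdf: bytes) -> dict:
    data = searchable_bytes(pdf)
    def has(name: bytes) -> bool:
        # Match the PDF name exactly, not a longer name that starts with it.
        return re.search(rb"/" + name + rb"(?![A-Za-z0-9.])", data) is not None
    return {
        "dss": has(rb"DSS"), "vri": has(rb"VRI"), "certs": has(rb"Certs"),
        "ocsps": has(rb"OCSPs"), "crls": has(rb"CRLs"),
        "doc_timestamp": has(rb"ETSI\.RFC3161"),
    }

def apparent_level(pdf: bytes) -> str:
    m = ltv_markers(pdf)
    if not (m["dss"] and m["certs"] and (m["ocsps"] or m["crls"])):
        return "no LTV data"
    return "B-LTA candidate" if m["doc_timestamp"] else "B-LT candidate"

# Constructed samples (not real signed files): the DSS lives in a Flate stream.
SAMPLE_LT = (
    b"%PDF-1.7\n5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /Type /Catalog /DSS << /VRI 7 0 R"
                    b" /Certs [8 0 R] /OCSPs [9 0 R] >> >>")
    + b"\nendstream\nendobj\n")
SAMPLE_LTA = SAMPLE_LT + (
    b"10 0 obj\n<< /Type /DocTimeStamp /SubFilter /ETSI.RFC3161 >>\nendobj\n")
SAMPLE_PLAIN = b"%PDF-1.7\n3 0 obj\n<< /Type /Sig /SubFilter /ETSI.CAdES.detached >>\nendobj\n"

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("lt", SAMPLE_LT), ("lta", SAMPLE_LTA)]:
        print(label, apparent_level(sample), ltv_markers(sample))
```

To check a real file, pass `open("signedLTV.pdf", "rb").read()` to `apparent_level`; a "candidate" result still needs confirmation with a full PAdES validator.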


Your Feedback Matters

As always, we welcome your thoughts. Please comment below and let us know what you think about these signature-related PDF API features. Should you have technical questions, feel free to contact us via the DevExpress Support Center.
