SecurePDF Component
Properties Methods Events Config Settings Errors
TBD
Syntax
nsoftware.IPWorksPDF.SecurePDF
Remarks
TBD
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
| Attachments | A collection of all attached files found in the PDF document. |
| DecryptionCert | The decryption certificate. |
| DocumentCerts | A collection of certificates read from the document during processing. |
| EncryptionAlgorithm | The encryption algorithm to encrypt the PDF document with. |
| FieldIndex | The index of the empty signature field to sign. |
| Firewall | A set of properties related to firewall access. |
| InputData | A byte array containing the PDF document to process. |
| InputFile | The PDF file to process. |
| InputStream | A stream containing the PDF document to process. |
| KnownCerts | A collection of additional certificates for chain validation. |
| OutputData | A byte array containing the PDF document after processing. |
| OutputFile | The path to a local file where the output will be written. |
| OutputStream | The stream to write the processed document to. |
| Overwrite | Whether or not the component should overwrite files. |
| Password | The password to encrypt or decrypt the document with. |
| Proxy | A set of properties related to proxy access. |
| RecipientCert | The encryption certificate. |
| Signatures | A collection of all the signatures and empty fields found in the PDF document. |
| SigningCert | The certificate to be used for signing. |
| SigningSettings | Manages signing settings. |
| TimestampServer | The address of the timestamping server. |
| TrustedCerts | A collection of trusted certificates for chain validation. |
| TrustedLists | A list of Trusted Lists for chain validation. |
| TrustSources | The trust sources to use during chain validation. |
| ValidationSettings | Manages chain validation settings. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
| AddAttachment | Adds an attachment to a PDF document. |
| AddDocumentTimestamp | Adds a document timestamp to a PDF document. |
| Close | Closes an opened PDF document. |
| Config | Sets or retrieves a configuration setting. |
| Decrypt | Decrypts a PDF document. |
| Encrypt | Encrypts a PDF document. |
| GetPageProperty | Retrieves the value of a page property. |
| GetSignedVersion | Returns the part of a signed PDF document that is covered by the signature. |
| GetWidgetProperty | Retrieves the value of a signature widget property. |
| Interrupt | Interrupts the current action. |
| IsDocumentEncrypted | Checks whether a PDF document is encrypted. |
| IsDocumentSigned | Checks whether a PDF document is signed. |
| Open | Opens a PDF document for processing. |
| RemoveAttachment | Removes an attachment from a PDF document. |
| Reset | Resets the component. |
| SaveAttachment | Saves a PDF attachment to a file. |
| SetWidgetProperty | Sets the value of a signature widget property. |
| Sign | Signs a PDF document. |
| Unsign | Removes a signature from a PDF document. |
| Update | Updates a signature. |
| Verify | Verifies a signed PDF document. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
| ChainCertInfo | Fired when the component encounters a chain certificate. |
| DocumentInfo | Fired when the document has been processed. |
| EncryptionInfo | Fired when the component detects that the PDF document is encrypted. |
| Error | Fired when information is available about errors during data delivery. |
| Log | Fired when log information is available during processing. |
| SignatureInfo | Fired when the component finds a signature in the document. |
| SignatureProcessed | Fired after a signature has been processed. |
| SSLServerAuthentication | Fired after the server presents its certificate to the client. |
| SSLStatus | Fired when secure connection progress messages are available. |
Config Settings
The following is a list of config settings for the component with short descriptions. Click on the links for further details.
| BlockedCerts | The certificates that must be rejected as trust anchors. |
| CacheRevocationInfo | Whether revocation information should be cached. |
| CloseInputStreamAfterProcessing | Whether the input stream is closed after processing. |
| CloseOutputStreamAfterProcessing | Whether the output stream is closed after processing. |
| CollectTSARevocationInfo | Whether revocation information for timestamps should be collected automatically from online sources. |
| CompressDSS | Whether content in the DSS dictionary will be compressed. |
| ContactInfo[Index] | The signer's contact information. |
| CustomProfile | A pre-defined custom profile to apply when creating the signature. |
| EncryptMetadata | Whether to encrypt the document metadata. |
| ExtraSpace | The number of extra 0 bytes to allocate in the document behind the signature. |
| FilterName[Index] | The signature filter name. |
| FullSignatureName[Index] | The full name of the signature field. |
| GracePeriod | A grace period to apply during revocation checks. |
| HardenedKeyGeneration | Whether hardened key generation should be used. |
| HTTPRetryCount | The number of HTTP request retries. |
| HTTPRetryInterval | A time interval to apply between HTTP request retries. |
| IncludeRevocationInfo | Whether revocation information should be included in the document. |
| IncludeSigningChain | Whether the full signing chain should be included in the signature. |
| LogLevel | The level of detail that is logged. |
| OAEPMGF1HashAlgorithm | The MGF1 hash algorithm used with OAEP. |
| OAEPParams | The hex-encoded OAEP parameters. |
| OAEPRSAHashAlgorithm | The RSA hash algorithm used with OAEP. |
| OCSPHashAlgorithm | The hash algorithm to be used to identify certificates in OCSP requests. |
| OwnerPassword | The owner password to encrypt or decrypt the document with. |
| Permissions | The document permissions associated with the encryption. |
| PolicyHash | The signature policy hash value. |
| PolicyHashAlgorithm | The algorithm that was used to calculate the signature policy hash. |
| PolicyID | The policy ID to be included in the signature. |
| Qualifications[Index] | The qualifications associated with a qualified certificate. |
| RC4KeyBits | The number of key bits used for the RC4 algorithm. |
| SaveChanges | Whether changes made to the PDF document should be saved. |
| SignatureData[Index] | The hex-encoded representation of the underlying PKCS#7 signature blob. |
| TempPath | The location where temporary files are stored. |
| TimestampHashAlgorithm | A specific hash algorithm for use with the timestamping service. |
| TrustedListData | The Trusted List data that the component downloaded. |
| TSATLSClientCertStore | The TLS client certificate store to search. |
| TSATLSClientCertStorePassword | The password needed to open the TLS client certificate store. |
| TSATLSClientCertStoreType | The type of the TLS client certificate store. |
| TSATLSClientCertSubject | The subject of the TLS client certificate. |
| UseOAEP | Whether to use Optimal Asymmetric Encryption Padding (OAEP) during encryption and decryption. |
| UsePSS | Whether to use RSA-PSS during signing and verification. |
| ValidationFlags | Additional chain validation settings. |
| BuildInfo | Information about the product's build. |
| GUIAvailable | Whether or not a message loop is available for processing events. |
| LicenseInfo | Information about the current license. |
| MaskSensitiveData | Whether sensitive data is masked in log messages. |
| UseInternalSecurityAPI | Whether or not to use the system security libraries or an internal implementation. |
Attachments Property (SecurePDF Component)
A collection of all attached files found in the PDF document.
Syntax
public PDFAttachmentList Attachments { get; }
Public Property Attachments As PDFAttachmentList
Remarks
This property is used to access the details of all the attached files identified in the document. Use the AddAttachment, RemoveAttachment, and SaveAttachment methods to add, remove, and save attachments to/from this collection respectively. TBD
This property is not available at design time.
Please refer to the PDFAttachment type for a complete list of fields.DecryptionCert Property (SecurePDF Component)
The decryption certificate.
Syntax
public Certificate DecryptionCert { get; set; }
Public Property DecryptionCert As Certificate
Remarks
This property is used to provide the certificate used for decryption. Note that this certificate must have a private key associated with it. Uncommon because encryption/decryption are usually done via a password, but still needed. The encryption cert is RecipientCert. TBD
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.DocumentCerts Property (SecurePDF Component)
A collection of certificates read from the document during processing.
Syntax
public CertificateList DocumentCerts { get; }
Public ReadOnly Property DocumentCerts As CertificateList
Remarks
This property is used to access all certificates encountered during document processing and embedded into the signature by its creator. Not user-supplied but rather an "inbound" property.
A huge unsorted pile of certificates that we encounter from the signatures, timestamps, DSS, etc., including all the chains. Populated automatically during chain validation.
Along with KnownCerts, can potentially be useful for including the full signing chain into the signature (something users commonly want to do). See the IncludeSigningChain config.
Named as such because the SBB equivalent, Certificates, was too vague. TBD
This property is read-only and not available at design time.
Please refer to the Certificate type for a complete list of fields.EncryptionAlgorithm Property (SecurePDF Component)
The encryption algorithm to encrypt the PDF document with.
Syntax
Default Value
"AES256"
Remarks
This property is used to specify the encryption algorithm to encrypt the document with. For certificate-based encryption, set the RecipientCert property.
Possible values are:
- RC4
- AES128
- AES256
FieldIndex Property (SecurePDF Component)
The index of the empty signature field to sign.
Syntax
Default Value
-1
Remarks
This property is used to specify the empty signature field that should be signed. If the default value of -1 is assigned to this property, a new signature field will be created.
Users need to be able to specify which empty field to sign, for example if multiple people need to sign the document and it gets passed around.
Will be used after the document has already been "signed" with SigningSettings.Type = stEmptyField:
// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Type = PDFSignatureTypes.stEmptyField;
signer.Sign();
// later
signer.FieldIndex = 0;
// set Profile, widget properties, etc.
signer.Sign();
Can rename to EmptyFieldIndex (matches SBB) for clarity. TBD
Firewall Property (SecurePDF Component)
A set of properties related to firewall access.
Syntax
Remarks
This is a Firewall-type property, which contains fields describing the firewall through which the component will attempt to connect.
Please refer to the Firewall type for a complete list of fields.InputData Property (SecurePDF Component)
A byte array containing the PDF document to process.
Syntax
Remarks
This property is used to assign a byte array containing the PDF document to be processed. TBD
This property is not available at design time.
InputFile Property (SecurePDF Component)
The PDF file to process.
Syntax
Default Value
""
Remarks
This property is used to provide a path to the PDF document to be processed. TBD
InputStream Property (SecurePDF Component)
A stream containing the PDF document to process.
Syntax
public System.IO.Stream InputStream { get; set; }
Public Property InputStream As System.IO.Stream
Default Value
null
Remarks
This property is used to assign a stream containing the PDF document to be processed. TBD
This property is not available at design time.
KnownCerts Property (SecurePDF Component)
A collection of additional certificates for chain validation.
Syntax
public CertificateList KnownCerts { get; }
Public Property KnownCerts As CertificateList
Remarks
This property is used to supply a list of additional certificates to the component that might be needed for chain validation.
Part of the BlockedCerts-KnownCerts-TrustedCerts trio for chain validation. User-supplied. To prevent "known" chain certificates from residing in the same collection as trusted or blocked certificates.
Similar to DocumentCerts, an unsorted pile of certificates from different chains (TSA, OCSP, etc., not just the signing chain) but that we will use to actually build the chains if we can't find the certificates elsewhere.
Along with DocumentCerts, can potentially be useful for including the full signing chain into the signature (something users commonly want to do). See the IncludeSigningChain config.
The user can add Certificate objects to it if they have their own certificates on hand and want to provide them before validation. An example scenario is when intermediary CA certificates are absent from the standard system locations (or when there are no standard system locations) and therefore should be supplied to the component manually.
The purpose of certificates to be added to this collection is roughly equivalent to that of the Intermediate Certification Authorities system store in Windows.
Do not add trust anchors or root certificates to this collection; add them to TrustedCerts instead. TBD
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.OutputData Property (SecurePDF Component)
A byte array containing the PDF document after processing.
Syntax
Remarks
This property is used to read the byte array containing the produced output after the operation has completed. It will only be set if the OutputFile and OutputStream properties have not been assigned. TBD
This property is read-only and not available at design time.
OutputFile Property (SecurePDF Component)
The path to a local file where the output will be written.
Syntax
Default Value
""
Remarks
This property is used to provide a path where the resulting PDF document will be saved after the operation has completed. TBD
OutputStream Property (SecurePDF Component)
The stream to write the processed document to.
Syntax
public System.IO.Stream OutputStream { get; set; }
Public Property OutputStream As System.IO.Stream
Default Value
null
Remarks
This property is used to assign a stream where the resulting PDF document will be written to after the operation has completed. TBD
This property is not available at design time.
Overwrite Property (SecurePDF Component)
Whether or not the component should overwrite files.
Syntax
Default Value
False
Remarks
This property indicates whether or not the component will overwrite OutputFile, OutputData, or OutputStream. If set to false, an error will be thrown whenever OutputFile, OutputData, or OutputStream exists before an operation.
Password Property (SecurePDF Component)
The password to encrypt or decrypt the document with.
Syntax
Default Value
""
Remarks
This property is used to provide the user password for encryption/decryption. To specify the owner password, set the OwnerPassword configuration setting. Though it may be different from OwnerPassword, most implementations use the same value for both.
Most encrypted documents in the wild are "pseudo-encrypted" with an empty password in order to embed the permissions/access rights. TBD
Proxy Property (SecurePDF Component)
A set of properties related to proxy access.
Syntax
Remarks
This property contains fields describing the proxy through which the component will attempt to connect.
Please refer to the Proxy type for a complete list of fields.RecipientCert Property (SecurePDF Component)
The encryption certificate.
Syntax
public Certificate RecipientCert { get; set; }
Public Property RecipientCert As Certificate
Remarks
This property is used to provide the certificate used for encryption. Uncommon because encryption/decryption are usually done via a password, but still needed. Can rename to EncryptionCert for clarity/symmetry. We will not support encryption for multiple recipients. TBD
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.Signatures Property (SecurePDF Component)
A collection of all the signatures and empty fields found in the PDF document.
Syntax
public PDFSignatureList Signatures { get; }
Public ReadOnly Property Signatures As PDFSignatureList
Remarks
This property is used to access all the signatures and empty signature fields identified in the document. For example, the user may want to check a signature's Profile, SignatureValidationResult, or ChainValidationResult, or identify an empty field to sign later using FieldIndex.
Index can be obtained from the SignatureInfo/SignatureProcessed events' SigIndex parameter. TBD
This property is read-only and not available at design time.
Please refer to the PDFSignature type for a complete list of fields.SigningCert Property (SecurePDF Component)
The certificate to be used for signing.
Syntax
public Certificate SigningCert { get; set; }
Public Property SigningCert As Certificate
Remarks
This property is used to specify the certificate that should be used for signing the data. Note that this certificate should have a private key associated with it.
Use KnownCerts (or DocumentCerts) and the IncludeSigningChain config to supply the rest of the certificate chain for inclusion into the signature. TBD
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.SigningSettings Property (SecurePDF Component)
Manages signing settings.
Syntax
public PDFSigningSettings SigningSettings { get; }
Public ReadOnly Property SigningSettings As PDFSigningSettings
Remarks
This property is used to tune up new signature settings. To adjust the visual parameters of the signature widget, use the SetWidgetProperty method.
This property is read-only and not available at design time.
Please refer to the PDFSigningSettings type for a complete list of fields.TimestampServer Property (SecurePDF Component)
The address of the timestamping server.
Syntax
Default Value
""
Remarks
This property is used to specify the address of the TSA (Timestamping Authority) server to use for timestamping the signature (normal signing) or the document (LTV update). See the pseudocode in the Sign method for when it must be set.
If the timestamping service enforces credential-based user authentication (basic or digest), the credentials can be provided in the same URL. For example:
signer.TimestampServer = "http://user:password@timestamp.server.com/TsaService";
Needed for both signature timestamps and document timestamps. Communication with the TSA operates over HTTP, so if it requires HTTP authentication we should parse user credentials from the string like above.
Since TSAs can operate over HTTPS too, we have the SSLServerAuthentication and SSLStatus events. In the rare case that the TSA requires TLS client authentication, the user can provide the client certificate via the TSATLSClientCertStoreType, TSATLSClientCertStore, TSATLSClientCertSubject, and TSATLSClientCertStorePassword configs. TBD
TrustedCerts Property (SecurePDF Component)
A collection of trusted certificates for chain validation.
Syntax
public CertificateList TrustedCerts { get; }
Public Property TrustedCerts As CertificateList
Remarks
This property is used to supply a list of trusted certificates to the component that might be needed for chain validation.
Part of the BlockedCerts-KnownCerts-TrustedCerts trio. User-supplied. To prevent trusted certificates from residing in the same collection as blocked certificates. If we find a certificate in a chain (any chain we encounter and process, not just the signing chain) that's also in this collection, the certificate is explicitly trusted, and prior certificates therefore chain up to a trust anchor (meaning the trust aspect of that portion of chain validation succeeds).
Similar to KnownCerts, the user can add Certificate objects to it if they have their own certificates on hand and want the component to register them as trust anchors. An example scenario is when root CA certificates are absent from the standard system locations (or when there are no standard system locations) and therefore should be supplied to the component manually.
The purpose of this certificate collection is largely the same as that of the Windows Trusted Root Certification Authorities system store.
Use this property with extreme care as it directly affects chain verifiability; a wrong certificate added to the list of trusted certificates may result in bad chains being accepted and forfeited signatures being recognized as genuine. Only add certificates that originate from the parties that you know and trust.
The original idea was to have a Trust field in the Certificate type instead of these 3 different collections, but we decided not to go through with that because it would lead to confusion in existing products. Overall we sought to leave the Certificate type and the CertMgr component as intact as possible. TBD
This property is not available at design time.
Please refer to the Certificate type for a complete list of fields.TrustedLists Property (SecurePDF Component)
A list of Trusted Lists for chain validation.
Syntax
Default Value
"%EUTL%"
Remarks
This property is used to supply a semicolon-separated list of URLs or paths of custom Trusted Lists to the component for chain validation.
A Trusted List is an XML document that contains a government-issued list of CAs that have passed regulated compliance checks. When validating the chain, the validator will consult the Trusted List to establish certificate trust and obtain certificate qualifications, ensuring that the CA is legitimate and entitled to issue certificates of the kind being checked.
The default value is the special %EUTL% macro, which, if applicable, instructs the component to check the root certificate against up-to-date versions of the primary EU Trusted Lists from the EU LOTL (https://ec.europa.eu/tools/lotl/eu-lotl.xml) (later on, we can add more macros for different countries if needed).
The user can append their own values:
securepdf.TrustedLists = "%EUTL%;http://my.company/tsl;c:\tsls\mytsl.xml";
Just like the chain validator downloads CRLs when required, it will download a Trusted List and check the certificate against it without any specific user involvement.
TBD
TrustSources Property (SecurePDF Component)
The trust sources to use during chain validation.
Syntax
public SecurePDFTrustSources TrustSources { get; set; }
enum SecurePDFTrustSources { tsLocal, tsTrustedLists, tsLocalAndTrustedLists }
Public Property TrustSources As SecurepdfTrustSources
Enum SecurePDFTrustSources tsLocal tsTrustedLists tsLocalAndTrustedLists End Enum
Default Value
2
Remarks
This property is used to specify the sources the component will use to establish certificate trust during chain validation.
Establishing trust for a particular certificate, when either signing or verifying, involves building a chain up to a valid trust anchor. This trust anchor is a root certificate that typically resides on the local system. If the certificate does not eventually chain up to a valid trust anchor, the chain is considered untrusted and therefore invalid. (TBD this info can go elsewhere)
Possible values are:
| 0 (tsLocal) | The component will consult local system stores (e.g., Windows Trusted Root Certification Authorities) as well as TrustedCerts. |
| 1 (tsTrustedLists) | The component will consult TrustedLists. |
| 2 (tsLocalAndTrustedLists - default) | The component will consult local system stores, TrustedCerts, and TrustedLists. |
ValidationSettings Property (SecurePDF Component)
Manages chain validation settings.
Syntax
public ValidationSettings ValidationSettings { get; }
Public ReadOnly Property ValidationSettings As ValidationSettings
Remarks
This property is used to tune up chain validation settings.
Probably the most important property for chain validation-related matters. Motivated by a need for users to have more fine-grained (and easier) control over the many parameters that dictate how chain validation should be performed in their environment. This includes both revocation and trust aspects.
Compared to SBB, it's more intuitive and packaged into one property here, with more advanced settings moved to Config that we expect will be used rarely (e.g. ValidationFlags). As opposed to something like IgnoreChainValidationErrors in SBB which is more of a catch-all. TBD
This property is read-only and not available at design time.
Please refer to the ValidationSettings type for a complete list of fields.AddAttachment Method (SecurePDF Component)
Adds an attachment to a PDF document.
Syntax
public void AddAttachment(string fileName, string description); Async Version public async Task AddAttachment(string fileName, string description); public async Task AddAttachment(string fileName, string description, CancellationToken cancellationToken);
Public Sub AddAttachment(ByVal FileName As String, ByVal Description As String) Async Version Public Sub AddAttachment(ByVal FileName As String, ByVal Description As String) As Task Public Sub AddAttachment(ByVal FileName As String, ByVal Description As String, cancellationToken As CancellationToken) As Task
Remarks
This method is used to add an attachment (embedded file) to the document specified in InputFile, InputData, or InputStream and to the Attachments collection.
The document containing the newly added attachment will be saved to OutputFile, OutputData, or OutputStream.
The FileName and Description parameters specify the filename and description of the attachment respectively.
Example usage:
securepdf.Open();
securepdf.AddAttachment("foo.txt", "desc");
securepdf.Close();
Alternatively, the user can create a PDFAttachment object and add it to Attachments manually:
PDFAttachment attachment = new PDFAttachment();
attachment.FileName = "foo.txt";
// or attachment.Data = byte array
// or attachment.InputStream = FileStream(...)
attachment.Description = "desc";
securepdf.Attachments.Add(attachment);
Or using one of the constructors:
PDFAttachment attachment = new PDFAttachment("foo.txt", "desc");
securepdf.Attachments.Add(attachment);
The full list of attachments is contained in the Attachments property.
TBD
AddDocumentTimestamp Method (SecurePDF Component)
Adds a document timestamp to a PDF document.
Syntax
public void AddDocumentTimestamp(); Async Version public async Task AddDocumentTimestamp(); public async Task AddDocumentTimestamp(CancellationToken cancellationToken);
Public Sub AddDocumentTimestamp() Async Version Public Sub AddDocumentTimestamp() As Task Public Sub AddDocumentTimestamp(cancellationToken As CancellationToken) As Task
Remarks
This method is used to obtain a document timestamp and embed it into the document specified in InputFile, InputData, or InputStream. The updated document will be saved to OutputFile, OutputData, or OutputStream.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Example usage:
// assuming InputFile and OutputFile are already set
securepdf.AddDocumentTimestamp();
For visibility, this method is a shortcut/alias for the following:
// assuming InputFile and OutputFile are already set
securepdf.SigningSettings.Type = stDTS;
securepdf.Update(0);
Can be used to update a B-B/B-T signature to B-LTA or extend an existing B-LTA.
In PDF, document timestamps are fully independent signatures made by the TSA, so TimestampServer will also need to be set before this method is called.
The user does not need to provide a signing certificate or chain when adding document timestamps, since this type of signature is done with a TSA's certificate. TBD
Close Method (SecurePDF Component)
Closes an opened PDF document.
Syntax
public void Close(); Async Version public async Task Close(); public async Task Close(CancellationToken cancellationToken);
Public Sub Close() Async Version Public Sub Close() As Task Public Sub Close(cancellationToken As CancellationToken) As Task
Remarks
This method is used to close the previously opened document specified in InputFile, InputData, or InputStream. It should always be preceded by a call to the Open method.
Example usage:
securepdf.InputFile = "input.pdf";
securepdf.Open();
// some action
securepdf.Close();
If any changes are made to the document, they will be saved automatically to OutputFile, OutputData, or OutputStream when this method is called. To configure this saving behavior, set the SaveChanges config.
We won't write to OutputFile, OutputData, or OutputStream by default if the document is unchanged. TBD
Config Method (SecurePDF Component)
Sets or retrieves a configuration setting.
Syntax
Remarks
Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
Decrypt Method (SecurePDF Component)
Decrypts a PDF document.
Syntax
public void Decrypt(); Async Version public async Task Decrypt(); public async Task Decrypt(CancellationToken cancellationToken);
Public Sub Decrypt() Async Version Public Sub Decrypt() As Task Public Sub Decrypt(cancellationToken As CancellationToken) As Task
Remarks
This method is used to permanently remove encryption from the PDF document specified in InputFile, InputData, or InputStream. The document will be decrypted with either Password (for password-based encryption) or DecryptionCert (for certificate-based encryption) and saved in OutputFile, OutputData, or OutputStream.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Should be called consciously, i.e. when the user is aware that the document is encrypted. We therefore expect the user to set the correct decryption material before calling this method. But it will still fire the EncryptionInfo event (like Open does) which gives the user one last chance to provide the correct decryption material. We shouldn't necessarily advertise this approach though. In general,
- User is aware that the document is encrypted: set Password/DecryptionCert and call Decrypt. For example, users who will want to process encrypted documents as part of some batch flow.
- User is unaware that the document is encrypted: call Open and subscribe to EncryptionInfo. For example, users who will come across encrypted documents occasionally as part of the verification process.
Example usage:
securepdf.InputFile = "encrypted.pdf";
securepdf.OutputFile = "decrypted.pdf";
// set decryption material (Password or DecryptionCert) here
securepdf.Decrypt();
...
// then they can Sign(), AddAttachment(), etc.
Can also be called after the Open method to save a decrypted copy of the document before calling the Close method. For example:
securepdf.InputFile = "encrypted.pdf";
securepdf.Open();
// some action, say Verify() or SaveAttachment()
securepdf.OutputFile = "decrypted.pdf";
securepdf.Decrypt();
securepdf.Close();
The Verify method cannot be called after this method because since the encryption trailer gets removed when encryption is removed, invalidating all signatures.
Because of this, this method will call Unsign internally, automatically removing all signatures from the document. The user can/should Verify any signatures before this method is called.
TBD
Encrypt Method (SecurePDF Component)
Encrypts a PDF document.
Syntax
public void Encrypt(); Async Version public async Task Encrypt(); public async Task Encrypt(CancellationToken cancellationToken);
Public Sub Encrypt() Async Version Public Sub Encrypt() As Task Public Sub Encrypt(cancellationToken As CancellationToken) As Task
Remarks
This method is used to encrypt the PDF document specified in InputFile, InputData, or InputStream. The document will be encrypted with either Password (for password-based encryption) or RecipientCert (for certificate-based encryption), EncryptionAlgorithm, and saved in OutputFile, OutputData, or OutputStream.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Example usage:
securepdf.InputFile = "input.pdf";
securepdf.OutputFile = "encrypted.pdf";
securepdf.Password = "password";
securepdf.EncryptionAlgorithm = "AES256";
securepdf.Encrypt();
We will not support encryption for multiple recipients.
TBD
GetPageProperty Method (SecurePDF Component)
Retrieves the value of a page property.
Syntax
public string GetPageProperty(int page, string property); Async Version public async Task<string> GetPageProperty(int page, string property); public async Task<string> GetPageProperty(int page, string property, CancellationToken cancellationToken);
Public Function GetPageProperty(ByVal Page As Integer, ByVal Property As String) As String Async Version Public Function GetPageProperty(ByVal Page As Integer, ByVal Property As String) As Task(Of String) Public Function GetPageProperty(ByVal Page As Integer, ByVal Property As String, cancellationToken As CancellationToken) As Task(Of String)
Remarks
This method is used to read general information about the pages of the document specified in InputFile, InputData, or InputStream, such as their dimensions and content positioning details.
The Page parameter specifies the page to read information about, and the Property parameter specifies the page property to read. The latter is one of the following values:
| Page property | Default value | Description |
| CropLowerLeftX | 0 | Specifies the lower-left X coordinate of the page crop area in points. |
| CropLowerLeftY | 0 | Specifies the lower-left Y coordinate of the page crop area in points. |
| CropUpperRightX | 0 | Specifies the upper-right X coordinate of the page crop area in points. |
| CropUpperRightY | 0 | Specifies the upper-right Y coordinate of the page crop area in points. |
| Height | 0 | Specifies the height of the page in points. |
| MediaLowerLeftX | 0 | Specifies the lower-left X coordinate of the page media area in points. |
| MediaLowerLeftY | 0 | Specifies the lower-left Y coordinate of the page media area in points. |
| MediaUpperRightX | 0 | Specifies the upper-right X coordinate of the page media area in points. |
| MediaUpperRightY | 0 | Specifies the upper-right Y coordinate of the page media area in points. |
| Rotation | 0 | Specifies the rotation angle of the page in degrees. Possible values: 0, 90, 180, 270. |
| Width | 0 | Specifies the width of the page in points. |
Complements the PageCount parameter in the DocumentInfo event. For example:
int pageCount = 0;
securepdf.OnDocumentInfo += (s, e) => { pageCount = e.PageCount; };
securepdf.Open();
for (int i = 1; i <= pageCount; i++) securepdf.GetPageProperty(i, "Height");
securepdf.Close();
The alternative, which we dismissed, was to have a Pages collection and PDFPage type to house the same properties.
We thought having that info at the top level would pollute the API because the user only really needs to query the page properties to adjust the position of the signature widget based on the page dimensions. For example:
int x = int.Parse(securepdf.GetPageProperty(1, "Width")) - 100;
int y = int.Parse(securepdf.GetPageProperty(1, "Height")) - 100;
securepdf.SetWidgetProperty("OffsetX", x.ToString());
securepdf.SetWidgetProperty("OffsetY", y.ToString());
Having a Config-like method here also allows us to expand the properties in the future if needed.
There is no accompanying SetPageProperty method because these are read-only properties from the document itself, they cannot be modified. TBD
GetSignedVersion Method (SecurePDF Component)
Returns the part of a signed PDF document that is covered by the signature.
Syntax
public void GetSignedVersion(int sigIndex); Async Version public async Task GetSignedVersion(int sigIndex); public async Task GetSignedVersion(int sigIndex, CancellationToken cancellationToken);
Public Sub GetSignedVersion(ByVal SigIndex As Integer) Async Version Public Sub GetSignedVersion(ByVal SigIndex As Integer) As Task Public Sub GetSignedVersion(ByVal SigIndex As Integer, cancellationToken As CancellationToken) As Task
Remarks
This method is used to retrieve the revision of the document specified in InputFile, InputData, or InputStream that is covered by the signature specified by SigIndex. The extracted revision will be saved to OutputFile, OutputData, or OutputStream.
The SigIndex parameter is the index of the signature of interest in the Signatures collection.
Example usage:
// assuming InputFile and OutputFile are already set
securepdf.Open();
securepdf.GetSignedVersion(0);
securepdf.Close();
PDF documents often use an incremental update approach, with any changes being appended to the document without altering the existing revision.
This may lead to situations where a signature only covers part of the document (one of the past revisions), but not subsequent changes.
This method provides a means to extract the revision that is actually certified by the signature.
It is recommended that you use this method when validating signatures to make sure the signature covers what you expect it to cover.
An alternative to this method is to check the CoverageEndsAt field of the signature object and match it to the document length. TBD
GetWidgetProperty Method (SecurePDF Component)
Retrieves the value of a signature widget property.
Syntax
public string GetWidgetProperty(int sigIndex, string property); Async Version public async Task<string> GetWidgetProperty(int sigIndex, string property); public async Task<string> GetWidgetProperty(int sigIndex, string property, CancellationToken cancellationToken);
Public Function GetWidgetProperty(ByVal SigIndex As Integer, ByVal Property As String) As String Async Version Public Function GetWidgetProperty(ByVal SigIndex As Integer, ByVal Property As String) As Task(Of String) Public Function GetWidgetProperty(ByVal SigIndex As Integer, ByVal Property As String, cancellationToken As CancellationToken) As Task(Of String)
Remarks
This method is used to retrieve the value of a signature widget property.
The SigIndex parameter is the index of the signature of interest in the Signatures collection, and the Property parameter specifies the widget property to read. The latter is one of the following values:
| Widget property | Default value | Description |
| CustomTextCount | 0 | The number of custom text blocks on the signature widget. |
| CustomTextFontResourceName[Index] | "" | The font resource name used for the custom text block. |
| CustomTextFontSizeX[Index] | 0 | The horizontal font size scale used for the custom text. |
| CustomTextFontSizeY[Index] | 0 | The vertical font size scale used for the custom text. |
| CustomTextX[Index] | 0 | The horizontal offset of the custom text block on the widget. |
| CustomTextY[Index] | 0 | The vertical offset of the custom text block on the widget. |
| CustomText[Index] | "" | The text shown on a custom signature
widget text block.
This indexed property provides access to the text placed on a specific signature widget text block. CustomText[0] specifies the text on the first block, CustomText[1] on the second block, and so on. Use the CustomTextCount property to get the number of custom text blocks. |
| Height | 70 | The height of the signature widget in points. This property is the same as WidgetHeight. |
| Invisible | "" | Whether the signature widget is invisible on the page. |
| OffsetX | 0 | The signature widget offset from the left-hand page border in points. This property is the same as WidgetOffsetX. |
| OffsetY | 0 | The signature widget offset from the bottom page border in points. This property is the same as WidgetOffsetY. |
| Pages | "" | The page numbers on which the signature is shown. This property is the same as WidgetPages. |
| Rotation | 0 | The rotation angle of the signature widget in degrees. Supported values: 0, 90, 180, 270. |
| Width | 70 | The width of the signature widget in points. This property is the same as WidgetWidth. |
Example usage:
securepdf.Open();
bool invisible = bool.Parse(securepdf.GetWidgetProperty(0, "Invisible"));
securepdf.Close();
Having a Config-like method here also allows us to expand the properties in the future if needed.
TBD
Interrupt Method (SecurePDF Component)
Interrupts the current action.
Syntax
public void Interrupt(); Async Version public async Task Interrupt(); public async Task Interrupt(CancellationToken cancellationToken);
Public Sub Interrupt() Async Version Public Sub Interrupt() As Task Public Sub Interrupt(cancellationToken As CancellationToken) As Task
Remarks
This method interrupts the current action. It can be used, for example, within the ChainCertInfo event to abort the chain validation procedure.
If there is no action in progress, this method simply returns, doing nothing.
IsDocumentEncrypted Method (SecurePDF Component)
Checks whether a PDF document is encrypted.
Syntax
public bool IsDocumentEncrypted(); Async Version public async Task<bool> IsDocumentEncrypted(); public async Task<bool> IsDocumentEncrypted(CancellationToken cancellationToken);
Public Function IsDocumentEncrypted() As Boolean Async Version Public Function IsDocumentEncrypted() As Task(Of Boolean) Public Function IsDocumentEncrypted(cancellationToken As CancellationToken) As Task(Of Boolean)
Remarks
This method is used to determine whether or not the document specified in InputFile, InputData, or InputStream is encrypted. Returns false if the document is pseudo-encrypted with an empty password.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Used to notify the user that the document is encrypted before they try to call Open or Decrypt. For example:
securepdf.InputFile = "input.pdf";
if (securepdf.IsDocumentEncrypted())
{
// set Password or DecryptionCert as an alternative to providing it in the EncryptionInfo event
}
securepdf.Open();
// some action
securepdf.Close();
securepdf.InputFile = "input.pdf";
if (securepdf.IsDocumentEncrypted())
{
securepdf.OutputFile = "decrypted.pdf";
// set Password or DecryptionCert
securepdf.Decrypt();
}
As for checking whether the document is encrypted, we need to parse the trailer first and then check if the Encrypt dictionary reference is present in the trailer.
Then parse xref to get the address of Encrypt dictionary and seek to read Encrypt dictionary.
If the Encrypt dictionary is found, then the document is encrypted.
In this process a temp file might be created in case of the inputStream is not seekable.
We do not need to call the Open method in the API. But it shares some logic.
So we will call Close internally to close stream and release temp file at the end of this method.
TBD
IsDocumentSigned Method (SecurePDF Component)
Checks whether a PDF document is signed.
Syntax
public bool IsDocumentSigned(); Async Version public async Task<bool> IsDocumentSigned(); public async Task<bool> IsDocumentSigned(CancellationToken cancellationToken);
Public Function IsDocumentSigned() As Boolean Async Version Public Function IsDocumentSigned() As Task(Of Boolean) Public Function IsDocumentSigned(cancellationToken As CancellationToken) As Task(Of Boolean)
Remarks
This method is used to determine whether or not the document specified in InputFile, InputData, or InputStream is signed.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Example usage:
securepdf.InputFile = "input.pdf";
if (securepdf.IsDocumentSigned()) securepdf.Verify();
TBD
Open Method (SecurePDF Component)
Opens a PDF document for processing.
Syntax
public void Open(); Async Version public async Task Open(); public async Task Open(CancellationToken cancellationToken);
Public Sub Open() Async Version Public Sub Open() As Task Public Sub Open(cancellationToken As CancellationToken) As Task
Remarks
This method is used to open the document specified in InputFile, InputData, or InputStream before performing some operation on it, such as signing, updating, verifying signatures, or removing signatures. When finished, call Close to complete or discard the operation. If changes were made, the modified document will be saved to OutputFile, OutputData, or OutputStream.
Will fire EncryptionInfo (when applicable) and DocumentInfo. To be used alongside Close whenever some action needs to be performed on the document, mostly for updating signatures. This method will NOT automatically verify signatures.
It is recommended to use this method (alongside Close) when performing multiple operations on the document at once.
Automatic Decryption Scheme
If this method is called and the document is encrypted, first EncryptionInfo will fire informing the user that the document must be decrypted before processing can continue.Once the user supplies the decryption material (or is unaware and Password is kept empty in the pseudo-encrypted case), we will then attempt to decrypt the document automatically within this method for two reasons:
- There is little point in having an opened yet still encrypted document. We can't get anything from such document unless we decrypt it. The only action that the user can do with such document is Decrypt it (or Close it). This makes the Decrypt call redundant - the user will be either forced to call it (if the document is encrypted) or forced not to call it (if it isn't).
- Most encrypted documents in the wild are "pseudo-encrypted" (with an empty password), and many users don't even know that their document is encrypted as Acrobat decrypts it on-the-fly and behind the scenes. Telling them a story of such pseudo-encrypted documents would be challenging both for such users and ourselves.
After we decrypt, the user can then conduct some manipulation on the document (verify signatures, extract attachments).
Now, if the user wants to get a decrypted copy of the document, they must call Decrypt - if they don't, we will preserve the document's encrypted status when saving it later.
The user calls Close (SaveChanges set to 1 or 2). The document is saved in decrypted form (Decrypt has been called) or in encrypted form (Decrypt was not called).
Automatic Decryption Scheme Issues
- The PDF may be encrypted with both a user password (Password) and an OwnerPassword. If these passwords are different (e.g. the OwnerPassword is empty to protect the permissions) and the user password is used to open the PDF, we will decrypt with the user password.
This means we will remove the owner password, which ultimately means the user can remove the permissions without knowing the owner password. We decided that the component shouldn't necessarily be responsible for enforcing the intent of the original owner. Can always add a config later if a customer comes in exposing this problem.
- For a signed AND encrypted PDF, if we first decrypt the PDF, we will modify the encryption trailer and then verification will fail. The encryption trailer needs to be preserved on Sign/Verify and deleted on Decrypt. So to allow the user to actually call methods, we need to keep the encryption trailer intact.
We should follow what SBB does with its dmSign decryption mode: only the necessary parts of the document are decrypted (e.g. those related to signatures), then optionally new objects (e.g. attachments, new signatures) are added, and then the decrypted and new objects are re-encrypted (assuming the de/encryption material is available). The Encrypt dictionary is not changed in this case.
Note that you can update an encrypted document in the 'incremental update' way (append new objects to the end), which lets you add new stuff without invalidating existing signatures.
RemoveAttachment Method (SecurePDF Component)
Removes an attachment from a PDF document.
Syntax
public void RemoveAttachment(int index); Async Version public async Task RemoveAttachment(int index); public async Task RemoveAttachment(int index, CancellationToken cancellationToken);
Public Sub RemoveAttachment(ByVal Index As Integer) Async Version Public Sub RemoveAttachment(ByVal Index As Integer) As Task Public Sub RemoveAttachment(ByVal Index As Integer, cancellationToken As CancellationToken) As Task
Remarks
This method is used to remove an attachment from the document specified in InputFile, InputData, or InputStream and from the Attachments collection.
The document without the attachment will be saved to OutputFile, OutputData, or OutputStream.
The Index parameter is the index of the attachment in the Attachments collection to be removed.
Example usage:
securepdf.Open();
securepdf.RemoveAttachment(0);
securepdf.Close();
Alternatively, the user can remove an attachment from Attachments manually:
securepdf.Open();
PDFAttachment attachment = securepdf.Attachments[0];
securepdf.Attachments.Remove(attachment);
securepdf.Close();
TBD
Reset Method (SecurePDF Component)
Resets the component.
Syntax
public void Reset(); Async Version public async Task Reset(); public async Task Reset(CancellationToken cancellationToken);
Public Sub Reset() Async Version Public Sub Reset() As Task Public Sub Reset(cancellationToken As CancellationToken) As Task
Remarks
This method is used to reset the component's properties to their default values.
SaveAttachment Method (SecurePDF Component)
Saves a PDF attachment to a file.
Syntax
Remarks
This method is used to retrieve the contents of an attachment from the document specified in InputFile, InputData, or InputStream and save it to the file specified by FileName. It does not modify the existence of the Attachments collection's contents.
The Index parameter is the index of the attachment in the Attachments collection to be saved.
The FileName parameter specifies the filename that the attachment will be saved to.
Example usage:
securepdf.Open();
securepdf.SaveAttachment(0, "a.dat");
securepdf.Close();
Saving to a stream:
securepdf.Attachments[0].OutputStream = myStream;
securepdf.SaveAttachment(0, ""); // empty string means use the OutputStream field if it's not null
TBD
SetWidgetProperty Method (SecurePDF Component)
Sets the value of a signature widget property.
Syntax
public void SetWidgetProperty(string property, string value); Async Version public async Task SetWidgetProperty(string property, string value); public async Task SetWidgetProperty(string property, string value, CancellationToken cancellationToken);
Public Sub SetWidgetProperty(ByVal Property As String, ByVal Value As String) Async Version Public Sub SetWidgetProperty(ByVal Property As String, ByVal Value As String) As Task Public Sub SetWidgetProperty(ByVal Property As String, ByVal Value As String, cancellationToken As CancellationToken) As Task
Remarks
This method is used to adjust the look of the signature widget when creating a signature.
The Property and Value parameters specify the widget property and value to set respectively. The former is one of the following values:
| Widget property | Default value | Description |
| AlgorithmCaption | #auto | The caption of the signature widget field with information about the signature algorithm. |
| AlgorithmInfo | #auto | Information about the algorithm to be displayed on the signature widget. Keep this property set to #auto to make the component generate the algorithm text automatically, in the form of "Algorithm/Key size", for example "RSA/1024 bits". |
| BackgroundData | "" | The data of the signature widget background bitmap. Assign the widget background data (in the form of a filename or hex-encoded JPEG or JPEG2000 bytes) to this property. |
| BackgroundImageColorSpace | "" | The background image color space. Supported values: none, RGB, CMYK, Gray. |
| BackgroundImageHeight | 0 | The height of the background image in
pixels.
It is important that this property matches the exact size of the image when a custom background is used. The width and height of the background image have no direct relation to the dimensions of the signature widget on the document page, and are only used to indicate the parameters of the image to the PDF processor. Big images will ultimately be squeezed to fit into the widget, and smaller ones stretched. |
| BackgroundImageType | JPEG2000 | The type of the image contained in BackgroundData. Supported values: JPEG2000, JPEG, custom (remove?). TBD |
| BackgroundImageWidth | 0 | The width of the background image in pixels.
It is important that this property matches the exact size of the image when a custom background is used. The width and height of the background image have no direct relation to the dimensions of the signature widget on the document page, and are only used to indicate the parameters of the image to the PDF processor. Big images will ultimately be squeezed to fit into the widget, and smaller ones stretched. |
| BackgroundPosition | "" | The position of the widget background image. The value may be the keyword value "center", which centers the image, or a pair of coordinates (e.g., "10 5.5") in which the first value defines X and the second defines Y starting from the bottom-left corner. |
| BackgroundStyle | default | The style of the signature widget background. Supported values: default, none, custom. |
| CustomTextCount | 0 | The number of custom text blocks on the signature widget. |
| CustomTextFontResourceName[Index] | "" | The font resource name to use for the custom text block. |
| CustomTextFontSizeX[Index] | 0 | The horizontal font size scale to use for the custom text. |
| CustomTextFontSizeY[Index] | 0 | The vertical font size scale to use for the custom text. |
| CustomTextX[Index] | 0 | The horizontal offset of the custom text block on the widget. |
| CustomTextY[Index] | 0 | The vertical offset of the custom text block on the widget. |
| CustomText[Index] | "" | The text to show on a custom signature
widget text block.
This indexed property provides access to the text to be placed on a specific signature widget text block. CustomText[0] specifies the text on the first block, CustomText[1] on the second block, and so on. Use the CustomTextCount property to set the number of custom text blocks. |
| DateFontSize | 0 | The font size of the date and time text on the signature widget. |
| DateFormat | "" | The format string used to display the
signing date and time in the signature widget.
Leave this property empty (default value) to use the default format. To convert UTC time to local time, set this property to "L" (default format) or use the "L:" prefix with a custom date time format string. |
| FontName | "" | The font name for the signature widget text.
Use this property to specify the Type 1 or TrueType font name for the signature widget text. The PDF format supports 14 standard Type 1 fonts: "Times-Roman", "Helvetica", "Courier", "Symbol", "Times-Bold", "Helvetica-Bold", "Courier-Bold", "ZapfDingbats", "Times-Italic", "Helvetica-Oblique", "Courier-Oblique", "Times-BoldItalic", "Helvetica-BoldOblique", "Courier-BoldOblique". For TrueType font names, the component supports full font names (e.g., "Times New Roman", "Arial Bold Italic"), its filename (e.g., "times.ttf", "arialbi.ttf"), or a full filename. If a TrueType font is used, then a font subset is embedded into the PDF document. TBD (Adobe no longer supports Type 1 fonts as of January 2023) |
| Header | #auto | The header text to put on the signature widget. Keep this property set to #auto to make the component generate the header automatically. |
| Height | 70 | The height of the signature widget in points. This property is the same as WidgetHeight. |
| HideDefaultText | false | Whether default headers for the signature widget will be generated. |
| IgnoreExistingAppearance | false | Whether to discard all existing widget parameters when signing empty signature fields. This property only makes sense for signatures created by signing existing empty signature fields with pre-defined widget descriptions. |
| Invisible | "" | Whether the signature widget is invisible on the page. We talked about people controlling this by setting the height, width, etc. to 0, but better to keep it explicit for code readability and to avoid confusion. TBD |
| OffsetX | 0 | The signature widget offset from the left-hand page border in points. This property is the same as WidgetOffsetX. |
| OffsetY | 0 | The signature widget offset from the bottom page border in points. This property is the same as WidgetOffsetY. |
| Pages | "" | The page numbers on which the signature is shown. This property is the same as WidgetPages. |
| PositionAnchor | default | The anchor to bind the position of the widget to. Supported values: default, bottomleft, bottomright, topleft, topright, center. TBD formatting |
| RenderOptions | A comma-separated list of rendering options. Supported values: unknown, norotate, noview, nozoom, print, readonly, togglenoview. TBD formatting | |
| Rotation | 0 | The rotation angle of the signature widget in degrees. Supported values: 0, 90, 180, 270. |
| SectionTextFontSize | 0 | The font size of general text on the signature widget. |
| SectionTitleFontSize | 0 | The font size of the section title on the signature widget. |
| ShowDate | true | Whether to display the signing date and time details on the widget. |
| SignerCaption | #auto | The caption for the signer section on the signature widget. Keep this property set to #auto to make the component generate the default signer caption, which is "Signer: ". |
| SignerInfo | #auto | Custom signer information to put on the signature widget. The standard signature widget allows for several short strings separated by carriage return line feed (CRLF). Keep this property set to #auto to make the component generate the signer text automatically. |
| TitleFontSize | 0 | The font size of the main title on the signature widget. |
| Width | 70 | The width of the signature widget in points. This property is the same as WidgetWidth. |
No index because setting is ONLY applicable to the signature the user is about to create. Widgets cannot be modified after the fact.
Example usage:
securepdf.SetWidgetProperty("Width", "100");
securepdf.SetWidgetProperty("Height", "100");
securepdf.Sign();
Having a Config-like method here also allows us to expand the properties in the future if needed.
TBD
Sign Method (SecurePDF Component)
Signs a PDF document.
Syntax
public void Sign(); Async Version public async Task Sign(); public async Task Sign(CancellationToken cancellationToken);
Public Sub Sign() Async Version Public Sub Sign() As Task Public Sub Sign(cancellationToken As CancellationToken) As Task
Remarks
This method is used to sign the document specified in InputFile, InputData, or InputStream. The document will be signed with SigningCert as configured in SigningSettings and saved in OutputFile, OutputData, or OutputStream.
Use KnownCerts, TrustedCerts, and ValidationSettings to adjust chain validation parameters. During signing, the chain validation log will be available via the Log event if applicable.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Achieving Each PAdES Profile
Creating a B-B from scratch:// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Profile = PDFSignatureProfiles.pfBaselineB;
// internally, SigningSettings.Type should now be set to stAdvanced
// we DON'T need to collect revocation info here
signer.Sign();
Creating a B-T from scratch:
// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Profile = PDFSignatureProfiles.pfBaselineT;
// internally, SigningSettings.Type should now be set to stAdvanced
// we DON'T need to collect revocation info here
signer.TimestampServer = "https://freetsa.org/tsr";
signer.Sign();
Creating a B-LT from scratch:
// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Profile = PDFSignatureProfiles.pfBaselineLT;
// internally, SigningSettings.Type should now be set to stAdvanced
// we DO need to collect revocation info here
signer.TimestampServer = "https://freetsa.org/tsr";
signer.Sign();
// the collection + inclusion of revocation info is what differentiates B-LT from B-T
// the user shouldn't need to call Update(), but if the embedding/validation of revocation
// info fails for some reason, the signature should still be B-T
Creating a B-LTA from scratch:
// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Profile = PDFSignatureProfiles.pfBaselineLTA;
// internally, SigningSettings.Type should now be set to stAdvanced
// we DO need to collect revocation info here
signer.TimestampServer = "https://freetsa.org/tsr";
signer.Sign();
signer.InputFile = signer.OutputFile;
signer.SigningSettings.Type = PDFSignatureTypes.stDTS;
signer.Update(0); // this will add the DTS
Creating a B-LTA from scratch (simpler alternative):
// assuming InputFile, OutputFile, SigningCert, etc. are already set
signer.SigningSettings.Profile = PDFSignatureProfiles.pfBaselineLTA;
// internally, SigningSettings.Type should now be set to stAdvanced
// we DO need to collect revocation info here
signer.TimestampServer = "https://freetsa.org/tsr";
signer.Sign();
signer.InputFile = signer.OutputFile;
signer.AddDocumentTimestamp();
Updating a B-B to B-T: Impossible. See Update for the reason.
Updating a B-B or B-T to B-LT:
// assuming InputFile, OutputFile, etc. are already set (don't need SigningCert here)
signer.TimestampServer = "https://freetsa.org/tsr";
// internally, we DO need to collect revocation info here
signer.Update(0);
Updating a B-B or B-T to B-LTA:
// assuming InputFile, OutputFile, etc. are already set (don't need SigningCert here)
signer.SigningSettings.Type = PDFSignatureTypes.stDTS;
signer.TimestampServer = "https://freetsa.org/tsr";
// internally, we DO need to collect revocation info here
signer.Update(0);
Updating a B-B or B-T to B-LTA (simpler alternative):
// assuming InputFile, OutputFile, etc. are already set (don't need SigningCert here)
signer.TimestampServer = "https://freetsa.org/tsr";
// internally, we DO need to collect revocation info here
signer.AddDocumentTimestamp();
Extending an existing B-LTA:
// assuming InputFile, OutputFile, etc. are already set (don't need SigningCert here)
signer.SigningSettings.Type = PDFSignatureTypes.stDTS;
signer.TimestampServer = "https://freetsa.org/tsr";
// internally, we DO need to collect revocation info here
signer.Update(0);
Extending an existing B-LTA (simpler alternative):
// assuming InputFile, OutputFile, etc. are already set (don't need SigningCert here)
signer.TimestampServer = "https://freetsa.org/tsr";
// internally, we DO need to collect revocation info here
signer.AddDocumentTimestamp();
TBD
Unsign Method (SecurePDF Component)
Removes a signature from a PDF document.
Syntax
Remarks
This method is used to remove/delete an existing signature specified by SigIndex from the document specified in InputFile, InputData, or InputStream. The document with the removed signature will be saved to OutputFile, OutputData, or OutputStream.
The SigIndex parameter is the index of the signature in the Signatures collection to be removed.
The UnsignKind parameter specifies the kind of unsign to perform. Possible values are:
| 0 (uskFull - default) | Remove the signature fully. |
| 1 (uskKeepField) | Remove the signature, but keep the form field it is in. |
| 2 (uskKeepAppearance) | Remove the signature, but keep the form field and its widget. |
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Example usage:
securepdf.InputFile = "signed.pdf";
securepdf.Open();
securepdf.Unsign(0, 0); // uskFull
securepdf.Close();
Note that unsigning is different from GetSignedVersion. The latter returns the revision of the document including the mentioned signature (thus removing anything after that signature was created). Unsign removes the signature completely by carving it out of the document.
Will typically be sandwiched in between Open and Close because we will need to load existing signatures in order to remove them. Plus they can grab the SigIndex from e.g. the SignatureInfo event (which Verify will fire) to pass to this method. TBD
Update Method (SecurePDF Component)
Updates a signature.
Syntax
public void Update(int sigIndex); Async Version public async Task Update(int sigIndex); public async Task Update(int sigIndex, CancellationToken cancellationToken);
Public Sub Update(ByVal SigIndex As Integer) Async Version Public Sub Update(ByVal SigIndex As Integer) As Task Public Sub Update(ByVal SigIndex As Integer, cancellationToken As CancellationToken) As Task
Remarks
This method is used to update a signature specified by SigIndex by embedding newer or missing revocation information into the signed document specified in InputFile, InputData, or InputStream. The updated document will be saved to OutputFile, OutputData, or OutputStream.
The SigIndex parameter is the index of the signature in the Signatures collection to be updated.
Updating a signature starts with its cryptographic validation. Before any new validation material is inserted, the signature's integrity must be validated. If the signature is found to be correct, the component will proceed with chain validation and the retrieval of any missing chain elements. If the signature is cryptographically wrong, the component will throw an exception.
The update approach is typically used to extend the validity of an LTV signature. For LTA signatures, updating is typically accompanied with a document timestamping operation. Set TimestampServer and SigningSettings.Type to stDTS to have the component obtain and embed a document timestamp automatically. See the pseudocode in the Sign method for when these must be set (including for adding document timestamps).
Note that further validation material and document timestamps may be added to a document over time to maintain its authenticity and integrity.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
We don't have a simple Timestamp method because adding a signature timestamp to an existing signature (i.e. "updating" B-B to B-T), though possible, is technically not permitted in PDF. The design flaw is that you can't extend a signature once you've added it because the space for the signature + timestamp must be pre-allocated.
Will typically be sandwiched in between Open and Close because we will need to load existing signatures in order to update them. Plus they can grab the SigIndex from e.g. the SignatureInfo event (which Verify will fire) to pass to this method. TBD
Verify Method (SecurePDF Component)
Verifies a signed PDF document.
Syntax
public void Verify(); Async Version public async Task Verify(); public async Task Verify(CancellationToken cancellationToken);
Public Sub Verify() Async Version Public Sub Verify() As Task Public Sub Verify(cancellationToken As CancellationToken) As Task
Remarks
This method is used to validate all signatures in the document specified in InputFile, InputData, or InputStream.
This method walks through the signed document and reports every signature via the SignatureInfo event. Subscribe to the event to be notified about the signatures and adjust validation settings on the fly.
Upon completion of this method, the signature details will be published in the Signatures property.
This method only validates the signatures and does not check their coverage. It is a good idea to use mechanisms such as GetSignedVersion or CoverageEndsAt to ensure that the signature covers the expected document revision.
Note: If the document is not already opened, this method will Open it, perform the operation, then Close it.
Example usage:
securepdf.InputFile = "signed.pdf";
securepdf.Verify();
PDFSignature signature = securepdf.Signatures[0];
if (signature.SignatureValidationResult == svrValid)
Console.WriteLine("Signature is good");
if (signature.ChainValidationResult == cvrValid)
Console.WriteLine("Chain is good");
In the case of document timestamps, signatures should be verified in a backwards order:
- Verify/check the validation result of the document timestamp.
- If the result is valid, use the document timestamp's ValidatedSigningTime as the ValidationMoment for the next "normal" signature.
We initially had a SigIndex parameter here so the user could validate each signature individually, but we removed it to match SBB and Adobe. To verify individual signatures, the user can subscribe to the SignatureInfo event and set the ValidateSignature and ValidateChain parameters. The results are reported via the SignatureProcessed event's SignatureValidationResult and ChainValidationResult parameters.
This provides enough flexibility to control the validation process, as chain validation can be a very time-consuming process, and just going ahead with the validation for every signature in the document may result in dramatic slowdowns. Two example use cases for individual control over validation:
- Letting the user stop further validation if one of the signatures is found to be invalid
- Providing an option for avoiding or tuning up chain validation for certain signing certificates (for example adjusting ValidationSettings on a per-signature basis within SignatureInfo)
ChainCertInfo Event (SecurePDF Component)
Fired when the component encounters a chain certificate.
Syntax
public event OnChainCertInfoHandler OnChainCertInfo; public delegate void OnChainCertInfoHandler(object sender, SecurePDFChainCertInfoEventArgs e); public class SecurePDFChainCertInfoEventArgs : EventArgs { public string CertEncoded { get; }
public byte[] CertEncodedB { get; } public string CertSubject { get; } public string CertIssuer { get; } public string ValidationMoment { get; } public int ValidationResult { get; } public int ValidationDetails { get; } }
Public Event OnChainCertInfo As OnChainCertInfoHandler Public Delegate Sub OnChainCertInfoHandler(sender As Object, e As SecurePDFChainCertInfoEventArgs) Public Class SecurePDFChainCertInfoEventArgs Inherits EventArgs Public ReadOnly Property CertEncoded As String
Public ReadOnly Property CertEncodedB As Byte() Public ReadOnly Property CertSubject As String Public ReadOnly Property CertIssuer As String Public ReadOnly Property ValidationMoment As String Public ReadOnly Property ValidationResult As Integer Public ReadOnly Property ValidationDetails As Integer End Class
Remarks
This event is fired once for each certificate encountered during chain validation to report that it is about to be processed. Could be from the main signing chain, a TSA chain, a CRL/OCSP chain, etc. The component will try to retrieve all required chain certificates automatically to prevent user involvement as much as possible.
The CertEncoded parameter specifies the PEM (Base64-encoded) public certificate.
The CertSubject and CertIssuer parameters specify the distinguished names of the certificate owner and issuer respectively.
The ValidationMoment parameter specifies the time point at which the certificate validity was established. The time is provided in UTC.
The ValidationResult parameter reports the outcome of the individual certificate validation and can be one of the following values:
| 0 (cvrUnknown - default) | Certificate validity is unknown. |
| 1 (cvrValid) | The certificate is valid. |
| 2 (cvrValidButUntrusted) | The certificate is valid but not trusted. |
| 3 (cvrInvalid) | The certificate is not valid (it is revoked, expired, or contains an invalid signature). |
| 4 (cvrCantBeEstablished) | The validity of the certificate cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses). |
| 0x001 (cvdBadData) | The certificate is malformed. |
| 0x002 (cvdRevoked) | The certificate is revoked. |
| 0x004 (cvdExpiredOrNotYetValid) | The certificate is expired or not yet valid. |
| 0x008 (cvdInvalidSignature) | The certificate contains a non-valid digital signature. |
| 0x010 (cvdUnknownCA) | A CA certificate for the certificate has not been found (chain incomplete). |
| 0x020 (cvdPolicyViolated) | One of the CA certificates is not authorized to act as a CA, a mandatory key usage is not enabled, or a weak algorithm is used in the certificate. |
| 0x040 (cvdRevocationCheckFailed) | One or more CRLs or OCSP responses could not be verified. |
| 0x080 (cvdBlocked) | The certificate is blocked. |
| 0x100 (cvdGeneralFailure) | General validation failure. |
| 0x200 (cvdChainLoop) | One of the CA certificates recursively signs itself. |
Can potentially be useful for displaying the full chain for a particular signature as an asynchronous alternative to reading them from KnownCerts or DocumentCerts after validation. TBD
DocumentInfo Event (SecurePDF Component)
Fired when the document has been processed.
Syntax
public event OnDocumentInfoHandler OnDocumentInfo; public delegate void OnDocumentInfoHandler(object sender, SecurePDFDocumentInfoEventArgs e); public class SecurePDFDocumentInfoEventArgs : EventArgs { public int PageCount { get; } public int SigCount { get; } public int FieldCount { get; } }
Public Event OnDocumentInfo As OnDocumentInfoHandler Public Delegate Sub OnDocumentInfoHandler(sender As Object, e As SecurePDFDocumentInfoEventArgs) Public Class SecurePDFDocumentInfoEventArgs Inherits EventArgs Public ReadOnly Property PageCount As Integer Public ReadOnly Property SigCount As Integer Public ReadOnly Property FieldCount As Integer End Class
Remarks
This event is fired once per document processing routine to report the completion of the document processing.
The handler for this event is a good place to check the document structure and access document-related information such as page number and document file details. These may be useful when preparing the signature. For example, the GetPageProperty method can be used to find the optimal position for the signature widget.
The PageCount parameter reports the number of pages in the document.
The SigCount parameter reports the number of signatures in the document.
The FieldCount parameter reports the number of empty signature fields in the document.
(Signatures.Count = SigCount + FieldCount)
This event is fired when the Open method is called, but only after EncryptionInfo is fired (if applicable) and the document has been decrypted.
This event will populate the Attachments, DocumentCerts, and Signatures collections with any corresponding objects found in the document. TBD
EncryptionInfo Event (SecurePDF Component)
Fired when the component detects that the PDF document is encrypted.
Syntax
public event OnEncryptionInfoHandler OnEncryptionInfo; public delegate void OnEncryptionInfoHandler(object sender, SecurePDFEncryptionInfoEventArgs e); public class SecurePDFEncryptionInfoEventArgs : EventArgs { public bool CertUsed { get; } public string Issuer { get; } public string SerialNumber { get; } }
Public Event OnEncryptionInfo As OnEncryptionInfoHandler Public Delegate Sub OnEncryptionInfoHandler(sender As Object, e As SecurePDFEncryptionInfoEventArgs) Public Class SecurePDFEncryptionInfoEventArgs Inherits EventArgs Public ReadOnly Property CertUsed As Boolean Public ReadOnly Property Issuer As String Public ReadOnly Property SerialNumber As String End Class
Remarks
This event is fired during document processing to report that the document is encrypted and to pass certificate parameters. When Open or Decrypt is called, this event is fired once for each encryption mechanism used in the document, providing the opportunity to supply the correct decryption material via the DecryptionCert or Password property (depending on the encryption method used). Most of the time it will fire just once overall because encryption for multiple recipients is uncommon.
The CertUsed parameter indicates whether the document was encrypted with a certificate. If set to false, the document uses password encryption, so provide the password via the Password property.
The Issuer parameter specifies the subject of the issuer certificate (if CertUsed is set to true).
The SerialNumber parameter specifies the serial number of the encryption certificate (if CertUsed is set to true).
Note that the document may be encrypted with more than one certificate (or have "more than one recipient"), in which case each certificate will cause its own invocation of this event. We will not support encryption for multiple recipients though.
We will decrypt on-the-fly (once the user supplies the necessary decryption material by setting the Password or DecryptionCert properties within this event) but keep the decrypted document in memory unless the user calls Decrypt.
Even if the user does not subscribe to this event, they will still be able to process pseudo-encrypted documents as those will be decrypted for them automatically without their knowledge.
Will fire before DocumentInfo can fire because we can't process the document if it's still encrypted.
We originally had a Skip parameter here that would have skipped the current encryption mechanism. We determined it wasn't required because we don't fire this event repeatedly for a single encryption mechanism (only once), so skipping wouldn't do anything. TBD
Error Event (SecurePDF Component)
Fired when information is available about errors during data delivery.
Syntax
public event OnErrorHandler OnError; public delegate void OnErrorHandler(object sender, SecurePDFErrorEventArgs e); public class SecurePDFErrorEventArgs : EventArgs { public int ErrorCode { get; } public string Description { get; } }
Public Event OnError As OnErrorHandler Public Delegate Sub OnErrorHandler(sender As Object, e As SecurePDFErrorEventArgs) Public Class SecurePDFErrorEventArgs Inherits EventArgs Public ReadOnly Property ErrorCode As Integer Public ReadOnly Property Description As String End Class
Remarks
The Error event is fired in case of exceptional conditions during message processing. Normally the component throws an exception.
The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.
Log Event (SecurePDF Component)
Fired when log information is available during processing.
Syntax
public event OnLogHandler OnLog; public delegate void OnLogHandler(object sender, SecurePDFLogEventArgs e); public class SecurePDFLogEventArgs : EventArgs { public int LogLevel { get; } public string Message { get; } public string LogType { get; } }
Public Event OnLog As OnLogHandler Public Delegate Sub OnLogHandler(sender As Object, e As SecurePDFLogEventArgs) Public Class SecurePDFLogEventArgs Inherits EventArgs Public ReadOnly Property LogLevel As Integer Public ReadOnly Property Message As String Public ReadOnly Property LogType As String End Class
Remarks
This event will need to be extremely detailed (LogLevel=3), especially for chain validation. SBB's ValidationLog uses a tree-like view with indentations which helps make it more readable. We want ours to be super readable too. TBD
SignatureInfo Event (SecurePDF Component)
Fired when the component finds a signature in the document.
Syntax
public event OnSignatureInfoHandler OnSignatureInfo; public delegate void OnSignatureInfoHandler(object sender, SecurePDFSignatureInfoEventArgs e); public class SecurePDFSignatureInfoEventArgs : EventArgs { public int SigIndex { get; } public bool ValidateSignature { get; set; } public bool ValidateChain { get; set; } }
Public Event OnSignatureInfo As OnSignatureInfoHandler Public Delegate Sub OnSignatureInfoHandler(sender As Object, e As SecurePDFSignatureInfoEventArgs) Public Class SecurePDFSignatureInfoEventArgs Inherits EventArgs Public ReadOnly Property SigIndex As Integer Public Property ValidateSignature As Boolean Public Property ValidateChain As Boolean End Class
Remarks
This event is fired once for each signature found in the document to report that the signature specified by SigIndex is about to be validated. Will fire for normal signatures as well as document timestamps.
The SigIndex parameter is the index of the signature in the Signatures collection. Can be used for example to read some of the indexed signature configs like FullSignatureName.
Signature validation consists of two independent stages: cryptographic signature validation and chain validation. The ValidateSignature and ValidateChain parameters determine whether each stage should be included in the validation. They can be overridden to modify the validation policy on a per-signature basis, allowing the user to verify signatures individually instead of all at once (what Verify does). To skip validation entirely, set both parameters to false.
We considered removing this event altogether since the user can iterate over all the signatures in the Signatures collection after the Open call succeeds anyway, but that was before ValidateSignature and ValidateChain were topics of discussion. TBD
SignatureProcessed Event (SecurePDF Component)
Fired after a signature has been processed.
Syntax
public event OnSignatureProcessedHandler OnSignatureProcessed; public delegate void OnSignatureProcessedHandler(object sender, SecurePDFSignatureProcessedEventArgs e); public class SecurePDFSignatureProcessedEventArgs : EventArgs { public int SigIndex { get; } public int SignatureValidationResult { get; } public int ChainValidationResult { get; } public int ChainValidationDetails { get; } }
Public Event OnSignatureProcessed As OnSignatureProcessedHandler Public Delegate Sub OnSignatureProcessedHandler(sender As Object, e As SecurePDFSignatureProcessedEventArgs) Public Class SecurePDFSignatureProcessedEventArgs Inherits EventArgs Public ReadOnly Property SigIndex As Integer Public ReadOnly Property SignatureValidationResult As Integer Public ReadOnly Property ChainValidationResult As Integer Public ReadOnly Property ChainValidationDetails As Integer End Class
Remarks
This event is fired once for each signature found in the document to report that the signature specified by SigIndex has completed validation. Will fire if Verify is called (verifying all signatures at once) OR if one or both of the ValidateSignature and ValidateChain parameters in SignatureInfo are true (verifying signatures individually). Will fire for normal signatures as well as document timestamps.
The SigIndex parameter is the index of the signature in the Signatures collection.
Signature validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each in the SignatureValidationResult and ChainValidationResult parameters.
The former reports the validity of the signature and can be one of the following values:
| 0 (svrUnknown - default) | Signature validity is unknown. |
| 1 (svrValid) | The signature is valid. |
| 2 (svrCorrupted) | The signature is corrupted. |
| 3 (svrSignerNotFound) | Failed to acquire the signing certificate. The signature cannot be validated. |
| 4 (svrFailure) | General failure. |
| 0 (cvrUnknown - default) | Chain validity is unknown. |
| 1 (cvrValid) | The chain is valid. |
| 2 (cvrValidButUntrusted) | The chain is valid, but the root certificate is not trusted. |
| 3 (cvrInvalid) | The chain is not valid (some of the certificates are revoked, expired, or contain an invalid signature). |
| 4 (cvrCantBeEstablished) | The validity of the chain cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses). |
| 0x001 (cvdBadData) | One or more certificates in the validation path are malformed. |
| 0x002 (cvdRevoked) | One or more certificates are revoked. |
| 0x004 (cvdExpiredOrNotYetValid) | One or more certificates are expired or not yet valid. |
| 0x008 (cvdInvalidSignature) | A certificate contains a non-valid digital signature. |
| 0x010 (cvdUnknownCA) | A CA certificate for one or more certificates has not been found (chain incomplete). |
| 0x020 (cvdPolicyViolated) | One of the CA certificates is not authorized to act as a CA, a mandatory key usage is not enabled in one of the chain certificates, or a weak algorithm is used in the one of the certificates or revocation elements. |
| 0x040 (cvdRevocationCheckFailed) | One or more CRLs or OCSP responses could not be verified. |
| 0x080 (cvdBlocked) | One or more certificates are blocked. |
| 0x100 (cvdGeneralFailure) | General validation failure. |
| 0x200 (cvdChainLoop) | One of the CA certificates recursively signs itself. |
SignatureValidationResult, ChainValidationResult, and ChainValidationDetails can also be read from the PDFSignature type after chain validation completes. TBD
SSLServerAuthentication Event (SecurePDF Component)
Fired after the server presents its certificate to the client.
Syntax
public event OnSSLServerAuthenticationHandler OnSSLServerAuthentication; public delegate void OnSSLServerAuthenticationHandler(object sender, SecurePDFSSLServerAuthenticationEventArgs e); public class SecurePDFSSLServerAuthenticationEventArgs : EventArgs { public string CertEncoded { get; }
public byte[] CertEncodedB { get; } public string CertSubject { get; } public string CertIssuer { get; } public string Status { get; } public bool Accept { get; set; } }
Public Event OnSSLServerAuthentication As OnSSLServerAuthenticationHandler Public Delegate Sub OnSSLServerAuthenticationHandler(sender As Object, e As SecurePDFSSLServerAuthenticationEventArgs) Public Class SecurePDFSSLServerAuthenticationEventArgs Inherits EventArgs Public ReadOnly Property CertEncoded As String
Public ReadOnly Property CertEncodedB As Byte() Public ReadOnly Property CertSubject As String Public ReadOnly Property CertIssuer As String Public ReadOnly Property Status As String Public Property Accept As Boolean End Class
Remarks
During this event, the client can decide whether or not to continue with the connection process. The Accept parameter is a recommendation on whether to continue or close the connection. This is just a suggestion: application software must use its own logic to determine whether or not to continue.
When Accept is False, Status shows why the verification failed (otherwise, Status contains the string OK). If it is decided to continue, you can override and accept the certificate by setting the Accept parameter to True.
SSLStatus Event (SecurePDF Component)
Fired when secure connection progress messages are available.
Syntax
public event OnSSLStatusHandler OnSSLStatus; public delegate void OnSSLStatusHandler(object sender, SecurePDFSSLStatusEventArgs e); public class SecurePDFSSLStatusEventArgs : EventArgs { public string Message { get; } }
Public Event OnSSLStatus As OnSSLStatusHandler Public Delegate Sub OnSSLStatusHandler(sender As Object, e As SecurePDFSSLStatusEventArgs) Public Class SecurePDFSSLStatusEventArgs Inherits EventArgs Public ReadOnly Property Message As String End Class
Remarks
The event is fired for informational and logging purposes only. This event tracks the progress of the connection.
Certificate Type
This is the digital certificate being used.
Remarks
This type describes the current digital certificate. The certificate may be a public or private key. The fields are used to identify or select certificates.
Fields
EffectiveDate
string (read-only)
Default: ""
This is the date on which this certificate becomes valid. Before this date, it is not valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:
23-Jan-2000 15:00:00.
ExpirationDate
string (read-only)
Default: ""
This is the date the certificate expires. After this date, the certificate will no longer be valid. The date is localized to the system's time zone. The following example illustrates the format of an encoded date:
23-Jan-2001 15:00:00.
ExtendedKeyUsage
string (read-only)
Default: ""
This is a comma-delimited list of extended key usage identifiers. These are the same as ASN.1 object identifiers (OIDs).
Fingerprint
string (read-only)
Default: ""
This is the hex-encoded, 16-byte MD5 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.
The following example illustrates the format: bc:2a:72:af:fe:58:17:43:7a:5f:ba:5a:7c:90:f7:02
FingerprintSHA1
string (read-only)
Default: ""
This is the hex-encoded, 20-byte SHA-1 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.
The following example illustrates the format: 30:7b:fa:38:65:83:ff:da:b4:4e:07:3f:17:b8:a4:ed:80:be:ff:84
FingerprintSHA256
string (read-only)
Default: ""
This is the hex-encoded, 32-byte SHA-256 fingerprint of the certificate. This property is primarily used for keys which do not have a corresponding X.509 public certificate, such as PEM keys that only contain a private key. It is commonly used for SSH keys.
The following example illustrates the format: 6a:80:5c:33:a9:43:ea:b0:96:12:8a:64:96:30:ef:4a:8a:96:86:ce:f4:c7:be:10:24:8e:2b:60:9e:f3:59:53
Issuer
string (read-only)
Default: ""
This is the issuer of the certificate. This field contains a string representation of the name of the issuing authority for the certificate.
PrivateKey
string (read-only)
Default: ""
This is the private key of the certificate (if available). The key is provided as PEM/Base64-encoded data.
Note: The PrivateKey may be available but not exportable. In this case, PrivateKey returns an empty string.
PrivateKeyAvailable
bool (read-only)
Default: False
This field shows whether a PrivateKey is available for the selected certificate. If PrivateKeyAvailable is True, the certificate may be used for authentication purposes (e.g., server authentication).
PrivateKeyContainer
string (read-only)
Default: ""
This is the name of the PrivateKey container for the certificate (if available). This functionality is available only on Windows platforms.
PublicKey
string (read-only)
Default: ""
This is the public key of the certificate. The key is provided as PEM/Base64-encoded data.
PublicKeyAlgorithm
string (read-only)
Default: ""
This field contains the textual description of the certificate's public key algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_DH") or an object identifier (OID) string representing the algorithm.
PublicKeyLength
int (read-only)
Default: 0
This is the length of the certificate's public key (in bits). Common values are 512, 1024, and 2048.
SerialNumber
string (read-only)
Default: ""
This is the serial number of the certificate encoded as a string. The number is encoded as a series of hexadecimal digits, with each pair representing a byte of the serial number.
SignatureAlgorithm
string (read-only)
Default: ""
The field contains the text description of the certificate's signature algorithm. The property contains either the name of the algorithm (e.g., "RSA" or "RSA_MD5RSA") or an object identifier (OID) string representing the algorithm.
Store
string
Default: "MY"
This is the name of the certificate store for the client certificate.
The StoreType field denotes the type of the certificate store specified by Store. If the store is password protected, specify the password in StorePassword.
Store is used in conjunction with the Subject field to specify client certificates. If Store has a value, and Subject or Encoded is set, a search for a certificate is initiated. Please see the Subject field for details.
Designations of certificate stores are platform dependent.
The following designations are the most common User and Machine certificate stores in Windows:
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).
StoreB
byte []
Default: "MY"
This is the name of the certificate store for the client certificate.
The StoreType field denotes the type of the certificate store specified by Store. If the store is password protected, specify the password in StorePassword.
Store is used in conjunction with the Subject field to specify client certificates. If Store has a value, and Subject or Encoded is set, a search for a certificate is initiated. Please see the Subject field for details.
Designations of certificate stores are platform dependent.
The following designations are the most common User and Machine certificate stores in Windows:
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e., PKCS#12 certificate store).
StorePassword
string
Default: ""
If the type of certificate store requires a password, this property is used to specify the password needed to open the certificate store.
StoreType
CertStoreTypes
Default: 0
This is the type of certificate store for this certificate.
The component supports both public and private keys in a variety of formats. When the cstAuto value is used, the component will automatically determine the type. This field can take one of the following values:
| 0 (cstUser - default) | For Windows, this specifies that the certificate store is a certificate store owned by the current user.
Note: This store type is not available in Java. |
| 1 (cstMachine) | For Windows, this specifies that the certificate store is a machine store.
Note: This store type is not available in Java. |
| 2 (cstPFXFile) | The certificate store is the name of a PFX (PKCS#12) file containing certificates. |
| 3 (cstPFXBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format. |
| 4 (cstJKSFile) | The certificate store is the name of a Java Key Store (JKS) file containing certificates.
Note: This store type is only available in Java. |
| 5 (cstJKSBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.
Note: this store type is only available in Java. |
| 6 (cstPEMKeyFile) | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
| 7 (cstPEMKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate. |
| 8 (cstPublicKeyFile) | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
| 9 (cstPublicKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate. |
| 10 (cstSSHPublicKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key. |
| 11 (cstP7BFile) | The certificate store is the name of a PKCS#7 file containing certificates. |
| 12 (cstP7BBlob) | The certificate store is a string (binary) representing a certificate store in PKCS#7 format. |
| 13 (cstSSHPublicKeyFile) | The certificate store is the name of a file that contains an SSH-style public key. |
| 14 (cstPPKFile) | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
| 15 (cstPPKBlob) | The certificate store is a string (binary) that contains a PPK (PuTTY Private Key). |
| 16 (cstXMLFile) | The certificate store is the name of a file that contains a certificate in XML format. |
| 17 (cstXMLBlob) | The certificate store is a string that contains a certificate in XML format. |
| 18 (cstJWKFile) | The certificate store is the name of a file that contains a JWK (JSON Web Key). |
| 19 (cstJWKBlob) | The certificate store is a string that contains a JWK (JSON Web Key). |
| 21 (cstBCFKSFile) | The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).
Note: This store type is only available in Java and .NET. |
| 22 (cstBCFKSBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.
Note: This store type is only available in Java and .NET. |
| 23 (cstPKCS11) | The certificate is present on a physical security key accessible via a PKCS#11 interface.
To use a security key, the necessary data must first be collected using the CertMgr component. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use. When using a certificate, pass the previously saved security key information as the Store and set StorePassword to the PIN. Code Example. SSH Authentication with Security Key:
|
| 99 (cstAuto) | The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically. |
SubjectAltNames
string (read-only)
Default: ""
This field contains comma-separated lists of alternative subject names for the certificate.
ThumbprintMD5
string (read-only)
Default: ""
This field contains the MD5 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.
ThumbprintSHA1
string (read-only)
Default: ""
This field contains the SHA-1 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.
ThumbprintSHA256
string (read-only)
Default: ""
This field contains the SHA-256 hash of the certificate. It is primarily used for X.509 certificates. If the hash does not already exist, it is automatically computed.
Usage
string (read-only)
Default: ""
This field contains the text description of UsageFlags.
This value will be of one or more of the following strings and will be separated by commas:
- Digital Signature
- Non-Repudiation
- Key Encipherment
- Data Encipherment
- Key Agreement
- Certificate Signing
- CRL Signing
- Encipher Only
If the provider is OpenSSL, the value is a comma-separated list of X.509 certificate extension names.
UsageFlags
int (read-only)
Default: 0
This field contains the flags that show intended use for the certificate. The value of UsageFlags is a combination of the following flags:
| 0x80 | Digital Signature |
| 0x40 | Non-Repudiation |
| 0x20 | Key Encipherment |
| 0x10 | Data Encipherment |
| 0x08 | Key Agreement |
| 0x04 | Certificate Signing |
| 0x02 | CRL Signing |
| 0x01 | Encipher Only |
Please see the Usage field for a text representation of UsageFlags.
This functionality currently is not available when the provider is OpenSSL.
Version
string (read-only)
Default: ""
This field contains the certificate's version number. The possible values are the strings "V1", "V2", and "V3".
Subject
string
Default: ""
This is the subject of the certificate used for client authentication.
This field will be populated with the full subject of the loaded certificate. When loading a certificate, the subject is used to locate the certificate in the store.
If an exact match is not found, the store is searched for subjects containing the value of the property.
If a match is still not found, the property is set to an empty string, and no certificate is selected.
The special value "*" picks a random certificate in the certificate store.
The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:
| Field | Meaning |
| CN | Common Name. This is commonly a hostname like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma, it must be quoted.
Encoded
string
Default: ""
This is the certificate (PEM/Base64 encoded). This field is used to assign a specific certificate. The Store and Subject fields also may be used to specify a certificate.
When Encoded is set, a search is initiated in the current Store for the private key of the certificate. If the key is found, Subject is updated to reflect the full subject of the selected certificate; otherwise, Subject is set to an empty string.
EncodedB
byte []
Default: ""
This is the certificate (PEM/Base64 encoded). This field is used to assign a specific certificate. The Store and Subject fields also may be used to specify a certificate.
When Encoded is set, a search is initiated in the current Store for the private key of the certificate. If the key is found, Subject is updated to reflect the full subject of the selected certificate; otherwise, Subject is set to an empty string.
Constructors
public Certificate();
Public Certificate()
Creates a Certificate instance whose properties can be set. This is useful for use with CERTMGR when generating new certificates.
public Certificate(string certificateFile);
Public Certificate(ByVal CertificateFile As String)
Opens CertificateFile and reads out the contents as an X.509 public key.
public Certificate(byte[] encoded);
Public Certificate(ByVal Encoded As Byte())
Parses Encoded as an X.509 public key.
public Certificate(CertStoreTypes storeType, string store, string storePassword, string subject);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As String, ByVal StorePassword As String, ByVal Subject As String)
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X.509 certificate's subject Distinguished Name (DN). The Subject parameter can also take an MD5, SHA-1, or SHA-256 thumbprint of the certificate to load in a "Thumbprint=value" format.
public Certificate(CertStoreTypes storeType, string store, string storePassword, string subject, string configurationString);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As String, ByVal StorePassword As String, ByVal Subject As String, ByVal ConfigurationString As String)
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. ConfigurationString is a newline separated list of name-value pairs that may be used to modify the default behavior. Possible values include "PersistPFXKey", which shows whether or not the PFX key is persisted after performing operations with the private key. This correlates to the PKCS12_NO_PERSIST_KEY CryptoAPI option. The default value is True (the key is persisted). "Thumbprint" - an MD5, SHA-1, or SHA-256 thumbprint of the certificate to load. When specified, this value is used to select the certificate in the store. This is applicable to cstUser, cstMachine, cstPublicKeyFile, and cstPFXFile store types. "UseInternalSecurityAPI" shows whether the platform (default) or the internal security API is used when performing certificate-related operations. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X.509 certificate's subject Distinguished Name (DN). The Subject parameter can also take an MD5, SHA-1, or SHA-256 thumbprint of the certificate to load in a "Thumbprint=value" format.
public Certificate(CertStoreTypes storeType, string store, string storePassword, byte[] encoded);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As String, ByVal StorePassword As String, ByVal Encoded As Byte())
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a file containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will load Encoded as an X.509 certificate and search the opened store for a corresponding private key.
public Certificate(CertStoreTypes storeType, byte[] store, string storePassword, string subject);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As Byte(), ByVal StorePassword As String, ByVal Subject As String)
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a string (binary- or Base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X.509 certificate's subject Distinguished Name (DN). The Subject parameter can also take an MD5, SHA-1, or SHA-256 thumbprint of the certificate to load in a "Thumbprint=value" format.
public Certificate(CertStoreTypes storeType, byte[] store, string storePassword, string subject, string configurationString);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As Byte(), ByVal StorePassword As String, ByVal Subject As String, ByVal ConfigurationString As String)
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a string (binary- or Base64-encoded) containing the certificate data. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will attempt to find the certificate identified by Subject . This can be either a complete or a substring match of the X.509 certificate's subject Distinguished Name (DN). The Subject parameter can also take an MD5, SHA-1, or SHA-256 thumbprint of the certificate to load in a "Thumbprint=value" format.
public Certificate(CertStoreTypes storeType, byte[] store, string storePassword, byte[] encoded);
Public Certificate(ByVal StoreType As CertStoreTypes, ByVal Store As Byte(), ByVal StorePassword As String, ByVal Encoded As Byte())
CertStoreType identifies the type of certificate store to use. See StoreType for descriptions of the different certificate stores. Store is a string (binary- or Base64-encoded) containing the certificate store. StorePassword is the password used to protect the store. After the store has been successfully opened, the component will load Encoded as an X.509 certificate and search the opened store for a corresponding private key.
Firewall Type
The firewall the component will connect through.
Remarks
When connecting through a firewall, this type is used to specify different properties of the firewall, such as the firewall Host and the FirewallType.
Fields
AutoDetect
bool
Default: False
This field tells the component whether or not to automatically detect and use firewall system settings, if available.
FirewallType
FirewallTypes
Default: 0
This field determines the type of firewall to connect through. The applicable values are as follows:
| fwNone (0) | No firewall (default setting). |
| fwTunnel (1) | Connect through a tunneling proxy. Port is set to 80. |
| fwSOCKS4 (2) | Connect through a SOCKS4 Proxy. Port is set to 1080. |
| fwSOCKS5 (3) | Connect through a SOCKS5 Proxy. Port is set to 1080. |
| fwSOCKS4A (10) | Connect through a SOCKS4A Proxy. Port is set to 1080. |
Host
string
Default: ""
This field contains the name or IP address of the firewall (optional). If a Host is given, the requested connections will be authenticated through the specified firewall when connecting.
If this field is set to a Domain Name, a DNS request is initiated. Upon successful termination of the request, this field is set to the corresponding address. If the search is not successful, the component throws an exception.
Password
string
Default: ""
This field contains a password if authentication is to be used when connecting through the firewall. If Host is specified, the User and Password fields are used to connect and authenticate to the given firewall. If the authentication fails, the component throws an exception.
Port
int
Default: 0
This field contains the Transmission Control Protocol (TCP) port for the firewall Host. See the description of the Host field for details.
Note: This field is set automatically when FirewallType is set to a valid value. See the description of the FirewallType field for details.
User
string
Default: ""
This field contains a username if authentication is to be used when connecting through a firewall. If Host is specified, this field and the Password field are used to connect and authenticate to the given Firewall. If the authentication fails, the component throws an exception.
Constructors
PDFAttachment Type
This describes the file being attached to the PDF document.
Remarks
This type contains information about the file that is being attached to the document.
Fields
ContentType
string
Default: ""
The content type of the attachment.
CreationDate
string
Default: ""
The creation date of the attachment.
Data
string
Default: ""
The raw data of the attachment.
If OutputStream is not set to a valid stream, the component will write to this field when an empty string is passed to the SaveAttachment method.
DataB
byte []
Default: ""
The raw data of the attachment.
If OutputStream is not set to a valid stream, the component will write to this field when an empty string is passed to the SaveAttachment method.
Description
string
Default: ""
A textual description of the attachment.
FileName
string
Default: ""
The path and filename of the attachment.
InputStream
System.IO.Stream
Default: ""
A stream containing the attachment.
If this field is set to a valid stream, the component will attach the data from the stream as the current attachment.
ModificationDate
string
Default: ""
The date and time of the file's last modification.
Name
string
Default: ""
The name of the attachment.
OutputStream
System.IO.Stream
Default: ""
The stream to write the attachment to.
If this field is set to a valid stream, the component will write to this field when an empty string is passed to the SaveAttachment method.
Size
long (read-only)
Default: 0
The attachment's size in bytes.
Constructors
public PDFAttachment();
Public PDFAttachment()
public PDFAttachment(string fileName);
Public PDFAttachment(ByVal FileName As String)
public PDFAttachment(string fileName, string description);
Public PDFAttachment(ByVal FileName As String, ByVal Description As String)
public PDFAttachment(byte[] data, string name, string description);
Public PDFAttachment(ByVal Data As Byte(), ByVal Name As String, ByVal Description As String)
public PDFAttachment(System.IO.Stream inputStream, string name, string description);
Public PDFAttachment(ByVal InputStream As System.IO.Stream, ByVal Name As String, ByVal Description As String)
PDFSignature Type
A container for PDF signature details.
Remarks
This type contains details about the signature. Use it to read information about the signature when processing it.
Fields
AuthorName
string (read-only)
Default: ""
The human-readable name of the signer. This is a PDF document property.
ChainValidationDetails
int (read-only)
Default: 0
The details of the signing certificate chain validation outcome. They may often suggest the reasons that contributed to the overall validation result in ChainValidationResult.
The value of this field is a bitmask of the following flags:
| 0x001 (cvdBadData) | One or more certificates in the validation path are malformed. |
| 0x002 (cvdRevoked) | One or more certificates are revoked. |
| 0x004 (cvdExpiredOrNotYetValid) | One or more certificates are expired or not yet valid. |
| 0x008 (cvdInvalidSignature) | A certificate contains a non-valid digital signature. |
| 0x010 (cvdUnknownCA) | A CA certificate for one or more certificates has not been found (chain incomplete). |
| 0x020 (cvdPolicyViolated) | One of the CA certificates is not authorized to act as a CA, a mandatory key usage is not enabled in one of the chain certificates, or a weak algorithm is used in the one of the certificates or revocation elements. |
| 0x040 (cvdRevocationCheckFailed) | One or more CRLs or OCSP responses could not be verified. |
| 0x080 (cvdBlocked) | One or more certificates are blocked. |
| 0x100 (cvdGeneralFailure) | General validation failure. |
| 0x200 (cvdChainLoop) | One of the CA certificates recursively signs itself. |
ChainValidationResult
ChainValidationResults (read-only)
Default: 0
The outcome of the certificate chain validation routine.
Possible values are:
| 0 (cvrUnknown - default) | Chain validity is unknown. |
| 1 (cvrValid) | The chain is valid. |
| 2 (cvrValidButUntrusted) | The chain is valid, but the root certificate is not trusted. |
| 3 (cvrInvalid) | The chain is not valid (some of the certificates are revoked, expired, or contain an invalid signature). |
| 4 (cvrCantBeEstablished) | The validity of the chain cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses). |
ClaimedSigningTime
string (read-only)
Default: ""
The signature's creation time.
Use this field to get the signature creation time from the signer's computer. Note that the claimed time, unlike ValidatedSigningTime, does not originate from a trusted TSA and may be forfeited or wrong.
The time is provided in UTC.
CoverageEndsAt
int (read-only)
Default: 0
The offset in the PDF file where the signature coverage ends.
PDF generators often use incremental updates to make changes in documents. This may result in the signature only covering a part of the document (one of the past revisions), but not the subsequent changes.
Use this field to identify the offset where the signature coverage ends. One option is to compare it to the length of the whole document to ensure that the signature covers the entire document. Alternatively, use the GetSignedVersion method to extract the exact revision that was signed.
This field is preferred to GetSignedVersion because it's more efficient and easier to use. The main advantage is that the user only needs to compare the length of the PDF document to this setting to ensure that the signature covers the entire document (rather than creating a copy with GetSignedVersion only to immediately discard it). We have both for flexibility. TBD
HashAlgorithm
string (read-only)
Default: "SHA256"
The hash algorithm that was used for signing.
Possible values are:
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- MD5
Profile
PDFSignatureProfiles (read-only)
Default: 0
The pre-defined PAdES profile that was applied when creating the signature, as defined by ETSI.
Advanced signatures come in many variants, and they are often defined by parties that need to process them or by local standards. Profiles are sets of pre-defined configurations that correspond to particular signature variants.
Possible values are:
| 0 (pfNone - default) | No profile |
| 1 (pfBaselineB) | PAdES B-B profile |
| 2 (pfBaselineT) | PAdES B-T profile |
| 3 (pfBaselineLT) | PAdES B-LT profile |
| 4 (pfBaselineLTA) | PAdES B-LTA profile |
Reason
string (read-only)
Default: ""
The reason for signing. This is a PDF document property.
SignatureValidationResult
SignatureValidationResults (read-only)
Default: 0
The outcome of the cryptographic signature validation.
Possible values are:
| 0 (svrUnknown - default) | Signature validity is unknown. |
| 1 (svrValid) | The signature is valid. |
| 2 (svrCorrupted) | The signature is corrupted. |
| 3 (svrSignerNotFound) | Failed to acquire the signing certificate. The signature cannot be validated. |
| 4 (svrFailure) | General failure. |
SignerCertIndex
int (read-only)
Default: -1
The index of the signer certificate in the DocumentCerts collection.
Timestamped
bool (read-only)
Default: False
Whether the signature contains an embedded timestamp.
Type
PDFSignatureTypes (read-only)
Default: 0
The type of the signature that was created.
Possible values are:
| 0 (stLegacy - default) | Legacy Adobe signature (adbe.pkcs7.detached) |
| 1 (stAdvanced) | PAdES-compliant signature (ETSI.CAdES.detached) |
| 2 (stDTS) | Document timestamp (ETSI.RFC3161) |
| 3 (stEmptyField) | Empty signature field (signature placeholder) |
ValidatedSigningTime
string (read-only)
Default: ""
The certified signing time.
Use this field to obtain the signing time as certified by a timestamp from a trusted timestamping authority. This field is only nonempty if there is a valid timestamp included in the signature.
Note that the validated time, unlike ClaimedSigningTime, is the trusted signing time.
The time is provided in UTC.
WidgetHeight
int (read-only)
Default: 70
The height of the signature widget in points.
WidgetOffsetX
int (read-only)
Default: 0
The signature widget offset from the left-hand page border in points.
WidgetOffsetY
int (read-only)
Default: 0
The signature widget offset from the bottom page border in points.
WidgetPages
string (read-only)
Default: ""
The pages that the signature and its widget are placed on.
WidgetWidth
int (read-only)
Default: 70
The width of the signature widget in points.
Constructors
public PDFSignature();
Public PDFSignature()
PDFSigningSettings Type
A container for PDF signing settings.
Remarks
This type contains settings used to configure PDF signing. Use it to tune up signature properties and widget appearance when creating a signature.
Fields
AuthorName
string
Default: ""
The human-readable name of the signer. This is a PDF document property.
ClaimedSigningTime
string
Default: ""
The signature's creation time.
Use this field to set the signature creation time from the signer's computer.
The time is provided in UTC.
HashAlgorithm
string
Default: "SHA256"
The hash algorithm to be used for signing.
Possible values are:
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- MD5
Profile
PDFSignatureProfiles
Default: 0
A pre-defined PAdES profile to apply when creating the signature, as defined by ETSI.
Advanced signatures come in many variants, and they are often defined by parties that need to process them or by local standards. Profiles are sets of pre-defined configurations that correspond to particular signature variants. Specifying a profile pre-configures the component to make it produce the signature that matches the configuration corresponding to that profile.
Possible values are:
| 0 (pfNone - default) | No profile |
| 1 (pfBaselineB) | PAdES B-B profile |
| 2 (pfBaselineT) | PAdES B-T profile |
| 3 (pfBaselineLT) | PAdES B-LT profile |
| 4 (pfBaselineLTA) | PAdES B-LTA profile |
In PAdES, the profile a given signature is compliant to describes the level of "completeness" of the validation material included in the signature. Note that "completeness" can be subjective and depends on several factors, including:
- The working environment. For example, an organization may choose to explicitly trust its own self-signed TSA certificate. Signatures timestamped with this certificate will be considered LTA by the organization, but for any external bodies those signatures would render as LT or even B, as they don't know/trust the custom TSA certificate.
- The time that has passed since the last document timestamp. If an archived (LTA) document is not re-timestamped before its last timestamp expires, it will drop back to being LT/B.
This profile, in both the BES and EPES settings, creates a basic signature that remains valid as long as the signing certificate has not expired or been revoked. Signatures at this level do not contain any validation material.
The PAdES B-T profile extends the basic BES or EPES signature by adding a signature timestamp. This timestamp certifies that the signature was created at a specific moment in time. Similar to the B-B profile, signatures at this level do not contain any validation material.
The PAdES B-LT profile extends the basic timestamped signature by incorporating all the material required to validate the signature, including signing certificates, timestamping certificates, and revocation information (e.g., CRLs and OCSP responses) into the signature. That is, the signature has complete validation material, but it is not certified by a document timestamp.
The PAdES B-LTA profile is used to achieve signatures that are equipped with long-term archival (LTA) or long-term validation (LTV) capabilities. It extends the LT signature by adding a document timestamp, which certifies the integrity of both the document and the complete validation material at a specific moment in time. This guarantees that no relevant certificates were expired or revoked at the signature creation time. It also enables the signature to be verified offline.
To apply a custom profile that is not defined by ETSI, set the CustomProfile configuration setting.
Multi-stage signing scenarios are popular. It is quite often that a document is B-signed first (e.g. on an offline server), and then T'ed and LTV'ed elsewhere shortly after. This is because T'ing or LTV'ing an existing signature does not require the private key, as they just add validation information to the existing signature. Everyone can LTV a signature, not necessarily the author.
This somewhat maps to the Level field in SBB, not the top-level Profile property because it applies to individual signatures. "Profile" and "level" are synonymous though.
The user doesn't have to set this (pfNone), but it's a convenient and structured way to achieve the desired PAdES signature level. TBD
Reason
string
Default: ""
The reason for signing. This is a PDF document property.
Type
PDFSignatureTypes
Default: 0
The type of the signature to create.
Possible values are:
| 0 (stLegacy - default) | Legacy Adobe signature (adbe.pkcs7.detached) |
| 1 (stAdvanced) | PAdES-compliant signature (ETSI.CAdES.detached) |
| 2 (stDTS) | Document timestamp (ETSI.RFC3161) |
| 3 (stEmptyField) | Empty signature field (signature placeholder) |
A Legacy Adobe signature is an original Adobe Acrobat document signature. This is a quite dated form of a PDF signature. While PAdES is loosely built on it, this signature type does not support extended features and is not compliant with PAdES. Unless the recipient of your signed documents expects you to specifically use this kind of signatures, it is unlikely that you will ever need them.
For a breakdown of the different PAdES signature profiles, refer to the Profile field.
A document timestamp is a fully independent signature that is added to the PDF document after the initial signature. Unlike the main signature, which is made by a document user, the document timestamp is made by a TSA. The purpose of document timestamps is to preserve the document's long-term validity. Typically it is done close to the expiration date of the certificate that produced the last timestamp in the document (which is either embedded in the main signature, or is a previous document timestamp). An LTV document therefore contains a chain of document timestamps updated periodically to keep its long-term status.
A certain share of customers need to manipulate signature fields (empty signature placeholders). A typical use case is to create a document with empty fields, send it over to a chain of partners, have everyone sign their field (sometimes with a simpler B or T signature), and then LTV the resulting document.
WidgetHeight
int
Default: 70
The height of the signature widget in points.
This is one of the more common and essential widget properties for users to modify, so it's more visible than everything else in SetWidgetProperty. TBD
WidgetOffsetX
int
Default: 0
The signature widget offset from the left-hand page border in points.
This is one of the more common and essential widget properties for users to modify, so it's more visible than everything else in SetWidgetProperty. TBD
WidgetOffsetY
int
Default: 0
The signature widget offset from the bottom page border in points.
This is one of the more common and essential widget properties for users to modify, so it's more visible than everything else in SetWidgetProperty. TBD
WidgetPages
string
Default: ""
The pages to place the signature and its widget on.
This field supports a variety of syntaxes:
- A single page number: 3
- A comma-separated list of page numbers: 1,2,5,7
- The asterisk character (*) indicates that the widget should be placed on all pages in the document.
- The first and last placeholders specify that the signature should be placed on the respective page, independently of its number.
WidgetWidth
int
Default: 70
The width of the signature widget in points.
This is one of the more common and essential widget properties for users to modify, so it's more visible than everything else in SetWidgetProperty. TBD
Constructors
public PDFSigningSettings();
Public PDFSigningSettings()
Proxy Type
The proxy the component will connect to.
Remarks
When connecting through a proxy, this type is used to specify different properties of the proxy, such as the Server and the AuthScheme.
Fields
AuthScheme
ProxyAuthSchemes
Default: 0
This field is used to tell the component which type of authorization to perform when connecting to the proxy. This is used only when the User and Password fields are set.
AuthScheme should be set to authNone (3) when no authentication is expected.
By default, AuthScheme is authBasic (0), and if the User and Password fields are set, the component will attempt basic authentication.
If AuthScheme is set to authDigest (1), digest authentication will be attempted instead.
If AuthScheme is set to authProprietary (2), then the authorization token will not be generated by the component. Look at the configuration file for the component being used to find more information about manually setting this token.
If AuthScheme is set to authNtlm (4), NTLM authentication will be used.
For security reasons, setting this field will clear the values of User and Password.
AutoDetect
bool
Default: False
This field tells the component whether or not to automatically detect and use proxy system settings, if available. The default value is false.
Password
string
Default: ""
This field contains a password if authentication is to be used for the proxy.
If AuthScheme is set to Basic Authentication, the User and Password fields are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].
If AuthScheme is set to Digest Authentication, the User and Password fields are used to respond to the Digest Authentication challenge from the server.
If AuthScheme is set to NTLM Authentication, the User and Password fields are used to authenticate through NTLM negotiation.
Port
int
Default: 80
This field contains the Transmission Control Protocol (TCP) port for the proxy Server (default 80). See the description of the Server field for details.
Server
string
Default: ""
If a proxy Server is given, then the HTTP request is sent to the proxy instead of the server otherwise specified.
If the Server field is set to a domain name, a DNS request is initiated. Upon successful termination of the request, the Server field is set to the corresponding address. If the search is not successful, an error is returned.
SSL
ProxySSLTypes
Default: 0
This field determines when to use a Secure Sockets Layer (SSL) for the connection to the proxy. The applicable values are as follows:
| psAutomatic (0) | Default setting. If the URL is an https URL, the component will use the psTunnel option. If the URL is an http URL, the component will use the psNever option. |
| psAlways (1) | The connection is always SSL-enabled. |
| psNever (2) | The connection is not SSL-enabled. |
| psTunnel (3) | The connection is made through a tunneling (HTTP) proxy. |
User
string
Default: ""
This field contains a username if authentication is to be used for the proxy.
If AuthScheme is set to Basic Authentication, the User and Password fields are Base64 encoded and the proxy authentication token will be generated in the form Basic [encoded-user-password].
If AuthScheme is set to Digest Authentication, the User and Password fields are used to respond to the Digest Authentication challenge from the server.
If AuthScheme is set to NTLM Authentication, the User and Password fields are used to authenticate through NTLM negotiation.
Constructors
ValidationSettings Type
A container for chain validation settings.
Remarks
This type contains settings used to configure chain validation, such as revocation checks and the overall validation policy.
Fields
OfflineMode
bool
Default: False
Specifies whether the component is operating in offline mode.
In offline mode, the component restricts itself from accessing online Trusted Lists and revocation information sources such as CRLs or OCSP responders. It may be useful to set this field to true if there is a need to verify the completeness of the validation information included within the signature or provided via KnownCerts.
RevocationCheck
RevocationChecks
Default: 6
Specifies the kind(s) of revocation check to perform for all chain certificates.
Revocation checking is necessary to ensure the integrity of the chain and to obtain up-to-date certificate validity and trust information.
Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses serve the same purpose of ensuring that the certificate has not been revoked by the Certificate Authority (CA) at the time of use. Depending on the circumstances and security policy requirements, either one or both of the revocation information source types may be used.
Possible values are:
| 0 (rcAllCRL) | All provided CRL endpoints will be checked, and all checks must succeed. |
| 1 (rcAllOCSP) | All provided OCSP endpoints will be checked, and all checks must succeed. |
| 2 (rcAllCRLAndOCSP) | All provided CRL and OCSP endpoints will be checked, and all checks must succeed. |
| 3 (rcAnyCRL) | All provided CRL endpoints will be checked, and at least one check must succeed. |
| 4 (rcAnyOCSP) | All provided OCSP endpoints will be checked, and at least one check must succeed. |
| 5 (rcAnyCRLOrOCSP) | All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. CRL endpoints are checked first. |
| 6 (rcAnyOCSPOrCRL - default) | All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. OCSP endpoints are checked first. |
This field controls the way revocation checks are performed for every certificate in the chain. Typically, certificates come with two types of revocation information sources: CRLs (Certificate Revocation Lists) and OCSP responses. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time.
There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally a delay between the time at which a certificate was revoked and the time at which the subsequent CRL mentioning that revocation is published. The benefits of CRLs are that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs).
This field allows the validation course to be adjusted by including or excluding certain types of revocation sources from the validation process. The rcAnyOCSPOrCRL setting (give preference to the faster OCSP route and only demand one source to succeed) is a good choice for most typical validation environments. The rcAll* modes are much stricter, and may be used in scenarios where bulletproof validity information is essential.
Note: If no CRL or OCSP endpoints are provided by the CA, the revocation check will be considered successful. This is because the CA chose not to supply revocation information for its certificates, meaning they are considered irrevocable.
Note: Within each of the above settings, if any retrieved CRL or OCSP response indicates that the certificate has been revoked, the revocation check fails.
ValidationMoment
string
Default: ""
Specifies the time point at which the signature should be validated.
Leave this field empty to stick to the default moment. The component will then prioritize:
- the signature creation time if the signature contains a signature timestamp (ValidatedSigningTime), or
- the local time included in the signature by the signer (ClaimedSigningTime).
Note that the validity of the same signature may differ depending on the time point chosen due to temporal changes in chain validities, revocation statuses, and timestamp times.
The time is provided in UTC.
ValidationPolicy
ValidationPolicies
Default: 4
Specifies the level at which to perform chain validation.
Possible values are:
| 0 (vpNone) | No chain validation is attempted at all. |
| 1 (vpFull) | Revocation and trust checks must succeed for all chains. |
| 2 (vpFullNoTrust) | Revocation checks must succeed, but trust checks will not occur. |
| 3 (vpFullNoRevocation) | Trust checks must succeed, but revocation checks will not occur. |
| 4 (vpBestEffort - default) | The component will validate the chain to the maximal extent possible by attempting to retrieve and use all available chain elements. |
- Validate the chain properly and fully (expect the trust anchor and all the revocation material to be available). This is what customers do when validating the signature.
- Try to validate the chain properly and fully but do not expect good trust. This is often done when creating a signature in an environment that does not match the prospective validation environment.
- Try to validate the chain properly and fully, but do not expect success in trust or revocation collection. Often the first step before updating shortly afterwards.
- Forget about the chain and just create a basic signature. Used in test/debug environments or on offline systems.
The choice of validation policy will depend on the scenario for which the chain is validated.
When creating a new signature,
- Creating an LTV signature: full chain validation, unnecessary trust checks -> vpFullNoTrust
- Creating a B signature: no chain validation, unnecessary trust checks -> vpNone
When updating or extending an existing signature,
- B to LTV: full chain validation, with or without trust checks -> vpFull or vpFullNoTrust
- Extending LTV: full chain validation, with or without trust checks -> vpFull or vpFullNoTrust
When validating an existing signature,
- Archival validation: full chain validation, with trust checks -> vpFull
- B signature validation: "offline-only" validation (no revocation checks), with trust checks -> vpFullNoRevocation
- "To the maximal extent possible" validation: try to get whatever we can and report the result (valid/trusted, valid/untrusted, all/partial/none revocation info checked) -> vpBestEffort
This field used to be named ChainValidationMode. It essentially replaces SBB's IgnoreChainValidationErrors property by providing other secure options to fit customers' goals (instead of the kind of silver bullet for fixing various validation issues that is IgnoreChainValidationErrors). TBD
Constructors
public ValidationSettings();
Public ValidationSettings()
Config Settings (SecurePDF Component)
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.SecurePDF Config Settings
This is called CollectRevInfoForTimestamps in SBB. If a customer wants to (1) sign + timestamp and then (2) add a DTS, they don't need the TSA revocation info in the first signature. Separating this from normal revocation info collection and IncludeRevocationInfo makes sense because they may want to include revocation info for the chain itself for it to get to the adbe-RevocationInfoArchival attribute. TBD
When creating a new signature, use -1 as the Index.
| "BR.AD_RB_v1_0" | Brazilian signature with Basic Reference (AD-RB) version 1.0 |
| "BR.AD_RB_v1_1" | Brazilian signature with Basic Reference (AD-RB) version 1.1 |
| "BR.AD_RT_v1_0" | Brazilian signature with Time Reference (AD-RT) version 1.0 |
| "BR.AD_RT_v1_1" | Brazilian signature with Time Reference (AD-RT) version 1.1 |
| "BR.AD_RC_v1_1" | Brazilian signature with Complete References (AD-RC) version 1.1 |
| "BR.AD_RC_v1_2" | Brazilian signature with Complete References (AD-RC) version 1.2 |
| "BR.AD_RA_v1_1" | Brazilian signature with References for Archiving (AD-RA) version 1.1 |
| "BR.AD_RA_v1_2" | Brazilian signature with References for Archiving (AD-RA) version 1.2 |
When creating a new signature, use -1 as the Index. If set to PBAD_PAdES, the component will create a PBAD.PAdES-compatible signature.
When creating a new signature, use -1 as the Index.
| 0x001 (rilAuto) | Revocation information will be included in either the DSS dictionary or the adbe-RevocationInfoArchival signature attribute depending on the signature Type. |
| 0x002 (rilDSS) | Revocation information will be included in the DSS dictionary. |
| 0x004 (rilAdbeAttribute) | Revocation information will be included in the adbe-RevocationInfoArchival signature attribute. |
We have this because of the scenario where the validation policy demands that revocation info should be collected but this config is set to 0. In this scenario, we are validating the chain fully but not inserting the data we've gathered into the signature. Can be useful if the user wants to create a B signature but validate the chain fully to make sure that the signing certificate is valid. Or if they have all the revocation info but still want to stick with B, e.g. if there's a huge CRL that they don't want to include. TBD
| 0 | Do not include the signing chain in the signature. |
| 1 (default) | Attempt to build the signing chain automatically, and if successful, include it in the signature. |
| 2 | Include the contents of KnownCerts in the signature. |
| 0 (None) | No events are logged. |
| 1 (Info - default) | Informational events (such as TBD) are logged. |
| 2 (Verbose) | Detailed data (such as TBD) are logged. |
| 3 (Debug) | Debug data (such as the full chain validation procedure) are logged. |
- "SHA1"
- "SHA224"
- "SHA256" (default)
- "SHA384"
- "SHA512"
- "RIPEMD160"
- "MD2"
- "MD5"
- "MD5SHA1"
Note: This setting is not applicable when UseFIPSCompliantAPI is set to true or when the private key of the signing certificate is not exportable since the underlying system implementation does not support separate OAEPRSAHashAlgorithm and OAEPMGF1HashAlgorithm values. In this case, the OAEPRSAHashAlgorithm is also used for MGF1.
- "SHA1"
- "SHA224"
- "SHA256" (default)
- "SHA384"
- "SHA512"
- "RIPEMD160"
- "MD2"
- "MD5"
- "MD5SHA1"
| 0x001 (pepAnnotations) | Annotating is allowed. |
| 0x002 (pepAssemble) | Assembling a new document on the basis of the processed one is allowed. |
| 0x004 (pepExtract) | Extraction/copying of the pictures and text from the document is allowed. |
| 0x008 (pepExtractAcc) | Content extraction is allowed for accessibility purposes only. |
| 0x010 (pepFillInForms) | Filling in forms is allowed. |
| 0x020 (pepHighQualityPrint) | High quality printing is allowed. |
| 0x040 (pepLowQualityPrint) | Low quality printing is allowed. |
| 0x080 (pepModify) | Modifications are allowed. |
Qualifications can be obtained from a Trusted List, and they define a set of policies or rules under which the certificate was issued. The two most popular qualifications are QCP-n-qscd and QCP-l-qscd, which indicate that the certificate's private key resides on a hardware security module (HSM). Such qualified information can come embedded in the certificate, or sometimes they can be specified (and/or duplicated) in the external Trusted List (normally for CAs, as you don't store regular certs in a Trusted List).
This setting is read-only. It is populated upon completion of the full validation routine performed by the Verify method (if TrustSources is tsTrustedLists or tsLocalAndTrustedLists) (because we will have already downloaded the respective Trusted List somewhere in the middle of the chain validation routine and saved the qualification data with the Certificate object). If this config is queried for a fresh certificate that did not participate in chain validation, we either return an error/unknown result/empty string, or run the chain validation from scratch and return the outcome (leaning towards the first option).
This setting can be used to check if a signature was created using a qualified certificate that came from a
qualified signature creation device (QSCD).
For example:
if (securepdf.Config("Qualifications[0]").Contains("QCWithSSCD"))
Console.WriteLine("The certificate is qualified and resides on a hardware device");
Adjust TrustedLists before validating the signature to properly obtain the qualified status.
The biggest share of customers who use this config will want to display some comments about the certificate in their UI, such as:
"The signing certificate was stored on a secure hardware device." "The signing certificate satisfies government regulations on electronic identification."
For those, just checking if a specific policy identifier is present in the returned string is enough.
It's becoming increasingly more common to integrate qualifications and Trusted List checks into the chain validation routine itself (as more and more CAs offer them) rather than separating them. We considered adding a GetCertProperty() method to CertMgr to pass the qualification data to the user (not just Qualifications but also things like TSLURL and TSLBody), but we didn't want to modify the CertMgr API. TBD
| 0 | Discard all changes. |
| 1 | Save the document to OutputFile, OutputData, or OutputStream, even if it has not been modified. |
| 2 (default) | Save the document to OutputFile, OutputData, or OutputStream, but only if it has been modified. |
Use the TrustedLists property to pass cached Trusted Lists back to the component.
This setting is read-only. TODO (keep it a list or make it indexed? we will need to make sure this works with TrustedLists)
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
When TSATLSClientCertStoreType is set to 2 (cstPFXFile), this setting must be set to the name of the file. When the type is set to 3 (cstPFXBlob), this setting must be set to the binary contents of a PFX file (i.e., a PKCS#12 certificate store). If the store is password-protected, specify the password in TSATLSClientCertStorePassword.
| 0 (cstUser - default) | For Windows, this specifies that the certificate store is a certificate store owned by the current user.
Note: This store type is not available in Java. |
| 1 (cstMachine) | For Windows, this specifies that the certificate store is a machine store.
Note: This store type is not available in Java. |
| 2 (cstPFXFile) | The certificate store is the name of a PFX (PKCS#12) file containing certificates. |
| 3 (cstPFXBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in PFX (PKCS#12) format. |
| 4 (cstJKSFile) | The certificate store is the name of a Java Key Store (JKS) file containing certificates.
Note: This store type is only available in Java. |
| 5 (cstJKSBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in Java Key Store (JKS) format.
Note: this store type is only available in Java. |
| 6 (cstPEMKeyFile) | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
| 7 (cstPEMKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains a private key and an optional certificate. |
| 8 (cstPublicKeyFile) | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
| 9 (cstPublicKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains a PEM- or DER-encoded public key certificate. |
| 10 (cstSSHPublicKeyBlob) | The certificate store is a string (binary or Base64-encoded) that contains an SSH-style public key. |
| 11 (cstP7BFile) | The certificate store is the name of a PKCS#7 file containing certificates. |
| 12 (cstP7BBlob) | The certificate store is a string (binary) representing a certificate store in PKCS#7 format. |
| 13 (cstSSHPublicKeyFile) | The certificate store is the name of a file that contains an SSH-style public key. |
| 14 (cstPPKFile) | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
| 15 (cstPPKBlob) | The certificate store is a string (binary) that contains a PPK (PuTTY Private Key). |
| 16 (cstXMLFile) | The certificate store is the name of a file that contains a certificate in XML format. |
| 17 (cstXMLBlob) | The certificate store is a string that contains a certificate in XML format. |
| 18 (cstJWKFile) | The certificate store is the name of a file that contains a JWK (JSON Web Key). |
| 19 (cstJWKBlob) | The certificate store is a string that contains a JWK (JSON Web Key). |
| 21 (cstBCFKSFile) | The certificate store is the name of a file that contains a BCFKS (Bouncy Castle FIPS Key Store).
Note: This store type is only available in Java and .NET. |
| 22 (cstBCFKSBlob) | The certificate store is a string (binary or Base64-encoded) representing a certificate store in BCFKS (Bouncy Castle FIPS Key Store) format.
Note: This store type is only available in Java and .NET. |
| 23 (cstPKCS11) | The certificate is present on a physical security key accessible via a PKCS#11 interface.
To use a security key, the necessary data must first be collected using the CertMgr component. The ListStoreCertificates method may be called after setting CertStoreType to cstPKCS11, CertStorePassword to the PIN, and CertStore to the full path of the PKCS#11 DLL. The certificate information returned in the CertList event's CertEncoded parameter may be saved for later use. When using a certificate, pass the previously saved security key information as the Store and set StorePassword to the PIN. Code Example. SSH Authentication with Security Key:
|
| 99 (cstAuto) | The store type is automatically detected from the input data. This setting may be used with both public and private keys and can detect any of the supported formats automatically. |
The asterisk character (*) picks a random certificate in the certificate store.
The certificate subject is a comma-separated list of distinguished name fields and values. For instance, "CN=www.server.com, OU=test, C=US, E=support@nsoftware.com". Common fields and their meanings are as follows:
| Field | Meaning |
| CN | Common Name. This is commonly a hostname like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma, it must be quoted.
To specify non-default OAEP options, please see OAEPRSAHashAlgorithm, OAEPMGF1HashAlgorithm, and OAEPParams.
| 0x001 (cvfForceCompleteChainValidationForTrusted) | Perform full chain validation for explicitly trusted intermediary or end-entity certificates. This may be useful when creating signatures to enforce completeness of the collected revocation information. It often makes sense to omit this flag when validating signatures to reduce validation time and avoid issues with poorly configured environments. |
| 0x002 (cvfIgnoreChainLoops) | Make the validation engine ignore chain loops. This may be useful when there is a need to process chains from buggy CAs that include subchains that sign themselves. |
| 0x004 (cvfIgnoreOCSPNoCheckExtension) | Make the validation engine ignore the ocsp-nocheck extension. This may be useful when validating severely non-compliant chains that misuse the extension, causing chain loops or other validation issues. |
| 0x008 (cvfTolerateMinorChainIssues) | Make the validation engine tolerate minor
technical issues when validating the chain. These are:
|
Base Config Settings
In some non-GUI applications, an invalid message loop may be discovered that will result in errant behavior. In these cases, setting GUIAvailable to false will ensure that the component does not attempt to process external events.
- Product: The product the license is for.
- Product Key: The key the license was generated from.
- License Source: Where the license was found (e.g., RuntimeLicense, License File).
- License Type: The type of license installed (e.g., Royalty Free, Single Server).
- Last Valid Build: The last valid build number for which the license will work.
This setting only works on these components: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.
Setting this configuration setting to true tells the component to use the internal implementation instead of using the system security libraries.
On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.
If using the .NET Standard Library, this setting will be true on all platforms. The .NET Standard library does not support using the system security libraries.
Note: This setting is static. The value set is applicable to all components used in the application.
When this value is set, the product's system dynamic link library (DLL) is no longer required as a reference, as all unmanaged code is stored in that file.
Trappable Errors (SecurePDF Component)
SecurePDF Errors
| 104 | Cannot read or write file. |