DynaPDF Manual - Page 228
Function Reference
If the member TimeStampServer is set, the function adds a timestamp to the signature. The member
TimeOut specifies the maximum number of milliseconds to wait for the timestamp server's response.
If TimeOut is zero, the function does not time out.
Note that HashType is still honoured. If it is set to htDetached, a SHA-256 hash of the document is
computed and that hash is signed afterwards. Non-detached signatures support SHA-1 only. The
drawback of detached signatures is that the document must be fully created in memory. Since SHA-1
is no longer considered collision resistant, prefer detached signatures where the memory cost is
acceptable and validators require SHA-256.
Supported PKCS#7 Format
PKCS#7 objects are ASN.1 encoded binary objects. The ASN.1 standard defines a set of Basic
Encoding Rules (BER) which describe how ASN.1 objects must be encoded. The standard also defines
a set of Distinguished Encoding Rules (DER) and a set of Canonical Encoding Rules (CER), both of
which are restrictions of BER. The key difference between them is that DER uses the definite length
form of encoding while CER uses the indefinite length form.
PDF compatible PKCS#7 objects must be DER encoded because Adobe's Acrobat or Reader does not
support indefinite length encoding. However, not all cryptographic providers produce definite
length encoding, and whether a given provider does so is often not documented.
The Windows CryptoAPI creates DER encoded PKCS#7 objects which are fully PDF compatible.
However, when using another cryptographic library and Adobe's Acrobat or Reader reports an
error like "Error reading BER encoded object" when trying to validate the signature, the library
probably does not create definite length encoded PKCS#7 objects. Such a signature should be
rejected before it is written into the PDF file; the test is cheap, because it only requires walking the
tag/length/value structure of the blob and looking for a length octet of 0x80.
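The following is an added example, not DynaPDF's or Microsoft's code, that performs exactly this check on a PKCS#7 blob before it is handed to the PDF writer. It walks the ASN.1 tag/length/value structure, flags every indefinite-length element (length octet 0x80) and every non-minimal length encoding (which DER also forbids), and returns the offsets. The sample blobs are constructed here and only mimic the outer shape of a CMS ContentInfo (SEQUENCE { OID signedData, [0] { ... } }); they are not real signatures, and the function names are the example's own.

```python
# Added example (not DynaPDF's or Microsoft's code): detect BER indefinite-length
# and non-minimal length encodings that Acrobat/Reader reject in PKCS#7 blobs.

def _read_length(buf, pos):
    """Parse the ASN.1 length octets at buf[pos:].

    Returns (length, new_pos, minimal). length is None for the indefinite form
    (single octet 0x80); minimal is False when the long form was used for a
    value below 128 or carries leading zero octets, both forbidden by DER."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos, True                  # short form, always minimal
    n = first & 0x7F
    if n == 0:
        return None, pos, False                  # 0x80: indefinite length (BER only)
    if pos + n > len(buf):
        raise ValueError("truncated length field at offset %d" % (pos - 1))
    length = int.from_bytes(buf[pos:pos + n], "big")
    minimal = length >= 0x80 and buf[pos] != 0   # long form only when needed, no leading zeros
    return length, pos + n, minimal


def _parse_element(buf, pos, findings):
    """Walk one TLV element starting at buf[pos]; return the offset after it.

    Problems are appended to findings as (offset_of_tag, description)."""
    tag_pos = pos
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                       # high-tag-number form: skip continuation octets
        while buf[pos] & 0x80:
            pos += 1
        pos += 1
    constructed = bool(tag & 0x20)
    length, pos, minimal = _read_length(buf, pos)
    if length is None:
        findings.append((tag_pos, "indefinite-length encoding"))
        if not constructed:
            raise ValueError("indefinite length on primitive element at %d" % tag_pos)
        # Contents run until the end-of-contents octets 00 00; walk children to find them.
        while True:
            if pos + 2 > len(buf):
                raise ValueError("missing end-of-contents octets for element at %d" % tag_pos)
            if buf[pos] == 0 and buf[pos + 1] == 0:
                return pos + 2
            pos = _parse_element(buf, pos, findings)
    if not minimal:
        findings.append((tag_pos, "non-minimal length encoding"))
    end = pos + length
    if end > len(buf):
        raise ValueError("element at %d overruns the buffer" % tag_pos)
    if constructed:
        while pos < end:
            pos = _parse_element(buf, pos, findings)
        if pos != end:
            raise ValueError("children of element at %d overrun its length" % tag_pos)
    return end


def der_findings(blob):
    """Return a list of (offset, description) for every DER violation in blob.

    An empty list means the blob uses definite, minimally encoded lengths throughout."""
    findings = []
    pos = 0
    while pos < len(blob):
        pos = _parse_element(blob, pos, findings)
    return findings


def is_pdf_compatible_pkcs7(blob):
    """True when the blob is DER encoded as Acrobat/Reader require."""
    return not der_findings(blob)


# Constructed sample blobs with the shape SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData),
# [0] { SEQUENCE { INTEGER 1 } } }. They are not real signatures.
_OID_SIGNED_DATA = "06092A864886F70D010702"
DER_BLOB = bytes.fromhex("3012" + _OID_SIGNED_DATA + "A005" "3003" "020101")
# Same structure as a BER encoder using the indefinite form would emit it.
BER_INDEFINITE_BLOB = bytes.fromhex("3080" + _OID_SIGNED_DATA + "A080" "3003" "020101" "0000" "0000")
# Same structure with a long-form length (81 12) for a value below 128, which DER forbids.
NONMINIMAL_BLOB = bytes.fromhex("308112" + _OID_SIGNED_DATA + "A005" "3003" "020101")

if __name__ == "__main__":
    for name, blob in (("DER", DER_BLOB), ("BER indefinite", BER_INDEFINITE_BLOB),
                       ("non-minimal", NONMINIMAL_BLOB)):
        print(name, "compatible" if is_pdf_compatible_pkcs7(blob) else der_findings(blob))
```

The offsets reported are those of the offending tag, so a finding at offset 0 points at the outer ContentInfo SEQUENCE, which is where indefinite-length encoders typically start. The check does not validate the signature itself; it only answers the question whether the blob can be embedded at all.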
Hardware Certificates
Signing a PDF file with a hardware certificate works in exactly the same way as with a software
certificate, as long as the certificate was installed in the certificate store of the operating system.
Hardware tokens such as smart cards, USB tokens, or similar devices are normally delivered with
software that installs the certificate on the operating system. Once a certificate has been installed
in the certificate store it can be used like any other certificate.
The Windows CryptoAPI, for example, completely hides the certificate type from the developer.
Whether the user selects a software or hardware certificate does not matter because nothing special
must be done in either case. You still call CryptSignMessage(), that's all. If a PIN or password is
required, the CryptoAPI automatically displays a dialog to enter it; the communication with the
hardware is done in the background. Note that this dialog requires an interactive desktop. For
unattended signing in a service, the PIN must be handed to the cryptographic provider beforehand
(CryptSetProvParam() with PP_SIGNATURE_PIN or PP_KEYEXCHANGE_PIN), otherwise the signing
call fails or blocks.
Remarks:
If the function succeeds, the signature must be written to the PDF file with FinishSignature(). Take a
look at the example external_signatures to see how the function can be used. It is usually best to
open the output file right before FinishSignature() is called (see OpenOutputFile()).