You
can secure a PDF document by certifying it with a particular type
of signature called a certified signature. A certified signature
is distinguished from a digital signature in these ways:
It must be the first signature applied to the PDF document;
that is, at the time the certified signature is applied, any other
signature fields in the document must be unsigned. Only one certified
signature is permitted in a PDF document. If you want to sign and
certify a PDF document, you must certify it before signing it. After
you certify a PDF document, you can digitally sign additional signature
fields.
The author or originator of the document can specify that
the document can be modified in certain ways without invalidating
the certified signature. For example, the document may permit filling
in forms or commenting. If the author specifies that a certain modification
is not permitted, Acrobat restricts users from modifying the document
in that way. If such modifications are made, such as by using another
application, the certified signature is invalid and Acrobat issues
a warning when a user opens the document. (With non-certified signatures,
modifications are not prevented, and normal editing operations do
not invalidate the original signature.)
At the time of signing, the document is scanned for specific
types of content that could make the contents of a document ambiguous
or misleading. For example, an annotation could obscure some text
on a page that is important for understanding what is being certified.
An explanation (legal attestation) can be provided about such content.
You can programmatically certify PDF documents by using the Signature service
Java API or the Signature web service API. When certifying a PDF document,
you must reference a security credential that exists in the Credential service.
For information about the security credential, see the Installing and Deploying LiveCycle guide
for your application server.
Hinweis: When certifying and signing the same PDF document,
if the certify signature is not trusted, a yellow triangle appears
next to the first sign signature when you open the PDF document
in Acrobat or Adobe Reader. The certifying signature must be trusted
to avoid this situation.
Hinweis: When using an nCipher nShield HSM credential
to sign or certify a PDF document, the new credential cannot be
used until the J2EE application server on which LiveCycle is deployed is restarted. However, you can set a configuration value,
resulting in the sign or certify operation working without restarting
the J2EE application server.
You can add the following configuration value in the cknfastrc
file, which is located at /opt/nfast/cknfastrc (or c:\nfast\cknfastrc):
CKNFAST_ASSUME_SINGLE_PROCESS=0
After you add this configuration value to the cknfastrc file,
the new credential can be used without restarting the J2EE application
server.
Summary of stepsTo certify a PDF document, perform the following tasks:
Include project files.
Create a Signature client.
Get the PDF document to certify.
Certify the PDF document.
Save the certified PDF document as a PDF file.
Include project filesInclude necessary files into your development
project. If you are creating a client application using Java, include
the necessary JAR files. If you are using web services, ensure that
you include the proxy files.
The following JAR files must
be added to your project’s classpath:
adobe-livecycle-client.jar
adobe-usermanager-client.jar
adobe-signatures-client.jar
adobe-utilities.jar (required if LiveCycle is deployed
on JBoss)
jbossall-client.jar (required if LiveCycle is deployed
on JBoss)
For information about the location of
these JAR files, see Including LiveCycle Java library files.
Create a Signature clientBefore you can programmatically perform
a Signature operation, you must create a Signature client.
Get the PDF document to certifyTo certify a PDF document,
you must obtain a PDF document that contains a signature field.
If a PDF document does not contain a signature field, it cannot be
certified. A signature field can be added by using Designer or programmatically.
For information about programmatically adding a signature field,
see Adding Signature Fields.
Certify the PDF documentTo successfully certify a PDF document,
you require the following input values that are used by the Signature
service to certify a PDF document:
PDF document:
A PDF document that contains a signature field, which is a form
field that contains a graphic representation of the certified signature.
A PDF document must contain a signature field before it can be certified.
A signature field can be added by using Designer or programmatically.
(See Adding Signature Fields.)
Signature field name: The fully-qualified name of
the signature field that is certified. The following value is an
example: form1[0].#subform[1].SignatureField3[3].
When using an XFA form field, the partial name of the signature field
can also be used: SignatureField3[3]. If a null value
is passed for the field name, an invisible signature field is dynamically created
and certified.
Security credential: A credential that is used to
certify the PDF document. This security credential contains a password
and an alias, which must match an alias that appears in the credential
that is located within the Credential service. The alias is a reference
to an actual credential that may be in a PKCS#12 file (with a .pfx
extension) or a hardware security module (HSM).
Hash algorithm: A hash algorithm to use to digest
the PDF document.
Reason for signing: A value that is displayed in Acrobat
or Adobe Reader so that other users know the reason why the PDF
document was certified.
Location of the signer: The location of the signer
specified by the credential.
Contact information: Contact information, such as address
and telephone number, of the signer.
Permission information: Permissions that control the actions
that an end user can perform on a document without causing the certified
signature to be invalid. For example, you can set the permission
so that any change to the PDF document causes the certified signature
to be invalid.
Legal explanation: When a document is certified, it
is automatically scanned for specific types of content that could
make the contents of a document ambiguous or misleading. For example,
an annotation could obscure some text on a page that is important
for understanding what is being certified. The scanning process
generates warnings about these types of content. This value provides
an additional explanation of the content that may have generated
warnings.
Appearance options: Options that control the appearance of
the certified signature. For example, the certified signature can
display date information.
Revocation checking: This value specifies whether revocation
checking is done for the signer's certificate. The default setting
of false means that revocation checking is not done.
OCSP settings: Settings for Online Certificate Status Protocol
(OCSP) support, which provides information about the status of the credential
that is used to certify the PDF document. You can, for example, specify
the URL of the server that provides information about the credential that
you are using to sign on to the PDF document.
CRL settings: Settings for certificate revocation
list (CRL) preferences if revocation checking is done. For example,
you can specify to always check whether a credential was revoked.
Time stamping: Settings that define time stamping
information that is applied to the certified signature. A time stamp
indicates that specific data was established before a certain time.
This knowledge helps build a trusting relationship between the signer
and verifier.
Save the certified PDF document as a PDF fileAfter the Signature
service certifies the PDF document, you can save it as a PDF file
so that users can open it in Acrobat or Adobe Reader.
Certify PDF documents using the Java APICertify a PDF document by using the Signature API (Java):
Include project files
Include client JAR files,
such as adobe-signatures-client.jar, in your Java project’s class
path.
Create a Signature client
Get the PDF document to certify
Create a java.io.FileInputStream object
that represents the PDF document to certify by using its constructor
and passing a string value that specifies the location of the PDF
document.
Create a com.adobe.idp.Document object by
using its constructor and passing the java.io.FileInputStream object.
Certify the PDF document
Certify the PDF document
by invoking the SignatureServiceClient object’s certify method
and passing the following values:
The com.adobe.idp.Document object
that represents the PDF document to certify.
A string value that represents the name of the signature
field that will contain the signature.
A Credential object that represents the credential
that is used to certify the PDF document. Create a Credential object
by invoking the Credential object’s static getInstance method
and passing a string value that specifies the alias value that corresponds
to the security credential.
A HashAlgorithm object that specifies a static
data member that represents the hash algorithm used to digest the PDF
document. For example, you can specify HashAlgorithm.SHA1 to
use the SHA1 algorithm.
A string value that represents the reason why the PDF document was
certified.
A string value that represents the signer’s contact information.
A MDPPermissions object that specifies actions
that can be performed on the PDF document that invalidates the signature.
A PDFSignatureAppearanceOptions object that
controls the appearance of the certified signature. If desired, modify
the appearance of the signature by invoking a method, such as setShowDate.
A string value that provides an explanation of what actions
invalidate the signature.
A java.lang.Boolean object that specifies
whether to perform revocation checking on the signer's certificate.
If this revocation checking is done, it is embedded in the signature. The
default is false.
A java.lang.Boolean object that specifies
whether the signature field being certified is locked. If the field
is locked, the signature field is marked as read only, its properties
cannot be modified, and it cannot be cleared by anyone who does
not have the required permissions. The default is false.
An OCSPPreferences object that stores preferences
for Online Certificate Status Protocol (OCSP) support. If revocation
checking is not done, this parameter is not used and you can specify null.
For information about this object, See LiveCycle API Reference.
A CRLPreferences object that stores certificate
revocation list (CRL) preferences. If revocation checking is not done,
this parameter is not used and you can specify null.
A TSPPreferences object that stores preferences
for time stamp provider (TSP) support. For example, after you create
a TSPPreferences object, you can set the URL of
the TSP server by invoking the TSPPreferences object’s setTspServerURL method.
This parameter is optional and can be null. For
more information, see Services Reference for LiveCycle.
The certify method
returns a com.adobe.idp.Document object that represents the
certified PDF document.
Save the certified PDF document as a PDF file
Create a java.io.File object and ensure
that the file extension is .pdf.
Invoke the com.adobe.idp.Document object’s copyToFile method
to copy the contents of the com.adobe.idp.Document object
to the file.
Certify PDF documents using the web service APICertify a PDF document by using the Signature API (web service):
Include project files
Create a Microsoft .NET
project that uses MTOM. Ensure that you use the following WSDL definition: http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.
Hinweis: Replace localhost with the IP
address of the server hosting LiveCycle.
Create a Signature client
Create a SignatureServiceClient object
by using its default constructor.
Create a SignatureServiceClient.Endpoint.Address object
by using the System.ServiceModel.EndpointAddress constructor.
Pass a string value that specifies the WSDL to the LiveCycle service (for example, http://localhost:8080/soap/services/SignatureService?WSDL).
You do not need to use the lc_version attribute.
This attribute is used when you create a service reference.)
Create a System.ServiceModel.BasicHttpBinding object
by getting the value of the SignatureServiceClient.Endpoint.Binding field.
Cast the return value to BasicHttpBinding.
Set the System.ServiceModel.BasicHttpBinding object’s MessageEncoding field
to WSMessageEncoding.Mtom. This value ensures that
MTOM is used.
Enable basic HTTP authentication by performing the following tasks:
Assign the LiveCycle user name to the field SignatureServiceClient.ClientCredentials.UserName.UserName.
Assign the corresponding password value to the field SignatureServiceClient.ClientCredentials.UserName.Password.
Assign the constant value HttpClientCredentialType.Basic to
the field BasicHttpBindingSecurity.Transport.ClientCredentialType.
Assign the constant value BasicHttpSecurityMode.TransportCredentialOnly to
the field BasicHttpBindingSecurity.Security.Mode.
Get the PDF document to certify
Create a BLOB object
by using its constructor. The BLOB object is used
to store a PDF document that is certified.
Create a System.IO.FileStream object by
invoking its constructor and passing a string value that represents the
file location of the PDF document to certify and the mode in which
to open the file.
Create a byte array that stores the content of the System.IO.FileStream object.
You can determine the size of the byte array by getting the System.IO.FileStream object’s Length property.
Populate the byte array with stream data by invoking the System.IO.FileStream object’s Read method
and passing the byte array, the starting position, and the stream
length to read.
Populate the BLOB object by assigning its MTOM data
member the contents of the byte array.
Certify the PDF document
Certify the PDF document
by invoking the SignatureServiceClient object’s certify method
and passing the following values:
The BLOB object
that represents the PDF document to certify.
A string value that represents the name of the signature
field that will contain the signature.
A Credential object that represents the credential
that is used to certify the PDF document. Create a Credential object
by using its constructor, and specify the alias by assigning a value
to the Credential object’s alias property.
A HashAlgorithm object that specifies a static
data member that represents the hash algorithm used to digest the PDF
document. For example, you can specify HashAlgorithm.SHA1 to
use the SHA1 algorithm.
A Boolean value that specifies whether the hash algorithm
is used.
A string value that represents the reason why the PDF document was
certified.
A string value that represents the signer’s location.
A string value that represents the signer’s contact information.
An MDPPermissions object’s static data member
that specifies actions that can be performed on the PDF document that
invalidate the signature.
A Boolean value that specifies whether to use the MDPPermissions object
that was passed as the previous parameter value.
A string value that explains what actions invalidate the signature.
A PDFSignatureAppearanceOptions object that
controls the appearance of the certified signature. Create a PDFSignatureAppearanceOptions object
by using its constructor. You can modify the appearance of the signature
by setting one of its data members.
A System.Boolean object that specifies whether
to perform revocation checking on the signer's certificate. If this revocation
checking is done, it is embedded in the signature. The default is false.
A System.Boolean object that specifies whether
the signature field being certified is locked. If the field is locked,
the signature field is marked as read only, its properties cannot
be modified, and it cannot be cleared by anyone who does not have
the required permissions. The default is false.
A System.Boolean object that specifies whether
the signature field is locked. That is, if you pass true to
the previous parameter, then pass true to this
parameter.
An OCSPPreferences object that stores preferences
for Online Certificate Status Protocol (OCSP) support, which provides
information about the status of the credential that is used to certify
the PDF document. If revocation checking is not done, this parameter
is not used and you can specify null.
A CRLPreferences object that stores certificate
revocation list (CRL) preferences. If revocation checking is not done,
this parameter is not used and you can specify null.
A TSPPreferences object that stores preferences
for time stamp provider (TSP) support. For example, after you create
a TSPPreferences object, you can set the URL of
the TSP by setting the TSPPreferences object’s tspServerURL data
member. This parameter is optional and can be null.
The certify method
returns a BLOB object that represents the certified
PDF document.
Save the certified PDF document as a PDF file
Create a System.IO.FileStream object by
invoking its constructor and passing a string value that represents the
file location of the PDF document that will contain the certified
PDF document and the mode in which to open the file.
Create a byte array that stores the content of the BLOB object
that was returned by the certify method. Populate
the byte array by getting the value of the BLOB object’s binaryData data
member.
Create a System.IO.BinaryWriter object by
invoking its constructor and passing the System.IO.FileStream object.
Write the contents of the byte array to a PDF file by invoking
the System.IO.BinaryWriter object’s Write method
and passing the byte array.
|
|
|