PDFSeedValueOptionSpec

A complex data type used by the Add Invisible Signature Field and Add Visible Signature Field operations of the Signature service. It represents the seed value dictionary that is associated with a signature field. A seed value dictionary contains entries that constrain the information that is used when the signature is applied.

For information about data that can be accessed using XPath expressions, see Data items.

For information about configuring default properties, see Datatype specific settings.

Data items

The data items that PDFSeedValueOptionSpec variables contain.

addRevInfo

A boolean value that specifies whether revocation checking is performed. A value of true means that the viewer application must perform the following revocation tasks when signing a signature field:

  • Perform revocation checking of the certificate used to sign. The checking also includes the corresponding issuing certificates.

  • Include the revocation information within the signature value.

If the subFilterEx value is either adbe_pkcs7_detached or adbe_pkcs7_sha1, this value must be set to true. If the subFilterEx value is x509_rsa_sha1, this value must be omitted or specified as false, or the signature process fails.

The default value of false means that the revocation checking is not performed.

certificateSeedValueOptions

A CertificateSeedValueOptionSpec value that represents a certificate seed value dictionary. A certificate seed value dictionary provides constraining information that is used at the time the signature is applied.

CertificateSeedValueOptionSpec values contain the following data items:

flags
An int value that represents the flags associated with this certificate seed value. A value of 1 means that a signer is required to use only the specified values for the entry. A value of 0 means that other values are permissible. The default value is 0.

issuers
A list of byte values that contains byte-encoded X.509v3 certificates of acceptable issuers. If the signer's certificate is in the chain of the listed issuers, the certificate is considered acceptable for signing.

keyUsage
A string value that specifies an acceptable key-usage extension that must be present in the signing certificate. Multiple strings are used to specify a range of acceptable extensions.

Each character in the string represents a key-usage type, where the order of the characters indicates the key-usage extension it represents. The first through ninth characters in the string represent the following key-usage extensions:

1 : digitalSignature

2 : non-Repudiation

3 : keyEncipherment

4 : dataEncipherment

5 : keyAgreement

6 : keyCertSign

7 : crlSign

8 : encipherOnly

9 : decipherOnly

Any additional characters are ignored. Any missing characters, and any characters that are not one of the valid values (0, 1, or X), are set to X.

Each string is composed of the following characters:

0 : Corresponding key-usage must not be set.

1 : Corresponding key-usage must be set.

X : The state of the corresponding key-usage does not matter.

Note: For example, the string values '1' and '1XXXXXXXX' represent settings where the key-usage type digitalSignature must be set, and the state of the other key-usage types does not matter.
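The keyUsage encoding described above, worked through as an added example (this is not AEM forms code). The function names, the use of a set of key-usage names to stand in for a parsed certificate, and the rule that matching any one of several strings is sufficient are assumptions made for illustration.

```python
# Added example: names below are illustrative, not part of AEM forms.
# Positions 1-9 of a keyUsage string, in the order listed above.
KEY_USAGE_ORDER = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "crlSign", "encipherOnly", "decipherOnly",
)


def normalize(spec):
    """Return the 9-character form of one keyUsage string.

    Characters past the ninth are ignored; missing characters and
    characters other than 0, 1 or X become X.
    """
    padded = spec[:9].ljust(9, "X")
    return "".join(c if c in "01X" else "X" for c in padded)


def describe(spec):
    """Split one string into the usages it requires and those it forbids."""
    pairs = list(zip(KEY_USAGE_ORDER, normalize(spec)))
    required = [name for name, flag in pairs if flag == "1"]
    forbidden = [name for name, flag in pairs if flag == "0"]
    return required, forbidden


def spec_matches(spec, cert_usages):
    """True if a certificate's set of key usages satisfies one string."""
    required, forbidden = describe(spec)
    return (all(u in cert_usages for u in required)
            and not any(u in cert_usages for u in forbidden))


def certificate_acceptable(specs, cert_usages):
    """Assumption: with several strings, matching any one is enough.

    An empty list is treated as "no keyUsage constraint".
    """
    return not specs or any(spec_matches(s, cert_usages) for s in specs)


if __name__ == "__main__":
    # Constructed key-usage sets standing in for parsed certificates.
    signer = {"digitalSignature", "nonRepudiation"}
    ca = {"keyCertSign", "crlSign"}
    for label, usages in (("signer", signer), ("ca", ca)):
        print(label, certificate_acceptable(["1XXXX0"], usages))
```

Reviewing a seed value with describe() before deployment shows exactly which usages a string requires and forbids, which is easy to misread in the positional form.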

oids
A list of string values, where each string contains object identifiers (OIDs) of the certificate policies that must be present in the signing certificate.

subjectDN
A list of string values, where each string contains key-value pairs that specify the subject Distinguished Name (DN) that must be present within the certificate for it to be acceptable for signing. The certificate must at least contain all the attributes specified in the dictionary, but can also contain other attributes.

subjects
A list of byte values that contains byte-encoded X.509v3 certificates that are acceptable for signing.

url
A string value that specifies the URL that can be used to enroll for a new credential if a matching credential is not found.

urlType
A string value that contains the name indicating the usage of the URL entry. There are standard and implementation-specific uses for the URL.

The value Browser represents a valid standard usage. It specifies that the URL references the content to be displayed in a web browser to allow enrolling for a new credential.

The value ASSP represents a valid implementation-specific usage, defined for use by Adobe Systems. It specifies that the URL references a signature web service used for server-based signing.

Note: Third parties can extend the use of this item with their own values. These values must conform to the guidelines described in Appendix E of the PDF Utilities.

digestMethod

A HashAlgorithm value that specifies the names of the acceptable digest algorithms to use while signing.

digestMethod can be one of these string values:

SHA1:
The Secure Hash Algorithm has a 160-bit hash value.

SHA256:
The Secure Hash Algorithm has a 256-bit hash value.

SHA384:
The Secure Hash Algorithm has a 384-bit hash value.

SHA512:
The Secure Hash Algorithm has a 512-bit hash value.

RIPEMD160:
The RACE Integrity Primitives Evaluation Message Digest has a 160-bit message digest algorithm.

Note: This data item is applicable only if the digital credential used for signing contains RSA public/private keys. If the digital credential contains a DSA public/private key, the digest algorithm is always SHA1.

filter

Deprecated, use filterEX.

filterEX

A PDFFilterType value that represents a signature handler that is used to sign the signature field. The only valid value is Adobe_PPKLite.

flags

An int value that represents the flag associated with the seed value. These values are valid:

1 (Filter):
The signature handler used to sign the signature field.

2 (SubFilter):
An array of names indicating acceptable encodings to use when signing.

3 (V):
The minimum required version number of the signature handler used to sign the signature field.

4 (Reasons):
An array of strings specifying possible reasons for signing a document.

5 (PDFLegalWarnings):
An array of strings specifying possible legal attestations.

6 (AddRevInfo):
Revocation information.

7 (DigestMethod):
A name identifying the algorithm used when computing the digest.

The default value of 0 means that the associated entry is an optional constraint.

legalAttestations

A string value that represents a legal attestation associated with the seed value.

mdpValue

An MDPPermissions value that specifies the changes that can be made to a PDF document without invalidating the signature after the legal attestations are provided.

These string values are valid:

NonAuthorSignature:
The signature is an ordinary signature.

NoChanges:
No changes to the document are allowed. Any change invalidates the signature.

FormChanges:
Permitted changes include filling in the form, instantiating page templates, and signing the form.

AnnotationFormChanges:
In addition to FormChanges, other permitted changes include annotation creation, deletion, and modification.

reasons

A string value that specifies the reason for signing the PDF document.

subFilter

Deprecated, use subFilterEx.

subFilterEx

A PDFSubFilterType value that represents an encoding to use when signing the PDF form. These string values are valid:

adbe_pkcs7_detached:
No data is encapsulated in the PKCS#7-signed data field.

adbe_pkcs7_sha1:
The adbe.pkcs7.sha1 digest of the byte range is encapsulated in the PKCS#7-signed data field.

adbe_x509_rsa_sha1:
The adbe.x509.rsa.sha1 digest uses the RSA encryption algorithm and SHA-1 digest method.

timeStampSeed

A PDFTimeStampSeed value that represents the timestamp associated with this seed value dictionary. It contains two values:

url:
A string value that represents the URL of the timestamp server used. If the URL is null and a timestamp is required, the URL is obtained from the certificate that is used to sign the PDF document.

requiresTimeStamp:
A boolean value that specifies whether the timestamp is required while signing a PDF document.

version

A double value that specifies the minimum PDF version required to sign the signature field. The valid values are PDF 1.5 and PDF 1.7.
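The cross-field rules stated in the data item descriptions above, collected into a pre-flight check as an added example (this is not AEM forms code). The dict layout keyed by data item name, the function name check_seed_value, the key_type parameter, and treating digestMethod as a single string are assumptions made for illustration.

```python
# Added example: the dict layout and function name are illustrative,
# not an AEM forms API. Keys follow the data item names on this page.
PKCS7_SUBFILTERS = {"adbe_pkcs7_detached", "adbe_pkcs7_sha1"}
DIGESTS = {"SHA1", "SHA256", "SHA384", "SHA512", "RIPEMD160"}


def check_seed_value(seed, key_type="RSA"):
    """Return a list of problems found in a seed value settings dict."""
    problems = []
    sub = seed.get("subFilterEx")
    rev = seed.get("addRevInfo", False)  # documented default is false

    if sub in PKCS7_SUBFILTERS and not rev:
        problems.append(f"addRevInfo must be true with {sub}")
    # The page writes this value both with and without the adbe_ prefix.
    if sub is not None and sub.endswith("x509_rsa_sha1") and rev:
        problems.append("addRevInfo must be omitted or false with "
                        "x509_rsa_sha1, or signing fails")

    if seed.get("filterEX", "Adobe_PPKLite") != "Adobe_PPKLite":
        problems.append("filterEX: only Adobe_PPKLite is valid")
    if seed.get("version") not in (None, 1.5, 1.7):
        problems.append("version must be 1.5 or 1.7")

    digest = seed.get("digestMethod")
    if digest is not None and digest not in DIGESTS:
        problems.append(f"unknown digestMethod {digest}")
    elif digest not in (None, "SHA1") and key_type == "DSA":
        problems.append("digestMethod does not apply to DSA credentials; "
                        "SHA1 is always used")

    ts = seed.get("timeStampSeed", {})
    if ts.get("requiresTimeStamp") and not ts.get("url"):
        problems.append("timestamp required but url is empty: the URL is "
                        "taken from the signing certificate")
    return problems


if __name__ == "__main__":
    # Constructed settings: PKCS#7 encoding with addRevInfo left at default.
    sample = {"subFilterEx": "adbe_pkcs7_detached", "digestMethod": "SHA256"}
    for problem in check_seed_value(sample):
        print(problem)
```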

Datatype specific settings

Properties for the document signature.

For the properties that are formatted as an editable list, use the following buttons to manage the list:

Add A List Entry (green plus sign):
Adds an entry to the list. Depending on the option, type the information, select an item from a drop-down list, or select a file from a network location or computer. When you select a file from a location on your computer, during run time, the file must exist in the same location on AEM forms Server.

Delete Selected List Entry (red "X"):
Removes an entry from the list.

Move Selected List Entry Up One Row (blue arrowhead pointing up):
Moves the selected entry up in the list.

Move Selected List Entry Down One Row (blue arrowhead pointing down):
Moves the selected entry down in the list.

Some properties have the Required option beside them. Selecting this option means that the property is a required constraint and without it, the signing fails.

Signature Handler Options

Options for specifying the filters and subfilters used for validating a signature field. The signature field is embedded in a PDF document and the seed value dictionary is associated with a signature field.

Signature Handler

A list of handlers to use for the digital signatures. Adobe.PPKLite is a valid string value that can be selected to represent the creation and validation of Adobe-specific signatures. You can use other signature handlers by typing values, such as Entrust.PPEF, CIC.SignIt, and VeriSign.PPKVS. For information about supported signature handlers, see PDF Utilities. No default value is selected.

Adobe.PPKLite:
The recommended handler for signing PDF documents.

Required:
Select to specify that the signature handler is used for the seed value. It is not selected by default.

Signature SubFilter

The supported subfilter names, which describe the encoding of the signature value and key information. Signature handlers must support the listed subfilters; otherwise, the signing fails. These string values, which you must type, are valid for public-key cryptography (see PDF Utilities):

adbe.x509.rsa_sha1:
The key contains a DER-encoded PKCS#1 binary data object. The binary objects represent the signature obtained as the RSA encryption of the byte range SHA-1 digest with the private key of the signer. Use this value when signing PDF documents using PKCS#1 signatures.

adbe.pkcs7.detached:
The key is a DER-encoded PKCS#7 binary data object containing the signature. No data is encapsulated in the PKCS#7-signed data field.

adbe.pkcs7.sha1:
The key is a DER-encoded PKCS#7 binary object representing the signature value. The SHA-1 digest of the byte range is encapsulated in the PKCS#7 signed data.

Required:
Select to specify that signature subfilters are used for the seed value. It is not selected by default.

Digest Methods

The list of acceptable hashing algorithms to use. No default hashing algorithm is provided. Add an item to the list and select a hashing algorithm. Select one of these values:

SHA1:
The Secure Hash Algorithm that has a 160-bit hash value.

SHA256:
The Secure Hash Algorithm that has a 256-bit hash value.

SHA384:
The Secure Hash Algorithm that has a 384-bit hash value.

SHA512:
The Secure Hash Algorithm that has a 512-bit hash value.

RIPEMD160:
The RACE Integrity Primitives Evaluation Message Digest that has a 160-bit message digest algorithm and is not FIPS-compliant.

Required:
Select to specify that the listed hashing algorithms are used for the seed value. It is not selected by default.

Minimum Signature Compatibility Level

The minimum PDF version to use to sign the signature field. No default value is selected. Select one of these values:

PDF 1.5:
Use PDF Version 1.5.

PDF 1.7:
Use PDF Version 1.7.

Required:
Select to specify that the minimum signature compatibility level is used for the seed value. It is not selected by default.

Signature Information

A group of options for specifying the reasons, timestamp, and details of the digital signature.

Include Revocation Information In Signature

Select to specify that revocation information must be embedded as part of the signature for long-term validation support. When you deselect this option, the revocation information is not embedded as part of the signature. By default, this option is deselected.

Required:
Select to specify that revocation checking is required for the seed value. It is not selected by default.

Signing Reasons

The list of reasons that are associated with the seed value dictionary used for signing the PDF document. Add an item to the list and type a reason.

Required:
Select to specify that the associated reasons are included for the seed value. It is not selected by default.

TimeStamp Server URL

The URL that specifies the location of the timestamp server to use when signing a PDF document.

Required:
Select to specify that the timestamp server is required for the seed value. It is not selected by default.

Signing/Enrollment Server URL

The location of the server that provides a web service. The web service digitally signs a PDF document or enrolls for new credentials.

Required:
Select to specify that the signing or enrollment server is used for the seed value. It is not selected by default.

Server Type

The type of server to use for the value specified for the Signing/Enrollment Server URL option. The default value is Browser. Select one of these values:

Browser:
The URL references content that is displayed in a web browser to allow enrolling for a new credential if a matching credential is not found.

ASSP:
The URL references a signature web service. The web service is used to digitally sign the PDF document on a server. The server is specified in the Signing/Enrollment Server URL option in this operation.

Required:
Select to use the web service to sign the PDF document. It is not selected by default.

Signature Type

The changes that are permitted after the signature is added and legal attestations are provided.

Type of Signature

The list representing the type of signatures that can be applied to the signature field. The default value is Any. Select one of these values.

Any:
Any type of signature can be applied when filling in forms, instantiating page templates, or creating, deleting, and modifying annotations.

Recipient Signature:
Constrains the signer to apply a Four Corner security model on the signature field.

Certification Signature:
Constrains the signer to apply a certification signature on the signature field with specified permissions. The specified permissions are configured in the Field MDP Options Spec property for this operation. No default value is selected. Select one of these values:

  • No changes allowed: The end user is not permitted to change the form. Any change invalidates the signature.

  • Form fill-in and digital signatures: The end user is permitted to fill in the form, instantiate page templates, and sign the form.

  • Annotations, form fill-in, and digital signatures: The end user is permitted to fill in the form, instantiate page templates, sign the form, and create, delete, and modify annotations.

Legal Attestations

The list of legal attestations associated with the seed value. Legal attestation constraints affect only a certification signature. Add a legal attestation to the list by typing it. No default legal attestations are provided.

Required:
Select to specify that legal attestations are used for the seed value. It is not selected by default.

Signing Certificates

The list of certificates, keys, issuers, and policies used for a digital signature. Add certificates, keys, issuers, and policies to the list using the Open dialog box.

Signing Certificates

A list of certificates used for certifying and verifying a signature.

Required:
Select to specify that signing certificates are used for the seed value. It is not selected by default.

Subject Distinguished Name

The list of dictionaries, where each dictionary contains key-value pairs that specify the subject distinguished name (DN). The DN must be present within the certificate for it to be acceptable for signing. Add DNs to the list by using the Add Subject DN dialog box. (See Add Subject DN.)

Required:
Select to specify that subject distinguished names are used for the seed value. It is not selected by default.

KeyUsage

The list of key usage extensions that must be present in the signing certificate. Add an entry to the list and select the key usage. The default for both the DigitalSignature field and Non-Repudiation field is Don’t Care:

Don’t Care:
The key usage extension is optional.

Require Key Usage:
The key usage extension must be present.

Exclude Key Usage:
The key usage extension must not be present.

Required:
Select to specify that key usage extensions are used for the seed value. It is not selected by default.

Additional key usage entries are available in the PDF Utilities.

Issuers and Policies

The list of certificate issuers, policies, and associated object identifiers.

Certificate Issuers

The list of certificate issuers. Add certificate issuers to the list using the Open dialog box.

Required:
Select to specify that certificate issuers are used for the seed value. It is not selected by default.

Certificate Policies and Associated Object Identifiers

The list of certificate policies associated with the certificate seed value. Add certificate policies to the list by typing them.

Required:
Select to specify that certificate policies and associated identifiers are used for the seed value. It is not selected by default.
