pdfcpusign

package module
v0.0.0-...-9a1ea71 Latest Latest
Published: Aug 25, 2025 License: Apache-2.0 Imports: 19 Imported by: 0

README

PDFCPU Sign

A Go-native PDF signing library, on top of pdfcpu.

Currently, the only implemented signature handler is Adobe PKCS#7 detached (CMS) which is by far the most widely used one.

Simple Usage Example

package main

import (
	"crypto"
	"log"
	"time"

	pdfcpusign "github.com/agcom/pdfcpu-sign"
	"github.com/agcom/pdfcpu-sign/testutils"
)

// main certifies ./_samples/minimal.pdf with the Adobe PKCS#7 detached handler
// and writes the signed copy to ./_samples/minimal-signed.pdf.
func main() {
	// testutils.GenKert comes from the module's test helpers; presumably it returns
	// a freshly generated throwaway key pair and certificate (TODO confirm). That
	// is enough for a demo, but verifiers have no reason to trust such a
	// certificate. Production signing should use a key and certificate issued by
	// a CA the verifiers trust, preferably kept in an HSM or token (the README's
	// API application uses keys over PKCS#11).
	signKey, _, signCert := testutils.GenKert()

	// The third argument is certParents; nil supplies no parent certificates.
	// crypto.SHA256 is the digest algorithm handed to the handler.
	handler := pdfcpusign.NewAdobePkcs7DetachedSigHandler(signKey, signCert, nil, crypto.SHA256)

	// These fields are asserted by the signer. Time is read from the local
	// clock, so it is a claimed signing time rather than a trusted timestamp.
	signer := &pdfcpusign.SignerInfo{
		Name:        "Alireza",
		Location:    "Earth",
		Reason:      "Test",
		ContactInfo: "example@example.org",
		Time:        time.Now(),
	}

	// A certification signature with DocMdpPermNoChanges declares that no
	// changes are allowed after signing.
	request := &pdfcpusign.SignInfo{
		Type:       pdfcpusign.SignTypeCert,
		DocMdp:     pdfcpusign.DocMdpPermNoChanges,
		SignerInfo: signer,
	}

	if err := pdfcpusign.SignFile(
		handler,
		"./_samples/minimal.pdf",
		"./_samples/minimal-signed.pdf",
		request.ToSig(),
	); err != nil {
		log.Fatalf("Sign PDF failed: %s.\n", err)
	}
}

API Application

There is an API application at /cmds/api that utilizes keys over a PKCS#11 interface.

Documentation

Index

Constants

// SubFilter values name the encoding of the signature value stored in a
// signature dictionary (the SubFilter entry).
//
// The two SHA-1-based names are deprecated in PDF 2.0 (see the per-line notes).
// SHA-1 is no longer collision-resistant, so they should not be chosen for new
// signatures. According to the README, adbe.pkcs7.detached is the only encoding
// this package currently implements a handler for. Whether anything in the
// package consumes the other names is not visible here.
const (
	SubFilterAdobeX509RsaSha1   = "adbe.x509.rsa_sha1" // Deprecated in PDF 2.0.
	SubFilterAdobePkcs7Sha1     = "adbe.pkcs7.sha1"    // Deprecated in PDF 2.0.
	SubFilterAdobePkcs7Detached = "adbe.pkcs7.detached"
	SubFilterEtsiCadesDetached  = "ETSI.CAdES.detached" // >= PDF 2.0.
	SubFilterEtsiRfc3161        = "ETSI.RFC3161"        // >= PDF 2.0; For TypeDocTimeStamp.
)
// Filter values name the preferred signature handler recorded in a signature
// dictionary (the Filter entry).
//
// NOTE(review): which of these names the package actually writes is not visible
// here; presumably the PKCS#7 detached handler uses one of them. Confirm.
// The Filter name is only a hint about the producing handler. The signature
// encoding that a verifier has to validate is identified by SubFilter.
const (
	FilterAdobePpkLite  = "Adobe.PPKLite"
	FilterAdobePpkms    = "Adobe.PPKMS"
	FilterEntrustPpkef  = "Entrust.PPKEF"
	FilterCiciSignIt    = "CICI.SignIt"
	FilterVeriSignPpkvs = "VeriSign.PPKVS"
)

Variables

This section is empty.

Functions

func SignFile

func SignFile(h SigHandler, in string, out string, sig *Sig) error

func SignPipe

func SignPipe(h SigHandler, in io.ReadSeeker, out io.Writer, sig *Sig, incrOnly bool) error

Types

type DocMdpPerm

type DocMdpPerm int

DocMdpPerm - DocMDP stands for Document Modification Detection and Prevention; only to be used beside certification signatures.

// DocMDP permission levels that a certification signature can declare.
//
// The value only states which later changes the signer tolerates. It is the
// validating application that compares incremental updates against it, so a
// verifier that does not evaluate DocMDP will not reject disallowed edits.
const (
	// DocMdpPermNoChanges allows no changes to the document after signing.
	DocMdpPermNoChanges DocMdpPerm = 1
	// DocMdpPermFormFillInAndPageTemplateInstAndSign allows form fill-in, page template instantiation,
	// and adding additional digital signatures after signing.
	DocMdpPermFormFillInAndPageTemplateInstAndSign DocMdpPerm = 2
	// DocMdpPermFormFillInAndPageTemplateInstAndSignAndAnnot allows everything level 2 allows, plus
	// adding annotations (for example commenting), post-signing.
	DocMdpPermFormFillInAndPageTemplateInstAndSignAndAnnot DocMdpPerm = 3
)

type FieldFlags

// FieldFlags is a bit set of form-field flags; SigField stores it in its
// FieldFlags member (PDF key Ff, per the comment there).
type FieldFlags uint32
// Each constant is a distinct bit (1 << iota gives 1, 2, 4), so values can be
// combined with bitwise OR.
const (
	FieldFlagReadOnly FieldFlags = 1 << iota
	FieldFlagRequired
	FieldFlagNoExport
)

type FieldMdpAction

// FieldMdpAction selects which form fields a FieldMDP transform or a signature
// field lock applies to. It is used by SigFieldLock.Action and
// TransformParamsFieldMdp.Action, each of which sits next to a Fields name list.
type FieldMdpAction string
// NOTE(review): presumably "All" covers every field, "Include" only the fields
// named in Fields, and "Exclude" every field except those named. Confirm
// against the ToPdfDict implementations.
const (
	FieldMdpActionAll     FieldMdpAction = "All"
	FieldMdpActionInclude FieldMdpAction = "Include"
	FieldMdpActionExclude FieldMdpAction = "Exclude"
)

type PropAuthType

// PropAuthType is the type of Sig.PropAuthType. It names the method by which
// the signer was authenticated before signing.
//
// The value is written by the signing side and is therefore a claim. A
// verifier has no way to confirm from the PDF alone that the stated method was
// really used.
type PropAuthType string
const (
	PropAuthTypePin         PropAuthType = "PIN"
	PropAuthTypePassword    PropAuthType = "Password"
	PropAuthTypeFingerprint PropAuthType = "Fingerprint"
)

type Sig

// Sig models a PDF signature dictionary; ToPdfDict renders it as a types.Dict.
// The short trailing comments (R, M, V) give the PDF key a field maps to.
type Sig struct {
	// Dictionary type (see SigType), handler name (see the Filter* constants)
	// and signature encoding (see the SubFilter* constants).
	Type      SigType
	Filter    string
	SubFilter string

	// Cert is a certificate list and Contents the raw signature value.
	// NOTE(review): with adbe.pkcs7.detached the certificates normally travel
	// inside the CMS structure in Contents. Confirm whether the handler also
	// fills Cert.
	Cert     []*x509.Certificate
	Contents []byte

	// In a PDF signature dictionary, ByteRange lists (offset, length) pairs of
	// the file bytes covered by the signature digest. Verifiers should check
	// that it spans the whole file except the Contents value.
	References []*SigRef // TODO: facilitate allowing indirect references to the signature reference dictionaries (only if ByteRange is not present).
	ByteRange  []int64

	// Time, Name, Reason and Location are supplied by the signer. Time is a
	// claimed signing time, not a trusted timestamp, and a verifier should take
	// the signer's identity from the validated certificate rather than from Name.
	// PropAuthTime and PropAuthType describe how the signer was authenticated
	// and are likewise only claims.
	HandlerVersion *int      // R; Deprecated in PDF 2.0.
	Time           time.Time // M
	Name           string
	Reason         string
	Location       string
	PropBuild      types.Dict // TODO: create its corresponding struct.
	PropAuthTime   *int
	PropAuthType   PropAuthType

	// Changes holds change counters (see SigChanges). ContactInfo is
	// signer-supplied contact text.
	Changes       *SigChanges
	ContactInfo   string
	FormatVersion int // V
}

func (*Sig) ToPdfDict

func (s *Sig) ToPdfDict() types.Dict

type SigChanges

// SigChanges holds three change counters referenced from Sig.Changes; ToPdfArr
// renders them as a types.Array.
// NOTE(review): presumably these count the changes made between the previous
// signature and this one, in the order the fields are declared. Confirm
// against ToPdfArr.
type SigChanges struct {
	PagesAltered   int
	FieldsAltered  int
	FieldsFilledIn int
}

func (*SigChanges) ToPdfArr

func (sc *SigChanges) ToPdfArr() types.Array

type SigField

// SigField models a signature form field; ToPdfDict renders it as a types.Dict.
// The trailing comments give the PDF key each Go field maps to. Value refers to
// the signature dictionary (see Sig) by indirect reference, and Lock refers to
// a lock dictionary (presumably a SigFieldLock, confirm).
type SigField struct {
	Page              *types.IndirectRef // P
	Parent            *types.IndirectRef
	Kids              []types.IndirectRef
	PartialName       string             // T
	AlternativeName   string             // TU
	MappingName       string             // TM
	FieldFlags        FieldFlags         // Ff
	Value             *types.IndirectRef // V. TODO: facilitate having a direct value.
	DefaultValue      *Sig               // DV. TODO: can a signature field have a default value?
	AdditionalActions types.Dict         // AA. TODO: create its corresponding struct.
	Lock              *types.IndirectRef
	SeedValue         *types.IndirectRef // SV. TODO: create its corresponding struct.
}

func (*SigField) ToPdfDict

func (sf *SigField) ToPdfDict() types.Dict

type SigFieldLock

// SigFieldLock describes which form fields are locked once a signature field
// is signed; ToPdfDict renders it as a types.Dict.
//
// Action selects the affected fields together with the Fields name list (see
// FieldMdpAction). Perm reuses the DocMDP permission levels.
// NOTE(review): locking is a declaration evaluated by the validating
// application. It does not by itself stop a later incremental update from
// being written.
type SigFieldLock struct {
	Action FieldMdpAction
	Fields []string
	Perm   DocMdpPerm
}

func (*SigFieldLock) ToPdfDict

func (s *SigFieldLock) ToPdfDict() types.Dict

type SigHandler

// SigHandler is the signing back-end passed to SignFile and SignPipe.
// NewAdobePkcs7DetachedSigHandler returns the implementation described in the README.
type SigHandler interface {
	// Sign presumably applies the signature described by sig to the document
	// held in pdfCtx (the implementation is not visible here).
	// Beware that after calling this function, you should only call api.WriteIncrement on the given context.
	// NOTE(review): the likely reason is that any other write path would
	// rewrite bytes already covered by the signature and so invalidate it.
	// Confirm with the handler implementation.
	Sign(pdfCtx *model.Context, sig *Sig) error
}

func NewAdobePkcs7DetachedSigHandler

func NewAdobePkcs7DetachedSigHandler(
	pvKey crypto.PrivateKey,
	cert *x509.Certificate,
	certParents []*x509.Certificate,
	digestAlg crypto.Hash,
) SigHandler

type SigRef

// SigRef models a signature reference dictionary, an element of
// Sig.References; ToPdfDict renders it as a types.Dict.
//
// NOTE(review): DigestMethod accepts any crypto.Hash, which includes MD5 and
// SHA-1. Callers should pass SHA-256 or stronger. How ToPdfDict treats values
// the PDF format does not define is not visible here.
type SigRef struct {
	TransformMethod TransformMethod
	TransformParams TransformParams // TODO: this can also be an indirect reference.
	Data            *types.IndirectRef
	DigestMethod    crypto.Hash // Deprecated in PDF 2.0. TODO: this value is way more limited than crypto.Hash available values.
}

func (*SigRef) ToPdfDict

func (sr *SigRef) ToPdfDict() types.Dict

type SigType

// SigType is the type of Sig.Type, the signature dictionary's type name.
type SigType string
// SigTypeSig marks an ordinary signature and SigTypeDocTimeStamp a document
// time stamp. The SubFilter constants note that ETSI.RFC3161 is the encoding
// meant for the time-stamp type.
const (
	SigTypeSig          SigType = "Sig"
	SigTypeDocTimeStamp SigType = "DocTimeStamp"
)

type SignInfo

// SignInfo is the high-level description of one signing request: the signature
// kind, the DocMDP permission level and the signer details. ToSig converts it
// into a *Sig.
//
// NOTE(review): the DocMdpPerm documentation says DocMDP is only to be used
// beside certification signatures. What ToSig does with DocMdp when Type is
// SignTypeApproval is not visible here.
type SignInfo struct {
	Type       SignType
	DocMdp     DocMdpPerm
	SignerInfo *SignerInfo
}

SignInfo holds a signing procedure information; it is only designed to be used in unmarshal positions (and not marshal positions) regarding ser/deserialization.

func (*SignInfo) ToSig

func (si *SignInfo) ToSig() *Sig

type SignType

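// SignType defines the signature type to use.
type SignType string

const (
	// SignTypeCert is a signature type that can be applied once to a PDF document (it must be the first signature),
	// and is always to be associated with the DocMDP field.
	SignTypeCert SignType = "certification"

	// SignTypeApproval is a signature type that can be applied multiple times to a PDF document.
	//
	// It carries an explicit SignType. Without one, the constant is an untyped
	// string: a plain string could be passed in its place unnoticed, and type
	// switches or %T would report string rather than SignType. Code that relied
	// on using it directly as a string needs an explicit string(...) conversion.
	SignTypeApproval SignType = "approval"
)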

type SignerInfo

// SignerInfo carries the descriptive signer details used by SignInfo.
//
// Every field is supplied by the signing side. Time is a claimed signing time
// (the README example fills it from time.Now()), not a trusted timestamp, and
// Name is free text: verifiers should identify the signer from the validated
// certificate rather than from these values.
type SignerInfo struct {
	Name        string
	Location    string
	Reason      string
	ContactInfo string
	Time        time.Time
}

SignerInfo holds the signer (usually a person or a company) information; it is only designed to be used in unmarshal positions (and not marshal positions) regarding ser/deserialization.

type TransformMethod

// TransformMethod is the type of SigRef.TransformMethod. It names the
// transform a signature reference dictionary applies.
type TransformMethod string
// DocMDP and FieldMDP have matching parameter types in this package
// (TransformParamsDocMdp, TransformParamsFieldMdp). No parameter type for
// "UR" is visible here.
const (
	TransformMethodDocMdp      TransformMethod = "DocMDP"
	TransformMethodUsageRights TransformMethod = "UR"
	TransformMethodFieldMdp    TransformMethod = "FieldMDP"
)

type TransformParams

// TransformParams is the parameter set stored in SigRef.TransformParams. The
// package documentation says it should be TransformParamsDocMdp or
// TransformParamsFieldMdp.
type TransformParams interface {
	// ToPdfDict renders the parameters as a types.Dict.
	ToPdfDict() types.Dict
	// contains filtered or unexported methods
	// (the line above is a documentation-viewer placeholder; an unexported
	// method means types outside this package cannot implement the interface)
}

TransformParams should either be TransformParamsDocMdp or TransformParamsFieldMdp.

type TransformParamsDocMdp

// TransformParamsDocMdp holds the parameters of a DocMDP transform: the
// permission level (see DocMdpPerm) and the parameter dictionary version.
// NewTransformParamsDocMdp constructs one. Which defaults it sets is not
// visible here.
type TransformParamsDocMdp struct {
	Perm    DocMdpPerm
	Version string // V
}

func NewTransformParamsDocMdp

func NewTransformParamsDocMdp() *TransformParamsDocMdp

func (*TransformParamsDocMdp) ToPdfDict

func (tp *TransformParamsDocMdp) ToPdfDict() types.Dict

type TransformParamsFieldMdp

// TransformParamsFieldMdp holds the parameters of a FieldMDP transform: the
// field selection (Action together with the Fields name list, see
// FieldMdpAction) and the parameter dictionary version.
// NewTransformParamsFieldMdp constructs one. Which defaults it sets is not
// visible here.
type TransformParamsFieldMdp struct {
	Action  FieldMdpAction
	Fields  []string
	Version string // V
}

func NewTransformParamsFieldMdp

func NewTransformParamsFieldMdp() *TransformParamsFieldMdp

func (*TransformParamsFieldMdp) ToPdfDict

func (tp *TransformParamsFieldMdp) ToPdfDict() types.Dict

Directories

Path Synopsis
cmds
api command
api/internal/pkcs11
Package pkcs11 is a coupled package that interacts with the PKCS#11 interface of a library specified through viper configuration; it fetches the key pair and their corresponding certificate which are specified by viper configuration (see the conf.go file in this package); it also exposes the *crypto11.Context under use.
