Signature Modules
Overview
The SetaPDF-Signer component delegates the signature process to signature modules, which may use various signature backends to create the final signature.
All modules implement the \setasign\SetaPDF2\Signer\Signature\Module\ModuleInterface interface. The module has to create a DER-encoded PKCS#7/CMS binary data object containing the signature; no data shall be encapsulated in its SignedData field (a detached signature).
The SetaPDF-Signer component is shipped with several signature modules with different requirements and features:
| Module | Native PHP | Control over digest algorithm | CMS structure extendable | PAdES conform |
|---|---|---|---|---|
| PAdES Module | yes | yes | yes | yes |
| CMS Module | yes | yes | yes | no |
| OpenSSL Module | yes | no | no | no |
| OpenSSL CLI S/MIME | no | yes | no | no |
| OpenSSL CLI CMS | no | yes | no | no |
If none of the above fits your needs, see the additional modules or create your own individual module.
Keys in PKCS#12 Format (.pfx / .p12)
A certificate and its private key may be stored in a PKCS#12 archive (.pfx / .p12), which cannot be passed directly to PHP's built-in OpenSSL functions. You will need to read the data manually with the openssl_pkcs12_read() function and pass the results along as strings:

```php
// read certificate and private key from the PFX file
$pkcs12 = [];
$pfxRead = openssl_pkcs12_read(
    file_get_contents('path/to/the/certificate.pfx'),
    $pkcs12,
    'the password to decrypt it'
);

// error handling
if (false === $pfxRead) {
    throw new \Exception('The certificate could not be read.');
}

// create e.g. a PAdES module instance
$module = new \setasign\SetaPDF2\Signer\Signature\Module\Pades();
// pass the certificate ...
$module->setCertificate($pkcs12['cert']);
// ...and private key to the module
$module->setPrivateKey($pkcs12['pkey']);

// pass extra certificates if included in the PFX file
if (isset($pkcs12['extracerts']) && count($pkcs12['extracerts'])) {
    $module->setExtraCertificates($pkcs12['extracerts']);
}
```
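A pre-flight check on the PKCS#12 contents before they are passed to a module, given here as an added example that is not part of SetaPDF-Signer: it confirms that the private key belongs to the certificate and that the certificate is inside its validity period. The helper name loadSigningCredentials() and the in-memory self-signed test certificate are assumptions constructed for illustration.

```php
<?php
// loadSigningCredentials() is a hypothetical helper, not a SetaPDF-Signer API.
function loadSigningCredentials(string $pkcs12Data, string $password, ?int $now = null): array
{
    $now = $now ?? time();
    $pkcs12 = [];
    if (!openssl_pkcs12_read($pkcs12Data, $pkcs12, $password)) {
        // drain OpenSSL's error queue so the cause (e.g. a wrong password) is reported
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        throw new \RuntimeException('PKCS#12 could not be read: ' . implode('; ', $errors));
    }
    // the private key must belong to the signer certificate
    if (!openssl_x509_check_private_key($pkcs12['cert'], $pkcs12['pkey'])) {
        throw new \RuntimeException('Private key does not match the certificate.');
    }
    // reject certificates that are not yet valid or already expired
    $info = openssl_x509_parse($pkcs12['cert']);
    if ($info === false || $now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        throw new \RuntimeException('Certificate is not valid at signing time.');
    }
    return [
        'cert' => $pkcs12['cert'],
        'pkey' => $pkcs12['pkey'],
        'extracerts' => $pkcs12['extracerts'] ?? [],
    ];
}

// Constructed sample input: a throwaway self-signed certificate packed into PKCS#12 in memory.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'Constructed Test Signer'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
openssl_pkcs12_export($cert, $p12, $key, 'constructed-password');

$credentials = loadSigningCredentials($p12, 'constructed-password');
echo openssl_x509_parse($credentials['cert'])['subject']['CN'], PHP_EOL;

try {
    loadSigningCredentials($p12, 'wrong password');
} catch (\RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned 'cert', 'pkey' and 'extracerts' values are the same strings that the listing above passes to setCertificate(), setPrivateKey() and setExtraCertificates().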
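If you use a module that works with OpenSSL via the command line, you should convert your PKCS#12 file to a PEM file. This can be done with OpenSSL as follows (the -nodes option writes the private key to the output file unencrypted, so restrict access to that file):

```
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
```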
