Signature Modules


The SetaPDF-Signer component transfers the signature process into signature modules, which may use various signature backends to create the final signature.

All modules implement the SetaPDF_Signer_Signature_Module_ModuleInterface interface. The module has to create a DER-encoded PKCS#7/CMS binary data object containing the signature while no data shall be encapsulated in its SignedData field (detached). 

The SetaPDF-Signer component is shipped with several signature modules with different requirements and features: 

Native PHP Control over digest algorithm CMS structure extendable PAdES conform
OpenSSL Module yes no no no
CMS Module yes yes yes no
PAdES Module yes yes yes yes
OpenSSL S/MIME no yes no no
OpenSSL CMS no yes no no

If none of the above fits your needs you can still create an individual module.

Keys in PKCS#12 Format (.pfx / .p12)

A certificate and its private key may be stored in a PKCS#12 archive (.pfx / .p12) which cannot be passed directly to the PHP build in OpenSSL functions. You will need to read the data manually with the openssl_pkcs12_read() function and pass them along as strings: 

// read certificate and private key from the PFX file
$pkcs12 = array();
$pfxRead = openssl_pkcs12_read(
    'the password to decrypt it'

// error handling
if (false === $pfxRead) {
    throw new Exception('The certificate could not be read.');

// create e.g. a PAdES module instance
$module = new SetaPDF_Signer_Signature_Module_Pades();
// pass the certificate ...
// ...and private key to the module

// pass extra certificates if included in the PFX file
if (isset($pkcs12['extracerts']) && count($pkcs12['extracerts'])) {

If you use a module which works with OpenSSL via command line you should convert your PKCS#12 file to a PEM file.  This can be done with OpenSSL that way:

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes