Signature Modules

Overview

The SetaPDF-Signer component delegates the signature process to signature modules, which may use various signature backends to create the final signature.

All modules implement the SetaPDF_Signer_Signature_Module_ModuleInterface interface. A module has to create a DER-encoded PKCS#7/CMS binary data object containing the signature. The signature must be detached: no data shall be encapsulated in its SignedData field.

The SetaPDF-Signer component is shipped with several signature modules with different requirements and features: 

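| Module         | Native PHP | Control over digest algorithm | CMS structure extendable | PAdES conformant |
|----------------|------------|-------------------------------|--------------------------|------------------|
| OpenSSL Module | yes        | no                            | no                       | no               |
| CMS Module     | yes        | yes                           | yes                      | no               |
| PAdES Module   | yes        | yes                           | yes                      | yes              |
| OpenSSL S/MIME | no         | yes                           | no                       | no               |
| OpenSSL CMS    | no         | yes                           | no                       | no               |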

If none of the above fits your needs you can still create an individual module.

Keys in PKCS#12 Format (.pfx / .p12)

A certificate and its private key may be stored in a PKCS#12 archive (.pfx / .p12), which cannot be passed directly to PHP's built-in OpenSSL functions. You need to read the data manually with the openssl_pkcs12_read() function and pass the results along as strings:

PHP
// read certificate and private key from the PFX file
$pkcs12 = array();
$pfxRead = openssl_pkcs12_read(
    file_get_contents('path/to/the/certificate.pfx'),
    $pkcs12,
    'the password to decrypt it'
);

// error handling
if (false === $pfxRead) {
    throw new Exception('The certificate could not be read.');
}

// create e.g. a PAdES module instance
$module = new SetaPDF_Signer_Signature_Module_Pades();
// pass the certificate ...
$module->setCertificate($pkcs12['cert']);
// ...and private key to the module
$module->setPrivateKey($pkcs12['pkey']);

// pass extra certificates if included in the PFX file
if (isset($pkcs12['extracerts']) && count($pkcs12['extracerts'])) {
    $module->setExtraCertificates($pkcs12['extracerts']);
}
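
The following is an added example, not part of the SetaPDF documentation or code. It shows checks worth running between reading the PFX and handing its parts to a module: the private key must match the certificate, and the certificate must be valid at signing time. The helper loadSigningCredentials() is hypothetical, and the PFX is a constructed, throwaway self-signed certificate generated in memory.

```php
<?php
// Added example, not SetaPDF code. loadSigningCredentials() is a hypothetical helper.
function loadSigningCredentials(string $pfxData, string $password, ?int $now = null): array
{
    $pkcs12 = [];
    if (!openssl_pkcs12_read($pfxData, $pkcs12, $password)) {
        // Report OpenSSL's own error queue rather than a generic message.
        $errors = [];
        while (($e = openssl_error_string()) !== false) {
            $errors[] = $e;
        }
        throw new RuntimeException('PKCS#12 could not be read: ' . implode('; ', $errors));
    }
    // The private key must belong to the signing certificate.
    if (!openssl_x509_check_private_key($pkcs12['cert'], $pkcs12['pkey'])) {
        throw new RuntimeException('Private key does not match the certificate.');
    }
    // The certificate must be inside its validity period at signing time.
    $now = $now ?? time();
    $info = openssl_x509_parse($pkcs12['cert']);
    if ($info === false || $now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        throw new RuntimeException('Certificate is not valid at signing time.');
    }
    $pkcs12['extracerts'] = $pkcs12['extracerts'] ?? [];
    return $pkcs12;
}

// Constructed sample input: a throwaway self-signed certificate (30 days) exported to PKCS#12.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'Constructed Example Signer'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
openssl_pkcs12_export($cert, $pfxData, $key, 'sample-password');

$credentials = loadSigningCredentials($pfxData, 'sample-password');
echo 'accepted, extra certificates: ', count($credentials['extracerts']), "\n";
// $credentials['cert'], ['pkey'] and ['extracerts'] can now go to setCertificate(),
// setPrivateKey() and setExtraCertificates() as in the snippet above.

// Wrong password, and a signing time 40 days ahead (certificate expired): both rejected.
foreach ([['wrong-password', null], ['sample-password', time() + 40 * 86400]] as [$pw, $when]) {
    try {
        loadSigningCredentials($pfxData, $pw, $when);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```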

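If you use a module which works with OpenSSL via the command line, you should convert your PKCS#12 file to a PEM file. Note that the -nodes option writes the private key unencrypted into the output file, so access to that file should be restricted. The conversion can be done with OpenSSL as follows: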

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes