Click or drag to resize
Pdftools logo

PdfTools.Crypto Namespace

Public enumerationHashAlgorithm
Public enumerationSignatureAlgorithm

Cryptographic signature algorithm

Public enumerationSignatureFormat
Public enumerationSignaturePaddingType

Padding scheme of the cryptographic signature algorithm

The signature algorithm is defined by the signing certificate's key type. For example, RSA or ECDSA. For some keys, e.g. RSA keys, there are different padding algorithms. Some cryptographic providers let you set this padding algorithm. However, this only has an effect on signatures created by the cryptographic provider itself. All signed data acquired from external sources may use other signing algorithms; more specifically, the issuer certificates of the trust chain, the time-stamp’s signature, or those used for the revocation information (CRL, OCSP). It is recommended to verify that the algorithms of all signatures provide a similar level of security.
Public enumerationValidationInformation

Whether to embed validation information to enable the long-term validation (LTV) of the signature

Embed revocation information such as online certificate status response (OCSP - RFC2560) and certificate revocation lists (CRL - RFC3280). Revocation information of a certificate is provided by a validation service at the time of signing and acts as proof that the certificate was valid at the time of signing. This is useful because even when the certificate expires or is revoked at a later time, the signature in the signed document remains valid.

Embedding revocation information is optional but suggested when applying advanced or qualified electronic signatures. This feature is not always available. It has to be supported by the signing certificate and the cryptographic provider. Also, it is not supported by document time-stamp signatures. For these cases, a subsequent invocation of Process(Document, Stream, OutputOptions, Provider) with AddValidationInformation is required.

Revocation information is embedded for the signing certificate and all certificates of its trust chain. This implies that both OCSP responses and CRLs can be present in the same message. The disadvantages of embedding revocation information are the increase of the file size (normally by around 20KB), and that it requires a web request to a validation service, which delays the process of signing. Embedding revocation information requires an online connection to the CA that issues them. The firewall must be configured accordingly. If a web proxy is used (see Proxy), make sure the following MIME types are supported:

  • application/ocsp-request
  • application/ocsp-response