# PAdES B-LTA Long-Term Validation (LTV)

PAdES B-LTA (PDF Advanced Electronic Signatures, Baseline Long-Term Archive) is the highest-level signature profile defined in ETSI EN 319 142-1. It ensures that a digital signature can still be fully verified decades after the signing certificate has expired.

LTV achieves this by embedding all of the material needed for verification (OCSP responses, CRLs, and the certificate chain) in the document itself, removing any long-term dependency on external CA services.
## PAdES Profile Levels

```text
B-B ──────── baseline signature (signing certificate included)
└── B-T ──── + trusted timestamp (RFC 3161)
    └── B-LT ── + OCSP / CRL / certificate chain embedded (DSS dictionary)
        └── B-LTA ─ + archive timestamp (protects the DSS dictionary from tampering)
```

NextPDF Pro provides B-B. NextPDF Enterprise adds B-LT and B-LTA on top of it.
## Core API

### LtvSignature

```php
use NextPDF\Enterprise\Signatures\LtvSignature;
use NextPDF\Enterprise\Signatures\LtvConfig;
use NextPDF\Enterprise\Signatures\OcspProvider;
use NextPDF\Enterprise\Signatures\CrlProvider;
use NextPDF\Enterprise\Signatures\TsaProvider;
// The two classes below are referenced by this example but were not imported
// in the original snippet; their namespace is assumed to match the classes above.
use NextPDF\Enterprise\Signatures\PadesProfile;
use NextPDF\Enterprise\Signatures\SignatureAppearance;

$config = LtvConfig::create()
    ->withOcspProvider(
        OcspProvider::http(
            url: 'http://ocsp.acmeca.com',
            timeout: 10,
            cacheSeconds: 3600,
        )
    )
    ->withCrlProvider(
        CrlProvider::http(
            distributionPoints: 'auto', // taken automatically from the certificate's CDP extension
            refreshIntervalHours: 24,
        )
    )
    ->withTsaProvider(
        TsaProvider::rfc3161(
            url: 'https://tsa.acmeca.com',
            hashAlgorithm: 'SHA-384',
            requireSignedResponse: true,
        )
    )
    ->embedCertificateChain(true)        // embed the full certificate chain
    ->targetProfile(PadesProfile::BLta); // B-LTA

$ltv = new LtvSignature($config);

// $document and $pkcs12Credential are assumed to have been loaded earlier.
$signedDocument = $ltv->sign(
    document: $document,
    signerCredential: $pkcs12Credential,
    signatureAppearance: SignatureAppearance::visible(
        page: 1,
        x: 400.0,
        y: 50.0,
        width: 180.0,
        height: 60.0,
    ),
    reason: 'Contract Approval — FY2025',
    location: 'Taipei, Taiwan',
    contactInfo: '[email protected]',
);
```

**PHP Compatibility.** This example uses PHP 8.5 syntax. If your environment runs PHP 8.1 or 7.4, use NextPDF Backport for a backward-compatible build.
### DssBuilder

The DSS (Document Security Store) dictionary is the core data structure of PAdES B-LT/B-LTA; it holds all of the validation material:

```php
use NextPDF\Enterprise\Signatures\DssBuilder;
use NextPDF\Enterprise\Signatures\VriEntry;

$dssBuilder = DssBuilder::create()
    ->addCertificate($signerCert)
    ->addCertificate($intermediateCert)
    ->addCertificate($rootCert)
    ->addOcspResponse($signerOcspResponse)
    ->addOcspResponse($intermediateOcspResponse)
    ->addCrl($crlData)
    ->addVriEntry(
        VriEntry::create(
            signatureHash: $signatureHash,
            certificates: [$signerCert, $intermediateCert],
            ocspResponses: [$signerOcspResponse],
            crls: [$crlData],
            timestamp: $tst,
        )
    );

// Updating the DSS automatically triggers the archive timestamp (B-LTA).
// $ltv is the LtvSignature instance configured above.
$updatedDocument = $ltv->addDssAndArchiveTimestamp(
    document: $bLtDocument,
    dssBuilder: $dssBuilder,
);
```
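To make the structure behind `DssBuilder` concrete, the following added example (not NextPDF code) assembles a `/DSS` dictionary as PDF object syntax. It follows ISO 32000-2 §12.8.4.4, where the key of each `/VRI` entry is the upper-case hex SHA-1 digest of the signature's `/Contents` bytes; the DER blobs and object numbers are constructed placeholders, and the helper names (`vriKey`, `buildDss`, `streamObject`) are this example's own.

```php
<?php
// Added example (not NextPDF code): assemble the /DSS dictionary that a PAdES
// B-LT update appends to a PDF, as PDF object syntax.  The VRI key is the
// upper-case hex SHA-1 of the signature's /Contents bytes (ISO 32000-2
// 12.8.4.4).  All inputs below are constructed placeholders, not real DER.
declare(strict_types=1);

/** Key under which a signature's VRI entry is stored in /DSS /VRI. */
function vriKey(string $signatureContents): string
{
    return strtoupper(sha1($signatureContents));
}

/** Emit one indirect stream object ("N 0 obj ... endobj") carrying a DER blob. */
function streamObject(int $num, string $der): string
{
    return sprintf("%d 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n",
        $num, strlen($der), $der);
}

/**
 * Build the DSS dictionary plus the stream objects it references.
 *   $materials: ['Certs' => [der...], 'OCSPs' => [der...], 'CRLs' => [der...]]
 *   $vri:       VRI key => ['Cert' => [der...], 'OCSP' => [der...], 'CRL' => [der...]]
 * Returns [dssDictionaryText, streamObjectsText, nextFreeObjectNumber].
 */
function buildDss(array $materials, array $vri, int $firstObjNum): array
{
    $objNum  = $firstObjNum;
    $streams = '';
    $refOf   = []; // sha1(der) => "N 0 R", so a blob shared by /Certs and /VRI is emitted once
    $ref = function (string $der) use (&$objNum, &$streams, &$refOf): string {
        $k = sha1($der);
        if (!isset($refOf[$k])) {
            $refOf[$k] = "$objNum 0 R";
            $streams  .= streamObject($objNum, $der);
            $objNum++;
        }
        return $refOf[$k];
    };
    $arr = fn(array $ders) => '[' . implode(' ', array_map($ref, $ders)) . ']';

    $dss = '<< /Type /DSS';
    foreach (['Certs', 'OCSPs', 'CRLs'] as $key) {        // document-wide material
        if (!empty($materials[$key])) {
            $dss .= " /$key " . $arr($materials[$key]);
        }
    }
    $dss .= ' /VRI <<';
    foreach ($vri as $key => $entry) {                     // per-signature material
        $dss .= " /$key <<";
        foreach (['Cert', 'OCSP', 'CRL'] as $k) {
            if (!empty($entry[$k])) {
                $dss .= " /$k " . $arr($entry[$k]);
            }
        }
        $dss .= ' >>';
    }
    $dss .= ' >> >>';
    return [$dss, $streams, $objNum];
}

// Constructed placeholders standing in for real DER-encoded objects.
$signerCert        = 'DER:signer-cert';
$intermediateCert  = 'DER:intermediate-cert';
$ocsp              = 'DER:ocsp-response';
$crl               = 'DER:crl';
$signatureContents = 'DER:cms-signed-data'; // the bytes of the signature's /Contents entry

$key = vriKey($signatureContents);
[$dss, $streams, $next] = buildDss(
    ['Certs' => [$signerCert, $intermediateCert], 'OCSPs' => [$ocsp], 'CRLs' => [$crl]],
    [$key => ['Cert' => [$signerCert, $intermediateCert], 'OCSP' => [$ocsp], 'CRL' => [$crl]]],
    firstObjNum: 100,
);
echo $streams, "\n", $dss, "\n"; // $next is the first object number still free
```

In a real file the DSS objects are written as an incremental update after the existing signature, so the bytes covered by the signature's `/ByteRange` are left untouched; a validator that finds the DSS inside the signed range, or finds a `/VRI` key that does not match the SHA-1 of any signature's `/Contents`, should treat the material as unusable rather than trusted.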
### LTV Validation

```php
use NextPDF\Enterprise\Signatures\LtvValidator;

$validator = new LtvValidator(
    trustedRoots: $caBundle,
    allowOfflineValidation: true, // use the material embedded in the DSS; no network access required
);

$result = $validator->validate($signedPdfBytes);

foreach ($result->signatures() as $sig) {
    echo $sig->signerDN();
    echo $sig->signingTime()->format('c');
    echo $sig->profile()->name;          // B_B | B_T | B_LT | B_LTA
    echo $sig->validationStatus()->name; // VALID | INDETERMINATE | INVALID

    // long-term validation material
    echo $sig->ltvData()->ocspResponseCount();
    echo $sig->ltvData()->crlCount();
    echo $sig->ltvData()->archiveTimestampCount();
    echo $sig->ltvData()->estimatedValidUntil()->format('Y'); // estimated validity horizon
}
```
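`estimatedValidUntil()` reflects a property of B-LTA that is easy to overlook: the material in the DSS only stays provable for as long as the newest archive timestamp can itself be verified. The added example below (not NextPDF code; `ArchiveTimestampInfo`, `chainIntact`, `estimatedValidUntil` and `needsRenewal` are this example's own names, and the dates are constructed) shows the reasoning a validator applies: every renewal must land while the previous archive timestamp is still valid, the horizon is the expiry of the latest TSA certificate, and a weak digest in the latest token ends the horizon immediately.

```php
<?php
// Added example (not NextPDF code): estimate how long a B-LTA document stays
// verifiable offline and whether a fresh archive timestamp is due.  Inputs are
// constructed DateTimeImmutable values, not data read from a real PDF.
declare(strict_types=1);

final class ArchiveTimestampInfo
{
    public function __construct(
        public readonly DateTimeImmutable $genTime,         // time asserted by the TSA
        public readonly DateTimeImmutable $tsaCertNotAfter, // expiry of the TSA signing certificate
        public readonly string $hashAlgorithm,              // digest used in the token's message imprint
    ) {}
}

/** Digests no longer acceptable in a timestamp that has to keep proving integrity. */
const WEAK_TIMESTAMP_HASHES = ['md5', 'sha1'];

/** Oldest first. */
function sortedByGenTime(array $stamps): array
{
    usort($stamps, fn(ArchiveTimestampInfo $a, ArchiveTimestampInfo $b) => $a->genTime <=> $b->genTime);
    return $stamps;
}

/**
 * Each renewal must have been applied while the previous archive timestamp was
 * still verifiable; a gap breaks the chain of evidence permanently.
 */
function chainIntact(array $stamps): bool
{
    $stamps = sortedByGenTime($stamps);
    for ($i = 1, $n = count($stamps); $i < $n; $i++) {
        if ($stamps[$i]->genTime > $stamps[$i - 1]->tsaCertNotAfter) {
            return false;
        }
    }
    return true;
}

/**
 * The document remains verifiable until the newest archive timestamp can no
 * longer be validated (its TSA certificate expires or its digest is weak).
 * Returns null when the chain is broken or already unverifiable.
 */
function estimatedValidUntil(array $stamps): ?DateTimeImmutable
{
    if ($stamps === [] || !chainIntact($stamps)) {
        return null;
    }
    $sorted = sortedByGenTime($stamps);
    $latest = $sorted[count($sorted) - 1];
    if (in_array(strtolower($latest->hashAlgorithm), WEAK_TIMESTAMP_HASHES, true)) {
        return null;
    }
    return $latest->tsaCertNotAfter;
}

/** True when a new archive timestamp should be added now: horizon gone, or within $leadMonths of it. */
function needsRenewal(array $stamps, DateTimeImmutable $now, int $leadMonths = 12): bool
{
    $until = estimatedValidUntil($stamps);
    return $until === null || $now->add(new DateInterval("P{$leadMonths}M")) >= $until;
}

// Constructed sample: first archive timestamp in 2025, renewed in 2030 with a longer-lived TSA certificate.
$stamps = [
    new ArchiveTimestampInfo(new DateTimeImmutable('2025-06-01'), new DateTimeImmutable('2030-06-01'), 'sha384'),
    new ArchiveTimestampInfo(new DateTimeImmutable('2030-05-01'), new DateTimeImmutable('2041-05-01'), 'sha384'),
];
$until = estimatedValidUntil($stamps);
echo 'Verifiable until: ', $until?->format('Y-m-d') ?? 'already unverifiable', "\n";
foreach (['2031-01-01', '2040-09-01'] as $day) {
    echo $day, ': ', needsRenewal($stamps, new DateTimeImmutable($day)) ? 'renew now' : 'no renewal needed yet', "\n";
}
```

Operationally this means a B-LTA archive is a maintenance commitment, not a one-off: schedule a re-timestamping job driven by `needsRenewal`-style logic (or by `estimatedValidUntil()` from `LtvValidator`) well ahead of the TSA certificate's expiry, because once that certificate has lapsed no later timestamp can repair the chain.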
## Archive Timestamp

The archive timestamp is the key element of B-LTA. It covers the entire document, including the DSS dictionary, so the validation material itself cannot be tampered with unnoticed:

```mermaid
sequenceDiagram
    participant Doc as Document
    participant TSA as Timestamp Authority (TSA)
    participant DSS as DSS dictionary
    Doc->>TSA: signature hash (B-B)
    TSA-->>Doc: timestamp token (B-T)
    Doc->>Doc: embed OCSP + CRL + certificate chain (B-LT)
    Doc->>TSA: document hash (including DSS)
    TSA-->>Doc: archive timestamp token (B-LTA)
    Note over Doc,DSS: Any subsequent modification invalidates the archive timestamp
```

## Certificate Chain Embedding
```php
use NextPDF\Enterprise\Signatures\CertificateChainEmbedder;

$embedder = new CertificateChainEmbedder(
    trustedRoots: $caBundle,
    includeRoot: false, // the root CA is usually not embedded (relying parties should hold it themselves)
    resolveAia: true,   // download intermediate CAs automatically from the AIA extension
);

$chain = $embedder->buildChain($signerCertificate);
```
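Returning to the exchange in the archive-timestamp sequence diagram above: both TSA round-trips carry an RFC 3161 `TimeStampReq`. The added example below (not NextPDF code; `der`, `derInteger`, `timeStampReq` and `imprintStillMatches` are this example's own helpers, and the "document" is a constructed string) encodes that request over a SHA-384 digest, matching the `hashAlgorithm: 'SHA-384'` setting in the `TsaProvider` configuration, and then shows why a single byte changed after the archive timestamp breaks the binding.

```php
<?php
// Added example (not NextPDF code): the RFC 3161 TimeStampReq that a B-T or
// B-LTA step sends to the TSA, built over a SHA-384 digest, plus a check that
// shows why any byte changed after the archive timestamp breaks it.  The
// "document" below is a constructed string standing in for the PDF bytes.
declare(strict_types=1);

/** Minimal DER TLV encoder: one tag byte, definite-form length, content. */
function der(int $tag, string $content): string
{
    $len = strlen($content);
    if ($len < 0x80) {
        $lenBytes = chr($len);
    } else {
        $b = ltrim(pack('N', $len), "\0");       // big-endian length, no leading zero bytes
        $lenBytes = chr(0x80 | strlen($b)) . $b; // long form: 0x8n followed by n length bytes
    }
    return chr($tag) . $lenBytes . $content;
}

/** DER INTEGER from an unsigned big-endian byte string (prepends 0x00 when the top bit is set). */
function derInteger(string $bytes): string
{
    $bytes = ltrim($bytes, "\0");
    if ($bytes === '' || (ord($bytes[0]) & 0x80)) {
        $bytes = "\0" . $bytes;
    }
    return der(0x02, $bytes);
}

const OID_SHA384 = "\x60\x86\x48\x01\x65\x03\x04\x02\x02"; // 2.16.840.1.101.3.4.2.2, DER content bytes

/**
 * TimeStampReq ::= SEQUENCE {
 *   version        INTEGER { v1(1) },
 *   messageImprint SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING },
 *   nonce          INTEGER OPTIONAL,
 *   certReq        BOOLEAN DEFAULT FALSE }
 */
function timeStampReq(string $data, string $nonce): string
{
    $digest  = hash('sha384', $data, true);
    $algId   = der(0x30, der(0x06, OID_SHA384) . der(0x05, '')); // AlgorithmIdentifier { sha384, NULL }
    $imprint = der(0x30, $algId . der(0x04, $digest));
    return der(0x30,
        derInteger("\x01")    // version v1
        . $imprint
        . derInteger($nonce)  // nonce: lets the client match the response to this exact request
        . der(0x01, "\xff")   // certReq TRUE: ask the TSA to include its certificate in the token
    );
}

/** Does the digest bound in a timestamp token still match the bytes as they exist now? */
function imprintStillMatches(string $boundDigest, string $currentBytes): bool
{
    return hash_equals($boundDigest, hash('sha384', $currentBytes, true));
}

// Constructed stand-in for the PDF bytes up to and including the DSS update (the B-LT state).
$docWithDss = '%PDF-1.7 ... /Type /Sig ... /Type /DSS /OCSPs [101 0 R] ...';
$request = timeStampReq($docWithDss, random_bytes(8));
echo 'TimeStampReq (hex): ', bin2hex($request), "\n";

// The TSA signs this imprint inside the archive timestamp token.
$bound = hash('sha384', $docWithDss, true);
var_dump(imprintStillMatches($bound, $docWithDss));                      // the document as timestamped
var_dump(imprintStillMatches($bound, $docWithDss . ' /CRLs [102 0 R]')); // edited after timestamping
```

The request is sent as an HTTP POST with `Content-Type: application/timestamp-query`, and the TSA answers with a `TimeStampResp` whose `TSTInfo` carries the same message imprint and the nonce, both of which the client must compare before accepting the token. In a real PAdES document timestamp the imprint is computed over the `/ByteRange` of the `DocTimeStamp` signature, which is every byte of the file except the token's own `/Contents` placeholder; the whole string stands in for that range here.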
## Performance Specifications

| Operation | Metric |
|---|---|
| B-LT signing (with OCSP + CRL embedding) | |
| B-LTA archive timestamp addition | |
| LTV offline validation (full chain) | |