Assinaturas Digitais PAdES
★ Pro — Commercial License Required
Os níveis de assinatura PAdES B-T, B-LT e B-LTA requerem o pacote Pro.
O TCPDF-Next Pro implementa o pipeline completo PAdES (ETSI EN 319 142) usando CertificateInfo, DigitalSigner, ByteRangeCalculator e SignatureAppearance.
Níveis de Assinatura
| Nível | Valor do Enum | O Que Adiciona |
|---|---|---|
| B-B | SignatureLevel::PAdES_B_B | Assinatura CMS com certificado de assinatura |
| B-T | SignatureLevel::PAdES_B_T | Timestamp de assinatura RFC 3161 |
| B-LT | SignatureLevel::PAdES_B_LT | Dados de revogação (OCSP + CRL) via DSS |
| B-LTA | SignatureLevel::PAdES_B_LTA | Timestamp de documento para validade indefinida |
CertificateInfo
Carrega e analisa certificados X.509 e chaves privadas a partir de arquivos PEM ou PKCS#12.
php
use Yeeefang\TcpdfNext\Pro\Security\Signature\CertificateInfo;
// From PEM files
$cert = CertificateInfo::fromPem('/certs/signing.pem', '/certs/signing.key', 'pw');
$cert->chain(['/certs/intermediate.pem', '/certs/root.pem']);
// From PKCS#12 (chain extracted automatically)
$cert = CertificateInfo::fromPkcs12('/certs/signing.p12', 'p12-password');
// Inspect certificate details
echo $cert->subjectCN(); // "John Doe"
echo $cert->issuerCN(); // "Acme Intermediate CA"
echo $cert->validFrom(); // DateTimeImmutable
echo $cert->ocspResponderUrl(); // "https://ocsp.acme.com"DigitalSigner
Gera o container de assinatura CMS/PKCS#7 e orquestra a incorporação de timestamp e LTV.
php
use Yeeefang\TcpdfNext\Core\Document;
use Yeeefang\TcpdfNext\Pro\Security\Signature\DigitalSigner;
use Yeeefang\TcpdfNext\Pro\Security\Timestamp\TsaClient;
use Yeeefang\TcpdfNext\Contracts\Enums\SignatureLevel;
$pdf = Document::create()->addPage()->text('Contract document.');
$cert = CertificateInfo::fromPkcs12('/certs/signer.p12', 'pw');
$tsa = new TsaClient('https://tsa.example.com/timestamp');
$signer = new DigitalSigner($cert);
$signer->level(SignatureLevel::PAdES_B_LTA);
$signer->timestampAuthority($tsa);
$signer->reason('Document approval');
$signer->location('Taipei, Taiwan');
$signer->sign($pdf);
$pdf->save('/output/signed.pdf');Nos níveis B-LT e B-LTA, o LtvManager é invocado internamente para buscar respostas OCSP e CRLs e construir o dicionário DSS.
ByteRangeCalculator
Gerencia o placeholder da assinatura e calcula os byte ranges. Tratado internamente pelo DigitalSigner; uso direto é para cenários avançados.
SignatureAppearance
Controla a representação visual da assinatura na página. As assinaturas são invisíveis por padrão.
php
use Yeeefang\TcpdfNext\Pro\Security\Signature\SignatureAppearance;
$appearance = SignatureAppearance::create()
->page(1)
->position(x: 20.0, y: 250.0, width: 80.0, height: 30.0)
->text("Digitally signed by John Doe\nDate: 2026-02-16")
->image('/images/handwritten-signature.png')
->imagePosition('left') // 'left', 'right', 'top', 'bottom', 'background'
->fontSize(8);
$signer->appearance($appearance);
$signer->sign($pdf);Exemplo Completo B-LTA
php
use Yeeefang\TcpdfNext\Core\Document;
use Yeeefang\TcpdfNext\Pro\Security\Signature\{DigitalSigner, CertificateInfo, SignatureAppearance};
use Yeeefang\TcpdfNext\Pro\Security\Timestamp\TsaClient;
use Yeeefang\TcpdfNext\Contracts\Enums\SignatureLevel;
$pdf = Document::create()
->addPage()
->font('Helvetica', size: 14, style: 'B')
->text('Purchase Agreement')
->font('Helvetica', size: 11)
->text('This agreement is entered into on February 16, 2026...');
$cert = CertificateInfo::fromPkcs12('/certs/legal.p12', 'passphrase');
$tsa = new TsaClient('https://tsa.example.com/timestamp');
$signer = new DigitalSigner($cert);
$signer->level(SignatureLevel::PAdES_B_LTA);
$signer->timestampAuthority($tsa);
$signer->appearance(
SignatureAppearance::create()
->page(1)
->position(x: 20.0, y: 250.0, width: 80.0, height: 25.0)
->text("Signed by Legal Dept.\n2026-02-16")
);
$signer->reason('Purchase agreement execution');
$signer->location('Taipei, Taiwan');
$signer->sign($pdf);
$pdf->save('/contracts/purchase-agreement-signed.pdf');Próximos Passos
- Long-Term Validation -- DSS, OCSP, CRL e timestamps de arquivamento.
- Integração HSM -- Assine com módulos de segurança de hardware via PKCS#11.
- Visão Geral do Pacote Pro -- Listagem completa de módulos e informações de licença.