Firme Digitali PAdES
★ Pro — Commercial License Required
I livelli firma PAdES B-T, B-LT e B-LTA richiedono il pacchetto Pro.
TCPDF-Next Pro implementa la pipeline PAdES completa (ETSI EN 319 142) usando CertificateInfo, DigitalSigner, ByteRangeCalculator e SignatureAppearance.
Livelli Firma
| Livello | Valore Enum | Cosa Aggiunge |
|---|---|---|
| B-B | SignatureLevel::PAdES_B_B | Firma CMS con certificato firma |
| B-T | SignatureLevel::PAdES_B_T | Timestamp firma RFC 3161 |
| B-LT | SignatureLevel::PAdES_B_LT | Dati revoca (OCSP + CRL) tramite DSS |
| B-LTA | SignatureLevel::PAdES_B_LTA | Timestamp documento per validità indefinita |
CertificateInfo
Carica e analizza certificati X.509 e chiavi private da file PEM o PKCS#12.
php
use Yeeefang\TcpdfNext\Pro\Security\Signature\CertificateInfo;
// Da file PEM
$cert = CertificateInfo::fromPem('/certs/signing.pem', '/certs/signing.key', 'pw');
$cert->chain(['/certs/intermediate.pem', '/certs/root.pem']);
// Da PKCS#12 (catena estratta automaticamente)
$cert = CertificateInfo::fromPkcs12('/certs/signing.p12', 'p12-password');
// Ispeziona dettagli certificato
echo $cert->subjectCN(); // "John Doe"
echo $cert->issuerCN(); // "Acme Intermediate CA"
echo $cert->validFrom(); // DateTimeImmutable
echo $cert->ocspResponderUrl(); // "https://ocsp.acme.com"DigitalSigner
Genera il container firma CMS/PKCS#7 e orchestra l'incorporamento timestamp e LTV.
php
use Yeeefang\TcpdfNext\Core\Document;
use Yeeefang\TcpdfNext\Pro\Security\Signature\DigitalSigner;
use Yeeefang\TcpdfNext\Pro\Security\Timestamp\TsaClient;
use Yeeefang\TcpdfNext\Contracts\Enums\SignatureLevel;
$pdf = Document::create()->addPage()->text('Documento contratto.');
$cert = CertificateInfo::fromPkcs12('/certs/signer.p12', 'pw');
$tsa = new TsaClient('https://tsa.example.com/timestamp');
$signer = new DigitalSigner($cert);
$signer->level(SignatureLevel::PAdES_B_LTA);
$signer->timestampAuthority($tsa);
$signer->reason('Approvazione documento');
$signer->location('Taipei, Taiwan');
$signer->sign($pdf);
$pdf->save('/output/signed.pdf');Ai livelli B-LT e B-LTA, LtvManager è invocato internamente per recuperare risposte OCSP e CRL e costruire il dizionario DSS.
ByteRangeCalculator
Gestisce il placeholder firma e calcola i byte range. Gestito internamente da DigitalSigner; l'uso diretto è per scenari avanzati.
SignatureAppearance
Controlla la rappresentazione visibile della firma sulla pagina. Le firme sono invisibili per impostazione predefinita.
php
use Yeeefang\TcpdfNext\Pro\Security\Signature\SignatureAppearance;
$appearance = SignatureAppearance::create()
->page(1)
->position(x: 20.0, y: 250.0, width: 80.0, height: 30.0)
->text("Firmato digitalmente da John Doe\nData: 2026-02-16")
->image('/images/handwritten-signature.png')
->imagePosition('left') // 'left', 'right', 'top', 'bottom', 'background'
->fontSize(8);
$signer->appearance($appearance);
$signer->sign($pdf);Esempio B-LTA Completo
php
use Yeeefang\TcpdfNext\Core\Document;
use Yeeefang\TcpdfNext\Pro\Security\Signature\{DigitalSigner, CertificateInfo, SignatureAppearance};
use Yeeefang\TcpdfNext\Pro\Security\Timestamp\TsaClient;
use Yeeefang\TcpdfNext\Contracts\Enums\SignatureLevel;
$pdf = Document::create()
->addPage()
->font('Helvetica', size: 14, style: 'B')
->text('Accordo Acquisto')
->font('Helvetica', size: 11)
->text('Questo accordo è stipulato il 16 febbraio 2026...');
$cert = CertificateInfo::fromPkcs12('/certs/legal.p12', 'passphrase');
$tsa = new TsaClient('https://tsa.example.com/timestamp');
$signer = new DigitalSigner($cert);
$signer->level(SignatureLevel::PAdES_B_LTA);
$signer->timestampAuthority($tsa);
$signer->appearance(
SignatureAppearance::create()
->page(1)
->position(x: 20.0, y: 250.0, width: 80.0, height: 25.0)
->text("Firmato da Uff. Legale\n2026-02-16")
);
$signer->reason('Esecuzione accordo acquisto');
$signer->location('Taipei, Taiwan');
$signer->sign($pdf);
$pdf->save('/contracts/purchase-agreement-signed.pdf');Prossimi Passi
- Long-Term Validation -- DSS, OCSP, CRL e timestamp archiviali.
- Integrazione HSM -- Firma con hardware security module tramite PKCS#11.
- Panoramica Pacchetto Pro -- Elenco moduli completo e informazioni licenza.