Class CmsSignatureBuilder

Namespace
SimpleSign.Core.Crypto
Assembly
SimpleSign.Core.dll

Builds a CMS/PKCS#7 SignedData compatible with PAdES (adbe.pkcs7.detached). Uses exclusively System.Security.Cryptography from .NET — zero external dependencies.

public sealed class CmsSignatureBuilder
Methods

Build(ReadOnlySpan<byte>, X509Certificate2, HashAlgorithmName, DateTimeOffset?, IReadOnlyList<X509Certificate2>?, IReadOnlyList<CmsAttribute>?, bool, ILogger?)

Signs the provided bytes and returns a DER-encoded CMS/SignedData. The certificate must contain a private key (A1/PFX or Windows Store with minidriver).

public static byte[] Build(ReadOnlySpan<byte> dataToSign, X509Certificate2 certificate, HashAlgorithmName hashAlgorithm, DateTimeOffset? signingTime = null, IReadOnlyList<X509Certificate2>? extraCertificates = null, IReadOnlyList<CmsAttribute>? extraAttributes = null, bool padesAttributes = true, ILogger? logger = null)

Parameters

dataToSign ReadOnlySpan<byte>

The document bytes to be signed: the two ByteRange segments of the PDF (ByteRange 1 + ByteRange 2), concatenated in order.

certificate X509Certificate2

Certificate with private key.

hashAlgorithm HashAlgorithmName

Hash algorithm (SHA256 or SHA512).

signingTime DateTimeOffset?

Signing date/time (UTC).

extraCertificates IReadOnlyList<X509Certificate2>

Intermediate certificates to include so that validators can build the chain from the signer certificate.

extraAttributes IReadOnlyList<CmsAttribute>

Optional CAdES signed attributes (e.g., commitment-type, signature-policy).

padesAttributes bool

When true (default), adds the id-aa-signingCertificateV2 (ESS CertV2) attribute required by PAdES B-B. Set to false to produce a plain PKCS#7/CMS signature without PAdES-specific attributes (compatible with legacy validators and adbe.pkcs7.detached documents that predate PAdES).

logger ILogger

Optional logger for debug diagnostics.

Returns

byte[]

The DER-encoded CMS/SignedData.
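The following is an added usage example, not code from the SimpleSign.Core documentation or project. It calls Build with a throw-away self-signed RSA certificate generated in memory (a constructed stand-in for an A1/PFX certificate), then checks the result with System.Security.Cryptography.Pkcs: the detached signature must verify over the same bytes, the id-aa-signingCertificateV2 attribute must be present, and any change to the covered bytes must make verification fail. It assumes the SimpleSign.Core package and the System.Security.Cryptography.Pkcs package are referenced.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using SimpleSign.Core.Crypto;

static class BuildExample
{
    // OID of id-aa-signingCertificateV2 (RFC 5035), the attribute PAdES B-B requires.
    const string SigningCertificateV2Oid = "1.2.840.113549.1.9.16.2.47";

    static void Main()
    {
        // Constructed test certificate: a self-signed RSA key pair generated in memory.
        // In production this is the A1/PFX certificate loaded together with its private key.
        using RSA rsa = RSA.Create(3072);
        var request = new CertificateRequest("CN=SimpleSign test signer", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 signerCert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));

        // Constructed stand-in for "ByteRange 1 + ByteRange 2": the PDF bytes outside the
        // /Contents placeholder, concatenated in order.
        byte[] dataToSign = Encoding.ASCII.GetBytes("%PDF-1.7 ... bytes covered by the ByteRange ...");

        // padesAttributes defaults to true, so the ESS CertV2 attribute is added.
        byte[] cms = CmsSignatureBuilder.Build(
            dataToSign,
            signerCert,
            HashAlgorithmName.SHA256,
            signingTime: DateTimeOffset.UtcNow);

        // Verification: decode as a detached SignedData over the same bytes and check the
        // cryptographic signature only (verifySignatureOnly: true skips chain building,
        // which a self-signed test certificate would fail).
        var signed = new SignedCms(new ContentInfo(dataToSign), detached: true);
        signed.Decode(cms);
        signed.CheckSignature(verifySignatureOnly: true); // throws CryptographicException on failure

        SignerInfo signer = signed.SignerInfos[0];
        bool hasEssCertV2 = signer.SignedAttributes
            .Cast<CryptographicAttributeObject>()
            .Any(a => a.Oid.Value == SigningCertificateV2Oid);

        Console.WriteLine($"Signer: {signer.Certificate?.Subject}");
        Console.WriteLine($"Digest algorithm: {signer.DigestAlgorithm.FriendlyName}");
        Console.WriteLine($"id-aa-signingCertificateV2 present: {hasEssCertV2}");

        // Integrity check: flipping one bit of the covered bytes must break verification.
        dataToSign[0] ^= 0x01;
        var tampered = new SignedCms(new ContentInfo(dataToSign), detached: true);
        tampered.Decode(cms);
        try
        {
            tampered.CheckSignature(verifySignatureOnly: true);
            Console.WriteLine("Unexpected: modified content verified");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Modified content rejected as expected");
        }
    }
}
```

Because the signature is detached, the verifier must be handed the exact ByteRange content; when embedding the result in a PDF, the /Contents placeholder must be large enough to hold the DER output (padded with zeros), or the ByteRange offsets no longer match what was signed.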

BuildAsync(ReadOnlyMemory<byte>, X509Certificate2, Func<byte[], Task<byte[]>>, string, HashAlgorithmName, DateTimeOffset?, IReadOnlyList<X509Certificate2>?, IReadOnlyList<CmsAttribute>?, bool, ILogger?)

Signs the provided bytes using an external signing delegate and returns a DER-encoded CMS/SignedData. Use this overload for A3 tokens, HSMs, cloud KMS, or any scenario where the private key is not directly accessible via X509Certificate2.

public static Task<byte[]> BuildAsync(ReadOnlyMemory<byte> dataToSign, X509Certificate2 certificate, Func<byte[], Task<byte[]>> externalSigner, string signatureAlgorithmOid, HashAlgorithmName hashAlgorithm, DateTimeOffset? signingTime = null, IReadOnlyList<X509Certificate2>? extraCertificates = null, IReadOnlyList<CmsAttribute>? extraAttributes = null, bool padesAttributes = true, ILogger? logger = null)

Parameters

dataToSign ReadOnlyMemory<byte>

The document bytes to be signed: the two ByteRange segments of the PDF (ByteRange 1 + ByteRange 2), concatenated in order.

certificate X509Certificate2

The signer's public certificate (private key NOT required).

externalSigner Func<byte[], Task<byte[]>>

A delegate that receives the DER-encoded signed attributes and returns the raw signature bytes. For RSA: PKCS#1 v1.5 signature. For ECDSA: DER SEQUENCE { r, s } (RFC 3279). For EdDSA: raw signature bytes.

signatureAlgorithmOid string

The OID of the signature algorithm (e.g., "1.2.840.113549.1.1.11" for RSA-SHA256). Must match the algorithm used by the external signer.

hashAlgorithm HashAlgorithmName

Hash algorithm (SHA256 or SHA512).

signingTime DateTimeOffset?

Signing date/time (UTC).

extraCertificates IReadOnlyList<X509Certificate2>

Intermediate certificates to include so that validators can build the chain from the signer certificate.

extraAttributes IReadOnlyList<CmsAttribute>

Optional CAdES signed attributes (e.g., commitment-type, signature-policy).

padesAttributes bool

When true (default), adds the id-aa-signingCertificateV2 (ESS CertV2) attribute required by PAdES B-B. Set to false to produce a plain PKCS#7/CMS signature without PAdES-specific attributes.

logger ILogger

Optional logger for debug diagnostics.

Returns

Task<byte[]>

A task that yields the DER-encoded CMS/SignedData.
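The following is an added example, not code from the SimpleSign.Core documentation or project. It builds an externalSigner delegate that meets the contract above: the delegate receives the DER-encoded signed attributes, hashes them with the same algorithm passed as hashAlgorithm, and returns the signature in the wire format CMS expects for the key type (PKCS#1 v1.5 for RSA, DER SEQUENCE { r, s } for ECDSA), while the signatureAlgorithmOid is derived from the same key type and hash so the two cannot disagree. The "remote" ECDSA key is constructed in memory as a stand-in for an A3 token, HSM or cloud KMS; in a real deployment the SignData calls are replaced by the device or KMS SDK call. The OID mapping and the SignatureAlgorithmOid/MakeExternalSigner helper names are this example's own, not part of SimpleSign.Core.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using SimpleSign.Core.Crypto;

static class ExternalSignerExample
{
    // sha256WithRSAEncryption / sha512WithRSAEncryption (RFC 4055) and
    // ecdsa-with-SHA256 / ecdsa-with-SHA512 (RFC 5758). Deriving the OID from the
    // key type and hash keeps signatureAlgorithmOid consistent with what the signer produces.
    static string SignatureAlgorithmOid(AsymmetricAlgorithm key, HashAlgorithmName hash) =>
        (key, hash.Name) switch
        {
            (RSA, "SHA256")   => "1.2.840.113549.1.1.11",
            (RSA, "SHA512")   => "1.2.840.113549.1.1.13",
            (ECDsa, "SHA256") => "1.2.840.10045.4.3.2",
            (ECDsa, "SHA512") => "1.2.840.10045.4.3.4",
            _ => throw new NotSupportedException($"No OID for {key.GetType().Name} with {hash.Name}")
        };

    // The delegate BuildAsync expects: input is the DER-encoded signed attributes,
    // output is the signature in the format CMS requires for this key type.
    static Func<byte[], Task<byte[]>> MakeExternalSigner(AsymmetricAlgorithm remoteKey, HashAlgorithmName hash) =>
        remoteKey switch
        {
            // PKCS#1 v1.5, not PSS: the RSA OIDs above identify the v1.5 scheme.
            RSA rsa => data => Task.FromResult(rsa.SignData(data, hash, RSASignaturePadding.Pkcs1)),
            // CMS carries ECDSA signatures as DER SEQUENCE { r, s } (RFC 3279), not the
            // fixed-size r||s concatenation that SignData returns by default.
            ECDsa ec => data => Task.FromResult(ec.SignData(data, hash, DSASignatureFormat.Rfc3279DerSequence)),
            _ => throw new NotSupportedException(remoteKey.GetType().Name)
        };

    static async Task Main()
    {
        var hash = HashAlgorithmName.SHA256;

        // Constructed stand-in for the private key that never leaves the token/HSM.
        using ECDsa remoteKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);

        // The public certificate the builder embeds. Self-signed here for a self-contained
        // run; exported as the public part only to mirror a certificate read from a token.
        var request = new CertificateRequest("CN=SimpleSign external signer", remoteKey, hash);
        using X509Certificate2 publicCert = new X509Certificate2(
            request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1))
                   .Export(X509ContentType.Cert));

        // Constructed placeholder for the ByteRange content of the PDF.
        byte[] dataToSign = Encoding.ASCII.GetBytes("%PDF-1.7 ... bytes covered by the ByteRange ...");

        string oid = SignatureAlgorithmOid(remoteKey, hash);
        byte[] cms = await CmsSignatureBuilder.BuildAsync(
            dataToSign,
            publicCert,
            MakeExternalSigner(remoteKey, hash),
            oid,
            hash,
            signingTime: DateTimeOffset.UtcNow);

        // The embedded signature must verify against the public certificate alone, and the
        // SignerInfo must carry the OID we declared.
        var signed = new SignedCms(new ContentInfo(dataToSign), detached: true);
        signed.Decode(cms);
        signed.CheckSignature(verifySignatureOnly: true); // throws CryptographicException on failure
        Console.WriteLine($"Signature algorithm in CMS: {signed.SignerInfos[0].SignatureAlgorithm.Value} (expected {oid})");
    }
}
```

If the device can only sign a pre-computed digest rather than the attribute bytes, the delegate must compute the digest with the same algorithm passed as hashAlgorithm before calling the device, and for RSA the device must apply PKCS#1 v1.5 padding with the matching DigestInfo; a mismatch between hashAlgorithm, the delegate's digest and signatureAlgorithmOid produces a CMS that decodes cleanly but fails CheckSignature.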