Class DeferredSigner

Namespace

SimpleSign.PAdES

Assembly

SimpleSign.PAdES.dll

Two-phase (deferred) signing API for web applications where the private key resides on a different machine (e.g., A3 hardware token in user's browser).

public static class DeferredSigner

Inheritance

object

DeferredSigner

Inherited Members

object.Equals(object)

object.Equals(object, object)

object.GetHashCode()

object.GetType()

object.MemberwiseClone()

object.ReferenceEquals(object, object)

object.ToString()

Examples

// Phase 1 — Server: prepare PDF and get hash for external signing
var result = await DeferredSigner.PrepareAsync(pdfBytes, publicCert);
// Send result.HashToSign to the client; store result.SessionData on server

// Phase 2 — Server: complete signing with the raw signature from client
byte[] signedPdf = await DeferredSigner.CompleteAsync(sessionData, rawSignature);

Methods

CompleteAsync(byte[], byte[], DeferredSigningCompleteOptions?, ILogger?, CancellationToken)

Phase 2: Completes the signing using the raw signature bytes produced by the external signer.

public static Task<byte[]> CompleteAsync(byte[] sessionData, byte[] rawSignature, DeferredSigningCompleteOptions? options = null, ILogger? logger = null, CancellationToken cancellationToken = default)

Parameters

sessionData byte[]

Serialized session from SessionData.

rawSignature byte[]

Raw signature bytes from the external signer. For RSA: PKCS#1 v1.5 signature. For ECDSA: DER SEQUENCE { r, s }. For EdDSA: raw signature.

options DeferredSigningCompleteOptions

Optional completion configuration (e.g., timestamp).

logger ILogger

Optional logger for debug diagnostics.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<byte[]>

The fully signed PDF bytes.

PrepareAsync(byte[], X509Certificate2, DeferredSigningOptions?, ILogger?, CancellationToken)

Phase 1: Prepares a PDF for signing and returns the signed attributes to be signed externally. The HashToSign is the DER-encoded signed attributes that the external signer must sign (RSA PKCS#1 v1.5, ECDSA DER, or EdDSA raw).

public static Task<DeferredSigningPrepareResult> PrepareAsync(byte[] pdfBytes, X509Certificate2 certificate, DeferredSigningOptions? options = null, ILogger? logger = null, CancellationToken cancellationToken = default)

Parameters

pdfBytes byte[]

The original PDF document bytes.

certificate X509Certificate2

The signer's public certificate (private key NOT required).

options DeferredSigningOptions

Optional signing configuration.

logger ILogger

Optional logger for debug diagnostics.

cancellationToken CancellationToken

Cancellation token.

Returns

Task<DeferredSigningPrepareResult>

Prepare result containing the hash to sign and serialized session data.

Exceptions

SigningException

Certificate is expired or document is DocMDP-locked.