Class SignerBuilder
- Namespace
- SimpleSign.PAdES
- Assembly
- SimpleSign.PAdES.dll
Immutable builder that accumulates signing configuration. Each method returns a new instance — no shared mutable state.
public sealed class SignerBuilder
- Inheritance
-
SignerBuilder
- Inherited Members
- Extension Methods
Properties
CountryExtensions
The registered country extensions. Consumed by PdfSignatureValidator during validation.
public IReadOnlyList<ICountryExtension> CountryExtensions { get; }
Property Value
Methods
AsCertification(CertificationLevel)
Creates a certification (DocMDP) signature that restricts subsequent document modifications. Only the first signature in a document can be a certification signature.
public SignerBuilder AsCertification(CertificationLevel level = CertificationLevel.FormFilling)
Parameters
levelCertificationLevelThe permitted modification level after certification.
Returns
SignAsync(Stream, CancellationToken)
Executes the signing operation and returns the signed PDF as a byte array.
public Task SignAsync(Stream outputStream, CancellationToken cancellationToken = default)
Parameters
outputStreamStreamcancellationTokenCancellationToken
Returns
Exceptions
- SigningException
Certificate is missing, expired, lacks private key, or document is DocMDP-locked.
- EncryptedPdfException
The PDF is encrypted.
- NotSupportedException
Unsupported hash algorithm or key type.
- HttpRequestException
Timestamp or LTV network operations failed.
SignAsync(CancellationToken)
Executes the signing operation and returns the signed PDF as a byte array.
public Task<byte[]> SignAsync(CancellationToken cancellationToken = default)
Parameters
cancellationTokenCancellationToken
Returns
Exceptions
- SigningException
Certificate is missing, expired, lacks private key, or document is DocMDP-locked.
- EncryptedPdfException
The PDF is encrypted.
- NotSupportedException
Unsupported hash algorithm or key type.
- HttpRequestException
Timestamp or LTV network operations failed.
SignWithDetailsAsync(CancellationToken)
Executes the signing operation and returns a PdfSigningResult with the signed PDF and any non-fatal warnings (e.g., LTV data unavailable, certificate lacks NonRepudiation). Prefer this method over SignAsync(CancellationToken) when you need to programmatically verify that LTV data was actually embedded.
public Task<PdfSigningResult> SignWithDetailsAsync(CancellationToken cancellationToken = default)
Parameters
cancellationTokenCancellationToken
Returns
WithAppearance(SignatureAppearance)
Adds a visual appearance (stamp) to the signature on a specific page. The stamp displays the signer name, date/time, and other configured metadata.
public SignerBuilder WithAppearance(SignatureAppearance appearance)
Parameters
appearanceSignatureAppearance
Returns
WithArchivalTimestamp(string?)
Enables PAdES-B-LTA by adding a document-level timestamp (DocTimeStamp) after LTV embedding. This is the highest level of PAdES compliance, guaranteeing archival validation. Requires LTV to be enabled (call WithLtv() first).
public SignerBuilder WithArchivalTimestamp(string? tsaUrl = null)
Parameters
tsaUrlstringTSA URL for the archival timestamp. If null, uses the same TSA as WithTimestamp.
Returns
Exceptions
- InvalidOperationException
Thrown if LTV has not been enabled.
WithCertificate(X509Certificate2)
Sets the certificate with private key for signing.
public SignerBuilder WithCertificate(X509Certificate2 certificate)
Parameters
certificateX509Certificate2
Returns
WithCertificate(X509Certificate2, IReadOnlyList<X509Certificate2>)
Sets the certificate and full chain (for LTV and offline validation).
public SignerBuilder WithCertificate(X509Certificate2 certificate, IReadOnlyList<X509Certificate2> chain)
Parameters
certificateX509Certificate2chainIReadOnlyList<X509Certificate2>
Returns
WithCountryExtension(ICountryExtension)
Registers a pre-configured country extension instance for DI scenarios where the extension needs constructor-injected dependencies (HttpClient, ILogger).
public SignerBuilder WithCountryExtension(ICountryExtension extension)
Parameters
extensionICountryExtension
Returns
WithCountryExtension<T>()
Registers a country/region-specific extension package (e.g., ICP-Brasil, eIDAS). Extensions provide trust anchors for validation and chain validation providers that enrich SignatureValidationResult with country-specific metadata (policy level, signer national ID, etc.).
public SignerBuilder WithCountryExtension<T>() where T : ICountryExtension, new()
Returns
Type Parameters
TA concrete ICountryExtension with a parameterless constructor.
WithExistingField(string)
Signs an existing empty signature field instead of creating a new one. The field must already exist in the PDF with an empty /V value.
public SignerBuilder WithExistingField(string fieldName)
Parameters
fieldNamestringThe name of the existing signature field (the /T value).
Returns
WithExternalSigner(X509Certificate2, Func<byte[], Task<byte[]>>)
Configures an external signing delegate with automatic algorithm detection from the certificate. Supports RSA, ECDSA, and EdDSA certificate public key OIDs.
public SignerBuilder WithExternalSigner(X509Certificate2 certificate, Func<byte[], Task<byte[]>> externalSigner)
Parameters
certificateX509Certificate2externalSignerFunc<byte[], Task<byte[]>>
Returns
WithExternalSigner(X509Certificate2, Func<byte[], Task<byte[]>>, IReadOnlyList<X509Certificate2>)
Configures an external signing delegate with automatic algorithm detection and supplies the pre-fetched intermediate certificate chain.
public SignerBuilder WithExternalSigner(X509Certificate2 certificate, Func<byte[], Task<byte[]>> externalSigner, IReadOnlyList<X509Certificate2> chain)
Parameters
certificateX509Certificate2The signer's public certificate (private key NOT required).
externalSignerFunc<byte[], Task<byte[]>>External signing delegate (DER input → raw signature).
chainIReadOnlyList<X509Certificate2>Intermediate CA certificates, ordered from the issuer up to (but not including) the root. May be empty.
Returns
WithExternalSigner(X509Certificate2, Func<byte[], Task<byte[]>>, string)
Configures an external signing delegate for A3 tokens, HSMs, or cloud KMS. The delegate receives the DER-encoded signed attributes and must return the raw signature bytes.
public SignerBuilder WithExternalSigner(X509Certificate2 certificate, Func<byte[], Task<byte[]>> externalSigner, string signatureAlgorithmOid)
Parameters
certificateX509Certificate2The signer's public certificate (private key NOT required).
externalSignerFunc<byte[], Task<byte[]>>Delegate that signs data externally. Input: DER-encoded signed attributes. Output: raw signature (RSA PKCS#1 or ECDSA DER SEQUENCE { r, s }).
signatureAlgorithmOidstringThe signature algorithm OID (e.g., "1.2.840.113549.1.1.11" for RSA-SHA256). Use Oids for common values.
Returns
WithExternalSigner(X509Certificate2, Func<byte[], Task<byte[]>>, string, IReadOnlyList<X509Certificate2>)
Configures an external signing delegate with an explicit signature algorithm OID and supplies the pre-fetched intermediate certificate chain. Use this when the signing service also returns the chain (e.g., an HSM API or cloud KMS endpoint) to avoid redundant AIA HTTP requests during LTV embedding.
public SignerBuilder WithExternalSigner(X509Certificate2 certificate, Func<byte[], Task<byte[]>> externalSigner, string signatureAlgorithmOid, IReadOnlyList<X509Certificate2> chain)
Parameters
certificateX509Certificate2The signer's public certificate (private key NOT required).
externalSignerFunc<byte[], Task<byte[]>>Delegate that signs data externally. Input: DER-encoded signed attributes. Output: raw signature (RSA PKCS#1 or ECDSA DER SEQUENCE { r, s }).
signatureAlgorithmOidstringThe signature algorithm OID (e.g., "1.2.840.113549.1.1.11" for RSA-SHA256). Use Oids for common values.
chainIReadOnlyList<X509Certificate2>Intermediate CA certificates, ordered from the issuer of
certificateup to (but not including) the root. May be empty.
Returns
WithFieldName(string)
Sets the signature field name.
public SignerBuilder WithFieldName(string fieldName)
Parameters
fieldNamestring
Returns
WithHashAlgorithm(HashAlgorithmName)
Sets the hash algorithm. Default: SHA-256 (recommended by ICP-Brasil).
public SignerBuilder WithHashAlgorithm(HashAlgorithmName algorithm)
Parameters
algorithmHashAlgorithmName
Returns
WithHttpClient(HttpClient)
Sets the default HttpClient for all outbound HTTP operations (OCSP, CRL, AIA, and TSA when no TSA-specific client is configured via WithTimestamp(string, HttpClient)).
public SignerBuilder WithHttpClient(HttpClient httpClient)
Parameters
httpClientHttpClient
Returns
WithHttpClientProvider(IHttpClientProvider)
Sets a custom IHttpClientProvider for all HTTP operations.
Use this in ASP.NET Core to integrate with IHttpClientFactory.
public SignerBuilder WithHttpClientProvider(IHttpClientProvider provider)
Parameters
providerIHttpClientProvider
Returns
WithLegacyCms()
Produces a plain PKCS#7/CMS signature (adbe.pkcs7.detached) without PAdES-specific
attributes (no id-aa-signingCertificateV2 / ESS CertV2).
Use this to interoperate with legacy systems or to replicate signatures produced by tools
that predate PAdES (Level: CMS — no PAdES attributes).
public SignerBuilder WithLegacyCms()
Returns
Remarks
When this mode is active, the resulting signature is NOT considered PAdES-compliant. Validators that enforce PAdES (e.g., ITI) may report the signature as non-conformant.
WithLtv()
Enables LTV (Long-Term Validation) by embedding DSS with CRLs, OCSP responses, and VRI in the signed PDF. Requires an HttpClient for downloading revocation data. Requires a timestamp (call WithTimestamp(string) first) — PAdES B-LT needs B-T.
public SignerBuilder WithLtv()
Returns
Exceptions
- InvalidOperationException
Thrown if no TSA URL has been configured.
WithMetadata(SignatureMetadata)
Configures generic signer metadata for the signature.
Use this for country-agnostic signing with structured metadata.
For Brazil-specific signing, use WithAdvancedSignature from SimpleSign.Brasil.
public SignerBuilder WithMetadata(SignatureMetadata metadata)
Parameters
metadataSignatureMetadata
Returns
WithMetadata(string?, string?, string?, string?)
Sets visible metadata on the signature.
public SignerBuilder WithMetadata(string? signerName = null, string? reason = null, string? location = null, string? contactInfo = null)
Parameters
Returns
WithOperationId(string)
Sets an operation ID for correlation in log messages.
public SignerBuilder WithOperationId(string operationId)
Parameters
operationIdstring
Returns
WithPdfAPreservation()
Enables PDF/A conformance checking before signing. If the input document is a PDF/A file and the signature options are incompatible with that level, a SigningException is thrown during signing.
public SignerBuilder WithPdfAPreservation()
Returns
WithSignatureAlgorithm(string)
Forces a specific signature algorithm, overriding the algorithm inferred from the
certificate's public key type. The primary use case is producing RSASSA-PSS signatures
with a certificate whose public key OID is rsaEncryption
(1.2.840.113549.1.1.1) rather than id-RSASSA-PSS (1.2.840.113549.1.1.10).
Compatibility with the certificate's key type is validated at signing time.
public SignerBuilder WithSignatureAlgorithm(string signatureAlgorithmOid)
Parameters
signatureAlgorithmOidstringOID of the signature algorithm (e.g.,
Oids.RsaPss).
Returns
WithSubFilter(PdfSignatureSubFilter)
Sets the signature SubFilter value independently of PAdES attribute configuration. Default is EtsiCadesDetached. Use AdbePkcs7Detached for PDF/A-1 compatibility or when the target validator requires the legacy subfilter.
public SignerBuilder WithSubFilter(PdfSignatureSubFilter subFilter)
Parameters
subFilterPdfSignatureSubFilter
Returns
Remarks
Unlike WithLegacyCms(), this method does NOT disable CAdES/PAdES attributes. The resulting signature includes full PAdES-B-B attributes (signing-certificate-v2, etc.) while using the specified SubFilter value in the PDF signature dictionary.
WithTimestamp(string)
Configures the timestamp (TSA) using the default HttpClient.
public SignerBuilder WithTimestamp(string tsaUrl)
Parameters
tsaUrlstring
Returns
WithTimestamp(string, HttpClient)
Configures the timestamp with a custom HttpClient (for testing/proxy).
public SignerBuilder WithTimestamp(string tsaUrl, HttpClient httpClient)
Parameters
tsaUrlstringhttpClientHttpClient