PDFlib PLOP DS 5 - PDF Linearization, Optimization, Protection, Digital Signature

PLOP DS (Digital Signature) is based on PDFlib PLOP, a versatile tool for linearizing, optimizing, repairing, analyzing, encrypting and decrypting PDF documents. PDFlib PLOP DS additionally offers the ability to apply digital signatures to PDF documents. It supports the latest trends and standards in digital signature technology including PDF 2.0 according to ISO 32000-2 and PAdES signatures (ETSI TS 102 778 and ETSI EN 319 142), which in turn are based on CAdES (ETSI TS 101 733).

Digital Signatures with PDFlib PLOP DS

PDFlib PLOP DS applies PDF signatures which can be validated with Adobe Reader, Acrobat, or any other validator which supports PDF signatures. PLOP DS reads the signer’s digital ID (i.e. the certificate plus corresponding private key) from memory, a disk file, or a secure hardware token such as a smartcard. The digital ID is used to create a cryptographic signature for the PDF document. Applying a signature can be combined with encryption.

PDF Signature Properties

Create signatures in existing PDF signature fields or generate new fields which hold the signature. The signatures can be invisible or visible at a particular location on the page.

Visualize digital signatures by importing a logo, scan of a handwritten signature or other representation as PDF page.

Create PDF certification (author) signatures which allow document changes such as form-filling without breaking the signature.

Validation information can be stored directly in the signature according to ISO 32000-1 or in a Document Security Store (DSS) as specified in ISO 32000-2 and PAdES part 4.

Signatures can be applied in an incremental PDF update section to preserve existing signatures and document structure, or by rewriting the document structure which allows optimization and encryption.

PDF Versions and Standards

PLOP DS supports all relevant PDF versions and standards:

PLOP DS processes all PDF versions up to Acrobat DC, i.e PDF 1.7 (ISO 32000-1) up to extension level 8. PLOP DS can also process documents according to the standard PDF 2.0 (ISO 32000-2).

PLOP DS is aware of the PDF/A-1/2/3 (ISO 19005) archiving standards: if the input document conforms to PDF/A, the output document is guaranteed to conform as well. PLOP fully supports XMP extension schemas as required by PDF/A. The ability to insert PDF/A-conforming XMP metadata in PDF documents is an important advantage of PLOP DS.

Similarly, PLOP DS is aware of the PDF/X-1a/3/4/5 (ISO 15930) print production standards, PDF/VT-1/2 (ISO 16612-2) for variable and transactional printing and PDF/UA-1 (ISO 14289) for accessible PDF.

Signature Characteristics

Signature Standards

CMS-based PDF signatures according to ISO 32000-1

Signatures for Long-Term Validation (LTV) according to PDF 2.0 (ISO 32000-2)

Supports PAdES (ETS TS 102 778 part 2, 3 and 4, ETSI EN 319 142), CAdES (ETSI TS 101 733), and eIDAS regulation

PAdES Signature Levels

Basic Signature (Level B-B)

Signature with Time (Level B-T)

Signature with Long-Term Validation Material (Level B-LT)

Signature providing Long Term Availability and Integrity of Validation Material (Level B-LTA)

Basic Electronic Signature (BES) and Explicit Policy-based Electronic Signature (EPES) according to PAdES part 3


Retrieve a time-stamp from a trusted Time-Stamp Authority (TSA) according to RFC 3161, RFC 5816 and ETSI EN 319 422, and embed it in the generated signature. TSA details can be read from AATL certificates to create time-stamps without any configuration.

Create document-level time-stamp signatures according to ISO 32000-2 and PAdES part 4. A document-level time-stamp assures the state of a document without applying any personal signature.

Support for the time-stamp policy parameter and all common time-stamp hash functions.

Cryptographic Signature Details

Signatures according to the RSA and DSA algorithms as well as the Elliptic Curve Digital Signature Algorithm (ECDSA) based on Elliptic Curve Cryptography. The elliptic curves recommended by NIST are supported as well as Brainpool curves.

Strong signatures and hash functions.

Embed the full certificate chain in the generated signatures, which means that signatures with certificates from a CA (Certificate Authority) on the Adobe Approved Trust List (AATL) or European Union Trust List (EUTL) can be validated in Acrobat and Adobe Reader without any configuration on the client side.

Embed Online Certificate Status Protocol responses (OCSP according to RFC 2560 and RFC 6960) and Certificate Revocation Lists (CRL according to RFC 3280) as revocation information for Long-Term Validation (LTV).

Signature Engines

PLOP DS supports multiple cryptographic engines, i.e. components for generating digital signatures:

The built-in engine implements the required cryptographic functions directly in PLOP DS without any external dependencies. The built-in engine supports software-based digital IDs in the common PKCS#12 and PFX formats.

PLOP DS can attach cryptographic tokens via the standard PKCS#11 interface. This way digital IDs on smartcards, USB sticks, and other secure devices can be used for signing. This includes devices with an integrated keyboard for secure PIN input.

The PKCS#11 interface can also be used to sign with a Hardware Security Module (HSM). HSMs offer secure key storage and ample performance for high-volume signing applications. PLOP DS uses PKCS#11 sessions to maximize performance of bulk signatures with HSMs. Our »Thales e-Security PDFlib PLOP DS Integration Guide« documents the use of PLOP DS with Thales e-Security HSM products.

On Windows PLOP DS can leverage the cryptographic infrastructure provided by Windows via the Microsoft Cryptographic API (MS CAPI). Digital IDs from the Windows certificate store can be used for signing, including software-based digital IDs and secure hardware tokens. Note that not all signature features are available with the MSCAPI engine, e.g. LTV.

Alternatively a user-supplied cryptographic engine can be used to ensure that all cryptographic operations (hashing and signing) are performed in a dedicated cryptographic library. Attaching such an external cryptographic module requires a special PLOP build which is available on request.


PLOP DS Library or Command-Line Tool?

PLOP DS is available as a programming library (component) for various development environments, and as a command-line tool for batch operations. Library and command-line tool offer similar features, but are suitable for different deployment tasks.

The PLOP DS programming library is used for integration into desktop or server application. Examples for using the library with all supported language bindings are included in the PLOP DS package. Since the PLOP DS library accepts PDF input documents from a disk file or directly in memory, it can easily be combined with other products. For example, using the combination of PDFlib and PLOP DS you can create PDF invoices and sign them before sending them to the customer.

The PLOP DS command-line tool is suited for batch processing PDF documents. It doesn’t require any programming, but offers powerful command-line options which can be used to integrate it into complex workflows. The PLOP DS command-line tool can also be called from environments which do not support the use of the PLOP DS library.

Supported Development Environments

PDFlib PLOP DS is everywhere - it runs on practically all computing platforms. We offer 32-bit and 64-bit packages for all common flavors of Windows, OS X/macOS, Linux and Unix, as well as for IBM zSeries mainframe systems. Versions for iOS and Android are also available.

The PLOP DS core is written in highly optimized C and C++ code for maximum performance and small overhead. Via a simple API (Application Programming Interface) the PLOP DS functionality is accessible from a variety of development environments:

COM for use with VB, ASP, etc.

C and C++

Java, including servlets and Java Application Server

.NET for use with C#, VB.NET, ASP.NET, etc.