PLOP DS Features

PDFlib PLOP DS 5 - PDF Linearization, Optimization, Protection, Digital Signature

PLOP DS (Digital Signature) is based on PDFlib PLOP, a versatile tool for linearizing, optimizing, repairing, analyzing, encrypting and decrypting PDF documents (see here for a detailed feature list). PDFlib PLOP DS additionally offers the ability to apply digital signatures to PDF documents. It supports the latest standards in digital signature technology including PDF 2.0 according to ISO 32000-2 and PAdES signatures which are required by the European eIDAS regulation.

Digital Signatures with PDFlib PLOP DS

PDFlib PLOP DS applies PDF signatures which can be validated with Adobe Reader, Acrobat or any other validator which supports PDF signatures. PLOP DS reads the signer’s digital ID (the certificate plus corresponding private key) from memory, a disk file, the Windows certificate store or a secure hardware token. The digital ID is used to create a cryptographic signature for the PDF document. Applying a signature can be combined with encryption.

PDF Signature Properties

  • Create signatures in existing PDF signature fields or generate new fields which hold the signature. The signatures can be invisible or visible at a particular location on the page.
  • Visualize digital signatures by importing a logo, scan of a handwritten signature or other representation as PDF page.
  • Create PDF certification (author) signatures which allow document changes such as form-filling without breaking the signature.
  • Validation information can be stored directly in the signature according to ISO 32000-1 or in a Document Security Store (DSS) as specified in ISO 32000-2 and PAdES part 4.
  • Signatures can be applied in an incremental PDF update section to preserve existing signatures and document structure, or by rewriting the document structure which allows optimization and encryption.

PDF Versions and Standards

PLOP DS supports all relevant PDF versions and standards:

  • PLOP processes all PDF versions up to PDF 1.7 (ISO 32000-1) including extension level 8 and PDF 2.0 (ISO 32000-2).
  • PLOP DS is aware of the PDF/A-1/2/3 (ISO 19005) archiving standards: if the input document conforms to PDF/A, the output document is guaranteed to conform as well. PLOP fully supports XMP extension schemas as required by PDF/A. The ability to insert PDF/A-conforming XMP metadata in PDF documents is an important advantage of PLOP DS.
  • Similarly, PLOP DS is aware of the PDF/X-3/4/5 (ISO 15930) print production standards, PDF/VT-1 (ISO 16612-2) for variable and transactional printing and PDF/UA-1 (ISO 14289) for accessible PDF.

Signature Characteristics

Signature Standards

  • CMS-based PDF signatures according to PDF 1.7 (ISO 32000-1)
  • Signatures for Long-Term Validation (LTV) according to PDF 2.0 (ISO 32000-2)
  • PAdES (ETSI TS 102 778 part 2, 3 and 4, ETSI EN 319 142) and CAdES (ETSI TS 101 733) for qualified eIDAS signatures

PAdES Signature Levels

  • Basic Signature (Level B-B)
  • Signature with Time (Level B-T)
  • Signature with Long-Term Validation Material (Level B-LT)
  • Signature providing Long Term Availability and Integrity of Validation Material (Level B-LTA): required for eIDAS conformance
  • Basic Electronic Signature (BES) and Explicit Policy-based Electronic Signature (EPES) according to PAdES part 3


  • Retrieve a timestamp from a trusted Timestamp Authority (TSA) according to RFC 3161, RFC 5816 and ETSI EN 319 422, and embed it in the generated signature. TSA details can be read from AATL certificates to create timestamps without any configuration.
  • Create document-level timestamp signatures according to ISO 32000-2 and PAdES part 4. A document-level timestamp assures the state of a document without applying any personal signature.

Cryptographic Signature Details

  • Signatures according to the RSA and DSA algorithms as well as the Elliptic Curve Digital Signature Algorithm (ECDSA). PKCS#1 v1.5 and PKCS#1 v2.1 (PSS) encoding for RSA are supported.
  • Strong signature and hash functions.
  • Embed the full certificate chain in the generated signatures, which means that signatures with certificates from a CA (Certificate Authority) on the Adobe Approved Trust List (AATL) or European Union Trust List (EUTL) can be validated in Acrobat and Adobe Reader without any configuration on the client side.
  • Embed Online Certificate Status Protocol responses (OCSP according to RFC 2560 and RFC 6960) and Certificate Revocation Lists (CRL according to RFC 3280) as revocation information for Long-Term Validation (LTV).

Signature Engines

PLOP DS supports multiple cryptographic engines, i.e. components for generating digital signatures:

  • The built-in engine implements the required cryptographic functions directly in PLOP DS without any external dependencies. The built-in engine supports software-based digital IDs in the common PKCS#12 and PFX formats.
  • PLOP DS can attach cryptographic tokens via the standard PKCS#11 interface. This way digital IDs on smartcards, USB sticks, and other secure devices can be used for signing. This includes devices with an integrated keyboard for secure PIN input.
  • The PKCS#11 engine can also be used to sign with a Hardware Security Module (HSM). HSMs offer secure key storage and ample performance for high-volume signing applications. PLOP DS uses PKCS#11 sessions to maximize performance of bulk signatures with HSMs. PLOP DS can also be used with HSMs in the cloud such as AWS CloudHSM
  • On Windows PLOP DS can leverage the cryptographic infrastructure provided by the operating system (MSCAPI). Digital IDs from the Windows certificate store can be used for signing, including software-based digital IDs and secure hardware tokens. Note that not all signature features are available with the MSCAPI engine, e.g. LTV.
  • Alternatively a user-supplied cryptographic engine can be used to ensure that all cryptographic operations (hashing and signing) are performed in a dedicated cryptographic library.


PLOP DS Library or Command-Line Tool?

PLOP DS is available as a programming library (component) for various development environments and as a command-line tool for batch operations. Library and command-line tool offer similar features, but are suitable for different deployment tasks.

The PLOP DS programming library is used for integration in desktop or server application. Programming examples for using the library with all supported language bindings are included in the PLOP DS package. Since the PLOP DS library accepts PDF input documents from a disk file or directly in memory it can easily be combined with other products. For example, using the combination of PDFlib and PLOP DS you can create PDF invoices and sign them before sending them to the customers.

The PLOP DS command-line tool is suited for batch processing PDF documents. It doesn’t require any programming, but offers powerful command-line options which can be used to integrate it into complex workflows.

Supported Development Environments

PDFlib PLOP DS is everywhere - it runs on practically all computing platforms. We offer 32-bit and 64-bit packages for all common flavors of Windows, macOS and Linux.

The PLOP DS core is written in highly optimized C and C++ code for maximum performance and small overhead. Via a simple API (Application Programming Interface) the PLOP DS functionality is accessible from a variety of development environments:

  • C and C++
  • Java
  • .NET
  • Objective-C (macOS) and Swift
  • Perl
  • PHP
  • Python
  • Ruby