Documentation menu

Language

PythonJava.NETNode.jsPHP

API reference

All functions raise atick.AtickError on failure.

Signing

sign_pfx_sig.py
atick.sign_pfx(pdf, *, pfx, password, style, placements, mode="single",
    field_name="Atick_1", pades=True, hash_algo="sha256", timestamp=False,
    tsa_url=None, tsa_auth=None, ltv=False, lta=False, doc_tsa_url=None,
    doc_tsa_auth=None, reason=None, location=None, signing_time=None,
    signer_name=None, contents_size=0, certify=0, lock_fields=[], verify=False,
    trusted_roots=[], open_password=None, encrypt_password=None,
    owner_password=None, embed_revocation=True)

Sign pdf (bytes) with a PFX/P12. Returns the signed PDF (bytes).

Besides verify=True (which runs every pre-sign check and refuses to sign on failure), you can enable the individual checks:

  • verify_expiry=True — refuse to sign if the signing certificate has expired / is not yet valid.
  • verify_crl=True — pre-sign CRL revocation check (refuse if revoked).
  • verify_ocsp=True — pre-sign OCSP revocation check.
  • trusted_roots=[der, ...] — extra trusted root certificates (DER bytes) for the checks.
sign_pfx_checks.py
atick.sign_pfx(pdf, pfx, pw, style=..., placements=...,
    verify_expiry=True, verify_crl=True, verify_ocsp=True)
sign_pkcs11_sig.py
atick.sign_pkcs11(pdf, *, dll, pin, serial, style, placements, ...)

Sign with a PKCS#11 token / smart-card / HSM. Same options as sign_pfx (no PFX/encryption args).

sign_winstore_sig.py
atick.sign_winstore(pdf, *, style, placements, thumbprint=None, ...)

Sign with a certificate from the Windows store. thumbprint=None opens the certificate picker.

pkcs11_list_sig.py
atick.pkcs11_list(dll, pin)

Return [(serial_hex, common_name), …] for the certificates on a token.

Deferred / remote-key signing

prepare_deferred_sig.py
atick.prepare_deferred(pdf, style, *, page=1, rect=..., field_name="Atick_1",
    sub_filter="adbe.pkcs7.detached", ..., contents_size=16384, hash_algo="sha256")

Add an empty signature field + appearance + container; returns(prepared_pdf, ctx) where ctx["data"] are the bytes to sign and ctx["digest"] their hash.

prepare_deferred_multi_sig.py
atick.prepare_deferred_multi(pdf, style, placements, *, mode="single",
    field_name="Atick_1", sub_filter="adbe.pkcs7.detached", ..., certify=0, lock_fields=[])

The multi-placement form (one signature, several pages). Returns(prepared_pdf, ctx).

embed_sig.py
atick.embed(prepared, cms_der)

Embed a detached CMS/PKCS#7 into a prepared PDF. Returns the signed PDF.

embed_rawrsa_sig.py
atick.embed_rawrsa(prepared, raw_sig, signer_cert, *, chain=[], hash_algo="sha256")

Embed a raw RSA signature + signer certificate (e.g. an eSign rawrsa reply).

cms_pfx_sig.py
atick.cms_pfx(data, pfx, password, *, hash_algo="sha256", pades=False,
    timestamp=False, tsa_url=None, tsa_auth=None, revocation=False)

A detached CMS over data signed with a PFX. revocation=True adds the RevocationInfoArchival attribute (a pkcs7Pdf-style reply). Returns the CMS (bytes).

sign_hash_pfx_sig.py
atick.sign_hash_pfx(data, pfx, password, *, hash_algo="sha256")

A raw RSA signature over hash(data) with a PFX. Returns(signature, signer_certificate_der).

Low-level field API

prepare_sig.py
atick.prepare(pdf, style, *, page=1, rect=..., field_name="Atick_1")

Add ONE empty signature field with an appearance. Returns the PDF.

prepare_fields_sig.py
atick.prepare_fields(pdf, styles, placements, names)

Add SEVERAL empty fields at once (a template). Returns the PDF.

sign_field_sig.py
atick.sign_field(pdf, field_name, *, sub_filter="adbe.pkcs7.detached", ...)

Attach a container to an existing field by name; returns(prepared_pdf, ctx).

Long-term validation & timestamps

add_ltv_sig.py
atick.add_ltv(pdf, certs, crls=[], ocsps=[])

Add the DSS (validation material) for the given certificates / revocation.

add_doctimestamp_sig.py
atick.add_doctimestamp(pdf, *, tsa_url=None, tsa_auth=None, ltv=True, contents_size=16384)

Append a document timestamp (RFC-3161) over the whole PDF (PAdES-B-LTA).ltv=True also adds the DSS (validation material) for the timestamp's certificate chain.

Documents & utilities

set_metadata_sig.py
atick.set_metadata(pdf, *, title=None, author=None, subject=None, keywords=None,
    application=None, created=None, modified=None)

Set the /Info metadata on an unsigned PDF.

decrypt_sig.py
atick.decrypt(pdf, password)

Decrypt a password-protected PDF; returns the plaintext PDF.

set_fast_signing_sig.py
atick.set_fast_signing(on=True)

Enable/disable the in-memory revocation cache (default on). Disabling also clears it.

clear_revocation_cache_sig.py
atick.clear_revocation_cache()

Forget all cached revocation.

Appearance

style_sig.py
atick.Style(cn="", org="", ou="", location=None, reason=None, text=None,
    date=None, heading="Digitally Signed by:", *, show_mark=True, dn=None,
    image=None, image_rect=None, body=None, green_tick=None, always_check=False,
    mark_color="#FFFF66", mark_gradient=None, font_size=None, text_color=(0, 0, 0),
    bg_color=None, border=False, ..., width=200, height=100)

The verified-signature appearance. image="cn" draws the CN on the left; body= is a custom-text-only appearance (\\n = line,*x* = bold); green_tick=True is the "?" mark,always_check=True the embedded green tick.

Layout fine-tuning attributes:

  • top_reserve=0.32 — fraction of the appearance box height reserved at the top for the logo / validity mark (raise it for a taller logo area).
  • mark_scale, mark_dx, mark_dy — scale and nudge (x / y offset) the validity mark.
  • text_dx, text_top — nudge the text block horizontally / set its top.
  • border_color=(r, g, b), border_width=1.0 — colour and width of the appearance border (with border=True).
  • date_format="%d-%b-%Y %I:%M %p" — strftime format used whendate is not given explicitly.
certify_sig.py
atick.Certify

Certification levels: NONE (0), NO_CHANGES (1),FORM_FILLING (2), FORM_FILLING_ANNOTATIONS (3).

Exceptions

atickerror_sig.py
atick.AtickError

Raised for every failure (bad password, malformed PDF, network error, …).