SecurityHandler methods

login

5.0

Provides a mechanism by which digital IDs can be accessed and selected for a particular Security Handler. Through the user interface, a default digital ID can be selected that persists either eternally or for as long as the application is running. If such a selection has been made through the UI, it might not be necessary to log into a Security Handler prior to using the digital ID.

Parameters tend to be specific to a particular handler. The behavior for Adobe.PPKLite and Adobe.PPKMS handlers is specified below.

The parameters cPassword and cDIPath are provided for backward compatibility, or they can be included as properties of the oParams object. This latter method is the preferred calling convention beginning in Acrobat 6.0.

See also logout, newUser, and loginName.

Parameters

cPassword	(optional, Acrobat 5.0) The password necessary to access the password-protected digital ID. This parameter is supported by Adobe.PPKLite for accessing digital ID files and PKCS#11 devices.
cDIPath	(optional, Acrobat 5.0) A device-independent path to the password-protected digital ID file or a PKCS#11 library. This parameter is supported by Adobe.PPKLite.
oParams	(optional, Acrobat 6.0) A LoginParameters object with parameters that are specific to a particular SecurityHandler object. The common fields in this object are described below. These fields include the cDIPath and cPassword values, thus allowing the parameter list to be expressed in different ways.
bUI	(optional, Acrobat 6.0) Set to true if the user interface should be used to log the user in. If set to false, the default engine associated with the user interface is not used and the logged in state for the digital ID is not shown in the Security Settings dialog box. This attribute should be supported by all security handlers that support this method.

Returns

Returns true if the login succeeded, false otherwise.

LoginParameters Object

This generic JavaScript object contains parameters for the login method. It has the following properties:

Property	Type	Version	Description
cDIPath	String	5.0	The path to a file that contains the digital ID or a PKCS#11 library. Supported by Adobe.PPKLite security handler.
cPassword	String	6.0	A password that is used to authenticate the user. This password may be used to access a password-protected digital ID file or a PKCS#11 device. Supported by Adobe.PPKLite security handler. Note that Acrobat does not guarantee that this password is obfuscated in memory.
cPFX	String	7.0	(optional) A hex-encoded PFX to log in to. If this parameter is specified, it takes precedence over cDIPath. Note:This parameter is only used internally. Currently, there is no way to retrieve a hex encoded PFX file through JavaScript.
oEndUserSignCert	generic object	6.0	Selects a digital ID for the purpose of performing end-user signing. The value of this property is a Certificate object (or a generic object with the same property names as a Certificate object), which defines the certificate that is being selected. It may not be necessary to call this method for a particular handler. For example, if logged in to a PKCS#12 file containing one signing digital ID with Adobe.PPKLite, a signing credential does not need to be selected. All security handlers must be able to process the binary and SHA1Hash properties of this object. This object can be empty if bUI is true.
cMsg	String	6.0	A message to display in the login dialog box, if bUI is true.
cURI	String	7.0	URI used to connect to a server. Supported by Adobe.APS and Adobe.PPKLite handlers. In the case of Adobe.PPKLite, the URI specifies a Roaming Credential server.
cUserId	String	7.0	User name used when connecting to a server. Supported by the Adobe.APS and Adobe.PPKLite handlers.
cDomain	String	7.0	Domain name used when connecting to a server. Only supported by the Adobe.APS handler.
iSlotID	Integer	7.0	Specifies the slot ID of a PKCS#11 device to log into. This parameter is supported by the Adobe.PPKLite handler only.
cTokenLabel	String	7.0	Specifies the token label of a PKCS#11 device to log into. This parameter is supported by the Adobe.PPKLite handler only.

Example 1

// Use the "Adobe.PPKLite" security handler object for the UI

var ppklite = security.getHandler( security.PPKLiteHandler, true );

var oParams = { cPassword: "dps017", cDIPath: "/C/DPSmith.pfx" }

ppklite.login( oParams );

<..... make a signature field and sign it ......>

ppklite.logout();

Use UI to select a credential, when already logged in.

ppklite.login(

{ oParams:

{ oEndUserSignCert: {},
cMsg: "Select your Digital ID" },

bUI : true

} );

var oCert = { SHA1Hash: "00000000" };

ppklite.login(

{ oParams:

{ cDIPath: "/C/test/DPSmith.pfx",
cPassword: "dps017",

oEndUserSignCert: oCert,

cMsg: "Select your Digital ID"

},
bUI : true

});

Example 2

Use the "Adobe.PPKMS" security handler object, and select the credentials to use when signing.

var ppkms = security.getHandler( "Adobe.PPKMS" );

var oCert = myCerts[0];

ppkms.login( { oParams: { oEndUserSignCert: oCert } } );

Example 3

Use security.APSHandler, see security constants.

var aps = security.getHandler( security.APSHandler, true );

var oParams = { cUserName: "Acrobat", cPassword: "adobedon" };

aps.login( oParams );

<..... encrypt a document using this handle and a policy id .....>

aps.logout();

See signatureSign for details on signing a PDF document.

logout

5.0

Logs out for the SecurityHandler object. This method is used by Adobe.PPKLite, not by Adobe.PPKMS.

Also see the login method.

Returns

Beginning in Acrobat 6.0, returns true if the logout succeeded, false otherwise. Previous Acrobat releases did not generate a return value.

newDirectory

5.0

Returns a new Directory object. This object must be activated using its info property before it is marked for persistence and before it can be used for searches. Existing directory objects can be discovered using the directories property.

Returns

A new Directory object

newUser

5.0

Supports enrollment with Adobe.PPKLite and Adobe.PPKMS security handlers by creating a new self-sign credential.

Note:This method will not allow the user to overwrite an existing file.

Parameters

cPassword	(optional) The password necessary to access the password-protected digital ID file. This parameter is ignored by Adobe.PPKMS.
cDIPath	(optional) The device-independent path to the password-protected digital ID file. This parameter is ignored by Adobe.PPKMS. Note:Beginning with Acrobat 6.0, the parameter cDIPath must be a safe path (see Safe path) and end with the extension .pfx.
oRDN	The relative distinguished name (RDN) as an RDN object, containing the issuer or subject name for a certificate. The only required field is cn. If the country c is provided, it must be two characters, using the ISO 3166 standard (for example, “US”).
oCPS	(optional, Acrobat 6.0) A generic object containing certificate policy information that will be embedded in the Certificate Policy extension of the certificate. The object has these properties: oid is required and indicates the certificate policy object identifier. url (optional) is a URL that points to detailed information about the policy under which the certificate has been issued notice (optional) is an abridged version of the information, embedded in the certificate.
bUI	(optional, Acrobat 6.0) If true, the user interface can be used to enroll. This parameter is supported by all security handlers that support this method.
cStore	(optional, Acrobat 7.0) A string identifying the store where the generated credential has to be stored. For the Adobe.PPKLite security handler, the valid store identifiers are “PKCS12” and “MSCAPI”. If this parameter is omitted and cDIPath is provided, the generated credential is stored in a PKCS#12 file, else it is stored in the CAPI store.

Returns

true if successful, throws an exception if not successful.

Example 1

Create a new PPKLite self-sign credential (Acrobat 5.0 syntax)

var ppklite = security.getHandler(security.PPKLiteHandler);

var oRDN = { cn: "Fred NewUser", c: "US" };

var oCPS = {oid: "1.2.3.4.5",

url: "http://www.example.com/mycps.html",

notice: "This is a self generated certificate, hence the "

+ "recipient must verify it’s authenticity through an out "

+ "of band mechanism" };

ppklite.newUser( "testtest", "/d/temp/FredNewUser.pfx", oRDN, oCPS);

// Alternate generic object syntax, allowing additional parameters

var oParams = {

cPassword : "myPassword",

cDIPath : "/d/temp/FredNewUser.pfx",

oRDN : oRDN,

oCPS : oCPS,

bUI : false

};

ppklite.newUser( oParams );

Example 2

Use a certificate from an existing signed field to create the RDN

var f = this.getField( "mySignature" );

f.signatureValidate();

var sigInfo = f.signatureInfo();

var certs = sigInfo.certificates;

var oSubjectDN = certs[0].subjectDN;

ppklite.newUser({

cPassword: "dps017",

cDIPath: "/c/temp/DPSmith.pfx",

oRDN: oSubjectDN

});

setPasswordTimeout

5.0

Sets the number of seconds after which password should expire between signatures. This method is only supported by the Adobe.PPKLite security handler. For this handler the default timeout value for a new user is 0 (password always required).

Parameters

cPassword	The password needed to set the timeout value.
iTimeout	The timeout value, in seconds. Set to 0 for always expire (that is, password always required). Set to 0x7FFFFFFF for never expire.

Returns

Throws an exception if the user has not logged in to the Adobe.PPKLite security handler, or unsuccessful for any other reason.

Example

This example logs in to the PPKLite security handler and sets the password timeout to 30 seconds. If the password timeout has expired—30 seconds in this example—the signer must provide a password. The password is not necessary if the password has not timed out.

var ppklite= security.getHandler( "Adobe.PPKLite" );

ppklite.login( "dps017", "/d/profiles/DPSmith.pfx" );
ppklite.setPasswordTimeout( "dps017", 30 );