eusig-bundle

Symfony bundle for authentin/eusig — adds DI, configuration, and autowiring for eIDAS-compliant electronic signatures.

Installation

composer require authentin/eusig-bundle

You also need a PSR-18 HTTP client and PSR-17 factories:

composer require symfony/http-client nyholm/psr7

Prerequisites

A running EU DSS instance:

docker run -d -p 8080:8080 ghcr.io/authentin/dss:latest

Configuration

# config/packages/eusig.yaml
eusig:
    dss:
        base_url: '%env(DSS_BASE_URL)%'     # Required. e.g. http://localhost:8080/services/rest

    token:                                    # Optional. Omit if you only need validation.
        type: pkcs12                          # Currently supported: pkcs12
        path: '%env(PKCS12_PATH)%'            # Path to the .p12 keystore file
        password: '%env(PKCS12_PASSWORD)%'    # Keystore password (use env vars!)

    defaults:                                 # Optional. Sensible defaults are provided.
        signature_level: PAdES_BASELINE_B     # Any value from SignatureLevel enum
        digest_algorithm: SHA256              # Any value from DigestAlgorithm enum

Autowired services

The bundle registers these services, available via autowiring:

Interface	Service	Always available
SigningClientInterface	DSS signing client	Yes
ValidatorInterface	DSS validator	Yes
TokenInterface	PKCS#12 token	Only when token is configured
SignerInterface	Signer (signing client + token)	Only when token is configured

Usage

Signing a PDF

use Authentin\Eusig\Contract\SignerInterface;
use Authentin\Eusig\Model\Document;
use Authentin\Eusig\Model\SignatureLevel;
use Authentin\Eusig\Model\SignatureParameters;
use Symfony\Component\HttpFoundation\Response;

class SignController
{
    public function __invoke(SignerInterface $signer): Response
    {
        $signed = $signer->sign(
            Document::fromLocalFile('/path/to/document.pdf'),
            new SignatureParameters(signatureLevel: SignatureLevel::PAdES_BASELINE_B),
        );

        return new Response($signed->content, 200, [
            'Content-Type' => 'application/pdf',
            'Content-Disposition' => 'attachment; filename="signed.pdf"',
        ]);
    }
}

Validating a signature

use Authentin\Eusig\Contract\ValidatorInterface;
use Authentin\Eusig\Model\Document;

class ValidateController
{
    public function __invoke(ValidatorInterface $validator): Response
    {
        $result = $validator->validateSignature(
            Document::fromLocalFile('/path/to/signed.pdf'),
        );

        return $this->json([
            'valid' => $result->valid,
            'signatures' => $result->signaturesCount,
        ]);
    }
}

Extending a signature

use Authentin\Eusig\Contract\SigningClientInterface;
use Authentin\Eusig\Model\Document;
use Authentin\Eusig\Model\SignatureLevel;
use Authentin\Eusig\Model\SignatureParameters;

class ExtendController
{
    public function __invoke(SigningClientInterface $signingClient): Response
    {
        $extended = $signingClient->extendDocument(
            Document::fromLocalFile('/path/to/signed.pdf'),
            new SignatureParameters(signatureLevel: SignatureLevel::PAdES_BASELINE_T),
        );

        $extended->saveToFile('/path/to/extended.pdf');

        // ...
    }
}

Custom token

To use a different signing backend (HSM, remote provider), implement TokenInterface and register it:

# config/services.yaml
services:
    App\Signing\MyHsmToken:
        tags: ['authentin.eusig.token']

    Authentin\Eusig\Contract\TokenInterface:
        alias: App\Signing\MyHsmToken

Then omit the token section from eusig.yaml — the bundle will use your service.

Standalone usage

For non-Symfony projects, use authentin/eusig directly.

License

MIT