EldoS | Feel safer!

Is it possible to create visible Asynch Office Signatures

#23125
Posted: 01/10/2013 09:54:46
by wahaj khan (Basic support level)
Joined: 01/10/2013
Posts: 8

Hi Guys,

I am working on a project to digitally sign OOXML, binary and Open Office documents. I have looked at the .Net and Java samples. I have a few questions which will help me decide whether to buy EldoS for the upcoming project or not.

1) In visible signatures, what can be set, i.e. text, images etc.? I believe a complex signature appearance can be created which contains a mixture of text and images. For visible signatures, can I specify the position where the signature needs to be placed, i.e. page, X,Y location, signature line height and width? Is there a sample or function which can further guide me on this?

2) Is it possible to get the hash from your office signing API so that I can sign it myself without requiring the Distributed Crypto Add-on, and then, once the signature is created (i.e. XMLDSig), supply it to the office signing API for further processing? I believe this avoids the license for the Distributed Crypto Add-on. If not, and I need a license for Distributed Crypto, can I still use my own applet to sign stuff without using yours?

3) What hashing algorithms do you guys support, i.e. SHA1, SHA2?

I need to know the answer for both Java and .Net (Windows only).
#23133
Posted: 01/10/2013 13:30:41
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
1) In visible signatures, what can be set, i.e. text, images etc.? I believe a complex signature appearance can be created which contains a mixture of text and images. For visible signatures, can I specify the position where the signature needs to be placed, i.e. page, X,Y location, signature line height and width? Is there a sample or function which can further guide me on this?

Open document format (ODF) doesn't support visible signatures.
For binary documents and OOXML documents you can attach a signature to an existing signature line. And you can modify some info for a signature, see the TElOfficeXMLSignatureInfoV1 class properties: http://www.eldos.com/documentation/sb...nfov1.html
But the component doesn't support adding new signature lines, because it would require deep knowledge of the document structure; it is a complicated task which is out of scope of SecureBlackbox functionality.
For XPS documents the component supports adding signature definitions (visible signature info).
Quote
2) Is it possible to get the hash from your office signing API so that I can sign it myself without requiring the Distributed Crypto Add-on, and then, once the signature is created (i.e. XMLDSig), supply it to the office signing API for further processing? I believe this avoids the license for the Distributed Crypto Add-on. If not, and I need a license for Distributed Crypto, can I still use my own applet to sign stuff without using yours?

No. The methods InitiateAsyncSign and CompleteAsyncSign require the SecureBlackbox.DC assembly, which requires a Distributed Crypto Add-on license.
Quote
3) What hashing algorithms do you guys support, i.e. SHA1, SHA2?

Yes, they are supported. For the list of supported digest methods see: http://www.eldos.com/documentation/sb...ethod.html
#23137
Posted: 01/11/2013 07:59:34
by wahaj khan (Basic support level)
Joined: 01/10/2013
Posts: 8

OK thanks.

So in binary and OOXML there is no way to add a new Signature Line and only existing ones can be signed using visible/invisible - Fine.

Quote
For XPS documents a component support adding of signature definitions (visible signature info).

So I believe this does support adding a Signature Line at custom locations and then signing?

Quote
No. The methods InitiateAsyncSign and CompleteAsyncSign require the SecureBlackbox.DC assembly, which requires a Distributed Crypto Add-on license.

OK, but can I use my own applet instead of using yours? OR somehow wrap yours in mine. I believe the

Separately, is it possible that once a signed Word document arrives I can extract the digital certificate for some advanced certificate validation? I think I read somewhere on your website that it can be done. Also, can it extract the timestamp if present?
#23138
Posted: 01/11/2013 08:25:54
by Dmytro Bogatskyy (EldoS Corp.)

Quote
OK, but can I use my own applet instead of using yours? OR somehow wrap yours in mine. I believe the

Yes. With a license you will get the source code of our applet and you are free to change it as you want.
Quote
Separately, is it possible that once a signed Word document arrives I can extract the digital certificate for some advanced certificate validation? I think I read somewhere on your website that it can be done. Also, can it extract the timestamp if present?

Yes, you can extract a signing certificate and additional certificates. Please see SignerCertificate and Certificates/IntermediateCertificatesStorage properties of the signature handler. Also please check SecureOffice sample, it shows how to extract and validate certificates.
As for timestamps, you can use XAdESProcessor property of the signature handler to extract XAdES info (including timestamps). Please check XMLBlackbox\AdvancedSigner sample.
#23139
Posted: 01/11/2013 08:44:08
by wahaj khan (Basic support level)
Joined: 01/10/2013
Posts: 8

Fine.

Quote
For XPS documents the component supports adding signature definitions (visible signature info).

So I believe this does support adding a Signature Line at custom locations and then signing?

Also, say the client signed and returned the XML signature to the server. Now, to embed revocation and timestamp information inside this XML signature, can we override the SDK logic to supply the timestamp and revocation information rather than the SDK pulling it itself?
#23140
Posted: 01/11/2013 09:35:48
by Dmytro Bogatskyy (EldoS Corp.)

Quote
So I believe this does support adding a Signature Line at custom locations and then signing?

Yes. See: TElOfficeOpenXPSSignatureDefinition
Quote
Also, say the client signed and returned the XML signature to the server. Now, to embed revocation and timestamp information inside this XML signature, can we override the SDK logic to supply the timestamp and revocation information rather than the SDK pulling it itself?

Yes, you can use your own timestamp server or calculate a timestamp yourself, and for revocation info you can also add custom certificates, CRLs and OCSP responses.
#23192
Posted: 01/15/2013 10:03:58
by wahaj khan (Basic support level)
Joined: 01/10/2013
Posts: 8

Thanks..

Two more queries:

1) For a signature line, can I find the X,Y coordinates, page and size?

2) I tried to create 4 documents with signature lines and tried to sign with the sample signing app provided with the SecBBoxNetSetup.exe. Here are the results:

OOXML: Signed the signature line successfully
DOC: Created a new invisible signature and didn't sign the signature line
XPS: Created a new invisible signature and didn't sign the signature line
ODF: Created a new invisible signature and didn't sign the signature line

Are the results expected?

Quote
But the component doesn't support adding new signature lines, because it would require deep knowledge of the document structure; it is a complicated task which is out of scope of SecureBlackbox functionality.

Is this in your road-map? Our client's use case does require this badly.
#23198
Posted: 01/15/2013 17:31:34
by Dmytro Bogatskyy (EldoS Corp.)

Quote
1) For a signature line, can I find the X,Y coordinates, page and size?

No, it is not supported.
Quote
2) I tried to create 4 documents with signature lines and tried to sign with the sample signing app provided with the SecBBoxNetSetup.exe. Here are the results:

Quote
DOC: Created a new invisible signature and didn't sign the signature line

Binary documents have limited support for signature lines. If you know the GUID of the signature line, you can set it in the SignatureHandler.SignatureInfoV1.SetupID property to attach a signature to the existing signature line. At the moment the component doesn't extract the GUIDs of existing signature lines from a binary document.
Quote
XPS: Created a new invisible signature and didn't sign the signature line

What viewer did you use? For example, Microsoft XPS Viewer doesn't support visible signatures.
Quote
ODF: Created a new invisible signature and didn't sign the signature line

As I mentioned before, the ODF format doesn't support signature lines. If you have a sample document that does have a signature line, then please post it here or to the helpdesk.
Quote
Is this in your road-map? Our client's use case does require this badly.

Not yet. You can add a request to our wish-list: http://eldos.com/sbb/wishlist.php
#25064
Posted: 05/27/2013 07:42:33
by wahaj khan (Basic support level)
Joined: 01/10/2013
Posts: 8

Hi Again,

Just wanted to clarify on the following bits:

I have downloaded the trial version, I hope I can experiment with the OOXML Distributed Signature generation concept?

What I am now aiming is this:

1) A .docx (generated with open office 2013) is sent from client to server with a signature line
2) Server identifies the list of signature lines.
3) Server starts signing of one of the signature lines
4) As a custom handler is implemented, hashing and signing will be done by the business app running on the server. In my case there is no applet, ActiveX or Flex. So I don't want the hash to be sent to the client, as the private keys are already held by the business application.

In 4., what signature format is expected by your engine? An XMLDSig structure or PKCS#1?

I would also be required to fill in the timestamp and revocation information myself. Can this be done via a handler, i.e. the engine calls the handler to get the revocation and timestamp information? If the handler can't be called for this information, what alternative do I have? Can you point me to the required documentation which helps me understand this?

Also, can you point me to the required documentation which mentions which handler functions are called to retrieve the hash and signature?

I believe I need to implement TElOfficeOpenXMLBaseSignatureHandler.

Do you have a sample handler based on TElOfficeOpenXMLBaseSignatureHandler?

I am starting for a Proof of Concept with trial version this week so need to know what's possible and what's not.

Regards,
Wahaj
#25067
Posted: 05/27/2013 09:42:23
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
4) As a custom handler is implemented, hashing and signing will be done by the business app running on the server. In my case there is no applet, ActiveX or Flex. So I don't want the hash to be sent to the client, as the private keys are already held by the business application.

In 4., what signature format is expected by your engine? An XMLDSig structure or PKCS#1?

As you have the document and the certificate on the server, you may let the component perform signing on the server.
If you need to perform signing on your side, then you may use the distributed signing components to obtain a hash, and then sign it with a PKCS#1 signature (the returned signature will be placed inside the XML-DSig structure).
Please see this article: https://www.eldos.com/security/articles/7477.php
If you want to perform hashing of the data on your side too, then it might be easier to replace the default cryptoprovider than to reimplement a signature handler. It is not a standard practice to perform hashing on your side.

Quote
I would also be required to fill in the timestamp and revocation information myself. Can this be done via a handler, i.e. the engine calls the handler to get the revocation and timestamp information? If the handler can't be called for this information, what alternative do I have? Can you point me to the required documentation which helps me understand this?

Yes, it could be done. For the timestamp you can use TElFileTSPClient. TElFileTSPClient has OnTimestampNeeded event where you get the block that needs to be sent to the server, and your code would be able to send that block to the server and return the response.
The custom revocation information could be set using XAdESProcessor property of the TElOfficeOpenXMLSignatureHandler class.
See: https://www.eldos.com/documentation/sb...igner.html or sample XMLBlackbox\AdvancedSigner
Quote
I believe I need to implement TElOfficeOpenXMLBaseSignatureHandler.
Do you have a sample handler based on TElOfficeOpenXMLBaseSignatureHandler?

No, we don't have such a sample.
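Added example, not part of this thread and not SecureBlackbox code: step 2 of the plan above (the server identifies the signature lines in a .docx) and the SetupID/GUID relationship mentioned earlier can be checked with the standard library alone. It reads the OOXML package directly, assuming the usual layout (signature lines as `o:signatureline` elements in `word/document.xml`, signature parts under `_xmlsignatures/`, each carrying a `SetupID` in `SignatureInfoV1`); the sample document is constructed inline, and the check only establishes which lines are referenced by a signature part, not whether those signatures are valid.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of OOXML signature lines and Office signature parts
# (assumed from the OOXML/Office digital-signature format, not from SecureBlackbox).
NS_O = "urn:schemas-microsoft-com:office:office"
NS_DSIG = "http://schemas.microsoft.com/office/2006/digsig"

def signature_line_ids(docx_bytes):
    """Return the GUIDs of all signature lines found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return [el.get("id") for el in root.iter("{%s}signatureline" % NS_O)]

def signed_setup_ids(docx_bytes):
    """Return the SetupID referenced by every signature part under _xmlsignatures/."""
    ids = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"_xmlsignatures/sig\d+\.xml", name):
                root = ET.fromstring(z.read(name))
                for el in root.iter("{%s}SetupID" % NS_DSIG):
                    ids.append((el.text or "").strip())
    return ids

def unsigned_signature_lines(docx_bytes):
    """Signature lines that no signature part is attached to yet (server step 2)."""
    signed = set(signed_setup_ids(docx_bytes))
    return [i for i in signature_line_ids(docx_bytes) if i not in signed]

def build_sample_docx():
    """Constructed minimal .docx: two signature lines, the first already signed."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
           'xmlns:o="%s"><w:body>'
           '<w:p><w:r><w:pict><o:signatureline id="{AAAA-1}"/></w:pict></w:r></w:p>'
           '<w:p><w:r><w:pict><o:signatureline id="{BBBB-2}"/></w:pict></w:r></w:p>'
           '</w:body></w:document>' % NS_O)
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Object Id="idOfficeObject">'
           '<SignatureProperties><SignatureProperty Id="idOfficeV1Details">'
           '<SignatureInfoV1 xmlns="%s"><SetupID>{AAAA-1}</SetupID></SignatureInfoV1>'
           '</SignatureProperty></SignatureProperties></Object></Signature>' % NS_DSIG)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("_xmlsignatures/sig1.xml", sig)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("signature lines:", signature_line_ids(sample))
    print("still unsigned:", unsigned_signature_lines(sample))
```

In a real Word document the `o:signatureline` element sits inside a `v:shape`, which the namespace-based `iter` call still finds; the GUID it returns is the value that goes into SetupID when attaching a signature to that line.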
