Distributed Signing Word 2013 document

#25444
Posted: 06/25/2013 09:38:46
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Hi, we are assessing the EldoS SDK before buying and need the following answers to make the final decision.

We need distributed signing of MS Word 2013 document.

There is a sample named "DistributedPDFSigner", but it is for PDFs. MS Word documents are a bit different compared to PDFs as they contain OpenXMLDocument, OpenXPSDocument and binary data in them. We would really appreciate it if you can provide us with a sample signing a Word document in a distributed manner. It would be ideal if the signing in the sample is X-L (i.e. including timestamp and revocation info).

Another question is regarding the signing process.

Code
TElDCStandardServer server = new TElDCStandardServer();
...
server.Process(reqStream, respStream, new TElDCXMLEncoding(), new TElDCXMLEncoding());


In the above piece of code, server.Process() method supposedly signs reqStream and puts the signature in respStream. But does respStream contain the whole document along with signature content or just the signature data?

Also, is it possible to replace the
Code
server.Process()
method's functionality completely with custom code? Actually, we want the actual signing to be performed by our code.

Thanks in advance
#25447
Posted: 06/25/2013 10:39:17
by Ken Ivanov (EldoS Corp.)

Hello Jahangir,

Thank you for your interest in our products.

While the structure of Office documents is indeed different from that of PDF ones, the signing is performed in a fairly similar way - you call the InitiateAsyncSign() method of the appropriate signature handler at the pre-signing stage (which produces a pre-signed document and the state to be passed to the signer), and the CompleteAsyncState() method at the finalization stage (which builds a final signed document from the pre-signed document and the state obtained from the signer).

I invite Dmytro to join us here in this topic and come up with a small code snippet.

Quote
In the above piece of code, server.Process() method supposedly signs reqStream and puts the signature in respStream. But does respStream contain the whole document along with signature content or just the signature data?

RespStream only contains a so-called 'state', a structure containing the signature itself together with some auxiliary protocol-specific information. Both reqStream and respStream are fairly small in size (up to a couple of kilobytes).

Quote
Also, is it possible to replace the server.Process() method's functionality completely with custom code?

Not exactly in this way, but yes, you can intercept the signing process. This is performed by creating a descendant of TElDCSignOperationHandler class and overriding its Sign() method. The Sign() method (implemented by you) must produce a signature from the hash passed to it by the owning TElDCStandardServer object.
#25450
Posted: 06/26/2013 01:57:37
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Thanks Ken for your prompt reply, we really appreciate it.

Quote
I invite Dmytro to join us here in this topic and come up with a small code snippet.

This is what we need in order to proceed further in our testing.

Regarding your info above:
Quote
This is performed by creating a descendant of TElDCSignOperationHandler class and overriding its Sign() method. The Sign() method (implemented by you) must produce a signature from the hash passed to it by the owning TElDCStandardServer object.


This might be exactly what we were looking for. Do you have a sample for this as well?

Our goal is to be able to provide our server with the data to be signed in the form of bytes; our server would sign the bytes, and then put the signature back into the MS Word doc. So if we create a descendant of TElDCSignOperationHandler, would we be able to achieve our mentioned goal?
#25457
Posted: 06/26/2013 04:17:00
by Ken Ivanov (EldoS Corp.)

Hello Jahangir,

Quote
This is what we need in order to proceed further in our testing.

I've just had a chat with Dmytro. He is brushing up the OfficeBlackbox + DC sample at the moment, so I hope we will be able to give you the complete and working sample either later today or tomorrow.

Quote
This might be exactly what we were looking for. Do you have a sample for this as well?

A typical implementation of the sign operation handler has the following look:
Code
    class MyDCSignOperationHandler : TElDCSignOperationHandler
    {
        protected override byte[] Sign(byte[] Data, byte[] HashAlg, bool IncludeKeys, SBRDN.TElRelativeDistinguishedName Keys, SBRDN.TElRelativeDistinguishedName Pars)
        {
            // Inputs:
            // Data contains a hash value to sign.
            // HashAlg contains the hash algorithm OID in ASN.1 encoded form.
            // IncludeKeys specifies whether the signer should include its certificate chain into the response.
            // Keys receives the signing certificate and the rest of the chain when IncludeKeys is set (see step 2 below).
            // Pars contains additional operation parameters.

            // Output:
            // The method should return an array containing an RSA PKCS#1 signature over the Data.

            // (1) Signing the hash by passing sign request to some external 'black box'.
            byte[] signature = ExternalSigner.Sign(Data, HashAlg);

            // (2) Including the certificates if asked.
            if (IncludeKeys)
            {
                // The signer's certificate should be provided separately from the rest of the chain.
                Keys.Add(SBDCPKIConstants.Unit.SB_OID_DC_SIGNING_CERTIFICATE, ExternalSigner.GetSigningCertBlob(), SBASN1Tree.Unit.SB_ASN1_OCTETSTRING);

                for (int i = 0; i < ExternalSigner.Chain.Count; i++)
                {
                    Keys.Add(SBDCPKIConstants.Unit.SB_OID_DC_CERTIFICATE, ExternalSigner.Chain[i].GetCertBlob(), SBASN1Tree.Unit.SB_ASN1_OCTETSTRING);
                }
            }

            // (3) Exiting.
            return signature;
        }
    }


ExternalSigner in the snippet above is a class that redirects sign operations to some external device or cryptographic module.

Quote
Our goal is to be able to provide our server with data to be signed in form of bytes, and our server would sign the bytes, and then put the signature back into the MSWord doc. So if we create the descendant of TElDCSignOperationHandler, would we be able to achieve our mentioned goal?

Yes, server-side (signing-side) DC components work with bytes. The server gets a document hash as a byte array and should return another byte array containing the corresponding RSA PKCS#1 signature.
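The two-stage flow Ken describes in his first reply (the pre-signing stage producing a small state for the signer, the signer returning a PKCS#1 signature over the hash, the finalization stage folding that state back into the document) together with the Sign() handler in his snippet, shown here as an added example in Go that is not part of this thread and does not use the EldoS SDK. It uses only the Go standard library; the type names SignRequest, SignResponse and SigningServer and the functions PreSign, Complete and NewTestServer are this example's own assumptions, and the document content and the self-signed certificate are constructed for it. What it adds beyond the snippet is the checks a practitioner would want on both sides: the signing side refuses a hash whose algorithm or length it does not expect, and the document side verifies the returned signature against the signer certificate before it is embedded, so a corrupted or substituted response is rejected rather than written into the document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SHA-256 OID; stands in for the DER-encoded HashAlg the thread's Sign() handler receives.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// SignRequest is the small "state" sent to the signing side: the hash, its algorithm and whether certificates are wanted back.
type SignRequest struct {
	HashAlg     asn1.ObjectIdentifier
	Hash        []byte
	IncludeKeys bool
}
// SignResponse is the state sent back: the PKCS#1 v1.5 signature plus, when asked for, the DER certificate chain (signer first).
type SignResponse struct {
	Signature []byte
	Certs     [][]byte
}
// SigningServer plays the role of the overridden Sign() method: it owns the key and only ever sees hashes (hypothetical type).
type SigningServer struct {
	Key   *rsa.PrivateKey
	Chain [][]byte
}

// Sign validates the request before the key is used, so a hash of the wrong algorithm or length is never signed blindly.
func (s *SigningServer) Sign(req SignRequest) (SignResponse, error) {
	if !req.HashAlg.Equal(oidSHA256) {
		return SignResponse{}, errors.New("unsupported hash algorithm")
	}
	if len(req.Hash) != sha256.Size {
		return SignResponse{}, errors.New("hash length does not match SHA-256")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, req.Hash)
	if err != nil {
		return SignResponse{}, err
	}
	resp := SignResponse{Signature: sig}
	if req.IncludeKeys {
		resp.Certs = s.Chain
	}
	return resp, nil
}

// PreSign is the document holder's "initiate" stage: hash the content and build the request; the document itself never leaves.
func PreSign(content []byte, includeKeys bool) SignRequest {
	h := sha256.Sum256(content)
	return SignRequest{HashAlg: oidSHA256, Hash: h[:], IncludeKeys: includeKeys}
}

// Complete is the document holder's finalization stage: the returned signature is verified against the
// signer certificate and the locally recomputed hash before anything is embedded in the document.
func Complete(content []byte, resp SignResponse) (*x509.Certificate, error) {
	if len(resp.Certs) == 0 {
		return nil, errors.New("response carries no signer certificate")
	}
	cert, err := x509.ParseCertificate(resp.Certs[0])
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("signer certificate does not hold an RSA key")
	}
	h := sha256.Sum256(content)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], resp.Signature); err != nil {
		return nil, fmt.Errorf("signature does not match the document: %w", err)
	}
	return cert, nil
}

// NewTestServer generates a key and a self-signed certificate (constructed for this example; a real signing side would use an HSM or a CA-issued certificate).
func NewTestServer() (*SigningServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Signing Server (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &SigningServer{Key: key, Chain: [][]byte{der}}, nil
}
```

A run goes PreSign(document, true) on the document side, Sign(request) on the signing side, then Complete(document, response) back on the document side; the request and response are a few hundred bytes regardless of document size, which is the property Ken points out about reqStream and respStream.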
#25458
Posted: 06/26/2013 06:08:35
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Quote
I've just had a chat with Dmytro. He is brushing up OfficeBlackbox + DC sample at the moment, so I hope we will be able to give you the complete and working sample either later today or tomorrow.


That's awesome :)

The sample code is also very helpful. We'll work with it for our tests. Thanks.

Quote
Yes, server-side (signing-side) DC components work with bytes. The server gets a document hash as a byte array and should return another byte array containing the corresponding RSA PKCS#1 signature.

This is very good news.

Thanks for your prompt and valuable help Ken, we will use the provided info on our side for exploring the EldoS SDK further. Kindly let us know when you have the sample ready.

Ken, as we will be using X-L (extended long-term) signatures, we will need to embed our timestamping and revocation info in the signature. So we will need your help in understanding the procedure for achieving that as well.

Thanks
#25471
Posted: 06/28/2013 01:19:28
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Hi Ken,

Just wanted to know if the sample was ready. We have been modifying the DCPDFSigner sample to work for Word documents but there are too many subtle differences between the involved classes for the two procedures. So, we really need that sample to complete our "proof of concept" test.

Regards
#25472
Posted: 06/28/2013 02:31:00
by Dmytro Bogatskyy (EldoS Corp.)

I will create a helpdesk ticket and will attach the sample. You will receive notification by e-mail when the ticket is available.
#25473
Posted: 06/28/2013 04:14:58
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

That's great news. We will be waiting for the email. Thanks for your help Ken. Much appreciated.
#25474
Posted: 06/28/2013 04:20:19
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Update: Just received the email with the sample. Our team will start working on it. We will contact you wherever we need assistance. Thanks again.

P.S.: Thanks to Dmytro as well for his quick efforts :)
#25536
Posted: 07/04/2013 08:50:00
by Jahangir Shah (Basic support level)
Joined: 06/25/2013
Posts: 18

Hi,

We have been working with your provided sample. The sample is web based, and in order to completely understand the workings of the EldoS API, our developers have combined the entire signing operation in one console application.

The provided sample seems to be creating an invisible signature of type XAdES_EPES. Our requirement is to sign a visible, already present signature line, of type XAdES_X_L, with timestamp and revocation info.

Attached is the sample code our devs are working with, to create a visible XAdES_X_L signature.

The problem is that if we try to sign an existing signature line, then InitiateAsyncSign() starts throwing an exception. Furthermore, the signing process is taking a lot of time as well.

Kindly have a look at the sample and help us make it work. Thanks.
