[PHP] How to digitally sign a PDF/Docx file with usb token

#34587
Posted: 10/02/2015 10:58:04
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
2. If I use the option of CreatePAdES as in the example in C#
Is there anything wrong here?

The PAdES async signing supports two async sign modes: PKCS#1 (default) and PKCS#7.
If PKCS#1 async mode is used for PAdES signing, then it is required to pass the public signing certificate to the component. The public certificate could be passed by the user at some initial step, or it may be known to the service (e.g. the user id used to log in to the service is associated with the public certificate).
As for PKCS#7 async mode, there is no need to pass the public certificate to the component, as it will be embedded into the signature on the client side. But in this case more data is transferred.
To perform async signing in PKCS#7 mode, use the following code:
Code
state = doc->InitiateAsyncOperation(TSBDCAsyncSignMethod::asmPKCS7);

We will fix the sample code. Thank you for pointing this out.
#34612
Posted: 10/06/2015 01:06:07
by Tien Le (Basic support level)
Joined: 08/20/2015
Posts: 13

Thanks for previous help, Dmytro.

One more thing I want to ask is the way to change the visible signature in DC signing. Can you guide on:

---- (1) how to read signature information (such as signer DN, email, CA, etc.) from TElDCAsyncState after the applet submits. I can see the applet shows signature information such as issuer, CN, etc., but I am not sure how to get this outside the applet.

---- and (2) then apply changes (such as signing reason, who is signing, name of signer, etc.) to the PDF visible signature (by WidgetProps)? I tried to get the signature after CompleteAsyncOperation by re-opening the PDF file and getting the last signature >> get_WidgetProps >> changing the widget information, but it seems it has no effect. In addition, I am not sure if the document is considered changed if I re-open the file and change the WidgetProps.

Thanks.
#34614
Posted: 10/06/2015 05:06:48
by Dmytro Bogatskyy (EldoS Corp.)

Hello,

Quote
---- (1) how to read signature information (such as signer DN, email, CA, etc.) from TElDCAsyncState after the applet submits. I can see the applet shows signature information such as issuer, CN, etc., but I am not sure how to get this outside the applet.

The applet extracts this information from the signer certificate (the selected certificate).
The state (TElDCAsyncState) contains a signature produced by this certificate. For PKCS#7 async sign mode the state contains a PKCS#7 signature that may include the signer certificate (by default). So, to extract the above information you would need to parse the signature from the state object using the TElMessageVerifier class. Another solution is to reload the PDF document after CompleteAsyncOperation() and then extract the signer certificate from the last signature (using the handler.GetSignerCertificate() method).
Quote

---- and (2) then apply changes (such as signing reason, who is signing, name of signer, etc.) to the PDF visible signature (by WidgetProps)? I tried to get the signature after CompleteAsyncOperation by re-opening the PDF file and getting the last signature >> get_WidgetProps >> changing the widget information, but it seems it has no effect. In addition, I am not sure if the document is considered changed if I re-open the file and change the WidgetProps.

You can't modify signature information or widget properties after initiating the async operation, as this information is signed along with the PDF document.
#34615
Posted: 10/06/2015 05:20:12
by Tien Le (Basic support level)
Joined: 08/20/2015
Posts: 13

Quote
So, to extract the above information you would need to parse the signature from the state object using the TElMessageVerifier class. Another solution is to reload the PDF document after CompleteAsyncOperation() and then extract the signer certificate from the last signature (using the handler.GetSignerCertificate() method).

Quote
You can't modify signature information or widget properties after initiating the async operation, as this information is signed along with the PDF document.


So what do I need to do if I want to add signer information (extracted from TElDCAsyncState) to the visible signature (WidgetProps)? Since the process is:
1. init the async operation
2. then load the applet to get the signature information from the USB token / Windows certificate store
3. finally complete the async process

--> The signer information is only available at step 2, so it cannot be inserted into the visible signature?
#34616
Posted: 10/06/2015 05:44:49
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
The signer information is only available at step 2, so it cannot be inserted into the visible signature?

No, it's not possible to insert the signer information at this step. The only possibility to do this is to ask the user to select the certificate prior to starting signing:
1. Ask the user to select certificate.
2. Fill signature widget properties and initiate async operation.
3. Ask the user to confirm the signing operation.
4. Complete async operation.
#34617
Posted: 10/06/2015 05:54:02
by Tien Le (Basic support level)
Joined: 08/20/2015
Posts: 13

Quote
1. Ask the user to select certificate.
2. Fill signature widget properties and initiate async operation.
3. Ask the user to confirm the signing operation.
4. Complete async operation.


Thanks for the reply. So we might need to load the applet twice (for steps 1 and 3). Since I currently cannot access the applet code, I cannot do as you suggest. However, I will confirm with the client that it can be done when the license is purchased, and then we will modify the applet code to meet the display requirement.
#34632
Posted: 10/08/2015 01:08:43
by Tien Le (Basic support level)
Joined: 08/20/2015
Posts: 13

Hello,

Today when testing with IE11 on Windows 7, I got the following error:
Code
Fatal error: Uncaught exception 'SBException' with message 'SecureBlackbox library exception: EElPDFError(Message: 'Bad asynchronous operation state', ErrorCode: 0x000b013b)' in /path-to-files/includes/Class.DCWrapper.php:90 Stack trace: #0 /path-to-files/includes/Class.DCWrapper.php(90): TElPDFDocument->CompleteAsyncOperation(Object(TFileStream), Object(TElDCAsyncState), Object(TElPDFPublicKeySecurityHandler)) #1 /path-to-files/sbb-dc-result.php(71): DCWrapper->FinishSigning('/path-to-files...', '<?xml version="...') #2 {main} thrown in /path-to-files/Class.DCWrapper.php on line 90


It is quite strange, since I can sign without problem in Firefox but not with IE. Is there any problem here?
#34633
Posted: 10/08/2015 01:53:16
by Eugene Mayevski (EldoS Corp.)

For us to better understand the problem with IE, I'd like to ask you to answer all of the questions below:

1) Do you use Java both in Firefox and in IE?
2) Is the problem with IE reproducible all the time for you, or did it happen just once?
3) Is there some simple test case which exposes the issue that you could give us for testing? It's possible that the issue is specific to a certain sequence of calls in your code or some other factor local to you, so a test case which exposes the issue would be great.


Sincerely yours
Eugene Mayevski
#34634
Posted: 10/08/2015 02:06:38
by Tien Le (Basic support level)
Joined: 08/20/2015
Posts: 13

Hello Eugene Mayevski,

Quote
1) Do you use Java both in Firefox and in IE?

--> Yes, I used the Java applet in both Firefox and IE.

Quote
2) Is the problem with IE reproducible all the time for you, or did it happen just once?

--> In the current testing environment, I use a Windows 7 virtual machine with IE 11 and Firefox. The error in IE always happens, while Firefox is always fine.

Quote
3) Is there some simple test case which exposes the issue that you could give us for testing? It's possible that the issue is specific to a certain sequence of calls in your code or some other factor local to you, so a test case which exposes the issue would be great.

--> The code is as follows:
Code
// Open the PDF to be signed; the stream must be read/write so the signature can be written back
$input = new TFileStream($signedfile, TFileMode::fmOpenReadWrite);
$doc = new TElPDFDocument(null); // document object (omitted from the original snippet)
$doc->Open($input);

// Security handler: PKCS#7/SHA-1 signature with the Adobe.PPKMS filter name
$handler = new TElPDFPublicKeySecurityHandler(null);
$handler->set_SignatureType(TSBPDFPublicKeySignatureType::pstPKCS7SHA1);
$handler->HashAlgorithm = SBConstants\SB_ALGORITHM_DGST_SHA1;
$handler->set_CustomName("Adobe.PPKMS");

// Add a visible document-level signature and attach the handler to it
$index = $doc->AddSignature();
$signature = $doc->get_Signatures($index);
$signature->set_SignatureType(TSBPDFSignatureType::stDocument);
$signature->set_Invisible(false);
$signature->set_Handler($handler);
$signature->set_SigningTime(SBUtils\DateTimeNow());

$widget = $signature->get_WidgetProps(); // some other widget setting after that

// Start the async (DC) operation; the returned state is what the applet signs
$state = $doc->InitiateAsyncOperation();
$input->Free();

// Serialize the state as XML and base64-encode it to pass it to the applet
$output = new TElMemoryStream();
$state->SaveToStream($output, new TElDCXMLEncoding());
$output->Position = 0;
$buf = str_repeat(' ', $output->Size);
$output->Read($buf, strlen($buf));
$buf = base64_encode($buf);


Then I put $buf as the data param in the Java applet. The data the user submits after the applet then goes to the PHP file with the following signing code:
Code
// Decode the state returned by the applet and load it back into a TElDCAsyncState
$signature = base64_decode($request_data);
$state = new TElDCAsyncState();
$input = new TElMemoryStream();
$input->Write($signature, strlen($signature));
$input->Position = 0;
$state->LoadFromStream($input, new TElDCXMLEncoding());

// Re-create the document and a handler with the same signature type used at initiation
$doc = new TElPDFDocument(null);
$handler = new TElPDFPublicKeySecurityHandler(null);
$handler->set_SignatureType(TSBPDFPublicKeySignatureType::pstPKCS7SHA1);

// Open the PDF that was prepared in the first step and embed the signature from the state
$file_stream = new TFileStream($fileName, TFileMode::fmOpenReadWrite);
$file_stream->Position = 0;
$doc->CompleteAsyncOperation($file_stream, $state, $handler);
$file_stream->Free();
$doc->Close(true);
#34655
Posted: 10/08/2015 05:43:27
by Dmytro Bogatskyy (EldoS Corp.)

I've moved the question to the helpdesk for investigation ( https://www.eldos.com/helpdesk/ ). You will see your (and only your) support tickets by following this URL. You will also get e-mail notifications about updates related to your support ticket.