Digitally sign PDF files

haxier

Hi all

I'm developing an application with some reports and we're looking for
advice. These reports should be openoffice.org .odf files, pdf files,
and perhaps microsoft word files (.doc, .docx?) and must be digitally
signed. Are there any libraries out there to ease these tasks?

* Access to the local user certificate store, and read PEM or PKCS12
certificate files.
* Read, parse and validate user certificates
* Sign documents: as a binary stream, within a specific document
(pdf, odt, doc)

I've been googling and found very little documentation about this --
except some examples using jython and ironpython.

Thanks
 
Hartmut Goebel

Hi,
> I'm developing an application with some reports and we're looking for
> advice. These reports should be openoffice.org .odf files, pdf files,
> and perhaps microsoft word files (.doc, .docx?) and must be digitally
> signed. Are there any libraries out there to ease these tasks?

For signing you can use OpenSSL or the more complete M2crypto modules.
But this is only the crypto part of the task.
> * Access to the local user certificate store, and read PEM or PKCS12
> certificate files.

If the certificate store is just a file, both packages can do this. If
the store is some other format or maybe the Windows registry, some
additional functions are required, but should be easy to implement.
> * Read, parse and validate user certificates

This can be easily done with both.
> * Sign documents: as a binary stream, within a specific document
> (pdf, odt, doc)

This is the hardest part of the task, since the signature has to be
embedded into the document.


--
Schönen Gruß - Regards
Hartmut Goebel

Goebel Consult
Specialist for IT security in complex environments
http://www.goebel-consult.de
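
The embedding step described above, sketched for PDF as an added example that is not part of the original thread: a PDF signature dictionary names the signed bytes in `/ByteRange` and leaves only the `/Contents` hex string outside the digest, so the signature can be written in afterwards. The sample document, the `SLOT` width and all function names are constructed for illustration, and the signing of the digest (the OpenSSL/M2Crypto part) is replaced by placeholder bytes.

```python
import hashlib
import re

SLOT = 32  # hex digits reserved in /Contents (real CMS signatures need thousands)
# Constructed stand-in for a PDF with an empty signature slot; not a complete PDF.
UNSIGNED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0000000000 0000000000 "
            b"0000000000 0000000000] /Contents <" + b"0" * SLOT + b"> >>\nendobj\n%%EOF\n")
BR_RE = re.compile(rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+)\]")
CT_RE = re.compile(rb"/Contents (<[0-9A-Fa-f]*>)")

def fix_byte_range(pdf: bytes) -> bytes:
    """Fill /ByteRange so it covers everything except the <...> hex string."""
    m = CT_RE.search(pdf)
    gap_start, gap_end = m.start(1), m.end(1)
    rng = b"/ByteRange [%010d %010d %010d %010d]" % (0, gap_start, gap_end, len(pdf) - gap_end)
    br = BR_RE.search(pdf)
    return pdf[:br.start()] + rng + pdf[br.end():]  # same width, so offsets stay valid

def byte_range(pdf: bytes):
    return [int(x) for x in BR_RE.search(pdf).groups()]

def signed_digest(pdf: bytes) -> bytes:
    """SHA-256 over the two ranges named by /ByteRange; this is what gets signed."""
    a, b, c, d = byte_range(pdf)
    return hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).digest()

def embed(pdf: bytes, signature: bytes) -> bytes:
    """Write the signature as hex into the reserved slot, zero-padded to its width."""
    m = CT_RE.search(pdf)
    hexsig = signature.hex().encode()
    if len(hexsig) > SLOT:
        raise ValueError("signature larger than reserved slot")
    return pdf[:m.start(1) + 1] + hexsig.ljust(SLOT, b"0") + pdf[m.end(1) - 1:]

def covers_whole_file(pdf: bytes) -> bool:
    """Verifier-side check: the only unsigned bytes are the /Contents string itself."""
    a, b, c, d = byte_range(pdf)
    m = CT_RE.search(pdf)
    return a == 0 and b == m.start(1) and c == m.end(1) and c + d == len(pdf)

if __name__ == "__main__":
    prepared = fix_byte_range(UNSIGNED)
    digest = signed_digest(prepared)           # hand this to the crypto library
    signed = embed(prepared, b"stand-in sig")  # placeholder bytes, not a real signature
    print(signed_digest(signed) == digest, covers_whole_file(signed))
```
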
 
haxier

> For signing you can use OpenSSL or the more complete M2crypto modules.
> But this is only the crypto part of the task.

M2Crypto? I didn't know of it... surely I must check it.

It's a very delicate component (security and reliability are a must)
and I don't know how openssl works in windows environments.

> > * Access to the local user certificate store, and read PEM or PKCS12
> > certificate files.
>
> If the certificate store is just a file, both packages can do this. If
> the store is some other format or maybe the Windows registry, some
> additional functions are required, but should be easy to implement.

Certificates can be both: PKCS12 (.p12) files and under the windows
certificate store.

The best option could be some kind of thin wrapper around windows
CryptoAPI, so access to hardware tokens and smartcard readers should
be easy because under Linux everything seems tied to Mozilla NSS
libraries.

> This is the hardest part of the task, since the signature has to be
> embedded into the document.

OpenOffice.org uses XML DSIG (libxmlsec, libxml2) as stated here[1]
but I can't find more than this[2] implementation/wrapper of libxmlsec

PDF signing... I can't find something like iText for Python... I've
found examples like this[3] based on Jython... perhaps I should look
at jython because java 1.6 has full access to Windows CryptoAPI and
full XML-DSIG support[4]

IronPython could also be an interesting option for obvious reasons and
there's an iText port for .NET

Thanks

[1] http://marketing.openoffice.org/ooocon2004/presentations/friday/timmermann_digital_signatures.pdf
[2] http://xmlsig.sourceforge.net/build.html
[3] http://kelpi.com/script/00cd7c
[4] http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html
 
Hartmut Goebel

haxier said:
> M2Crypto? I didn't know of it... surely I must check it.
>
> It's a very delicate component (security and reliability are a must)
> and I don't know how openssl works in windows environments.

M2crypto is available for windows, too. So I would not expect any
problems here.

> The best option could be some kind of thin wrapper around windows
> CryptoAPI, so access to hardware tokens and smartcard readers should

I'm not a windows guy, so I can't help here.

> be easy because under Linux everything seems tied to Mozilla NSS
> libraries.

Some are using NSS, some OpenSSL. I personally use M2crypto, since the
licence fits me better.

> OpenOffice.org uses XML DSIG (libxmlsec, libxml2) as stated here[1]
> but I can't find more than this[2] implementation/wrapper of libxmlsec

I've not found a useful specification either. Digital signing seems to
become part of ODF 1.2, but I've not found a clear statement on which
files have to be signed nor how.

> PDF signing... I can't find something like iText for Python... I've

iText is overkill for what you need. You only want to sign, not generate
PDF files.

--
Schönen Gruß - Regards
Hartmut Goebel

Goebel Consult
Specialist for IT security in complex environments
http://www.goebel-consult.de
 
John Krukoff

> > For signing you can use OpenSSL or the more complete M2crypto modules.
> > But this is only the crypto part of the task.
>
> M2Crypto? I didn't know of it... surely I must check it.
>
> It's a very delicate component (security and reliability are a must)
> and I don't know how openssl works in windows environments.
>
> > If the certificate store is just a file, both packages can do this. If
> > the store is some other format or maybe the Windows registry, some
> > additional functions are required, but should be easy to implement.
>
> Certificates can be both: PKCS12 (.p12) files and under the windows
> certificate store.
>
> The best option could be some kind of thin wrapper around windows
> CryptoAPI, so access to hardware tokens and smartcard readers should
> be easy because under Linux everything seems tied to Mozilla NSS
> libraries.
>
> > This is the hardest part of the task, since the signature has to be
> > embedded into the document.
>
> OpenOffice.org uses XML DSIG (libxmlsec, libxml2) as stated here[1]
> but I can't find more than this[2] implementation/wrapper of libxmlsec
>
> PDF signing... I can't find something like iText for Python... I've
> found examples like this[3] based on Jython... perhaps I should look
> at jython because java 1.6 has full access to Windows CryptoAPI and
> full XML-DSIG support[4]
>
> IronPython could also be an interesting option for obvious reasons and
> there's an iText port for .NET
>
> Thanks
>
> [1] http://marketing.openoffice.org/ooocon2004/presentations/friday/timmermann_digital_signatures.pdf
> [2] http://xmlsig.sourceforge.net/build.html
> [3] http://kelpi.com/script/00cd7c
> [4] http://java.sun.com/javase/6/docs/technotes/guides/security/xmldsig/XMLDigitalSignature.html

A note on libxmlsec, there are also these python bindings available:
http://pyxmlsec.labs.libre-entreprise.org/index.php?section=examples
 
