1

I need to digitally sign MS Office and PDF files that are stored on a server. I really mean a digital signature that is integrated in the document, according to each specific file formats.

This is the process I had in mind :

  1. Create a hash of the file's content
  2. Send the hash to a custom written java applet in the browser
  3. The user encrypts the hash with his/her private key (on an usb token via PKCS#11 for example), thus effectively signing the file.
  4. The applet then sends the signature to the server
  5. On the server I would then incorporate the signature in the file's (MS Office and PDF files can do that without changing the file's content, probably by just setting some metadata field)

What is cool is that you never have to download and upload the complete file to the server again. What is even cooler, the customer doesn't need Office or PDF Writer to sign the files.

Parts 2, 3 and 4 are OK for me, my company bought all the JAVA technology I need for that for a previous project I worked on.

Problem : I can't seem to find any documentation/examples to do parts 1 and 5 for Office files . Are my google skills failing me this time ?

Do you have any pointers to documentation or examples for doing that for MS Office files ? The underlying technology isn't that important to me : I can use Java, .Net, COM, any working technology is OK !

Note : I'm 95% sure I can nail points 1 and 5 for PDF files using iText

Thanks

** Edit : If I can't do that with hashes and must download the complete file to the client, it's also possible. But then I still need the documentation to be able to sign Office file... in java this time (from an applet)

Sébastien Nussbaumer
  • 6,202
  • 5
  • 40
  • 58
  • 1
    You're 95% sure... be 100% sure, we have developed a solution that does exactly that for PDF files using iText – Carles Barrobés Dec 20 '10 at 10:17
  • Carles : do you have a link to a product ? – Sébastien Nussbaumer Jan 03 '11 at 11:20
  • Hi Sébastien, Did you find a good solution for your problem? I have currently the same challenge you had. I would appreciate very much if you share your experience. Thks in advance, José –  Mar 04 '11 at 18:30
  • @José : Sorry but I found no good solution for the moment. Carles proposed a solution but I couldn't find the product, too bad ! You could try contacting him, see if you have more luck than I did :-) The project I was working on has been postponed for the moment, I was just in the "reseach" part, that's why I didn't try harder. Good luck – Sébastien Nussbaumer Mar 07 '11 at 11:24

3 Answers3

1

In general, you can use our SecureBlackbox product to sign Office and PDF files. However, distributed signing like the one in your scenario is not trivial (though possible). We are currently working on an add-on to SecureBlackbox to simplify such distributed operations.

Update: distributed signing functionality is now available and described in details in this answer.

Community
  • 1
  • 1
Eugene Mayevski 'Callback
  • 45,135
  • 8
  • 71
  • 121
  • Question ; will your add-on support PKCS#11 token for signing (with no specific configuration for each token : I have to support a ton of different tokens : Gemplus, Oberthur, ...) ? – Sébastien Nussbaumer Jun 10 '10 at 12:07
  • Actually, signing with certificates and private keys stored on cryptographic hardware is available now (either via CryptoAPI or via PKCS#11 interface). So the only missing piece that is in the work now is an add-on for simplifying distributed signing. – Eugene Mayevski 'Callback Jun 11 '10 at 06:26
0

I see one problem: once you incorporate the signature into the file you immediatly change it's hash value. So if you take the signature later to verify that the file has not been changed, it will definitly fail.

Andreas Dolk
  • 113,398
  • 19
  • 180
  • 268
  • I agree, but the PDF and Office formats handle this issue. This is how I think it's done : each file is an enveloppe containing the actual content of the PDF/Ofice file + some metadata. When you sign the file, you sign the content, and then you store the signature in the metadata. The file has changed, but not the content. When Acrobat or Office then opens the file it checks whether the content and the signature stored in the metadata match. Exemple of this kind of signing for PDF files : http://itextpdf.sourceforge.net/howtosign.html#howtosign – Sébastien Nussbaumer Jun 08 '10 at 13:51
  • Ah, so you don't want to hash the 'file' but the file's 'content', like the text in a word document...? – Andreas Dolk Jun 08 '10 at 13:55
  • right, but not only the text but also the pictures and everything... I'll try to make my original question a bit clearer – Sébastien Nussbaumer Jun 08 '10 at 13:55
-1

You should not invent signature yourself. You can convert files to XML and use XMLDSIG (JSR 105), which is included in Java 6.

http://java.sun.com/javase/7/docs/technotes/guides/security/xmldsig/overview.html

If you can use Open Office file formats like docx, it's already XML so you just need to add signature.

ZZ Coder
  • 74,484
  • 29
  • 137
  • 169
  • 1
    There's nothing to invent here - all office file formats (old MS Office, OOXML and OpenOffice ODF) support signing, and so does PDF specification. Everything is documented and standard. – Eugene Mayevski 'Callback Jun 08 '10 at 18:32