gdelugre/origami

External signing and signature embedding

ekzobrain opened this issue · 7 comments

Hello.

We need to sign data with a detached PKCS#7 signature externally (in the web browser) and would like to insert that signature into the PDF document somehow. So the whole scenario would look like this:

  1. Get the signable content from the PDF document (maybe a new method like pdf.get_signable_content)
  2. Sign that content with an external program (in PKCS#7 format)
  3. Insert the signature with some annotation into the source PDF document (maybe a new method like pdf.add_signature).
  4. Steps 1-3 may be repeated several times to add multiple signatures to the same document.

Is it generally possible to implement this?

Thanks in advance.

Hi!

I'm trying to implement something similar. Take a look at the mobmewireless/origami-pdf fork, especially at the prepare_for_sign method.

My problem currently is that I want to sign the whole document and not just the annotation, which the prepare_for_sign method does.

Maybe we could collaborate on this?

Thanks

Yes, we may try!

I see that the fork is based on an old 1.2 Origami version. Did you try to use it as is, or to adapt those changes to the current version?
I am not very familiar with the PDF structure for now, but I looked at the prepare_for_sign() method and it seems to do the same as the sign() method in current Origami, except for replacing the null-terminated signature values with the real one. So it should return not just the annotation, but all contents for signing?
I also noticed that it returns a SHA1 hash, while a PKCS#7 detached signature is computed not from SHA1 but from the raw content, so PKCS#7 detached signatures might be broken there (needs verification).

Hey, I think I have a working prototype! I'm trying to create my own fork, stay tuned.

So my flow looks something like this:

  1. Read the PDF
  2. Call the prepare_for_sign method; however, I think there's an error in the ByteRange calculation in the old one. Mine works a little differently and returns the Base64-encoded PDF without the /Content <>
  3. Have your website sign the Base64 PDF
  4. Put the signature in with the insert_sign method

I thought it was not signing the whole PDF, but that's not true; it's just that their ByteRange calculation is wrong. Other than that, their fork is working!

I suggest that you read this and this. It really helps in understanding the PDF structure. Also, looking at the PDF with a hex editor helped a lot, as did comparing it with the Ruby output.
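The two flows above (the original get_signable_content / add_signature sketch and the prepare_for_sign / insert_sign flow with a corrected ByteRange) come down to the same mechanics, shown here as an added example in plain Ruby with the openssl stdlib. This is not Origami's API or the fork's code: the document is a constructed, minimal PDF-like byte string, and the function names (build_unsigned_document, signable_content, external_sign, embed_signature, verify_signature) and the reserved signature size are assumptions. The point it makes is the ByteRange rule: the signed bytes are everything before the '<' and everything after the '>' of /Contents, the ByteRange itself is written at fixed width before hashing, and the external signer receives the raw content, not a digest.

```ruby
require 'openssl'

# Hex digits reserved for the DER-encoded PKCS#7 blob. Constructed size: a real
# implementation measures a dry-run signature and adds a margin.
SIG_HEX_LEN = 8192
# Fixed-width placeholder so that patching the real offsets later does not
# move a single byte in the file.
RANGE_PLACEHOLDER = '/ByteRange [0000000000 0000000000 0000000000 0000000000]'

# Constructed, minimal PDF-like byte string with a signature dictionary; not a
# fully valid PDF, it only exercises the ByteRange / Contents mechanics.
def build_unsigned_document(body)
  ("%PDF-1.7\n#{body}\n" \
   "1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached " \
   "#{RANGE_PLACEHOLDER} /Contents <#{'0' * SIG_HEX_LEN}> >>\nendobj\n%%EOF\n").b
end

# ByteRange covers everything except the hex string and its '<' '>' delimiters.
def compute_byte_range(pdf)
  start = pdf.index('/Contents <'.b) + '/Contents '.bytesize  # offset of '<'
  stop  = pdf.index('>'.b, start) + 1                          # offset just past '>'
  [0, start, stop, pdf.bytesize - stop]
end

# Write the real offsets into the placeholder without changing its width.
def patch_byte_range(pdf, range)
  text = "/ByteRange [#{range.map { |v| format('%010d', v) }.join(' ')}]"
  raise 'ByteRange placeholder width mismatch' unless text.bytesize == RANGE_PLACEHOLDER.bytesize
  pdf.sub(RANGE_PLACEHOLDER.b, text.b)
end

def parse_byte_range(pdf)
  m = pdf.match(/\/ByteRange \[(\d+) (\d+) (\d+) (\d+)\]/n) or raise 'no /ByteRange found'
  m.captures.map(&:to_i)
end

# Step 1 (get_signable_content): the two windows named by ByteRange, concatenated.
def signable_content(pdf)
  r = parse_byte_range(pdf)
  pdf.byteslice(r[0], r[1]) + pdf.byteslice(r[2], r[3])
end

# Step 2 (external signer): a detached PKCS#7 SignedData over the raw content.
def external_sign(content, cert, key)
  flags = OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
  OpenSSL::PKCS7.sign(cert, key, content, [], flags).to_der
end

# Step 3 (add_signature): hex-encode into the reserved window, zero-padded on
# the right. File length and every offset stay the same, so ByteRange stays valid.
def embed_signature(pdf, der)
  hex = der.unpack1('H*')
  raise "signature needs #{hex.size} hex chars, only #{SIG_HEX_LEN} reserved" if hex.size > SIG_HEX_LEN
  r = parse_byte_range(pdf)
  pdf.byteslice(0, r[1]) + "<#{hex.ljust(SIG_HEX_LEN, '0')}>".b + pdf.byteslice(r[2], r[3])
end

# DER is self-delimiting: read the outer SEQUENCE length to drop the zero padding.
def der_length(bytes)
  first = bytes.getbyte(1)
  return 2 + first if first < 0x80
  n = first & 0x7f
  2 + n + bytes.byteslice(2, n).unpack('C*').inject(0) { |acc, b| (acc << 8) | b }
end

# Verifier side: extract the blob, rebuild the signed content from ByteRange, check.
def verify_signature(pdf, trusted_cert)
  r = parse_byte_range(pdf)
  blob = [pdf.byteslice(r[1] + 1, r[2] - r[1] - 2)].pack('H*')  # strip '<' and '>'
  p7 = OpenSSL::PKCS7.new(blob.byteslice(0, der_length(blob)))
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  p7.verify(nil, store, signable_content(pdf), OpenSSL::PKCS7::BINARY)
end

# Throwaway self-signed signer certificate, constructed for the example.
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Signer')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end
```

Usage follows the numbered flow: build the document, patch the ByteRange, hand signable_content to the signer, embed the DER it returns, then verify_signature against the trusted certificate; changing any byte inside the two ByteRange windows makes the verification fail. For a second signature the PDF is extended by an incremental update, and the new signature's ByteRange covers the whole file as it then exists, including the first signature's bytes, while the first signature still verifies over its own range.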

  1. Did you try to adapt the changes to the latest Origami version? I think it would be the best way, because their version is too old and might contain various other bugs. Also, if we create a new fork from the current version and adapt their changes, we could then make a pull request and Origami's author might participate in development.
  2. Did you also compare their/your ByteRange calculation with the current mainstream implementation?
  3. Do you plan to implement support for multiple signatures?
  4. When do you plan to push some working code to your repo? I would also like to do some experiments...

Hi @soulhunter1987 !

  1. I have successfully implemented my changes in a fork of the newest Origami. You're correct, it's very old and it probably had some bugs. Check it out: https://github.com/moritzgloeckl/origami It's working great for me so far; I have put all the important information in the Readme.
  2. I'm now using the updated Origami ByteRange calculation and it's working perfectly.
  3. Currently no, because we don't need that use case; however, I think it might not be too hard to implement, but I haven't looked into it yet.
  4. It's live 🎉

That's great!

I recently found out that I also need to support PAdES (you also mention it in your README), and also multiple signatures, as I already mentioned. I will try to use your version soon and provide feedback. This will be the big first step forward. Then, I hope, we will collaborate to implement the remaining features.

Let's continue in my fork: moritzgloeckl#1