Digitally sign MS Office (Word, Excel, etc.) and PDF files on the server

0 votes
asked Jun 8, 2010 by sébastien-nussb

I need to digitally sign MS Office and PDF files that are stored on a server. I really mean a digital signature that is integrated in the document, according to each specific file format.

This is the process I had in mind:

  1. Create a hash of the file's content
  2. Send the hash to a custom-written Java applet in the browser
  3. The user encrypts the hash with his/her private key (on a USB token via PKCS#11 for example), thus effectively signing the file.
  4. The applet then sends the signature to the server
  5. On the server I would then incorporate the signature in the file (MS Office and PDF files can do that without changing the file's content, probably by just setting some metadata field)

What is cool is that you never have to download and upload the complete file to the server again. What is even cooler, the customer doesn't need Office or PDF Writer to sign the files.

Parts 2, 3 and 4 are OK for me, my company bought all the Java technology I need for that for a previous project I worked on.

Problem: I can't seem to find any documentation/examples to do parts 1 and 5 for Office files. Are my Google skills failing me this time?

Do you have any pointers to documentation or examples for doing that for MS Office files? The underlying technology isn't that important to me: I can use Java, .Net, COM, any working technology is OK!

Note: I'm 95% sure I can nail points 1 and 5 for PDF files using iText.

Thanks

Edit: If I can't do that with hashes and must download the complete file to the client, it's also possible. But then I still need the documentation to be able to sign Office files... in Java this time (from an applet)
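
The hash-then-sign split from steps 1 to 4 of the question, as an added example that is not part of the original post and not taken from any product named in the answers. It assumes RSA with PKCS#1 v1.5 padding and SHA-256; the class and method names are hypothetical, a locally generated key pair stands in for the USB token key, and which bytes of an Office or PDF file are covered by the signature is defined by the file format and is not modelled here.

```java
import java.security.*;
import java.util.Arrays;

// Added example: the server hashes, the client signs only the hash, the server verifies.
public class RemoteHashSigning {
    // DER prefix of the PKCS#1 v1.5 DigestInfo structure for SHA-256 (RFC 8017, section 9.2).
    static final byte[] SHA256_DIGEST_INFO = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    // Step 1 (server): hash the bytes that the signature is meant to cover.
    static byte[] serverHash(byte[] bytesToSign) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(bytesToSign);
    }

    // Step 3 (client): sign the received hash. NONEwithRSA pads and signs without
    // hashing, so the DigestInfo prefix has to be prepended by hand.
    static byte[] clientSign(byte[] hash, PrivateKey key) throws GeneralSecurityException {
        if (hash.length != 32) throw new IllegalArgumentException("expected a SHA-256 hash");
        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO, SHA256_DIGEST_INFO.length + hash.length);
        System.arraycopy(hash, 0, digestInfo, SHA256_DIGEST_INFO.length, hash.length);
        Signature signer = Signature.getInstance("NONEwithRSA");
        signer.initSign(key);
        signer.update(digestInfo);
        return signer.sign();
    }

    // Before step 5 (server): check the returned signature against the full content.
    static boolean serverVerify(byte[] bytesToSign, byte[] sig, PublicKey key) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(bytesToSign);
        return verifier.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair user = gen.generateKeyPair(); // constructed key pair, stands in for the token key
        byte[] content = "constructed sample document bytes".getBytes("UTF-8");

        byte[] hash = serverHash(content);                // sent to the client
        byte[] sig = clientSign(hash, user.getPrivate()); // sent back to the server
        System.out.println("valid: " + serverVerify(content, sig, user.getPublic()));
        content[0] ^= 1;                                  // flip one bit of the signed bytes
        System.out.println("after change: " + serverVerify(content, sig, user.getPublic()));
    }
}
```

The server-side verification uses the ordinary `SHA256withRSA` algorithm, so a signature produced from the hash alone is interchangeable with one produced over the full content.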

3 Answers

0 votes
answered Jun 8, 2010 by andreas-d

I see one problem: once you incorporate the signature into the file you immediately change its hash value. So if you take the signature later to verify that the file has not been changed, it will definitely fail.

0 votes
answered Jun 8, 2010 by zz-coder

You should not invent a signature yourself. You can convert files to XML and use XMLDSIG (JSR 105), which is included in Java 6.

http://java.sun.com/javase/7/docs/technotes/guides/security/xmldsig/overview.html

If you can use Open Office file formats like docx, it's already XML so you just need to add the signature.

0 votes
answered Jun 8, 2010 by eugene-mayevski-alli

In general, you can use our SecureBlackbox product to sign Office and PDF files. However, distributed signing like the one in your scenario is not trivial (though possible). We are currently working on an add-on to SecureBlackbox to simplify such distributed operations.

Update: distributed signing functionality is now available and described in detail in this answer.
