The digital signature can be used to validate the document content and the identity of the signer. (You can find more at http://en.wikipedia.org/wiki/Digital_signature). XFRX implements the "MDP (modification detection and prevention) signature" based on the PDF specification version 1.7, published in November 2006.
The signing algorithm in XFRX computes the encrypted document digest and places it, together with the user certificate, into the PDF document. When the PDF document is opened, Adobe Acrobat (Reader) validates the digest to make sure the document has not been changed since it was signed. It also checks whether the certificate is a trusted one and complains if it is not. The signature dictionary inside the PDF can also contain additional information and user rights - see below.
At this moment XFRX supports invisible signatures only (Acrobat will show the signature information, but there is no visual element on the document itself linking to the digital signature). We will support visible signatures in future versions.
In the current version, XFRX uses the CMS/PKCS #7 detached message signature algorithm in the .NET Framework to calculate the digest, which means .NET Framework 2.0 or newer is required. The actual process is run via an external exe, "xfrx.sign.net.exe", which is executed during the report conversion process. In the future, we could alternatively use the OpenSSL library instead - please let us know which option you prefer.
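The digest check described above, as an added example (not XFRX code): per the PDF 1.7 specification, a detached signature covers the two spans listed in the signature dictionary's /ByteRange, leaving out only the /Contents value that holds the CMS blob. The function names, the toy document and the choice of SHA-256 are assumptions; CMS and certificate validation are not performed here.

```python
import hashlib
import re

# /ByteRange [off1 len1 off2 len2]: the two spans the digest is computed over.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_ranges(pdf: bytes):
    """Return ((off1, len1), (off2, len2)) from the first signature dictionary."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry found")
    o1, l1, o2, l2 = (int(g) for g in m.groups())
    if o1 + l1 > o2 or o2 + l2 > len(pdf):
        raise ValueError("byte ranges overlap or exceed the file")
    return (o1, l1), (o2, l2)

def signed_digest(pdf: bytes) -> str:
    """Hash exactly the bytes the signature covers (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for off, length in signed_ranges(pdf):
        h.update(pdf[off:off + length])
    return h.hexdigest()

def covers_whole_file(pdf: bytes) -> bool:
    """True when only the <hex> /Contents value lies outside the signed spans."""
    (o1, l1), (o2, l2) = signed_ranges(pdf)
    hole = pdf[o1 + l1:o2]
    return (o1 == 0 and o2 + l2 == len(pdf)
            and hole.startswith(b"<") and hole.endswith(b">"))

def build_sample() -> bytes:
    """Constructed toy file with a signature dictionary; not a complete PDF."""
    pre = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    post = b"] /Contents "
    hole = b"<" + b"00" * 32 + b">"          # placeholder for the CMS blob
    tail = b" >>\nendobj\n2 0 obj\n(Invoice total: 100)\nendobj\n%%EOF\n"
    start = len(pre) + 43 + len(post)        # 43 = width of the padded numbers
    rng = b"%010d %010d %010d %010d" % (0, start, start + len(hole), len(tail))
    return pre + rng + post + hole + tail

if __name__ == "__main__":
    pdf = build_sample()
    edited = pdf.replace(b"total: 100", b"total: 900")
    print("digest at signing time:", signed_digest(pdf))
    print("digest after an edit:  ", signed_digest(edited))
    print("ranges cover the file: ", covers_whole_file(pdf))
```

Bytes appended after the second range leave the digest unchanged, which is why the coverage check is kept separate from the digest comparison.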
The demo application that is bundled with the package (demo.scx/demo9.scx) contains a testing self-signed certificate file (TestEqeus.pfx) and a sample that creates a signed PDF using the pfx. Please note that Acrobat will confirm the file has not changed since it was signed, but it will complain that the certificate is not trusted - you would either need to add the certificate as a trusted one or use a real certificate from a certification authority (such as VeriSign).
Your feedback is very important to us. Please let us know if you find this feature useful and what features you're missing.