tags:

views:

290

answers:

1
+1  Q: 

Digitally sign pdfs

My company has a web document management application and I have been assigned to find a way to sign pdf files with the user digital certificate.

The pdfs can go from a few kb to over 100Mb, this is over the internet so the signature must take place at the web server.

In order to do this i have built an activeX control that asks the user to choose the certificate, then uploads it to a webpage using WebClient.UploadData sending the certificate as a byte array.

On the web page when i'm trying to sign the pdf document i am getting an error "Key does not exist". This comes to no surprise to me because when i was using the certificate directly over an https connection after i choose the proper certificate i would be prompt for the key. This is not happening with the activeX.

This is how i'm getting the certificate from the user:

private static X509Certificate2 PickCertificate()
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            try
            {
                store.Open(OpenFlags.ReadOnly);

                // pick a certificate from the store
                X509Certificate2 cert = X509Certificate2UI.SelectFromCollection(store.Certificates, "Title", "Message", X509SelectionFlag.SingleSelection)[0];

                // show certificate details dialog
                X509Certificate2UI.DisplayCertificate(cert);
                store.Close();
                return cert;
            }
            finally { store.Close(); }
        }

How can I ask the user to provide the key i am missing?

+4  A: 

You want the user to upload their certificate's private key to the webserver so that it may sign PDFs? If so, that's fundamentally broken from a security perspective.

I think you may have missed the point that public certificate != private key. (Most of us are sloppy and use the word "certificate" to refer to either (or both) of those things, so that's not entirely suprising). Going from memory, the CryptoAPI only has a select set of methods that will allow you to access the key. There must be an "export as PFX" method amongst those, so you could make your design work if you really, really wanted to, but there's no way I'd recommend this. (Risk of sending private keys to webserver, broken non-repudiation, etc etc).

If you really must do the signing on the server [I don't really understand your argument, signature should not add much data to the upload], then you should probably consider a multi-tiered architecture, and a key escrow mechanism. This way you can at least minimize some of the security concerns (but you'll still lose non-repudiation... and introduce other risks. No free lunch here).

So... you probably need to consider re-architecting your application so that PDF signature occurs on the client (in your ActiveX control), before the PDF file is uploaded. I imagine you will need a 3rd-party library for the signature step as discussed in this SO thread.

Martin Carpenter  2009-01-07 12:17:56
The previous version to sign pdfs worked on the client side. This is a problem when you want to sign a 100Mb document because you would have to upload it through the web. Just imagine how lont it would take on a 15kb/second upload connection...
Sergio  2009-01-07 12:23:30
download/sign/upload? I see. Then you either will need to send the keyfile up to the server, which is dangerous, or implement an escrow system (which will take work and may not even be possible depending on your target audience). Legal (liability) implications in either scenario.
Martin Carpenter  2009-01-07 12:36:23
I am getting the certificate from a smartcard. Do you have any ideia on how i can get the key?
Sergio  2009-01-07 14:45:31
You're probably out of luck in this case. Inaccessibility of the private key is one of the design criteria.
Martin Carpenter  2009-01-19 21:41:14

related questions

In C#, sign an xml with a x.509 certificate and check the signature
Only Allow applications digitally signed to access wcf service.
http post + digital certificate required.
smime C# encrypted emails with attchments
Extracting private key from .cer to .pem with openssl
Find out when a user's certificate is going to expire
X.509 Digital Signatures printed
Invalid Digital Certificate
SSL and Client Certificates
how to check if a file has a digital signature
How do I programmatically remove a certificate in Trusted Root Certification Authorities?
Client Certs on IIS - not sure I get it - experiences please ?
Standardized approach to digital signatures of files via .NET
How to force ie to ask for digital certificate
X.509 v3 certificate with non-repudiation and/or digital signature? Where can I get one?
m_safeCertContext is an invalid handle
Digital signature in PDF
Get Client certificate with activeX
Digital Certificate: How to import .cer file in to .truststore file using?
What is the best cross-browser solution for browser based document signing (w/ digital signature)?
Are CAs allowed to modify CSRs before signing?
How to decode a CSR File?
What's the difference between rapidSSL and geotrust certificates?
Reinstalling/ un-revoking digital certificate