Digitally sign MS Office (Word, Excel, etc..) and PDF files on the server

I need to digitally sign MS Office and PDF files that are stored on a server. I really mean a digital signature that is integrated in the document, according to each specific file formats.

This is the process I had in mind :

Create a hash of the file's content
Send the hash to a custom written java applet in the browser
The user encrypts the hash with his/her private key (on an usb token via PKCS#11 for example), thus effectively signing the file.
The applet then sends the signature to the server
On the server I would then incorporate the signature in the file's (MS Office and PDF files can do that without changing the file's content, probably by just setting some metadata field)

What is cool is that you never have to download and upload the complete file to the server again. What is even cooler, the customer doesn't need Office or PDF Writer to sign the files.

Parts 2, 3 and 4 are OK for me, my company bought all the JAVA technology I need for that for a previous project I worked on.

Problem : I can't seem to find any documentation/examples to do parts 1 and 5 for Office files . Are my google skills failing me this time ?

Do you have any pointers to documentation or examples for doing that for MS Office files ? The underlying technology isn't that important to me : I can use Java, .Net, COM, any working technology is OK !

Note : I'm 95% sure I can nail points 1 and 5 for PDF files using iText

Thanks

** Edit : If I can't do that with hashes and must download the complete file to the client, it's also possible. But then I still need the documentation to be able to sign Office file... in java this time (from an applet)

I agree, but the PDF and Office formats handle this issue. This is how I think it's done : each file is an enveloppe containing the actual content of the PDF/Ofice file + some metadata. When you sign the file, you sign the content, and then you store the signature in the metadata. The file has changed, but not the content. When Acrobat or Office then opens the file it checks whether the content and the signature stored in the metadata match.Exemple of this kind of signing for PDF files : http://itextpdf.sourceforge.net/howtosign.html#howtosign

Sébastien Nussbaumer 2010-06-08 13:51:53

Ah, so you don't want to hash the 'file' but the file's 'content', like the text in a word document...?

Andreas_D 2010-06-08 13:55:00

right, but not only the text but also the pictures and everything...I'll try to make my original question a bit clearer

Sébastien Nussbaumer 2010-06-08 13:55:54

There's nothing to invent here - all office file formats (old MS Office, OOXML and OpenOffice ODF) support signing, and so does PDF specification. Everything is documented and standard.

Eugene Mayevski 'EldoS Corp 2010-06-08 18:32:31

Thanks for the link. I will look into that.

Sébastien Nussbaumer 2010-06-10 12:04:28

Question ; will your add-on support PKCS#11 token for signing (with no specific configuration for each token : I have to support a ton of different tokens : Gemplus, Oberthur, ...) ?

Sébastien Nussbaumer 2010-06-10 12:07:17

Actually, signing with certificates and private keys stored on cryptographic hardware is available now (either via CryptoAPI or via PKCS#11 interface). So the only missing piece that is in the work now is an add-on for simplifying distributed signing.

Eugene Mayevski 'EldoS Corp 2010-06-11 06:26:56

ansaurus

tags:

views:

answers:

Digitally sign MS Office (Word, Excel, etc..) and PDF files on the server

related questions