Add digital signatures to PDF reports using OpenSSL-generated self-si… #612
Conversation
…gned certificates -- **Add digital signatures to PDF reports using OpenSSL-generated self-signed certificates** - **Implemented digital signing of PDF erasure certificates** - Generates a self-signed X.509 certificate at runtime using OpenSSL. - Signs the generated PDF reports to ensure their authenticity and integrity. - **Embedded the digital signature within the PDF documents** - Provides a method to verify that the reports are genuine and have not been tampered with. - **Enhances security and trustworthiness of the PDF reports** - Ensures that recipients can validate the source and integrity of the reports. - **Uses locally trusted PKI for proof of concept** - While a self-signed certificate is used for demonstration purposes, a certificate from a trusted Certificate Authority (CA) is recommended for production environments.
|
I've not tested any of this yet but it looks like you add the digital signature as text to the last PDF page. I was just wondering how big the signature was and whether it was small enough to be represented by a barcode or QR code as well as text? |
Sure, it's possible. Please check which one you prefer, 17858c2 putting the stb_image_write.h dependency into the src folder and keeping it in our repo, or using 8bc0405 by including the external header using a submodule (which is kind of more elegant). The build fails, as the qrencode devel dependency is missing on the CI machine here.
|
|
If one ot those two approaches suits you, i'd proceed. Later on you could take the following steps to ensure it's not tampered or something else. Yes, it's possible to use a pre-generated key stored in the same directory as the PDF file to sign the PDF. This way, you can use OpenSSL to verify the signature against the pre-generated key, ensuring the integrity and authenticity of the PDF. Place Verification Process Using OpenSSL: To verify the signature, follow these steps:
Notes:
OR We could include the verification process already, in a function like verify_signature, as part of the process in the program itself. Then we could leave the QR code and the text there, if someone want's to verify it manually by themself. |
|
@Knogle @PartialVolume does anybody of you know if self signed is enough or if a valid cert at moment of signature is needed? |
|
Isn't SHA-1 deprecated for years? Collision attacks and what not... |
You are right, i will make a minor adjustment and push it to SHA-3 or SHA-256 |
Depends on what we wan't to go for, maybe we can discuss this. |
Length adjustment vulnerability. |
Yes, I'd love to find the time to finish up the technical comparison of the wiping standards. |
…gned certificates
--
Add digital signatures to PDF reports using OpenSSL-generated self-signed certificates
Due to specific business cases i have implemented a way to verify the PDFs and sign them for compliance purposes.
In the production enviroment we're using a genuine trustpoint though. We're using a locally generated X.509 PKI here.
Even though it might be of interested, just wanted to place this here if useful :)