Add digital signatures to PDF reports using OpenSSL-generated self-si… #612

Open
wants to merge 3 commits into
base: master
Contributor

@Knogle Knogle commented Sep 25, 2024

…gned certificates

--

Add digital signatures to PDF reports using OpenSSL-generated self-signed certificates

  • Implemented digital signing of PDF erasure certificates
    • Generates a self-signed X.509 certificate at runtime using OpenSSL.
    • Signs the generated PDF reports to ensure their authenticity and integrity.
  • Embedded the digital signature within the PDF documents
    • Provides a method to verify that the reports are genuine and have not been tampered with.
  • Enhances security and trustworthiness of the PDF reports
    • Ensures that recipients can validate the source and integrity of the reports.
  • Uses locally trusted PKI for proof of concept
    • While a self-signed certificate is used for demonstration purposes, a certificate from a trusted Certificate Authority (CA) is recommended for production environments.

Due to specific business cases I have implemented a way to verify the PDFs and sign them for compliance purposes.
In the production environment we're using a genuine trustpoint though. We're using a locally generated X.509 PKI here.
Even though it might be of interest, just wanted to place this here if useful :)

@PartialVolume
Collaborator

I've not tested any of this yet but it looks like you add the digital signature as text to the last PDF page. I was just wondering how big the signature was and whether it was small enough to be represented by a barcode or QR code as well as text?

@Knogle
Contributor Author

Knogle commented Oct 9, 2024

> I've not tested any of this yet but it looks like you add the digital signature as text to the last PDF page. I was just wondering how big the signature was and whether it was small enough to be represented by a barcode or QR code as well as text?

Sure, it's possible. Please check which one you prefer, 17858c2 putting the stb_image_write.h dependency into the src folder and keeping it in our repo, or using 8bc0405 by including the external header using a submodule (which is kind of more elegant). The build fails, as the qrencode devel dependency is missing on the CI machine here.

Screenshot from 2024-10-09 21-46-01

@Knogle
Contributor Author

Knogle commented Oct 9, 2024

If one of those two approaches suits you, I'd proceed.
In order to have a proper way to trust the PDFs, we create a .pem and .crt file manually, and include them in the src, or binary directory.

Later on you could take the following steps to ensure it's not tampered or something else.

Yes, it's possible to use a pre-generated key stored in the same directory as the PDF file to sign the PDF. This way, you can use OpenSSL to verify the signature against the pre-generated key, ensuring the integrity and authenticity of the PDF.

Place key.pem and cert.pem in the same directory where the PDF report will be saved.

Verification Process Using OpenSSL:

To verify the signature, follow these steps:

  1. Compute the SHA-1 Hash of the Public Key:

    openssl rsa -in key.pem -pubout -outform DER | openssl sha1

    Ensure that the hash matches the SHA-1 hash included in the PDF.

  2. Verify the Signature:

    Extract the signature from the PDF (assuming it's Base64-encoded and displayed in the PDF). Save it to a file, e.g., signature.b64.

    Decode the Base64 signature:

    base64 -d signature.b64 > signature.bin

    Compute the hash of the PDF file:

    openssl dgst -sha256 -binary pdf_file.pdf > pdf_hash.bin

    Verify the signature:

    openssl pkeyutl -verify -in pdf_hash.bin -sigfile signature.bin -inkey key.pem

    If the signature is valid, OpenSSL will output that the signature verification is successful.

Notes:

  • Key Type: An RSA key is standard and widely supported.
  • Certificate: Although we load the certificate, in this context, it's primarily used to extract the public key if needed.
  • SHA-1 Hash: Including the SHA-1 hash of the public key in the PDF helps verifiers confirm they're using the correct key.

OR

We could include the verification process already, in a function like verify_signature, as part of the process in the program itself. Then we could leave the QR code and the text there, if someone wants to verify it manually by themself.
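
The manual verification flow from the comment above, run end to end with the openssl CLI and a tamper check; this is an added example, not code from the PR. It assumes an RSA PKCS#1 v1.5 signature over the SHA-256 digest of the report, stored detached from the file, and it verifies with the public key taken from cert.pem so the verifier does not need key.pem; the function names, file names and sample report are constructed.

```shell
#!/bin/sh
# Added example (not from the PR). Assumption: the signature is RSA PKCS#1 v1.5
# over the SHA-256 digest of the report bytes and is stored detached from the
# file. File names and the sample report are constructed.

# Throwaway key and self-signed certificate standing in for key.pem / cert.pem.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=report-signer-test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Step 1 of the comment, signer side: SHA-1 of the DER public key from key.pem.
fingerprint_from_key() {
    openssl rsa -in "$1/key.pem" -pubout -outform DER 2>/dev/null | openssl sha1
}

# Same fingerprint, verifier side: derived from cert.pem, no private key needed.
fingerprint_from_cert() {
    openssl x509 -in "$1/cert.pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha1
}

# Signer: hash the report, sign the hash, Base64-encode the signature.
sign_report() {   # $1 = work dir, $2 = report file
    openssl dgst -sha256 -binary "$2" > "$1/pdf_hash.bin" &&
    openssl pkeyutl -sign -inkey "$1/key.pem" -pkeyopt digest:sha256 \
        -in "$1/pdf_hash.bin" -out "$1/signature.bin" &&
    openssl base64 -in "$1/signature.bin" -out "$1/signature.b64"
}

# Verifier: decode the signature, re-hash the report, check against the public key.
verify_report() {   # exit status 0 only if the signature matches the file
    openssl x509 -in "$1/cert.pem" -pubkey -noout > "$1/pub.pem" &&
    openssl base64 -d -in "$1/signature.b64" -out "$1/check_sig.bin" &&
    openssl dgst -sha256 -binary "$2" > "$1/check_hash.bin" &&
    openssl pkeyutl -verify -pubin -inkey "$1/pub.pem" -pkeyopt digest:sha256 \
        -in "$1/check_hash.bin" -sigfile "$1/check_sig.bin" >/dev/null 2>&1
}

work=$(mktemp -d)
printf 'constructed sample erasure report\n' > "$work/report.pdf"
make_test_pki "$work" && sign_report "$work" "$work/report.pdf"
verify_report "$work" "$work/report.pdf" && echo "original: signature valid"
printf 'x' >> "$work/report.pdf"     # simulate tampering after signing
verify_report "$work" "$work/report.pdf" || echo "tampered: signature rejected"
```

The `-pkeyopt digest:sha256` option has to be given on both the sign and the verify side, otherwise the two commands disagree about what was signed.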
