2021 September Release

Technical DetailsPermanent link for this heading

In this chapter, you can find technical details about how the digital signature within the Fabasoft Business Process Cloud is applied to stored documents.

File FormatPermanent link for this heading

The Fabasoft Business Process Cloud can automatically convert a huge number of native file formats (e.g. Microsoft Office documents) to PDF. Whenever you trigger the digital signature of a document inside the Fabasoft Business Process Cloud (either via the corresponding context menu entry or its related activity work item), the PDF representation of the document is finalized. This means that the properties of the Fabasoft Business Process Cloud object holding the document are set so that the document cannot be changed any further and its document is converted to PDF/A. Details related to the PDF file format can be found in the corresponding specifications PDF 1.7 (ISO-32000-1:2008) and PDF 2.0 (ISO-32000-2:2017).

Digital SignaturePermanent link for this heading

Digital signatures applied to documents within the Fabasoft Business Process Cloud follow the specifications defined within the PAdES standard (ETSI EN 319 142 PAdES digital signatures) published by the ETSI (European Telecommunication Standards Institute).

In preparation to apply the signature to the document, a so-called visual signature stream (a special PDF data structure that contains the visual representation of the digital signature) is prepared. The stream is assembled from the applied text fields (like signatory’s name, location, date, and free text fields), the image of the selected visual signature, or the selected stamp. The signature reason string will be assembled from the remark (if provided), the name of the user, the name of the organization, the login e-mail address, and the signatory identification. The signature location will be set to “Fabasoft Cloud” and the signature time will be set to the current time of the server.

Next, an SHA512 digest of the underlying PDF/A compatible document, including the signature streams with the visual signatures, the signature reason, the signature location and signature time, is calculated.

This SHA512 digest is securely sent to Fabasoft Secomo. The current Fabasoft Business Process Cloud user context is passed to Fabasoft Secomo by means of a signed JSON Web Token (JWT) that includes the login e-mail address and the Fabasoft Cloud ID of the current user, the Fabasoft Cloud ID of the signed object, and optionally the Fabasoft Cloud ID of the organization that provides the signing certificate.

Fabasoft Secomo calculates signatures according the Crypographic Message Syntax (CMS) standard (IETF RFC 5652) and the CAdES standard (ETSI EN 319 122 CAdES digital signatures) based on the given digest and the corresponding private key of the signing certificate which is secured within Fabasoft Secomo by a hardware security module (HSM) that meets the requirements of FIPS 140-2 Level 4 physical security certification. The signature algorithm RSA-4096 is used for the signature. Fabasoft Secomo will also add the identification data from the JWT to the signed CMS structure (i.e. the login e-mail address and the Fabasoft Cloud ID of the current user, the Fabasoft Cloud ID of the signed object, and optionally the Fabasoft Cloud ID of the organization that provides the signing certificate).

Afterwards, the DER-encoded signature data is returned and embedded in the PDF document according to the PAdES standard to keep the source document unchanged.

Due to this “Envelop Embedding Approach“ multiple Fabasoft Secomo signatures can be applied, one after the other. All the preceding signatures are part of the base document for the next signature. This means that each individual signature envelopes the entire base document without changing it.

Keeping the original document unchanged is a key requirement to validate signatures at a later time.

If more than one signature is applied in the same step, every signature image (visual signature or stamp) triggers a separate signature as if they were done sequentially.

Checking the Signatory IdentificationPermanent link for this heading

If you want to check the signatory identification, retrieve the Fabasoft Cloud ID from the user object you want to check, and calculate the SHA256 hash from it. For example, you can use the open source software OpenSSL to do so:

echo -n "COO.6505.100.1.15" | openssl dgst -sha256

Checking the CMS StructurePermanent link for this heading

The signature reason will be displayed in appropriate PDF viewers. However, under normal circumstances, PDF viewers do not show the data encoded in the CMS structure. Here are some tools that will allow you to analyze the CMS structure, too.

  1. You need a tool that will give you access to the CMS structure in the PDF document. You may use the open source software PDFBox (https://pdfbox.apache.org/download.html) for that.
    java -jar pdfbox-app-<version>.jar PDFDebugger
  2. Open the PDF file and choose “View” > “Show Internal Structure”.
  3. You should find the signature content under “Root” > “AcroForm” > “Fields” > [index] > “V” > “Contents”.
  4. Copy the hexadecimal content to a file and convert it to binary format.
    xxd -r -p signature.hex signature.bin
  5. Display the CMS structure with OpenSSL.
    openssl cms -in signature.bin -inform DER -cmsout -print

Note:

  • The additional identification data is stored in the attribute signer-attributes-v2 (OID 0.4.0.19122.1.1, defined by ETSI in the CAdES Standard).
  • The attribute with OID 1.3.6.1.4.1.17100.2.6 contains the “Domain ID” of the Fabasoft Cloud location.
  • The attribute emailAddress contains the login e-mail address of the signatory.
  • The attribute with OID 1.3.6.1.4.1.17100.2.5 contains the Fabasoft Cloud ID of the user object representing the signatory.
  • The attribute with OID 1.3.6.1.4.1.17100.2.1 contains the Fabasoft Cloud ID of the organization object that provides the signing certificate. If the default certificate was used for signing, the attribute is empty.
  • The attribute with OID 1.3.6.1.4.1.17100.2.4 contains the Fabasoft Cloud ID of the signed document.

RestrictionsPermanent link for this heading

Since the Fabasoft Business Process Cloud does not use personalized certificates by default, the name of the signatory, the organization, the login e-mail address, and the signatory identification are set in the signature reason property (optionally textually combined with the user entered remark) of the PDF signature options when signing the document. In addition, the CMS signature structure also contains the login e-mail address and the unique Fabasoft Cloud ID of the user object that applied the signature. This helps to ascertain which user applied the signature although there is no binding of a person to one specific and personally issued certificate.

The time of the signature will be retrieved from the server of the Fabasoft Business Process Cloud. A timestamp service is not used. The applied signature does not allow long-term validation (LTV). In order to validate the signature successfully, Internet access is required to load the revocation information from the certificate authority.