Digital Signature in WordProcessingML - OpenXML Developer - Blog - OpenXML Developer
Digital Signature in WordProcessingML

Article by Sheela E.N, Sonata Software Limited

 

This article explains what a Digital Signature is and how Digital Signature details are stored in the Open XML file format for WordProcessingML.

 

When a document is sent electronically, the recipient needs a way to confirm that the document is authentic and that its content has not been tampered with, that is, to verify its integrity. This can be achieved by applying a Digital Signature to the document.

 

A Digital Signature is an application of asymmetric cryptography that provides, in digital form, the security properties of a handwritten signature. A digital signature scheme consists of two algorithms: one for signing, which uses the signer's secret (private) key, and one for verifying signatures, which uses the signer's public key. The output of the signing process is called the "Digital Signature".

 

The document author appends a Digital Signature to the content of the document, along with a digital certificate if required. The document consumer validates the integrity of the content and the authenticity of the document.

 

The steps to apply a Digital Signature to an Open XML Microsoft Word document are as follows:

 

1. Open Microsoft Word 2007

2. Write some content into it.

3. Save the document

4. Apply a Digital Signature along with a Digital Certificate

   a. Click on the Office Icon (top left corner)

   b. Click the Prepare menu

   c. Click Add a Digital Signature

   d. Give the necessary details along with the digital certificate

5. Close the document

 

When the document package is unzipped, the following parts hold the Digital Signature details:

 

1. Digital Signature Origin Part - origin.sigs (by default)

This is the starting point for the digital signature. The package can include only one Digital Signature Origin part. The file is zero bytes in size and contains no data; the presence of this part indicates that the document is signed.

 

2. Digital Signature XML Signature Part - sig1.xml (by default)

 

This part is linked from the Digital Signature origin part. This contains Digital Signature markup details. A package/document can contain more than one Digital Signature XML part.

 

The reference from the Digital Signature Origin to the Digital Signature XML Signature part is by a relationship ID.

The XML signature contains the following details:

1. The algorithm used for hashing the content

2. The reference element used for the signature

3. The hash algorithm and hashed value

4. Signature value (the digital signature)

5. Key information for encryption and decryption

6. Digital certificate details

7. The hashed value of the content

8. For the selected relationships and parts, the hash algorithm and hashed value

9. Signature property details for the package-specific object

 

A sample signature part is shown below:

 

<Signature Id="idPackageSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    <Reference URI="#idPackageObject" Type="http://www.w3.org/2000/09/xmldsig#Object">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>FivpxBK+PuL1Cw53adbN/5mST+4=</DigestValue>
    </Reference>
    <Reference URI="#idOfficeObject">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <DigestValue>fJ3P4Mvrumn9QYcj6maMDPZp3XU=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MyqnA12bDRHwQ3sHEVBxXyVB2swNhfRz2aM
q6DBgfpKr2UDP2jKBWwjEHGDT23bXubp2W/aeCgmt21UFOnd7S
e+ihug0A712t5tTl97oPY2BePW0kkXcldAP3EawHxSON5SKMIU6w
VTgqUoiy13+DKhFinCF4roM7coq2f/6u6Y=</SignatureValue>
  <KeyInfo>
    <KeyName>L=HO, O=ssl, E=aaa.bbb@some.com, CN=name</KeyName>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>qllw/rXDHU4a+II7knwz2hEY71N6TG9JR
1MDkCuL2jKLU5B+DgRPfTw7PpxGjlvnC194jtGf/hN
XNSpallF5JlGAY+xWL8H3EJFu81EoYLf6+T8BJqKoE
vK59aYQABOYx0GfJ65IKWTUwPDUrPWUnBpyNRNK
twkydcjzujlgXXs=</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
    <X509Data>
      <X509Certificate>MIICODCCAaWgAwIBAgIQVSn8fgtvUY
RJmhbGI4lwfjAJBgUrDgMCHQUAMFYxEjAQBgNVBAMTCXN
oZWVsYS5lbjElMCMGCSqGSIb3DQEJARYWc2hlZWxhLmV
uQFNPTkFUQS5MT0NBTDEMMAoGA1UEChMDc3NsMQswC
QYDVQQHEwJITzAeFw0wNzA5MTIwNDQ0MzlaFw0wODA5
MTExMDQ0MzlaMFYxEjAQBgNVBAMTCXNoZWVsYS5lbjElM
CMGCSqGSIb3DQEJARYWc2hlZWxhLmVuQFNPTkFUQS5MT
0NBTDEMMAoGA1UEChMDc3NsMQswCQYDVQQHEwJITzCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqllw/rXDHU4
a+II7knwz2hEY71N6TG9JR1MDkCuL2jKLU5B+DgRPfTw7Ppx
GjlvnC194jtGf/hNXNSpallF5JlGAY+xWL8H3EJFu81EoYLf6+T
8BJqKoEvK59aYQABOYx0GfJ65IKWTUwPDUrPWUnBpyNRNK
twkydcjzujlgXXsCAwEAAaMPMA0wCwYDVR0PBAQDAgbAMA
kGBSsOAwIdBQADgYEAKxYnX78mRGvqfMpeadE/EhfQ9mLdf
r25RnICs8fKGQQBCG3QmtWzgRJIF7U6Gd44FB9eeZHWP+wh
3NagsMVHdRh37EmFCR4Qz2UnmODlhXaut2C2bhdISSh13Uo
U6/pMsFzQQIXfY+g5I7pYo719/RNVt3tVa48CggcQ/RyjFHs=</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object Id="idPackageObject">
    <Manifest xmlns:opc="http://schemas.openxmlformats.org/package/2006/digital-signature">
      <Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>6r+1JTYqIdwPWIYlSe5X8Qv9KuM=</DigestValue>
      </Reference>
    </Manifest>
    <SignatureProperties>
      <SignatureProperty Id="idSignatureTime" Target="#idPackageSignature">
        <SignatureTime xmlns="http://schemas.openxmlformats.org/package/2006/digital-signature">
          <Format>YYYY-MM-DDThh:mm:ss.sTZD</Format>
          <Value>2007-11-08T12:18:21.9+05:30</Value>
        </SignatureTime>
      </SignatureProperty>
    </SignatureProperties>
  </Object>
  <Object Id="idOfficeObject">
    <SignatureProperty Id="idOfficeV1Details" Target="#idPackageSignature">
      <SignatureInfoV1 xmlns="http://schemas.microsoft.com/office/2006/digsig">
        <ManifestHashAlgorithm>http://www.w3.org/2000/09/xmldsig#sha1</ManifestHashAlgorithm>
      </SignatureInfoV1>
    </SignatureProperty>
  </Object>
</Signature>

 

3. Digital Signature Certificate part

This part contains the X.509 certificate used to validate the signature. The certificate is either embedded within the Digital Signature XML part (as in the <X509Certificate> element in the sample above) or linked from a local or remote certificate store.

 

The Microsoft Word 2007 application signs all parts and relationships within the document, but OOXML offers the flexibility to select which parts and relationships within the document are signed. The <Manifest> element in the above sample lists the part names and relationship names that are signed, along with their digest values.

 

Once the signed document has reached the receiver, the integrity of the content can be checked as follows. Using the public key, the signature is decrypted to recover the hash/digest value of the content. The original content is hashed again and compared with the decrypted value. If the two are the same, the integrity of the content is ensured.

Note: For better user perspective, we have formatted some of the XML element values in the quoted example.
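As an added example, not from the article or from Microsoft Word, the following Python script performs the integrity half of that check on a package laid out as described above: it follows the origin part's relationships to the XML signature part, reads each <Manifest> reference, strips the ?ContentType query to obtain the part name, and recomputes the part's digest for comparison with <DigestValue>. The part paths under _xmlsignatures/ and the relationship type URI are assumptions, and the package it builds is constructed for the demonstration, with no real RSA signature over <SignedInfo>.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
RELS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SIG_REL = "http://schemas.openxmlformats.org/package/2006/relationships/digital-signature/signature"  # assumed OPC rel type
DIGESTS = {"http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1, "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256}

def signature_parts(zf, origin="_xmlsignatures/origin.sigs"):  # origin path is an assumption
    """Follow the origin part's relationships (its .rels file) to each XML signature part."""
    folder, name = origin.rsplit("/", 1)
    rels = ET.fromstring(zf.read(f"{folder}/_rels/{name}.rels"))
    return [f"{folder}/{r.get('Target')}" for r in rels.iter(RELS + "Relationship") if r.get("Type") == SIG_REL]

def check_manifest_digests(docx_bytes):
    """Recompute each <Manifest> part digest: {part: ok}. Checking <SignatureValue> also needs C14N and RSA."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for sig_part in signature_parts(zf):
            sig = ET.fromstring(zf.read(sig_part))
            for ref in (r for m in sig.iter(DSIG + "Manifest") for r in m.findall(DSIG + "Reference")):
                # The URI is the part name plus a ?ContentType= query: strip the query.
                part = urlsplit(ref.get("URI")).path.lstrip("/")
                if ref.find(DSIG + "Transforms") is not None:
                    results[part] = None  # relationship-transform references are not handled here
                    continue
                algo = DIGESTS[ref.find(DSIG + "DigestMethod").get("Algorithm")]
                expected = base64.b64decode(ref.find(DSIG + "DigestValue").text)
                results[part] = algo(zf.read(part)).digest() == expected
    return results

def build_sample(tamper=False):
    """Constructed package (not a real Word file): document part, zero-byte origin, its .rels, sig1.xml."""
    doc = b"<w:document><w:body/></w:document>"
    digest = base64.b64encode(hashlib.sha1(doc).digest()).decode()
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="idPackageSignature"><Object Id="idPackageObject">'
           '<Manifest><Reference URI="/word/document.xml?ContentType=application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml">'
           '<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
           f'<DigestValue>{digest}</DigestValue></Reference></Manifest></Object></Signature>')
    rels = (f'<Relationships xmlns="{RELS[1:-1]}"><Relationship Id="rId1" Type="{SIG_REL}" '
            'Target="sig1.xml"/></Relationships>')
    if tamper:  # edit the part after "signing", so its digest no longer matches the manifest
        doc = doc.replace(b"<w:body/>", b"<w:body><w:p/></w:body>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, data in [("word/document.xml", doc), ("_xmlsignatures/origin.sigs", b""),
                        ("_xmlsignatures/_rels/origin.sigs.rels", rels), ("_xmlsignatures/sig1.xml", sig)]:
            zf.writestr(n, data)
    return buf.getvalue()
```

A mismatch for a part means its bytes changed after signing; a matching manifest still says nothing about who signed until <SignatureValue> is verified against the certificate in <KeyInfo>.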
