9 Replies Latest reply on May 13, 2009 10:57 AM by roggeheflin

    certificate signing and encryption - some changes still allowed...

    roggeheflin

      I am trying to batch certify and encrypt PDFs.  The PDF should only allow the user to print the document; however, after the JS runs the user can still extract pages and copy content; all other permissions are behaving as expected.  Is another property missing that will trigger these misbehaviours to operate properly?

       

      Also how does one use and read the cLegalAttest property?  I have specified this property, but I cannot find the string in the signature panel.

       

      Thank you for your help!

       

       

      var certPath = "/C/Documents and Settings/rrh/Desktop/Sample/";
      var curDoc = this;


      var proCertPW = curDoc.info.cliId;
      var proCertSig = curDoc.info.cliId + ".pfx";


      var proCertFile = curDoc.info.cliId + ".cer";
      var cliCertFile = curDoc.info.cliId + ".cer";


      // Import the two certificates used to build the recipient list below
      var proCert = security.importFromFile({cType:"Certificate", cDIPath:certPath + proCertFile});
      var cliCert = security.importFromFile({cType:"Certificate", cDIPath:certPath + cliCertFile});


      var oEntity = [{certificates:cliCert, defaultEncryptCert:proCert}];


      curDoc.encryptForRecipients(
      {
          oGroups:
          [
              {
                  userEntities: oEntity,
                  permissions:
                  {
                      allowAll: false,
                      allowAccessibility: false,
                      allowContentExtraction: false,
                      allowChanges: "none",
                      allowPrinting: "lowQuality"
                   }
              }
          ],
          bMetaData:true
      });



      // Certify the Document without visible signature
      var f = curDoc.addField({cName:"CertifyDocument", cFieldType:"signature", nPageNum:0, oCoords:[0,0,0,0]});
      f.display = display.hidden;


      var s = {name: "My Company",
               location: "Monte Carlo, Monaco",
               reason: "I created this document specfically for " + curDoc.info.ClientName,
               contactInfo: "contact@MyCompany.com",
               password: proCertPW,
               mdp: "allowNone" };


      var sh = security.getHandler("Adobe.PPKLite");
      sh.login(proCertPW, certPath + proCertSig);
      sh.signInvisible = true;
      sh.signAuthor = true;


      f.signatureSign(
      {
          oSig: sh,
          oInfo: s,
          bUI: false,
          cLegalAttest:"Do not distribute this document."
      });


      sh.logout();

        • 1. Re: certificate signing and encryption - some changes still allowed...
          roggeheflin Level 1

          Also... can the Encryption Algorithm be selected with JS? if so how?

           

          What about setting the "Can be opened by:" property?

          • 2. Re: certificate signing and encryption - some changes still allowed...
            Patrick Leckey Level 3
            Also... can the Encryption Algorithm be selected with JS? if so how?

            No, it cannot.  You would need to write a plug-in in C/C++ for this.

             

            What about setting the "Can be opened by:" property?

            You need to use Doc.encryptForRecipients or an Adobe LiveCycle Rights Management ES server to set this.

            • 3. Re: certificate signing and encryption - some changes still allowed...
              roggeheflin Level 1

              You need to use Doc.encryptForRecipients

              I am.. curDoc.encryptForRecipients... at the top of the code is curdoc = this;

               

              I did not see any method or property in "js_api_reference 8.pdf" that set this property.

               

              (Win XP; Acrobat 9.0 Pro Extended)

              • 4. Re: certificate signing and encryption - some changes still allowed...
                Patrick Leckey Level 3

                Sorry, my fault, typo in my earlier posting.  It should read:

                 

                "You need to use Doc.encryptForRecipients and an Adobe LiveCycle Rights Management ES server to set this."

                 

                You cannot set that property by creating your policy object directly in JS.  It needs to be an LCRM policy that is being set.

                1 person found this helpful
                • 5. Re: certificate signing and encryption - some changes still allowed...
                  roggeheflin Level 1

                  Sounds good.

                   

                  Does your answer also apply to page extraction and copy content settings which need to be disabled?  I also assume that if I made a policy file in Acrobat, I would have to create a policy for each client.

                   

                  What do you know about this cLegalAttest property? I have not been able to find out how to trigger the results in the signature panel. (When I used the word read... this is what I meant, not read the value in code.)

                   

                  Thanks for your quick responses.

                   

                  <Stands on soap box>

                   

                  I would prefer to use LiveCycle, but I have had GREAT difficulty when I was evaluating the software.  Any recommendations?

                  I was using Win Server 2003, IBM WebSphere (eval), SQL Server 2005, Office 2007, Acrobat Pro Extended (Eval).  I could not get LC to convert a Word doc to a PDF, nor could I get any useful workflows or policy to function.

                   

                  <returns to the ground near the soap box>

                  • 6. Re: certificate signing and encryption - some changes still allowed...
                    Patrick Leckey Level 3
                    <Stands on soap box>

                     

                    I would prefer to use LiveCycle, but I have had GREAT difficulty when I was evaluating the software.  Any recommendations?

                    I was using Win Server 2003, IBM WebSphere (eval), SQL Server 2005, Office 2007, Acrobat Pro Extended (Eval).  I could not get LC to convert a Word doc to a PDF, nor could I get any useful workflows or policy to function.

                     

                    <returns to the ground near the soap box>

                    First of all, I've always found it difficult to see my monitor from atop a soap box - much easier to make things work when you're seeing them at ground-level. 

                     

                    Do you still have your LC environment set up?  If you posted the errors you were encountering to the LC Forum I know several of the LC Engineers and Experts would be happy to help you get it working.  That being said, LC is a robust enterprise solution.  It's not designed to be an out-of-the-box application - it requires some serious setup time.  However, once set up, it is truly an amazing product and you'll be amazed at how much time you can save when integrating it into your workflows.

                     

                    To disable Copy Content and Page Extraction you need to set the MDP (Modification Detection and Prevention) properties of your SignatureInfo object appropriately and make sure you are using a certificate for signing that is allowed to perform document certification and not simply document approval.  Set your SignatureInfo.mdp value to "allowNone".  This is the same as doing "Certify with Visible Signature" from the "Sign & Certify" menu as opposed to simply choosing "Sign Document", which will leave copy & extraction allowed as well.  When the document is certified, copy & extraction are disabled.

                     

                    Ok, with cLegalAttest, this also has to do with an MDP certification.  When you apply an MDP signature to certify the document, it is scanned for legal warnings.  If any of these legal warnings are found, the string you supply in cLegalAttest is marked as the reason for accepting those legal warnings and certifying the document anyways.  You can check for any legal warnings yourself beforehand by calling Doc.getLegalWarnings(), the documentation for which also gives a decent definition of what I mean by "legal warnings" when certifying a document (basically, anything in violation of the PDF/SigQ1-A specification for document certification).

                    • 7. Re: certificate signing and encryption - some changes still allowed...
                      roggeheflin Level 1

                      Do you still have your LC environment set up?

                      No...   ran out of time. Where can I find 26-hour days?

                       

                      To disable Copy Content and Page Extraction you need to set the MDP (Modification Detection and Prevention) properties of your SignatureInfo object appropriately and make sure you are using a certificate for signing that is allowed to perform document certification and not simply document approval.  Set your SignatureInfo.mdp value to "allowNone".  This is the same as doing "Certify with Visible Signature" from the "Sign & Certify" menu as opposed to simply choosing "Sign Document", which will leave copy & extraction allowed as well.  When the document is certified, copy & extraction are disabled.

                      I verified my code, and as far as I can tell, MDP is set properly.  I also tested without the encryption, but content copying (both) and page extraction are still allowed.  I double checked the Digital ID (pfx) that I made with Microsoft Certificate Services (via server); it was only for code signing.  I created a "temporary" digital ID through Acrobat and it has permissions for <all>.  The tickmarks for encryption, signing, etc. in security settings were also verified.

                      var strcDIPath = curDoc.path.replace(".pdf", "");
                      
                      var f = curDoc.addField({cName:"CertifyDocument", cFieldType:"signature", nPageNum:0, oCoords:[0,0,0,0]});
                      f.display = display.hidden;
                      
                      var sh = security.getHandler("Adobe.PPKLite");
                      sh.login(solCertPW, certPath + solCertSig);
                      sh.signInvisible = true;
                      sh.signAuthor = true;
                      
                      var s = {name: "My Company",
                               location: "Monte Carlo, Monaco",
                               reason: "This document created specfically for " + curDoc.info.preparedFor + ".",
                               contactInfo: "contact@MyCompany.com",
                               password: solCertPW,
                               mdp: "allowNone"
                               };
                      
                      f.signatureSign(
                      {
                          oSig: sh,
                          oInfo: s,
                          cDIPath: strcDIPath + " (Certified).pdf",
                          bUI: false,
                          cLegalAttest: "Do not distribute this document."
                      });
                      
                      sh.logout()
                      

                       

                      I was able to get the permissions needed by using P/W security then certifying the document.

                       

                      Ok, with cLegalAttest, this also has to do with an MDP certification. When you apply an MDP signature to certify the document, it is scanned for legal warnings.

                       

                      I suppose I have no legal warnings in my document.  Maybe I could use this Godfather reference as a warning (it is work safe)?

                      http://www.foreignpolicy.com/images/090419_horse.jpg

                       

                      Thank you for all your help and consideration.  I have been using "js_api_reference 8.pdf"; does Adobe have a resource other than this document for PDF security and code?  (I also have "acrobat_reader_security_9x.pdf")

                      • 8. Re: certificate signing and excryption - some changes still allowed...
                        Patrick Leckey Level 3

                        The only thing I could suggest is instead of building your SignatureInfo object from scratch, use Field.signatureInfo() to acquire the SignatureInfo object from that specific signature, and then just change the mdp property.  That way you are sure the rest of the properties are correct.

                        • 9. Re: certificate signing and encryption - some changes still allowed...
                          roggeheflin Level 1

                          Patrick:

                          Thanks for your help.  Setting the values differently got the code to function.

                           

                          var proCertPW = "CrazyPassword"
                          var proCertSig = "TESTCERT.pfx";
                          var certPath = "/C/Adobe® Acrobat®/";
                          var curDoc = this;
                          
                          var strcDIPath = curDoc.path.replace(".pdf", "");
                          
                          var f = curDoc.addField({cName:"CertifyDocument", cFieldType:"signature", nPageNum:0, oCoords:[0,0,0,0]});
                          f.display = display.hidden;
                          f.signatureSetSeedValue(
                          {
                              mdp: "allowNone"
                          });
                          
                          if (curDoc.info.ClientNumber != "")
                          {
                              var strPreparedFor = curDoc.info.Client + " (" + curDoc.info.ClientNumber + ")"
                          }
                          else
                          {
                              var strPreparedFor = curDoc.info.Client
                          };
                          
                          var s = (
                          {
                              password: proCertPW
                              , reason: "This document created specifically for " + strPreparedFor + "."
                              , location: "Monte Carlo, Monaco"
                          });
                          
                          var sh = security.getHandler("Adobe.PPKLite", false);
                          sh.login(proCertPW, certPath + proCertSig);
                          sh.signInvisible = true;
                          sh.signAuthor = true;
                          
                          f.signatureSign(
                          {
                              oSig: sh
                              , oInfo: s
                              , cDIPath: strcDIPath + " (Certified).pdf"
                              , bUI: false
                              , cLegalAttest:"This document is proteced by copyright, patents, and contracts with " + strPreparedFor + "."
                          });
                          
                          sh.logout();
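
Added example (not part of the original thread, and not Adobe's code): Acrobat JavaScript helpers for a batch run that check the two things the replies above hinge on, the legal warnings returned by Doc.getLegalWarnings() (reply 6) and whether the finished file really carries a valid certification with the intended mdp value (reply 9). The function names and the SIG_STATUS table are hypothetical; the helpers use only the Doc and Field objects passed in.

```javascript
// Added example; helper names are hypothetical, not from the thread.
// Meaning of the integer returned by Field.signatureValidate().
var SIG_STATUS = {
    "-1": "not a signature field", "0": "blank", "1": "unknown",
    "2": "invalid", "3": "valid, signer not verified",
    "4": "valid, signer verified"
};

// Before certifying: list the warnings a full scan reports.
// getLegalWarnings(true) returns an object of warningName -> occurrence count.
function listLegalWarnings(doc) {
    var w = doc.getLegalWarnings(true);
    var found = [];
    for (var name in w) {
        if (w[name] > 0) found.push({ warning: name, count: w[name] });
    }
    return found;
}

// After certifying: report every signature field, its validation status and
// the MDP setting it was signed with.
function auditSignatures(doc, expectedMdp) {
    var report = [];
    for (var i = 0; i < doc.numFields; i++) {
        var f = doc.getField(doc.getNthFieldName(i));
        if (!f || f.type !== "signature") continue;
        var status = f.signatureValidate();
        var info = status > 0 ? f.signatureInfo() : null;
        var mdp = info ? info.mdp : undefined;
        report.push({
            field: f.name,
            status: SIG_STATUS[String(status)],
            mdp: mdp,
            ok: status >= 3 && mdp === expectedMdp
        });
    }
    return report;
}

// Batch gate: pass only if there is at least one signature and all are ok.
function isCertifiedAs(doc, expectedMdp) {
    var r = auditSignatures(doc, expectedMdp);
    for (var i = 0; i < r.length; i++) {
        if (!r[i].ok) return false;
    }
    return r.length > 0;
}
```

In a batch sequence, call isCertifiedAs(this, "allowNone") on the saved "(Certified).pdf" copy and log the output of auditSignatures() with console.println for any file that fails.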