I use a ECM that a document is represented by many images (tifs). Each TIF representing a page of the document. The problem is that I need to digitally sign this document. I don't have nothing that represents only the document, so I want to avoid sign page by page.
So I need to group the tifs in a file, extract the byte array of this file, do the digital signature and discard that grouped file to some time later when I generate again to verify, it's good to have the same hash. Can somebody tell me in what way I can do that? What type of file Can I group this tifs?
Related
I am trying to write a DocuSign integration where a customer uploads a PDF file and sends it to a list of signees. The customer should not have to place the right amount of anchors in the document. Instead, a new page (or several pages if necessary) for signatures should be added to the document automatically, with one signature box per signee. I want to avoid modifying the PDF myself. Is there any way DocuSign can do this for me?
The easiest and best way to do this would be to utilize anchor strings, which you've mentioned above that you would rather not do. Normally under these circumstances I'd recommend using a template, however you've indicated that you want the customer to be able to upload the PDF, correct?
The issue there comes down to document dimensions. If you were using a template, the coordinates for a tab would be stored in the template and be applied automatically. If your customer is supplying a PDF, you don't have a guarantee on how small or large the page dimensions will be. IE: An image taken with a Retina display vs. a 6MP camera would be like a Post-It Note vs. a calendar. The remaining option would be to find a standard set of coordinates that would work. For example, when a customer upload a new PDF always have a signature or initial tab applied at x/y: 0,0 so it will always appear at the top left.
Alternatively, what we would normally recommend is that the customer add in a unique identifier like /signer1signature/, then apply the tab via anchor string where it will be applied at every instance, even if it's a single instance hidden on the signature line.
I'm sending a mass email though Emma (3rd party vendor) that will contain a link to a landing page. The landing page will be personalized and display some of the user's identifying info (name, title, email). Additionally, there will be a form collecting a few of the user's preferences that will be saved back to that user's record in Emma's database.
The user ID column in the 3rd party's database is incremental so I obviously can't just append that value through the query string otherwise user 522, for example, would get a link such as www.example.com?landing/?uid=522 allowing him (or anyone with the link)cto take a wild guess at other values for uid (such as 523... or 444) and change other users' preferences as well as view their personal data quite easily.
Bottom line is that I'm trying to find a secure way to pass an ID (or other unique value) that I can look up via API and use to dynamically display and then resubmit personal info/data on this landing page on a user-to-user basis.
I had an idea to add a custom column to my list in Emma for a unique identifier. I would then write a script (accessing Emma's API) to BASE64 Encode the ID (or possibly email address, as that would be unique as well) and add that to the list for each user. In my email, I could then pass that to the landing page in for the form of ?xy=ZGF2ZUBidWRvbmsuY29t, but I know this is encoding and not encrypting so not all that secure... or secure at all for that matter.
To my knowledge, there's no remote risk of anyone receiving the mailing having the ability and/or inclination to know what those extra characters in the link are, BASE64 Decode, BASE64 ENCODE another email address or integer an make a request with the newly BASE64 encoded value in order to manipulate my system in an an unintended way.
BUT for the purpose of this question, I'd like to know the "right" way to do this or what levels of security are currently being taken in similar circumstances. I've read about JWT tokens and some OOth stuff, but I'm not quite sure that's possible given that I've got the Emma API to deal with as well... and/or if that is overkill.
What is appropriate/standard for passing values to a page that are in turn used for a form to be resubmitted along with other user-supplied values when giving the user the ability to submit a "compromised" (intentionally or not) form could, at worst, could cause one of their competitors to have bad preference and opt-in saved data in our Emma mailing list?
Security on the web is all about "acceptable risk". You can reduce risk in various ways, but ultimately there's always some risk exposure you must be willing to accept.
Your very best option would be to force users to be logged-in to view the page, and to avoid using any querystring parameters. That way the backend for the page can pull the ID (or whatever it might need) out of the server's session.
Your next best option still involves forcing the user to be logged in, but leave the uid in the URL -- just be sure to validate that the user has access to the uid (i.e. don't let a user access another user's info).
If you can't do that... then you could create random keys/ids that you store in a database, and use those values (rather than uid or email or real data) in the URL. BUT let's be clear: this isn't secure, as it's technically possible to guess/deduce the scheme.
Absolutely DO NOT try passing the info in the URL as base64 encoded data, that's likely to be the first thing a hacker will figure out.
Keep in mind that any unsecured API that returns PII of any kind will be abused by automated tools... not just a user farting around with your form.
To my knowledge, there's no remote risk of anyone receiving the
mailing having the ability and/or inclination to know
^ That's always always always a bad assumption. Even if the result is at worst something you think is trivial, it opens the door for escalation attacks and literally exposes the company to risks it likely doesn't want to accept.
If you're stuck between bad options, my professional advice is to have a meeting where you record the minutes (either video, or in a document) and have someone with "authority" approve the approach you take.
In case anyone needs a working example, I found this at https://bhoover.com/using-php-openssl_encrypt-openssl_decrypt-encrypt-decrypt-data/. It uses PHP's openssl_encrypt and openssl_decrypt, and it seems to work perfectly for my purposes
<?php
$key = base64_encode(openssl_random_pseudo_bytes(32));
function my_encrypt($data, $key) {
// Remove the base64 encoding from our key
$encryption_key = base64_decode($key);
// Generate an initialization vector
$iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-cbc'));
// Encrypt the data using AES 256 encryption in CBC mode using our encryption key and initialization vector.
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $encryption_key, 0, $iv);
// The $iv is just as important as the key for decrypting, so save it with our encrypted data using a unique separator (::)
return base64_encode($encrypted . '::' . $iv);
}
function my_decrypt($data, $key) {
// Remove the base64 encoding from our key
$encryption_key = base64_decode($key);
// To decrypt, split the encrypted data from our IV - our unique separator used was "::"
list($encrypted_data, $iv) = explode('::', base64_decode($data), 2);
return openssl_decrypt($encrypted_data, 'aes-256-cbc', $encryption_key, 0, $iv);
}
I first ran my_encrypt in a loop to encrypt the uid of each member in the list.
$members[$uid] = array('unique-identifier' => my_encrypt($uid, $key));
Next, through the API, I modified each member's record with the new value.
$ret = update_members_batch($members);
That only had to be done once.
Now in my email, I can pass the uid through the query string like this www.example.com/landing/?UID=<% unique-identifier %>, which will look something like www.example.com/landing/?UID= XXXXX2ovR2xrVmorbjlMMklYd0RNSDNPMUp0dmVLNVBaZmd3TDYyTjBFMjRkejVHRjVkSEhEQmlYaXVIcGxVczo6Dm3HmE3IxGRO1HkLijQTNg==
And in my page, I'll decrypt the query string value and use it via the API to get the email address with something like:
$member_email = get_member(my_decrypt($_GET['UID']))['email'];
and display it in the appropriate location(s) on my page.
I think this covers all my bases, but I am going to have a stakeholder meeting to get sign-off. What potential vulnerabilities does this expose that I should warn them about?
I'm creating an application in which users can create notes that are displayed in a grid. When a note is created, a corresponding text file is also created. When a user opens the application, the application reads the directory of note files, retrieves the content of each note file, and then displays it in the grid.
The idea is to make the grid of notes rearrangeable via drag-and-drop.
I've never done anything this before, so I'm struggling to devise an efficient way to cache or remember the order in which the user has arranged the notes. I thought of storing the position of each note in the filename itself.
1_note3.txt
2_note7.txt
3_note4.txt
4_note2.txt
5_note6.txt
6_note8.txt
7_note5.txt
8_note1.txt
This doesn't seem like a good approach since, anytime the the notes are rearranged, I'll have to rename a bunch of the files. For example, say the user creates a new note — which would be inserted as the first child of the grid for the sake of user experience — all of the filenames would have to be renamed.
1_note9.txt
2_note3.txt
3_note7.txt
4_note4.txt
5_note2.txt
6_note6.txt
7_note8.txt
8_note5.txt
9_note1.txt
Further, say a user now rearranges the notes by moving the first note to the fourth position in the top row. I'd now have to rename that file and all of the following files.
2_note3.txt
3_note7.txt
4_note4.txt
5_note9.txt
6_note2.txt
7_note6.txt
8_note8.txt
9_note5.txt
10_note1.txt
I could also store the order or arrangement in a separate file, and exclusively manipulate the content of this file instead of the actual filenames.
arrangement.txt
note3.txt
note7.txt
note4.txt
...
Although this may be superior to the last approach, it also doesn't seem that great since there is still additional overhead. For instance, when the application is launched, I'll first have to read that file in order to obtain the user arrangement before sorting files accordingly.
Does anybody have any experience implementing something like this? Is there a better way to go about it?
You may like to maintain state of your note grid in a key-value map data structure. you can cache this map in-memory or persist it in a separate file. This key-value map will store note grid data where "Key" will have position order in the grid and "Value" will have name of the corresponding text file. In case notes are rearranged you only need to update value of two keys.
I am using the rest API calling the envelope.Create() passing in a List of Byte arrays and filenames.
How can I retrieve each individual document separately after the signing ceremony?
The GetCompletedDocument sends me back the whole thing in one PDF. GetEnvelopeDocumentInfo just gets me names and URIs.
Using /restapi/v2
https://docs.docusign.com/esign/restapi/Envelopes/EnvelopeDocuments/get/
That should give you an idea of how to grab individual documents.
I am sending documents for signature from salesforce using DocuSign. I am having an issue with aligning the tag - \s1\, \t1\, \d1\ on the document.
My understanding is Docusign will replace tags automatically for specific signers to sign. But they are off by few pixels and come over the line marked in the document.
could anyone tell me how i could configure sure that the user don't enter details over the line on the document but above the line.
Thanks in advance for the response.
Getting proper tag placement with anchor text usually takes some trial and error -- i.e., testing DocuSign tag placement based upon various positions of the anchor text strings (\s1\,\t1\, \d1\, etc.) that you put in your document(s).
One tip: If you're creating your documents (i.e., adding the anchor text strings) with Word or something similar, putting each anchor text string inside a textbox (with no textbox borders) is a good way to give you more finite control over tag placement -- because you can move the textbox wherever you want to, regardless of where underlying text exists in the document. For example, here's a screenshot from Word where I've added an **\s1** tag inside a textbox, and placed it precisely where I want it over the signature line:
If I sent this document through DocuSign and thought the Signature tag was placed lower than I wanted it to be, I'd just edit the document to move the textbox up a few pixels (without affecting the signature line placement itself), and then re-test.