
SealSign BSS (Biometric Signature Services) Integration Guide for Metro Applications

ElevenPaths, radical and disruptive innovation in security solutions


V.3.2 – October 2016

2016 © Telefónica Digital España, S.L.U. All rights reserved. Page 2 of 15

TABLE OF CONTENTS

1 Introduction
2 Common Tasks
2.1 Including Web Service References
2.2 Including the SealSignBSSClientLibrary Client
2.3 Authentication of Calls to Web Services
2.3.1 Credentials Transfer for Basic Authentication
2.3.2 Credentials Transfer for Windows Authentication
3 Use Cases
3.1 Biometric Signature
3.1.1 Including the Handwritten Signature Capture Panel
3.1.2 Deleting the Capture
3.1.3 Beginning the Signature
3.1.4 Client Cryptography
3.1.5 Ending the Signature
3.2 Verifying Signed Documents
3.3 Biometric Signature with Document Provider (Document on Server)
3.3.1 Beginning the Signature
3.3.2 Cryptography in Client
3.3.3 Ending the Signature
3.1 Integrating BioSigner for Metro
4 Resources


1 Introduction

SealSign BSS (Digital Signature Services) is a product designed to facilitate the integration of the electronic signature with corporate applications. SealSign BSS exposes its functionality through Web services based on WCF (Windows Communication Framework) technology. These services can be invoked by applications implemented in most technologies on the market.

The SealSign BSS SDK also provides several panels to capture handwritten signatures available depending on the technology used by the client application.

This document is not intended as a manual for the specific aspects of the electronic signature, but a technical reference guide, developer-oriented, on integrating SealSign BSS in Metro Applications.


2 Common Tasks

2.1 Including Web Service References

The Web services layer is used to interact with the server platform. The “SealSign BSS - Web Services Reference” document details each service and its parameters. In this section you will learn, as an example, how to include the reference to a platform web service using Visual Studio 2013.

To add a reference to a web service, you just have to right-click on the .NET project button, select the Add option and then Service Reference…

Image 01: Add Service Reference Menu.


The following wizard window will be displayed to add the reference to the Web service:

Image 02: Wizard window to add a Service Reference.

In this window you must include the Web service URL and, after clicking on the Go button, enter a name for the Namespace and click on the OK button. The reference is added to the project and displayed in the Solution Explorer panel:

Image 03: Web service reference in Solution Explorer.


Another method for invoking web services is to generate proxy classes with utilities like svcutil.exe, available both with the Microsoft Windows SDK and with the different versions of Microsoft Visual Studio.

svcutil is a command line tool that generates one or more code files (depending on the language stated) and a .config file with the appropriate configuration for the web service invocation.

An example of command line for the generation of SealSign BSS proxy classes would be as follows:

svcutil.exe /out:BiometricSignatureService.cs /config:BiometricSignatureService.config http://localhost/SealSignBSSService/BiometricSignatureService.svc /n:*,SealSignBSSService /n:http://schemas.datacontract.org/2004/07/SealSignDSSTypes,SealSignDSSTypes /n:http://schemas.datacontract.org/2004/07/SealSignBSSTypes,SealSignBSSTypes

In this example, svcutil.exe will generate two files: BiometricSignatureService.cs and BiometricSignatureService.config. The BiometricSignatureService.cs file is added to the .NET project as one more code file, and the contents of the BiometricSignatureService.config file are added to the app.config file of the .NET project.

2.2 Including the SealSignBSSClientLibrary Client

To include the capture panels in the platform client, you must load the SealSignBSSClientLibrary library in the development environment for them to appear as items of the Visual Studio toolbox.

To select the items that will be displayed in the Visual Studio toolbox, you must access the Tools menu and select the Choose Toolbox Items option.

Image 04: Choose Toolbox Items Menu.


The selection window of toolbox items will be displayed:

Image 05: Item Selection Window.

In this window, you need to select the Windows and Windows XAML Components tab, click on the Browse button and select the SealSignBSSClientLibrary.dll library corresponding to Windows Metro. Once you have done this, the SealSign BSS panel for Metro will appear as checked:

Image 06: Selecting capture panels.

After you click on the OK button, the SealSign BSS capture panel for Metro will be available within the components of the Visual Studio toolbox.


2.3 Authentication of Calls to Web Services

Depending on the configuration and operations you wish to conduct, requests to the platform web services will be conducted with authentication. For example, a certificate enumeration operation must be performed with authentication from the client, so that the use of allowed certificates is secure.

For .NET applications, depending on the scenario in which they run, it may not be necessary to provide the credentials programmatically, since they can use the integrated authentication of the Windows platform.

2.3.1 Credentials Transfer for Basic Authentication

The following example shows the connection to a SealSign web service, configured with basic authentication and providing credentials through .NET code:

    // Client for the service endpoint configured with basic authentication.
    SignatureServiceBasicClient service = new SignatureServiceBasicClient();
    service.ClientCredentials.UserName.UserName = "SealSignTest";
    service.ClientCredentials.UserName.Password = "Passw0rd";
    CertificateReference[] certs = service.GetCertificateReferences(null, false);
    service.Close();

2.3.2 Credentials Transfer for Windows Authentication

The following example shows the connection to a SealSign web service, configured with Windows authentication and providing credentials through .NET code:

    // Client for the service endpoint configured with Windows authentication.
    SignatureServiceClient service = new SignatureServiceClient();
    service.ClientCredentials.Windows.ClientCredential.Domain = "localhost";
    service.ClientCredentials.Windows.ClientCredential.UserName = "SealSignTest";
    service.ClientCredentials.Windows.ClientCredential.Password = "Passw0rd";
    CertificateReference[] certificates = service.GetCertificateReferences(null, false);
    service.Close();


3 Use Cases

3.1 Biometric Signature

3.1.1 Including the Handwritten Signature Capture Panel

Once the SealSignBSSClientLibrary.dll has been added to Visual Studio, the next step is to add the capture panel appropriate for the signature form of the client application. To do this, open the toolbox and double-click the panel or drag it onto the XAML page:

Image 07: Including the capture panel.

3.1.2 Deleting the Capture

To reset and delete the capture, you can call the CleanSignature method of the signature panel:

    sealSignBSSWacomSTUPanel1.CleanSignature();

3.1.3 Beginning the Signature

In order to biometrically sign, you need to follow these steps:

1. Notify the platform of the document that will be signed.

2. Perform the biometric data fusion and cryptography operations through the SealSignBSSClientLibrary client library using data from the server (i.e., instance and signature token).

3. Notify the platform of the operation result in order to complete the signature operation and form the final document.


The beginning of the signature is notified to the server platform by calling the BeginSignature method. The service used is /SealSignBSSService/BiometricSignatureService.svc.

The returned values and syntax of the method can be found in the “SealSign BSS - Web Services Reference” document.

    // Read the document from the application package.
    // WindowsRuntimeBufferExtensions is in System.Runtime.InteropServices.WindowsRuntime.
    var _Path = @"sample.pdf";
    var _Folder = Windows.ApplicationModel.Package.Current.InstalledLocation;
    var _File = await _Folder.GetFileAsync(_Path);
    var _ReadThis = await Windows.Storage.FileIO.ReadBufferAsync(_File);

    // Create the service client and set its endpoint address and credentials.
    BiometricSignatureServiceClient service = new BiometricSignatureServiceClient(
        BiometricSignatureServiceClient.EndpointConfiguration.BasicHttpBinding_IBiometricSignatureService);
    service.Endpoint.Address = new System.ServiceModel.EndpointAddress(
        "http://localhost:81/SealSignBSSService/BiometricSignatureService.svc");
    service.ClientCredentials.Windows.ClientCredential.Domain = "localhost";
    service.ClientCredentials.Windows.ClientCredential.UserName = "test";
    service.ClientCredentials.Windows.ClientCredential.Password = "Passw0rd";

    // Send the document bytes in the BeginSignature request.
    BiometricSignatureBeginRequest request = new BiometricSignatureBeginRequest();
    request.signingDocument = WindowsRuntimeBufferExtensions.ToArray(_ReadThis);
    BiometricSignatureBeginResponse response = await service.BeginSignatureAsync(request);

3.1.4 Client Cryptography

Calling the signature panel obtains the biometric data and performs the cryptographic operation:

    // Client encryption with SealSignBSSClientLibrary
    byte[] biometricFinalState = await signaturePanel.GetSignature(
        new Guid(response.instance), response.biometricState);

3.1.5 Ending the Signature

The end of the signature is notified to the platform and the final document is obtained. The service used is /SealSignBSSService/BiometricSignatureService.svc.

The returned values and syntax of the method can be found in the “SealSign BSS - Web Services Reference” document:

    // EndSignature
    BiometricSignatureEndResponse endresponse = await service.EndSignatureAsync(
        response.instance, biometricFinalState);
    await service.CloseAsync();

3.2 Verifying Signed Documents

It is possible to verify a signature captured against the signatures located within a document. To do so, a single call is made to the Verify method of the server platform. The service used is /SealSignBSSService/BiometricSignatureService.svc. The returned values and syntax of the method can be found in the “SealSign BSS - Web Services Reference” document:

    // Read the document from the application package.
    var _Path = @"sample.pdf";
    var _Folder = Windows.ApplicationModel.Package.Current.InstalledLocation;
    var _File = await _Folder.GetFileAsync(_Path);
    var _ReadThis = await Windows.Storage.FileIO.ReadBufferAsync(_File);

    // Create the service client and set its endpoint address and credentials.
    BiometricSignatureServiceClient service = new BiometricSignatureServiceClient(
        BiometricSignatureServiceClient.EndpointConfiguration.BasicHttpBinding_IBiometricSignatureService);
    service.Endpoint.Address = new System.ServiceModel.EndpointAddress(
        "http://localhost:81/SealSignBSSService/BiometricSignatureService.svc");
    service.ClientCredentials.Windows.ClientCredential.Domain = "localhost";
    service.ClientCredentials.Windows.ClientCredential.UserName = "test";
    service.ClientCredentials.Windows.ClientCredential.Password = "Passw0rd";

    // Capture the signature on the panel, then call Verify with the document bytes.
    byte[] biometricState = null;
    byte[] biometricFinalState = await signaturePanel.GetSignature(
        new Guid("00000000-0000-0000-0000-000000000000"), biometricState);
    if (biometricFinalState != null)
    {
        BiometricVerificationResponse response = await service.VerifyAsync(
            WindowsRuntimeBufferExtensions.ToArray(_ReadThis));
    }
    await service.CloseAsync();

3.3 Biometric Signature with Document Provider (Document on Server)

The signature procedure against the platform using a document provider is similar to that of the biometric signature, but the document does not have to be on the client. Instead, the client specifies a URI that the document provider uses to get the document from a document back end on the server side.

3.3.1 Beginning the Signature

The beginning of the signature is notified to the server platform by calling the BeginSignatureProvider method. The service used is /SealSignBSSService/BiometricSignatureService.svc.

The returned values and syntax of the method can be found in the “SealSign BSS - Web Services Reference” document:

    // Create the service client and set its endpoint address and credentials.
    BiometricSignatureServiceClient service = new BiometricSignatureServiceClient(
        BiometricSignatureServiceClient.EndpointConfiguration.BasicHttpBinding_IBiometricSignatureService);
    service.Endpoint.Address = new System.ServiceModel.EndpointAddress(
        "http://localhost:81/SealSignBSSService/BiometricSignatureService.svc");
    service.ClientCredentials.Windows.ClientCredential.Domain = "localhost";
    service.ClientCredentials.Windows.ClientCredential.UserName = "test";
    service.ClientCredentials.Windows.ClientCredential.Password = "Passw0rd";

    // Identify the document by URI; no document bytes are sent from the client.
    BiometricSignatureBeginProviderRequest request = new BiometricSignatureBeginProviderRequest();
    request.id = "";
    request.account = "";
    request.uri = @"demo://c:\samples\sample.pdf";
    request.providerParameter = null;
    request.signingDocument = null;
    BiometricSignatureBeginResponse response = await service.BeginSignatureProviderAsync(request);


3.3.2 Cryptography in Client

Calling the signature panel obtains the biometric data and performs the cryptographic operation:

    // Client encryption with SealSignBSSClientLibrary
    byte[] biometricFinalState = await signaturePanel.GetSignature(
        new Guid(response.instance), response.biometricState);

3.3.3 Ending the Signature

The end of the signature is notified to the platform. The service used is /SealSignBSSService/BiometricSignatureServiceBasic.svc. The returned values and syntax of the method can be found in the “SealSign BSS - Web Services Reference” document:

    // Pass the same document URI that was used in BeginSignatureProvider.
    BiometricSignatureEndResponse endResponse = await service.EndSignatureProviderAsync(
        response.instance,
        biometricFinalState,
        @"demo://c:\samples\sample.pdf",
        null,
        false);
    await service.CloseAsync();

3.1 Integrating BioSigner for Metro

ElevenPaths’ BioSigner app for Metro allows the biometric signature of electronic documents of different formats (PDF, Office, XML).

This application may be invoked as a component that performs the signature operation from a website that is displayed in the browser of the mobile device. The document to be signed in this way must be accessible by the SealSign server. The logic required to retrieve the document is implemented in the document providers.

The required steps for this integration are:

1. Install the BioSigner application on the device. Through the store, locate and install the “BioSigner” application.

2. Create a web page that invokes the BioSigner signature component by indicating the required parameters. The invocation of BioSigner from a website is performed invoking a special URL that has been registered in the device when installing the application. The URL has the following syntax:

mobilebssfe://?parametro1=valor&parametro2=valor&…

The parameters are:

a. viewerurl: Said URL will open in a web viewer behind the signature fields.

b. uri: It is the first value. It will be transferred to the server document provider in order to identify the document.

c. providerParameter: It is an optional value that is transferred to the server document provider with additional information about the document (e.g., metadata associated with the document).

d. serviceUrl: It identifies the URL of the SealSign Engine server that will be used.


e. serviceUsername: If this parameter is specified, the connection to the signature server will be conducted with this user. If it is not specified, an anonymous connection will be performed.

f. servicePassword: It indicates the password that will be used to connect to the SealSign signature server if a username is specified.

g. exitUrl: It specifies the exit URL that will be browsed after the signature operation.

The following is a complete example of integration with BioSigner:

mobilebssfe://?viewerurl=http://www.smartaccess.es&uri=demo://1-2-z.pdf&providerParameter=myProviderParameter&serviceUrl=http://demo.smartaccess.es/sealsigndssfrontend&serviceUsername=usuario&servicePassword=pwd&exitUrl=http://www.google.es
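A check that can be run on an invocation link before it is placed in a web page, added here as an example; it is not ElevenPaths code. The parameter names are the guide's; the finding codes, the function names and the constructed `docs.example` link are assumptions of this example, and `credentials-over-http` assumes the credentials reach the server unprotected when serviceUrl is plain HTTP.

```javascript
// Added example: lint a BioSigner invocation link before publishing it.
// Parameter names are the guide's; the finding codes are this example's own.
const SCHEME_PREFIX = "mobilebssfe://?";
const KNOWN_PARAMS = ["viewerurl", "uri", "providerParameter", "serviceUrl",
  "serviceUsername", "servicePassword", "exitUrl"];
const URL_PARAMS = ["viewerurl", "serviceUrl", "exitUrl"];

// The complete example from the guide, copied verbatim.
const GUIDE_SAMPLE_LINK = "mobilebssfe://?viewerurl=http://www.smartaccess.es" +
  "&uri=demo://1-2-z.pdf&providerParameter=myProviderParameter" +
  "&serviceUrl=http://demo.smartaccess.es/sealsigndssfrontend" +
  "&serviceUsername=usuario&servicePassword=pwd&exitUrl=http://www.google.es";

// Constructed link: the viewer URL carries its own, unencoded query string.
const CONSTRUCTED_LINK = "mobilebssfe://?viewerurl=https://docs.example/view?id=7&page=2" +
  "&uri=demo://1-2-z.pdf&serviceUrl=https://sign.example/sealsign" +
  "&exitUrl=https://docs.example/done";

// Percent-decode when possible; keep the raw text if it is not valid encoding.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Split the query by hand so every name=value pair is seen exactly as written.
function parseBioSignerLink(link) {
  if (!link.startsWith(SCHEME_PREFIX)) throw new Error("not a mobilebssfe:// link");
  const params = new Map();
  const duplicates = [];
  for (const pair of link.slice(SCHEME_PREFIX.length).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = safeDecode(eq === -1 ? pair : pair.slice(0, eq));
    const value = safeDecode(eq === -1 ? "" : pair.slice(eq + 1));
    if (params.has(name)) duplicates.push(name);
    params.set(name, value);
  }
  return { params, duplicates };
}

const isPlainHttp = (value) => /^http:\/\//i.test(value || "");

function lintBioSignerLink(link) {
  const { params, duplicates } = parseBioSignerLink(link);
  const findings = [];
  // A stray name usually means an unencoded "&" inside another parameter's value.
  for (const name of params.keys()) {
    if (!KNOWN_PARAMS.includes(name)) findings.push("unknown-param:" + name);
  }
  for (const name of duplicates) findings.push("duplicate-param:" + name);
  // The password is readable by anyone who can read the page holding the link.
  if (params.has("servicePassword")) findings.push("password-in-link");
  // Per the guide, the password is only used when a username is specified.
  if (params.has("servicePassword") && !params.has("serviceUsername")) {
    findings.push("password-without-username");
  }
  for (const name of URL_PARAMS) {
    if (isPlainHttp(params.get(name))) findings.push("plain-http:" + name);
  }
  // Assumption: credentials sent to a plain-HTTP serviceUrl are exposed in transit.
  if (params.has("serviceUsername") && isPlainHttp(params.get("serviceUrl"))) {
    findings.push("credentials-over-http");
  }
  return findings;
}

console.log(lintBioSignerLink(GUIDE_SAMPLE_LINK));
console.log(lintBioSignerLink(CONSTRUCTED_LINK));
```

In the constructed link, `page=2` belongs to the viewer URL but is read as a separate parameter, which is why it is reported as unknown.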


4 Resources

For information about the different SealSign services available, please go to this address:

https://www.elevenpaths.com/technology/sealsign/index.html

Also, on the ElevenPaths blog you can find interesting articles and innovations regarding this product.

You can find more information about ElevenPaths products on YouTube, on Vimeo and on Slideshare.


PUBLICATION

October 2016

At ElevenPaths we have our own way of thinking when we talk about security. Led by Chema Alonso, we are a team of experts who are passionate about their work, who are eager to redefine the industry and have great experience and knowledge about the security sector.

Security threats in technology evolve at an increasingly quicker and relentless pace. Thus, since June 2013, we have become a startup company within Telefónica aimed at working in an agile and dynamic way, transforming the concept of security and, consequently, staying a step ahead of our attackers.

Our head office is in Spain, but we can also be found in the UK, the USA, Brazil, Argentina and Colombia.

IF YOU WISH TO KNOW MORE ABOUT US, PLEASE CONTACT US AT:

elevenpaths.com Blog.elevenpaths.com @ElevenPaths Facebook.com/ElevenPaths YouTube.com/ElevenPaths

The information disclosed in this document is the property of Telefónica Digital España, S.L.U. (“TDE”) and/or any other entity within Telefónica Group and/or its licensors. TDE and/or any Telefonica Group entity or TDE’S licensors reserve all patent, copyright and other proprietary rights to this document, including all design, manufacturing, reproduction, use and sales rights thereto, except to the extent said rights are expressly granted to others. The information in this document is subject to change at any time, without notice.

Neither the whole nor any part of the information contained herein may be copied, distributed, adapted or reproduced in any material form except with the prior written consent of TDE.

This document is intended only to assist the reader in the use of the product or service described in the document. In consideration of receipt of this document, the recipient agrees to use such information for its own use and not for other use.

TDE shall not be liable for any loss or damage arising out from the use of the any information in this document or any error or omission in such information or any incorrect use of the product or service. The use of the product or service described in this document are regulated in accordance with the terms and conditions accepted by the reader.

TDE and its trademarks (or any other trademarks owned by Telefonica Group) are registered service marks.