Change OpenDirectory-Mappings

Today I’m hacking together some things I’ve learned during administrating a bunch of Macs that had to use a centralized OpenLDAP-cluster as “OpenDirectory”-backend.

To get authentication as well as authorization to work we had to tweak the mapping of Apples DirectoryService-fields to the LDAP-Attributes of our OPenLDAP.

Luckily it’s not rocket science as Apples own OpenDirectory is based on OpenLDAP as well, so there are some parallels.

NOTE: ALL the things described here apply to MacOS 10.8 clients and an OpenLDAP-backend. They worked out for our settings. If you change any of your settings you are doing so on your own risk!

Weiterlesen

New and cool features in PHP5.6

PHP5.6 is, at the date of writing this, in the first beta phase. So the good question is: What new and cool features can we expect in the shiny new PHP-Version?

  • Exponential operator
  • importing namespaced functions
  • constant scalar expressions
  • variadic functions
  • argument unpacking
  • phpdbg
  • Streams for POST-data
  • Default Character-Encoding improvements
  • TLS improvements
  • More “under-the-hood”-Improvements

For a full list of changes have a look at the RFC-Part of the php.net wiki

Weiterlesen

Create signed PDF-Files

Some days ago a friend of mine asked me how to create PDF-Receipts. Background is that – at least in Germany – you can replace printed receipts with digitally signed PDF-Files. The signature has to comply to certain legal standards to be able to replace the printed copy but the way is the same whether it’s a self-signed certificate or an official one.

For the start I wanted to see how to sign a PDF-Document created with TCPDF. At a later time I will also have a look at how to sign a PDF-File using the libraries supported by PDFlib.com.

Signing PDF-files with TCPDF requires you to have the private key and the certificate available via a stream-ressource. That excludes certificates and keys on a signature-card as long as you can not export them.

Creating a signed PDF-File using TCPDF is rather simple as you can see in this code-snippet:

$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);

// set certificate file
$certificate = 'file://' . __DIR__ . '/cert/certificate.crt';
$privateKey = 'file://' . __DIR__ . '/cert/privateKey.crt';
// set document signature
$pdf->setSignature($certificate, $privateKey, 'test1234', '', 1, array());

// Do some more stuff here like creating the actual PDF-File

//Close and output PDF document
$pdf->output('test.pdf', 'D');

That’s it.

The hard part now is for one thing creating the actual PDF-File.
And the more important one question was “Which certificate-key-thingy goes where”.

That was the one that took me most of the time. When using a self-signed certificate as described in the TCPDF-Example you can somehow use the given openSSL shell-lines to get somehow to a result. But I wanted to sign the document with a “qualified electonical signature” which takes some more steps.

What is a qualified electronical signature? It’S nothing else than any other digital signature from a certification authority. The only difference is, that it has been issued according to the german “Signaturgesetz” which means, that it is based on a qualified certificate and has been created using a certain approved PKI. As I am not a lawyer, this is simply my own description of a legal process which might be inaccurate or plain false. So do not take my word as legally authoritative. A list of issuers for qualified electronical signatures can be found at http://www.nrca-ds.de/ZDAliste.htm

As I do not posses such a qualified electronical signature (and there currently is no need for me to get one) I tried the whole stuff with a certificate I got myself from CA-Cert. As far as I know (but I will verify that one soon) you can export a qualified electronic signature into a format that can be used for these purposes.

The relevant parts are the following variables

$certificate
needs to point to a certificate file in PEM-Format. Thats a plaintext-file with —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and some base64 encoded stuff in between.
$privateKey
needs to point to a private key file in binary PKCS7-Format. Those files normally end in something like ‘.p12′ or ‘.pfx’. To open this file you normally need a passphrase which you have to provide as third parameter to $pdf->setSignature.

Using that certificate and private key you can now sign your PDF-file.

SRWare Iron and PDF

Sadly SRWares Chromium-based Browser Iron doesn’t come with a built in PDF-Viewer.

For a long time I’ve simply taken that, but today I had to research vor PDF-stuff and finally I was fed up!

GoogleChrome to the rescue

As described in http://wiredhut.blogspot.de/2012/06/how-to-get-chromes-pdf-viewer-in-srware.html you can simply use Google Chromes PDF-Engine. And it does not only work out for Windows but also for Mac.

Simply open the Applications Content of your SRWare Iron by right-clicking onto the Application and selecting “Open Package Content”. You should get a Finder-window showing simply a folder “Contents”. Inside are several folders. One of them should be named “Versions”. Open that one and select the “newest” one inside. In my case that was “29.0.1600.1”. In there is a folder “Chromium Framework.framework” in which again is a folder “Internet Plug-Ins”. Thats the one we’re after!. So the path is as follows:
SRWare Iron.app > Contents > Versions > 29.0.1600.1 > Chromium Framework.framework > Internet Plug-Ins

Open the same folder of a Google Chrome-Browser (Note: The Version-Folder will be differently named, take the “newest”) and locate a Plug-In called PDF.plugin. Copy that one into the folder of your SRWare Iron, restart the application and open a PDF-file.

Thats it!