Schlagwort-Archiv: php

Create signed PDF-Files

Some days ago a friend of mine asked me how to create PDF-Receipts. Background is that – at least in Germany – you can replace printed receipts with digitally signed PDF-Files. The signature has to comply to certain legal standards to be able to replace the printed copy but the way is the same whether it’s a self-signed certificate or an official one.

For the start I wanted to see how to sign a PDF-Document created with TCPDF. At a later time I will also have a look at how to sign a PDF-File using the libraries supported by PDFlib.com.

Signing PDF-files with TCPDF requires you to have the private key and the certificate available via a stream-ressource. That excludes certificates and keys on a signature-card as long as you can not export them.

Creating a signed PDF-File using TCPDF is rather simple as you can see in this code-snippet:

$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);

// set certificate file
$certificate = 'file://' . __DIR__ . '/cert/certificate.crt';
$privateKey = 'file://' . __DIR__ . '/cert/privateKey.crt';
// set document signature
$pdf->setSignature($certificate, $privateKey, 'test1234', '', 1, array());

// Do some more stuff here like creating the actual PDF-File

//Close and output PDF document
$pdf->output('test.pdf', 'D');

That’s it.

The hard part now is for one thing creating the actual PDF-File.
And the more important one question was “Which certificate-key-thingy goes where”.

That was the one that took me most of the time. When using a self-signed certificate as described in the TCPDF-Example you can somehow use the given openSSL shell-lines to get somehow to a result. But I wanted to sign the document with a “qualified electonical signature” which takes some more steps.

What is a qualified electronical signature? It’S nothing else than any other digital signature from a certification authority. The only difference is, that it has been issued according to the german “Signaturgesetz” which means, that it is based on a qualified certificate and has been created using a certain approved PKI. As I am not a lawyer, this is simply my own description of a legal process which might be inaccurate or plain false. So do not take my word as legally authoritative. A list of issuers for qualified electronical signatures can be found at http://www.nrca-ds.de/ZDAliste.htm

As I do not posses such a qualified electronical signature (and there currently is no need for me to get one) I tried the whole stuff with a certificate I got myself from CA-Cert. As far as I know (but I will verify that one soon) you can export a qualified electronic signature into a format that can be used for these purposes.

The relevant parts are the following variables

$certificate
needs to point to a certificate file in PEM-Format. Thats a plaintext-file with —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– and some base64 encoded stuff in between.
$privateKey
needs to point to a private key file in binary PKCS7-Format. Those files normally end in something like ‘.p12′ or ‘.pfx’. To open this file you normally need a passphrase which you have to provide as third parameter to $pdf->setSignature.

Using that certificate and private key you can now sign your PDF-file.

Babylonic Apache SetEnv

The Mission

The other day I had a PHP-project based on the ZendFramework where I had to display different logos whether the project was viewd on the preview or on the live system.

Until now I always exchanged the images after puling the live data from the repository. Of course this was one step that sometimes was forgotten, sometimes the correct images where already in the repository so ther was no need to do it – -all in all it was rather anoying. Yes, you could say: “Automate processes that are always the same” but that is not the point today.

I had something different in mind.

For the ZendFramework I already set an environment variable “APPLICATION_ENV” that defined whether the server hosts a development or a production environment.

Why not use that information to display a logo according to the environment?

So I had either the option to call the logo via a PHP-Script that checks the environment variable and returns the correct image.

Or I could use the – already for ZendFramework available – mod_rewrite to do some rewriting voodoo.

The first option would have meant to write a complete PHP-Script and call that every time the logo is asked for. Somewhat much to do for a simple rewriting I thought.

The Quest

So I went for the second option. And it took me some time to get it up and running.

What happened: I took the documentation for mod_rewrite and went through it. I already had the following section in my VirtualHost-Config

SetEnv APPLICATION_ENV development

So for the directory with the logos in I created the following .htaccess-file (Yes, I could also put it into the servers config file…)

RewriteEngine on
RewriteCond %{ENV:APPLICATION_ENV} development [NC]
RewriteRule ^logo(?!-preview)(.*)\.png$   logo-preview$1.png [NC]

Fine I thought and tried that!

No Luck.

Didn’t work

Not after hours of debugging, reading blogposts and forum-entries and rewriting the code one or the other way.

No Luck at all

During these hours of searching the net I found that I wasn’t the only one having that problem, but mostly the solution was to set the environment variable in the Rewrite Engine as well as via SetEnv. But there had to be a different way.

And there was.

The Happy End

After hours I finaly found http://httpd.apache.org/docs/2.0/env.html and there was a paragraph headed “Some Caveats”.
Bingo! Thats It.

SetEnv is called after the mod_rewrite-calls. SetEnvIf before!

So thats the solution. Use SetEnvIf instead of SetEnv.

So I changed my VirtualHost-Config the following way

-  SetEnv APPPLICATION_ENV development
+  SetEnfIf HTTP "HTTP.*" APPLICATION_ENV=development

Yes It takes some performance, because APPLICATION_ENV is now set on every Request, but as long as static Environment variables are set after dynamic ones, that is an SEP to me.

The ZendFramework-Projects behavior does not change as the change is completely transparent to it. But reloading the log now suddenly showed the correct result!

The Polish

Well I thought, fine. But why not set the APPLICATION_ENV according to the called host-name? And therefore moving the SetEnfIf-call from the virtualServer to the projects htaccess-file? At least that’s where I think it belongs to, as it’s a project-specific setting.

So I removed the SetEnvIf-Line from the VirtualHost-Config and placed the following into the projects .htaccess-file.

<IfModule setenvif_module>
    SetEnvIf Host "\.?(preview|stage|staging|development|dev|local)\.?" APPLICATION_ENV=development
</IfModule>

As soon as one of preview, stage, staging, dev, development or local is a part of the hostname the APPLICATION_ENV-variable will be set to “development”.

One could now change that to the local environment by adding other names as well, but for me it is sufficient.

Barcamp Darmstadt

This weekend I will be attending my first BarCamp ever!

On the 20th and 21th of November Darmstadt hosts the second BarCamp at the Rhine-Main-Region. And I will be one of the about 300 people attending.

And to make that BarCamp more interesting to the PHP-Community, we try to coordinate a complete track on PHP-related sessions. Being a novice to the BarCamp I want to give a session and choose to introduce Zend_Form as it is one of the components of the ZendFramework that makes my life as Developer easier every day.

So let’s see what the weekend brings!

Social and Ethical Responsibilities

This morning I was attending Zeev Suraskis keynote at the International PHPConference in Mainz/Germany.

He spoke not so much about PHP or new technologies but what happens when technology fails. He gave us an insight into the things that happened around his last holiday in the south of Italy starting with a lost Internet-connection through a malfunctioning lens, a dead GPS-Display and his troubles getting mobile internet-access up to the dead fridge back home.

Besides the strange accumulation of bad luck it again showed me how much we depend on technology.
Continue reading