Hi, this is Gergely Kota, a developer on the InfoPath team. Digitally signing data when filling out a form makes the data tamper-proof, authenticates its signer, and is a key component of trusting form data. In this post, I’d like to share the improvements that have been made to digital signature support in InfoPath 2010. InfoPath 2010 allows you to make more secure signatures with improved cryptographic algorithms and makes long-term storage of signed forms more robust by supporting 3rd-party time stamping. This post describes these improvements and shows you how to strengthen any signature created in InfoPath 2010 Filler. For a primer on digital signatures, read an Introduction to Digital Signatures in InfoPath.
Note - Data signing should not be confused with code/template signing, which remains unchanged.
Digital signatures are only as secure as the cryptographic algorithms they use to ensure signed data hasn't been tampered with. InfoPath 2007 and 2003 support RSA or DSA for signing and SHA1 for hashing. Though a combination of RSA and SHA1 is considered secure for now, algorithms become exposed to attack over time and are eventually rendered obsolete. If either the signing or hashing algorithm is cracked or compromised, the integrity of the signature can no longer be verified. InfoPath 2010 enables you to address these concerns by supporting newer, more secure, ECC signing and SHA-2 family of hashing algorithms.
When creating a signature, a user may sign with one of potentially many certificates installed on their machine. The signature algorithm is determined by the chosen digital certificate. To determine the algorithm:
By default, InfoPath 2010 hashes signature data using SHA1. This is done to maintain backwards compatibility with InfoPath 2007 and InfoPath 2003. InfoPath 2010 also supports the SHA2 family of hashing algorithms. If backwards compatibility is not a concern, an administrator can set the hashing algorithm in the registry.
The following table shows which versions of InfoPath are able to sign and/or verify signatures with the given combinations of signing and hashing algorithms:
Certificates guarantee the identity of the signer, but expire after a while. This is to reduce the time attackers have to deduce an associated private key (which would allow them to impersonate a signer) and to limit the shelf-life of a compromised certificate. Certificates may also be revoked if they are taken out of commission before their expiration date. If the certificate used to create a signature is now expired or revoked, we should be cautious of whether the signed data is valid or not unless we can verify that the data was signed while the certificate was still valid. This poses an impending problem because all certificates expire (often in a year!), and we would require a trusted timestamp to confirm when the signature was created. Without such a trusted timestamp, InfoPath will show the signature as invalid, with the reason in the Signature Details dialog:
This can be especially problematic, for example, for a printed copy of the form which would show an invalid signature, and there would be no way to verify why. InfoPath 2010 adds support for XML Advanced Electronic Signature (XAdES), which allows for adding a trusted timestamp that can be used to resolve when the signature was added relative to the signing certificate's expiration and/or revocation time (see a detailed discussion of XAdES in Microsoft Office for details and level options). If such a timestamp exists and confirms that the signature was made when the signing certificate was valid, InfoPath can safely conclude that the signature is entirely valid:
InfoPath 2010 Forms Services signs forms using RSA and SHA1, and is able to verify any signature created in the InfoPath 2010 client. XAdES is a client-only feature.
By leveraging the security improvements and time-stamping support described in this post, you are increasing the strength and longevity of your signatures. Happy signing!
Gergely, InfoPath dev
Very useful post there. Would like to ask, how about browser forms that are uploaded to SharePoint? Is it still possible to sign?
Signing is supported in the browser as well, however the enhancements for 2010 are for client only. Forms signed with other algorithms in the client and opened in the browser will be validated properly, but you can only apply a signature using RSA+SHA1 in the browser.
Thanks Gergely for your prompt response. Would you be able to point me to any guides or more details on dig sig in SharePoint browser forms (or maybe as one of your blog topic?)? Since CAPI is already not supported, we hope to find an updated solution. Thanks!
We have a lab that covers creating a form template and signing it in a web browser: msdn.microsoft.com/.../bb251748(office.12).aspx
If you are looking to sign using signing/hashing algorithms other than RSA and SHA1, you have 2 options:
1. you can open the same forms from SharePoint using InfoPath client, apply the signature and save the form back to SharePoint. When you open the same form in the future in the browser, these signatures will be properly validated.
2. if you don't have InfoPath client, you could download the form from SharePoint, apply the signature using whatever solution you come up with, then upload the form back to SharePoint. As in , the signature will be validated when someone later opens the form in the browser as long as supported algorithms were used (see Signing and Hashing Algorithm Compatibility earlier in this post). However, you will need to exactly mimic the format of the signature applied by InfoPath.
Your post is really a knowledge enhancer.
I have developed an infopath 2010 form with some digital signature fields using optional section control. When I preview the form and click on "Click here to insert" it shows a pop up wherein I can select an image from my local drives. But the problem is when I publish the form and open in IE 8, and click on "Click here to insert" it does not give me an option to select image.
Let me know if anybody is having any knowledge about this problem.
I look forward to hearing from you.
Signing with an inserted image is a client-only feature. IPFS is limited to text in the signature.
Very interesting post. I would like to ask, why do I have to click on <sign> twice in order to sign my form? The first click prompt me that the data has been tamper with. And only successfully digital sign upon the second click. However, I did not make any changes to any fields in the form.
I have two questions that I would love to have answered
1. Attached documents, are they ecrypted also, or just the link to the document
2. what does the digital signature do to the size of the signed document ?
File attachments are included inline in Base64, so as long as they are part of your signed section, their content is included in the signed data.
The signature data is dominated by the nonrepudiation image, which is a Base64 encoded png of your InfoPath window. In the worst case, this is a full-screen on a high resolution and in my experience runs 2-300 kbytes. The rest of the signature is a few kilobytes.
Thanks for your post. I have a question that I hope you can help with. We've been using InfoPath 2007 forms with digital signatures for a while now. The forms are stored as XML in a Forms library but we've found that when we create a new form template and deploy that to the library or when we move the forms to a new library (which we need to do as part of our 2010 upgrade), all digital signatures are invalidated which is a big problem for compliance reasons. Is there a way that we can either:
a) store all form data including the digital signature in a list so that we don't need a form per se to access the form data
b) store the form in a read only type format (like .pdf or .xsf) so that we don't need a template to view the forms (for the auditors)
I really appreciate your help.
I submitted this bug report about InfoPath 2010 custom digital signatures to connect.microsoft site a while ago:
Is there any hope for getting a hotfix for this? Our customers are starting to migrate from IP 2007 to 2010, and the custom digital signature support not being all there is a bit of a problem for us.
Why is this digital certificate crap forced on us? I can understand why it's needed in some cases, but I am just trying to use some infopath forms as an easy way to put data in databases so I can retrieve and work with the data within my 30 person organization. I spend 100x the amount of time screwing around with the certificate crap than everyone uses the forms combined. Certificate problems just popped up on the form and I've already spent 2 hours on trying to get the form to work, which so far I can't and I just don't have the time to waste on this crap. Why can't simple options be available to us that don't need all this security? I just want to be able to go and do my work, not fight with garbage programs.
An InfoPath template on Form Services opened and signed using the browser still shows me the "There is a problem with this signature" error... The certificate has expired but the time and date of the signature is valid.
How come this verification is not working? Am I missing something. I have SharePoint 2010 Entreprise with InfoPath Form Services installed.
Your scenario is a fuzzy area of signature validation and InfoPath has chosen to go with the more strict version. The issue largely boils down to the fact that there is no trusted timestamp in the signature (which XAdES addresses, but only the client can apply, and the server does not validate). Since the timestamp can be trivially spoofed and the cert's expiration time has passed, there's "some chance" that an attacker has reverse-engineered the signer's private key and created a document to look like it has a valid signature.
I am writing to get some help on the digital signatures used in InfoPath 2007. We have a local CA issuing certificates for users to digital sign browser enabled forms.
The timestamp information etc. is all in place, but considered valid only until the certificate has not expired. Once expired, Infopath browser forms mark them as "There is a problem with this signature" and the pop-up window shows Expired Certificate.
What can I do to resolve this issue since we have over 5000 forms signed and my boss is about to slit me apart!!
I also tried the hotfix below, but it works only for the desktop environment. The browser enabled forms still show an error:
Is there something I can do!! Please help me out.