iOS PDFKit Cryptographic Signature - ios

How can you cryptographically sign (ECDSA) a PDF on iOS with Apple's PDFKit and save it in the PDF file? From the framework intro one would expect to find most of the PDF spec features implemented, but I struggle to find anything about cryptographic signatures (non-graphical). So, did I miss something, is there some undocumented functionality, or how would you approach this?
I've experience with manipulating and signing PDF documents in Java, but lack experience in iOS/Swift.

Related

Xcode / IOS Code visibility

How easy can it be for people to see the code / inner working mechanics of a published iOS app?
E.g if there was a certain algorithm or function/class, how easily could people be able to read that?
If it’s possible, is there any way to camouflage or encrypt it so the code can’t be read?
Cheers
A certain algorithm or function/class is not going to be visible to anyone just from having access to a published app. The app's executable has been compiled and optimised so the original source does not even exist inside it. The executables are also encrypted, and while they can be decrypted if you jailbreak a device, even then you won't get much info.
While a lot of information about how an app works can be deduced by examining how it works, individual algorithms are not something to worry about.
Plus what makes you think anyone is even going to bother trying for your app?
EDIT
As there was some confusion here is a link which talks about the binaries being encrypted when producing universal and thinned ipa files:
https://developer.apple.com/library/content/qa/qa1795/_index.html#//apple_ref/doc/uid/DTS40014195-CH1-APP_STORE_CONSIDERATIONS

CMAC-AES on iOS

I'm converting an Android app to iOS. The Android version uses CMAC-AES cryptography, but I couldn't find CMAC for iOS. Does anyone know a library or could give a tip? I am not familiar with cryptography, so I am a little messy.
CMAC stands for Cipher-based Message Authentication Code, that means it's a message authentication code (it is used to authenticate data and avoid any corruption of the data being authenticated) that uses ciphers to achieve its goals, in your particular case it uses the AES cipher to do so.
There are indeed some libraries that you could use; you may use OpenSSL (you may try other tutorials that link OpenSSL to your project), which is a well-adopted library and heavily maintained.
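As an added example (not part of the original answer), here is AES-CMAC as specified in RFC 4493, built on OpenSSL's single-block AES through Ruby's `openssl` binding. It gives reference tags that the Android and iOS implementations can be checked against; the function names `aes_cmac` and `cmac_valid?` are hypothetical.

```ruby
require 'openssl'

BLOCK = 16 # AES block size in bytes

# Encrypt exactly one block with raw AES (ECB mode, no padding).
def aes_block(key, block)
  c = OpenSSL::Cipher.new("aes-#{key.bytesize * 8}-ecb")
  c.encrypt
  c.key = key
  c.padding = 0
  c.update(block) + c.final
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# RFC 4493 subkey step: shift left one bit, fold in 0x87 if the top bit was set.
def dbl(block)
  n = (block.unpack1('H*').to_i(16) << 1) & ((1 << 128) - 1)
  n ^= 0x87 if (block.getbyte(0) & 0x80) != 0
  [n.to_s(16).rjust(32, '0')].pack('H*')
end

def aes_cmac(key, msg)
  k1 = dbl(aes_block(key, "\x00".b * BLOCK))
  k2 = dbl(k1)
  blocks = msg.b.bytes.each_slice(BLOCK).map { |s| s.pack('C*') }
  last = blocks.pop || ''.b
  last = if last.bytesize == BLOCK
           xor(last, k1) # complete final block uses K1
         else
           xor((last + "\x80".b).ljust(BLOCK, "\x00".b), k2) # pad 10..0, use K2
         end
  # CBC-MAC chain over all blocks, starting from an all-zero block.
  blocks.push(last).reduce("\x00".b * BLOCK) { |x, b| aes_block(key, xor(x, b)) }
end

# Compare tags without an early exit, so timing does not reveal where they differ.
def cmac_valid?(key, msg, tag)
  expected = aes_cmac(key, msg)
  return false unless expected.bytesize == tag.bytesize
  xor(expected, tag).bytes.reduce(0) { |acc, b| acc | b }.zero?
end
```

Feeding the same key and message to both platforms and comparing against this output shows quickly whether a mismatch comes from key encoding, padding of the last block, or tag truncation.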

using LEADTOOLS to convert doc to pdf

I am playing around with Leadtools to see how it might benefit me but I am a little frustrated with their documentation regarding how the process works. I am creating a library with methods that take an input file, convert it to pdf, add a qrcode to the file and save it and then reading the qrcode again.
Does a pdf have to be converted to an image before leadtools is able to read the qrcode?
Does leadtools allow converting from doc to pdf and then adding the qrcode or do I have to convert it to an image as well?
Is there anywhere I could look at code samples of how I can go about doing what I talked about other than the leadtools site itself?
I am sorry to hear that you are having difficulties, but I will do my best to get you pointed in the right direction.
To answer your questions:
A1.) Yes, the PDF will need to be rasterized before the LEADTOOLS barcode engine can be used. Our barcode engine will only work with raw image data. Once the file is decompressed into raw data, we will not access the file any further.
A2.) Yes, you can rasterize Microsoft Word documents using either our file I/O methods or with the LEADTOOLS Virtual Printer. Once you have the raw image data, you can pass it to the barcode engine to write the QR code into the data. Once the barcode is written, you can then compress the image into any supported format, including (raster) PDF. You can also create a searchable PDF by running the resultant image through an OCR engine & outputting to PDF.
A3.) The LEADTOOLS SDK has a main barcode demo that should illustrate the ability of the SDK to handle the features you describe here. There are also tutorials in the help file, and various projects on our support forums. We have also created a couple different CodeProject articles here:
Multi-Platform Barcode with LEADTOOLS 18
How to Read Barcodes from Images using LEADTOOLS
You haven't mentioned here what programming language you are developing with or what the specific problems are that you have encountered. Without knowing either of those, it's difficult to get more specific into any methods or other resources to check out. For a simple raster conversion of a Microsoft Word Doc to PDF and writing a barcode, I think this would probably take between 10-15 lines of code.
If you have not already, I would highly recommend sending an email to Support#leadtools.com or opening a live chat with the LEADTOOLS Support team from LEADTOOLS.com. We can get into more specifics there and help you more directly with any issues you are encountering.
Walter Bates
LEADTOOLS Developer Support
I tried adding this as a comment, but it is apparently too long for that. So I have added it as another answer.
Even if you are building a DLL, I would suggest starting out building a simple demo with a view of the image so you can see what exactly is happening to the image. Once you are comfortable that the image is being modified the way you want, then implement that code in your own library.
Also, I would recommend testing out the toolkit with the provided main demos. The demos are there to illustrate the different options you have access to in the code. If you can accomplish what your application or library will need to do through the demos, then it would be worth your time to begin coding specifically what you need. You might even need to use multiple demos to verify the tools can accomplish the goals that you have. You have all the toolkit code for the demos, so you can take them apart and use the specific pieces that you need in your application.
If you are having trouble identifying which demos to try out or whether the toolkit has the specific functionality that you need, your best bet is to contact Tech Support directly to ask. We are here to help get you pointed in the right direction.
To get down to brass tacks, the source of the image data is not all that important from the perspective of the barcode engine. It needs a RasterImage handle (raw image data) to write the specified barcode. Whether the image data is created on the fly, read from file, or generated from a scanner, it does not make a whole lot of difference.
To find the main .NET barcode demo, I would start out by going to the LEADTOOLS shortcuts. To get there, go to the Start menu -> LEADTOOLS -> Help and Demos. The shortcuts are broken down by programming language, feature, and then the base toolkit. You should be able to find the WinForms .NET barcode demo here: ..\Shortcuts.NET Class Libraries.NET Framework\01 Imaging\07 Barcode
Our toolkit example is a .NET WinForms project, but it will work in ASP.NET also.
Here are some links to tutorials if you want to dig right into the code:
Loading and Displaying an Image in WinForms
Reading Barcodes
HOW TO: Load and Display an Image with WebImageViewer
There was also this recent code tip posted illustrating how to read and write UTF-8 characters in a QR barcode.
We provide both .NET 2.0 and .NET 4.0 DLLs for our barcode engine. Both of these work within Visual Studio 2012.

Simplified Crypto Libraries for iOS

I've worked with Java cryptography for many years. Now, we have a requirement to write an iOS application that will send encrypted payloads from the mobile device to a Java service. I've begun working with the iOS crypto support (CommonCrypto, etc.) and have found it a bit more difficult. The JCE has a very clean, concise API, so I've clearly gotten spoiled. In contrast, iOS cryptography is a far more difficult API to work with.
Are there any simplified crypto libraries or wrappers around CommonCrypto that provide a more concise API? In particular, we need:
Key generation (both symmetric and asymmetric)
Encryption/decryption of data
Digital signatures (SHA1withRSA, for example)
Hashing
RSA, 3DES, and AES support
I know I've seen a sample class or two that wraps AES encryption, for example. I'm looking for something a bit richer and more full-featured. Anyone have any suggestions?
You can use OpenSSL inside your iOS app; for ease of use you can use the SSCrypto library by septicus.
From the septicus site:
SSCrypto.framework provides a simple wrapper around OpenSSL library
functions for encryption, decryption (both symmetric and RSA) and
checksums. It also encodes and decodes base64 data and can generate
both private and public RSA keys. A test tool is included in the
project. Click here to see the main.m file that comes with SSCrypto
for examples of its use.

Accepting PDF documents and executable scripts

If I allow users to upload PDF documents (and only PDFs) is there any way a malicious user could include some executable script within or attached to the doc? What about standard word documents? What are some best practices if this is a requirement? (sorry that's totally 3 questions I know - but they all apply! ;))
I am using thoughtbot's paperclip plugin and I believe you can restrict by file type.
Whether or not something is "executable" matters less than whether or not you try to execute it. A file is just a sequence of bytes. Code is only dangerous if it's actually executed - the mere act of transferring a file, as long as the destination of that file is safe, is not something that can really cause harm. What could cause harm is if you are somehow invoking the uploaded file as a command, or passing it through some form of rendering engine that would accept directives from the file to execute actions.
Who are you trying to protect?
If it's yourself - you'll be fine, as per Dav's answer. The danger comes from trying to execute or open code on the server. So unless your server automates opening the file in Adobe you're cool.
If it's your users then you're in trouble. Adobe Acrobat is a hive of 0-day pdf exploits (as explained in the comments on Dav's answer). Most to All can be mitigated by using an alternate pdf viewer like Foxit but you can't control that. If you wanted to protect your users from PDF exploits and Word Macros you've got a serious challenge. Virus Scanners can detect Word macros; but not Adobe exploits (not all of them anyway).
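The answers above separate storing an upload from rendering it. As an added example (not from the original answers), this Ruby check triages an upload by content rather than by extension: it requires the `%PDF-` header and flags dictionary names that ask a viewer to act on the file's behalf. The function name `triage_pdf` and the sample documents are constructed for illustration.

```ruby
# Names that ask a PDF viewer to run code or act without the user asking (PDF spec).
ACTIVE_NAMES = %w[JavaScript JS OpenAction AA Launch EmbeddedFile].freeze

# PDF syntax allows #xx hex escapes inside names, so normalise before matching.
def decode_name(raw)
  raw.gsub(/#(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Returns a verdict hash for the raw bytes of an upload.
def triage_pdf(bytes)
  data = bytes.b
  unless data.start_with?('%PDF-')
    return { accept: false, reason: 'missing %PDF- header', found: [] }
  end
  names = data.scan(%r{/([A-Za-z0-9#]+)}).flatten.map { |n| decode_name(n) }
  found = ACTIVE_NAMES.select { |a| names.include?(a) }
  if found.empty?
    { accept: true, reason: 'no active-content names seen', found: [] }
  else
    { accept: false, reason: 'active content, quarantine for review', found: found }
  end
end

# Constructed sample inputs (not real documents).
CLEAN_PDF  = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
ACTIVE_PDF = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n" \
             "3 0 obj\n<< /S /J#61vaScript /JS 4 0 R >>\nendobj\n"
NOT_PDF    = 'MZ bytes of some other file type, renamed to report.pdf'
```

A raw scan cannot see names inside compressed object streams, so a clean result is triage rather than proof; serving accepted files as downloads from a separate origin keeps the server itself from rendering them.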
