Electronic digital signature (EDS) of documents in 1C in a couple of clicks using the Crypto-PRO PDF utility

    On one of our major projects, a task came up that is unusual for 1C. It was necessary to organize the mass signing and sending of documents to counterparties using an electronic digital signature. Searching the help system and the 1C forums did not give the desired result. I had to deal with cryptography tools, electronic keys and third-party utilities. The solution I found was simple and flexible enough to repeat in other projects, so I want to share it with you.

    Statement of the problem in numbers:
    • The customer’s company employs almost 3,000 people in more than 50 branches throughout Russia.
    • At the customer’s enterprise, SCP 1.3 is used (platform 8.2.19.76).
    • More than 10,000 active counterparties.
    • For most counterparties (buyers), documents must be sent in electronic form once a month (accounts, acts, invoices, RTU, etc.). In total, about 100,000 documents.
    • 2 business days are allocated for sending documents.
    • A minimum number of people should be involved in the sending procedure. Now their number has been reduced to 2 people.
    • Documents should be sent via email as attached PDF files. Each PDF file must be signed with an electronic digital signature.

    In a few words, what is a digital signature? Two keys are used for signing and working with files: a private key and a public key. The private key is stored on your token and is used to sign or encrypt documents. The public key must be distributed to all users who need to work with the document you signed; this usually happens automatically when the file is signed. Then there is the file that we need to sign. Using special software, a unique character sequence, something like a checksum, is created from the contents of the file and your private key. This sequence is the electronic digital signature. An EDS is always unique to the user and the document. The signature contains the date of signing, the signatory, the checksum of the signed document, and either a link to the public key or the public key file itself. The signature can be added to the signed file or saved as a separate file. Of course, we are interested in the first option.

    As always, solving the problem began with a study of what already exists. There were several cryptography and digital signature modules for 1C, but they did not fit. As a rule, they can either sign XML files or save the signature and public key in a separate file. We needed a signed PDF document as the output, one that could be easily and conveniently viewed with the usual Adobe Acrobat Reader.
    The second approach was to look for so-called PDF printers, programs that can save any document as a PDF file. The most suitable one was BullZip PDF Printer (http://www.bullzip.com/products/pdf/download.php), whose paid version can sign the documents it creates. In principle, this solution was suitable, but there were serious bureaucratic problems with purchasing, approving and installing new software in the enterprise. While the decision was going through approval, I turned my attention to the Crypto-PRO software suite, which, as a rule, is supplied with and works with the digital signature key.

    The first solution, semi-manual


    The vast majority of EDS keys are issued as eToken or Rutoken USB modules. In my case it was an eToken. For those who do not know, the main difference is that the eToken has a built-in hardware cryptographic coprocessor. This means that when encrypting data, the private key does not leave the token. In our case, this difference does not matter.

    I will not cover installing drivers for USB keys. They are usually supplied by the issuing certification authority along with the tokens themselves, and installation does not cause problems. The license for CRYPTO-PRO and the CryptoPro CSP utility are usually supplied with the tokens. I used version 3.9, the latest currently available.

    Then everything is simple. Start CryptoPro CSP. On the Service tab, click the View certificates in the container button, then click Browse to select the token with the crypto storage, and select the storage. Usually there is one storage per token.

    Click Next to get a window with information about the certificate to which the key is attached. Click the Install button and install the certificate in the Personal store for the local user. Usually, along with the CryptoPro CSP utility, a shortcut for the Certificates snap-in is added to the Start menu. Start the snap-in and make sure that everything was done correctly and the certificate really is installed in the Personal section for the current user.

    Next, right-click the installed certificate and choose All Tasks, Export. Be sure to refuse to export the private key, and save the certificate somewhere on the local computer, for example on the desktop, in the X.509 (.CER) file format encoded in DER. We will need the saved certificate later to perform the signing.

    The last thing that remains is to download the CryptoPro PDF utility from www.cryptopro.ru/downloads; we will use it to sign the PDF files.

    The utility is extremely simple. Select the folder in which the PDF files are located, select the folder in which the signed files will be saved (if it is the same folder, check the box “Overwrite files with the same name” in the additional settings), select the certificate from the container that will be used for signing, and enter the PIN for the key. If everything is correct, signed PDF files will appear in the destination folder in a few seconds. For the EDS to be legally recognized, the law also requires a time stamp to be set, but I did not need this for the task.

    In principle, that is all! If you have a small organization and a couple of dozen counterparties, you can stop here and leave everything in manual mode. Note also that we did not need 1C at all: PDF documents can be created in many ways, including from Microsoft Office.

    For a long time I could not figure out why signing failed with an error. It turned out that for the CryptoPro PDF utility to work, Adobe Acrobat Pro must be installed on your computer (not Reader, this is important!). It is with its help that the utility modifies PDF files and adds a signature to them.

    An example of a signed file is shown in the picture. It looks like a regular PDF, except that information about the signer has appeared on the Signatures tab. The important points are who signed the document (usually this is the person's name and the name of the organization) and that the document has not changed since signing. The information that the certificate is not reliable can be ignored. It only means that Adobe and its Acrobat Reader product do not know anything about your certificate.

    The second solution, automatic


    As I wrote above, a manual solution did not fit my case. There are many counterparties, and for each one several dozen documents are created every month. All of them need to be saved as PDF, signed, and sent in one letter. To solve the problem, we decided to modify and use the "Group processing of directories and documents" processing, which is standard for many configurations. For the most popular configurations, this processing is either part of the configuration itself or can be found as an external processing on the ITS disk.

    The processing already knows how to print selected documents. In the latest versions of the platform, a standard mechanism for saving printed forms as PDF files has appeared. It remained to combine these two mechanisms: save the documents selected by the user to a folder on the local computer, and then launch the CryptoPro PDF utility from the command line to sign them.

    The interface was slightly modified. Work with directories was removed from the processing, and only the 4 types of documents that need to be sent were left in the interface. The selection system was changed. We created a new information register, "Digital signature settings". For each user, it stores the path to CryptoPro PDF on the local computer, the folders for temporary storage of files, and the certificate with which the signature will be made. We were also asked to store the PIN for the key, but we did not do this for security reasons.

    To automate it completely, I had to revive the email module in 1C. Then everything is simple. Once a month, the operator selects a list of counterparties and the types of documents that should be sent, checks the selection result, clicks the Run button, enters the PIN code for the key and waits ... In my case, forming a package of documents can take several hours.

    The processing groups the selected documents by counterparty and then loops over the counterparties. For each one, it selects all of its documents, saves them as PDF files to disk, launches the CryptoPro PDF utility from the command line and signs the saved documents. It then creates an E-mail document with contact data from the counterparties directory, attaches the signed documents from the folder on disk, puts the letter into the status for sending, and moves on to the next counterparty. Letters are sent by a scheduled task once every 10 minutes. The processing can be left running overnight. Any problems that arise will be handled correctly, and in the morning the user will see an error log and a log of sent letters.

    For convenience, here is the piece of code that performs the signing procedure itself. All parameters are taken from the information register we created.

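    	// Count the PDF files waiting in the incoming folder.
    	МассивВходящих = НайтиФайлы(КаталогВходящие, "*.pdf", Ложь);
    	КоличествоФайловВходящие = МассивВходящих.Количество();
    	Сообщить("Обнаружено " + КоличествоФайловВходящие + " файлов для подписи.");
    	// Build the CryptoPro PDF command line. The path to the utility is quoted
    	// so that a path containing spaces is passed as a single argument.
    	// Note: the PIN is passed as a command-line argument, so it is visible
    	// in the process list for as long as the utility is running.
    	КоманднаяСтрока = """" + ИмяФайлаКриптоПро + """ sign" +
    	" --in-dir=""" + КаталогВходящие + """" +
    	" --out-dir=""" + КаталогИсходящие + """" +
    	" --report-dir=""" + КаталогЛоги + """" +
    	" --err-dir=""" + КаталогОшибки + """" +
    	" --certificate=""" + ИмяФайлаСертификата + """" +
    	" --pin=""" + ПинКод + """" +
    	" --overwrite-files";
    	// Run the utility and wait for it to finish (third parameter = Истина).
    	ЗапуститьПриложение(КоманднаяСтрока, "", Истина);
    	// Count every PDF now present in the outgoing folder; files left over
    	// from an earlier run are included in this number.
    	МассивИсходящих = НайтиФайлы(КаталогИсходящие, "*.pdf", Ложь);
    	КоличествоФайловИсходящие = МассивИсходящих.Количество();
    	Сообщить("Подписано " + КоличествоФайловИсходящие + " файлов.");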
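
A check that could run between the signing step above and the mailing step, added here as a Python example (it is not part of the original 1C processing or of CryptoPro PDF): it matches the batch folders by file name and confirms that each output PDF carries a signature whose /ByteRange spans the whole file. It assumes signed files keep their input names and performs no cryptographic verification; the function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d);
# the gap between them holds the hex-encoded signature (/Contents).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_state(data: bytes) -> str:
    """Return 'unsigned', 'signed' or 'modified-after-signing'."""
    matches = list(BYTE_RANGE.finditer(data))
    if not matches:
        return "unsigned"
    a, b, c, d = (int(g) for g in matches[-1].groups())
    # The last signature has to start at byte 0 and end exactly at end-of-file;
    # anything else means bytes were appended or the range is inconsistent.
    if a == 0 and 0 < b < c and c + d == len(data):
        return "signed"
    return "modified-after-signing"

def pdf_names(folder) -> set:
    return {p.name for p in Path(folder).glob("*.pdf")}

def reconcile(in_dir, out_dir, err_dir) -> dict:
    """Match the batch folders by file name before anything is mailed."""
    report = {"signed": [], "not_signed": [], "missing": [],
              "errors": sorted(pdf_names(err_dir))}
    for name in sorted(pdf_names(in_dir)):
        out = Path(out_dir) / name
        if not out.is_file():
            report["missing"].append(name)
        elif signature_state(out.read_bytes()) == "signed":
            report["signed"].append(name)
        else:
            report["not_signed"].append(name)
    return report

def constructed_signed_pdf(body: bytes = b"%PDF-1.7\n1 0 obj<<>>endobj\n") -> bytes:
    """Constructed sample: PDF-like bytes with a self-consistent /ByteRange."""
    prefix = body + b"2 0 obj<</Type/Sig/ByteRange[0 "
    suffix, contents, tail = b"]/Contents", b"<" + b"00" * 16 + b">", b">>endobj\n%%EOF\n"
    head_len = len(prefix) + 32 + len(suffix)  # 32 = three 10-digit numbers + 2 spaces
    nums = b"%010d %010d %010d" % (head_len, head_len + len(contents), len(tail))
    return prefix + nums + suffix + contents + tail
```

A counterparty's letter would be queued only when `missing`, `not_signed` and `errors` are all empty for its batch.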
    
