
Signing documents with an electronic digital signature (EDS) in 1C in a couple of clicks using the CryptoPro PDF utility

On one large project, an unusual task came up for 1C: we had to organize the mass signing and sending of counterparties' documents using an electronic digital signature. Searching the help system and the 1C forums did not give the desired result. I had to dig into cryptographic tools, electronic keys and third-party utilities. The solution I found turned out to be simple and flexible enough to be reused in other projects, so I want to share it with you.

The task in numbers:
• The customer’s enterprise employs nearly 3,000 people in more than 50 branches throughout Russia.
• The customer’s enterprise uses SCP 1.3 (platform 8.2.19.76).
• More than 10,000 active counterparties.
• Once a month, documents (bills, acts, invoices, MOUTH, etc.) must be sent electronically to most of the counterparties (buyers). In total, about 100,000 documents.
• 2 working days are allocated for sending the documents.
• The dispatch procedure should involve a minimum number of people. That number has now been reduced to 2 people.
• Documents must be emailed as attached PDF files. Each PDF file must be signed with EDS.

A few words on what a digital signature is in general. Two keys are used for signing and working with files: a private one and a public one. The private key is stored on your token and is used to sign or encrypt documents. The public key should be distributed to all users who need to work with the document you have signed; this usually happens automatically when a file is signed. Then there is the file that we need to sign. Special software takes the contents of the file and your private key and produces a unique sequence of characters, something like a checksum. This sequence is the digital signature. An EDS is always unique to the given user and the given document. The signature contains the date the document was signed, the signer, the checksum of the signed document, and either a link to the public key or the public key file itself. The signature can be added to the signed file or saved as a separate file. Of course, we are interested in the first option.

As always, solving the problem began with studying what already exists. There were several cryptography and EDS modules for 1C, but they did not fit. As a rule, they can either sign XML files or save the signature and public key in a separate file. We needed a signed PDF document as output, one that can be viewed easily and conveniently in the usual Adobe Acrobat Reader.
The second approach was to look at so-called PDF printers, programs that can save any document as a PDF file. The most suitable one turned out to be BullZip PDF Printer (http://www.bullzip.com/products/pdf/download.php), whose paid version can sign the documents it creates. In principle the solution fit, but there were serious bureaucratic problems with purchasing, approving and installing new software at the enterprise. While the decision was being negotiated, I turned my attention to the CryptoPro set of programs, which, as a rule, is supplied and works together with the EDS key.

Solution one, semi-manual


The vast majority of EDS keys are issued as eToken or Rutoken USB modules. In my case it was an eToken. For those who do not know, the main difference is that eToken has a built-in hardware cryptographic co-processor. This means that when data is encrypted, the private key does not leave the token. In our case, this difference does not matter.

I will not cover installing the USB token drivers. As a rule, they are supplied by the issuing certification center along with the tokens themselves, and installation does not cause problems. Tokens also usually come with a license for CryptoPro and the CryptoPro CSP utility. I used the latest version currently available, 3.9.

From there everything is simple. Launch CryptoPro CSP. On the Service tab, click the View certificates in the container button, click Browse to select the token with the crypto-storage, and choose the repository we need. There is usually one repository per token.

Click Next to get a window with information about the certificate to which the key is attached. Use the Install button to install the certificate in the Personal store of the local user. A shortcut to the Certificates snap-in is usually added to the Start menu together with the CryptoPro CSP utility. Launch the snap-in and make sure that everything was done correctly and the certificate really was installed in the Personal section for the current user.

Next, right-click the installed certificate and choose All tasks, Export. Be sure to decline exporting the private key, and save the certificate somewhere on the local computer, for example on the desktop, in the X.509 file format (.CER) in DER encoding. We will need the saved certificate later to perform the signing.

The last thing left is to download the CryptoPro PDF utility from www.cryptopro.ru/downloads, which we will use to sign the PDF files.

The utility is extremely simple to use. Select the folder containing the PDF files, select the folder where the signed files will be saved (if this is the same folder, check the "Overwrite files with the same name" checkbox in the advanced settings), select the certificate from the container that will be used for signing, and enter the PIN for the key. If everything is correct, signed PDF files appear in the destination folder after a few seconds. For an EDS to be legally recognized, the law also requires a time stamp, but I did not need this for the task.

In principle, that is all! If you have a small organization and a couple of dozen counterparties, you can stop here and leave everything in manual mode. Note that 1C was not needed at all here; PDF documents can be created in many ways, including from Microsoft Office.

For a long time I could not figure out why signing failed with an error. It turned out that for the CryptoPro PDF utility to work, Adobe Acrobat Pro must be installed on the computer (not Reader, this is important!). The utility uses it to modify PDF files and add a signature to them.

An example of a signed file is shown in the picture. It looks like a regular PDF, except that the Signatures tab now contains information about the signer. The important parts are who signed the document (usually the person's name and the name of the organization) and that the document has not been changed since it was signed. The information that the certificate is unreliable can be ignored. It only says that Adobe and its Acrobat Reader product do not know anything about your certificate.

Solution two, automatic


As I wrote above, the manual solution did not fit my case. There are a lot of counterparties, and several dozen documents are created for each of them every month. All of them need to be saved to PDF, signed and sent in one letter. To solve the problem, we decided to modify and use the “Group processing of directories and documents” data processor, which is standard for many configurations. For the most popular configurations, it is either included in the configuration itself or can be found as an external one on the ITS disk.

This data processor can already print selected documents. Recent versions of the platform have a standard mechanism for saving print forms as PDF files. What remains is to combine these two mechanisms: save the documents selected by the user to a folder on the local computer, then run the CryptoPro PDF utility from the command line to perform the signing.

We reworked the interface a little. Work with directories was removed from the data processor. The interface was left with the 4 types of documents that need to be sent. The selection system was changed. We created a new information register, EDS Settings. For each user, it stores the path to CryptoPro PDF on the local computer, the folders for temporary storage of files, and the certificate used for signing. We were also asked to store the PIN for the key, but we did not do this for security reasons.

To make the automation complete, I had to revive the email module in 1C. From there everything is simple. Once a month, the operator selects the list of counterparties and the types of documents to be sent, checks the result of the selection, presses the Execute button, enters the PIN for the key and waits... In my case, forming a package of documents may take several hours.

The data processor groups the selected documents by counterparty and then loops over the counterparties. For each one it selects all of its documents, saves them to disk as PDF files, launches the CryptoPro PDF utility from the command line, signs the saved documents, creates an Email document with contact data from the counterparty directory, attaches the signed documents from the folder on disk, sets the letter's status to "to be sent" and proceeds to the next counterparty. Letters are sent by a scheduled job once every 10 minutes. The data processor can be left running overnight. Any problems that arise are handled correctly, and in the morning the user sees the error log and the log of sent letters.

For convenience, here is the piece of code that performs the signing itself. All parameters are taken from the information register created earlier.

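    // Variable names and message texts are illustrative placeholders;
    // the values themselves come from the EDS Settings information register.
    Files = FindFiles(InputDir, "*.pdf", False);
    FileCount = Files.Count();
    Message("Found " + FileCount + " files to sign.");

    // Build the command line for the utility's "sign" mode.
    CommandLine = UtilityPath + " sign"
        + " --in-dir=""" + InputDir + """"
        + " --out-dir=""" + OutputDir + """"
        + " --report-dir=""" + ReportDir + """"
        + " --err-dir=""" + ErrorDir + """"
        + " --certificate=""" + Certificate + """"
        + " --pin=""" + Pin + """"
        + " --overwrite-files";

    // Third argument True: wait for the utility to finish before counting the results.
    RunApp(CommandLine, "", True);

    Files = FindFiles(OutputDir, "*.pdf", False);
    FileCount = Files.Count();
    Message("Signed " + FileCount + " files.");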
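One way to drive the same `sign` command from a script and confirm that every saved PDF came back signed before it is attached to a letter (an added example in Python, not code from the article). The utility path, certificate and PIN values are placeholders, `fake_run` is a stand-in for the real utility, and separate input and output folders are assumed.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

def build_sign_argv(utility, in_dir, out_dir, report_dir, err_dir, certificate, pin):
    """Argument list for `sign` mode; only flags that appear in the article are used."""
    return [str(utility), "sign", f"--in-dir={in_dir}", f"--out-dir={out_dir}",
            f"--report-dir={report_dir}", f"--err-dir={err_dir}",
            f"--certificate={certificate}", f"--pin={pin}", "--overwrite-files"]

def redact(argv):
    """Copy of argv that is safe to write to a log: the PIN value is masked."""
    return ["--pin=***" if a.startswith("--pin=") else a for a in argv]

def sign_and_reconcile(argv, in_dir, out_dir, run=subprocess.run):
    """Run the signer without a shell, then list inputs that have no signed output."""
    in_dir, out_dir = Path(in_dir), Path(out_dir)
    if any(out_dir.glob("*.pdf")):
        raise RuntimeError("output folder is not empty; stale files would hide failures")
    expected = sorted(p.name for p in in_dir.glob("*.pdf"))
    result = run(argv)  # argv list: paths with spaces or quotes are not re-parsed
    missing = [n for n in expected if not (out_dir / n).is_file()]
    # Assumption: a non-zero exit code means failure; the file check does not rely on it.
    return result.returncode == 0 and not missing, missing

def demo():
    """Constructed run: a stand-in signer copies one of two PDFs to the output folder."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = {n: Path(tmp, n) for n in ("in", "out", "report", "err")}
        for d in dirs.values():
            d.mkdir()
        for name in ("invoice 001.pdf", "act 001.pdf"):
            (dirs["in"] / name).write_bytes(b"%PDF-1.4 constructed sample")
        argv = build_sign_argv("PATH_TO_CRYPTOPRO_PDF_UTILITY", dirs["in"], dirs["out"],
                               dirs["report"], dirs["err"], "signer.cer", "PIN-PLACEHOLDER")

        def fake_run(args):  # stand-in for the real utility, used only in this demo
            shutil.copy(dirs["in"] / "invoice 001.pdf", dirs["out"])
            return subprocess.CompletedProcess(args, 0)

        ok, missing = sign_and_reconcile(argv, dirs["in"], dirs["out"], run=fake_run)
        return ok, missing, redact(argv)

if __name__ == "__main__":
    print(demo())
```

The PIN is masked only in what the script logs; it is still passed on the utility's command line, where other processes on the same machine can read it while the utility runs.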

Source: https://habr.com/ru/post/253681/

