Lab 10: Digital Signatures in InfoPath 2003

 

Microsoft Corporation

April 2004

Applies to:
    Microsoft® Office InfoPath™ 2003

Summary: Learn how to enable digital signatures for an entire form or just for parts of the form, and how to add and remove signatures when filling out a form. Define commands associated with sections or optional sections that display signatures directly in the form. Discover the difference between co-signatures and counter-signatures and learn how to work with the digital signature's object model. (12 printed pages)

Contents

Prerequisites
Scenario
Lab Objective
Setup
Level 300 Exercises
Level 400 Exercises
Conclusion

Prerequisites

  • A basic understanding of Microsoft® JScript® development software

Download the odc_INF03_Labs.exe sample file.

Scenario

The information technology (IT) department at Contoso Corporation is tasked with adding support for digitally signing data in all forms. This ensures that information in Microsoft® Office InfoPath™ 2003 forms is not tampered with after sales representatives have completed the forms, and signifies the approval of the form. This support allows users to sign specific sections of the form, or the entire form.

Lab Objective

In this lab you learn how to do the following:

Level 300

  • Enable digital signatures for an entire form
  • Enable digital signatures for parts of a form

Level 400

  • Work with the InfoPath object model for digital signatures

Setup

To sign InfoPath forms, users must have a digital certificate installed on their computer. Digital certificates can be requested from a certificate authority within the company's intranet or a commercial certificate authority.

To be used with InfoPath forms, digital certificates must have a private key. The Key Usage for a certificate must be of type signature, or both signature and exchange (it cannot be only exchange), and the type of certificate must be Client Authentication, Code Signing, or E-mail Protection. Depending on the certificate authority, users can receive the certificate through an e-mail message, with instructions on how to download (if necessary) and install it.

Instead of requesting a digital certificate, you can create a self-signed certificate that is trusted on your machine. Such certificates, however, are not trusted on other computers, unless they are specifically added as trusted certificates. Therefore, this is not a recommended method of using digital signatures when deploying InfoPath forms. Creating a self-signed digital certificate is the first method of obtaining the certificate described in this article.

If a company has an internal certificate Web site, users can download and install certificates from that site. This is the second way to get digital certificates described in this article. This method will work for a built-in certification authority in Microsoft® Windows Server System™.

To create a self-signed digital certificate

Note   To complete this procedure, you need to have the makecert.exe tool and the signer.dll library registered. If you have the .NET Framework 1.1 Software Development Kit installed, then makecert.exe and signer.dll are already installed.

  1. If the .NET Framework 1.1 Software Development Kit is not installed on your computer, you can download the Authenticode for Internet Explorer package that contains the makecert tool and install it at C:\inetsdk\bin.

  2. To create a trusted root certification authority, at the command prompt, type the following (if you paste the command instead of typing, it may not work), and then press ENTER:

    makecert -n "CN=TrustedRootCA" -r -cy authority -a sha1 -sky Signature -m 1 -sv certRoot.pvk certRoot.cer -ss ROOT
    
  3. In the Install Certificate Wizard that is started, click No password for this certificate, and then choose to add it to the root store. The certificate is added to the Trusted Root Certification Authorities store.

  4. To create a trusted certificate used for signing, type the following (if you paste the command instead of typing, it may not work), and then press ENTER.

    makecert -n "CN=LabUserCertificate" -cy end -a sha1 -sky Signature -m 1 -iv certRoot.pvk -ic certRoot.cer -ss MY
    

    The certificate LabUserCertificate is added to the Personal store, and can be used to sign forms.

  5. Create a digital certificate from a certificate authority installed on a computer running Windows 2003 Server. In Microsoft Internet Explorer, type the server path, followed by the text /certsrv, for example, http://server_name/certsrv.

  6. In the list of tasks, click Request a certificate.

  7. In the Request a certificate section, click Advanced certificate request.

  8. In the Advanced certificate section, click Create and submit a request to this CA.

  9. On the next page, type the necessary personal information.

  10. From the list under Type of Certificate Needed, select Code Signing Certificate. Code signing certificates are used to sign both forms and form templates, while client authentication and e-mail protection certificates can sign only forms.

  11. Under Key Options, select Both or Signature as key usage attribute.

  12. Click Submit.

  13. Follow the instructions in the wizard to install the certificate and make the certificate authority trusted.

Note   These certificates are trusted only on computers that accept the issuer certificate authority as trusted. A signature using such a certificate is trusted only where the certificate is trusted.

Level 300 Exercises

Exercise 1: Sign the Entire Form

The following exercises show you how to add support to your form so that users can digitally sign the entire form.

To enable support for signing the entire form

  1. Start InfoPath.

  2. In the Fill Out a Form dialog box, click Design a Form.

  3. In the Design a Form task pane, click On My Computer.

  4. In the Open in Design Mode dialog box, locate the folder that you installed the training files in, and double-click the Lab 10 folder.

  5. Select Lab10Template.xsn, and then click Open.

    The Contoso sales report form opens in design mode.

  6. On the Tools menu, click Form Options.

  7. In the Form Options dialog box, click the Digital Signatures tab, and then click Enable digital signatures for the entire form.

  8. On the File menu, click Save.

  9. Save the form as SignEntireSalesReport.xsn.

Once you enable support for signing a form, you can add your signature.

To sign the form

  1. On the File menu, click Fill Out a Form.
  2. In the Fill Out a Form dialog box, under Open a form, click Open.
  3. In the Open dialog box, locate the SignEntireSalesReport.xsn form that you just saved, and double-click the file to open it.
  4. On the Standard toolbar, click Digital Signatures.
  5. In the Digital Signatures dialog box, click Add.
  6. In the Digital Signature Wizard, click Entire_form, and then click Next.
  7. On the next page of the wizard, click the LabUserCertificate certificate in the Select the certificate that you want to use to sign the form list, and then click Next.
  8. On the next page of the wizard, type any comments that you want to save with the signature (for example "I verified and approved all data that will be added with my signature"), and then click Finish.
  9. Review the content that you are about to sign, and then select the I have verified this content before signing check box.
  10. Click Sign.

The form is signed and users cannot change any data in it without invalidating the signature.

To add more signatures to the form

  1. Follow the preceding steps to add more digital signatures to this form.
  2. Save the form as SignedForm1.xml.

Any subsequent signatures that sign the entire form are treated as counter-signatures, which indicates that the first signature signs the data in the form and each subsequent signature signs the preceding signature. You can only remove counter-signed signatures one at a time, beginning with the most recently added signature.

To remove signatures

  1. With the form still open, on the Standard toolbar, click Digital Signatures.
  2. In the Digital Signatures dialog box, click the last signature in the list, and then click Remove.
  3. To remove all of the signatures in the form, repeat the previous step for the rest of the signatures.

Exercise 2: Prompt Users to Sign the Form on Submit

In the following exercise, you learn how to display a dialog box alert asking users to sign the form, when a form is submitted without a digital signature (this feature exists only for signatures that sign the entire form).

To display a dialog box when a form is submitted without a digital signature

  1. In the designer view, open SignEntireSalesReport.xsn.

  2. On the Tools menu, click Form Options.

  3. In the Form Options dialog box, click the Digital Signatures tab, and then select the Prompt user to sign the form if it is submitted without a signature check box.

  4. In the Submitting Forms dialog box, click Enable Submit commands and buttons.

  5. In the Submit to box, click Custom submit using form code. You specify a basic custom submit using the default submit event handler that only sets a value indicating that submit has succeeded.

  6. Select the Edit Form Code check box, and then click OK.

  7. If prompted, install Microsoft Script Editor.

  8. Remove the forward slashes (//) from the following line of code in the OnSubmitRequest function:

    // eventObj.ReturnStatus = true; 
    

    The resulting line should look like this:

    eventObj.ReturnStatus = true; 
    

    Note   This modification changes the line of code from a comment to executable code; the code allows you to click Submit and run the function without actually submitting the form.

  9. Close Microsoft Script Editor, and if prompted, save any changes.

  10. In the Digital Signatures tab, click OK.

  11. Preview the form and try to submit it. You should receive a dialog box alert asking you to sign the form before submitting it.

Exercise 3: Sign Parts of the Form

In this exercise, you learn how to create a form that enables digital signatures for specific sections in the form. You also learn how to enable signature commands so that users can sign by clicking a command directly in the form.

To enable digital signatures for part of the form

  1. Open Lab10Template.xsn in Design mode (it does not have any signatures defined).
  2. On the Tools menu, click Form Options.
  3. In the Form Options dialog box, click the Digital Signatures tab, and then click Enable digital signatures for specific data in the form.
  4. Click Add.
  5. In the Set of Signable Data dialog box, type MySignature1.
  6. Click Select XPath after the Fields and groups to be signed box.
  7. In the Select a Field or Group dialog box, select group4 (the group assigned to Customer information), and then click OK.
  8. In the Set of Signable Data dialog box, under Signature options , click Allow only one signature.
  9. In the Signature confirmation message box, type I verified and approved all data that will be added with my signature, and then click OK.

Digital signatures can be enabled for the section or optional section that you want to sign from either the Form Options dialog box (as seen in the preceding procedure) or the Section Properties dialog box. When the signatures are enabled through the Form Options dialog box, they can be associated with groups (that can be sections or not) or with standalone fields (as specified by the XPath expression in the Set of Signable Data dialog box).

The following exercise shows you how to enable digital signatures for parts of a form using the Section Properties dialog box. It also shows you how to assign a set of signable data with a signature starting from the same dialog box. The advantage to using this approach is that users can easily sign the form using commands directly in the form.

To enable co-signatures within a section

  1. With the form still open, double-click the Section label for the section in the form that contains the General comments box (group7).
  2. In the Section Properties dialog box, click the Digital Signatures tab, and then select the Allow users to digitally sign this section check box.
  3. In the Sign the following data in the form when this section is signed drop-down box, select Add data that can be signed.
  4. In the Set of Signable Data dialog box, in the Type a name for the data that can be signed box, type MySignature2.
  5. Under Signature options, click All the signatures are independent (co-sign), and then click OK.
  6. In the Digital Signatures tab, the Show signatures in this section check box should be selected. When the check box is selected, all of the signatures added to this section are displayed in a list below the section with the Click here to sign this section button. If this check box is not checked, only the Click here to sign this section button is displayed in the view.
  7. Ensure that the When signed, make controls read-only check box is selected, so that all of the controls in the section are not editable when the section is signed.

All co-signatures added to a set of signable data are independent, signing only the data.

In addition to co-signatures, you can also enable counter-signatures for parts of a form. The first counter-signature added to the data signs only the data; each subsequent counter-signature signs only the preceding signature.

To enable counter-signatures within a section

  1. With the form still open, on the Tools menu, click Form Options.
  2. In the Form Options dialog box, click the Digital Signatures tab, and then ensure that Enable digital signatures for specific data in the form is selected.
  3. In the Data in the form that can be signed list, click MySignature2, and then click Modify.
  4. In the Set of Signable Data dialog box, under Signature options, click Each signature signs the preceding signatures (counter-sign).

To associate an existing set of signable data with an existing section

  1. With the form still open, double-click the Section label for the section in the form that contains Customer information (group4).
  2. In the Section Properties dialog box, click the Digital Signatures tab, and then select the Allow users to digitally sign this section check box.
  3. In the Sign the following data in the form when this section is signed list, ensure that MySignature1 is selected, and then click Modify.
  4. In the Set of Signable Data dialog box, click All the signatures are independent (co-sign), and then click OK.
  5. On the Digital Signatures tab, clear the When signed, make controls read-only check box. Controls in this section remain editable, but the values of those controls cannot be changed while the section is signed.
  6. Save the form as PartSignSalesReport.xsn.

The form now contains two sets of signable data, both of which are associated with sections. One section can have multiple signatures that are independent of each other (co-signatures), and the other section can have multiple signatures that sign each other (counter-signatures). Both display signatures directly in the form. Now users can sign sections of the form.

To sign the form

  1. Start InfoPath.

  2. In the Fill Out a Form dialog box, under Open a Form, click Open.

  3. In the Open dialog box, locate the folder that you installed the training files in, and double-click the Lab 10 folder.

  4. Select PartSignSalesReport, and then click Open.

    The Contoso sales report form opens in InfoPath.

  5. Under the Customer information section, click Click here to add a signature.

  6. Follow the steps in the wizard to add a signature. The signature signs the MySignature1 set of data as specified in the previous exercise.

  7. Repeat steps 5 and 6 to sign the same set of data again.

  8. Under the General comments section, click Click here to add a signature.

  9. Follow the steps in the wizard to add a signature. The signature signs the MySignature2 set of data as specified in the previous exercise.

  10. Repeat steps 8 and 9 to sign the same set of data two more times.

The form now contains co-signatures (for the first set of signable data) and counter-signatures (for the second set of signable data). In the next procedure, you learn how to remove digital signatures from each set of data.

When signing parts of the form, signatures can also be added through the Digital Signatures dialog box, by selecting the specific set of signable data on the first page of the wizard.

To remove digital signatures from a signed section in a form

  1. With the form still open, on the Tools menu, click Digital Signatures.
  2. In the Digital Signatures dialog box, click the first signature added to the MySignature1 set of signable data, and then click Remove. Note that it can be removed because it is a co-signature.
  3. Click the first signature added to the MySignature2 set of signable data, and note that it cannot be removed because it is a counter-signature.
  4. Click the third signature added to the MySignature2 set of signable data, and then click Remove. Note that it can be removed because it is the most recently added signature.
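
The co-signature and counter-signature behavior exercised above can be modeled outside InfoPath. The following is an added example, not part of the original lab and not InfoPath's signature format or object model: it uses Ed25519 keys from Node.js, and all function names, signer names, and sample data are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed signer standing in for a certificate holder.
function makeSigner(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { name, publicKey, privateKey };
}

// A set of signable data; mode is 'co' or 'counter'.
function makeBlock(mode, data) {
  return { mode, data: Buffer.from(data), signatures: [] };
}

// Bytes covered by signature number `index`: the data for every co-signature
// and for the first counter-signature, otherwise the preceding signature.
function signedInput(block, index) {
  if (block.mode === 'co' || index === 0) return block.data;
  return block.signatures[index - 1].value;
}

function addSignature(block, signer) {
  const input = signedInput(block, block.signatures.length);
  const value = nodeCrypto.sign(null, input, signer.privateKey);
  block.signatures.push({ name: signer.name, publicKey: signer.publicKey, value });
}

// Returns one boolean per signature, in the order the signatures were added.
function verifyBlock(block) {
  return block.signatures.map((sig, i) =>
    nodeCrypto.verify(null, signedInput(block, i), sig.publicKey, sig.value));
}

// Removal rule from the lab: any co-signature, but only the newest counter-signature.
function canRemove(block, index) {
  return block.mode === 'co' || index === block.signatures.length - 1;
}

function removeSignature(block, index) {
  if (!canRemove(block, index)) return false;
  block.signatures.splice(index, 1);
  return true;
}

// Ignores the rule on a copy, to show what the rule protects against.
function forceRemove(block, index) {
  const copy = { ...block, signatures: block.signatures.slice() };
  copy.signatures.splice(index, 1);
  return verifyBlock(copy);
}

function runDemo() {
  const signers = ['A', 'B', 'C'].map(makeSigner);
  const co = makeBlock('co', '<group4>customer data</group4>');      // like MySignature1
  const counter = makeBlock('counter', '<group7>comments</group7>'); // like MySignature2
  signers.slice(0, 2).forEach(s => addSignature(co, s));
  signers.forEach(s => addSignature(counter, s));
  return {
    coValid: verifyBlock(co),
    counterValid: verifyBlock(counter),
    // Changed data breaks only the first link; later links cover signatures.
    counterAfterTamper: verifyBlock({ ...counter, data: Buffer.from('changed') }),
    counterDropFirst: forceRemove(counter, 0),
    removeFirstCo: removeSignature(co, 0),
    removeFirstCounter: removeSignature(counter, 0),
    removeLastCounter: removeSignature(counter, 2),
  };
}

console.log(runDemo());
```

In this model, a data change in a counter-signed set invalidates only the first signature, so a verifier has to check every link in the chain rather than just the most recent signature.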

Level 400 Exercises

Exercise 1: Work with the Digital Signature's Object Model

In the following exercise, learn how to work with the digital signature's object model in InfoPath. In this exercise, you create a form that includes a task pane that displays all of the digital signatures in the form.

To add a task pane for digital signatures

  1. Start InfoPath.

  2. In the Fill Out a Form dialog box, click Design a Form.

  3. In the Design a Form task pane, click On My Computer.

  4. In the Open in Design Mode dialog box, locate the folder that you installed the training files in, and double-click the Lab 10 folder.

  5. Select PartSignSalesReport, and then click Open.

    The Contoso sales report form opens in design mode.

  6. On the Tools menu, click Form Options.

  7. In the Form Options dialog box, click the Advanced tab, and then select the Enable custom task pane check box.

  8. Click Resource Files.

  9. In the Resource Files dialog box, click Add.

  10. In the Add File dialog box, locate the folder that you installed the training files in, double-click the Lab 10 folder, and then add the DigSigTP.htm file from the lab folder.

  11. Repeat step 10 to add the signatureerror.gif file and the signaturevalid.gif file as resources, and then click OK.

  12. In the Form Options dialog box, on the Advanced tab, in the Task pane name box, type Digital Signatures.

  13. In the Task pane location box, select DigSigTP.htm.

To inspect the digital signatures object model code sample (JScript)

When you add the DigSigTP.htm file, you can use a text editor or code editor to open the DigSigTP.htm file so you can review the source code in the file. When the form is opened, the code in the DigSigTP.htm file searches for all of the signatures that are added to the sets of signable data in the form, and displays them in the task pane. Browsing the sets of signable data and displaying signature information is done using the signatures object model.

To add code to update the task pane when digital signatures are added or removed

  1. With the form still open, click Data Source on the View menu.

  2. In the Data Source task pane, double-click the signatures1 group (it should be the last group in the data source pane), and then click the Validation and Event Handlers tab.

  3. In the Events box, select OnAfterChange, and then click Edit.

  4. In Microsoft Script Editor, type the following code at the beginning of the OnAfterChange event handler:

    XDocument.View.Window.TaskPanes(0).Navigate("DigSigTP.htm");
    
  5. Close Microsoft Script Editor. If prompted, save any changes to the code.

Each time the signatures group is changed, this additional line in the OnAfterChange event handler refreshes the information in the task pane that displays the digital signatures that are attached to the form.

To edit the OnSign event handler

  1. With the form still open, on the Tools menu, point to Programming, and then click On Sign Event.

    In Microsoft Script Editor, modify the OnSign event handler by typing the following lines immediately before the varSignature=eventObj.SignedDataBlock.Signatures.Create(); line of code:

    // Count the signatures in all sets of signable data before signing.
    var nSig1 = 0, nSig2 = 0;
    for(var i = 0; i<XDocument.SignedDataBlocks.Count; i++)
    {
       nSig1 = nSig1 + XDocument.SignedDataBlocks(i).Signatures.Count;
    }
    
  2. After the eventObj.ReturnStatus=true line of code, copy and paste the following code:

    // Count the signatures again and compare with the count taken before signing.
    for(var i = 0; i<XDocument.SignedDataBlocks.Count; i++)
    {
       nSig2 = nSig2 + XDocument.SignedDataBlocks(i).Signatures.Count;
    }
    if(nSig1<nSig2)
    {
       XDocument.UI.Alert("Sign operation ended with success.");
    }
    else
    {
       XDocument.UI.Alert("No signature was added.");
    }
    
  3. Close Microsoft Script Editor. If prompted, save any changes to the code.

  4. Save the form as OMSignSalesReport.xsn.

In order for the OnSign event handler to run when the form is signed, the form must be fully trusted. There are two ways to create a fully trusted form:

  • Save the form and install it using the regform.exe tool.
  • Mark the form as fully trusted, and then sign it.

In this exercise, you learn how to create a fully trusted form using the second method.

To make a form fully trusted

  1. With the form still open, on the Tools menu, click Form Options.
  2. In the Form Options dialog box, click the Security tab.
  3. Clear the Automatically determine security level based on form's design check box, and then click Full Trust.
  4. Select the Sign this form check box, and then click Select Certificate.
  5. In the Select a Certificate dialog box, click LabUserCertificate.
  6. Save the form as OMSignSalesReport.xsn.

When you set up your form as fully trusted, you should test the form to verify that the digital signatures feature is working as expected.

To test the form

  1. Start InfoPath.

  2. In the Fill Out a Form dialog box, under Open a form, click Open.

  3. In the Open dialog box, locate the folder that you installed the training files in, and double-click the Lab 10 folder.

  4. Select OMSignSalesReport, and then click Open.

    The Contoso sales report form opens in InfoPath.

  5. On the Tools menu, click Digital Signatures, and verify that you can add a signature.

  6. In the form, click Click here to sign this section, and then verify that you can add a signature.

  7. On the Tools menu, click Digital Signatures, and verify that you can remove a digital signature.

Note   Each time that a signature is added to or removed from the form, the Digital Signatures task pane should update the list of signatures.

Conclusion

After completing this lab, you should know how to do the following:

  • Enable digital signatures for the entire form.
  • Enable digital signatures for parts of the form.
  • Define commands associated with sections or optional sections that display signatures directly in the form.
  • Understand the difference between co-signatures and counter-signatures.
  • Add and remove signatures when filling out a form.
  • Work with the digital signature's object model.