LDAP/Active Directory PDF Encryption

Certificate based PDF encryption is the most secure way of PDF encryption. Unfortunatly for many users it is difficult to get hold of the public keys of the document recipient.

Since the PKI Infrastructure of Certification Authorities is usually LDAP or Activate Directory based public keys can simply looked up via LDAP requests. 

The Aloaha function encrypt_pdf_by_LDAP merges the functionality of the Aloaha LDAP Client and the PDF Encryption API into one simple API.

With Aloaha only one function call is required to look up the recipients certificates from the remote PKI and to encrypt the document.

Please find below the function call in pseudo syntax:

encrypt_pdf_by_LDAP(ByVal LDAP_ConnectionString As String, ByVal PathToFileToBeEncrypted As String, ByVal PathToEncryptedFile As String, ByVal LDAPSearchString As String, ByVal CertIntendedKeyUsage As Long, ByVal CertEnhancedKeyUsage As String, ByVal NoOverwrite As Boolean) As String

Variables:

• LDAP_ConnectionString
  This variable contains the connection string to the remote server.
  The syntax is: <server>/<container>
  For example:
  DC.domain.tld/CN=Users,DC=domain,DC=tld
• PathToFileToBeEncrypted
  Contains the path to the PDF document to be encrypted.
• PathToEncryptedFile
  Contains the path to the destination file.
• LDAPSearchString
  Contains a comma seperated list of keywords. The * wildcard is allowed as first or last characters of a keyword. A search string to encrypt the document for all johns, smith and test@domain.tld would look like:
  john*, *smith, test@domain.tld
• CertIntendedKeyUsage
  Technically it is possible to use any certificate to encrypt the document. But the Adobe Reader checks the key usage of the certificate before it starts decrypting. It would not open a PDF document which was encrypted with a signature only certificate. To make sure that Aloaha uses only correct certificates this variable can be set to the required key usage. If the variable is set to 0 Aloaha does not cross check the key usage of the certifiates. 
• CertEnhancedKeyUsage
  Aloaha can also filter the certicates by EnhancedKeyUsage (EKU) attributes. Like that it is possible to force the API to use only filesystem encryption certificates. If this variable is left as an empty string Aloaha will not check for the EKU attributes.
• NoOverwrite
  Defines if a possilbe existing target file can be overwritten or not.

The function returns a string value which either contains success and subject contents of the certifiates used for encryption or in case of an error it contains the error description.

Below you find a code sample. Please make sure that Aloaha is properly licensed. Should you require an evaluation license please do not hesitate to contact aloaha@wrocklage.de

VBS Code Sample:

Dim ldap
Dim pdf
Dim return
dim input
dim output
dim searchstring
dim KU
dim EKU

'minimumm Aloaha Build required
'3.0.137

input = "c:\input.pdf"
output = "c:\output.pdf"
searchstring = "john*, *smith, test@domain.tld, stefan*"

'create Aloaha object
Set pdf = CreateObject("aloahapdf.edit")

'define LDAP connection string
ldap = "dc.domain.tld/CN=Users,DC=domain,DC=tld"

'Use Only certificates
'with KeyUsage
'dataEncipherment enabled
'set 0 to use all certificates
KU=32


'Use only Certificates
'with EKU Encrypting File System
'enabled
'set empty string to use all
'certificates
EKU="1.3.6.1.4.1.311.10.3.4"


return = pdf.encrypt_pdf_by_LDAP(cstr(ldap), cstr(input), cstr(output), cstr(searchstring), clng(KU), cstr(EKU), False)
MsgBox return


Set pdf = Nothing