PDF Validation


anderson.deda

Hi Folks, I'm new here, so sorry if this isn't the best place to ask.

I'll let you know my goal and what I'm doing to try to reach it. If I'm doing it the wrong way, I accept suggestions.

I'm talking about Brazil and here we have some forms of payment that are only from here, that would be boleto and pix.

Here at the company we customize the invoice. We managed to perfectly add a dynamic QR code and the barcode inside the PDF, so the customer can pay the invoice directly through the PDF in any bank in Brazil.
So far everything is ok.

We want to add additional protection to the PDFs. At this moment we are digitally signing the PDFs, that is, we are certifying that these PDFs were issued in our WHMCS.
My concern now is to provide a place where the customer can validate whether the PDF was actually issued by us, without having to log in to their customer area.
Would a good way to do this be to check the MD5 of the PDF file?
If so, I need to register the file's MD5 in the bank every time the PDF is issued. Now my question arises: how will I be able to collect this information?
Is there another better way to prove that we issued the invoice?


Guys, this is necessary because some customers have people who only receive the invoice in the email. These people, who will make the payment at the bank, do not have access to the customer area. Another problem is that sometimes some customers call us asking if we sent the invoice.


My 2 cents. Put a QR code in the invoice that people can scan with their phones to visit a page where you validate your md5. Personally I would use openssl random pseudo bytes instead of md5 and set the URL to be memorable, as follows:

/verify/1b022aad8fed98556b724eb79aaa26fb

As for hash generation, I would use the InvoiceCreationPreEmail hook point so that before the email is sent I generate the hash and store it in a custom table that contains pairs of invoice IDs and their respective hashes. Once done, include your QR somewhere (email? PDF? different attachment? you choose).

As for verification, simply read the incoming hash from your query string to verify that it exists in the above table. If there's a result the invoice is legit otherwise it's not.

Keep in mind the only reason I would store invoice ID & hash pair is that it lets me know what is the currently verified invoice. This way I could show more informative messages and interactions like "Dear Mark, the invoice is fine! Total due is: 100 euro." Bold parts can be retrieved from tblclients and tbclients table using invoice ID.

p.s. this community doesn't let me post example URLs and full names of PHP functions... bah 🤦‍♂️

Edited by Kian
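
The token scheme described in the post above, as an added example that is not part of the original thread and not WHMCS code. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name `mod_invoice_verify`, the function names and the invoice ID 1042 are assumptions, and in WHMCS `issueToken()` would be called from the InvoiceCreationPreEmail hook.

```php
<?php
declare(strict_types=1);

// Assumed custom table (hypothetical name) holding invoice ID / token pairs.
function createTable(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS mod_invoice_verify (
        invoice_id INTEGER PRIMARY KEY,
        token      TEXT NOT NULL UNIQUE
    )');
}

// Return the token for an invoice, creating it on the first call (idempotent).
function issueToken(PDO $db, int $invoiceId): string {
    $sel = $db->prepare('SELECT token FROM mod_invoice_verify WHERE invoice_id = ?');
    $sel->execute([$invoiceId]);
    $existing = $sel->fetchColumn();
    if ($existing !== false) {
        return $existing;
    }
    // 16 random bytes = 128 bits, hex-encoded to 32 characters for the URL.
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    $ins = $db->prepare('INSERT INTO mod_invoice_verify (invoice_id, token) VALUES (?, ?)');
    $ins->execute([$invoiceId, $token]);
    return $token;
}

// Look up a token taken from /verify/<token>; returns the invoice ID or null.
function verifyToken(PDO $db, string $token): ?int {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $sel = $db->prepare('SELECT invoice_id FROM mod_invoice_verify WHERE token = ?');
    $sel->execute([$token]);
    $id = $sel->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed demo: made-up invoice ID, in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTable($db);
$token = issueToken($db, 1042);
var_dump(verifyToken($db, $token));              // known token
var_dump(verifyToken($db, str_repeat('0', 32))); // well-formed but unknown token
var_dump(issueToken($db, 1042) === $token);      // second call reuses the token
```

A matching token only shows that the invoice exists in the issuer's records, so the verification page should display the amount and client from the database for the payer to compare against the PDF in hand.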

Hi Kian, thanks for your time in replying, I really appreciate it!

What I said about the QR code on the invoice was just to inform you that our PDF contains information for dynamic payments; for this reason we have concerns with file authentication.

We're cooking up some pretty cool stuff in that regard and one of them would be this file check.

One of those cool things is that we are digitally signing the file with our company certificate, see, it's not a domain SSL certificate, it's a business certificate issued by companies licensed by the government of my country. This will bring more security to our customers.

About MD5 or another method, the problem from my point of view currently would be if the customer enters the customer area and downloads another invoice, for example. In this example I am not calling the email hook.

Currently this would be my challenge.
