EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PDF signing problem

Posted: 07/19/2006 05:47:50
by Igor Sever (Standard support level)
Joined: 07/19/2006
Posts: 4

I don't know if you could help me with following problem:
I developed application for signing PDF docs using your component for .NET, and on my PC with certificates from my local store everything worked fine, but when I installed application on server which uses ncipher HSM form cryptographic operations, it started producing documents which Acrobat Reader cannot verify.
Error is: "Error encountered while BER decoding".
It seems it can find certificate in store, but it can't use it. Why it doesn't throw error, I don't know.
Posted: 07/19/2006 06:20:55
by Eugene Mayevski (Team)

1) please dont crosspost the questions to forum and helpdesk.
2) the issue is Acrobat specific. Unfortunately, their support is next to absent, and this means that if something doesn't work, there will be no fixes or workarounds.

Let's try to find out, what exactly causes Acrobat to fail. First of all, the everything seems to work if the certificate is in the local store, right?
What happens if you use *the same* certificate on the server (with hardware module)?

Sincerely yours
Eugene Mayevski
Posted: 07/19/2006 06:22:13
by Igor Sever (Standard support level)
Joined: 07/19/2006
Posts: 4

just to let you know that I discovered that I can correctly sign PDF with certificate from current user store but not from Local System store.
My code for using Local System store is:
SystemStore.AccessType = TSBStorageAccessType.atLocalMachine;
When I removed: SystemStore.AccessType = TSBStorageAccessType.atLocalMachine
then I correctly signed pdf with certificate from user store.
Can you help me to use Local System store?
Posted: 07/19/2006 09:51:17
by Eugene Mayevski (Team)

Please check that your key is exportable. If the key is not exportable, and your application is a service, then CryptoAPI will give a warning window (saying that someone accesses the private key), which is not visible to the client, and signing won't work. The same goes for Web Applications.

Similar topic has been discussed just a couple of days ago in this forum.

Sincerely yours
Eugene Mayevski
Posted: 07/19/2006 10:00:43
by Eugene Mayevski (Team)

This is the topic I referred to:


Sincerely yours
Eugene Mayevski
Posted: 08/01/2006 08:37:08
by Ram Cohen (Standard support level)
Joined: 06/28/2006
Posts: 26

I have an identical problem and having the private key in the local machine store exportable did solve the issue.
However, sometimes the key can't be made exportable (for example if it is stored in an HSM).
Why does the private key needs to be exportable ?
Posted: 08/01/2006 09:55:45
by Eugene Mayevski (Team)

The problem only happens when the non-exportable key is accessed from the service application. This is because Windows wants the user to confirm his use of the key.

If you are working with a desktop application (not a service or web application), than having non-exportable keys is not a problem at all.

We have 3 different hardware tokens, and we check all signing/decryption operations with those tookens from time to time. Everything works perfectly for us and for our customers.

Sincerely yours
Eugene Mayevski
Posted: 08/01/2006 13:29:49
by Ram Cohen (Standard support level)
Joined: 06/28/2006
Posts: 26

The situation that I have is that a non service application uses a machine private key stored in the regular microsoft capi provider.
Although signing seems OK acrobat complains about 'invalid ber...'
If the problem is getting access to the private key then shouldn't I see a dialog pop up asking for access to the key or at least get an exception from the signing operation ?
Posted: 08/01/2006 13:31:51
by Ram Cohen (Standard support level)
Joined: 06/28/2006
Posts: 26

Just want to add that the very same machine stored private key is used by c++ code in a service application that uses it (through capi) to perform s/mime signatures (CryptSignMessage etc.) so that key does not require user authorization
Posted: 08/01/2006 14:03:37
by Eugene Mayevski (Team)

What you are talking about is a completely different problem.
Acrobat is dumb when it comes to error messages and their meanings. The "Invalid BER encoding" error can mean anything, from the signature Acrobat can't parse, to certificate extension that Acrobat doesn't understand. Please try signing with some other certificate or with the same certificate but with exportable key.

Also you might want to try different signature types - pkcs1 and pkcs7 (pstX509RSASHA1 and pstPKCS7SHA1 values for TElPDFPublicKeySecurityHandler.SignatureType property).

The difference in the signing process with exportable and non-exportable keys is that with exportable keys, SecureBlackbox performs all cryptographic operations. With non-exportable keys, SecureBlackbox asks CryptoAPI (or PKCS#11 driver) to perform SignHash operation. The result can be different, for example when some library puts the leading zero when it's not needed (or vice versa).

Sincerely yours
Eugene Mayevski



Topic viewed 26046 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!