
Cannot populate system certificates under IIS 7.5

Posted: 02/20/2013 06:50:45
by Ken Ivanov (Team)

Wonderful - and thank you very much for the ASP.NET configuration sample!

Posted: 02/20/2013 07:01:27
by Nime Cloud (Basic support level)
Joined: 02/12/2013
Posts: 20

You're welcome and I also thank you for rapid responses, I see the passion at EldoS...

Posted: 02/20/2013 08:59:52
by Nime Cloud (Basic support level)
Joined: 02/12/2013
Posts: 20

I could populate the certificates but I couldn't sign the PDF. I hit the 8219 error below:


When I set the project as x86 as mentioned here http://www.eldos.com/security/articles/7165.php I got another error:


I'll try the command-line .exe workaround.

Posted: 02/20/2013 10:43:13
by Ken Ivanov (Team)

There is no image attached, sorry. Could you re-post it please?

I assume that signing works fine if run from a desktop application, doesn't it?

Posted: 02/20/2013 15:33:06
by Nime Cloud (Basic support level)
Joined: 02/12/2013
Posts: 20

Yes, desktop application (Tiny Signer) and asp.net web site under Visual Studio debugger run perfectly.

Posted: 02/20/2013 16:26:42
by Ken Ivanov (Team)

Thank you for the answer. I just wished to clarify that the issue is specific to the IIS-driven ASP.NET environment.

Error 8219 (0x201B, SB_MESSAGE_ERROR_KEYOP_FAILED_RSA) is returned if an RSA private key operation fails, for whatever reason. The reason described in the FAQ article you've found is indeed the most popular one, so let's finish it up and either confirm or reject it. Could you try to compile your *desktop* application explicitly for x86 and x64 targets and check whether it works in both modes? This will be sufficient to find out whether 64 bit mode is the reason.

Now, if the application works in both 32 and 64 bit modes, then the problem has nothing to do with the target. A quick guess - does the smart card driver ask you for a PIN when you do the signing from the desktop application?

Posted: 02/21/2013 07:38:58
by Nime Cloud (Basic support level)
Joined: 02/12/2013
Posts: 20

I chose an external console utility to sign the PDF and call it from an ASP.NET (running as user) page:

            // Requires: using System.Diagnostics;
            ProcessStartInfo signer = new ProcessStartInfo(getAppSetting("console_location"));
            signer.UseShellExecute = false;
            signer.RedirectStandardInput = true;
            signer.RedirectStandardError = true;
            signer.RedirectStandardOutput = true;

            signer.Arguments = "file=faaliyet-2013-02-20_04-11-18-.pdf";

            using (Process sign = Process.Start(signer))
            {
                string output = sign.StandardOutput.ReadToEnd();
                // ExitCode is only valid once the process has exited.
                sign.WaitForExit();
                Response.Write("<hr>sign.ExitCode: " + sign.ExitCode);
            }

However, I cannot run the exe properly under the IIS environment:

signer.exe code snippet:
        public Signer()


I expect exit code as 1. But it's -532462766 when I comment out any line above.

Posted: 02/21/2013 07:40:59
by Eugene Mayevski (Team)

Looks like .NET Framework can't find or load one or more SecureBlackbox assemblies when you start the EXE from under your web application. The possible reasons are numerous but they are local to your environment - we can only guess without seeing the local system.

Sincerely yours
Eugene Mayevski
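
An added example, not code from this thread or from SecureBlackbox: a launcher that reads both redirected streams without blocking and decodes the exit code reported above. -532462766 is 0xE0434352 as a signed 32-bit value, the code a .NET process exits with after an unhandled managed exception, so the child's stderr is where the failing assembly load would be named. The class name, method names and timeout parameter are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Text;

static class SignerLauncher
{
    // 0xE0434352 is the exception code the CLR raises for an unhandled managed
    // exception; read as a signed 32-bit exit code it is -532462766.
    const int ClrUnhandledException = unchecked((int)0xE0434352);

    public static string Describe(int exitCode)
    {
        if (exitCode == ClrUnhandledException)
            return "unhandled .NET exception in the child (0xE0434352); see stderr";
        return "exit code " + exitCode + " (0x" + exitCode.ToString("X8") + ")";
    }

    // exePath and arguments are supplied by the caller (hypothetical values).
    public static string Run(string exePath, string arguments, int timeoutMs)
    {
        var psi = new ProcessStartInfo(exePath, arguments)
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            CreateNoWindow = true
        };
        var stdout = new StringBuilder();
        var stderr = new StringBuilder();
        using (var p = new Process { StartInfo = psi })
        {
            // Read both pipes asynchronously so a full stderr buffer cannot block the child.
            p.OutputDataReceived += (s, e) => { if (e.Data != null) stdout.AppendLine(e.Data); };
            p.ErrorDataReceived += (s, e) => { if (e.Data != null) stderr.AppendLine(e.Data); };
            p.Start();
            p.BeginOutputReadLine();
            p.BeginErrorReadLine();
            if (!p.WaitForExit(timeoutMs))
            {
                p.Kill();
                return "timed out after " + timeoutMs + " ms";
            }
            p.WaitForExit(); // let the asynchronous readers drain before using the buffers
            return Describe(p.ExitCode) + Environment.NewLine + stderr;
        }
    }
}
```

In an ASP.NET page, pass the returned text through `Server.HtmlEncode` before `Response.Write`, since it contains raw output from the child process.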
Posted: 02/22/2013 04:02:44
by Nime Cloud (Basic support level)
Joined: 02/12/2013
Posts: 20

I made a folder monitoring application and run it from my personal Windows account. I'm monitoring the .generated folder. The ASP.NET page generates the PDF in .generated and waits for the newly signed PDF in the ./signed folder for a specific time. This is my best & only working workaround.

Monitoring app code snippet:

        private void eventRaised(object sender, System.IO.FileSystemEventArgs e)
        {
            switch (e.ChangeType)
            {
                case WatcherChangeTypes.Changed:
                    TS_AddLogText(string.Format("File {0} has been modified\r\n", e.FullPath));
                    Signer signer = new Signer();
                    break;
            }
        }

I also want to share an experience here for future reference. I listed the smart card details in its management window, then made a remote desktop connection, and then I noticed that the card details disappeared the moment I first saw the screen.

Local login:


Posted: 02/22/2013 04:20:25
by Ken Ivanov (Team)

Thank you for sharing the solution with us. It is fairly tricky, yet sometimes being tricky is the only way to overcome limitations of various environments.

Regarding remote desktop, was the PC with a smart card an originator or a target of an RDC connection?


