EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Failed to acquire key context error when using local root certificate

#23734
Posted: 02/26/2013 09:02:09
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

Hello,

Any idea given for the next issue would be really helpful. I am getting the next error "Signing failed: Failed to acquire key context". This happens when I run a modified version that I made of your example "VB.NET\PDFBlackbox\PAdES". The version of SecureBlackBox is 10.0.227 and it is the .NET edition. I am working with Windows XP and 32-bit architecture. I am using the same components as the example to accomplish the signing. In my code, if I replace the next part:


...
oCertificadosRoot = New TElWinCertStorage
oCertificadosRoot.SystemStores.BeginUpdate()
Try
    oCertificadosRoot.SystemStores.Add("ROOT")
Catch ex As Exception
Finally
    oCertificadosRoot.SystemStores.EndUpdate()
End Try
oCertificadosRoot.Certificates(iFilaElegida).Clone(m_Cert, True)
...


with the next one:


...
m_Cert.LoadFromFileAuto("ThePath", "ThePassword")
...


Then the signature gets done correctly. But if I use the first part mentioned (The certificate I am trying to get is stored in Trusted Root Certificate Authorities storage in local computer), when I try to close the pdf document saving the changes, through the next code, I get an error.


Try
    If Not (m_CurrDoc Is Nothing) Then
        Try
            m_CurrDoc.Close(saveChanges)
        Finally
            m_CurrDoc = Nothing
        End Try
    End If
Catch ex As Exception
End Try


The exception message is "Signing failed: Failed to acquire key context" and the stackTrace I get is:

"
at SBCryptoProvWin32.TElWin32CryptoProvider.SignFinal(TElCustomCryptoContext Context, Byte[]& Buffer, Int32 StartIndex, Int32& Size, TElCPParameters Params, TSBProgressFunc ProgressFunc, Object ProgressData)
at SBPublicKeyCrypto.TElRSAPublicKeyCrypto.SignFinal()
at SBPublicKeyCrypto.TElPublicKeyCrypto.InternalSignDetached()
at SBPublicKeyCrypto.TElPublicKeyCrypto.SignDetached(Byte[] InBuffer, Int32 InIndex, Int32 InSize, Byte[]& OutBuffer, Int32 OutIndex, Int32& OutSize)
at SBCMS.TElCMSSignature.SignSubject(TElX509Certificate Cert, Boolean AsyncOperation, TElDCAsyncState& State)
at SBCMS.TElCMSSignature.Sign(TElX509Certificate Cert, TElCustomCertStorage Chain)
at SBPAdES.TElPDFAdvancedPublicKeySecurityHandler.SignHash(Byte[] Hash, Int32 StartIndex, Int32 Count)
at SBPDF.TElPDFDocument.InsertActualSignatureInformation(Boolean IncrementalUpdate)
at SBPDF.TElPDFDocument.Close(Boolean Save)
at Fullstep.PMPortalWeb.OfertasPDF.CloseCurrentDocument(Boolean saveChanges) in D:\FULLSTEP PORTAL\Version_31900_8\NET\PMPortalWeb\script\ofertas\OfertasPDF.aspx.vb:line 320
"

I think that this could be because I missed something about the configuration of the components which I am using to sign. I am searching for what I am missing, but I just have no idea yet from what is happening.

Thanks,
Ari.
#23735
Posted: 02/26/2013 09:11:29
by Eugene Mayevski (EldoS Corp.)

You need to have a private key with your certificate in order to do signing. Unless you have explicitly added the certificate with the private key to Trusted Roots storage, those certificates don't contain the private key. Is it your case?


Sincerely yours
Eugene Mayevski
#23736
Posted: 02/26/2013 09:14:59
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

I will uninstall the certificate from the root and I will install it again, but I think that I marked the check to add it with its private key. I will post again after the try.
#23745
Posted: 02/26/2013 10:03:17
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

Hi,

I uninstalled the certificate from the root storage and I installed it again. This time I ensured to add the certificate with the private key. But I still get the same error. Anyway now I think that I know what is happening, because of the next two things:

- I have an intermediate program between the one I mentioned in earlier posts and your example PAdES for VB.NET. Running it I can sign correctly. This intermediate program is almost equal to the one with which I am having problems with the signature. One of the few differences is that the user is not the same.

- Time ago, with the program which gives me problems with the signature, in my first tries to sign using the part:

m_Cert.LoadFromFileAuto("ThePath", "ThePassword")

I also got an error when I tried to sign. I had to allow the user NETWORK SERVICE to use the certificate file.

So I think that it is a user problem this time again. I think that I only have to give permissions to the user NETWORK SERVICE to that root certificate, and then the signature will succeed.

Thanks,
Ari.
#23751
Posted: 02/26/2013 10:20:50
by Eugene Mayevski (EldoS Corp.)

If you imported the certificate to trusted root, most likely you imported it to Current user certificate store, which is not accessible from under other user account. So you need to import to Local Machine and set up the WinCertStorage accordingly (see AccessType property).


Sincerely yours
Eugene Mayevski
#23755
Posted: 02/26/2013 11:12:30
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

Hi,

I think that I got confused. I imported the certificate to the Trusted Root Certification Authorities storage. I thought that this storage was the Local Machine root storage and that the next code:

oCertificadosRoot.SystemStores.Add("ROOT")

Added to the object oCertificadosRoot the local machine root certificates storage. So reading your answer I realize that those two beliefs of mine, were wrong.

Thanks,
Ari.
#23778
Posted: 02/27/2013 05:56:45
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

Hello,

Now I am getting the next error:

Message:
Failed to open storage

StackTrace:
at SBWinCertStorage.TElWinCertStorage.Open()
at SBWinCertStorage.TElWinCertStorage.HandleStoresChange(Object Sender)
at SBWinCertStorage.TElWinCertStorage.SetAccessType(TSBStorageAccessType Value)
at SBWinCertStorage.TElWinCertStorage.set_AccessType(TSBStorageAccessType value)
at Fullstep.PMPortalWeb.OfertasPDF.Page_Load(Object sender, EventArgs e) in D:\FULLSTEP PORTAL\Version_31900_8\NET\PMPortalWeb\script\ofertas\OfertasPDF.aspx.vb:line 85

This error happens in the next part of code:

...
oCertificadosRoot = New TElWinCertStorage
oCertificadosRoot.StorageType = TSBStorageType.stSystem
oCertificadosRoot.SystemStores.BeginUpdate()
Try
    oCertificadosRoot.SystemStores.Add("ROOT")
Catch ex As Exception
Finally
    oCertificadosRoot.SystemStores.EndUpdate()
End Try
oCertificadosRoot.AccessType = TSBStorageAccessType.atLocalMachine
...

Exactly it happens in the last row I have pasted. I read the next thread:

http://www.eldos.com/forum/read.php?FID=7&TID=810

So that is why I put the AccessType modification there. But it keeps throwing me this error. The object oCertificadosRoot has certificates before trying to change the access type, and with mmc I have checked that I have certificates on
Console Root -> Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates.

So at the moment I have no idea of what I am doing wrong. Any idea given about this issue will be really helpful.

Thanks,
Ari.
#23780
Posted: 02/27/2013 06:58:39
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

TElWinCertStorage fails to open ROOT store for some reason. It's possible that the application doesn't have access rights to do this.
#23785
Posted: 02/27/2013 09:15:31
by Ari Urkullu (Basic support level)
Joined: 11/26/2012
Posts: 26

Hello,

I have given access in RegistryEditor -> My Computer -> HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> SystemCertificates, access to the user Network Service. But the error still persists. I will post as I progress with this issue.

Thanks,
Ari.
#23787
Posted: 02/27/2013 09:45:27
by Ken Ivanov (EldoS Corp.)

First, AccessType should be set before setting the storage name(s). Second, please try setting ReadOnly to true as well before opening the storage.
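
Added example, not part of the thread and not EldoS code: a diagnostic built on the .NET Framework's own X509Store API (not SecureBlackBox) for the two points Eugene Mayevski raises above, namely whether a certificate in ROOT has a private key the calling account can acquire, and whether it sits in the Current User or the Local Machine store. The module and function names are hypothetical; both stores are opened read-only.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.Security.Principal
Imports System.Text

Module RootStoreKeyCheck ' hypothetical name, added example

    ' Says whether the calling account can actually use the certificate's key.
    Function KeyStatus(ByVal cert As X509Certificate2) As String
        If Not cert.HasPrivateKey Then Return "no private key linked"
        Try
            ' Reading PrivateKey makes CryptoAPI acquire the key context.
            Dim key As AsymmetricAlgorithm = cert.PrivateKey
            If key Is Nothing Then Return "key linked but not returned"
            Return "private key usable by this account"
        Catch ex As Exception
            Return "key linked but not accessible: " & ex.Message
        End Try
    End Function

    ' Opens ROOT of one location read-only and lists its key-bearing certificates.
    Function Report(ByVal location As StoreLocation) As String
        Dim sb As New StringBuilder()
        Dim store As New X509Store(StoreName.Root, location)
        Try
            store.Open(OpenFlags.ReadOnly Or OpenFlags.OpenExistingOnly)
        Catch ex As Exception
            Return String.Format("{0}\Root: cannot open ({1})", location, ex.Message) & Environment.NewLine
        End Try
        Try
            Dim withoutKey As Integer = 0
            For Each cert As X509Certificate2 In store.Certificates
                If cert.HasPrivateKey Then
                    sb.AppendLine(String.Format("{0}\Root: {1} -> {2}", location, cert.Subject, KeyStatus(cert)))
                Else
                    withoutKey += 1
                End If
            Next
            sb.AppendLine(String.Format("{0}\Root: {1} certificate(s) without a private key", location, withoutKey))
        Finally
            store.Close()
        End Try
        Return sb.ToString()
    End Function

    Sub Main()
        Console.WriteLine("Running as: " & WindowsIdentity.GetCurrent().Name)
        Console.Write(Report(StoreLocation.CurrentUser))
        Console.Write(Report(StoreLocation.LocalMachine))
    End Sub

End Module
```

The result depends on the account that runs it, so to see what the web application sees, call `Report` from code running under the same identity (NETWORK SERVICE in this thread) rather than from an interactive logon.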