Error 8219 (=0x201B) signing PDF document

Posted: 07/09/2013 08:13:51
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172


I'm trying to figure out what is happening at one of my customers' sites. They are signing PDF documents and, since they changed their certificate (and the smartcard it's stored on), they receive an error while signing. Now I tried it with tinySigner and I get the same error: 8219 (which is 201B in hex).

If I follow the code, it more or less means "SignRSA returned false" without any more detail and, when I look in SignRSA, I see this:

result := true;
try
  { RSA signing code goes here }
except
  result := false;
end;

In other words: the low-level error that happens in there is completely suppressed and there is no way to trace it back.

How can I work around this? I'm unsure of what would happen if I just remove the try...except and I have trouble reproducing the error outside of my customer's production environment so it is difficult to test.
Posted: 07/09/2013 08:21:27
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Could you please remove try/except and catch the exception call stack. Then please post it here.
Posted: 07/09/2013 10:01:29
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Thank you for the quick answer. It took me a little while to get that stack trace, I'm afraid, but here it is:

  1.1 Start Date      : Tue, 9 Jul 2013 16:43:07 +0200
  1.2 Name/Description: TinySigner.exe
  1.3 Version Number  :
  1.4 Parameters      :
  1.5 Compilation Date: Tue, 9 Jul 2013 15:34:38 +0200
  1.6 Up Time         : 51 seconds

  5.1 Name          : XXXXXXXXX
  5.2 Total Memory  : 5120 Mb
  5.3 Free Memory   : 1849 Mb
  5.4 Total Disk    : 119.9 Gb
  5.5 Free Disk     : 88.68 Gb
  5.6 System Up Time: 27 days, 23 hours, 23 minutes, 12 seconds
  5.7 Processor     : Intel® Xeon® CPU           E5440  @ 2.83GHz
  5.8 Display Mode  : 1920 x 1058, 16 bit
  5.9 Display DPI   : 96
  5.10 Video Card   : Citrix Systems Inc. Display Driver (driver )
  5.11 Printer      : PCL6 Driver for Universal Print (driver

Operating System:
  6.1 Type    : Microsoft Windows Server 2008 R2 (64 bit)
  6.2 Build # : 7600
  6.3 Update  :
  6.4 Language: French
  6.5 Charset : 0

  2.1 Date          : Tue, 9 Jul 2013 16:43:59 +0200
  2.2 Address       : 00567388
  2.3 Module Name   : TinySigner.exe
  2.4 Module Version:
  2.5 Type          : EElWin32CryptoProviderError
  2.6 Message       : Signing failed: Failed to acquire key context.
  2.7 ID            : D032
  2.8 Count         : 1
  2.9 Status        : New
  2.10 Note         :

Call Stack Information:
|Address |Module        |Unit                 |Class                         |Procedure/Method                |Line     |
|*Exception Thread: ID=13868; Priority=0; Class=; [Main]                                                                |
|00567388|TinySigner.exe|SBCryptoProvWin32.pas|TElWin32CryptoProvider        |SignFinal                       |4585[47] |
|0054C633|TinySigner.exe|SBPublicKeyCrypto.pas|TElRSAPublicKeyCrypto         |SignFinal                       |6188[11] |
|0054720C|TinySigner.exe|SBPublicKeyCrypto.pas|TElPublicKeyCrypto            |InternalSignDetached            |2868[9]  |
|00547188|TinySigner.exe|SBPublicKeyCrypto.pas|TElPublicKeyCrypto            |InternalSignDetached            |2859[0]  |
|00547416|TinySigner.exe|SBPublicKeyCrypto.pas|TElPublicKeyCrypto            |SignDetached                    |2929[35] |
|005472C4|TinySigner.exe|SBPublicKeyCrypto.pas|TElPublicKeyCrypto            |SignDetached                    |2894[0]  |
|005CEF7A|TinySigner.exe|SBMessages.pas       |TElMessageProcessor           |SignRSA                         |2104[17] |
|005CEE90|TinySigner.exe|SBMessages.pas       |TElMessageProcessor           |SignRSA                         |2087[0]  |
|005D6C49|TinySigner.exe|SBMessages.pas       |TElMessageSigner              |FillSigner                      |6390[30] |
|005D6A20|TinySigner.exe|SBMessages.pas       |TElMessageSigner              |FillSigner                      |6360[0]  |
|005D5557|TinySigner.exe|SBMessages.pas       |TElMessageSigner              |SignPublicKey                   |5714[209]|
|005D4D60|TinySigner.exe|SBMessages.pas       |TElMessageSigner              |SignPublicKey                   |5505[0]  |
|005D615E|TinySigner.exe|SBMessages.pas       |TElMessageSigner              |Sign                            |6075[8]  |
|005E0091|TinySigner.exe|SBPDFSecurity.pas    |TElPDFPublicKeySecurityHandler|SignHashPKCS7                   |2179[75] |
|005DFCEC|TinySigner.exe|SBPDFSecurity.pas    |TElPDFPublicKeySecurityHandler|SignHashPKCS7                   |2104[0]  |
|005DF429|TinySigner.exe|SBPDFSecurity.pas    |TElPDFPublicKeySecurityHandler|SignHash                        |1910[4]  |
|005BEB7D|TinySigner.exe|SBPDF.pas            |TElPDFDocument                |InsertActualSignatureInformation|6355[214]|
|005BE2CC|TinySigner.exe|SBPDF.pas            |TElPDFDocument                |InsertActualSignatureInformation|6141[0]  |
|005B6BE5|TinySigner.exe|SBPDF.pas            |TElPDFDocument                |Close                           |3402[240]|
|005B64EC|TinySigner.exe|SBPDF.pas            |TElPDFDocument                |Close                           |3162[0]  |
|00636DCB|TinySigner.exe|MainForm.pas         |TfrmMain                      |btnOKClick                      |619[165] |
|763C730E|USER32.dll    |                     |                              |ReleaseDC                       |         |
|763D22D4|USER32.dll    |                     |                              |NotifyWinEvent                  |         |
|763D22C3|USER32.dll    |                     |                              |NotifyWinEvent                  |         |
|763D0AD1|USER32.dll    |                     |                              |CallWindowProcW                 |         |
|74FB9388|comctl32.dll  |                     |                              |DefSubclassProc                 |         |
|74FB9347|comctl32.dll  |                     |                              |DefSubclassProc                 |         |
|763CCD7C|USER32.dll    |                     |                              |SendMessageW                    |         |
|763CCD35|USER32.dll    |                     |                              |SendMessageW                    |         |
|763D7B0A|USER32.dll    |                     |                              |CallWindowProcA                 |         |
|763D7AF4|USER32.dll    |                     |                              |CallWindowProcA                 |         |
|763C8E9A|USER32.dll    |                     |                              |PostThreadMessageW              |         |
|763D2DCD|USER32.dll    |                     |                              |GetCapture                      |         |
|763D2DBD|USER32.dll    |                     |                              |GetCapture                      |         |
|763C810D|USER32.dll    |                     |                              |DispatchMessageA                |         |
|763C8103|USER32.dll    |                     |                              |DispatchMessageA                |         |
|0063807B|TinySigner.exe|TinySigner.dpr       |                              |                                |13[3]    |
|760D3675|kernel32.dll  |                     |                              |BaseThreadInitThunk             |         |
Posted: 07/09/2013 12:42:46
by Ken Ivanov (EldoS Corp.)

Hello Stephane,

Error 8219 is returned if an RSA signing operation delegated to Windows cryptographic provider fails. There can be plenty of reasons for it, including incorrectly configured permissions, badly imported certificate or unauthenticated token state.

Did your customer have a chance to check if signing at all works with that particular certificate and token (with some third-party or token vendor software)?
Posted: 07/10/2013 02:02:45
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 172

Hello and thanks for coming back to me.

Well, if I look into the code, there are a number of conditions that can result in error 8219. However, in my specific case, the issue has nothing to do with SBB itself.

My users are signing using smartcard-stored certificates on a Citrix server. One of these users had her smartcard replaced (it's still not clear if it's only the smartcard or the whole USB reader that was replaced but I'm working on getting all the details).

It seems that something is not working in the smartcard relocation system for her: she can sign locally and the certificate is listed in the remote Windows store as having a private key attached, but whenever something tries to access that smartcard, the operation fails (before the user is even prompted for a PIN).

The part of my question related to SBB was mostly that it was rather hard to find out exactly what happened and what failed, due to the fact that exceptions are being hidden and error handling is done by storing error codes in local variables that are simply not part of any trace and out of reach of any postmortem.

It's important for me to be able to get the specific calls that fail because the next step is talking to the drivers and hardware provider and they often fail to listen unless you can provide the specific Windows call that fails and what parameters were used.

I've modified the SBB source code to make that information available from an exception, but since using an exception error handling model is very different from using return values, I can't put it in general production since it might have unknown effects in other programs.

Isn't there an easier way to get access to these error values? I saw nothing in the source code but it wouldn't be the first time I missed something obvious.

Thank you again,
Posted: 07/10/2013 02:53:35
by Ken Ivanov (EldoS Corp.)

Hello Stephane,

I see your point, thank you. Indeed there is currently no way to distinguish what exactly led to an RSA signing failure (which 0x201B code stands for). What we possibly can do is promote the underlying exception details from the lower-level signing classes up to the higher level (e.g. PDFBlackbox) classes via object properties. I am afraid there is no way for the SBMessages classes to re-throw the original exception, as all the higher-level classes do not expect them to, and this might lead to code breakdown.
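
The approach described in the reply above (keep the Boolean result, but make the swallowed exception's details readable through object properties), sketched as an added example; it is not SBB code and not part of the original thread. TDemoSigner, ProviderSign, the Last* properties and the OS error value are hypothetical.

```pascal
program SignErrorCapture;
{$APPTYPE CONSOLE}
uses SysUtils;
type
  // Hypothetical signer, not an SBB class: Boolean contract kept, failure details exposed.
  TDemoSigner = class
  private
    FLastErrorClass, FLastErrorMessage: string;
    FLastOSError: Cardinal;
    procedure ProviderSign; // stands in for the low-level provider call
  public
    function SignRSA: Boolean;
    property LastErrorClass: string read FLastErrorClass;
    property LastErrorMessage: string read FLastErrorMessage;
    property LastOSError: Cardinal read FLastOSError;
  end;

procedure TDemoSigner.ProviderSign;
var E: EOSError;
begin
  // Constructed failure; the OS error value is a placeholder, not from the thread.
  E := EOSError.Create('Failed to acquire key context.');
  E.ErrorCode := $DEAD;
  raise E;
end;

function TDemoSigner.SignRSA: Boolean;
begin
  Result := True;
  FLastErrorClass := ''; FLastErrorMessage := ''; FLastOSError := 0;
  try
    ProviderSign;
  except
    on E: Exception do
    begin
      Result := False; // callers still see only True/False
      FLastErrorClass := E.ClassName;
      FLastErrorMessage := E.Message;
      if E is EOSError then FLastOSError := EOSError(E).ErrorCode;
    end;
  end;
end;

var S: TDemoSigner;
begin
  S := TDemoSigner.Create;
  if not S.SignRSA then
    Writeln(S.LastErrorClass, ': ', S.LastErrorMessage,
      ' (OS error 0x', IntToHex(Int64(S.LastOSError), 8), ')');
  S.Free;
end.
```

Because the properties are reset at the start of each call and filled only in the except branch, existing callers that test the Boolean are unaffected, while a support build can log the class, message and OS error code to pass on to the driver or hardware vendor.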