EldoS | Feel safer!
Luna HSM PDF signing issues

Posted: 10/27/2015 16:06:02
by Peter Johnson (Standard support level)
Joined: 10/29/2014
Posts: 10


I was wondering if there was any sample code for signing a PDF using a certificate stored on a SafeNet Luna HSM. Using the TinySignerPKCS11 sample project, I have been able to successfully open the storage using the appropriate DLL, open a session and log in with my PIN, but the PKCS11CertStorage doesn't contain any certificates after logging in. It does contain two objects--a private and public key--but the certificate count is 0. Is there something I'm doing wrong?
Posted: 10/27/2015 17:03:39
by Eugene Mayevski (EldoS Corp.)

Thank you for the report.

There are two possible variants there -

1) there's no certificate in your device, but really just the keypair.
2) there exists a certificate in the device which can not be found for whatever reason.

A side note -- TElPKCS11CertStorage object can not contain key objects. It works only with certificates. So you should be talking about some other PKCS#11 class which lists objects.

So please first of all check (by other means) if there is a certificate on the device. Then we will be able to choose the strategy for further investigation and solving of your problem.

Sincerely yours
Eugene Mayevski
Posted: 11/18/2015 16:17:03
by Peter Johnson (Standard support level)
Joined: 10/29/2014
Posts: 10

Thank you Eugene,

After further analysis we did find that the certificate had not been properly installed into the storage and we have since gotten past that obstacle. However, I am now into signing a PDF and coming up with a chain validation error. I've successfully opened a session with the certificate storage and loaded the certificates. I followed the steps to produce an LTV-enabled signature: using a TElPDFAdvancedPublicKeySecurityHandler, turning on AutoCollectRevocationInfo, IncludeRevocationInfoToAdbeAttribute, ForceCompleteChainValidation and DeepValidation. If I check the certificates in the storage, they all appear to show up correctly (my signing certificate, the GlobalSign CA certificate, the GlobalSign Primary CA certificate) and my PKCS11CertStorage.ChainCount reads 1. However, I get an error on Document.Close stating "Chain validation failed".

I followed the steps outlined in this article in order to log the events and determine where the validation error occurred:

In the results, I found that I'm getting an Invalid response on my signing certificate and GlobalSign CA certificate (Reason 16--Invalid Signature) and an OK response on the GlobalSign Primary CA certificate and Adobe Root CA. The overall validation returns a result of cvChainUnvalidated (Reason 32--Unknown CA). Is this an issue I may have to resolve with my usage of the storage, our CA, or my implementation of the handler and signing? I greatly appreciate the assistance.

Thank you!
Posted: 11/19/2015 03:01:41
by Vsevolod Ievgiienko (EldoS Corp.)


"Unknown CA" error means that root CA certificate is missing for some chain involved in the validation process. This could be a CA certificate that issued a certificate used to sign OCSP responses etc.

Please try to handle TElX509CertificateValidator.OnCACertificateNotFound event to determine what exact certificate chain is incomplete: https://www.eldos.com/documentation/sb...found.html
Posted: 11/19/2015 10:11:13
by Peter Johnson (Standard support level)
Joined: 10/29/2014
Posts: 10

I cannot find that event on my TElX509CertificateValidator object in C#; I'm using the latest version of the library and it appears to be deprecated, according to the documentation. Is there another means to get that information, or should I roll back to a previous version?
Posted: 11/19/2015 10:46:56
by Peter Johnson (Standard support level)
Joined: 10/29/2014
Posts: 10

If it helps, I've found that I can successfully validate the certificate chain and sign the document if I set TElX509CertificateValidator.IgnoreCABasicConstraints = true and I do not pass my PKCS11CertStorage into TElX509CertificateValidator.AddTrustedCertificates(). However, if I sign this way, it takes roughly 16 seconds per document to sign.
Posted: 11/19/2015 17:48:42
by Ken Ivanov (EldoS Corp.)

Hi Peter,

Thank you for the details.

First, it is not correct to assign the whole contents of your PKCS11CertStorage as trusted certificates. Normally, you should only trust the root certificate, and trust for the rest of the chains originating from it will be established implicitly. So please put your 'Adobe Root CA' certificate into a separate TElMemoryCertStorage object and add only that as trusted.

At the same time, I believe that in your particular case you can skip the step of providing the trusted certificates entirely, as 'Adobe Root CA' is very likely to be present in your system's trusted certificates store, which is used by the validator class implicitly.

The fact that setting IgnoreCABasicConstraints to true works means that one of the certificates in the chain contains a wrong value in its 'basic constraints' extension (which specifies whether a particular certificate can act as a CA or not). This happens sometimes, so you might wish to leave that property switched on if it works out for you.

"However, if I sign this way, it takes roughly 16 seconds per document to sign."

It might. The production of an LTV-enabled signature involves a number of online requests to gather revocation information (OCSP responses, CRLs and timestamps). Therefore this process might take some time for extensive infrastructures, slow Internet connections, or where revocation elements are large.
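
The trust-anchor model Ken describes above (trust only the root, let the rest of the chain be established by signature and basicConstraints checks), worked through as an added example. This is not SecureBlackbox code and not from the thread; it uses pyca/cryptography and generates its own throwaway certificates in-process (constructed test data), so it runs offline. It reproduces the outcomes Peter reported: a missing issuer gives "Unknown CA" (reason 32), an issuer found by name but holding the wrong key gives "Invalid signature" (reason 16), a CA certificate with basicConstraints ca=False fails unless that check is switched off, and trusting the whole storage makes the signer "valid" without any check at all. The reason code 64 for the basicConstraints failure is invented here; the thread gives none.

```python
"""Chain building against an explicit trust anchor (added example, pyca/cryptography)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# 16 and 32 are the numbers quoted in the thread; 64 is made up for this example.
REASON_INVALID_SIGNATURE = 16
REASON_UNKNOWN_CA = 32
REASON_ISSUER_NOT_CA = 64


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, issuer_key, subject_key, is_ca):
    """Build and sign a minimal certificate (constructed data, P-256 for speed)."""
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def _signature_ok(cert, issuer):
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def validate_chain(leaf, known, trusted, ignore_ca_basic_constraints=False):
    """Walk from the leaf towards a trust anchor and return (status, reason, chain).

    known   - certificates available for chain building (what a PKCS#11 or
              memory storage would supply as "known" certificates)
    trusted - anchors, ideally only the root. Anything here is accepted as-is,
              with no signature or constraint check, which is why the whole
              storage must not be put here.
    """
    chain = [leaf]
    current = leaf
    while True:
        if current in trusted:
            return "valid", 0, chain
        # A simple chain builder picks the issuer by name alone.
        candidates = [c for c in known + trusted
                      if c.subject == current.issuer and c not in chain]
        if not candidates:
            return "unknown_ca", REASON_UNKNOWN_CA, chain
        issuer = candidates[0]
        if not _signature_ok(current, issuer):
            return "invalid_signature", REASON_INVALID_SIGNATURE, chain
        if not ignore_ca_basic_constraints:
            bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca:
                return "issuer_not_ca", REASON_ISSUER_NOT_CA, chain
        chain.append(issuer)
        current = issuer


def run_scenarios():
    """Constructed PKI: root -> issuing CA -> signer, plus two broken issuing CAs."""
    root_key, inter_key, rogue_key, signer_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Test Root CA", "Test Root CA", root_key, root_key, True)
    inter = make_cert("Test Issuing CA", "Test Root CA", root_key, inter_key, True)
    # Same subject name as inter but a different key: name-based lookup picks it.
    rogue = make_cert("Test Issuing CA", "Test Root CA", root_key, rogue_key, True)
    # Same key as inter but basicConstraints ca=False: a mis-issued CA certificate.
    bad_bc = make_cert("Test Issuing CA", "Test Root CA", root_key, inter_key, False)
    signer = make_cert("Document Signer", "Test Issuing CA", inter_key, signer_key, False)

    r = {}
    r["ok"] = validate_chain(signer, [inter], [root])[0]
    r["missing_intermediate"] = validate_chain(signer, [], [root])[1]
    r["wrong_issuer_key"] = validate_chain(signer, [rogue], [root])[1]
    r["bad_bc"] = validate_chain(signer, [bad_bc], [root])[0]
    r["bad_bc_ignored"] = validate_chain(signer, [bad_bc], [root],
                                         ignore_ca_basic_constraints=True)[0]
    # Trusting the whole storage: the signer is "valid" with no issuer present at all.
    status, _, chain = validate_chain(signer, [], [signer, inter, root])
    r["whole_storage_trusted"] = (status, len(chain))
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The "whole_storage_trusted" scenario is the point of Ken's first remark: a certificate placed in the trusted set short-circuits validation entirely, so passing the PKCS#11 storage to AddTrustedCertificates() hides exactly the errors the validator exists to find. The "wrong_issuer_key" scenario shows why an "Invalid signature" on a correctly issued certificate usually means the builder matched a different certificate with the same issuer name (an older or re-keyed CA certificate in the storage) rather than a corrupt signature.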

Posted: 11/20/2015 09:05:45
by Peter Johnson (Standard support level)
Joined: 10/29/2014
Posts: 10

Hi Ken,

Thank you for your response. That does appear to be the case. There are a total of four certificates in the chain including the Adobe Root CA, and the number of requests is quite staggering. I see a total of 66 times that CertValidator_OnBeforeCertificateValidation is called and a number of CRL retrievals and OCSP calls in one signing. Is there perhaps a way to cache some degree of the information to reuse for multiple signings, or a safe way to run the operation on multiple threads to sign several documents at the same time? I did attempt to create an asynchronous method, but I'm getting a null reference exception on SBPublicKeyCrypto.TElPublicKeyMaterial.Destroy when I try to call Document.Close.
Posted: 11/20/2015 13:55:53
by Ken Ivanov (EldoS Corp.)


66 certificate validations (per signing operation?) is definitely way too many. Normally you would have four certificates in your chain, probably another 4-5 for online revocation sources, and another 3-4 for the timestamp. Could you please capture your validation trace (it is available in string form via TElX509CertificateValidator.InternalLogger.Log.Text property) and share that with us?

Sharing is more secure and confidential if made via Helpdesk, so I've created a ticket for you with the same title (#28807). Please post the trace there; only you and I will see it.
