Hello,
I'm here again with one more issue:
This code works OK in my development environment.
When I try to run my web app on the production server, I cannot reach the cert on my client HSM; it never asks me for the PIN.
Please tell me if I need to pay attention to something in the production environment to make it work.
Regards,
Martin
Thanks for your prompt answer.
Before the web meeting (that would be great; I'm in GMT-3), I can provide the info that you request.
Regarding availability, no problem at all. Any daytime hour (GMT-3) is OK.
Server: Azure VM Windows 2016
Culture settings: OS (English), WebApp (Spanish)
Syncfusion version: 19.2.0.56
Code:
Imports System.IO
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Pkcs
Imports System.Security.Cryptography.X509Certificates
Imports Syncfusion.Pdf
Imports Syncfusion.Pdf.Security

' Creates a throw-away document and runs the signing handler once, to check
' whether a usable token certificate can be reached from this process.
Public Function TokenDisponibleparaFirma() As Boolean
    Dim document As PdfDocument = New PdfDocument()
    document.Pages.Add()
    Dim signature As PdfSignature = New PdfSignature(document, document.Pages(0), Nothing, "DigitalSignature")
    AddHandler signature.ComputeHash, AddressOf Signature_ComputeHash
    Dim stream As MemoryStream = New MemoryStream()
    document.Save(stream)
    document.Close(True)
    Return DigitalSignatureSuccess
End Function

' Searches the CurrentUser\My store of the current process identity for a
' certificate issued by the Argentine CA. Mid(..., 4, 39) skips the leading "CN="
' and compares the 39-character issuer name.
Private Function RecuperarCertificadoArgentino() As X509Certificate2
    Dim FirmaDigitalEmisorArgentino As String = "Autoridad Certificante de Firma Digital"
    Dim certEncontrado As X509Certificate2 = Nothing
    Dim store As X509Store = New X509Store("MY", StoreLocation.CurrentUser)
    store.Open(OpenFlags.[ReadOnly] Or OpenFlags.OpenExistingOnly)
    Try
        For Each cert As X509Certificate2 In store.Certificates
            If Mid(cert.Issuer, 4, 39) = FirmaDigitalEmisorArgentino Then
                certEncontrado = cert
                Exit For
            End If
        Next
    Finally
        store.Close()
    End Try
    Return certEncontrado
End Function

' Syncfusion raises this event with the bytes to be signed (ars.Data); the handler
' must return a detached CMS/PKCS#7 signature in ars.SignedData.
Private Sub Signature_ComputeHash(ByVal sender As Object, ByVal ars As PdfSignatureEventArgs)
    Dim documentBytes As Byte() = ars.Data
    Dim signedCms As SignedCms = New SignedCms(New ContentInfo(documentBytes), detached:=True)
    Try
        Dim Certificado As X509Certificate2 = RecuperarCertificadoArgentino()
        If Certificado Is Nothing Then
            DigitalSignatureSuccess = False
            ' Message shown to the user: "No token with a valid certificate was found.
            ' You need a token, a valid certificate and the token software installed.",
            ' followed by the driver download message.
            DigitalSignatureResultMessage = "No se encuentra un token con certificado válido.<br /><br />Debe contar con Token, certificado válido e instalar el software del token.<br />" & MensajeDescargaDriver()
            Exit Sub
        End If
        DigitalSignatureSuccess = True
        DigitalSignatureResultMessage = Certificado.Thumbprint
        DigitalSignatureValidTo = Certificado.GetExpirationDateString()
        Dim cmsSigner As CmsSigner = New CmsSigner(Certificado)
        ' 2.16.840.1.101.3.4.2.1 is the OID for SHA-256.
        cmsSigner.DigestAlgorithm = New Oid("2.16.840.1.101.3.4.2.1")
        ' The private key is used here; with a token, the CSP/KSP prompts for the PIN at this point.
        signedCms.ComputeSignature(cmsSigner)
        ars.SignedData = signedCms.Encode()
    Catch ex As Exception
        DigitalSignatureSuccess = False
        DigitalSignatureResultMessage = "error: " & ex.Message
        ' Spanish-localised CryptographicException text for "Keyset does not exist":
        ' the certificate was found but its private key (on the token) is not reachable.
        If DigitalSignatureResultMessage = "error: El conjunto de claves no está definido" Then
            DigitalSignatureResultMessage = MensajeDescargaDriver()
        End If
    End Try
End Sub
' Loads a certificate file ("cert") and its private key, protected by "password123", into the
' machine key set. This constructor reads a PFX/P12 file from disk, which is not how a
' token-resident key is accessed.
Dim x509 As X509Certificate2 = New X509Certificate2("cert", "password123", X509KeyStorageFlags.MachineKeySet Or X509KeyStorageFlags.PersistKeySet Or X509KeyStorageFlags.Exportable)
UPDATE
Hello, I just ran the sample you posted in this thread.
Here is the code for your reference:
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Syncfusion.Pdf;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

namespace PDFSample
{
    public partial class _Default : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            LoadCerts();
        }

        protected void OnButtonClicked(object sender, EventArgs e)
        {
            string docPath = Server.MapPath("/App_Data/Barcode.pdf");
            PdfLoadedDocument document = new PdfLoadedDocument(docPath);
            //Create a revision 2 signature with loaded digital ID.
            PdfSignature signature = new PdfSignature(document, document.Pages[0], null, "DigitalSignature");
            signature.ComputeHash += Signature_ComputeHash;
            //Open the document in browser after saving it
            document.Save("Output.pdf", HttpContext.Current.Response, HttpReadType.Save);
            document.Close(true);
        }

        private void Signature_ComputeHash(object sender, PdfSignatureEventArgs ars)
        {
            //Get the document bytes.
            byte[] documentBytes = ars.Data;
            SignedCms signedCms = new SignedCms(new ContentInfo(documentBytes), detached: true);
            //This code runs under the IIS worker-process identity, so "CurrentUser" is that
            //account's store on the server, not the store of the user sitting at the browser.
            X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
            //load your smart card certificate (the sample hard-codes index 1; select by thumbprint in real code)
            X509Certificate2 certificate = new X509Certificate2(collection[1]);
            store.Close();
            CmsSigner cmsSigner = new CmsSigner(certificate);
            //Set the digest algorithm SHA256.
            cmsSigner.DigestAlgorithm = new Oid("2.16.840.1.101.3.4.2.1");
            signedCms.ComputeSignature(cmsSigner);
            //Embed the encoded digital signature to the PDF document.
            ars.SignedData = signedCms.Encode();
        }

        protected void LoadCerts()
        {
            X509Store store = new X509Store("MY", StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
            foreach (var c in collection)
            {
                X509Certificate2 certificate = new X509Certificate2(c);
                ListBox1.Items.Add(new ListItem(c.Issuer.ToString()));
            }
            store.Close();
        }

        protected void ListBox1_SelectedIndexChanged(object sender, EventArgs e)
        {
        }
    }
}
If I debug this code in Visual Studio with the HSM connected, it retrieves the cert on it and shows it in the listbox.
If I publish and deploy it to my server, when I browse it from my machine with the HSM connected, no cert is shown in the listbox; no cert is read from the server.
UPDATE 2
Listing all certs in all stores with this:
// Enumerates every certificate in every store location/name that the current
// process identity can open, and records the stores that could not be opened.
protected void allcerts()
{
    foreach (StoreLocation storeLocation in (StoreLocation[])Enum.GetValues(typeof(StoreLocation)))
    {
        foreach (StoreName storeName in (StoreName[])Enum.GetValues(typeof(StoreName)))
        {
            using (X509Store store = new X509Store(storeName, storeLocation))
            {
                try
                {
                    store.Open(OpenFlags.ReadOnly);
                    X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
                    foreach (var c in collection)
                    {
                        string tt = store.Name + " - " + store.Location + ": " + c.Issuer;
                        ListBox2.Items.Add(new ListItem(tt));
                    }
                }
                catch (CryptographicException)
                {
                    // The store could not be opened under this identity; record it here,
                    // once per store, instead of re-adding the last line after the loop.
                    ListBox2.Items.Add(new ListItem("No - " + store.Name + " - " + store.Location));
                }
            }
        }
    }
}
Running it in Visual Studio, it gets my cert on the HSM in the "My - CurrentUser" store.
Running it on the server, it lists no cert from the "My - CurrentUser" store.
Thanks for the answer.
I'm not sure I understand you.
Let me overview the issue:
- This is a .NET Framework 4.8 web app, running on IIS.
- The web app is accessible via browser from the client's Windows PC.
- The client connects his HSM (USB token with embedded cert) to his Windows PC; the cert is accessible via the SafeNet Authentication Client software.
- The cert in the HSM is not exportable; it is impossible to extract it from the device.
- Obviously it is not on the server; it is on the client computer.
Regarding your answer:
- Which user may access which store location/cert?
- The HSM does not allow exporting certs at all. How is one supposed to do that?
Kind regards,
Martin
Thanks for the answer.
Let me say that I am quite upset and disagree with the development of this thread.
From the beginning, you yourself made it clear that this was possible (read above).
Now it turns out that it is not possible to do it?
Syncfusion asserts that this component works with an HSM in a web app, which seems not to be true...
Please, how can we solve this?
What solution do you propose? If I create an app on the client, how would it be?
I have researched, and there are other solutions that capture the cert via JavaScript. Do you think it is possible to do something like this, thus completing your product and really doing what Syncfusion says it does?
Please, I await a slightly more satisfactory answer.
Kind regards,
Martin
Thanks for the update.
I understand.
You should understand too that Syncfusion signing from a web solution is completely unusable. It makes no sense...
Your proposed solution of exporting the cert to Azure Key Vault is interesting, but remember that it's impossible to export or extract the cert from the HSM hardware token. Nobody can get a PFX or P12 file from it. Due to that design limitation it cannot be considered a solution.
It's certainly sad, because I worked hard to implement it and, after deploying it, discovered that it doesn't work.
I expected a little more.
Martin
Can I sign a PDF using Syncfusion in JavaScript or Blazor?
Hi guys. I'm back to check for updates on the component.
Please, can you tell me if it's still not possible to sign with an HSM on the browser client for a .NET web app (WASM, on the client side)?
Regards
Hi, regarding the conversation above, I want to ask if I can sign the PDF document using Blazor Server.
Scenario: the user accesses our Blazor app at www.ourapp.com, inserts the USB token and selects a part of the PDF, and a popup appears where he can enter the PIN code.
So with this in mind, I want to ask if the user can select a rectangle on the PDF (using the Syncfusion PDF viewer server component) where the signature will appear.
Thank you!
Yes, we can sign the PDF document on Blazor Server. We have attached a sample for your reference.
Sample: https://www.syncfusion.com/downloads/support/directtrac/general/ze/ServerSideApplication-432711007
Please find below the link for invisible signing of the PDF document using the Blazor PdfViewer component:
https://blazor.syncfusion.com/demos/pdf-viewer/invisible-digital-signature?theme=fluent
Please note that signing a PDF document with a USB token or a Windows certificate store is limited to server-oriented applications, due to the need to access locally installed Windows certificates. If you attempt to sign a document using a USB token installed on your own machine while hosting an application on the web, this will not be successful. Instead, a deferred signing procedure is recommended in this scenario. This involves locally signing the PDF document and sending the resulting hash to the server to be applied to the PDF document.
Kindly refer to the link below for more information,
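The deferred-signing flow that the reply above recommends, as an added example that is not part of the original thread and not Syncfusion's code: the server computes the SHA-256 digest of the bytes to be signed, the client signs that digest with the private key on its token, and the server verifies the returned signature against the signer's certificate before embedding it. The code targets .NET 6 or later and runs offline: the self-signed certificate produced by MakeTestCertificate() stands in for the token certificate (an assumption for the demo), the PDF bytes are constructed, and the point where ServerPrepareDigest() would plug into a Syncfusion ComputeHash handler (ars.Data) is also an assumption, since the page does not show the deferred variant. On a real client the certificate would come from the CurrentUser\My store and GetRSAPrivateKey() would return the SafeNet CSP/KSP key handle, which prompts for the PIN.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not Syncfusion's code and not from the original posts): a minimal
// deferred-signing exchange for a web app whose signing key lives on the user's USB
// token. The server never sees the private key; it only sends a digest and gets back
// a raw RSA signature, which it verifies against the certificate before embedding it.
public static class DeferredSigningDemo
{
    // ---- Server side ----------------------------------------------------------
    // Step 1: compute the digest of the bytes to be signed. In a Syncfusion
    // ComputeHash handler these would be ars.Data (assumption: the page does not
    // show the deferred variant of the handler).
    public static byte[] ServerPrepareDigest(byte[] bytesToSign)
    {
        return SHA256.HashData(bytesToSign);
    }

    // Step 3: verify the returned signature against the public key of the
    // certificate the client presented; only then embed it in the PDF.
    public static bool ServerVerifySignature(X509Certificate2 signerCert, byte[] digest, byte[] signature)
    {
        using RSA publicKey = signerCert.GetRSAPublicKey()
            ?? throw new CryptographicException("signer certificate has no RSA public key");
        return publicKey.VerifyHash(digest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // ---- Client side (runs on the PC where the token is plugged in) ------------
    // Step 2: sign the digest with the token's private key. With a SafeNet token the
    // certificate is found in CurrentUser\My and GetRSAPrivateKey() returns a CSP/KSP
    // handle that prompts for the PIN; the key material never leaves the device.
    public static byte[] ClientSignDigest(X509Certificate2 certWithPrivateKey, byte[] digest)
    {
        using RSA privateKey = certWithPrivateKey.GetRSAPrivateKey()
            ?? throw new CryptographicException("certificate has no usable private key");
        return privateKey.SignHash(digest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Constructed stand-in for the token certificate so the demo runs offline.
    public static X509Certificate2 MakeTestCertificate()
    {
        using RSA rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=Deferred Signing Demo (test only)", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        using X509Certificate2 tokenCert = MakeTestCertificate();

        // Constructed sample input; in the web app this is the PDF byte range to sign.
        byte[] pdfBytes = Encoding.ASCII.GetBytes("%PDF-1.7 constructed sample bytes");

        byte[] digest = ServerPrepareDigest(pdfBytes);          // server -> client
        byte[] signature = ClientSignDigest(tokenCert, digest);   // client -> server
        Console.WriteLine("signature verifies: " + ServerVerifySignature(tokenCert, digest, signature));

        // A signature replayed onto a modified document must be rejected by step 3.
        pdfBytes[0] ^= 0x01;
        byte[] tamperedDigest = ServerPrepareDigest(pdfBytes);
        Console.WriteLine("tampered document accepted: " + ServerVerifySignature(tokenCert, tamperedDigest, signature));
    }
}
```

The server-side check is the part that matters for security: both the certificate and the signature arrive from the browser, so the server must verify the signature against the presented certificate, validate that certificate's chain (X509Chain) against the CA it expects, and only accept a digest it issued for that document in that session. Wrapping the raw signature into the PKCS#7/CMS container the PDF needs is a separate step: SignedCms.ComputeSignature requires the private key in-process, so that wrapping is normally done on the client machine that holds the token, which is what the Windows application mentioned later in this thread does before uploading the result.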
Thank you! We have managed to create a Windows application that signs the document and sends it to the web.
My question is how I can add a button to the "SfPdfViewerServer" toolbar with the label "My signature", so that when the user clicks it he can draw a rectangle on a PDF page, after which an event like "mouseup" is fired and I can retrieve the x, y, w, h of the rectangle.
We have created something custom, but in this context it does not work.
Thank you!
We have branched a new forum for the last reported query;
please follow up on this forum ID, https://forumassist.syncfusion.com/181771, for further updates.