Digital signature problem using CSP without SHA1 support

Is there any way to force Aspose.Pdf to create an external signature using a SHA256 hash? We have a problem signing documents with Aspose.Pdf using a cloud-hosted signing service (CryptoTech CloudSigner with the mSzafir provider). The same problem was already reported to you two years ago: (Problem with signing PDF file when using cert with privatekey stored on external card)
The call to the SignHash method of RSACryptoServiceProvider seems to be using the SHA1 algorithm and there is no way to force SHA256 here (the data provided by Aspose.Pdf to this method is incompatible with SHA256). Unfortunately, the SHA1 algorithm is no longer supported by the CSP due to security concerns.

We’re using Aspose.Pdf latest 22.2 version

Exception message: ‘One or more of the supplied parameters could not be properly interpreted’

Stack trace:

w System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
w System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
w System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
w System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
w PdfAsposeTest.VulcanCryptoServiceProvider.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) w C:\WORK\PdfAspose\PdfAsposeTest\VulcanCryptoServiceProvider.cs:wiersz 73
w System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
w #=zTg6_Hdjaf3SiPtI$wnmd0hqR$jC_cQUoJQ==.#=zmwjQ$nU=.#=zHYIzMTs=(Byte[] #=zmy1MFow=, #=zm1ec9qZqkEgyj0L3OgoQQS8M_L5iYq2HdInZ8hg= #=zk0PKLEc=, OcspSettings #=zcMgUJst1cvcB, TimestampSettings #=zL5AFIUO5TqJQ, Boolean #=z0T0VkD0=, X509Certificate2 #=zx2e$J0qbBvTy)
w #=zTg6_Hdjaf3SiPtI$wnmd0hqR$jC_cQUoJQ==.#=zmwjQ$nU=.#=zsw6uCpM=(Byte[] #=zmy1MFow=, X509Certificate2 #=zx2e$J0qbBvTy, OcspSettings #=zcMgUJst1cvcB, TimestampSettings #=zL5AFIUO5TqJQ, Boolean #=z0T0VkD0=)
w #=zTg6_Hdjaf3SiPtI$wnmd0hqR$jC_cQUoJQ==.#=zmwjQ$nU=.#=zsw6uCpM=(Byte[] #=zmy1MFow=, X509Certificate2 #=zx2e$J0qbBvTy, OcspSettings #=zcMgUJst1cvcB, TimestampSettings #=zL5AFIUO5TqJQ)
w #=zTg6_Hdjaf3SiPtI$wnmd0hqR$jC_cQUoJQ==.#=zmwjQ$nU=.#=zsw6uCpM=(Byte[] #=zmy1MFow=, X509Certificate2 #=zx2e$J0qbBvTy)
w #=zrecUuf4Mea8RNCMZBiiD7$0WI_Mt.#=zsw6uCpM=(#=zklR7lxUuz8iQbde7HzYawJdEKEqGdG$4pRlD7YNWQJlL #=zy3$g_gj3PQ7z, Boolean #=zmWMzbnDYbnC4, #=z9SgYabW0TLL$mgFSEuqJ0lv_LkZzPJdhCQ== #=z92nYEoQ=, #=zM$ku6EoeSHU5Kf0ithn7ZLhJRejCpd$RWw== #=zYyZSylk=, #=zKogmA92ENCsIFT2Gn5jaeF$v3apo7Rdskg== #=zaXCrDOo=, Stream #=zk0PKLEc=, String #=zv2xHVB8=, X509Certificate2 #=zx2e$J0qbBvTy, String& #=zDWpqUWY=, Int32& #=zje8ZSvgT6Cde)
w #=zrecUuf4Mea8RNCMZBiiD7$0WI_Mt.#=zsw6uCpM=(String #=zqZGIh$U=, #=zM$ku6EoeSHU5Kf0ithn7ZLhJRejCpd$RWw== #=zYyZSylk=, #=zKogmA92ENCsIFT2Gn5jaeF$v3apo7Rdskg== #=zaXCrDOo=, Stream #=zk0PKLEc=, String #=zv2xHVB8=, X509Certificate2 #=zx2e$J0qbBvTy)
w #=zrecUuf4Mea8RNCMZBiiD7$0WI_Mt.#=zsw6uCpM=(String #=zqZGIh$U=, #=zM$ku6EoeSHU5Kf0ithn7ZLhJRejCpd$RWw== #=zYyZSylk=, #=zKogmA92ENCsIFT2Gn5jaeF$v3apo7Rdskg== #=zaXCrDOo=, X509Certificate2 #=zx2e$J0qbBvTy)
w Aspose.Pdf.Forms.Signature.#=zsw6uCpM=(String #=zqZGIh$U=, Stream #=zk0PKLEc=, String #=zv2xHVB8=)
w Aspose.Pdf.Forms.SignatureField.Sign(Signature signature, Stream pfx, String pass)
w Aspose.Pdf.Forms.SignatureField.Sign(Signature signature)

@darius.borkiewicz

Could you please attach the following resources here for testing:

  • Your input files.
  • Please create a standalone console application (source code without compilation errors) that helps us to reproduce your problem on our end and attach it here for testing.

As soon as you get these pieces of information ready, we will start investigating your issue and provide you with more information. Thanks for your cooperation.

PS: To attach these resources, please zip and upload them.

You can use the code from your samples. The only way to reproduce this error is to use RSACryptoServiceProvider/RSACng without RSA-SHA1 support. We have 2022 now, right? Nowadays RSA-SHA1 is long deprecated, and many crypto solution vendors no longer allow the use of SHA1 (in Poland we have KIR mSzafir and Asseco SimplySign at least). The one and only cause of our problems is the lack of RSA-SHA256+ support in your product. It renders Aspose.Pdf completely useless for us. We’ve been using Aspose for many years, but unfortunately the inability to set a different signature scheme will force us to use one of the competing solutions. So we would like to ask if you have any plans to add RSA-SHA256 support for external signatures in Aspose.Pdf?

@darius.borkiewicz

Could you please share the sample code or article link that you are using? Please also share your input PDF. To ensure a timely and accurate response, please attach the requested resources here for testing. Thanks for your cooperation.

Here is the code. I’ve also uploaded a solution (with a sample PDF attached): aspose.pdf.sln.zip (668.7 KB)

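    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using Aspose.Pdf;
    using Aspose.Pdf.Forms;

    public void Test()
    {
        // Work on a copy so the original sample stays unsigned
        File.Copy("sample.pdf", "signed.pdf", true);

        var store = new X509Store(StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        // Note: to reproduce the exception, choose a certificate whose crypto provider supports only RSA-SHA256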
        var sel = X509Certificate2UI.SelectFromCollection(store.Certificates, null, null, X509SelectionFlag.SingleSelection);

        if (sel.Count > 0)
        {
            using (FileStream fs = File.Open("signed.pdf", FileMode.Open, FileAccess.ReadWrite))
            using (Document doc = new Document(fs))
            {
                SignatureField sf = new SignatureField(doc.Pages[1], new Aspose.Pdf.Rectangle(100, 400, 10, 10));

                ExternalSignature externalSignature = new ExternalSignature(sel[0])
                {
                    Authority = "Me",
                    Reason = "Reason",
                    ContactInfo = "Contact",
                };

                sf.PartialName = "signature";
                doc.Form.Add(sf, 1);
                sf.Sign(externalSignature); // That call throws the CryptographicException...
                doc.Save();
            }
        }
    }
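
An added diagnostic example, not part of the posts above and not Aspose or vendor code: it asks a key's provider to sign one digest per hash algorithm, which shows whether a given certificate's provider rejects RSA-SHA1 as described in this thread. `SignHashProbe` and its methods are hypothetical names, the input is constructed, and the last probe is an assumed illustration of a digest whose length does not match the declared algorithm.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper: records which hash algorithms a key's provider will sign with.
static class SignHashProbe
{
    public static Dictionary<string, string> Probe(RSA key)
    {
        byte[] sample = { 0x70, 0x72, 0x6f, 0x62, 0x65 }; // constructed input ("probe")
        var report = new Dictionary<string, string>();
        foreach (var alg in new[] { HashAlgorithmName.SHA1, HashAlgorithmName.SHA256, HashAlgorithmName.SHA512 })
            report[alg.Name] = TrySign(key, Digest(sample, alg), alg);
        // Assumed illustration of the incompatibility reported in the thread:
        // a 20-byte SHA-1 digest submitted under the SHA-256 identifier.
        report["SHA1 digest as SHA256"] =
            TrySign(key, Digest(sample, HashAlgorithmName.SHA1), HashAlgorithmName.SHA256);
        return report;
    }
    static byte[] Digest(byte[] data, HashAlgorithmName alg)
    {
        using (IncrementalHash h = IncrementalHash.CreateHash(alg))
        {
            h.AppendData(data);
            return h.GetHashAndReset();
        }
    }
    static string TrySign(RSA key, byte[] digest, HashAlgorithmName alg)
    {
        try
        {
            byte[] sig = key.SignHash(digest, alg, RSASignaturePadding.Pkcs1);
            bool ok = key.VerifyHash(digest, sig, alg, RSASignaturePadding.Pkcs1);
            return ok ? "accepted" : "signed but verification failed";
        }
        catch (Exception ex) when (ex is CryptographicException || ex is NotSupportedException)
        {
            return "rejected: " + ex.Message; // provider refused this digest/algorithm pair
        }
    }
    static void Main()
    {
        // Constructed throwaway software key so the example runs offline; for a real
        // certificate pass cert.GetRSAPrivateKey() (RSACertificateExtensions) instead.
        using (RSA key = RSA.Create())
            foreach (KeyValuePair<string, string> row in Probe(key))
                Console.WriteLine(row.Key + ": " + row.Value);
    }
}
```

Probing a smart-card or cloud-hosted key performs real signing operations, so the provider may prompt for a PIN or log each request.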

@darius.borkiewicz

We have logged this problem in our issue tracking system as PDFNET-51521. You will be notified via this forum thread once this issue is resolved.

We apologize for your inconvenience.

The issues you have found earlier (filed as PDFNET-51521) have been fixed in Aspose.PDF for .NET 24.11.