PDF signing : Exception "Access was denied because of a security violation" when using Belgian eID card

Hello,

When I try to sign a PDF using Aspose.PDF .NET (.NET Core 3.1, version 20.4) with a Belgian ID card I get an exception:
error 2148532330 Access was denied because of a security violation.

On the ID card there are 2 certificates.
The first one is an Authentication certificate. Using this one there is no issue.
The second one is the Signature certificate (non-repudiation). The issue appears when using this certificate.

I got more information about this error in the eid-middleware-dev Google group:
https://groups.google.com/forum/#!topic/eid-middleware-dev/mbYMN8MjtM4

Here is a quote of their reply:

"The problem that you might be facing in your software is that the eID applet 1.7 (current eID cards) requires a validate PIN instruction just before signing with the key of the non-repudiation certificate.
So if e.g. you do a ‘select algorithm’ instruction in between the ‘verifyPIN’ and the ‘compute digital signature’, the signing will fail with a security error (as you needed to validate the PIN just before trying to sign).
For testing purposes: When using the authentication certificate, this restriction is not active, and thus should work if it is the above error you are facing. "

So I guess Aspose.PDF does this sequence: a ‘select algorithm’ instruction in between the ‘verifyPIN’ and the ‘compute digital signature’. The “compute digital signature” should be right after the “verify PIN”.

From the legal point of view, we need to sign using the Signature certificate to be law compliant.

Please fix this annoying issue. I don’t know if it is the same for other nationalities' eID cards, but I guess it can be (as this is a security matter).

FYI, there is no issue signing with the Signature certificate using Adobe Acrobat Reader.

Here is the call stack of the exception:

   at Internal.Cryptography.CngCommon.SignHash(SafeNCryptKeyHandle keyHandle, ReadOnlySpan`1 hash, AsymmetricPaddingMode paddingMode, Void* pPaddingInfo, Int32 estimatedSize)
   at System.Security.Cryptography.RSACng.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
   at System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
   at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z1OAEuWc=(Byte[] #=z$ZsYy4A=, #=zCCSibLhnfKyR126MVnj5KHDq8bHvqRrkDoAMMlc= #=zlY6OybY=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=, X509Certificate2 #=z4uLsm9wyH8oU)
   at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=)
   at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd)
   at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU)
   at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, Stream #=zlY6OybY=, String #=zmEs3Y1c=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, X509Certificate2 #=z4uLsm9wyH8oU)
   at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, X509Certificate2 #=z4uLsm9wyH8oU)
   at Aspose.Pdf.Forms.Signature.#=z2l4cyFY=(String #=zHdhAWIw=, Stream #=zlY6OybY=, String #=zmEs3Y1c=)
   at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature, Stream pfx, String pass)
   at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature)
   at Aspose.Pdf.Facades.PdfFileSignature.#=z4oJQIPrAGr1_(Stream #=zXnSxnB$Dzi64, Stream #=zykDMhKF5zYK4, String #=zhBw7Yrk=)
   at Aspose.Pdf.Facades.PdfFileSignature.Save(Stream outputStream)
   at Aspose.Pdf.Facades.PdfFileSignature.Save(String outputFile) 

EDIT: this is the same issue as this one, but the certificate's signing hash is SHA1 on older ID cards and SHA256 on more recent ones, with the same error message:

Thanks

@tfipsrd

An investigation ticket as PDFNET-48541 has already been logged in our issue tracking system for this scenario. We will further look into this issue and keep you informed about its resolution status. Please be patient and spare us some time.

We are sorry for the inconvenience.

Hello,

Any news on this issue PDFNET-48541?

Thanks

@tfipsrd

Sadly, the earlier logged ticket is not yet resolved. Please note that we will surely fix it; however, it will be fixed on a first come, first served basis. We will surely inform you as soon as we have some definite updates regarding its resolution. Please have patience and give us some time.

We are sorry for the inconvenience.

For now we only have free support. Is there any chance to go faster and fix this issue ASAP if we get a paid support plan?
Thanks

@tfipsrd

In case the issue is updated to priority/paid support, the investigation against it will be expedited in terms of getting a reliable ETA as well as a fix (depending upon the nature of the issue). Please also note that paid support does not guarantee any immediate solution, but it does escalate things in favor of getting an ETA and fix faster.

Hello @asad.ali,

I offer my help for this issue (because you need a Belgian electronic id card). This is business critical for us… Your competitors are able to do it.

I guess the problem will also occur using Portuguese electronic identity cards (as they were developed based on the Belgian eID).

Please escalate this issue and come back to me.

@tfipsrd

Thanks for getting back to us.

We have recorded your concerns and escalated the issue priority to the next level. We will surely let you know as soon as we have some news about its resolution. Please give us some time.

We apologize for your inconvenience.

Good morning,

I had the same problem and I found a solution.

And in fact, your ID card has to be connected to your PC. And when you choose your signature, you have to enter your PIN code on your connector.

The program says nothing, but your connector asks for your PIN.

Nothing tells you to do that, and that’s the problem, but if you look at the connector you will see that it asks you for the PIN code.

Voila, that is how my problem “error code 2148532330” was resolved.

Hello,

And do you sign using your Signature certificate? Because this error was triggered only on the Signature certificate. Everything is fine using the Authentication certificate, but that certificate is not intended for PDF signature.

And of course Windows brings up the PIN code window when you sign :slight_smile:

Thanks

@tfipsrd, @jomatt

Thanks for sharing your thoughts in this thread. We will surely consider this information while investigating the logged ticket and update this thread once we have some updates about its resolution.

Hello,

Is there any update on this issue?

We currently have the same problem: we would like to sign a PDF based on a key that is stored on a smart card. We cannot export the private part of the key: the smartcard is responsible for the signing process and not the .NET process. So there should be some ‘callback’ API where Aspose.Pdf calls ‘our’ code that in turn communicates with the smartcard API.

In short, this should be the flow: our code receives the bytes (a hash like SHA1, SHA384, …) to sign through the Aspose.Pdf callback (or an interface to implement), then sends the bytes to the card, the smartcard driver pops up a PIN code entry screen, the user fills in his/her PIN code, then the card returns the signed bytes, which we return through the callback passed by Aspose.Pdf.

For your information, this also concerns a (Belgian) eID, but technically the problem is a generic one: it involves all systems where a smartcard or hardware device is used that does not expose the private part of a ‘signature’ certificate.

Thank you,

PS: we have paid Aspose support, so if that can speed things up, that would be nice…
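As an added example (not code from this thread and not an Aspose API), here is the callback flow described above written in C# for .NET Core 3.1: our own code is handed the digest, drives the card through the middleware's CNG key handle, and returns the signature. The delegate `ExternalSignHash`, the class `SmartCardSigner` and its methods are hypothetical names; the code assumes the eID middleware is installed so the non-repudiation certificate appears in the user's certificate store, and it also makes the point of the quoted eID reply concrete: PIN verification and the compute-digital-signature step happen inside one `SignHash` call with nothing in between.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical callback shape (not an Aspose API): the PDF library hands over the digest of
// the signed byte range and expects the raw PKCS#1 v1.5 signature back.
public delegate byte[] ExternalSignHash(byte[] digest, HashAlgorithmName hashAlgorithm);

public static class SmartCardSigner
{
    // SCARD_W_SECURITY_VIOLATION (winerror.h): HRESULT 0x8010006A == 2148532330, the code in the thread.
    private const int ScardSecurityViolation = unchecked((int)0x8010006A);

    // Pick the card certificate whose Key Usage includes Non-Repudiation (the "Signature"
    // certificate); the Authentication certificate is not intended for PDF signing.
    public static X509Certificate2 FindSignatureCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
            if (cert.HasPrivateKey && cert.Extensions.OfType<X509KeyUsageExtension>()
                    .Any(ku => ku.KeyUsages.HasFlag(X509KeyUsageFlags.NonRepudiation)))
                return cert;
        throw new InvalidOperationException("No non-repudiation certificate with a private key found.");
    }

    // The callback body: a single SignHash call, so the middleware's PIN prompt is immediately
    // followed by the compute-digital-signature step, as the eID applet requires.
    public static byte[] SignWithCard(X509Certificate2 cert, byte[] digest, HashAlgorithmName hashAlgorithm)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key handle.");
        try { return rsa.SignHash(digest, hashAlgorithm, RSASignaturePadding.Pkcs1); }
        catch (CryptographicException ex) when (ex.HResult == ScardSecurityViolation)
        {
            throw new InvalidOperationException(
                "Card refused to sign: PIN verification was not immediately followed by the signature.", ex);
        }
    }

    // End-to-end check: digest constructed sample bytes, sign through the callback, verify with the public key.
    public static bool Demo()
    {
        X509Certificate2 cert = FindSignatureCertificate();
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes("constructed sample: PDF /ByteRange contents"));
        ExternalSignHash callback = (d, h) => SignWithCard(cert, d, h);
        byte[] signature = callback(digest, HashAlgorithmName.SHA256);
        using RSA pub = cert.GetRSAPublicKey();
        return pub.VerifyHash(digest, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
}
```

Running `Demo()` with the card inserted triggers the middleware's PIN prompt once and returns true when the card's signature verifies against the certificate's public key.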

@david.urting

The ticket is currently under the phase of investigation and we have recorded your comments along with the ticket as well. We will try to provide an update on this matter as soon as the investigation is complete. We will also try to provide some ETA in case the issue is escalated to the paid support. Please give us some time.

We are sorry for the inconvenience.

Hello

I have the same problem using Aspose.PDF for Java to sign with SafeNet iKey4000 and iKey5110 USB Tokens.

I was able to find some documentation on how to add a smart card signature to a PDF for .NET, but it does not work with non-exportable private keys. For Java, there is no documentation on this topic.

Is there any ETA for a functionality that will allow external signature computation?

@MarianC

We are afraid that the earlier logged ticket has not yet been resolved. Also, we have logged another ticket as PDFJAVA-41588 in our issue management system to address your concerns. We will surely work on resolving it and implementing the required feature and let you know once the ticket is resolved.

Another ticket as PDFNET-51749 has also been logged in our issue management system to add such examples in Aspose.PDF for Java Documentation. You will be informed once the ticket is resolved. Please spare us some time.

We apologize for your inconvenience.

Any update on this issue?

@Jeroen_Roefs

We are afraid that the earlier logged ticket(s) have not yet been resolved due to other issues in the queue logged prior to them. However, we have recorded your concerns and will surely inform you once we make some progress towards their resolution. Please be patient and spare us some time.

We are sorry for the inconvenience.