Hello,
When I try to sign a PDF using Aspose.PDF .NET (.NET Core 3.1, version 20.4) with a Belgian ID card, I get an exception:
error 2148532330 Access was denied because of a security violation.
On the id card there are 2 certificates.
The first one is an Authentication certificate. Using this one there is no issue.
The second one is the Signature certificate (non-repudiation). The issue appears when using this certificate.
I got more information about this error in the eid-middleware-dev Google group:
https://groups.google.com/forum/#!topic/eid-middleware-dev/mbYMN8MjtM4
Here is a quote of their reply:
"The problem that you might be facing in your software is that the eID applet 1.7 (current eID cards) requires a validate PIN instruction just before signing with the key of the non-repudiation certificate.
So if e.g. you do a ‘select algorithm’ instruction in between the ‘verifyPIN’ and the ‘compute digital signature’, the signing will fail with a security error (as you needed to validate the PIN just before trying to sign).
For testing purposes: When using the authentication certificate, this restriction is not active, and thus should work if it is the above error you are facing."
So I guess Aspose.PDF does this sequence: a ‘select algorithm’ instruction in between ‘verifyPIN’ and ‘compute digital signature’. The ‘compute digital signature’ should be right after the ‘verify PIN’.
From a legal point of view, we need to sign using the signature certificate to be compliant with the law.
Please fix this annoying issue. I don’t know if it is the same for other nationalities’ eID cards, but I guess it can be (as this is a security matter).
FYI, there is no issue signing with the signature certificate using Adobe Acrobat Reader.
Here is the call stack of the exception:
at Internal.Cryptography.CngCommon.SignHash(SafeNCryptKeyHandle keyHandle, ReadOnlySpan`1 hash, AsymmetricPaddingMode paddingMode, Void* pPaddingInfo, Int32 estimatedSize)
at System.Security.Cryptography.RSACng.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z1OAEuWc=(Byte[] #=z$ZsYy4A=, #=zCCSibLhnfKyR126MVnj5KHDq8bHvqRrkDoAMMlc= #=zlY6OybY=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, Stream #=zlY6OybY=, String #=zmEs3Y1c=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, X509Certificate2 #=z4uLsm9wyH8oU)
at Aspose.Pdf.Forms.Signature.#=z2l4cyFY=(String #=zHdhAWIw=, Stream #=zlY6OybY=, String #=zmEs3Y1c=)
at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature, Stream pfx, String pass)
at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature)
at Aspose.Pdf.Facades.PdfFileSignature.#=z4oJQIPrAGr1_(Stream #=zXnSxnB$Dzi64, Stream #=zykDMhKF5zYK4, String #=zhBw7Yrk=)
at Aspose.Pdf.Facades.PdfFileSignature.Save(Stream outputStream)
at Aspose.Pdf.Facades.PdfFileSignature.Save(String outputFile)
EDIT: this is the same issue as this one, but the signing hash of the certificate is SHA1 on older ID cards and SHA256 on more recent ones, with the same error message:
Thanks
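To make the access rule from the quoted reply concrete, here is a small Python model added to this thread. It is not Aspose's code and not the real eID applet's command set: the instruction names follow the quoted reply, and the "PIN verification must be the immediately preceding instruction" rule, the key names and the default algorithm are simplifying assumptions.

```python
class SecurityError(Exception):
    """Stands in for the card's 'security violation' status on the failing sequence."""


class ToyEidApplet:
    """Toy model (assumption, not the real applet) of a card with two keys:
    the authentication key only needs a verified PIN, while the non-repudiation
    key needs verifyPIN to be the instruction right before the signature."""

    def __init__(self, pin: str):
        self._pin = pin
        self._pin_verified = False
        self._last_instruction = None
        self.algorithm = "sha256-rsa"  # assumption: an algorithm is already selected

    def verify_pin(self, pin: str) -> bool:
        self._pin_verified = pin == self._pin
        self._last_instruction = "verifyPIN"
        return self._pin_verified

    def select_algorithm(self, name: str) -> None:
        # Any instruction between verifyPIN and the signature breaks the adjacency.
        self.algorithm = name
        self._last_instruction = "select algorithm"

    def compute_digital_signature(self, key: str, digest: bytes) -> bytes:
        previous, self._last_instruction = self._last_instruction, "compute digital signature"
        if key == "non-repudiation":
            allowed = self._pin_verified and previous == "verifyPIN"
        elif key == "authentication":
            allowed = self._pin_verified  # restriction not active for this key
        else:
            raise ValueError(f"unknown key: {key}")
        if not allowed:
            raise SecurityError("Access was denied because of a security violation.")
        # Placeholder 'signature'; a real card returns an RSA signature over the digest.
        return b"%s:%s:%s" % (self.algorithm.encode(), key.encode(), digest.hex().encode())


def sign_with_sequence(key: str, select_between: bool, pin: str = "1234") -> str:
    """Run verifyPIN [-> select algorithm] -> compute digital signature on a fresh
    card and report 'ok' or the card's error message."""
    card = ToyEidApplet(pin)
    card.verify_pin(pin)
    if select_between:
        card.select_algorithm("sha256-rsa")  # the extra step the quoted reply describes
    try:
        card.compute_digital_signature(key, bytes(32))  # constructed all-zero digest
        return "ok"
    except SecurityError as exc:
        return str(exc)
```

Running the four combinations shows the pattern reported in the thread: only the non-repudiation key with an instruction inserted between verifyPIN and the signature fails.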