And thank you for the update. --Mark Storer Senior Software Engineer Cardiff.com import legalese.Disclaimer; Disclaimer<Cardiff> DisCard = null;
> -----Original Message----- > From: Mike Chynoweth [mailto:[email protected]] > Sent: Monday, September 27, 2010 12:01 PM > To: Post all your questions about iText here > Subject: Re: [iText-questions] Luna SA (HSM) Integration with > iTextSharp > > For the sake of closure and perhaps saving someone else from > running off on the same wild goose chase in the future, I > thought I would post an update here. > > The issue was related to my own lack of understanding of the > Luna SA HSM. The setup instructions with the device included > generation of a client certificate that was then installed on > the HSM. I took this to mean that the client certificate > that was generated as part of that process was in fact the > certificate I would be using for signing. > > After speaking with SafeNet support, I discovered that the > client certificate referred to in the documentation was not > for general use and was related to establishing the secure > trusted relationship between the HSM and my computer. > > Once I realized this, I was able to generate a test > self-signed certificate using makecert and just specifying > the correct parameters: > > makecert -sk keyContainerName -sp "Luna Cryptographic > Services for Microsoft Windows" -sy 1, -r -n "CN=issuer" -ss > my test.cer > > Once this was done, I had a certificate in the "My" store > that essentially contained pointers to the keys stored on the > HSM. I was then able to use the example code to quickly have > success in signing the PDF. > > Another case of an early misunderstanding leading to > over-thinking and over-engineering (that in this case still > didn't end up working). In reality, this integration is > pretty straight forward. I'm including the sample C# code > that I have working for signing a PDF using the Luna HSM > below. Thanks to all of you that responded. > > Mike > > > static void SignPdf() > { > X509Store store = new X509Store(StoreName.My, > StoreLocation.CurrentUser); > store.Open(OpenFlags.MaxAllowed); > > X509Certificate2 cert = null; > int i = 0; > while ((i < store.Certificates.Count) && (cert == null)) > { > if (store.Certificates[i].Subject == "CN=name") > cert = store.Certificates[i]; > else > i++; > } > > Org.BouncyCastle.X509.X509CertificateParser cp = > new Org.BouncyCastle.X509.X509CertificateParser(); > Org.BouncyCastle.X509.X509Certificate[] chain = > new Org.BouncyCastle.X509.X509Certificate[]{ > cp.ReadCertificate(cert.RawData) }; > > PdfReader reader = new PdfReader(@"C:\file.pdf"); > PdfStamper stp = > PdfStamper.CreateSignature(reader, new > FileStream("c:\\file_signed.pdf", FileMode.Create), '\0'); > stp.FormFlattening = true; > > PdfSignatureAppearance sap = stp.SignatureAppearance; > sap.SignDate = DateTime.Now; > sap.SetCrypto(null, chain, null, null); > sap.Reason = "PDF Signing"; > sap.Location = "My Location"; > sap.Acro6Layers = true; > sap.Render = > PdfSignatureAppearance.SignatureRender.NameAndDescription; > > PdfSignature dic = new > PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1); > dic.Date = new PdfDate(sap.SignDate); > dic.Name = > PdfPKCS7.GetSubjectFields(chain[0]).GetField("CN"); > if (sap.Reason != null) > dic.Reason = sap.Reason; > if (sap.Location != null) > dic.Location = sap.Location; > sap.CryptoDictionary = dic; > > int csize = 4000; > Hashtable exc = new Hashtable(); > exc[PdfName.CONTENTS] = csize * 2 + 2; > sap.PreClose(exc); > > HashAlgorithm sha = new SHA1CryptoServiceProvider(); > > Stream s = sap.RangeStream; > int read = 0; > byte[] buff = new byte[8192]; > while ((read = s.Read(buff, 0, 8192)) > 0) > sha.TransformBlock(buff, 0, read, buff, 0); > sha.TransformFinalBlock(buff, 0, 0); > > byte[] pk = SignMsg(sha.Hash, cert, false); > byte[] outc = new byte[csize]; > Array.Copy(pk, 0, outc, 0, pk.Length); > > PdfDictionary dic2 = new PdfDictionary(); > dic2.Put(PdfName.CONTENTS, new > PdfString(outc).SetHexWriting(true)); > sap.Close(dic2); > } > static public byte[] SignMsg(Byte[] msg, > X509Certificate2 signerCert, bool detached) > { > // Place message in a ContentInfo object. > // This is required to build a SignedCms object. > ContentInfo contentInfo = new ContentInfo(msg); > > // Instantiate SignedCms object with the > ContentInfo above. > // Has default SubjectIdentifierType > IssuerAndSerialNumber. > SignedCms signedCms = new SignedCms(contentInfo, > detached); > > // Formulate a CmsSigner object for the signer. > CmsSigner cmsSigner = new CmsSigner(signerCert); > > // Include the following line if the top > certificate in the > // smartcard is not in the trusted list. > cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly; > > // Sign the CMS/PKCS #7 message. The second argument is > // needed to ask for the pin. > signedCms.ComputeSignature(cmsSigner, false); > > // Encode the CMS/PKCS #7 message. > return signedCms.Encode(); > } > > -----Original Message----- > From: Mike Chynoweth [mailto:[email protected]] > Sent: Friday, September 24, 2010 8:22 AM > To: Post all your questions about iText here > Subject: Re: [iText-questions] Luna SA (HSM) Integration with > iTextSharp > > Not that I've been able to see - although it is always > possible that I'm just missing something. > > I can gain indirect access to the device using CspParameters > to reference the Luna Cryptographic Service Provider. This > essentially gives me a handle I can use for signing/verifying > etc. As an example, the following works fine: > > CspParameters csp = new CspParameters(1, "Luna > Cryptographic Services for Microsoft Windows"); > csp.KeyContainerName = "containerName"; > > using (RSACryptoServiceProvider rsa = new > RSACryptoServiceProvider(csp)) > { > string originalString = "test"; > byte[] originalData = > Encoding.UTF8.GetBytes(originalString); > > byte[] signedData = rsa.SignData(originalData, > new SHA1CryptoServiceProvider()); > > bool isValid = rsa.VerifyData(originalData, new > SHA1CryptoServiceProvider(), signedData); > > Debug.Assert(isValid); > } > > I've tried to use the .NET CmsSigner overload that accepts > CspParameters as an overload (instead of passing a > certificate reference): > > static public byte[] SignContent(Byte[] content, > CspParameters cspParameters, bool detached) > { > ContentInfo contentInfo = new ContentInfo(content); > SignedCms signedCms = new > SignedCms(contentInfo, detached); > CmsSigner cmsSigner = new CmsSigner(cspParameters); > > signedCms.ComputeSignature(cmsSigner, false); > > return signedCms.Encode(); > } > > But when I do, I run into a "Bad Key" exception: > > Exception: > System.Security.Cryptography.CryptographicException > > Message: > Bad Key. > > Stack Trace: > at > System.Security.Cryptography.Pkcs.PkcsUtils.CreateDummyCertifi > cate(CspParameters parameters) > at > System.Security.Cryptography.Pkcs.CmsSigner..ctor(CspParameter > s parameters) > at > ConsoleApplication5.Program.SignContent(Byte[] content, > CspParameters cspParameters, Boolean detached) in > C:\dev\ConsoleApplication5\Program.cs:line 193 > at ConsoleApplication5.Program.Main(String[] args) > at > System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args) > at > Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() > at > System.Threading.ExecutionContext.Run(ExecutionContext > executionContext, ContextCallback callback, Object state) > at System.Threading.ThreadHelper.ThreadStart() > > This makes it seem like there is something unsupported in the > way I'm trying to call it. I've dug into the issue further > by making the CAPI calls directly, and I've narrowed the > issue down to the point in the internal .NET > 'CreateDummyCertificate' method where the call to the CAPI > method 'CertCreateSelfSignCertificate' is made (which is > where the 'Bad Key' exception occurs). > > Given that others have gotten this to work on Java, I know > the device supports this type of use-case, and I know it's > not an issue with iText/iTextSharp. So at this point, I'm > just trying to figure out the missing pieces with how it > should be implemented in .NET. > > Mike > > -----Original Message----- > From: Paulo Soares [mailto:[email protected]] > Sent: Friday, September 24, 2010 7:28 AM > To: Post all your questions about iText here > Subject: Re: [iText-questions] Luna SA (HSM) Integration with > iTextSharp > > The example > http://itextpdf.sourceforge.net/howtosign.html#signextitextsha > rp2 should be able to sign with anything present in the > windows certificate store, including smartcards. Doesn't the > Luna also appear in the certificate store? > > Paulo > > -----Original Message----- > From: Mike Chynoweth [mailto:[email protected]] > Sent: Friday, September 24, 2010 12:18 PM > To: Post all your questions about iText here > Subject: Re: [iText-questions] Luna SA (HSM) Integration with > iTextSharp > > Thanks for the responses - I appreciate the help. I've been > able to apply local certificates without an issue, but the > difficulty I've been having is with how to fit the Luna SA > (HSM) piece into the puzzle. I've seen some great resources > and examples out there for doing this in Java, but I haven't > found how to do this in C#. > > I've done a lot of experimentation with the built-in .NET > classes as well as taking a more direct approach and working > directly with CAPI, etc. Unfortunately, I still seem to be > missing something with how the whole process should work in a > .NET (C#) environment. > > Any further guidance that can be offered would be greatly > appreciated. Thanks. > > Mike > > -----Original Message----- > From: msinatl [mailto:[email protected]] > Sent: Thursday, September 23, 2010 1:16 PM > To: [email protected] > Subject: Re: [iText-questions] Luna SA (HSM) Integration with > iTextSharp > > > Hi Mike, > > Here is another example: > http://geekcredential.wordpress.com/2010/09/13/signing-a-pdf-w ith-itext-and-a-luna-hsm/ > > Thanks to Cristophe; I borrowed his solution for building the > certificate chain. > -- > View this message in context: > http://itext-general.2136553.n4.nabble.com/Luna-SA-HSM-Integra tion-with-iTextSharp-tp2552278p2552414.html > Sent from the iText - General mailing list archive at Nabble.com. > > -------------------------------------------------------------- > ---------------- > Nokia and AT&T present the 2010 Calling All Innovators-North > America contest Create new apps & games for the Nokia N8 for > consumers in U.S. and Canada $10 million total in prizes - > $4M cash, 500 devices, nearly $6M in marketing Develop with > Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store > http://p.sf.net/sfu/nokia-dev2dev > _______________________________________________ > iText-questions mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/itext-questions > > Buy the iText book: http://www.itextpdf.com/book/ Check the > site with examples before you ask questions: > http://www.1t3xt.info/examples/ You can also search the > keywords list: http://1t3xt.info/tutorials/keywords/ > > -------------------------------------------------------------- > ---------------- > Nokia and AT&T present the 2010 Calling All Innovators-North > America contest Create new apps & games for the Nokia N8 for > consumers in U.S. and Canada $10 million total in prizes - > $4M cash, 500 devices, nearly $6M in marketing Develop with > Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store > http://p.sf.net/sfu/nokia-dev2dev > _______________________________________________ > iText-questions mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/itext-questions > > Buy the iText book: http://www.itextpdf.com/book/ Check the > site with examples before you ask questions: > http://www.1t3xt.info/examples/ You can also search the > keywords list: http://1t3xt.info/tutorials/keywords/ > > > Aviso Legal: > > Esta mensagem ? destinada exclusivamente ao destinat?rio. > Pode conter informa??o confidencial ou legalmente protegida. > A incorrecta transmiss?o desta mensagem n?o significa a perca > de confidencialidade. Se esta mensagem for recebida por > engano, por favor envie-a de volta para o remetente e > apague-a do seu sistema de imediato. ? proibido a qualquer > pessoa que n?o o destinat?rio de usar, revelar ou distribuir > qualquer parte desta mensagem. > > > > Disclaimer: > > This message is destined exclusively to the intended > receiver. It may contain confidential or legally protected > information. The incorrect transmission of this message does > not mean the loss of its confidentiality. If this message is > received by mistake, please send it back to the sender and > delete it from your system immediately. It is forbidden to > any person who is not the intended receiver to use, > distribute or copy any part of this message. > > > > > -------------------------------------------------------------- > ---------------- > Nokia and AT&T present the 2010 Calling All Innovators-North > America contest Create new apps & games for the Nokia N8 for > consumers in U.S. and Canada $10 million total in prizes - > $4M cash, 500 devices, nearly $6M in marketing Develop with > Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store > http://p.sf.net/sfu/nokia-dev2dev > _______________________________________________ > iText-questions mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/itext-questions > > Buy the iText book: http://www.itextpdf.com/book/ Check the > site with examples before you ask questions: > http://www.1t3xt.info/examples/ You can also search the > keywords list: http://1t3xt.info/tutorials/keywords/ > > -------------------------------------------------------------- > ---------------- > Start uncovering the many advantages of virtual appliances > and start using them to simplify application deployment and > accelerate your shift to cloud computing. > http://p.sf.net/sfu/novell-sfdev2dev > _______________________________________________ > iText-questions mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/itext-questions > > Buy the iText book: http://www.itextpdf.com/book/ Check the > site with examples before you ask questions: > http://www.1t3xt.info/examples/ You can also search the > keywords list: http://1t3xt.info/tutorials/keywords/ > > ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev _______________________________________________ iText-questions mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/itext-questions Buy the iText book: http://www.itextpdf.com/book/ Check the site with examples before you ask questions: http://www.1t3xt.info/examples/ You can also search the keywords list: http://1t3xt.info/tutorials/keywords/
