LTV Enabled Pdf Signing (Certificate Chain?)

[danielscoggins]

Hi,

I am signing pdfs using a USB Certificate Token. I noticed some threads regarding including the private key and LTV Enabled pdf signing, but with a usb certificate token I cannot load the private key the same way as with a PFX or certificate store certificate with private key.

How do I generate a LTV Enabled certificate using a USB Certificate Token?

Using the below code, I get a signed PDF but it is not LTV enabled:

Signature is not LTV enabled and will expire after 2010/07/15 09:23:41 -01'00'

I am instead looking for:

Signature is LTV enabled

Code: Select all

PdfDocument doc = new PdfDocument("Test.pdf");
PdfPageBase page = doc.Pages[0];

X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "My USB Token Cert", true);
X509Certificate2 cert = certs[0];

PdfCertificate pdfcert = new PdfCertificate(cert);

PdfSignature signature = new PdfSignature(doc, page, pdfcert, "signature");

signature.DocumentPermissions = PdfCertificationFlags.ForbidChanges;
signature.GraphicsMode = GraphicMode.SignDetail;

document.FileInfo.IncrementalUpdate = false;
document.CompressionLevel = PdfCompressionLevel.Best;

doc.SaveToFile("Signed_Test.pdf");
doc.Close();

[rachel.lei]

Hello,

Thanks for your inquiry.
Please refer to the following code snippet and download the latest Spire.PDF Pack(Hot Fix) Version:6.7.6 for testing. If there is any question, please get back to us ASAP.

Code: Select all

        //...
        PdfSignature signature = new PdfSignature(doc, page, pdfcert, "signature");
        signature.DocumentPermissions = PdfCertificationFlags.ForbidChanges;
        signature.GraphicsMode = GraphicMode.SignDetail;

        //!!!Configure OCSP which must conform to RFC 2560
        signature.ConfigureHttpOCSP(null, null);

        //...

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

I added the suggested line and now I get the error below.

export private key failed.

at spr⣗.ᜀ(Byte[][] A_0)
at spr⣪.ᜀ(Byte[][] A_0)
at spr⣪.ᜀ()
at spr⣪.ᜂ(spr᜶ A_0)
at spr⣪.ᜀ(Object A_0, spr᝞ A_1)
at spr᝜.ᜀ(spr᝞ A_0)
at spr᝜.ᜀ(spr᜶ A_0, Boolean A_1)
at spr᝜.ᜅ(spr᜶ A_0)
at spr៞.ᜀ(spr᜴ A_0, sprᝣ A_1, spr៧ A_2)
at spr៞.ᜀ(spr᜴ A_0, spr៧ A_1)
at spr៞.ᜄ(spr៧ A_0)
at spr៞.ᜅ(spr៧ A_0)
at sprᢋ.ᜁ(spr៧ A_0)
at sprᢋ.ᜁ(Stream A_0)
at Spire.Pdf.PdfDocument.SaveToStream(Stream stream)

I tried two different ways, with null in both values, and also, with the certificate chain defined.

Thanks,
Daniel

[rachel.lei]

Hello,

Thanks for your feedback.
I tested the code with a USB Certificate Token and indeed got the same error. I have posted this issue to our Dev team with the ticket SPIREPDF-3426 for further investigation. We will let you know if there is any update. Apologize for the inconvenience caused.

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

Any update or resolution timeline for this item?

Thanks,
Daniel

[rachel.lei]

Hi Daniel,

Thanks for your following up.
I got news from our Dev team that this issue has been fixed. It is now in the testing phase. If it passes the test, we will prepare a hotfix for you ASAP. Thanks for you patience.

Sincerely,
Rachel
E-iuceblue support team

[rachel.lei]

Hi Daniel,

Hope you are doing well.
I just got news from our Test team that your issue has resolved. Now they are doing more testing on the new version. Once the new version is released, we will inform you ASAP.

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

How is the testing going?

Thanks,
Daniel

[rachel.lei]

Hi Daniel,

I got news from our Test team that they plan to release a new version within this week. When the new version is released, I will inform you immediately.

Sincerely,
Rachel
E-iceblue support team

[rachel.lei]

Hi Daniel,

Hope you are doing well.
The new version is available now, please download it from the following links.
Our Website: https://www.e-iceblue.com/Download/down ... t-now.html
Nuget: https://www.nuget.org/packages/Spire.PDF/6.8.1

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

Thank you. The hotfix fixed this issue!

[rachel.lei]

Hello,

Glad to hear that!
If you encounter any issues related to our product in the future, just feel free to contact us.
Wish you all the best!

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

I have a follow up issues/question. I've moved my code to windows server 2016 and now get the below error only when signing with the method "ConfigureHttpOCSP". When I sign the document with out ConfigureHttpOCSP, the document signs OK, it's just not LTV enabled. FYI, it fails when calling "document.SaveToStream(ms)".

Message: The system cannot find the file specified.
Stack Trace:
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash, Int32 cbHash, ObjectHandleOnStack retSignature)
at System.Security.Cryptography.Utils.SignValue(SafeKeyHandle hKey, Int32 keyNumber, Int32 calgKey, Int32 calgHash, Byte[] hash)
at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, Int32 calgHash)
at System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
at spr⤚.ᜃ()
at sprⰍ.ᜀ()
at sprⳬ.ᜀ.ᜀ(sprⶻ A_0, spr⳥ A_1, spr⨄ A_2)
at sprⳬ.ᜀ(String A_0, spr⳥ A_1, Boolean A_2)
at spr⤘.ᜀ(Byte[][] A_0)
at spr⤭.ᜀ(Byte[][] A_0)
at spr⤭.ᜀ()
at spr⤭.ᜂ(sprᝮ A_0)
at spr⤭.ᜀ(Object A_0, sprព A_1)
at sprប.ᜀ(sprព A_0)
at sprប.ᜀ(sprᝮ A_0, Boolean A_1)
at sprប.ᜅ(sprᝮ A_0)
at spr᠖.ᜀ(sprᝬ A_0, sprល A_1, spr᠟ A_2)
at spr᠖.ᜀ(sprᝬ A_0, spr᠟ A_1)
at spr᠖.ᜄ(spr᠟ A_0)
at spr᠖.ᜅ(spr᠟ A_0)
at sprᣃ.ᜁ(spr᠟ A_0)
at sprᣃ.ᜁ(Stream A_0)
at Spire.Pdf.PdfDocument.SaveToStream(Stream stream)

[rachel.lei]

Hello,

Sorry for the late reply as weekend.
I tested your case on Windows Server 2016, but did not encounter any issue. This is my test project, you can try it with your own certificate. If the issue still occurs, please provide your test file, your certificate file and password. You could send them to us (support@e-iceblue.com) via email. Don’t worry, we promise to keep your files confidential and we will not use them for any other purpose.

Sincerely,
Rachel
E-iceblue support team

[danielscoggins]

Hi Rachel,

Was the certificate in your test a USB Certificate Token?

Thanks for the reply,

Daniel