0

I am new to the site so please correct me if I do something wrong.

I have been trying to digitally sign PDF documents from a smart card (never tried or done it before). So far I haven't had much luck, but I've tried exporting the certificates from my smart card and using them that way. The problem is that on the smart card there are 2 separate certificates, where one of them is used for authentication and has a private key, and the other is almost the same, only without the key. My goal is to build an application that will sign PDF files in batches. I am completely lost on this one, so I would really appreciate some help.

I tried implementing this but had no luck so far: Adding a Digital signature to a PDF with iTextSharp

Also tried this example, but the pfx file I get from exporting the certificate is invalid somehow: E-signing PDF documents with iTextSharp

Edit: The code I am currently trying to use is from this answer. The error I am getting is "Invalid flags specified". Below is the command-line output from the command CertUtil -ScInfo

================ Certificate 1 ================
--- Reader: Generic EMV Smartcard Reader 0
---   Card: SmartCafe Expert v7.0 with NetSeT PKI
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = ed70b1d1fbcb443ab1bb3bb40******

Serial Number: *********
Issuer: CN=********, O=********, OU=********, OID********, L=********, C=********
 NotBefore: 10.05.2022 07:42
 NotAfter: 10.05.2027 07:42
Subject: CN=******** ******** Sign, G=********, SN=********, SERIALNUMBER=CA:********, SERIALNUMBER=********, C=********
Non-root Certificate
Cert Hash(sha1): e30749b119fba55f6a8242d72d7e5e********

Performing AT_SIGNATURE public key matching test...
Public key matching test succeeded
  Key Container = ed70b1d1fbcb443ab1bb3bb40******
  Provider = Microsoft Base Smart Card Crypto Provider
  ProviderType = 1
  Flags = 1
    0x1 (1)
  KeySpec = 2 -- AT_SIGNATURE
Private key verifies

Performing cert chain verification...
Chain validates
Smart Card Logon: Chain validates
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.4.1.311.20.2.2 Smart Card Logon
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 167 Days, 1 Minutes, 7 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 167 Days, 1 Minutes, 7 Seconds

I am using the following input parameters in the app:

ProviderName = "Microsoft Base Smart Card Crypto Provider"
KeyContainerName = "ed70b1d1fbcb443ab1bb3bb40******"

CodeJunkie
  • There are different encryption modes. Read the certificates with Notepad and check which encryption mode is being used. – jdweng May 09 '22 at 12:14
  • Signing PDFs essentially is a combined task of 1) preparing the PDF for signing, 2) creating a CMS signature container signing the to-be-signed byte ranges of the prepared PDF, and 3) inserting the CMS container into the prepared PDF. For steps 1 and 3 you need iText (or some similar PDF library), But step 2 is independent from iText but very dependent on your signing device. Thus, have you already an implementation of "creating a CMS signature container signing some given byte stream or array"? – mkl May 09 '22 at 14:37
  • @mkl I have updated my post. I have added additional information on the code used as well as output from CertUtil – CodeJunkie May 10 '22 at 09:50
  • "Invalid flags specified" appears not to be a message from iText but from the other code. Thus, you should focus on an *implementation of "creating a CMS signature container signing some given byte stream or array"*. – mkl May 10 '22 at 15:21
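The following is an added example, not code from the question, the linked answers, or iText. It implements the split described in the comments above: iTextSharp handles steps 1 and 3 (preparing the PDF and embedding the CMS container), while step 2 is an IExternalSignature whose Sign method hands the byte range to the RSA object that Windows binds to the card, so the non-exportable key never leaves the card and no PFX export is needed. It assumes iTextSharp 5.5 with its bundled BouncyCastle, .NET Framework 4.6 or later (for GetRSAPrivateKey), that the card's certificates have been propagated into the current user's personal store, that the card's CSP supports SHA-256, and placeholder values for the thumbprint and the input/output folders.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.Security;
using BcX509Certificate = Org.BouncyCastle.X509.X509Certificate;

// Step 2: a signer that never sees the private key bytes. The to-be-signed data goes
// to the RSA object Windows bound to the card; the card performs the signature and
// the CSP/KSP prompts for the PIN when required.
public sealed class SmartCardSignature : IExternalSignature
{
    private readonly RSA _rsa;

    public SmartCardSignature(RSA rsa) { _rsa = rsa; }

    public string GetHashAlgorithm() => "SHA-256";
    public string GetEncryptionAlgorithm() => "RSA";

    // iTextSharp passes the raw covered bytes, not a digest; hash and sign here.
    public byte[] Sign(byte[] message) =>
        _rsa.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
}

public static class BatchSigner
{
    // Select the card certificate that actually carries a usable private key. Of the two
    // certificates on the card, only the one CertUtil reports with "Private key verifies"
    // passes the HasPrivateKey filter; the key-less twin is skipped.
    public static X509Certificate2 FindSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            foreach (X509Certificate2 cert in matches)
            {
                if (cert.HasPrivateKey)
                    return cert;
            }
        }
        throw new InvalidOperationException("No certificate with a private key found for thumbprint " + thumbprint);
    }

    public static void SignAll(string thumbprint, IEnumerable<string> inputPaths, string outputDir)
    {
        X509Certificate2 cert = FindSigningCertificate(thumbprint);
        // GetRSAPrivateKey resolves the CSP/KSP and key container from the certificate's
        // key reference, so no CspParameters (provider name, container, flags) are built by hand.
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Private key is not RSA or is not accessible.");

            IExternalSignature signer = new SmartCardSignature(rsa);
            BcX509Certificate[] chain = { DotNetUtilities.FromX509Certificate(cert) };

            foreach (string src in inputPaths)
            {
                string dest = Path.Combine(outputDir, Path.GetFileNameWithoutExtension(src) + "-signed.pdf");
                SignOne(src, dest, signer, chain);
            }
        }
    }

    // Steps 1 and 3: iTextSharp reserves the signature field and byte range, calls
    // signer.Sign on the covered bytes, and writes the resulting CMS container into the PDF.
    private static void SignOne(string src, string dest, IExternalSignature signer, BcX509Certificate[] chain)
    {
        using (var reader = new PdfReader(src))
        using (var os = new FileStream(dest, FileMode.Create, FileAccess.Write))
        {
            PdfStamper stamper = PdfStamper.CreateSignature(reader, os, '\0');
            PdfSignatureAppearance appearance = stamper.SignatureAppearance;
            appearance.Reason = "Batch signing";
            appearance.Location = "Office";
            appearance.SetVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "Signature1");
            // SignDetached closes the stamper once the CMS container has been embedded.
            MakeSignature.SignDetached(appearance, signer, chain, null, null, null, 0, CryptoStandard.CMS);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder: paste the Cert Hash(sha1) value from CertUtil -ScInfo, without spaces.
        const string thumbprint = "<CERT-HASH-SHA1-FROM-CERTUTIL>";
        // Placeholder folders for the batch (assumed, not from the question).
        BatchSigner.SignAll(thumbprint, Directory.GetFiles(@"C:\in", "*.pdf"), @"C:\out");
    }
}
```

Passing only the end-entity certificate in chain produces a signature that validators must complete from their own trust store; if the issuing CA certificates are available in the Windows store, add them to the array so the CMS container carries the full chain. Because the card signs each file individually, a batch of N documents means N PIN-protected signing operations unless the card's CSP caches the PIN for the session.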

1 Answer

0

What is the end goal? Web, console, or desktop app? Web is a little more complicated because it seems to only work with Java, unless you use an external certificate and private key to sign on the back end and put the user's signature info from their smart card in the signature field. Java is the only client software that can talk to the smartcard middleware to challenge the private key on the smart card that I know of. If it's a desktop or console app, then it should be easy. I'm using iText 7 with smartcard digital signatures. I'm doing the web one at the moment. We can't use Java anymore, so it is signed by the web server certificate but puts the smartcard info of the user in the digital signature field, if that makes sense. I can probably assist you in the right direction depending on your end goal.

  • Haven't really given this much thought ever since posting this question. I decided to use a third party app to sign my generated PDF documents as this was more time efficient at that time. – CodeJunkie Aug 19 '22 at 08:08
  • This could use more details. It is mostly opinion without any substance towards an answer. – JerodG Aug 21 '22 at 16:19
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Aug 21 '22 at 16:19