Hi Jaroslav,
Thank you giving time to reply my question i would like to share you following cases need to clarify from your end
1.Slots not showin in below source code
/// <summary>
/// Initializes a new instance of the Pkcs11Signature class
/// </summary>
/// <param name="libraryPath">Path to the unmanaged PCKS#11 library</param>
/// <param name="tokenSerial">Serial number of the token (smartcard) that contains signing key. May be null if tokenLabel is specified.</param>
/// <param name="tokenLabel">Label of of the token (smartcard) that contains signing key. May be null if tokenSerial is specified.</param>
/// <param name="pin">PIN for the token (smartcard)</param>
/// <param name="ckaLabel">Label (value of CKA_LABEL attribute) of the private key used for signing. May be null if ckaId is specified.</param>
/// <param name="ckaId">Hex encoded string with identifier (value of CKA_ID attribute) of the private key used for signing. May be null if ckaLabel is specified.</param>
/// <param name="hashAlgorihtm">Hash algorihtm used for the signature creation</param>
public Pkcs11RsaSignature(string libraryPath, string tokenSerial, string tokenLabel, string pin, string ckaLabel, string ckaId, HashAlgorithm hashAlgorihtm)
{
byte[] pinValue = (pin == null) ? null : ConvertUtils.Utf8StringToBytes(pin);
byte[] ckaIdValue = (ckaId == null) ? null : ConvertUtils.HexStringToBytes(ckaId);
InitializePkcs11Signature(libraryPath, tokenSerial, tokenLabel, pinValue, ckaLabel, ckaIdValue, hashAlgorihtm);
}
/// <summary>
/// Initializes a new instance of the Pkcs11Signature class
/// </summary>
/// <param name="libraryPath">Path to the unmanaged PCKS#11 library</param>
/// <param name="tokenSerial">Serial number of the token (smartcard) that contains signing key. May be null if tokenLabel is specified.</param>
/// <param name="tokenLabel">Label of of the token (smartcard) that contains signing key. May be null if tokenSerial is specified.</param>
/// <param name="pin">PIN for the token (smartcard)</param>
/// <param name="ckaLabel">Label (value of CKA_LABEL attribute) of the private key used for signing. May be null if ckaId is specified.</param>
/// <param name="ckaId">Identifier (value of CKA_ID attribute) of the private key used for signing. May be null if ckaLabel is specified.</param>
/// <param name="hashAlgorihtm">Hash algorihtm used for the signature creation</param>
public Pkcs11RsaSignature(string libraryPath, string tokenSerial, string tokenLabel, byte[] pin, string ckaLabel, byte[] ckaId, HashAlgorithm hashAlgorihtm)
{
InitializePkcs11Signature(libraryPath, tokenSerial, tokenLabel, pin, ckaLabel, ckaId, hashAlgorihtm);
}
/// <summary>
/// Initializes a new instance of the Pkcs11Signature class
/// </summary>
/// <param name="libraryPath">Path to the unmanaged PCKS#11 library</param>
/// <param name="tokenSerial">Serial number of the token (smartcard) that contains signing key. May be null if tokenLabel is specified.</param>
/// <param name="tokenLabel">Label of of the token (smartcard) that contains signing key. May be null if tokenSerial is specified.</param>
/// <param name="pin">PIN for the token (smartcard)</param>
/// <param name="ckaLabel">Label (value of CKA_LABEL attribute) of the private key used for signing. May be null if ckaId is specified.</param>
/// <param name="ckaId">Identifier (value of CKA_ID attribute) of the private key used for signing. May be null if ckaLabel is specified.</param>
/// <param name="hashAlgorihtm">Hash algorihtm used for the signature creation</param>
private void InitializePkcs11Signature(string libraryPath, string tokenSerial, string tokenLabel, byte[] pin, string ckaLabel, byte[] ckaId, HashAlgorithm hashAlgorihtm)
{
try
{
if (string.IsNullOrEmpty(libraryPath))
throw new ArgumentNullException("libraryPath");
_pkcs11 = new Pkcs11(libraryPath, true);
_slot = GetUsableSlot(_pkcs11); //FindSlot(tokenSerial, tokenLabel); èFindSlot Function returning null value whether HSM having 1 slots.I had cread one methods which pass pkcs showing at below as
if (_slot == null)
throw new TokenNotFoundException(string.Format("Token with serial \"{0}\" and label \"{1}\" was not found", tokenSerial, tokenLabel));
_session = _slot.OpenSession(true);
_session.Login(CKU.CKU_USER, pin);
_privateKeyHandle = FindPrivateKey(ckaLabel, ckaId);
_ckaLabel = ckaLabel;
_ckaId = ckaId;
if (!Enum.IsDefined(typeof(HashAlgorithm), hashAlgorihtm))
throw new ArgumentException("Invalid hash algorithm specified");
_hashAlgorihtm = hashAlgorihtm;
}
catch
{
if (_session != null)
{
_session.Dispose();
_session = null;
}
if (_pkcs11 != null)
{
_pkcs11.Dispose();
_pkcs11 = null;
}
throw;
}
}
#endregion
//NILESH
private Slot GetUsableSlot(Pkcs11 pkcs11)
{
// Get list of available slots
List<Slot> slots = pkcs11.GetSlotList(true);
// Let's use first slot with token present
return slots[0];
}
#region Private methods
/// <summary>
/// Finds slot containing the token that matches specified criteria
/// </summary>
/// <param name="tokenSerial">Serial number of token that should be found</param>
/// <param name="tokenLabel">Label of token that should be found</param>
/// <returns>Slot containing the token that matches specified criteria</returns>
private Slot FindSlot(string tokenSerial, string tokenLabel)
{
if (this._disposed)
throw new ObjectDisposedException(this.GetType().FullName);
if (string.IsNullOrEmpty(tokenSerial) && string.IsNullOrEmpty(tokenLabel))
throw new ArgumentException("Token serial and/or label has to be specified");
List<Slot> slots = _pkcs11.GetSlotList(true);
foreach (Slot slot in slots)
{
TokenInfo tokenInfo = null;
try
{
tokenInfo = slot.GetTokenInfo();
}
catch (Pkcs11Exception ex)
{
if (ex.RV != CKR.CKR_TOKEN_NOT_RECOGNIZED && ex.RV != CKR.CKR_TOKEN_NOT_PRESENT)
throw;
}
if (tokenInfo == null)
continue;
if (!string.IsNullOrEmpty(tokenSerial))
if (0 != String.Compare(tokenSerial, tokenInfo.SerialNumber, StringComparison.InvariantCultureIgnoreCase))
continue;
if (!string.IsNullOrEmpty(tokenLabel))
if (0 != String.Compare(tokenLabel, tokenInfo.Label, StringComparison.InvariantCultureIgnoreCase))
continue;
return slot;
}
return null;
}
//NILESH
private Slot GetUsableSlot(Pkcs11 pkcs11)
{
// Get list of available slots
List<Slot> slots = pkcs11.GetSlotList(true);
// Let's use first slot with token present
return slots[0];
}
/// <summary>
/// Finds slot containing the token that matches specified criteria
/// </summary>
/// <param name="tokenSerial">Serial number of token that should be found</param>
/// <param name="tokenLabel">Label of token that should be found</param>
/// <returns>Slot containing the token that matches specified criteria</returns>
private Slot FindSlot(string tokenSerial, string tokenLabel)
{
if (this._disposed)
throw new ObjectDisposedException(this.GetType().FullName);
if (string.IsNullOrEmpty(tokenSerial) && string.IsNullOrEmpty(tokenLabel))
throw new ArgumentException("Token serial and/or label has to be specified");
List<Slot> slots = _pkcs11.GetSlotList(true);
foreach (Slot slot in slots)
{
TokenInfo tokenInfo = null;
try
{
tokenInfo = slot.GetTokenInfo();
}
catch (Pkcs11Exception ex)
{
if (ex.RV != CKR.CKR_TOKEN_NOT_RECOGNIZED && ex.RV != CKR.CKR_TOKEN_NOT_PRESENT)
throw;
}
if (tokenInfo == null)
continue;
if (!string.IsNullOrEmpty(tokenSerial))
if (0 != String.Compare(tokenSerial, tokenInfo.SerialNumber, StringComparison.InvariantCultureIgnoreCase))
continue;
if (!string.IsNullOrEmpty(tokenLabel))
if (0 != String.Compare(tokenLabel, tokenInfo.Label, StringComparison.InvariantCultureIgnoreCase)) /// returning -1
continue;
return slot;
}
return null;
}
In above case I had tried lot of time for your source code but failed.I want to clear from your end whether I have created only 1 slots in HSM that’s the problem or any other please clear me I want to know String.Compare(tokenLabel, tokenInfo.Label, StringComparison.InvariantCultureIgnoreCase) why the comparision is required to check
2.issue related to digital certificate not sign to pdf I had refered all the code from Pkcs11Interop.PDF-master
I got another error on ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
“Provided certificates do not contain self-signed root certificate"
at Net.Pkcs11Interop.PDF.CertUtils.BuildCertPath(Byte[] signingCertificate, List`1 otherCertificates) in c:\Users\INT3401\Desktop\HSMBySify\Pkcs11Interop.PDF-master\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF\CertUtils.cs:line 182
at HSMCOMM.Form1.SignPdfDocument() in c:\Users\INT3401\Desktop\HSMBySify\Practise\HSMCOMM\HSMCOMM\Form1.cs:line 252
at HSMCOMM.Form1.button2_Click(Object sender, EventArgs e) in c:\Users\INT3401\Desktop\HSMBySify\Practise\HSMCOMM\HSMCOMM\Form1.cs:line 179
error raise on below your source code
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
trustAnchors.Add(new TrustAnchor(otherCert, null)); //error come at that line
}
I request to please go with HSM details that shared from HSM vendor and certificate is attached.
HSM Appliance
Login : admin
pwd : P@ssw0rd
Partition Name : partition1 / Slot1
P@ssw0rd
handle=14 label=Nilesh Chaudhari : Certificate
handle=18 label=Nilesh Chaudhari : Public Key
handle=19 label=Nilesh Chaudhari : Private Key
id = 111111
...
I got another error on ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
“Provided certificates do not contain self-signed root certificate"
at Net.Pkcs11Interop.PDF.CertUtils.BuildCertPath(Byte[] signingCertificate, List`1 otherCertificates) in c:\Users\INT3401\Desktop\HSMBySify\Pkcs11Interop.PDF-master\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF\CertUtils.cs:line 182
at HSMCOMM.Form1.SignPdfDocument() in c:\Users\INT3401\Desktop\HSMBySify\Practise\HSMCOMM\HSMCOMM\Form1.cs:line 252
at HSMCOMM.Form1.button2_Click(Object sender, EventArgs e) in c:\Users\INT3401\Desktop\HSMBySify\Practise\HSMCOMM\HSMCOMM\Form1.cs:line 179
error raise on below your source code
foreach (byte[] otherCertificate in otherCertificates)
{
BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate);
otherCerts.Add(ToBouncyCastleObject(otherCertificate));
if (IsSelfSigned(otherCert))
trustAnchors.Add(new TrustAnchor(otherCert, null)); //error come at that line
}
I request to please go with HSM
details that i had already shared you and certificate is attached also
...
Thank you jaroslave can I pass null value to outer certicate.if
possible then let me know
...
...
C:\Users\INT3401\Desktop\HSMBySify\Pkcs11Interop.PDF-master\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF.Demo\bin\Release>pkcs11Interop.PDF.Demo.exe --pkcs11-library "cryptoki.dll" "--sign" "--token-serial" "454186010" "--token-label" "partition1" "--key-label" "Nilesh Chaudhari" "--pin" "P@ssw0rd" "--input-pdf" "C\temp\unsigned.pdf" "--output-pdf" "C\tem\Signed.pdf"
Signing PDF document "C\temp\unsigned.pdf" using private key with ID "" and label "Nilesh Chaudhari" stored on token with serial "454186010" and label "partition1"
Operation error: Org.BouncyCastle.Pkix.PkixCertPathBuilderException - Provided certificates do not contain self-signed root certificate
at Net.Pkcs11Interop.PDF.CertUtils.BuildCertPath(Byte[] signingCertificate, List`1 otherCertificates) in c:\Users\INT3401\Desktop\HSMBySify\Pkcs11Interop.PDF-master\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF\CertUtils.cs:line 182
at Net.Pkcs11Interop.PDF.DemoApp.Main(String[] args) in c:\Users\INT3401\Desktop\HSMBySify\Pkcs11Interop.PDF-master\Pkcs11Interop.PDF-master\src\Pkcs11Interop.PDF.Demo\DemoApp.cs:line 377
...
...
...
I want some clarification from your side.every time i need to pass root certificate through path why that need to pass.
...
I want to sign in bulk i.e unsigned PDF call from folder and sign all the PDF through Pkcs11Interop.PDF library.
tell me how i show PDF sign notation inside PDF.
--
You received this message because you are subscribed to a topic in the Google Groups "Pkcs11Interop" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/pkcs11interop/zcajK5RQh9g/unsubscribe.
To unsubscribe from this group and all its topics, send an email to pkcs11intero...@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at https://groups.google.com/group/pkcs11interop.
To view this discussion on the web visit https://groups.google.com/d/msgid/pkcs11interop/7e3ccae9-268d-4afe-896f-0f5d0c2c8f49%40googlegroups.com.
--
You received this message because you are subscribed to a topic in the Google Groups "Pkcs11Interop" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/pkcs11interop/zcajK5RQh9g/unsubscribe.
To unsubscribe from this group and all its topics, send an email to pkcs11intero...@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at https://groups.google.com/group/pkcs11interop.
To view this discussion on the web visit https://groups.google.com/d/msgid/pkcs11interop/11af648b-d106-45fd-87ab-79d2315c3e9b%40googlegroups.com.
string signedPdfPath = @"C:\pdfcertificates\signed\sn.pdf";
string libraryPath = @"C:\Windows\System32\SignatureP11.dll";
// Do something interesting with unsigned PDF document
FileInfo unsignedPdfInfo = new FileInfo(unsignedPdfPath);
// Assert.IsTrue(unsignedPdfInfo.Length > 0);
// Specify label of of the token that contains signing key. May be null if tokenSerial is specified
string tokenLabel = null;
// Specify PIN for the token
string pin = "987654";
// Specify label (value of CKA_LABEL attribute) of the private key used for signing. May be null if ckaId is specified.
string ckaLabel = null;
// Specify hex encoded string with identifier (value of CKA_ID attribute) of the private key used for signing. May be null if ckaLabel is specified.
string ckaId = "686a9f35e1eb104ae05e9c65df715481b38ced40";
// Specify hash algorihtm used for the signature creation
HashAlgorithm hashAlgorithm = HashAlgorithm.SHA256;
string certsDir = @"C:\Program Files (x86)\Watchdata\WD PROXKey\Cert";
// Create instance of Pkcs11Signature class that allows iText to create PKCS#1 v1.5 RSA signature with the private key stored on PKCS#11 compatible device
using (Pkcs11RsaSignature pkcs11RsaSignature = new Pkcs11RsaSignature(libraryPath, tokenSerial, tokenLabel, pin, ckaLabel, ckaId, hashAlgorithm))
{
// When signing certificate is stored on the token it can be usually read with GetSigningCertificate() method
byte[] signingCertificate = pkcs11RsaSignature.GetSigningCertificate();
// All certificates stored on the token can be usually read with GetAllCertificates() method
List<byte[]> otherCertificates = pkcs11RsaSignature.GetAllCertificates();
// Read additional certificates from directory
if (!string.IsNullOrEmpty(certsDir))
foreach (string file in Directory.GetFiles(certsDir))
otherCertificates.Add(File.ReadAllBytes(file));
// Build certification path for the signing certificate
ICollection<Org.BouncyCastle.X509.X509Certificate> certPath = CertUtils.BuildCertPath(signingCertificate, otherCertificates);
// Read unsigned PDF document
using (PdfReader pdfReader = new PdfReader(unsignedPdfPath))
{
// Create output stream for signed PDF document
using (FileStream outputStream = new FileStream(signedPdfPath, FileMode.Create))
{
// Create PdfStamper that applies extra content to the PDF document
using (PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, outputStream, '\0', Path.GetTempFileName(), true))
{
// Sign PDF document
MakeSignature.SignDetached(pdfStamper.SignatureAppearance, pkcs11RsaSignature, certPath, null, null, null, 0, CryptoStandard.CADES);
}
}
}
}
--
You received this message because you are subscribed to a topic in the Google Groups "Pkcs11Interop" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/pkcs11interop/zcajK5RQh9g/unsubscribe.
To unsubscribe from this group and all its topics, send an email to pkcs11intero...@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at https://groups.google.com/group/pkcs11interop.
To view this discussion on the web visit https://groups.google.com/d/msgid/pkcs11interop/9218bb67-9e60-4547-b9ec-116230a22174%40googlegroups.com.
To unsubscribe from this group and all its topics, send an email to pkcs11intero...@googlegroups.com.
To post to this group, send email to pkcs11...@googlegroups.com.
Visit this group at https://groups.google.com/group/pkcs11interop.
To view this discussion on the web visit https://groups.google.com/d/msgid/pkcs11interop/860e91d0-7072-46ca-ba17-8adf321154fd%40googlegroups.com.
using (PdfStamper pdfStamper = PdfStamper.CreateSignature(pdfReader, outputStream, '\0', Path.GetTempFileName(), true))
{
// Sign PDF document
PdfSignatureAppearance signapp= pdfStamper.SignatureAppearance;
signapp.Reason=reason;
signapp.Location=location;
signapp.SignDate=DateTime.Now;
signapp.SetVisibleSignature(new iTextSharp.text.Rectangle(340, 80, 550,160), 1, "signatureName");
// Sign PDF document
MakeSignature.SignDetached(signapp, pkcs11RsaSignature, certPath, null, null, null, 0, CryptoStandard.CADES);
}