问题
When I try to sign a pdf using Aspose.PDF .net (net core 3.1 version 20.4) using a Belgian ID card I get an exception : error 2148532330 Access was denied because of a security violation.
On the id card there are 2 certificates. The first one is an Authentication certifificate. Using this one no issue. The second one is the Signature certificate (non repudiation). The issue appears when using this certificate.
I got more information about this error in the eid-middleware-dev google group : https://groups.google.com/forum/#!topic/eid-middleware-dev/mbYMN8MjtM4 1
here is a quote of their reply :
"The problem that you might be facing in your software is that the eID applet 1.7 (current eID cards) requires a validate PIN instruction just before signing with the key of the non-repudiation certificate. So if e.g. you do a ‘select algorithm’ instruction in between the ‘verifyPIN’ and the ‘compute digital signature’, the signing will fail with a security error (as you needed to validate the PIN just before trying to sign). For testing purposes: When using the authentication certificate, this restriction is not active, and thus should work if it is the above error you are facing. "
So i guess Aspose.PDF do this sequence : do a ‘select algorithm’ instruction in between the ‘verifyPIN’ and the ‘compute digital signature’. The “compute digital signature” should be right after “the verify pin”.
Regarding the legal point of view, we need to sign using the signature certificate to be law compliant.
FYI, there are no issue to sign using Adobe Acrobat Reader using the signature certificate.
Here is the call stack of the exception :
at Internal.Cryptography.CngCommon.SignHash(SafeNCryptKeyHandle keyHandle, ReadOnlySpan`1 hash, AsymmetricPaddingMode paddingMode, Void* pPaddingInfo, Int32 estimatedSize)
at System.Security.Cryptography.RSACng.SignHash(Byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
at System.Security.Cryptography.RSAPKCS1SignatureFormatter.CreateSignature(Byte[] rgbHash)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z1OAEuWc=(Byte[] #=z$ZsYy4A=, #=zCCSibLhnfKyR126MVnj5KHDq8bHvqRrkDoAMMlc= #=zlY6OybY=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, Boolean #=z3HvDH3A=)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd)
at #=zlaSAK7uTJjtE4VjZalzQB94SHxdu4PiTPA==.#=zNqv1k4Q=.#=z2l4cyFY=(Byte[] #=z$ZsYy4A=, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, Stream #=zlY6OybY=, String #=zmEs3Y1c=, #=zM1kKFIS9ptxYWIixR8pRttiu7PpO #=zJulZcYykQoOP, TimestampSettings #=zbGfLV7WoQpgd, X509Certificate2 #=z4uLsm9wyH8oU)
at #=zXTetUpDhf7g1ZnA1KQ9xcZzQhjEL.#=z2l4cyFY=(String #=zHdhAWIw=, #=ze2s3rNQpynjOrkTAOoZimclOXE4LQRQDlA== #=zeWEl_bg=, #=zjGBHsKzl9FzQmn3jdAjaV4WSgaAcdBVvxQ== #=zJTeabqg=, X509Certificate2 #=z4uLsm9wyH8oU)
at Aspose.Pdf.Forms.Signature.#=z2l4cyFY=(String #=zHdhAWIw=, Stream #=zlY6OybY=, String #=zmEs3Y1c=)
at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature, Stream pfx, String pass)
at Aspose.Pdf.Forms.SignatureField.Sign(Signature signature)
at Aspose.Pdf.Facades.PdfFileSignature.#=z4oJQIPrAGr1_(Stream #=zXnSxnB$Dzi64, Stream #=zykDMhKF5zYK4, String #=zhBw7Yrk=)
at Aspose.Pdf.Facades.PdfFileSignature.Save(Stream outputStream)
at Aspose.Pdf.Facades.PdfFileSignature.Save(String outputFile)
Is there any workaround on this ? Aspose support has logged this issue ( https://forum.aspose.com/t/pdf-signing-exception-access-was-denied-because-of-a-security-violation-when-using-belgian-eid-card/215681 ) but it is still open since July 2020...
来源:https://stackoverflow.com/questions/65580435/sign-a-pdf-with-aspose-pdf-using-belgian-identity-card-leads-to-an-securityexcep