Hello,
My question concerns a .NET MVC5 app deployed on IIS7. I've tried to digitally sign PDF documents with the iTextSharp API, and it's OK when debugging in Visual Studio (VS2013), but on IIS the program throws an exception:

C#
System.Security.Cryptography.CryptographicException: Une erreur interne s’est produite.

   à System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   à System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   à System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   à System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   à System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   à ma.metl.reclamation.Service.Signature.PDFSignHelper.PDFSignDoc(String SrcPath, String DestPath) dans c:\Users\Jamal eddine\Desktop\Evolution SGI\SGI.RECLAMATION\SGI.RECLAMATION\ma.metl.reclamation.Service\Signature\PDFSignHelper.cs:ligne 186
   à ma.metl.reclamation.Service.ProcesVerbalService.GetFilePvSigne(String urlFilePv) dans c:\Users\Jamal eddine\Desktop\Evolution SGI\SGI.RECLAMATION\SGI.RECLAMATION\ma.metl.reclamation.Service\ProcesVerbalService.cs:ligne 267


My code:


C#
// X509Store(StoreName) opens the CurrentUser store location by default
var store = new X509Store(StoreName.My);
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadOnly);
_logger.Info("Nobre certif: " + store.Certificates.Count);

X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByIssuerName, CertName, false);

if (col.Count == 0)
    throw new Exception();

if (col.Count > 1)
{
    currentCert = col[1];
}
else
{
    currentCert = col[0];
}

Org.BouncyCastle.X509.X509CertificateParser cp = new Org.BouncyCastle.X509.X509CertificateParser();
Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[]
{
    cp.ReadCertificate(currentCert.RawData)
};


var reader = new PdfReader(SrcPath);
var os = new FileStream(DestPath, FileMode.Create);
var stamper = PdfStamper.CreateSignature(reader, os, '\0');
// Creating the appearance
var appearance = stamper.SignatureAppearance;
appearance.Reason = ConstantManager.SigningReason;
appearance.Location = ConstantManager.SigningLocation;
appearance.SetVisibleSignature(new Rectangle(100, 100, 250, 150), 1, "sig");

if (currentCert.HasPrivateKey)
{
    // Reading PrivateKey opens the key container (get_PrivateKey in the stack trace above)
    var a = currentCert.PrivateKey;
}

IExternalSignature externalSignature = new X509Certificate2Signature(currentCert, "SHA-1");
// Creating the signature
MakeSignature.SignDetached(appearance, externalSignature, chain, null, null, null, 0, CryptoStandard.CMS);
stamper.Close();




PS: My certificate is not exportable, so I can't even find the famous "Manage Private Key" in MMC to grant my user access to the PK.

Thank you

What I have tried:

Changed the user of the IIS appPool to my administrator.
Gave permissions on the MachineKeys folder in Windows to grant IIS access to my private key.
Comments
Member 12179018 29-Jun-16 18:44pm    
Hi there, excuse me, have you solved the issue? I tried to do the same but with no result. Can you give me some help with it?
