
I want to sign the PDF when the user uploads the file, using a USB token which is on the client machine, in an ASP.NET web application.

I am following the earlier SO post "Sign PDF with iTextSharp 5.3.3 and USB token".

It works well when I run it locally, but when I publish it to the web server it gives the exception "The current session is not interactive."

Stack Trace:

```
[InvalidOperationException: The current session is not interactive.]
System.Security.Cryptography.CAPI.CryptUIDlgSelectCertificateW(CRYPTUI_SELECTCERTIFICATE_STRUCTW csc) +345679
System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromStore(SafeCertStoreHandle safeSourceStoreHandle, String title, String message, X509SelectionFlag selectionFlags, IntPtr hwndParent) +314
System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromCollectionHelper(X509Certificate2Collection certificates, String title, String message, X509SelectionFlag selectionFlag, IntPtr hwndParent) +176
System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromCollection(X509Certificate2Collection certificates, String title, String message, X509SelectionFlag selectionFlag) +17
test.WebForm1.Upload_Click(Object sender, EventArgs e) in E:\manishtest\test\test\WebForm1.aspx.cs:74
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +138
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +150
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6047
```

I am doing digital signing of a PDF for the first time. Kindly suggest a way to sign a PDF in a web application while uploading.

Manish Goswami

1 Answer


It seems that this line is causing the problem:

```
System.Security.Cryptography.X509Certificates.X509Certificate2UI.SelectFromCollectionHelper(X509Certificate2Collection certificates, String title, String message, X509SelectionFlag selectionFlag, IntPtr hwndParent)
```

This shows a UI to select a certificate, so you need to find another way to get a certificate to make it work.

You may try the code from the answer you quoted in your question to use a certificate file instead of picking the certificate:

```csharp
X509Certificate2 cert = new X509Certificate2("C:\\mycert.p12");
```

EDIT: as commented by @Bruno Lowagie, signing by USB stick means it is done by the software on the stick, without sending the private key anywhere. His second comment has more detail about how this can be accomplished. But getting that error is still the same. Code running on the server cannot open a dialog to choose a certificate on the client's system.

TheVillageIdiot
  • I don't want to use a certificate file by giving the path; I want to read the same using the USB token which the user plugged into his system. – Manish Goswami Sep 28 '16 at 06:10
  • Well, Manish you mean the end user has plugged into his system? Hmmm, then you need to get file from their system to the server via file upload and then use it there. – TheVillageIdiot Sep 28 '16 at 06:18
  • Yes, exactly. You mean to say that the user has to upload the certificate to the server, and from there I should take the path and sign the PDF. Is there any other way where I can read the USB certificate without uploading it to the server? Any 3rd-party DLL? – Manish Goswami Sep 28 '16 at 06:24
  • Well, no, and I won't upload my certificate to any website to sign a silly PDF. Okay, maybe that PDF may be a contract to sell my kidney, but still not advised. Why don't you have a small utility that the user can download to sign the PDF on their system and upload or keep the signed copy? – TheVillageIdiot Sep 28 '16 at 06:30
  • Yup, true. What you said is the last option, which we had planned to do. I was trying to see whether it is possible or not, that's why I am trying to do so. Thanks mate :) If there is some way then please let me know. – Manish Goswami Sep 28 '16 at 06:35
  • This answer overlooks the fact that you want to sign using a USB stick. When you use a USB stick, the private key can't be exported (or it would be a very insecure USB stick). This means that you have to send the bytes you want to sign to the USB stick and the USB stick will return the signed bytes. The technology to do this is called PKCS#11, whereas this answer is talking about PKCS12 (which makes the answer beside the point). – Bruno Lowagie Sep 29 '16 at 12:21
  • thanks for commenting @BrunoLowagie. Well if that is the case then either approach being used by OP is wrong (as you can deduce from points) or they want the user to sign in the document. But even in this case code running on the server can't open a dialogue for the user to pick cert. I will edit the answer. – TheVillageIdiot Sep 29 '16 at 12:23
  • What you need is **software on the server** to prepare the PDF (using a blank signature) and to send the hash that needs signing to the client, but you also need **software in the client** that accepts the hash and that communicates with the USB stick to sign the hash. That client software then sends the signed hash to the server where it's embedded in the PDF using the `signDeferred()` method. See http://stackoverflow.com/questions/29210451/itext-generating-pdf-hash-without-certificate-chain – Bruno Lowagie Sep 29 '16 at 12:25
  • The edit deserves an up-vote. It should be clear that one can't open an interactive dialog box on the server that shows the certificates available on the client system. (1.) that would be ridiculous: someone should have to sit near the server choosing a certificate every time someone wants to sign a document, and (2.) it would be a serious breach of privacy. The private key is on the client side. The code that creates the `KeyStore` should also be on the client side. – Bruno Lowagie Sep 29 '16 at 12:53
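
The server/client split described in the comments above, as an added example that is not part of the original thread and is not iText code: it models the flow with plain .NET crypto only (no PDF or CMS container is built). The class and method names, the 256-byte slot and the sample bytes are assumptions; the `RSACryptoServiceProvider` stands in for a key that a real client would reach through PKCS#11.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class DeferredSigningModel   // hypothetical name, illustration only
{
    const int SlotSize = 256;       // space reserved for an RSA-2048 signature

    // SERVER: hash everything except the reserved (blank) signature slot.
    static byte[] HashAroundSlot(byte[] prepared, int slotOffset)
    {
        byte[] covered = prepared.Take(slotOffset)
                                 .Concat(prepared.Skip(slotOffset + SlotSize)).ToArray();
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(covered);
    }

    // CLIENT: receives only the hash. A real client hands it to the token via
    // PKCS#11 at this point; the private key never travels to the server.
    static byte[] SignOnClient(RSA tokenKey, byte[] hash)
    {
        return tokenKey.SignHash(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // SERVER: recompute the hash, verify with the signer's public key, fill the slot.
    static void Embed(byte[] prepared, int slotOffset, byte[] signature, RSA signerPublicKey)
    {
        byte[] hash = HashAroundSlot(prepared, slotOffset);
        if (signature.Length != SlotSize ||
            !signerPublicKey.VerifyHash(hash, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            throw new CryptographicException("Signature does not match the prepared document.");
        Buffer.BlockCopy(signature, 0, prepared, slotOffset, SlotSize);
    }

    static void Main()
    {
        // Constructed sample document: head bytes, empty slot, tail bytes.
        byte[] head = Encoding.ASCII.GetBytes("constructed head ");
        byte[] tail = Encoding.ASCII.GetBytes(" constructed tail");
        byte[] prepared = head.Concat(new byte[SlotSize]).Concat(tail).ToArray();

        using (RSA tokenKey = new RSACryptoServiceProvider(2048))   // stand-in for the token
        using (RSA serverView = new RSACryptoServiceProvider())
        {
            serverView.ImportParameters(tokenKey.ExportParameters(false)); // public part only
            byte[] hash = HashAroundSlot(prepared, head.Length);   // sent server -> client
            byte[] signature = SignOnClient(tokenKey, hash);       // sent client -> server
            Embed(prepared, head.Length, signature, serverView);
            Console.WriteLine("Embedded {0}-byte signature.", signature.Length);
        }
    }
}
```

The server recomputes the hash itself in `Embed` instead of trusting a value echoed back by the client, so a signature over any other document is rejected before it is written into the slot.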