System.Security.Cryptography.CryptographicException: No TimeStampToken: PkiFailureInfo: 0x0

Hi,
When signing a PDF with PAdES-T, we started seeing this error about the timestamp token in code which runs in AWS ECS as Docker containers.

Some of the findings:

  • If we run the same code on a local machine, it seems to work.
  • When we change the TSA to https://freetsa.org/tsr, it works locally and on ECS.

I was wondering if there is a way to log the requests that get fired during signing by the GemBox library, as we don't have much control over this request.

Full exception is here:

[14:11:48 ERR] Internal error occurred while performing cryptographic operation. See inner exception for details., TraceId:bc6211972461433cb5466dde549e660d 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 System.Security.Cryptography.CryptographicException: Internal error occurred while performing cryptographic operation. See inner exception for details. 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 —> System.Security.Cryptography.CryptographicException: No TimeStampToken: PkiFailureInfo: 0x0 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 — End of inner exception stack trace — 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at ..[T](Func`2 ) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at ..( , Byte , String , String , Byte , Boolean , X509ExtensionCollection ) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.Security.PdfTimestamper.(Byte ) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.Security.PdfTimestamper.GetTimestampToken(Stream content) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.Forms.PdfSigner.ComputeSignature(Stream pdfFileStream) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.Forms.PdfSigner.n4fqvm9kg8vbg6mw7kd39av6xkw4urlh(Stream ) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at .() 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at .() 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at .() 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.PdfDocument.( ) 8561677125c044569c084cccb0d27979
5/15/2023, 3:11:48 PM GMT+1 at GemBox.Pdf.PdfDocument.Save(Stream stream) 8561677125c044569c084cccb0d27979

Hi Raed,

Please try again with this bugfix:
https://www.gemboxsoftware.com/pdf/nightlybuilds/GBA17v1346.zip

Or this NuGet package:
Install-Package GemBox.Pdf -Version 17.0.1346-hotfix

This version should provide more information in the exception’s message, please focus on the following exception:

System.Security.Cryptography.CryptographicException: No TimeStampToken: PkiFailureInfo: 0x0

It will now appear in a different format with more information and on the following page you can find the meaning of that information:

Also, for the PkiFailureInfo value, please check the integer constants on the PKIFailureInfo class: bc-csharp/crypto/src/asn1/cmp/PKIFailureInfo.cs at master · bcgit/bc-csharp · GitHub

Regards,
Mario

Thanks for your reply.
Here is the new error output:

[15:53:29 ERR] Internal error occurred while performing cryptographic operation. See inner exception for details.
System.Security.Cryptography.CryptographicException: Internal error occurred while performing cryptographic operation. See inner exception for details.
—> System.Security.Cryptography.CryptographicException: No TimeStampResp.timeStampToken. TimeStampResp.status.status = 2. TimeStampResp.status.statusString = . TimeStampResp.status.failInfo = PkiFailureInfo: 0x0.
— End of inner exception stack trace —
at ..[T](Func`2 )
at ..e( , Byte , String , String , Byte , Boolean , X509ExtensionCollection )
at GemBox.Pdf.Security.PdfTimestamper.(Byte )
at GemBox.Pdf.Security.PdfTimestamper.GetTimestampToken(Stream content)
at GemBox.Pdf.Forms.PdfSigner.ComputeSignature(Stream pdfFileStream)
at GemBox.Pdf.Forms.PdfSigner.n4fqvm9kg8vbg6mw7kd39av6xkw4urlhe(Stream )
at .()
at .e()
at .()
at GemBox.Pdf.PdfDocument.e( )
at GemBox.Pdf.PdfDocument.Save(Stream stream)

Hi Raed,

It seems that the TSP server returns status code 2 (rejection) without any additional information.

What TSA are you using?

If the issue doesn’t appear on your local machine, then it is not related to the code, but to the environment.

Please check with the TSA if they contain some kind of blacklist and check their documentation regarding configuration settings for TSP clients.

Regards,
Stipo
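
The status, statusString and failInfo values in the exception above are fields of the RFC 3161 TimeStampResp structure. As an added example (not GemBox code and not part of the thread), this standard-library Python decoder reads those fields from a raw DER response body, so a response captured inside the container can be compared with one captured locally. The function names and the two sample byte strings are constructed for illustration.

```python
PKI_STATUS = {0: "granted", 1: "grantedWithMods", 2: "rejection", 3: "waiting",
              4: "revocationWarning", 5: "revocationNotification"}
# PKIFailureInfo bit positions as defined in RFC 3161
FAIL_BITS = {0: "badAlg", 2: "badRequest", 5: "badDataFormat", 14: "timeNotAvailable",
             15: "unacceptedPolicy", 16: "unacceptedExtension",
             17: "addInfoNotAvailable", 25: "systemFailure"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):  # walk the elements inside a constructed value
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_tsp_status(der):
    """Decode PKIStatusInfo and report whether a timeStampToken follows it."""
    tag, body, _ = read_tlv(der, 0)
    parts = children(body) if tag == 0x30 else []
    if not parts or parts[0][0] != 0x30:
        raise ValueError("not a TimeStampResp")
    info = {"status": None, "status_string": [], "fail_info": [],
            "has_token": len(parts) > 1}
    for tag, val in children(parts[0][1]):
        if tag == 0x02:  # status INTEGER
            code = int.from_bytes(val, "big", signed=True)
            info["status"] = f"{code} ({PKI_STATUS.get(code, 'unknown')})"
        elif tag == 0x30:  # statusString: SEQUENCE OF UTF8String
            info["status_string"] = [v.decode("utf-8", "replace") for _, v in children(val)]
        elif tag == 0x03 and val:  # failInfo BIT STRING; val[0] = unused bits
            bits = "".join(f"{b:08b}" for b in val[1:])
            info["fail_info"] = [FAIL_BITS.get(i, f"bit{i}") for i, c in enumerate(bits) if c == "1"]
    return info

# Constructed samples: a bare rejection (status 2, nothing else) and one with badAlg set
REJECTED_BARE = bytes.fromhex("30053003020102")
REJECTED_BAD_ALG = bytes.fromhex("3009300702010203020780")
```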