Batch ECDSA signing of multiple documents

3/21/2022 5:05:36 PM


We are currently investigating the use of NCryptoki, in combination with iText, for digital signing of PDF documents with a Belgian eID card in a .NET application. Currently we have an issue when using the ECDSA mechanism. We also have a question about batch signing (see below).


We first create a Cryptoki object this way:

Cryptoki ki = new Cryptoki(@"C:\Windows\System32\beidpkcs11.dll");

Afterwards we start a session, log in, read certificates, etc.

We retrieve the private key:

var template = new CryptokiCollection();
template.Add(new ObjectAttribute(ObjectAttribute.CKA_CLASS, CryptokiObject.CKO_PRIVATE_KEY));
template.Add(new ObjectAttribute(ObjectAttribute.CKA_ID, 3));
PrivateKey pk = (PrivateKey)_session.Objects.Find(template, 1)[0];

Then, with an older eID card that supports SHA1RSA, we are able to sign a byte array in this way:

if (session.SignInit(Mechanism.SHA1_RSA_PKCS, pk) == 0) { byte[] signed = session.Sign(bytesToSign); }

But with a newer eID card that supports ECDSA, we get a 'GENERAL ERROR' (n.5) when calling the Sign() method:

if (session.SignInit(Mechanism.ECDSA, pk) == 0) { byte[] signed = session.Sign(bytesToSign); }

Note that the call to SignInit(Mechanism.ECDSA) returns 0, which means that the card should be able to use that mechanism.

Can anyone help me with this issue?


Is it possible to sign multiple documents in batch so that the user only has to insert his/her PIN code once?

I thought this was possible if there is a Login(Session.CKU_CONTEXT_SPECIFIC) between the SignInit() and Sign() calls. But this gives me a CKR_USER_TYPE_INVALID.

In a previous version of our software we are using low level APDU commands to accomplish this, but I was wondering if there is another, more high level, way of doing that through NCryptoki?

Thanks for your input,
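
For reference on the ECDSA mechanism used above: in PKCS#11, plain ECDSA (CKM_ECDSA) does no hashing, so the bytes passed to Sign() are treated as the digest, and the result is raw r || s, while CMS/PDF signatures carry a DER-encoded value. The following is an added example, not code from the original post or from NCryptoki; the class and method names are hypothetical, SHA-384 with a P-384 key is an assumption to check against the card's certificate, and a software key stands in for the card.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;

static class EcdsaTokenSigning
{
    // Hash locally and give the token only the digest. rawSign is a stand-in for the
    // post's calls: d => { session.SignInit(Mechanism.ECDSA, pk); return session.Sign(d); }
    public static byte[] SignDocument(byte[] document, Func<byte[], byte[]> rawSign)
    {
        byte[] digest = SHA384.HashData(document);  // assumption: SHA-384 with a P-384 key
        return RawToDer(rawSign(digest));           // token output is fixed-width r || s
    }

    // Convert fixed-width r || s into DER: SEQUENCE { INTEGER r, INTEGER s }.
    public static byte[] RawToDer(byte[] rs)
    {
        if (rs.Length == 0 || rs.Length % 2 != 0)
            throw new ArgumentException("expected r || s with halves of equal length");
        int n = rs.Length / 2;
        return Tlv(0x30, DerInteger(rs.AsSpan(0, n)).Concat(DerInteger(rs.AsSpan(n, n))).ToArray());
    }

    static byte[] DerInteger(ReadOnlySpan<byte> v)
    {
        int i = 0;
        while (i < v.Length - 1 && v[i] == 0) i++;  // drop redundant leading zero bytes
        bool pad = (v[i] & 0x80) != 0;              // a leading 0x00 keeps the value positive
        var body = new byte[v.Length - i + (pad ? 1 : 0)];
        v.Slice(i).CopyTo(body.AsSpan(pad ? 1 : 0));
        return Tlv(0x02, body);
    }

    // Short-form length below 128 bytes, one-byte long form (0x81) up to 255 bytes.
    static byte[] Tlv(byte tag, byte[] body)
    {
        if (body.Length > 255) throw new ArgumentException("value too long for this encoder");
        byte[] head = body.Length < 128
            ? new[] { tag, (byte)body.Length }
            : new[] { tag, (byte)0x81, (byte)body.Length };
        return head.Concat(body).ToArray();
    }

    static void Main()
    {
        // Constructed sample: a software P-384 key plays the role of the card.
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP384);
        byte[] doc = System.Text.Encoding.UTF8.GetBytes("constructed sample document");
        byte[] der = SignDocument(doc, digest => key.SignHash(digest));
        bool ok = key.VerifyData(doc, der, HashAlgorithmName.SHA384, DSASignatureFormat.Rfc3279DerSequence);
        Console.WriteLine($"DER signature: {der.Length} bytes, verifies: {ok}");
    }
}
```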