Chilkat 10-Dec-2021 – Brazilian Tax Server problems?

Chilkat is going to try to blog daily notes on issues we’re handling for customers, starting today.

  • Suddenly, SOAP XML posts to the Brazilian tax server stop working with a 415 response code and the error “The server cannot service the request because the media type is unsupported.” The error “media type is unsupported” generally means the server doesn’t like the Content-Type. The Chilkat PostXml method uses the “application/xml” Content-Type by default. Perhaps the server wants “text/xml”. (An intelligent server would accept either application/xml or text/xml.) The solution might be to explicitly set the Content-Type header to “text/xml” prior to calling PostXml.
  • Problems occur when trying to sign a PDF using a cert issued by e-Mudhra Sub CA for Class 3 Individual 2014. When Chilkat signs a PDF, the certificate used for signing is validated — meaning the cert’s signature is verified using the public key of the issuer cert, and so on, up to the root CA cert. Somehow the customer had 2 e-Mudhra Sub CA for Class 3 Individual 2014 certs installed on his system, one with an invalid signature, and one with a valid signature. The two certs were otherwise identical in all aspects. The valid e-Mudhra Sub CA for Class 3 Individual 2014 cert can be downloaded from
  • Helping a customer with the Utimaco HSM. Apparently Utimaco provides PKCS11 support for Windows/Linux (and Mac?), and Microsoft CSP/CNG support on Windows. We’ve found the CNG route to be non-working. Cannot get past the simple task of establishing a CNG provider handle by calling NCryptOpenStorageProvider.
    For Microsoft CNG, we know the CSP name, which is “Utimaco CryptoServer Key Storage Provider”.
    The 1st thing a program must do (i.e. what Chilkat must do) is to get a provider handle by calling NCryptOpenStorageProvider.
    Here’s the Microsoft documentation for that function:
    You can see there’s only one input to the function, which is the provider name, and we are passing it correctly. The dwFlags argument is always 0.
    When we call NCryptOpenStorageProvider, it returns 0x80090011 (NTE_NOT_FOUND).
    The alternative solution is to use Chilkat’s PKCS11 API to access the certs on the HSM directly. For that, we must know the location and name of the Utimaco PKCS11 driver (.dll, .so, or .dylib depending on the operating system). Chilkat’s PKCS11 API runs on Windows, Linux, and Mac.
    Also… Utimaco fails when trying to access via SCard. Don’t know what’s up with that!
  • Created a DSA C++ example to help more fully understand the details of DSA signatures:
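
For the 415 item in the first note above: a way to confirm which Content-Type an endpoint accepts is to POST the same envelope once per candidate value and compare the status codes. This is an added example, not Chilkat code; it uses the Python standard library, and the stub server, the `/ws` path and the envelope are constructed stand-ins for a server that only accepts text/xml.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed SOAP envelope; not a real tax-service message.
ENVELOPE = (b'<?xml version="1.0" encoding="utf-8"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body/></soap:Envelope>')

class StrictSoapStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that only accepts text/xml."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        media_type = self.headers.get("Content-Type", "").split(";")[0].strip().lower()
        self.send_response(200 if media_type == "text/xml" else 415)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def probe_content_types(url, body, candidates):
    """POST the same body once per Content-Type; return {content_type: status}."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    results = {}
    for content_type in candidates:
        req = urllib.request.Request(url, data=body, method="POST",
                                     headers={"Content-Type": content_type})
        try:
            with opener.open(req, timeout=5) as resp:
                results[content_type] = resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
            results[content_type] = err.code
    return results

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StrictSoapStub)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/ws" % server.server_address[1]
        return probe_content_types(url, ENVELOPE, [
            "application/xml", "text/xml", "text/xml; charset=utf-8"])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Against a real endpoint, call `probe_content_types` with the service URL and a request body the service is expected to accept; a 415 for one value and a different status for another isolates the header as the cause.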

Validating PDF Signatures with

Chilkat 13-Dec-2021 — PDF Signature not Visible in Chrome or Microsoft Edge