
The Selected certificate has errors: Not valid for usage.


These are the cases I have tested.

  1. pdf.cms.sign works well with .p12 created from example/cert-make.py

  2. pdf.cms.sign + pdf.verify also works with the same .p12 and CA.crt.pem from example/cert-make.py

  3. pdf.cms.sign with another .p12 of mine is not working. At least one signature is invalid. It shows “the selected certificate has errors: Not valid for usage”, while my p12 is working with another signer.


Please help me: what is the problem? This is my code:

        with open(fixture(keyname+'.p12'), 'rb') as fh:
            p12 = load_pkcs12(fh.read(), keypwd)

        date = datetime.now()
        strdate1 = date.strftime('%Y.%m.%d')
        subject = p12.get_certificate().get_subject()
        location = str(subject.C)
        signature = signature_string(subject.CN, strdate1, subject.C, reason)
        signature_img = self.makeSignature.create_signature_img(subject.CN, strdate1, location, reason)
        strdate2 = date.strftime('%Y%m%d%H%M%S')

        # print(subject)

        dct = {
            b'sigbutton':b'mysignbutton',
            b'signature' : signature.encode(),
            b'signaturebox':(off_x, off_y, off_x+rr_w, off_y+rr_h),
            b'sigpage': 0,
            b'sigflags': 3,
            b'contact': b'darwinquintana@sidesoft.ec',
            b'location': location.encode(),
            # b'signingdate': b'20200331082642+02\'00\'',
            b'signingdate': strdate2.encode(),
            b'reason': reason.encode(),
            b'fontsize': 8,
            b'signature_img': signature_img.encode(),
        }
        with open(pdfname, 'rb') as fh:
            datau = fh.read()
        datas = pdf.cms.sign(datau, dct,
            p12.get_privatekey().to_cryptography_key(),
            p12.get_certificate().to_cryptography(),
            [],
            'sha256'
        )
        pdfname = pdfname.replace('.pdf', '-signed.pdf')
        with open(pdfname, 'wb') as fp:
            fp.write(datau)
            fp.write(datas)


        # with open(fixture(verifyname+'.crt.pem'), 'rt') as fh:
        #     trusted_cert_pems = (fh.read(),)
        # print(trusted_cert_pems)
        # with open(pdfname, 'rb') as fh:
        #     data = fh.read()
        
        # (hashok, signatureok, certok) = pdf.verify(data, trusted_cert_pems)
        # assert signatureok and hashok and certok

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 14 (6 by maintainers)

Top GitHub Comments

1 reaction
m32 commented, Mar 11, 2020

.Pfx and .p12 files are intended for secure transport of keys between devices. I used them as an example - it was more convenient for me than in the case of .pem files. The https://github.com/pyca/cryptography library that I use probably only loads the first key - I’ve never had to store more than one key and certificate in the .p12 file. I would import .p12 content into the browser and export only the used part.

0 reactions
fspider commented, Mar 11, 2020

Yes. That’s right. So I solved that problem by dividing the p12 store into individual .p12 files using openssl, and then selected the one with signature permission. Finally it works well. Thank you.
