LTV non-repudiation error
Hello Matthias,
First of all great work you have done with pyHanko.
Describe the bug
We are planning on using pyHanko on a large scale for signed PDF docs for the Greek public sector. For that we need the signed documents to be LTV enabled. I have tried to make an initial implementation, but when I use the param embed_validation_info I get a
pyhanko.sign.general.SigningError: ("The signer's certificate could not be validated", InvalidCertificateError('The X.509 certificate provided is not valid for the purpose of non repudiation'))
error.
To Reproduce
The code I have written so far looks like this:
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
from pyhanko.pdf_utils.images import PdfImage
from pyhanko.sign import fields, signers, timestamps
from pyhanko.stamp import TextStampStyle
from pyhanko_certvalidator import ValidationContext

# certificate_filename, password, pdf_buffer and settings.STAMP_IMAGE
# are defined elsewhere in the application
cms_signer = signers.SimpleSigner.load_pkcs12(
    certificate_filename, passphrase=password.encode('utf-8'))
w = IncrementalPdfFileWriter(pdf_buffer)
tst_client = timestamps.HTTPTimeStamper('https://timestamp.aped.gov.gr/qtss')
sv = fields.SigSeedValueSpec(
    reasons=[],
    digest_methods=[],
    flags=3,
)
sp = fields.SigFieldSpec('Signature', seed_value_dict=sv, box=(15, 705, 175, 798))
image = PdfImage(image=settings.STAMP_IMAGE)
style = TextStampStyle(background=image, border_width=0)
# validation context that trusts only the signer's own certificate
vc = ValidationContext(trust_roots=[cms_signer.signing_cert])
out = signers.PdfSigner(
    signature_meta=signers.PdfSignatureMetadata(
        field_name='Signature',
        reason='My reason',
        location='My location',
        use_pades_lta=True,
        subfilter=fields.SigSeedSubFilter.PADES,
        embed_validation_info=True,  # this is where the error is raised
        validation_context=vc,
    ),
    signer=cms_signer,
    timestamper=tst_client,
    stamp_style=style,
    new_field_spec=sp,
).sign_pdf(w)
where certificate_filename is a p12 signing certificate and pdf_buffer is the document I want to sign, as a BytesIO.
Expected behavior
In the end I expect a signed document that, when opened with Adobe Acrobat Reader, is listed as “LTV enabled”.
Environment (please complete the following information):
- Docker with python:3.7 image
- MacOS 11.2.2
Additional context
The same issue exists in both 0.4.0 as well as 0.5.0-dev1.
I have contacted HARICA, which is the Hellenic Academic & Research Institutions Certification Authority, and they told me that non-repudiation has nothing to do with LTV and it shouldn’t be needed to LTV-enable a document.
Hi @inui-sdt2!
You need to tell the validator to accept the digital_signature key usage as well. Right now, pyHanko takes a conservative default position by rejecting all signer certificates that don’t have the nonRepudiation/contentCommitment key usage bit set. You can change that behaviour using the key_usage_settings argument to validate_pdf_signature. See here:
In your case, you probably want to pass in KeyUsageConstraints(key_usage={'digital_signature'}).
I should probably add a few words to the library usage guide to make this part of the API a bit easier to find.
PS: If you have any follow-up questions, could you please create a thread in the discussion space instead? That makes it easier to keep the issue tracker somewhat organised 😃.
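To make the key-usage check concrete, the following is an added, self-contained example (not pyHanko's code, not the reporter's, and not the answer above): it decodes the DER-encoded KeyUsage extension of a certificate into the snake_case usage names that asn1crypto uses (and hence pyHanko's KeyUsageConstraints accepts), then applies a policy with the same shape as KeyUsageConstraints: a set of required usages (at least one must be present, or all of them with match_all), and a set of forbidden usages. The default policy requires non_repudiation, which is why a certificate carrying only digitalSignature is rejected; relaxing it to digital_signature is what the answer recommends. The DER byte strings are constructed test inputs, and the policy function approximates pyHanko's semantics rather than calling it.

```python
"""Decode an X.509 KeyUsage BIT STRING from DER and apply a
KeyUsageConstraints-style policy. Constructed example, not pyHanko's code."""

# Bit positions from RFC 5280 section 4.2.1.3, using the snake_case names
# that asn1crypto (and therefore pyHanko's KeyUsageConstraints) uses.
KEY_USAGE_BITS = [
    'digital_signature', 'non_repudiation', 'key_encipherment',
    'data_encipherment', 'key_agreement', 'key_cert_sign', 'crl_sign',
    'encipher_only', 'decipher_only',
]

# Default policy: nonRepudiation/contentCommitment must be set.
DEFAULT_REQUIRED = frozenset({'non_repudiation'})
# Relaxed policy corresponding to KeyUsageConstraints(key_usage={'digital_signature'}).
RELAXED_REQUIRED = frozenset({'digital_signature'})


def decode_key_usage(der: bytes) -> set:
    """Parse a DER KeyUsage extension value (a BIT STRING with short-form
    length) into the set of usage names whose bit is set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError('expected a BIT STRING')
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError('malformed or long-form BIT STRING length')
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (not payload and unused_bits):
        raise ValueError('bad unused-bits count')
    total_bits = len(payload) * 8 - unused_bits
    usages = set()
    for idx, name in enumerate(KEY_USAGE_BITS):
        if idx >= total_bits:
            break  # remaining bits are absent, i.e. not asserted
        byte, bit = divmod(idx, 8)
        if payload[byte] & (0x80 >> bit):  # bit 0 is the most significant bit
            usages.add(name)
    return usages


def key_usage_ok(cert_usages, required=DEFAULT_REQUIRED,
                 forbidden=frozenset(), match_all=False) -> bool:
    """Approximate KeyUsageConstraints semantics: reject any forbidden usage;
    otherwise require all (match_all) or at least one of the required usages.
    An empty required set imposes no requirement."""
    cert_usages = set(cert_usages)
    if cert_usages & set(forbidden):
        return False
    if not required:
        return True
    if match_all:
        return set(required) <= cert_usages
    return bool(set(required) & cert_usages)


def signer_cert_acceptable(key_usage_der: bytes, required=DEFAULT_REQUIRED) -> bool:
    """Combine both steps for a certificate's KeyUsage extension value."""
    return key_usage_ok(decode_key_usage(key_usage_der), required=required)


# Constructed DER values for the KeyUsage extension:
DS_ONLY = b'\x03\x02\x07\x80'       # digitalSignature only
DS_AND_NR = b'\x03\x02\x06\xc0'     # digitalSignature + nonRepudiation
DS_AND_KE = b'\x03\x02\x05\xa0'     # digitalSignature + keyEncipherment
DECIPHER_ONLY = b'\x03\x03\x07\x00\x80'  # decipherOnly (bit 8, second byte)

if __name__ == '__main__':
    for label, der in [('DS only', DS_ONLY), ('DS+NR', DS_AND_NR),
                       ('DS+KE', DS_AND_KE)]:
        print(label, sorted(decode_key_usage(der)),
              'default:', signer_cert_acceptable(der),
              'relaxed:', signer_cert_acceptable(der, RELAXED_REQUIRED))
```

The decision whether to relax the policy is a trust decision, not a technicality: the nonRepudiation bit is how an issuer marks a key as intended for commitment-type signatures, and a validator that accepts digital_signature alone will also accept certificates issued for authentication or TLS. Whoever relaxes the constraint should check that the CA's certificate policy (here HARICA's) actually designates the certificate for document signing.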
Finally, this worked. Matthias thank you very much for your patience and for your help. I learned a lot. Cheers.