
Parse error in fetched certificate propagates to CLI


```
pyhanko sign addsig --field signature1 --with-validation-info --use-pades pkcs12 output.pdf signed.pdf emudhra.pfx --passfile password.txt
```

The above is the whole command.

It produces the following error.

```
2021-12-04 18:54:37,804 - pyhanko.cli - ERROR - Generic processing error.
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 145, in queue_fetch_task
    wait_event: asyncio.Event = running_jobs[tag]
KeyError: 'http://www.e-mudhra.com/repository/cacerts/doccl2.crt'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/pyhanko/cli.py", line 80, in pyhanko_exception_manager
    yield
  File "/usr/local/lib/python3.9/site-packages/pyhanko/cli.py", line 831, in addsig_simple_signer
    generic_sign_pdf(
  File "/usr/local/lib/python3.9/site-packages/pyhanko/cli.py", line 841, in generic_sign_pdf
    result = signers.PdfSigner(
  File "/usr/local/lib/python3.9/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1220, in sign_pdf
    result = asyncio.run(
  File "/usr/local/Cellar/python@3.9/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/usr/local/Cellar/python@3.9/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/local/lib/python3.9/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1272, in async_sign_pdf
    await signing_session.perform_presign_validation(pdf_out)
  File "/usr/local/lib/python3.9/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1419, in perform_presign_validation
    signer_path = await self._perform_presign_signer_validation(
  File "/usr/local/lib/python3.9/site-packages/pyhanko/sign/signers/pdf_signer.py", line 1476, in _perform_presign_signer_validation
    await validator.async_validate_usage(key_usage)
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/__init__.py", line 283, in async_validate_usage
    await self._validate_path()
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/__init__.py", line 127, in _validate_path
    paths = await self._context.certificate_registry.async_build_paths(
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/registry.py", line 425, in async_build_paths
    await self._walk_issuers(path, paths, failed_paths)
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/registry.py", line 477, in _walk_issuers
    async for issuer in self.fetcher.fetch_cert_issuers(path.first):
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 69, in fetch_cert_issuers
    fetched_certs = await self.fetch_certs(
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 56, in fetch_certs
    return await self._perform_fetch(url, task)
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/util.py", line 37, in _perform_fetch
    return await queue_fetch_task(
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 176, in queue_fetch_task
    return _return_or_raise(result)
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 181, in _return_or_raise
    raise result
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 163, in queue_fetch_task
    result = await async_fun()
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 55, in task
    return list(results)
  File "/usr/local/lib/python3.9/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 38, in unpack_cert_content
    yield x509.Certificate.load(response_data)
  File "/usr/local/lib/python3.9/site-packages/asn1crypto/core.py", line 230, in load
    value, _ = _parse_build(encoded_data, spec=spec, spec_params=kwargs, strict=strict)
  File "/usr/local/lib/python3.9/site-packages/asn1crypto/core.py", line 5672, in _parse_build
    return (_build(*info, spec=spec, spec_params=spec_params), new_pointer)
  File "/usr/local/lib/python3.9/site-packages/asn1crypto/core.py", line 5568, in _build
    raise ValueError(unwrap(
ValueError: Error parsing asn1crypto.x509.Certificate - tag should have been 16, but 13 was found
Error: Generic processing error.
```

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

1 reaction
MatthiasValvekens commented, Dec 4, 2021

Hi @ghoshpushpendu, thanks for your interest in this project!

The issue is that the server hosting http://www.e-mudhra.com/repository/cacerts/doccl2.crt serves a PEM-wrapped certificate instead of a DER-encoded one, and announces it as application/x-x509-ca-cert. This is wrong for two reasons:

  • Certificate links in an AIA extension must point to DER-encoded certificates.
  • The MIME definition of application/x-x509-ca-cert also requires raw DER.

pyhanko-certvalidator is currently lenient w.r.t. the first requirement in that it also accepts PEM if the Content-Type header is text/plain or application/x-pem-file, but if the server gets both the encoding and the MIME type wrong, then you get a parse error. That’s mostly intentional, but the fact that the parse error propagates to the CLI is a bug indeed. I’ll look into addressing that.

In the meantime, you can manually download the certificate at http://www.e-mudhra.com/repository/cacerts/doccl2.crt and pass in the file using the --other-certs flag (or add it to other-certs in your validation context in the config file). From a validation logic point of view, those are equivalent.

Hope that helps 😃
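The PEM-versus-DER point in the comment above, as an added example that is not pyHanko's or pyhanko-certvalidator's own code: a small standard-library decoder for the body of a CA-issuers fetch. It takes DER as the AIA rules require, takes PEM when the server declares text/plain or application/x-pem-file, and, when sniffing is enabled, also recognises a PEM body by its armour even if the Content-Type wrongly claims application/x-x509-ca-cert. With sniffing off it reproduces the strict behaviour from the traceback, including why the error says "13 was found": the first byte of a PEM body is '-' (0x2D), and the low five bits of that identifier octet are 13, not the 16 of a SEQUENCE. All function names (`decode_fetched_cert_body`, `describe_fetch`, `der_tag`) and the sample bytes are my own; the sample "certificate" is a constructed SEQUENCE { INTEGER 5 }, not a real X.509 certificate, so only the outer DER framing is checked.

```python
"""Added example, not pyHanko's or pyhanko-certvalidator's own code.

Decodes the body of an AIA / CA-issuers fetch: DER is what the spec
requires, PEM is accepted when the server says so (text/plain,
application/x-pem-file) and, with sniff=True, also when the body is
visibly PEM-armoured despite a Content-Type that claims DER.
Standard library only. The sample certificate below is constructed
(a bare SEQUENCE), so only the outer DER tag is inspected.
"""
import base64
import re

# Media types the comment above associates with PEM bodies.
PEM_TYPES = {"text/plain", "application/x-pem-file"}
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
TAG_SEQUENCE = 16  # universal tag number of SEQUENCE; a Certificate is one


def der_tag(first_byte: int):
    """Split a BER/DER identifier octet into (class, constructed, tag number)."""
    return first_byte >> 6, bool(first_byte & 0x20), first_byte & 0x1F


def check_der_certificate_framing(data: bytes) -> bytes:
    """Reject anything that does not start with a universal constructed SEQUENCE.

    The message mirrors the asn1crypto error from the issue: a PEM body
    starts with '-' (0x2D), whose low five bits are 13, hence "13 was found".
    """
    if not data:
        raise ValueError("empty response body")
    cls, constructed, tag = der_tag(data[0])
    if cls != 0 or not constructed or tag != TAG_SEQUENCE:
        raise ValueError(
            f"Error parsing certificate - tag should have been "
            f"{TAG_SEQUENCE}, but {tag} was found"
        )
    return data


def decode_fetched_cert_body(body: bytes, content_type: str, sniff: bool = True):
    """Return the DER blobs found in an HTTP response body (hypothetical helper).

    sniff=False is the strict behaviour described in the issue: only the
    Content-Type decides, so a PEM body labelled application/x-x509-ca-cert
    fails with the tag-13 error. sniff=True additionally trusts the PEM
    armour over a wrong Content-Type.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    looks_pem = body.lstrip().startswith(b"-----BEGIN")
    if media_type in PEM_TYPES or (sniff and looks_pem):
        blobs = [base64.b64decode(m) for m in PEM_BLOCK_RE.findall(body)]
        if not blobs:
            raise ValueError("PEM body contains no CERTIFICATE block")
        return [check_der_certificate_framing(b) for b in blobs]
    # Everything else is taken to be DER, as the AIA rules require.
    return [check_der_certificate_framing(body)]


def describe_fetch(body: bytes, content_type: str, sniff: bool = True):
    """Turn the decode into ('ok', count) or ('error', message) so a caller
    such as a CLI can report a bad issuer instead of crashing on it."""
    try:
        return "ok", len(decode_fetched_cert_body(body, content_type, sniff))
    except ValueError as e:
        return "error", str(e)


# Constructed sample input: SEQUENCE { INTEGER 5 }, not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x05"
FAKE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(der_tag(ord("-")))  # (0, True, 13): why the error names tag 13
    print(describe_fetch(FAKE_PEM, "application/x-x509-ca-cert", sniff=False))
    print(describe_fetch(FAKE_PEM, "application/x-x509-ca-cert"))
    print(describe_fetch(FAKE_DER, "application/x-x509-ca-cert", sniff=False))
```

Sniffing the armour does not loosen trust: whatever is decoded here is still only an issuer candidate, and a validator accepts it only if the resulting path ends at a trust anchor. What should change is the failure mode, which is the bug the comment acknowledges: a malformed fetch should surface as an unusable issuer (and ultimately a failed path, or a fallback to certificates supplied via `--other-certs`), not as an uncaught parse exception.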

0 reactions
ghoshpushpendu commented, Dec 6, 2021

Adobe Acrobat Reader DC, MAC OS

