Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

verify https://autenti.com/ signed pdf by pyhanko

See original GitHub issue

pyHanko-0.9.0 on linux Python 3.7.3

pdf signed on https://autenti.com/ after

./.local/bin/pyhanko sign validate --pretty-print PDF_sign_test.pdf

I got:

2021-11-13 20:09:13,402 - pyhanko.sign.diff_analysis - WARNING - Error in diff operation between revision 1 and 5
Traceback (most recent call last):
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 2240, in review_file
    field_mdp_spec=field_mdp_spec, doc_mdp=doc_mdp
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 2131, in apply
    for level, fu in form_changes:
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 1304, in apply
    yield from rule.apply(context)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 981, in apply
    yield from self.check_form_field(fq_name, spec, context)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 1046, in check_form_field
    valid_when_locked = self.compare_fields(spec)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 971, in compare_fields
    old_field, new_field, self.value_update_keys
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/diff_analysis.py", line 1806, in _compare_dicts
    f"Dict keys differ: {new_dict_keys} vs. "
pyhanko.sign.diff_analysis.SuspiciousModification: Dict keys differ: {'/Lock', '/P', '/Rect', '/FT', '/Subtype', '/T'} vs. {'/P', '/Rect', '/FT', '/Subtype', '/T'}.
2021-11-13 20:09:13,412 - pyhanko.sign.general - WARNING - Unable to build a validation path for the certificate "Organization Identifier: VATPL-5170359458, Common Name: Certum QTST 2017, Organization: Asseco Data Systems S.A., Country: PL" - no issuer matching "Organization Identifier: VATPL-5250008198, Common Name: Narodowe Centrum Certyfikacji, Organization: Narodowy Bank Polski, Country: PL" was found
2021-11-13 20:09:13,412 - pyhanko.sign.general - WARNING - Chain of trust validation for Organization Identifier: VATPL-5170359458, Common Name: Certum QTST 2017, Organization: Asseco Data Systems S.A., Country: PL failed.
2021-11-13 20:09:13,436 - pyhanko.cli - ERROR - Generic processing error.
Traceback (most recent call last):
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 139, in queue_fetch_task
    wait_event: asyncio.Event = running_jobs[tag]
KeyError: 'http://elektronicznypodpis.pl/certyfikaty/ozk62.der'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/cli.py", line 80, in pyhanko_exception_manager
    yield
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/cli.py", line 518, in validate_signatures
    pretty_print=pretty_print, executive_summary=executive_summary
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/cli.py", line 386, in _signature_status_str
    status = status_callback()
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/cli.py", line 516, in <lambda>
    embedded_sig=embedded_sig
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/cli.py", line 352, in _signature_status
    signer_validation_context=vc
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/validation.py", line 1569, in validate_pdf_signature
    return asyncio.run(coro)
  File "/usr/lib/python3.7/asyncio/runners.py", line 43, in run
    return loop.run_until_complete(main)
  File "/usr/lib/python3.7/asyncio/base_events.py", line 584, in run_until_complete
    return future.result()
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/validation.py", line 1639, in async_validate_pdf_signature
    status_kwargs=status_kwargs, key_usage_settings=key_usage_settings
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/validation.py", line 266, in _validate_cms_signature
    validator, key_usage_settings=key_usage_settings
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko/sign/general.py", line 373, in validate_cert_usage
    path = await validator.async_validate_usage(key_usage=set())
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/__init__.py", line 283, in async_validate_usage
    await self._validate_path()
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/__init__.py", line 128, in _validate_path
    self._certificate
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/registry.py", line 426, in async_build_paths
    await self._walk_issuers(path, paths, failed_paths)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/registry.py", line 478, in _walk_issuers
    async for issuer in self.fetcher.fetch_cert_issuers(path.first):
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 70, in fetch_cert_issuers
    url, url_origin_type='certificate'
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 56, in fetch_certs
    return await self._perform_fetch(url, task)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/util.py", line 38, in _perform_fetch
    self.__results, self.__result_events, tag, fetch_fun
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 170, in queue_fetch_task
    return _return_or_raise(result)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 175, in _return_or_raise
    raise result
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 157, in queue_fetch_task
    result = await async_fun()
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/requests_fetchers/cert_fetch_client.py", line 55, in task
    return list(results)
  File "/home/eod/.local/lib/python3.7/site-packages/pyhanko_certvalidator/fetchers/common_utils.py", line 46, in unpack_cert_content
    "Expected PEM data when extracting certs from "
ValueError: Expected PEM data when extracting certs from application/x-x509-ca-cert payload. Source URL: http://elektronicznypodpis.pl/certyfikaty/ozk62.der.
Error: Generic processing error.

what I did wrong ?

PDF_sign_test.pdf ?

Issue Analytics

State:
Created 2 years ago
Comments:7 (4 by maintainers)

Top GitHub Comments

1reaction

areqqcommented, Jan 29, 2022

with extra_trust_roots works, thanks again and next time I will use discussions 😉

0reactions

MatthiasValvekenscommented, Jan 29, 2022

Hi there,

You’ll need to put the trust root in the trust_roots or extra_trust_roots parameters to ValidationContext; other_certs is for (a priori) untrusted certificates that the path building logic needs to know about, e.g. intermediate CAs and the like.

Whether you need to use trust_roots or extra_trust_roots depends on your use case: if you want to include all trust roots on the system trust list (as reported by oscrypto), then extra_trust_roots is the way to go. If you specifically want to rely only on one trust root, then use the trust_roots parameter.

Does that help?

While I have your attention, I’d also like to point out that we have a discussion forum now for this kind of support-type questions: https://github.com/MatthiasValvekens/pyHanko/discussions 😃