pyhanko_certvalidator.errors.InvalidCertificateError: The X.509 certificate provided is self-signed - "Common Name: Free TSA Server, Organization: www.signfiles.com"

[nengxingxu]

Describe the bug
When I use interrupted_signing, using timestamps.HTTPTimeStamper('http://ca.signfiles.com/TSAServer.aspx'), crash occurs.
How to make it work correctly.

Environment (please complete the following information):

• windows
• pyHanko 0.13.2

Additional context
Traceback (most recent call last):
File "C:\Python38\lib\site-packages\pyhanko_certvalidator_init_.py", line 107, in _validate_path
paths = await self._context.certificate_registry.async_build_paths(
File "C:\Python38\lib\site-packages\pyhanko_certvalidator\registry.py", line 328, in async_build_paths
raise PathBuildingError(pretty_message(
pyhanko_certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: Free TSA Server, Organization: www.signfiles.com" - no issuer matching "Common Name:
Free TSA Server, Organization: www.signfiles.com" was found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File ".\interrupted_signing.py", line 150, in
outf.write(asyncio.run(full_procedure()).getvalue())
File "C:\Python38\lib\asyncio\runners.py", line 44, in run
return loop.run_until_complete(main)
File "C:\Python38\lib\asyncio\base_events.py", line 616, in run_until_complete
return future.result()
File ".\interrupted_signing.py", line 115, in full_procedure
prep_digest, signed_attrs, psi, output = await prep_doc()
File ".\interrupted_signing.py", line 56, in prep_doc
await pdf_signer.async_digest_doc_for_signing(w)
File "C:\Python38\lib\site-packages\pyhanko\sign\signers\pdf_signer.py", line 1182, in async_digest_doc_for_signing
= await signing_session.perform_presign_validation(pdf_out)
File "C:\Python38\lib\site-packages\pyhanko\sign\signers\pdf_signer.py", line 1468, in perform_presign_validation
async for ts_path in async_ts_paths:
File "C:\Python38\lib\site-packages\pyhanko\sign\timestamps\api.py", line 98, in validation_paths
yield await job
File "C:\Python38\lib\asyncio\tasks.py", line 619, in wait_for_one
return f.result() # May raise f.exception().
File "C:\Python38\lib\site-packages\pyhanko_certvalidator_init.py", line 263, in async_validate_usage
await self.validate_path()
File "C:\Python38\lib\site-packages\pyhanko_certvalidator_init.py", line 112, in _validate_path
raise InvalidCertificateError(pretty_message(
pyhanko_certvalidator.errors.InvalidCertificateError: The X.509 certificate provided is self-signed - "Common Name: Free TSA Server, Organization: www.signfiles.com"

[MatthiasValvekens]

(moved to discussions because this isn't a bug in pyHanko)

Hi @gudder,

As the error message says, the issue is that your TSA's certificate is self-signed, which means that it is by default not trusted by pyHanko (or any other serious validator, for that matter). There are very few situations in which it makes sense for TSAs to use self-signed certificates, and chances are that this isn't one of them. ;)

You have two options:

• Use a different, publicly trusted TSA. There are many such TSAs around that offer their services to the public at no cost. Entrust operates one at http://timestamp.entrust.net/TSS/RFC3161sha2TS.
• If you absolutely must use this specific TSA, you can add its certificate to the trust roots in your validation context, in the extra_trust_roots parameter. Only do this if you know what you're doing, though.

EDIT: FWIW, the reason why pyHanko validates the TSA certificate at all is because it's trying to embed the TSA cert's chain of trust into the PDF.