How to embed chain of trust in PDF

[Trefex]

Hi,

I am able to sign PDFs using a PKCS#11 YubiKey device. So far so good.

However, when I open the PDF in Acrobat, I get a warning, because the certificate is not trusted, and upon inspection, it seems the issuance chain is not embedded into the PDF.

This is the command I used:

pyhanko --verbose sign addsig --field  1/100,100,400,200/Sig1 --with-validation-info --validation-context setup-a --timestamp-url https://freetsa.org/tsr pkcs11 --p11-setup test-setup input.pdf signed.pdf

cat pyhanko.yml
pkcs11-setups:
   test-setup:
       module-path: /usr/local/lib/libykcs11.dylib
       token-criteria:
           label: 'YubiKey PIV #xxxxxx'
       cert-id: 02
       key-id: 02
       user-pin: xxxxx
validation-contexts:
    setup-a:
        trust: 'CA.pem'
        trust-replace: true
        other-certs: 'interim.pem'
        signer-key-usage: ["digital_signature"]

Running validation with pyhanko however works

Bottom line
-----------
The signature is judged VALID

Would I have missed something?

Many thanks for any pointers.
T

[meaglerick]

Hi Trefex. Sorry I can't answer your question, but was wondering if you had any insight on how you were able to get your Yubikey to work with the pkcs#11 setup in pyHanko? I've been working for a while to get pyHanko to use the pkcs module I have at /usr/local/lib/libykcs11.dylib, but nothing happens. Did you perform any special considerations to facilitate? I've been trying on macOS as well as Windows 10 with no success.

[MatthiasValvekens]

I have successfully used pyHanko to sign using YubiKey PIV through libyks11. Please open a separate thread if this is still an issue :)

[MatthiasValvekens]

Hello @Trefex,

Sorry, this thread got drowned out by other notifications. Allow me to correct you on one point:

it seems the issuance chain is not embedded into the PDF.

This may be the case, but note that this is not sufficient for your signature to be trusted. Are you using self-signed certificates, or do your PIV certs actually chain up to a root in the public trust (AATL / EUTL / ...)? If not, no amount of certificate embedding is going to change anything. If you want Acrobat to trust other roots, you need to import them into Acrobat's trust store out-of-band.

(If you know all this, please disregard.)

Anyway, if you know the relevant intermediate certs are stored on the YubiKey, you can use other_certs_to_pull to have pyHanko request additional certs from the PKCS#11 interface. If you pass in None, it should pull them all.

EDIT: forgot the link to the API docs: https://pyhanko.readthedocs.io/en/0.5.1/api-docs/pyhanko.sign.pkcs11.html#pyhanko.sign.pkcs11.PKCS11Signer. There are also options you can pass to pyhanko sign addsig pkcs11 to pull more certs.