Unable to build a validation path for the certificate

[danytrih]

Hello Matthias,
i got a problem with this command
pyhanko sign addsig --field Sig1 --timestamp-url http://tsa.example.com
--with-validation-info --use-pades pemder
--key key.pem --cert cert.pem input.pdf output.pdf
the result
2021-07-29 13:51:42,948 - pyhanko.cli - ERROR - Error raised while producing signed file.
Traceback (most recent call last):
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 959, in _perform_presign_signer_validation
signer_cert_validation_path = validator.validate_usage(key_usage)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/init.py", line 212, in validate_usage
self._validate_path()
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/init.py", line 127, in _validate_path
paths = self._context.certificate_registry.build_paths(self._certificate)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/registry.py", line 314, in build_paths
raise PathBuildingError(pretty_message(
pyhanko_certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: Danny Jawa Timur; Country: ID" - no issuer matching "Common Name: iXXX CA G1, Organizational Unit: iXXXX, Organization: XXX, Country: ID" was found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 75, in pyhanko_exception_manager
yield
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 781, in addsig_simple_signer
generic_sign_pdf(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 791, in generic_sign_pdf
result = signers.PdfSigner(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 764, in sign_pdf
validation_info = signing_session.perform_presign_validation(pdf_out)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 904, in perform_presign_validation
signer_path = self._perform_presign_signer_validation(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 961, in _perform_presign_signer_validation
raise SigningError(
pyhanko.sign.general.SigningError: ("The signer's certificate could not be validated", PathBuildingError('Unable to build a validation path for the certificate "Common Name: XXXX; Organization: XXX; Country: ID" - no issuer matching "Common Name: iXXX CA G1, Organizational Unit: iXXXX, Organization: XXX, Country: ID" was found'))
Error: Error raised while producing signed file.
please help me solve this problem

[MatthiasValvekens]

Well, the error message means just that: the validator can't find a suitable certificate for the issuer of your signing cert :)

Since you didn't pass in any trust configuration options on the command line, pyHanko only has access to whatever's in your system trust. The certificates you need may not be in there, so you'll have to fetch them from somewhere else. The CA's website would be a good place to start looking. It's also possible that your signer's certificate tells you where you can download the issuer cert, this is not something that happens automatically right now.

Once you have the required certificates, you'll also need to make sure that the relevant root certificate is trusted. See here and here for information on how to do that.

Also: there's no actual time stamping service hosted at tsa.example.com, that's just a placeholder URL ;). That said, there are many (widely trusted) TSAs out there that expose a time stamping service to the general public. Someone put together a list here (but I can't vouch for its accuracy).

[danytrih]

Matthias thanks for your reply,

this code has successfully generated a pdf output
PAdES Signature Level: B-T
/home/dany/.local/bin/pyhanko sign addsig
--field Sig1 --timestamp-url http://tsa.govca.id
--use-pades pkcs12
cobaTTE.pdf cobaTTE-pyTSA-iO.pdf certifikat.pfx

but if i add --with-validation-info
/home/dany/.local/bin/pyhanko sign addsig
--field Sig1 --timestamp-url http://tsa.govca.id
--with-validation-info --use-pades pkcs12
cobaTTE.pdf cobaTTE-pyTSA-info.pdf certifikat.pfx

dany@papa:~/sign$ /home/dany/.local/bin/pyhanko sign addsig \

--field Sig1 --timestamp-url http://tsa.govca.id
--with-validation-info --use-pades pkcs12
cobaTTE.pdf cobaTTE-pyTSA-info.pdf certifikat.pfx
PKCS#12 passphrase:

2021-07-31 12:37:05,334 - pyhanko.cli - ERROR - Error raised while producing signed file.
Traceback (most recent call last):
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 959, in _perform_presign_signer_validation
signer_cert_validation_path = validator.validate_usage(key_usage)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/init.py", line 212, in validate_usage
self._validate_path()
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/init.py", line 127, in _validate_path
paths = self._context.certificate_registry.build_paths(self._certificate)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko_certvalidator/registry.py", line 314, in build_paths
raise PathBuildingError(pretty_message(
pyhanko_certvalidator.errors.PathBuildingError: Unable to build a validation path for the certificate "Common Name: dany, S.Sos., M.Si.; Title: Kepala Dinas; Organizational Unit: Dinas Pekerjaan; Organization: Pemerintah Kabupaten; Locality: Malang; State/Province: Jawa Timur; Country: ID" - no issuer matching "Common Name: Root CA iOTENTIK, Organizational Unit: iOTENTIK, Organization: Badan Pengkajian dan Penerapan Teknologi, Country: ID" was found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 75, in pyhanko_exception_manager
yield
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 781, in addsig_simple_signer
generic_sign_pdf(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/cli.py", line 791, in generic_sign_pdf
result = signers.PdfSigner(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 764, in sign_pdf
validation_info = signing_session.perform_presign_validation(pdf_out)
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 904, in perform_presign_validation
signer_path = self._perform_presign_signer_validation(
File "/home/dany/.local/lib/python3.8/site-packages/pyhanko/sign/signers/pdf_signer.py", line 961, in _perform_presign_signer_validation
raise SigningError(
pyhanko.sign.general.SigningError: ("The signer's certificate could not be validated", PathBuildingError('Unable to build a validation path for the certificate "Common Name: Dany, S.Sos., M.Si.; Title: Kepala Dinas; Organizational Unit: Dinas Pekerjaan; Organization: Pemerintah Kabupaten; Locality: Malang; State/Province: Jawa Timur; Country: ID" - no issuer matching "Common Name: Root CA iOTENTIK, Organizational Unit: iOTENTIK, Organization: Badan Pengkajian dan Penerapan Teknologi, Country: ID" was found'))
Error: Error raised while producing signed file.
dany@papa:~/sign$

[MatthiasValvekens]

Yes, that's still the same issue. The root cert for

Common Name: Root CA iOTENTIK, Organizational Unit: iOTENTIK, Organization: Badan Pengkajian dan Penerapan Teknologi, Country: ID

is not being found. It's probably just not available in your system trust. You'll want to add that Root CA cert to pyHanko's trust store, otherwise there's no path to validate, and no validation info to be included in the PDF file). My previous comment has a link to the relevant section in the documentation for how to do that.

As for where to find the root certificate, a Google search got me here: https://repository.govca.id/WaOnEmperoR/pdfverification/-/tree/79e9275a6cf7875fd9f5948c30acae413b4946e0/src/main/resources/static/certs.

[danytrih]

thanks
I will try your instructions

[danytrih]

Hello Matthias,

I have a new problem here
CLI has successfully generated pdf result
PAdES Signature Level: B-LT

But document has been corrupted

what configuration i missed ?

pyhanko.cfg
logging:
root-level: ERROR
root-output: stderr
by-module:
pyhanko_certvalidator:
level: DEBUG
output: pyhanko_certvalidator.log
pyhanko.sign:
level: DEBUG

stamp-styles:
mystyle:
type: text

validation-contexts:
pupr-setup:
trust: rootIO.pem
trust-replace: true
other-certs: g1IO.pem

dany@papa:~/sign$ /home/dany/.local/bin/pyhanko --verbose --config pyhanko.cfg sign addsig \

--style-name mystyle
--field Signature2 --timestamp-url http://tsa.govca.id
--with-validation-info
--validation-context pupr-setup
--use-pades pkcs12
cobaTTE.pdf cobaTTE-TSA-embed.pdf certifikat.pfx
2021-08-01 12:13:02,192 - root - DEBUG - Running with --verbose
2021-08-01 12:13:02,193 - root - DEBUG - Finished reading configuration from <_io.TextIOWrapper name='pyhanko.cfg' mode='r' encoding='UTF-8'>.
PKCS#12 passphrase:
2021-08-01 12:13:11,793 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): tsa.govca.id:80
2021-08-01 12:13:11,901 - urllib3.connectionpool - DEBUG - http://tsa.govca.id:80 "POST / HTTP/1.1" 200 5778
2021-08-01 12:13:11,992 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): iocsp.govca.id:80
2021-08-01 12:13:12,140 - urllib3.connectionpool - DEBUG - http://iocsp.govca.id:80 "POST / HTTP/1.1" 200 2248
2021-08-01 12:13:12,167 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): iocsp.govca.id:80
2021-08-01 12:13:12,359 - urllib3.connectionpool - DEBUG - http://iocsp.govca.id:80 "POST / HTTP/1.1" 200 2560
2021-08-01 12:13:12,402 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): iocsp.govca.id:80
2021-08-01 12:13:12,633 - urllib3.connectionpool - DEBUG - http://iocsp.govca.id:80 "POST / HTTP/1.1" 200 2560
2021-08-01 12:13:12,746 - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): tsa.govca.id:80
2021-08-01 12:13:12,856 - urllib3.connectionpool - DEBUG - http://tsa.govca.id:80 "POST / HTTP/1.1" 200 5778
dany@papa:~/sign$

[MatthiasValvekens]

Hi,

This looks like it could be a bug, but I can't reproduce the behaviour you're seeing with my own test PDFs. Could you send both the input and output PDF to pyhanko.samples@mvalvekens.be, please? Chances are that this is a quirk in the input file's form structure that isn't being processed correctly, but either way I need to see the input and output PDFs to figure out what's happening.

Also, could you try signing this test file and see if the problem persists? The signature field is named Sig1.

[danytrih]

Hello Matthias,

I have sent an email to pyhanko.samples@mvalvekens.be
in the meantime I want to ask about prompted for a passphrase
I tried using the --passfile option, but I don't know the format of the contents of the password file
thank you for all your support.