Signing PDF from P12 with chain and TS

[machobymb1]

Hi Matthias!
Help me please!
I want to sign PDFs. The certificate is in a P12 file (there are a root and an intermediate certificate in the chain),
I got as far as being able to sign the PDF. But when I click on the visual signature in the PDF, I get that the signature is not validated.

My first question: how will it be validated?
My second question: how can I get a timestamp if I connect to the server with a certificate in a signed p12?
Thx!

[MatthiasValvekens]

Hi,

Please show at least the relevant section of your code and the full stack trace for that error thrown during validation, it's impossible to tell what's going on with just the info you gave in your post ;).

Also, if I want to use a password protected certificate in P12 to access a timestamp server, I am not successful

This is not entirely unexpected, since authenticating to a timestamping service using mutual TLS is not (currently) supported natively in pyHanko. It wouldn't be particularly hard to implement yourself, though. But either way, this error is likely because the certificate presented by the server is not trusted on your system.

Either way, impossible to tell without seeing code/full stack trace.

[machobymb1]

`from pyhanko import stamp
from pyhanko.pdf_utils import text, images
from pyhanko.pdf_utils.font import opentype
from pyhanko.sign import fields, signers, general, timestamps
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
import pyhanko_certvalidator

def sign_pdf_with_timestamp(pdf_path, p12_path, p12_password, output_path, ts_server, ts_cert_path, ts_cert_password):
signer = signers.SimpleSigner.load_pkcs12(pfx_file=p12_path, passphrase=p12_password)

# the timestamp server connection not working
tsper = timestamps.HTTPTimeStamper(url=ts_server, certificate=ts_cert_path, password=ts_cert_password, https=True)

root_cer = general.load_cert_from_pemder("ROOT CA file")
sub = general.load_cert_from_pemder("Intermediate CA file")

with open(pdf_path, "rb") as doc:
    w = IncrementalPdfFileWriter(doc, strict=False)
    meta = signers.PdfSignatureMetadata(
        field_name="SigField", md_algorithm="sha256", reason="", location="",
        subfilter=fields.SigSeedSubFilter.PADES,
        validation_context=pyhanko_certvalidator.ValidationContext(allow_fetching=True,
                                                                   trust_roots=[signer.signing_cert],
                                                                   extra_trust_roots=[root_cer, sub]),
        embed_validation_info=True, use_pades_lta=True
    )
    fields.append_signature_field(w,
                           sig_field_spec=fields.SigFieldSpec(sig_field_name="SigField", box=(10, 10, 210, 110),
                                                       visible_sig_settings=fields.VisibleSigSettings(rotate_with_page=True))
                           )
    pdf_signer = signers.PdfSigner(
        signature_meta=meta, signer=signer, stamp_style=stamp.TextStampStyle(
            stamp_text="Signed by: %(signer)s\nTimestamp: %(ts)s",
            text_box_style=text.TextBoxStyle(
                font=opentype.GlyphAccumulatorFactory("Arial.ttf")
            ), border_width=0
        ),
        #timestamper=tsper
    )

    with open(output_path, 'wb') as outf:
        pdf_signer.sign_pdf(
            w, output=outf
        )

Example usage:

sign_pdf_with_timestamp(
"input.pdf",
"P12 file to signing",
b"P12 password to signing",
"signed.pdf",
"TSA server URL",
"P12 file to TSA connection",
b"P12 password to TSA connection"
)`

[MatthiasValvekens]

The fact that the certs are ECC is not a problem, but as I said before, there is no built-in support for mTLS authentication towards timestamping servers currently. If you want/need that, you'll either have to roll it yourself, or wait for me to implement it (that could take a while because I need time to find tools to test that integration).

I'm confused by the parameters you are passing to HTTPTimeStamper, because not all of them are even defined in the library...

[machobymb1]

II also tried using requests-pkcs12 and rfc3161ng to retrieve the timestamp, but failed.
My code with requests-pkcs12:

    with requests.Session() as s:
        s.mount(ts_server,
                requests_pkcs12.Pkcs12Adapter(pkcs12_filename=ts_cert_path, pkcs12_password=ts_cert_password))
        r = s.get(ts_server)

The error is:
requests.exceptions.SSLError: HTTPSConnectionPool(host='tsa_server_url', port=443): Max retries exceeded with url: /ts (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))

[machobymb1]

I modified the code:

    data = 'example'
    with requests.Session() as s:
        s.mount(ts_server,
                requests_pkcs12.Pkcs12Adapter(pkcs12_filename=ts_cert_path, pkcs12_password=ts_cert_password))
        headers = {'Content-Type': 'application/timestamp-query', 'Accept': 'text/plain'}
        r = s.post(ts_server, verify='root.cer', headers=headers, data=data)
        print(r.content.decode('utf-8'))

In the last row return "0 0�������".