Validation with all trusted root certificates

[spapas]

Hello friends, I'm trying to understand how validation is supposed to work. In the examples it seems to want to read a root certificate from a file like root_cert = load_cert_from_pemder('path/to/certfile') and then use that to validate the signature with vc = ValidationContext(trust_roots=[root_cert]).

The thing is that this will only work if I know a priori the root certifiactes that I trust. How could I validate with all certificates thata re universally trusted (i.e by my operating system)? For example, in Adobe Acrobat you don't need to define which root certificates to trust, it just knows which are trusted (I guess by the operating system).

Is there a way for me to achive a similar functionaltiy with pyhanko validation? This way of using the validation functionality seems too obvious to me unless I don't understand or miss something :|

Thank you

[spapas]

Hey friends, I didn't get any answers on that. Is what I'm asking viable? Can it be done somehow ?

[MatthiasValvekens]

Hi @spapas, that's the default behaviour if you don't specify trust_roots ;).

This is documented in the docstring for ValidationContext.__init__, but apparently that is not picked up by the documentation generator. I should do something about that (holdover from certvalidator prior to me forking it, so I didn't notice).

Background notes: Fetching/describing the system trust is of course a very platform-dependent operation. In the background, pyHanko uses oscrypto to abstract that away, but beware that depending on what kind of validation you are performing, the system trust could contain a bunch of certs that you don't actually want to trust for document signing purposes--most of those roots are intended for website authentication only. You could try to filter the list, but in practice that's (again) a platform-dependent operation, and even then it's far from fool-proof. FYI: Acrobat manages its own trust list. Similarly, the EU also maintains a list of all "accredited" CAs for document signing (and other) purposes. As with all things in this space, whether or not you want to "blindly" adopt the system trust depends on your use case.

[spapas]

Thank you for the asnwer! I actually tried it wihout the trust_roots, i.e used something like this

vc = ValidationContext()

with open(r"C:\progr\test.pdf", "rb") as doc:
    r = PdfFileReader(doc)
    sig = r.embedded_signatures[0]
    status = validate_pdf_signature(sig, vc)
    print(status.pretty_print_details())

but it told me that The signature is judged INVALID.

My problem was that I was using a proper EU signed certificate so I expected it to be valid; however the trick is that (as you mention)

Acrobat manages its own trust list

so although adobe acrobat reader says that my document is valid, when opening the certificate with windows it doesn't trust it.

So, the ideal would be to have a way to trust the same certificates that adobe actobat trusts (since this program is a de facto document validity checker) but I understand that this probably is too difficult or impossible.

So for now I'll trust the root certificate of the issuing authority and see how it goes from there.

Thank you!

[MatthiasValvekens]

Ah right, if you are using a certificate on the EUTL, you can get those trust roots online if you know how to parse that kind of file: https://ec.europa.eu/tools/lotl/eu-lotl.xml (this one has pointers to all national trust lists). I don't know of a practical way to get access to the AATL (Adobe's trust list) in a systematic way.

There's some very experimental code to parse EU trust lists on this branch, by the way: https://github.com/MatthiasValvekens/pyHanko/tree/feature/qualified-certs (but it doesn't support list-of-lists like the one I linked above, yet).

EDIT: actually, that branch is overdue for a rebase, lemme fix that.

[spapas]

Hey @MatthiasValvekens this is very useful, thank you! Being able to parse and trust the greece trust list would be enough for my needs. I took a peek at the branch but was a little lost because there was a lot of stuff there! If you could give me some hints on how to use this I'd be grateful.

TIA,
Serafeim

[MatthiasValvekens]

Hi,

It's experimental so somewhat janky and subject to change, but the idea is that you instantiate a TSPRegistry and populate it with the output of read_qualified_certificate_authorities. Then you create a TSPTrustManager from your TSPRegistry, which can be used by a ValidationContext to get trust roots.

Part of the "jank factor" is that the code currently only supports getting qualified CAs, but it disregards things like qualified timestamp providers and the like, which can mess with your validation depending on various factors. But perhaps you can leverage what's already there to get something that works for you.