pyhanko.sign.validation.generic_cms module
- pyhanko.sign.validation.generic_cms.validate_sig_integrity(signer_info: asn1crypto.cms.SignerInfo, cert: asn1crypto.x509.Certificate, expected_content_type: str, actual_digest: bytes, weak_hash_algorithms=frozenset({'md2', 'md5', 'sha1'})) → Tuple[bool, bool]
Validate the integrity of a signature for a particular signerInfo object inside a CMS signed data container.
Warning
This function does not do any trust checks, and is considered “dangerous” API because it is easy to misuse.
- Parameters
signer_info – A cms.SignerInfo object.
cert – The signer’s certificate.
Note
This function will not attempt to extract certificates from the signed data.
expected_content_type – The expected value for the content type attribute (as a Python string, see cms.ContentType).
actual_digest – The actual digest to be matched to the message digest attribute.
weak_hash_algorithms – List, tuple or set of weak hashing algorithms.
- Returns
A tuple of two booleans. The first indicates whether the provided digest matches the value in the signed attributes. The second indicates whether the signature of the digest is valid.
- async pyhanko.sign.validation.generic_cms.async_validate_cms_signature(signed_data: asn1crypto.cms.SignedData, status_cls: typing.Type[pyhanko.sign.validation.generic_cms.StatusType] = <class 'pyhanko.sign.validation.status.SignatureStatus'>, raw_digest: typing.Optional[bytes] = None, validation_context: typing.Optional[pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: typing.Optional[dict] = None, key_usage_settings: typing.Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, encap_data_invalid=False)
Validate a CMS signature (i.e. a SignedData object).
- Parameters
signed_data – The asn1crypto.cms.SignedData object to validate.
status_cls – Status class to use for the validation result.
raw_digest – Raw digest, computed from context.
validation_context – Validation context to validate the signer’s certificate.
status_kwargs – Other keyword arguments to pass to the status_class when reporting validation results.
key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.
encap_data_invalid – If True, the encapsulated data inside the CMS is invalid, but the remaining validation logic still has to be run (e.g. a timestamp token, which requires validation of the embedded message imprint).
This option is considered internal API, the semantics of which may change without notice in the future.
- Returns
A SignatureStatus object (or an instance of a proper subclass).
- async pyhanko.sign.validation.generic_cms.collect_timing_info(signer_info: asn1crypto.cms.SignerInfo, ts_validation_context: pyhanko_certvalidator.context.ValidationContext, raw_digest: bytes)
Collect and validate timing information in a SignerInfo value. This includes the signingTime attribute, content timestamp information and signature timestamp information.
- Parameters
signer_info – A SignerInfo value.
ts_validation_context – The timestamp validation context to validate against.
raw_digest – The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one).
- async pyhanko.sign.validation.generic_cms.validate_tst_signed_data(tst_signed_data: asn1crypto.cms.SignedData, validation_context: pyhanko_certvalidator.context.ValidationContext, expected_tst_imprint: bytes)
Validate the SignedData of a time stamp token.
- Parameters
tst_signed_data – The SignedData value to validate; must encapsulate a TSTInfo value.
validation_context – The validation context to validate against.
expected_tst_imprint – The expected message imprint value that should be contained in the encapsulated TSTInfo.
- Returns
Keyword arguments for a TimeStampSignatureStatus.
- async pyhanko.sign.validation.generic_cms.async_validate_detached_cms(input_data: Union[bytes, IO, asn1crypto.cms.ContentInfo, asn1crypto.cms.EncapsulatedContentInfo], signed_data: asn1crypto.cms.SignedData, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ac_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, chunk_size=4096, max_read=None) → pyhanko.sign.validation.status.StandardCMSSignatureStatus
Validate a detached CMS signature.
- Parameters
input_data – The input data to sign. This can be either a bytes object, a file-like object or a cms.ContentInfo / cms.EncapsulatedContentInfo object.
If a CMS content info object is passed in, the content field will be extracted.
signed_data – The cms.SignedData object containing the signature to verify.
signer_validation_context – Validation context to use to verify the signer certificate’s trust.
ts_validation_context – Validation context to use to verify the TSA certificate’s trust, if a timestamp token is present. By default, the same validation context as that of the signer is used.
ac_validation_context – Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed.
Note
RFC 5755 requires attribute authority trust roots to be specified explicitly; hence why there’s no default.
key_usage_settings – Key usage parameters for the signer.
chunk_size – Chunk size to use when consuming input data.
max_read – Maximal number of bytes to read from the input stream.
- Returns
A description of the signature’s status.
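Added example (not pyHanko's own code): one way a caller could compute the digest passed as actual_digest or raw_digest, consuming the input in chunk_size pieces, stopping at max_read, and refusing the algorithms in the default weak_hash_algorithms set. The helper names digest_input and digest_matches and the sample data are assumptions of this example; it uses only the Python standard library.

```python
import hashlib
import hmac
import io
from typing import IO, Optional, Union

# Same default as the weak_hash_algorithms parameter documented on this page.
WEAK_HASH_ALGORITHMS = frozenset({'md2', 'md5', 'sha1'})


def digest_input(input_data: Union[bytes, IO], md_algorithm: str,
                 chunk_size: int = 4096, max_read: Optional[int] = None,
                 weak_hash_algorithms=WEAK_HASH_ALGORITHMS) -> bytes:
    """Hash input_data in chunks, reading at most max_read bytes."""
    md_algorithm = md_algorithm.lower()
    if md_algorithm in weak_hash_algorithms:
        raise ValueError(f"weak hash algorithm refused: {md_algorithm}")
    stream = io.BytesIO(input_data) if isinstance(input_data, bytes) else input_data
    md = hashlib.new(md_algorithm)
    remaining = max_read
    while remaining is None or remaining > 0:
        want = chunk_size if remaining is None else min(chunk_size, remaining)
        chunk = stream.read(want)
        if not chunk:
            break
        md.update(chunk)
        if remaining is not None:
            remaining -= len(chunk)
    return md.digest()


def digest_matches(actual_digest: bytes, message_digest_attr: bytes) -> bool:
    """Constant-time comparison against the signed message-digest attribute."""
    return hmac.compare_digest(actual_digest, message_digest_attr)


# Constructed sample: 10 000 signed bytes followed by bytes appended later.
SIGNED = b"A" * 10_000
TAMPERED_STREAM = SIGNED + b"appended after signing"
# Stand-in for the message-digest value carried in the signed attributes.
SIGNED_ATTR_DIGEST = hashlib.sha256(SIGNED).digest()

if __name__ == "__main__":
    whole = digest_input(io.BytesIO(TAMPERED_STREAM), "sha256")
    bounded = digest_input(io.BytesIO(TAMPERED_STREAM), "sha256",
                           max_read=len(SIGNED))
    print(digest_matches(whole, SIGNED_ATTR_DIGEST))
    print(digest_matches(bounded, SIGNED_ATTR_DIGEST))
```

With a stream that carries extra bytes after the signed content, only the read bounded by max_read reproduces the signed digest.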
- async pyhanko.sign.validation.generic_cms.cms_basic_validation(signed_data: asn1crypto.cms.SignedData, status_cls: typing.Type[pyhanko.sign.validation.generic_cms.StatusType] = <class 'pyhanko.sign.validation.status.SignatureStatus'>, raw_digest: typing.Optional[bytes] = None, validation_context: typing.Optional[pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: typing.Optional[dict] = None, key_usage_settings: typing.Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, encap_data_invalid=False)
Perform basic validation of CMS and PKCS#7 signatures in isolation (i.e. integrity and trust checks).
Internal API.
- pyhanko.sign.validation.generic_cms.compute_signature_tst_digest(signer_info: asn1crypto.cms.SignerInfo) → Optional[bytes]
Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token.
Internal API.
- Parameters
signer_info – A SignerInfo value.
- Returns
The computed digest, or None if there is no signature timestamp.
- pyhanko.sign.validation.generic_cms.extract_tst_data(signer_info, signed=False) → Optional[asn1crypto.cms.SignedData]
Extract signed data associated with a timestamp token.
Internal API.
- Parameters
signer_info – A SignerInfo value.
signed – If True, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes).
- Returns
The SignedData value found, or None.
- pyhanko.sign.validation.generic_cms.extract_self_reported_ts(signer_info: asn1crypto.cms.SignerInfo) → Optional[datetime.datetime]
Extract self-reported timestamp (from the signingTime attribute).
Internal API.
- Parameters
signer_info – A SignerInfo value.
- Returns
The value of the signingTime attribute as a datetime, or None.
- pyhanko.sign.validation.generic_cms.extract_certs_for_validation(signed_data: asn1crypto.cms.SignedData) → pyhanko.sign.general.SignedDataCerts
Extract certificates from a CMS signed data object for validation purposes, identifying the signer’s certificate in accordance with ETSI EN 319 102-1, 5.2.3.4.
- Parameters
signed_data – The CMS payload.
- Returns
The extracted certificates.
- async pyhanko.sign.validation.generic_cms.collect_signer_attr_status(sd_attr_certificates: Iterable[asn1crypto.cms.AttributeCertificateV2], signer_cert: asn1crypto.x509.Certificate, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext], sd_signed_attrs: asn1crypto.cms.CMSAttributes)