pyhanko.sign.validation module

Direct members

This package also exports a number of convenience functions at the package level. These are all synchronous wrappers around asynchronous functions. Some are deprecated and preserved only for compatibility reasons.

pyhanko.sign.validation.validate_pdf_signature(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.policy_api.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, skip_diff: bool = False) → pyhanko.sign.validation.status.PdfSignatureStatus

Changed in version 0.9.0: Wrapper around async_validate_pdf_signature().

Validate a PDF signature.

Parameters
  • embedded_sig – Embedded signature to evaluate.

  • signer_validation_context – Validation context to use to validate the signature’s chain of trust.

  • ts_validation_context – Validation context to use to validate the timestamp’s chain of trust (defaults to signer_validation_context).

  • diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to DEFAULT_DIFF_POLICY.

  • key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.

  • skip_diff – If True, skip the difference analysis step entirely.

Returns

The status of the PDF signature in question.
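A fail-closed way to act on the returned status, as an added example that is not part of the pyHanko documentation. The function names rejection_reasons and check_pdf are hypothetical, trust_roots is assumed to be a list of already-loaded root certificates, and the status attributes and the reader's embedded_regular_signatures property come from pyHanko but are not described on this page.

```python
def rejection_reasons(status, diff_skipped=False):
    """Return reasons to reject a PdfSignatureStatus; an empty list means accept."""
    reasons = []
    if not status.intact:
        reasons.append("digest of the signed content does not match")
    if not status.valid:
        reasons.append("signature value does not verify")
    if not status.trusted:
        reasons.append("signer certificate not trusted in this validation context")
    if diff_skipped:
        # Nothing appended after the signed revision was evaluated: fail closed.
        reasons.append("difference analysis skipped")
    elif not status.docmdp_ok:
        # None (undetermined) and False are both treated as a failure.
        reasons.append("changes after signing not shown to comply with the diff policy")
    if not reasons and not status.bottom_line:
        # Catch-all for any other check folded into the overall verdict.
        reasons.append("bottom_line is False")
    return reasons


def check_pdf(path, trust_roots, skip_diff=False):
    """Validate every regular signature in `path`; map field name -> reasons."""
    # Local imports: rejection_reasons() can be exercised without pyHanko installed.
    from pyhanko.pdf_utils.reader import PdfFileReader
    from pyhanko.sign.validation import validate_pdf_signature
    from pyhanko.sign.validation.settings import KeyUsageConstraints
    from pyhanko_certvalidator import ValidationContext

    vc = ValidationContext(trust_roots=trust_roots)
    # Assumed policy for this example: signer key must allow non-repudiation.
    usage = KeyUsageConstraints(key_usage={"non_repudiation"})
    with open(path, "rb") as fh:
        sigs = PdfFileReader(fh).embedded_regular_signatures
        if not sigs:
            return {"(document)": ["no signature present"]}
        results = {}
        for sig in sigs:
            status = validate_pdf_signature(
                sig, signer_validation_context=vc,
                key_usage_settings=usage, skip_diff=skip_diff,
            )
            results[sig.field_name] = rejection_reasons(status, skip_diff)
        return results
```

Document timestamps are excluded here because they are validated with validate_pdf_timestamp() instead.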

pyhanko.sign.validation.validate_cms_signature(signed_data: asn1crypto.cms.SignedData, status_cls: typing.Type[pyhanko.sign.validation.StatusType] = <class 'pyhanko.sign.validation.status.SignatureStatus'>, raw_digest: typing.Optional[bytes] = None, validation_context: typing.Optional[pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: typing.Optional[dict] = None, key_usage_settings: typing.Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, encap_data_invalid=False)

Deprecated since version 0.9.0: Use async_validate_cms_signature() instead.

Changed in version 0.7.0: Now handles both detached and enveloping signatures.

Validate a CMS signature (i.e. a SignedData object).

Parameters
  • signed_data – The asn1crypto.cms.SignedData object to validate.

  • status_cls – Status class to use for the validation result.

  • raw_digest – Raw digest, computed from context.

  • validation_context – Validation context to validate the signer’s certificate.

  • status_kwargs – Other keyword arguments to pass to status_cls when reporting validation results.

  • key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.

  • encap_data_invalid

    If True, the encapsulated data inside the CMS is invalid, but the remaining validation logic still has to be run (e.g. a timestamp token, which requires validation of the embedded message imprint).

    This option is considered internal API, the semantics of which may change without notice in the future.

Returns

A SignatureStatus object (or an instance of a proper subclass).

pyhanko.sign.validation.validate_detached_cms(input_data: Union[bytes, IO, asn1crypto.cms.ContentInfo, asn1crypto.cms.EncapsulatedContentInfo], signed_data: asn1crypto.cms.SignedData, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, chunk_size=4096, max_read=None) → pyhanko.sign.validation.status.StandardCMSSignatureStatus

Deprecated since version 0.9.0: Use generic_cms.async_validate_detached_cms() instead.

Validate a detached CMS signature.

Parameters
  • input_data

    The input data that was signed, i.e. the data covered by the detached signature. This can be either a bytes object, a file-like object or a cms.ContentInfo / cms.EncapsulatedContentInfo object.

    If a CMS content info object is passed in, the content field will be extracted.

  • signed_data – The cms.SignedData object containing the signature to verify.

  • signer_validation_context – Validation context to use to verify the signer certificate’s trust.

  • ts_validation_context – Validation context to use to verify the TSA certificate’s trust, if a timestamp token is present. By default, the same validation context as that of the signer is used.

  • key_usage_settings – Key usage parameters for the signer.

  • chunk_size – Chunk size to use when consuming input data.

  • max_read – Maximal number of bytes to read from the input stream.

Returns

A description of the signature’s status.

pyhanko.sign.validation.validate_pdf_timestamp(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.policy_api.DiffPolicy] = None, skip_diff: bool = False) → pyhanko.sign.validation.status.DocumentTimestampStatus

Changed in version 0.9.0: Wrapper around async_validate_pdf_timestamp().

Validate a PDF document timestamp.

Parameters
  • embedded_sig – Embedded signature to evaluate.

  • validation_context – Validation context to use to validate the timestamp’s chain of trust.

  • diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to DEFAULT_DIFF_POLICY.

  • skip_diff – If True, skip the difference analysis step entirely.

Returns

The status of the PDF timestamp in question.

pyhanko.sign.validation.validate_pdf_ltv_signature(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, validation_type: pyhanko.sign.validation.ltv.RevocationInfoValidationType, validation_context_kwargs=None, bootstrap_validation_context=None, force_revinfo=False, diff_policy: Optional[pyhanko.sign.diff_analysis.policy_api.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, skip_diff: bool = False) → pyhanko.sign.validation.status.PdfSignatureStatus

Changed in version 0.9.0: Wrapper around async_validate_pdf_ltv_signature().

Validate a PDF LTV signature according to a particular profile.

Parameters
  • embedded_sig – Embedded signature to evaluate.

  • validation_type – Validation profile to use.

  • validation_context_kwargs – Keyword args to instantiate pyhanko_certvalidator.ValidationContext objects needed over the course of the validation.

  • bootstrap_validation_context – Validation context used to validate the current timestamp.

  • force_revinfo – Require all certificates encountered to have some form of live revocation checking provisions.

  • diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to DEFAULT_DIFF_POLICY.

  • key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.

  • skip_diff – If True, skip the difference analysis step entirely.

Returns

The status of the signature.

pyhanko.sign.validation.add_validation_info(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, validation_context: pyhanko_certvalidator.context.ValidationContext, skip_timestamp=False, add_vri_entry=True, in_place=False, output=None, force_write=False, chunk_size=4096)

Changed in version 0.9.0: Wrapper around async_add_validation_info().

Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update.

Parameters
  • embedded_sig – The signature for which the revocation information needs to be collected.

  • validation_context – The validation context to use.

  • skip_timestamp – If True, do not attempt to validate the timestamp attached to the signature, if one is present.

  • add_vri_entry – Add a /VRI entry for this signature to the document security store. Default is True.

  • output – Write the output to the specified output stream. If None, write to a new BytesIO object. Default is None.

  • in_place – Write the update to the original input stream in-place. This parameter overrides output.

  • chunk_size – Chunk size parameter to use when copying output to a new stream (irrelevant if in_place is True).

  • force_write – Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS).

Returns

The (file-like) output object to which the result was written.