pyhanko.config module

class pyhanko.config.StdLogOutput(value)

Bases: enum.Enum

An enumeration.

STDERR = 1
STDOUT = 2

class pyhanko.config.LogConfig(level: Union[int, str], output: Union[pyhanko.config.StdLogOutput, str])

Bases: object

level: Union[int, str]

Logging level, should be one of the levels defined in the logging module.

output: Union[pyhanko.config.StdLogOutput, str]

Name of the output file, or a standard one.

static parse_output_spec(spec) → Union[pyhanko.config.StdLogOutput, str]

class pyhanko.config.CLIConfig(validation_contexts: Dict[str, dict], stamp_styles: Dict[str, dict], default_validation_context: str, default_stamp_style: str, time_tolerance: datetime.timedelta, retroactive_revinfo: bool, log_config: Dict[Union[str, NoneType], pyhanko.config.LogConfig], pemder_setups: Dict[str, dict], pkcs12_setups: Dict[str, dict], pkcs11_setups: Dict[str, dict], beid_module_path: Union[str, NoneType])

Bases: object

validation_contexts: Dict[str, dict]
stamp_styles: Dict[str, dict]
default_validation_context: str
default_stamp_style: str
time_tolerance: datetime.timedelta
retroactive_revinfo: bool
log_config: Dict[Optional[str], pyhanko.config.LogConfig]
pemder_setups: Dict[str, dict]
pkcs12_setups: Dict[str, dict]
pkcs11_setups: Dict[str, dict]
beid_module_path: Optional[str]
get_validation_context(name=None, as_dict=False)
get_signer_key_usages(name=None) → pyhanko.sign.validation.settings.KeyUsageConstraints
get_stamp_style(name=None) → pyhanko.stamp.TextStampStyle
get_pkcs11_config(name)
get_pkcs12_config(name)
get_pemder_config(name)

pyhanko.config.init_validation_context_kwargs(*, trust, trust_replace, other_certs, retroactive_revinfo=False, time_tolerance=None)
pyhanko.config.parse_trust_config(trust_config, time_tolerance, retroactive_revinfo) → dict
pyhanko.config.parse_logging_config(log_config_spec) → Dict[Optional[str], pyhanko.config.LogConfig]

class pyhanko.config.PKCS12SignatureConfig(pfx_file: str, other_certs: Optional[List[asn1crypto.x509.Certificate]] = None, pfx_passphrase: Optional[bytes] = None, prompt_passphrase: bool = True, prefer_pss: bool = False)

Bases: pyhanko.pdf_utils.config_utils.ConfigurableMixin

Configuration for a signature using key material on disk, contained in a PKCS#12 bundle.

pfx_file: str

Path to the PKCS#12 file.

other_certs: List[asn1crypto.x509.Certificate] = None

Other relevant certificates.

pfx_passphrase: bytes = None

PKCS#12 passphrase (if relevant).

prompt_passphrase: bool = True

Prompt for the PKCS#12 passphrase. Default is True.

Note

If key_passphrase is not None, this setting has no effect.

prefer_pss: bool = False

Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.

classmethod process_entries(config_dict)

Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).

Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.

Parameters

config_dict – A dictionary containing configuration values.

Raises

ConfigurationError – when there is a problem processing a relevant entry.

instantiate(provided_pfx_passphrase: Optional[bytes] = None) → pyhanko.sign.signers.pdf_cms.SimpleSigner

class pyhanko.config.PemDerSignatureConfig(key_file: str, cert_file: str, other_certs: Optional[List[asn1crypto.x509.Certificate]] = None, key_passphrase: Optional[bytes] = None, prompt_passphrase: bool = True, prefer_pss: bool = False)

Bases: pyhanko.pdf_utils.config_utils.ConfigurableMixin

Configuration for a signature using PEM or DER-encoded key material on disk.

key_file: str

Signer’s private key.

cert_file: str

Signer’s certificate.

other_certs: List[asn1crypto.x509.Certificate] = None

Other relevant certificates.

key_passphrase: bytes = None

Signer’s key passphrase (if relevant).

prompt_passphrase: bool = True

Prompt for the key passphrase. Default is True.

Note

If key_passphrase is not None, this setting has no effect.

prefer_pss: bool = False

Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.

classmethod process_entries(config_dict)

Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).

Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.

Parameters

config_dict – A dictionary containing configuration values.

Raises

ConfigurationError – when there is a problem processing a relevant entry.

instantiate(provided_key_passphrase: Optional[bytes] = None) → pyhanko.sign.signers.pdf_cms.SimpleSigner

class pyhanko.config.PKCS11SignatureConfig(module_path: str, cert_label: Optional[str] = None, cert_id: Optional[bytes] = None, signing_certificate: Optional[asn1crypto.x509.Certificate] = None, token_label: Optional[str] = None, other_certs: Optional[List[asn1crypto.x509.Certificate]] = None, key_label: Optional[str] = None, key_id: Optional[bytes] = None, slot_no: Optional[int] = None, user_pin: Optional[str] = None, prompt_pin: bool = True, other_certs_to_pull: Optional[Iterable[str]] = (), bulk_fetch: bool = True, prefer_pss: bool = False, raw_mechanism: bool = False)

Bases: pyhanko.pdf_utils.config_utils.ConfigurableMixin

Configuration for a PKCS#11 signature.

This class is used to load PKCS#11 setup information from YAML configuration.

module_path: str

Path to the PKCS#11 module shared object.

cert_label: Optional[str] = None

PKCS#11 label of the signer’s certificate.

cert_id: Optional[bytes] = None

PKCS#11 ID of the signer’s certificate.

signing_certificate: Optional[asn1crypto.x509.Certificate] = None

The signer’s certificate. If present, cert_id and cert_label will not be used to obtain the signer’s certificate from the PKCS#11 token.

Note

This can be useful in case the signer’s certificate is not available on the token, or if you would like to present a different certificate than the one provided on the token.

token_label: Optional[str] = None

PKCS#11 token name.

other_certs: List[asn1crypto.x509.Certificate] = None

Other relevant certificates.

key_label: Optional[str] = None

PKCS#11 label of the signer’s private key. Defaults to cert_label if the latter is specified and key_id is not.

key_id: Optional[bytes] = None

PKCS#11 key ID.

slot_no: Optional[int] = None

Slot number of the PKCS#11 slot to use.

user_pin: Optional[str] = None

The user’s PIN. If unspecified, the user will be prompted for a PIN if prompt_pin is True.

Warning

Some PKCS#11 tokens do not allow the PIN code to be communicated in this way, but manage their own authentication instead (the Belgian eID middleware is one such example). For such tokens, leave this setting set to None and additionally set prompt_pin to False.

prompt_pin: bool = True

Prompt for the user’s PIN. Default is True.

Note

If user_pin is not None, this setting has no effect.

other_certs_to_pull: Optional[Iterable[str]] = ()

List of labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If None, pull all certificates.

bulk_fetch: bool = True

Boolean indicating the fetching strategy. If True, fetch all certs and filter the unneeded ones. If False, fetch the requested certs one by one. Default value is True, unless other_certs_to_pull has one or fewer elements, in which case it is always treated as False.

prefer_pss: bool = False

Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.

raw_mechanism: bool = False

Invoke the raw variant of the PKCS#11 signing operation.

Note

This is currently only supported for ECDSA signatures.

classmethod process_entries(config_dict)

Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).

Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.

Parameters

config_dict – A dictionary containing configuration values.

Raises

ConfigurationError – when there is a problem processing a relevant entry.

pyhanko.config.parse_cli_config(yaml_str) → pyhanko.config.CLIConfig
pyhanko.config.process_config_dict(config_dict: dict) → dict
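
Added example (not part of pyHanko or its documentation): a stand-alone Python model of the PIN/passphrase, key_label and bulk_fetch rules documented above for the three signature configuration classes, used to flag setups that keep a secret in the configuration itself. It does not import pyhanko; the function names, the SAMPLE data, and the assumption that setup keys are spelled like the attribute names on this page are illustrative.

```python
# Stand-alone model of rules documented on this page; does not import pyhanko.
# Function names and SAMPLE are hypothetical; setup keys are assumed to be
# spelled like the attribute names listed above.
SECRET_FIELDS = {  # section -> (secret field, prompt field)
    "pkcs11_setups": ("user_pin", "prompt_pin"),
    "pkcs12_setups": ("pfx_passphrase", "prompt_passphrase"),
    "pemder_setups": ("key_passphrase", "prompt_passphrase"),
}

def secret_source(setup, secret_key, prompt_key):
    """Return where the PIN/passphrase for one setup comes from."""
    if setup.get(secret_key) is not None:
        return "inline"  # the prompt_* setting has no effect in this case
    # prompt_* defaults to True; False means no secret is supplied at all
    return "prompt" if setup.get(prompt_key, True) else "none"

def effective_pkcs11(setup):
    """Resolve the documented key_label and bulk_fetch defaults."""
    key_label = setup.get("key_label")
    if key_label is None and setup.get("key_id") is None:
        key_label = setup.get("cert_label")  # documented fallback
    to_pull = setup.get("other_certs_to_pull", ())
    bulk = setup.get("bulk_fetch", True)
    # Assumption: None (pull all) does not count as "one or fewer elements".
    if to_pull is not None and len(to_pull) <= 1:
        bulk = False  # always treated as False for one or fewer labels
    return {"key_label": key_label, "bulk_fetch": bulk, "pull_all": to_pull is None}

def audit(config):
    """List setups that keep a PIN or passphrase in the configuration."""
    findings = []
    for section, (secret_key, prompt_key) in SECRET_FIELDS.items():
        for name, setup in sorted(config.get(section, {}).items()):
            if secret_source(setup, secret_key, prompt_key) != "inline":
                continue
            findings.append(f"{section}.{name}: {secret_key} is stored in the configuration")
            if prompt_key in setup:
                findings.append(f"{section}.{name}: {prompt_key} is ignored because {secret_key} is set")
    return findings

SAMPLE = {  # constructed sample data, not a real deployment
    "pkcs11_setups": {
        "hsm": {"module_path": "/path/to/module.so", "cert_label": "signer",
                "user_pin": "1234", "prompt_pin": False, "other_certs_to_pull": ["ca"]},
        "eid": {"module_path": "/path/to/eid-module.so", "prompt_pin": False,
                "other_certs_to_pull": None},
    },
    "pkcs12_setups": {"p12": {"pfx_file": "signer.p12"}},
    "pemder_setups": {"pem": {"key_file": "key.pem", "cert_file": "cert.pem",
                              "key_passphrase": b"secret"}},
}
```

Calling audit(SAMPLE) reports the "hsm" and "pem" setups; the "eid" setup models the token-managed authentication case from the user_pin warning (user_pin left as None, prompt_pin set to False).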