pyhanko.sign.validation.ltv module
- class pyhanko.sign.validation.ltv.RevocationInfoValidationType(value)
Bases: enum.Enum
Indicates a validation profile to use when validating revocation info.
- ADOBE_STYLE = 'adobe'
Retrieve validation information from the CMS object, using Adobe’s revocation info archival attribute.
- PADES_LT = 'pades'
Retrieve validation information from the DSS, and require the signature’s embedded timestamp to still be valid.
- PADES_LTA = 'pades-lta'
Retrieve validation information from the DSS, and additionally read and validate the chain of document timestamps leading up to the signature, to establish the integrity of the validation information at the time of signing.
- classmethod as_tuple()
- pyhanko.sign.validation.ltv.apply_adobe_revocation_info(signer_info: asn1crypto.cms.SignerInfo, validation_context_kwargs=None) pyhanko_certvalidator.context.ValidationContext
Read Adobe-style revocation information from a CMS object, and load it into a validation context.
- Parameters
signer_info – Signer info CMS object.
validation_context_kwargs – Extra kwargs to pass to the pyhanko_certvalidator.context.ValidationContext __init__ function.
- Returns
A validation context preloaded with the relevant revocation information.
- pyhanko.sign.validation.ltv.retrieve_adobe_revocation_info(signer_info: asn1crypto.cms.SignerInfo)
Retrieve Adobe-style revocation information from a SignerInfo value, if present. Internal API.
- Parameters
signer_info – A SignerInfo value.
- Returns
A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively.
- pyhanko.sign.validation.ltv.get_timestamp_chain(reader: pyhanko.pdf_utils.reader.PdfFileReader) Iterator[pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature]
Get the document timestamp chain of the associated reader, ordered from new to old.
- Parameters
reader – A PdfFileReader.
- Returns
An iterable of EmbeddedPdfSignature objects representing document timestamps.
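What a consumer of this chain does with the new-to-old ordering, as an added example that is not pyHanko's implementation: the newest document timestamp is judged at the present moment, each older one at the time asserted by the timestamp before it, and the time that survives the walk is the point at which the signature's own certificate and revocation data are evaluated (this is the reasoning behind the PADES_LTA profile above and the failure mode described under establish_timestamp_trust below). The DocTimestamp records, the dates and the helper names are constructed for the illustration.

```python
"""Model of how trust flows down a document-timestamp chain (added example, not pyHanko code)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Sequence


class TimestampTrustError(Exception):
    """A timestamp in the chain could not be trusted at the time handed down to it."""


@dataclass(frozen=True)
class DocTimestamp:
    """Constructed stand-in for one document timestamp; these are not pyHanko objects."""
    label: str
    gen_time: datetime        # the TSTInfo genTime the TSA asserts
    tsa_not_before: datetime  # validity window of the TSA signing certificate
    tsa_not_after: datetime
    imprint_matches: bool     # whether the message imprint matches the revision it covers


def walk_timestamp_chain(chain_new_to_old: Sequence[DocTimestamp], now: datetime) -> datetime:
    """Return the time at which the signature itself may be evaluated.

    The newest timestamp is judged at the present time; every older one is judged
    at the time asserted by the timestamp after it, so a broken link cannot be
    bridged by an older, already-expired one.
    """
    validation_time = now
    for ts in chain_new_to_old:
        if not ts.imprint_matches:
            raise TimestampTrustError(f"{ts.label}: message imprint does not match the data it covers")
        if not (ts.tsa_not_before <= validation_time <= ts.tsa_not_after):
            raise TimestampTrustError(
                f"{ts.label}: TSA certificate not valid at {validation_time:%Y-%m-%d}"
            )
        if ts.gen_time > validation_time:
            raise TimestampTrustError(
                f"{ts.label}: claims {ts.gen_time:%Y-%m-%d}, later than the trusted {validation_time:%Y-%m-%d}"
            )
        validation_time = ts.gen_time
    return validation_time


# Constructed scenario: signed in early 2020, re-timestamped in 2022, checked in 2024.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
TS_2020 = DocTimestamp(
    label="docts-2020",
    gen_time=datetime(2020, 3, 1, tzinfo=UTC),
    tsa_not_before=datetime(2019, 1, 1, tzinfo=UTC),
    tsa_not_after=datetime(2023, 1, 1, tzinfo=UTC),   # this TSA certificate has since expired
    imprint_matches=True,
)
TS_2022 = DocTimestamp(
    label="docts-2022",
    gen_time=datetime(2022, 9, 1, tzinfo=UTC),
    tsa_not_before=datetime(2021, 1, 1, tzinfo=UTC),
    tsa_not_after=datetime(2030, 1, 1, tzinfo=UTC),
    imprint_matches=True,
)
CHAIN = [TS_2022, TS_2020]  # same ordering as get_timestamp_chain(): newest first


def signature_validation_time(chain, now=NOW):
    """Wrap the walk so the outcome can be inspected without catching exceptions."""
    try:
        return walk_timestamp_chain(chain, now), None
    except TimestampTrustError as e:
        return None, str(e)


if __name__ == "__main__":
    print("full chain      :", signature_validation_time(CHAIN))
    print("2020 stamp only :", signature_validation_time([TS_2020]))
    tampered = [TS_2022, replace(TS_2020, imprint_matches=False)]
    print("tampered link   :", signature_validation_time(tampered))
```

With the full chain the 2022 timestamp is accepted at the present time and hands 2022 down to the 2020 timestamp, whose TSA certificate was still valid then, so the signature is evaluated as of March 2020. The 2020 timestamp on its own cannot be trusted in 2024 because its TSA certificate expired in 2023, which is the situation a fresh document timestamp is meant to prevent.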
- async pyhanko.sign.validation.ltv.async_validate_pdf_ltv_signature(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, validation_type: pyhanko.sign.validation.ltv.RevocationInfoValidationType, validation_context_kwargs=None, bootstrap_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ac_validation_context_kwargs=None, force_revinfo=False, diff_policy: Optional[pyhanko.sign.diff_analysis.policy_api.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.status.PdfSignatureStatus
New in version 0.9.0.
Validate a PDF LTV signature according to a particular profile.
- Parameters
embedded_sig – Embedded signature to evaluate.
validation_type – Validation profile to use.
validation_context_kwargs – Keyword args to instantiate the pyhanko_certvalidator.ValidationContext objects needed over the course of the validation.
ac_validation_context_kwargs – Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed.
Note
RFC 5755 requires attribute authority trust roots to be specified explicitly, which is why there is no default.
bootstrap_validation_context – Validation context used to validate the current timestamp.
force_revinfo – Require all certificates encountered to have some form of live revocation checking provisions.
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to DEFAULT_DIFF_POLICY.
key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.
skip_diff – If True, skip the difference analysis step entirely.
- Returns
The status of the signature.
- async pyhanko.sign.validation.ltv.establish_timestamp_trust(tst_signed_data: asn1crypto.cms.SignedData, validation_context: pyhanko_certvalidator.context.ValidationContext, expected_tst_imprint: bytes)
Wrapper around validate_tst_signed_data() for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API.
- Parameters
tst_signed_data – The SignedData value to validate; must encapsulate a TSTInfo value.
validation_context – The validation context to apply to the timestamp.
expected_tst_imprint – The expected message imprint for the TSTInfo value.
- Returns
A TimestampSignatureStatus if validation is successful.
- Raises
SignatureValidationError if validation fails.