pyhanko.sign.validation.ltv module

class pyhanko.sign.validation.ltv.RevocationInfoValidationType(value)

Bases: enum.Enum

Indicates a validation profile to use when validating revocation info.

ADOBE_STYLE = 'adobe'

Retrieve validation information from the CMS object, using Adobe’s revocation info archival attribute.

PADES_LT = 'pades'

Retrieve validation information from the DSS, and require the signature’s embedded timestamp to still be valid.

PADES_LTA = 'pades-lta'

Retrieve validation information from the DSS, but read & validate the chain of document timestamps leading up to the signature to establish the integrity of the validation information at the time of signing.

classmethod as_tuple()
pyhanko.sign.validation.ltv.apply_adobe_revocation_info(signer_info: asn1crypto.cms.SignerInfo, validation_context_kwargs=None) pyhanko_certvalidator.context.ValidationContext

Read Adobe-style revocation information from a CMS object, and load it into a validation context.

Parameters
  • signer_info – Signer info CMS object.

  • validation_context_kwargs – Extra kwargs to pass to the __init__ function.

Returns

A validation context preloaded with the relevant revocation information.

pyhanko.sign.validation.ltv.retrieve_adobe_revocation_info(signer_info: asn1crypto.cms.SignerInfo)

Retrieve Adobe-style revocation information from a SignerInfo value, if present.

Internal API.

Parameters

signer_info – A SignerInfo value.

Returns

A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively.

pyhanko.sign.validation.ltv.get_timestamp_chain(reader: pyhanko.pdf_utils.reader.PdfFileReader) Iterator[pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature]

Get the document timestamp chain of the associated reader, ordered from new to old.

Parameters

reader – A PdfFileReader.

Returns

An iterable of EmbeddedPdfSignature objects representing document timestamps.

async pyhanko.sign.validation.ltv.async_validate_pdf_ltv_signature(embedded_sig: pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature, validation_type: pyhanko.sign.validation.ltv.RevocationInfoValidationType, validation_context_kwargs=None, bootstrap_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ac_validation_context_kwargs=None, force_revinfo=False, diff_policy: Optional[pyhanko.sign.diff_analysis.policy_api.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.validation.settings.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.status.PdfSignatureStatus

New in version 0.9.0.

Validate a PDF LTV signature according to a particular profile.

Parameters
  • embedded_sig – Embedded signature to evaluate.

  • validation_type – Validation profile to use.

  • validation_context_kwargs – Keyword args to instantiate pyhanko_certvalidator.ValidationContext objects needed over the course of the validation.

  • ac_validation_context_kwargs

    Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed.

    Note

    RFC 5755 requires attribute authority trust roots to be specified explicitly; hence why there’s no default.

  • bootstrap_validation_context – Validation context used to validate the current timestamp.

  • force_revinfo – Require all certificates encountered to have some form of live revocation checking provisions.

  • diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to DEFAULT_DIFF_POLICY.

  • key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.

  • skip_diff – If True, skip the difference analysis step entirely.

Returns

The status of the signature.

async pyhanko.sign.validation.ltv.establish_timestamp_trust(tst_signed_data: asn1crypto.cms.SignedData, validation_context: pyhanko_certvalidator.context.ValidationContext, expected_tst_imprint: bytes)

Wrapper around validate_tst_signed_data() for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time.

This is internal API.

Parameters
  • tst_signed_data – The SignedData value to validate; must encapsulate a TSTInfo value.

  • validation_context – The validation context to apply to the timestamp.

  • expected_tst_imprint – The expected message imprint for the TSTInfo value.

Returns

A TimestampSignatureStatus if validation is successful.

Raises

SignatureValidationError if validation fails.