pyhanko.config module
- class pyhanko.config.LogConfig(level: Union[int, str], output: Union[pyhanko.config.StdLogOutput, str])
Bases: object
- level: Union[int, str]
Logging level, should be one of the levels defined in the logging module.
- output: Union[StdLogOutput, str]
Name of the output file, or a standard one.
- static parse_output_spec(spec) → Union[StdLogOutput, str]
- class pyhanko.config.CLIConfig(validation_contexts: Dict[str, dict], stamp_styles: Dict[str, dict], default_validation_context: str, default_stamp_style: str, time_tolerance: datetime.timedelta, retroactive_revinfo: bool, log_config: Dict[Union[str, NoneType], pyhanko.config.LogConfig], pemder_setups: Dict[str, dict], pkcs12_setups: Dict[str, dict], pkcs11_setups: Dict[str, dict], beid_module_path: Union[str, NoneType])
Bases: object
- validation_contexts: Dict[str, dict]
- stamp_styles: Dict[str, dict]
- default_validation_context: str
- default_stamp_style: str
- time_tolerance: timedelta
- retroactive_revinfo: bool
- pemder_setups: Dict[str, dict]
- pkcs12_setups: Dict[str, dict]
- pkcs11_setups: Dict[str, dict]
- beid_module_path: Optional[str]
- get_validation_context(name=None, as_dict=False)
- get_signer_key_usages(name=None) → KeyUsageConstraints
- get_stamp_style(name=None) → TextStampStyle
- get_pkcs11_config(name)
- get_pkcs12_config(name)
- get_pemder_config(name)
- pyhanko.config.init_validation_context_kwargs(*, trust, trust_replace, other_certs, retroactive_revinfo=False, time_tolerance=None)
- pyhanko.config.parse_trust_config(trust_config, time_tolerance, retroactive_revinfo) → dict
- class pyhanko.config.PKCS12SignatureConfig(pfx_file: str, other_certs: Optional[List[Certificate]] = None, pfx_passphrase: Optional[bytes] = None, prompt_passphrase: bool = True, prefer_pss: bool = False)
Bases: ConfigurableMixin
Configuration for a signature using key material on disk, contained in a PKCS#12 bundle.
- pfx_file: str
Path to the PKCS#12 file.
- other_certs: List[Certificate] = None
Other relevant certificates.
- pfx_passphrase: bytes = None
PKCS#12 passphrase (if relevant).
- prompt_passphrase: bool = True
Prompt for the PKCS#12 passphrase. Default is True.
Note
If key_passphrase is not None, this setting has no effect.
- prefer_pss: bool = False
Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.
- classmethod process_entries(config_dict)
Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).
Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.
- Parameters
config_dict – A dictionary containing configuration values.
- Raises
ConfigurationError – when there is a problem processing a relevant entry.
- instantiate(provided_pfx_passphrase: Optional[bytes] = None) → SimpleSigner
- class pyhanko.config.PemDerSignatureConfig(key_file: str, cert_file: str, other_certs: Optional[List[Certificate]] = None, key_passphrase: Optional[bytes] = None, prompt_passphrase: bool = True, prefer_pss: bool = False)
Bases: ConfigurableMixin
Configuration for a signature using PEM or DER-encoded key material on disk.
- key_file: str
Signer’s private key.
- cert_file: str
Signer’s certificate.
- other_certs: List[Certificate] = None
Other relevant certificates.
- key_passphrase: bytes = None
Signer’s key passphrase (if relevant).
- prompt_passphrase: bool = True
Prompt for the key passphrase. Default is True.
Note
If key_passphrase is not None, this setting has no effect.
- prefer_pss: bool = False
Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.
- classmethod process_entries(config_dict)
Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).
Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.
- Parameters
config_dict – A dictionary containing configuration values.
- Raises
ConfigurationError – when there is a problem processing a relevant entry.
- instantiate(provided_key_passphrase: Optional[bytes] = None) → SimpleSigner
- class pyhanko.config.PKCS11SignatureConfig(module_path: str, cert_label: Optional[str] = None, cert_id: Optional[bytes] = None, signing_certificate: Optional[Certificate] = None, token_label: Optional[str] = None, other_certs: Optional[List[Certificate]] = None, key_label: Optional[str] = None, key_id: Optional[bytes] = None, slot_no: Optional[int] = None, user_pin: Optional[str] = None, prompt_pin: bool = True, other_certs_to_pull: Optional[Iterable[str]] = (), bulk_fetch: bool = True, prefer_pss: bool = False, raw_mechanism: bool = False)
Bases: ConfigurableMixin
Configuration for a PKCS#11 signature.
This class is used to load PKCS#11 setup information from YAML configuration.
- module_path: str
Path to the PKCS#11 module shared object.
- cert_label: Optional[str] = None
PKCS#11 label of the signer’s certificate.
- cert_id: Optional[bytes] = None
PKCS#11 ID of the signer’s certificate.
- signing_certificate: Optional[Certificate] = None
The signer’s certificate. If present, cert_id and cert_label will not be used to obtain the signer’s certificate from the PKCS#11 token.
Note
This can be useful in case the signer’s certificate is not available on the token, or if you would like to present a different certificate than the one provided on the token.
- token_label: Optional[str] = None
PKCS#11 token name
- other_certs: List[Certificate] = None
Other relevant certificates.
- key_label: Optional[str] = None
PKCS#11 label of the signer’s private key. Defaults to cert_label if the latter is specified and key_id is not.
- key_id: Optional[bytes] = None
PKCS#11 key ID.
- slot_no: Optional[int] = None
Slot number of the PKCS#11 slot to use.
- user_pin: Optional[str] = None
The user’s PIN. If unspecified, the user will be prompted for a PIN if prompt_pin is True.
Warning
Some PKCS#11 tokens do not allow the PIN code to be communicated in this way, but manage their own authentication instead (the Belgian eID middleware is one such example). For such tokens, leave this setting set to None and additionally set prompt_pin to False.
- prompt_pin: bool = True
Prompt for the user’s PIN. Default is True.
Note
If user_pin is not None, this setting has no effect.
- other_certs_to_pull: Optional[Iterable[str]] = ()
List of labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If None, pull all certificates.
- bulk_fetch: bool = True
Boolean indicating the fetching strategy. If True, fetch all certs and filter the unneeded ones. If False, fetch the requested certs one by one. Default value is True, unless other_certs_to_pull has one or fewer elements, in which case it is always treated as False.
- prefer_pss: bool = False
Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.
- raw_mechanism: bool = False
Invoke the raw variant of the PKCS#11 signing operation.
Note
This is currently only supported for ECDSA signatures.
- classmethod process_entries(config_dict)
Hook method that can modify the configuration dictionary to overwrite or tweak some of its values (e.g. to convert string parameters into more complex Python objects).
Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.
- Parameters
config_dict – A dictionary containing configuration values.
- Raises
ConfigurationError – when there is a problem processing a relevant entry.
- pyhanko.config.process_config_dict(config_dict: dict) → dict
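
The field interactions documented above for PKCS11SignatureConfig (the key_label default, PIN precedence and the bulk_fetch override), as an added Python illustration that is not pyHanko's own code and does not call the library. It assumes a setup dictionary keyed by the field names on this page; resolve_pkcs11_setup and the sample values are hypothetical.

```python
# Added illustration: a stand-alone model of the field interactions documented
# for PKCS11SignatureConfig. It does not import or call pyHanko.
from typing import Any, Dict, List


def resolve_pkcs11_setup(setup: Dict[str, Any]) -> Dict[str, Any]:
    """Return the effective settings and review notes for one setup dict.

    Assumption: keys are the field names listed on this page.
    """
    notes: List[str] = []
    cert_label, key_id = setup.get("cert_label"), setup.get("key_id")

    # key_label defaults to cert_label if the latter is set and key_id is not.
    key_label = setup.get("key_label")
    if key_label is None and cert_label is not None and key_id is None:
        key_label = cert_label

    # A supplied signing_certificate bypasses the cert_id/cert_label lookup.
    from_token = setup.get("signing_certificate") is None
    if not from_token and (cert_label is not None or setup.get("cert_id") is not None):
        notes.append("signing_certificate set: cert_id/cert_label not used to fetch the certificate")

    # user_pin wins over prompt_pin; with neither, the token handles authentication.
    if setup.get("user_pin") is not None:
        pin_source = "config"
        notes.append("user_pin is stored in the configuration; prompt_pin has no effect")
    elif setup.get("prompt_pin", True):
        pin_source = "prompt"
    else:
        pin_source = "token"

    # bulk_fetch is treated as False when one or fewer labels are requested.
    to_pull = setup.get("other_certs_to_pull", ())
    bulk_fetch = setup.get("bulk_fetch", True)
    if to_pull is not None and len(list(to_pull)) <= 1:
        bulk_fetch = False

    return {"key_label": key_label, "cert_from_token": from_token,
            "pin_source": pin_source, "bulk_fetch": bulk_fetch,
            "pull_all_certs": to_pull is None, "notes": notes}


# Constructed sample setups (module paths and labels are placeholders).
SAMPLE_HSM = {"module_path": "/path/to/pkcs11-module.so", "cert_label": "signer",
              "user_pin": "0000", "other_certs_to_pull": ["issuer-ca", "root-ca"]}
SAMPLE_EID = {"module_path": "/path/to/eid-module.so", "cert_label": "signing-cert",
              "user_pin": None, "prompt_pin": False}
```

A pin_source of "config" means the PIN sits in the configuration itself, so that file needs the same access controls as the credential it contains.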