pyhanko.sign.validation.generic_cms module

pyhanko.sign.validation.generic_cms.validate_sig_integrity(signer_info: SignerInfo, cert: Certificate, expected_content_type: str, actual_digest: bytes, weak_hash_algorithms=frozenset({'md2', 'md5', 'sha1'})) Tuple[bool, bool]

Validate the integrity of a signature for a particular signerInfo object inside a CMS signed data container.


This function does not do any trust checks, and is considered “dangerous” API because it is easy to misuse.

  • signer_info – A cms.SignerInfo object.

  • cert

    The signer’s certificate.


    This function will not attempt to extract certificates from the signed data.

  • expected_content_type – The expected value for the content type attribute (as a Python string, see cms.ContentType).

  • actual_digest – The actual digest to be matched to the message digest attribute.

  • weak_hash_algorithms – List, tuple or set of weak hashing algorithms.


A tuple of two booleans. The first indicates whether the provided digest matches the value in the signed attributes. The second indicates whether the signature of the digest is valid.

async pyhanko.sign.validation.generic_cms.async_validate_cms_signature(signed_data: ~asn1crypto.cms.SignedData, status_cls: ~typing.Type[~pyhanko.sign.validation.generic_cms.StatusType] = <class 'pyhanko.sign.validation.status.SignatureStatus'>, raw_digest: ~typing.Optional[bytes] = None, validation_context: ~typing.Optional[~pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: ~typing.Optional[dict] = None, key_usage_settings: ~typing.Optional[~pyhanko.sign.validation.settings.KeyUsageConstraints] = None, encap_data_invalid=False)

Validate a CMS signature (i.e. a SignedData object).

  • signed_data – The asn1crypto.cms.SignedData object to validate.

  • status_cls – Status class to use for the validation result.

  • raw_digest – Raw digest, computed from context.

  • validation_context – Validation context to validate the signer’s certificate.

  • status_kwargs – Other keyword arguments to pass to the status_class when reporting validation results.

  • key_usage_settings – A KeyUsageConstraints object specifying which key usages must or must not be present in the signer’s certificate.

  • encap_data_invalid

    If True, the encapsulated data inside the CMS is invalid, but the remaining validation logic still has to be run (e.g. a timestamp token, which requires validation of the embedded message imprint).

    This option is considered internal API, the semantics of which may change without notice in the future.


A SignatureStatus object (or an instance of a proper subclass)

async pyhanko.sign.validation.generic_cms.collect_timing_info(signer_info: SignerInfo, ts_validation_context: ValidationContext, raw_digest: bytes)

Collect and validate timing information in a SignerInfo value. This includes the signingTime attribute, content timestamp information and signature timestamp information.

  • signer_info – A SignerInfo value.

  • ts_validation_context – The timestamp validation context to validate against.

  • raw_digest – The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one)

async pyhanko.sign.validation.generic_cms.validate_tst_signed_data(tst_signed_data: SignedData, validation_context: ValidationContext, expected_tst_imprint: bytes)

Validate the SignedData of a time stamp token.

  • tst_signed_data – The SignedData value to validate; must encapsulate a TSTInfo value.

  • validation_context – The validation context to validate against.

  • expected_tst_imprint – The expected message imprint value that should be contained in the encapsulated TSTInfo.


Keyword arguments for a TimeStampSignatureStatus.

async pyhanko.sign.validation.generic_cms.async_validate_detached_cms(input_data: Union[bytes, IO, ContentInfo, EncapsulatedContentInfo], signed_data: SignedData, signer_validation_context: Optional[ValidationContext] = None, ts_validation_context: Optional[ValidationContext] = None, ac_validation_context: Optional[ValidationContext] = None, key_usage_settings: Optional[KeyUsageConstraints] = None, chunk_size=4096, max_read=None) StandardCMSSignatureStatus

Validate a detached CMS signature.

  • input_data

    The input data to sign. This can be either a bytes object, a file-like object or a cms.ContentInfo / cms.EncapsulatedContentInfo object.

    If a CMS content info object is passed in, the content field will be extracted.

  • signed_data – The cms.SignedData object containing the signature to verify.

  • signer_validation_context – Validation context to use to verify the signer certificate’s trust.

  • ts_validation_context – Validation context to use to verify the TSA certificate’s trust, if a timestamp token is present. By default, the same validation context as that of the signer is used.

  • ac_validation_context

    Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed.


    RFC 5755 requires attribute authority trust roots to be specified explicitly; hence why there’s no default.

  • key_usage_settings – Key usage parameters for the signer.

  • chunk_size – Chunk size to use when consuming input data.

  • max_read – Maximal number of bytes to read from the input stream.


A description of the signature’s status.

async pyhanko.sign.validation.generic_cms.cms_basic_validation(signed_data: ~asn1crypto.cms.SignedData, status_cls: ~typing.Type[~pyhanko.sign.validation.generic_cms.StatusType] = <class 'pyhanko.sign.validation.status.SignatureStatus'>, raw_digest: ~typing.Optional[bytes] = None, validation_context: ~typing.Optional[~pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: ~typing.Optional[dict] = None, key_usage_settings: ~typing.Optional[~pyhanko.sign.validation.settings.KeyUsageConstraints] = None, encap_data_invalid=False)

Perform basic validation of CMS and PKCS#7 signatures in isolation (i.e. integrity and trust checks).

Internal API.

pyhanko.sign.validation.generic_cms.compute_signature_tst_digest(signer_info: SignerInfo) Optional[bytes]

Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token.

Internal API.


signer_info – A SignerInfo value.


The computed digest, or None if there is no signature timestamp.

pyhanko.sign.validation.generic_cms.extract_tst_data(signer_info, signed=False) Optional[SignedData]

Extract signed data associated with a timestamp token.

Internal API.

  • signer_info – A SignerInfo value.

  • signed – If True, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes).


The SignedData value found, or None.

pyhanko.sign.validation.generic_cms.extract_self_reported_ts(signer_info: SignerInfo) Optional[datetime]

Extract self-reported timestamp (from the signingTime attribute)

Internal API.


signer_info – A SignerInfo value.


The value of the signingTime attribute as a datetime, or None.

pyhanko.sign.validation.generic_cms.extract_certs_for_validation(signed_data: SignedData) SignedDataCerts

Extract certificates from a CMS signed data object for validation purposes, identifying the signer’s certificate in accordance with ETSI EN 319 102-1,


signed_data – The CMS payload.


The extracted certificates.

async pyhanko.sign.validation.generic_cms.collect_signer_attr_status(sd_attr_certificates: Iterable[AttributeCertificateV2], signer_cert: Certificate, validation_context: Optional[ValidationContext], sd_signed_attrs: CMSAttributes)
pyhanko.sign.validation.generic_cms.validate_algorithm_protection(attrs: CMSAttributes, claimed_digest_algorithm_obj: DigestAlgorithm, claimed_signature_algorithm_obj: SignedDigestAlgorithm)

Internal API to validate the CMS algorithm protection attribute defined in RFC 6211, if present.

  • attrs – A CMS attribute list.

  • claimed_digest_algorithm_obj – The claimed (i.e. unprotected) digest algorithm value.

  • claimed_signature_algorithm_obj – The claimed (i.e. unprotected) signature algorithm value.