pyhanko.sign.pkcs11 module

This module provides PKCS#11 integration for pyHanko by wrapping python-pkcs11 in a Signer implementation that can be plugged straight into a PdfSigner.

class pyhanko.sign.pkcs11.PKCS11Signer(pkcs11_session: pkcs11.types.Session, cert_label: str, ca_chain=None, key_label=None, prefer_pss=False, other_certs_to_pull=(), bulk_fetch=True)

Bases: pyhanko.sign.signers.Signer

Signer implementation for PKCS11 devices.

Parameters
  • pkcs11_session – The PKCS11 session object to use.

  • cert_label – The label of the certificate that will be used for signing.

  • ca_chain – Set of other relevant certificates (as asn1crypto.x509.Certificate objects), e.g. intermediate CA certificates that are not stored on the device.

  • key_label – The label of the private key that will be used for signing. Defaults to the value of cert_label if left unspecified.

  • prefer_pss – If True, prefer RSASSA-PSS over PKCS#1 v1.5 padding when signing with an RSA key. Defaults to False.

  • other_certs_to_pull – List of labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If None, pull all certificates.

  • bulk_fetch – Boolean indicating the fetching strategy. If True, fetch all certificates from the device and filter out the unneeded ones. If False, fetch the requested certificates one by one by label. Defaults to True, unless other_certs_to_pull has one or fewer elements, in which case it is always False.

property cert_registry
property signing_cert
sign_raw(data: bytes, digest_algorithm: str, dry_run=False) → bytes

Compute the raw cryptographic signature of the data provided, hashed using the digest algorithm provided.

Parameters
  • data – Data to sign.

  • digest_algorithm

    Digest algorithm to use.

    Warning

    If signature_mechanism also specifies a digest, the two must match.

  • dry_run – Do not actually create a signature, but merely output placeholder bytes that would suffice to contain an actual signature.

Returns

Signature bytes.

pyhanko.sign.pkcs11.open_pkcs11_session(lib_location, slot_no=None, token_label=None, user_pin=None) → pkcs11.types.Session

Open a PKCS#11 session

Parameters
  • lib_location – Path to the PKCS#11 module.

  • slot_no – Slot number to use. If not specified, the first slot containing a token labelled token_label will be used.

  • token_label – Label of the token to use. If None, there is no constraint.

  • user_pin

    User PIN to use.

    Note

    Some PKCS#11 implementations do not require a PIN when the session is opened, but will prompt for it out-of-band (e.g. on a card reader's keypad) when signing.

Returns

An open PKCS#11 session object.
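The two entry points above are meant to be used together: open a session, build a PKCS11Signer on it, hand that signer to a PdfSigner. The following is an added worked example, not code from pyHanko itself. It assumes the PdfSigner, PdfSignatureMetadata and IncrementalPdfFileWriter API of this pyHanko version (pyhanko.sign.signers and pyhanko.pdf_utils.incremental_writer), that python-pkcs11 is installed, and that the paths, labels and environment variable names (PKCS11_MODULE, PKCS11_TOKEN, PKCS11_PIN, PKCS11_CERT_LABEL) are placeholders to be replaced for your own token. The helper effective_bulk_fetch reproduces the bulk_fetch defaulting rule documented under PKCS11Signer and needs no device; the signing function itself imports pyHanko lazily so the module loads even where no token is present.

```python
import os
import sys


def effective_bulk_fetch(other_certs_to_pull, bulk_fetch=True):
    """Return the fetching strategy PKCS11Signer will actually use.

    Documented rule: bulk_fetch defaults to True, except when
    other_certs_to_pull has one or fewer elements, in which case it is
    always False. other_certs_to_pull=None means "pull everything", so
    the caller's choice is kept in that case.
    """
    if other_certs_to_pull is not None and len(other_certs_to_pull) <= 1:
        return False
    return bool(bulk_fetch)


def sign_pdf_with_pkcs11(input_path, output_path, lib_location, cert_label,
                         token_label=None, user_pin=None, key_label=None,
                         other_certs_to_pull=(), field_name='Signature1'):
    """Sign input_path with a key on a PKCS#11 token and write output_path.

    Assumed pyHanko/python-pkcs11 API (see lead-in); not pyHanko's own code.
    """
    # Lazy imports: only needed when a token is actually used.
    from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
    from pyhanko.sign import signers
    from pyhanko.sign import pkcs11 as sign_pkcs11

    # Open the session. user_pin may legitimately be None: some modules
    # prompt for the PIN out-of-band at signing time instead.
    session = sign_pkcs11.open_pkcs11_session(
        lib_location, token_label=token_label, user_pin=user_pin
    )
    try:
        signer = sign_pkcs11.PKCS11Signer(
            session, cert_label, key_label=key_label,
            other_certs_to_pull=other_certs_to_pull,
            bulk_fetch=effective_bulk_fetch(other_certs_to_pull),
        )
        meta = signers.PdfSignatureMetadata(field_name=field_name)
        pdf_signer = signers.PdfSigner(meta, signer=signer)
        # Never sign in place: keep the unsigned input intact as evidence.
        with open(input_path, 'rb') as inf, open(output_path, 'wb') as outf:
            writer = IncrementalPdfFileWriter(inf)
            pdf_signer.sign_pdf(writer, output=outf)
    finally:
        # Always release the session so the token is not left logged in.
        session.close()
    return output_path


if __name__ == '__main__':
    # Placeholder configuration via environment variables (assumed names).
    lib = os.environ.get('PKCS11_MODULE')
    if not lib or len(sys.argv) != 3:
        print('usage: PKCS11_MODULE=/path/to/module.so PKCS11_CERT_LABEL=... '
              '[PKCS11_TOKEN=...] [PKCS11_PIN=...] '
              'python sign.py in.pdf out.pdf')
        sys.exit(2)
    sign_pdf_with_pkcs11(
        sys.argv[1], sys.argv[2], lib,
        cert_label=os.environ['PKCS11_CERT_LABEL'],
        token_label=os.environ.get('PKCS11_TOKEN'),
        user_pin=os.environ.get('PKCS11_PIN'),  # prefer a prompt or agent over an env var in production
    )
```

The PIN is read from the environment only to keep the example short; in a deployment, take it from an interactive prompt or let the module prompt out-of-band, and avoid logging it. The explicit output file and the try/finally around session.close() are the two points a reviewer would look for: the unsigned input is never modified, and a failed signing call cannot leave a logged-in session behind.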