pyhanko.config module

class pyhanko.config.StdLogOutput(value)

Bases: enum.Enum

An enumeration.

class pyhanko.config.LogConfig(level: Union[int, str], output: Union[pyhanko.config.StdLogOutput, str])

Bases: object

level: Union[int, str]

Logging level, should be one of the levels defined in the logging module.

output: Union[pyhanko.config.StdLogOutput, str]

Name of the output file, or a standard one.

static parse_output_spec(spec) Union[pyhanko.config.StdLogOutput, str]
class pyhanko.config.CLIConfig(validation_contexts: Dict[str, dict], stamp_styles: Dict[str, dict], default_validation_context: str, default_stamp_style: str, time_tolerance: datetime.timedelta, retroactive_revinfo: bool, log_config: Dict[Union[str, NoneType], pyhanko.config.LogConfig], pcks11_setups: Dict[str, dict])

Bases: object

validation_contexts: Dict[str, dict]
stamp_styles: Dict[str, dict]
default_validation_context: str
default_stamp_style: str
time_tolerance: datetime.timedelta
retroactive_revinfo: bool
log_config: Dict[Optional[str], pyhanko.config.LogConfig]
pcks11_setups: Dict[str, dict]
get_validation_context(name=None, as_dict=False)
get_signer_key_usages(name=None) pyhanko.sign.general.KeyUsageConstraints
get_stamp_style(name=None) pyhanko.stamp.TextStampStyle
pyhanko.config.init_validation_context_kwargs(*, trust, trust_replace, other_certs, retroactive_revinfo=False, time_tolerance=None)
pyhanko.config.parse_trust_config(trust_config, time_tolerance, retroactive_revinfo) dict
pyhanko.config.parse_logging_config(log_config_spec) Dict[Optional[str], pyhanko.config.LogConfig]
class pyhanko.config.PKCS11SignatureConfig(module_path: str, token_label: str, cert_label: str, other_certs: Optional[List[asn1crypto.x509.Certificate]] = None, key_label: Optional[str] = None, slot_no: Optional[int] = None, user_pin: Optional[str] = None, prompt_pin: bool = True, other_certs_to_pull: Optional[Iterable[str]] = (), bulk_fetch: bool = True, prefer_pss: bool = False)

Bases: pyhanko.pdf_utils.config_utils.ConfigurableMixin

Configuration for a PKCS#11 signature.

This class is used to load PKCS#11 setup information from YAML configuration.

module_path: str

Path to the PKCS#11 module shared object.

token_label: str

PKCS#11 token name

cert_label: str

PKCS#11 label of the signer’s certificate.

other_certs: List[asn1crypto.x509.Certificate] = None

Other relevant certificates.

key_label: Optional[str] = None

PKCS#11 label of the signer’s private key, if different from cert_label.

slot_no: Optional[int] = None

Slot number of the PKCS#11 slot to use.

user_pin: Optional[str] = None

The user’s PIN. If unspecified, the user will be prompted for a PIN if prompt_pin is True.


Some PKCS#11 tokens do not allow the PIN code to be communicated in this way, but manage their own authentication instead (the Belgian eID middleware is one such example). For such tokens, leave this setting set to None and additionally set prompt_pin to False.

prompt_pin: bool = True

Prompt for the user’s PIN. Default is True.


If user_pin is not None, this setting has no effect.

other_certs_to_pull: Optional[Iterable[str]] = ()

List labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If None, pull all certificates.

bulk_fetch: bool = True

Boolean indicating the fetching strategy. If True, fetch all certs and filter the unneeded ones. If False, fetch the requested certs one by one. Default value is True, unless other_certs_to_pull has one or fewer elements, in which case it is always treated as False.

prefer_pss: bool = False

Prefer PSS to PKCS#1 v1.5 padding when creating RSA signatures.

classmethod process_entries(config_dict)

Hook method that can modify the configuration dictionary to overwrite or tweak some of their values (e.g. to convert string parameters into more complex Python objects)

Subclasses that override this method should call super().process_entries(), and leave keys that they do not recognise untouched.


config_dict – A dictionary containing configuration values.


ConfigurationError – when there is a problem processing a relevant entry.