pyhanko.sign.pkcs11 module

This module provides PKCS#11 integration for pyHanko, by providing a wrapper for python-pkcs11 that can be seamlessly plugged into a PdfSigner.

class pyhanko.sign.pkcs11.PKCS11Signer(pkcs11_session: pkcs11.types.Session, cert_label: Optional[str] = None, signing_cert: Optional[asn1crypto.x509.Certificate] = None, ca_chain=None, key_label=None, prefer_pss=False, other_certs_to_pull=(), bulk_fetch=True)

Bases: pyhanko.sign.signers.pdf_cms.Signer

Signer implementation for PKCS#11 devices.

Parameters:

  • pkcs11_session – The PKCS#11 session object to use.

  • cert_label – The label of the certificate that will be used for signing, to be pulled from the PKCS#11 token.

  • signing_cert – The signer’s certificate. If the signer’s certificate is provided, the cert_label parameter will not be used to retrieve it. When using this parameter instead of cert_label, key_label becomes mandatory.

  • ca_chain – Set of other relevant certificates (as asn1crypto.x509.Certificate objects).

  • key_label – The label of the key that will be used for signing. Defaults to the value of cert_label if left unspecified.

  • other_certs_to_pull – List of labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If None, pull all certificates.

  • bulk_fetch – Boolean selecting the fetching strategy. If True, fetch all certificates and discard the unneeded ones; if False, fetch the requested certificates one by one. Defaults to True, unless other_certs_to_pull has one or fewer elements, in which case it is always treated as False.

property cert_registry

property signing_cert

sign_raw(data: bytes, digest_algorithm: str, dry_run=False) -> bytes

Compute the raw cryptographic signature of the data provided, hashed using the digest algorithm provided.

Parameters:

  • data – Data to sign.

  • digest_algorithm – Digest algorithm to use. If signature_mechanism also specifies a digest, they should match.

  • dry_run – Do not actually create a signature, but merely output placeholder bytes that would suffice to contain an actual signature.

Returns:

  Signature bytes.

pyhanko.sign.pkcs11.open_pkcs11_session(lib_location, slot_no=None, token_label=None, user_pin=None) -> pkcs11.types.Session

Open a PKCS#11 session.

Parameters:

  • lib_location – Path to the PKCS#11 module.

  • slot_no – Slot number to use. If not specified, the first slot containing a token labelled token_label will be used.

  • token_label – Label of the token to use. If None, there is no constraint.

  • user_pin – User PIN to use. Some PKCS#11 implementations do not require a PIN when the token is opened, but will prompt for it out-of-band when signing.

Returns:

  An open PKCS#11 session object.
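The following is an added example, not code from pyHanko itself, showing how open_pkcs11_session and PKCS11Signer described above are wired into a PdfSigner, together with two small helpers that encode the documented label and fetching rules (key_label defaults to cert_label, key_label is mandatory when signing_cert is supplied, bulk_fetch is treated as False for one or fewer labels). The module path, token label, PIN, certificate label and file names are placeholders to be supplied by the caller; the PdfSigner, PdfSignatureMetadata and IncrementalPdfFileWriter calls follow pyHanko’s documented signing API, and the session is assumed to close as a context manager, as python-pkcs11 sessions do.

```python
"""Added example: wiring pyHanko's PKCS#11 signer into a PdfSigner."""
from typing import Optional, Tuple


def resolve_labels(cert_label: Optional[str],
                   key_label: Optional[str],
                   signing_cert_supplied: bool) -> Tuple[Optional[str], str]:
    """Apply the documented cert_label / key_label / signing_cert rules.

    - key_label defaults to cert_label when left unspecified.
    - When signing_cert is supplied instead of cert_label, key_label is mandatory.
    Returns the (cert_label, key_label) pair to hand to PKCS11Signer.
    """
    if key_label is None:
        if signing_cert_supplied:
            raise ValueError("key_label is mandatory when signing_cert is supplied")
        if cert_label is None:
            raise ValueError("need cert_label, or signing_cert together with key_label")
        key_label = cert_label
    return cert_label, key_label


def effective_bulk_fetch(other_certs_to_pull, bulk_fetch: bool = True) -> bool:
    """Documented coercion: bulk_fetch is always False when other_certs_to_pull
    has one or fewer elements. None means 'pull all certificates', so the
    requested strategy is kept in that case."""
    if other_certs_to_pull is not None and len(other_certs_to_pull) <= 1:
        return False
    return bulk_fetch


def sign_pdf_with_token(lib_location: str, token_label: str, user_pin: str,
                        cert_label: str, in_path: str, out_path: str,
                        key_label: Optional[str] = None,
                        field_name: str = "Signature1") -> None:
    """Sign a PDF with a key held on a PKCS#11 token.

    Placeholders: lib_location (path to the vendor's PKCS#11 module),
    token_label, user_pin, cert_label and the file paths come from the caller.
    Imports are deferred because this needs pyHanko, python-pkcs11 and a token.
    """
    from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
    from pyhanko.sign import signers
    from pyhanko.sign.pkcs11 import PKCS11Signer, open_pkcs11_session

    cert_label, key_label = resolve_labels(cert_label, key_label,
                                           signing_cert_supplied=False)
    # The session is opened by token label: the first slot carrying a token
    # with that label is used. The with-block closes the session afterwards.
    with open_pkcs11_session(lib_location, token_label=token_label,
                             user_pin=user_pin) as session:
        signer = PKCS11Signer(session, cert_label=cert_label, key_label=key_label)
        meta = signers.PdfSignatureMetadata(field_name=field_name)
        with open(in_path, "rb") as inf, open(out_path, "wb") as outf:
            writer = IncrementalPdfFileWriter(inf)
            # The private key never leaves the token; only the raw signature
            # produced by PKCS11Signer.sign_raw is embedded in the PDF.
            signers.PdfSigner(meta, signer=signer).sign_pdf(writer, output=outf)


if __name__ == "__main__":
    # Placeholder invocation; replace every argument with values for your token.
    sign_pdf_with_token("/path/to/pkcs11-module.so", "TOKEN_LABEL", "PIN",
                        "signing-cert", "input.pdf", "signed.pdf")
```

Keep the PIN out of source and shell history in real deployments (read it from an environment variable or prompt), and note that some tokens ignore user_pin at session open and prompt out-of-band at signing time, as the user_pin parameter above states.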

class pyhanko.sign.pkcs11.PKCS11SigningContext(config: pyhanko.config.PKCS11SignatureConfig)

Bases: object

Context manager for PKCS#11 configurations.