pyhanko.sign.validation module
- class pyhanko.sign.validation.SignatureCoverageLevel(value)
Bases:
pyhanko.pdf_utils.misc.OrderedEnum
Indicate the extent to which a PDF signature (cryptographically) covers a document. Note that this does not pass judgment on whether uncovered updates are legitimate or not, but as a general rule, a legitimate signature will satisfy at least
ENTIRE_REVISION
.- UNCLEAR = 0
The signature’s coverage is unclear and/or disconnected. In standard PDF signatures, this is usually a bad sign.
- CONTIGUOUS_BLOCK_FROM_START = 1
The signature covers a contiguous block in the PDF file stretching from the first byte of the file to the last byte in the indicated
/ByteRange
. In other words, the only interruption in the byte range is fully occupied by the signature data itself.
- ENTIRE_REVISION = 2
The signature covers the entire revision in which it occurs, but incremental updates may have been added later. This is not necessarily evidence of tampering. In particular, it is expected when a file contains multiple signatures. Nonetheless, caution is required.
- ENTIRE_FILE = 3
The entire file is covered by the signature.
- class pyhanko.sign.validation.PdfSignatureStatus(intact: bool, valid: bool, trusted: bool, revoked: bool, signing_cert: asn1crypto.x509.Certificate, pkcs7_signature_mechanism: str, md_algorithm: str, validation_path: pyhanko_certvalidator.path.ValidationPath, signer_reported_dt: Optional[datetime.datetime] = None, timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None, content_timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None, coverage: Optional[pyhanko.sign.validation.SignatureCoverageLevel] = None, diff_result: Optional[Union[pyhanko.sign.diff_analysis.DiffResult, pyhanko.sign.diff_analysis.SuspiciousModification]] = None, docmdp_ok: Optional[bool] = None, has_seed_values: bool = False, seed_value_constraint_error: Optional[pyhanko.sign.validation.SigSeedValueValidationError] = None)
Bases:
pyhanko.sign.validation.ModificationInfo
,pyhanko.sign.validation.StandardCMSSignatureStatus
Class to indicate the validation status of a PDF signature.
- docmdp_ok: Optional[bool] = None
Indicates whether the signature’s
modification_level
is in line with the document signature policy in force.If
None
, compliance could not be determined.
- has_seed_values: bool = False
Records whether the signature form field has seed values.
- seed_value_constraint_error: Optional[pyhanko.sign.validation.SigSeedValueValidationError] = None
Records the reason for failure if the signature field’s seed value constraints didn’t validate.
- property bottom_line: bool
Formulates a general judgment on the validity of this signature. This takes into account the cryptographic validity of the signature, the signature’s chain of trust, compliance with the document modification policy, seed value constraint compliance and the validity of the timestamp token (if present).
- Returns
True
if all constraints are satisfied,False
otherwise.
- property seed_value_ok: bool
Indicates whether the signature satisfies all mandatory constraints in the seed value dictionary of the associated form field.
Warning
Currently, not all seed value entries are recognised by the signer and/or the validator, so this judgment may not be entirely accurate in some cases.
See
SigSeedValueSpec
.
- summary_fields()
- pretty_print_sections()
- class pyhanko.sign.validation.DocumentTimestampStatus(intact: bool, valid: bool, trusted: bool, revoked: bool, signing_cert: asn1crypto.x509.Certificate, pkcs7_signature_mechanism: str, md_algorithm: str, validation_path: pyhanko_certvalidator.path.ValidationPath, timestamp: datetime.datetime, coverage: Optional[pyhanko.sign.validation.SignatureCoverageLevel] = None, diff_result: Optional[Union[pyhanko.sign.diff_analysis.DiffResult, pyhanko.sign.diff_analysis.SuspiciousModification]] = None)
Bases:
pyhanko.sign.validation.ModificationInfo
,pyhanko.sign.timestamps.api.TimestampSignatureStatus
Class to indicate the validation status of a PDF document timestamp.
- class pyhanko.sign.validation.StandardCMSSignatureStatus(intact: bool, valid: bool, trusted: bool, revoked: bool, signing_cert: asn1crypto.x509.Certificate, pkcs7_signature_mechanism: str, md_algorithm: str, validation_path: pyhanko_certvalidator.path.ValidationPath, signer_reported_dt: Optional[datetime.datetime] = None, timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None, content_timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None)
Bases:
pyhanko.sign.general.SignatureStatus
Status of a standard “end-entity” CMS signature, potentially with timing information embedded inside.
- signer_reported_dt: Optional[datetime.datetime] = None
Signer-reported signing time, if present in the signature.
Generally speaking, this timestamp should not be taken as fact.
- timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None
Validation status of the signature timestamp token embedded in this signature, if present.
- content_timestamp_validity: Optional[pyhanko.sign.timestamps.api.TimestampSignatureStatus] = None
Validation status of the content timestamp token embedded in this signature, if present.
- property bottom_line: bool
Formulates a general judgment on the validity of this signature. This takes into account the cryptographic validity of the signature, the signature’s chain of trust and the validity of the timestamp token (if present).
- Returns
True
if all constraints are satisfied,False
otherwise.
- summary_fields()
- pretty_print_details()
- pretty_print_sections()
- class pyhanko.sign.validation.ModificationInfo(coverage: pyhanko.sign.validation.SignatureCoverageLevel = None, diff_result: Union[pyhanko.sign.diff_analysis.DiffResult, pyhanko.sign.diff_analysis.SuspiciousModification, NoneType] = None)
Bases:
object
- coverage: pyhanko.sign.validation.SignatureCoverageLevel = None
Indicates how much of the document is covered by the signature.
- diff_result: Optional[Union[pyhanko.sign.diff_analysis.DiffResult, pyhanko.sign.diff_analysis.SuspiciousModification]] = None
Result of the difference analysis run on the file:
If
None
, no difference analysis was run.If the difference analysis was successful, this attribute will contain a
DiffResult
object.If the difference analysis failed due to unforeseen or suspicious modifications, the
SuspiciousModification
exception thrown by the difference policy will be stored in this attribute.
- property modification_level: Optional[pyhanko.sign.diff_analysis.ModificationLevel]
Indicates the degree to which the document was modified after the signature was applied.
Will be
None
if difference analysis results are not available; an instance ofModificationLevel
otherwise.
- class pyhanko.sign.validation.EmbeddedPdfSignature(reader: pyhanko.pdf_utils.reader.PdfFileReader, sig_field: pyhanko.pdf_utils.generic.DictionaryObject, fq_name: str)
Bases:
object
Class modelling a signature embedded in a PDF document.
- sig_object: pyhanko.pdf_utils.generic.DictionaryObject
The signature dictionary.
- sig_field: pyhanko.pdf_utils.generic.DictionaryObject
The field dictionary of the form field containing the signature.
- signed_data: asn1crypto.cms.SignedData
CMS signed data in the signature.
- signer_cert: asn1crypto.x509.Certificate
Certificate of the signer.
- property sig_object_type: pyhanko.pdf_utils.generic.NameObject
Returns the type of the embedded signature object. For ordinary signatures, this will be
/Sig
. In the case of a document timestamp,/DocTimeStamp
is returned.- Returns
A PDF name object describing the type of signature.
- property field_name
- Returns
Name of the signature field.
- property self_reported_timestamp: Optional[datetime.datetime]
- Returns
The signing time as reported by the signer, if embedded in the signature’s signed attributes.
- property attached_timestamp_data: Optional[asn1crypto.cms.SignedData]
- Returns
The signed data component of the timestamp token embedded in this signature, if present.
- compute_integrity_info(diff_policy=None, skip_diff=False)
Compute the various integrity indicators of this signature.
- Parameters
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.skip_diff – If
True
, skip the difference analysis step entirely.
- summarise_integrity_info() dict
Compile the integrity information for this signature into a dictionary that can later be passed to
PdfSignatureStatus
as kwargs.This method is only available after calling
EmbeddedPdfSignature.compute_integrity_info()
.
- property seed_value_spec: Optional[pyhanko.sign.fields.SigSeedValueSpec]
- property docmdp_level: Optional[pyhanko.sign.fields.MDPPerm]
- Returns
The document modification policy required by this signature or its Lock dictionary.
Warning
This does not take into account the DocMDP requirements of earlier signatures (if present).
The specification forbids signing with a more lenient DocMDP than the one currently in force, so this should not happen in a compliant document. That being said, any potential violations will still invalidate the earlier signature with the stricter DocMDP policy.
- property fieldmdp: Optional[pyhanko.sign.fields.FieldMDPSpec]
- Returns
Read the field locking policy of this signature, if applicable. See also
FieldMDPSpec
.
- compute_digest() bytes
Compute the
/ByteRange
digest of this signature. The result will be cached.- Returns
The digest value.
- compute_tst_digest() Optional[bytes]
Compute the digest of the signature needed to validate its timestamp token (if present).
Warning
This computation is only relevant for timestamp tokens embedded inside a regular signature. If the signature in question is a document timestamp (where the entire signature object is a timestamp token), this method does not apply.
- Returns
The digest value, or
None
if there is no timestamp token.
- evaluate_signature_coverage() pyhanko.sign.validation.SignatureCoverageLevel
Internal method used to evaluate the coverage level of a signature.
- Returns
The coverage level of the signature.
- evaluate_modifications(diff_policy: pyhanko.sign.diff_analysis.DiffPolicy) Union[pyhanko.sign.diff_analysis.DiffResult, pyhanko.sign.diff_analysis.SuspiciousModification]
Internal method used to evaluate the modification level of a signature.
- class pyhanko.sign.validation.DocMDPInfo(permission, author_sig)
Bases:
tuple
Encodes certification information for a signed document, consisting of a reference to the author signature, together with the associated DocMDP policy.
- property author_sig
Alias for field number 1
- property permission
Alias for field number 0
- class pyhanko.sign.validation.RevocationInfoValidationType(value)
Bases:
enum.Enum
Indicates a validation profile to use when validating revocation info.
- ADOBE_STYLE = 'adobe'
Retrieve validation information from the CMS object, using Adobe’s revocation info archival attribute.
- PADES_LT = 'pades'
Retrieve validation information from the DSS, and require the signature’s embedded timestamp to still be valid.
- PADES_LTA = 'pades-lta'
Retrieve validation information from the DSS, but read & validate the chain of document timestamps leading up to the signature to establish the integrity of the validation information at the time of signing.
- classmethod as_tuple()
- class pyhanko.sign.validation.VRI(certs: set = <factory>, ocsps: set = <factory>, crls: set = <factory>)
Bases:
object
VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature.
Note
The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler.
- certs: set
Relevant certificates.
- ocsps: set
Relevant OCSP responses.
- crls: set
Relevant CRLs.
- as_pdf_object() pyhanko.pdf_utils.generic.DictionaryObject
- Returns
A PDF dictionary representing this VRI entry.
- class pyhanko.sign.validation.DocumentSecurityStore(writer: pyhanko.pdf_utils.writer.BasePdfFileWriter, certs=None, ocsps=None, crls=None, vri_entries=None, backing_pdf_object=None)
Bases:
object
Representation of a DSS in Python.
- property modified
- static sig_content_identifier(contents) pyhanko.pdf_utils.generic.NameObject
Hash the contents of a signature object to get the corresponding VRI identifier.
This is internal API.
- Parameters
contents – Signature contents.
- Returns
A name object to put into the DSS.
- register_vri(identifier, *, certs=(), ocsps=(), crls=())
Register validation information for a set of signing certificates associated with a particular signature.
- Parameters
identifier – Identifier of the signature object (see sig_content_identifier). If
None
, only embed the data into the DSS without associating it with any VRI.certs – Certificates to add.
ocsps – OCSP responses to add.
crls – CRLs to add.
- as_pdf_object()
Convert the
DocumentSecurityStore
object to a python dictionary. This method also handles DSS updates.- Returns
A PDF object representing this DSS.
- as_validation_context(validation_context_kwargs, include_revinfo=True) pyhanko_certvalidator.context.ValidationContext
Construct a validation context from the data in this DSS.
- Parameters
validation_context_kwargs – Extra kwargs to pass to the
__init__
function.include_revinfo – If
False
, revocation info is skipped.
- Returns
A validation context preloaded with information from this DSS.
- classmethod read_dss(handler: pyhanko.pdf_utils.rw_common.PdfHandler) pyhanko.sign.validation.DocumentSecurityStore
Read a DSS record from a file and add the data to a validation context.
- Parameters
handler – PDF handler from which to read the DSS.
- Returns
A DocumentSecurityStore object describing the current state of the DSS.
- classmethod supply_dss_in_writer(pdf_out: pyhanko.pdf_utils.writer.BasePdfFileWriter, sig_contents, *, certs=None, ocsps=None, crls=None, paths=None, validation_context=None, embed_roots: bool = True) pyhanko.sign.validation.DocumentSecurityStore
Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object.
You can either specify the CMS objects to include directly, or pass them in as output from pyhanko_certvalidator.
- Parameters
pdf_out – PDF writer to write to.
sig_contents – Contents of the new signature (used to compute the VRI hash), as as a hexadecimal string, including any padding. If
None
, the information will not be added to any VRI dictionary.certs – Certificates to include in the VRI entry.
ocsps – OCSP responses to include in the VRI entry.
crls – CRLs to include in the VRI entry.
paths – Validation paths that have been established, and need to be added to the DSS.
validation_context – Validation context from which to draw OCSP responses and CRLs.
embed_roots –
New in version 0.9.0.
Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is
True
.Note
Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes.
Warning
This only applies to paths, not the
certs
parameter.
- Returns
a
DocumentSecurityStore
object containing both the new and existing contents of the DSS (if any).
- classmethod add_dss(output_stream, sig_contents, *, certs=None, ocsps=None, crls=None, paths=None, validation_context=None, force_write: bool = False, embed_roots: bool = True)
Wrapper around
supply_dss_in_writer()
.The result is applied to the output stream as an incremental update.
- Parameters
output_stream – Output stream to write to.
sig_contents – Contents of the new signature (used to compute the VRI hash), as as a hexadecimal string, including any padding. If
None
, the information will not be added to any VRI dictionary.certs – Certificates to include in the VRI entry.
ocsps – OCSP responses to include in the VRI entry.
crls – CRLs to include in the VRI entry.
paths – Validation paths that have been established, and need to be added to the DSS.
force_write – Force a write even if the DSS doesn’t have any new content.
validation_context – Validation context from which to draw OCSP responses and CRLs.
embed_roots –
New in version 0.9.0.
Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is
True
.Note
Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes.
Warning
This only applies to paths, not the
certs
parameter.
- pyhanko.sign.validation.apply_adobe_revocation_info(signer_info: asn1crypto.cms.SignerInfo, validation_context_kwargs=None) pyhanko_certvalidator.context.ValidationContext
Read Adobe-style revocation information from a CMS object, and load it into a validation context.
- Parameters
signer_info – Signer info CMS object.
validation_context_kwargs – Extra kwargs to pass to the
__init__
function.
- Returns
A validation context preloaded with the relevant revocation information.
- pyhanko.sign.validation.get_timestamp_chain(reader: pyhanko.pdf_utils.reader.PdfFileReader) Iterator[pyhanko.sign.validation.EmbeddedPdfSignature]
Get the document timestamp chain of the associated reader, ordered from new to old.
- Parameters
reader – A
PdfFileReader
.- Returns
An iterable of
EmbeddedPdfSignature
objects representing document timestamps.
- pyhanko.sign.validation.read_certification_data(reader: pyhanko.pdf_utils.reader.PdfFileReader) Optional[pyhanko.sign.validation.DocMDPInfo]
Read the certification information for a PDF document, if present.
- Parameters
reader – Reader representing the input document.
- Returns
A
DocMDPInfo
object containing the relevant data, orNone
.
- pyhanko.sign.validation.validate_pdf_ltv_signature(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_type: pyhanko.sign.validation.RevocationInfoValidationType, validation_context_kwargs=None, bootstrap_validation_context=None, force_revinfo=False, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.PdfSignatureStatus
Changed in version 0.9.0: Wrapper around
async_validate_pdf_ltv_signature()
.Validate a PDF LTV signature according to a particular profile.
- Parameters
embedded_sig – Embedded signature to evaluate.
validation_type – Validation profile to use.
validation_context_kwargs – Keyword args to instantiate
pyhanko_certvalidator.ValidationContext
objects needed over the course of the validation.bootstrap_validation_context – Validation context used to validate the current timestamp.
force_revinfo – Require all certificates encountered to have some form of live revocation checking provisions.
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the signature.
- async pyhanko.sign.validation.async_validate_pdf_ltv_signature(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_type: pyhanko.sign.validation.RevocationInfoValidationType, validation_context_kwargs=None, bootstrap_validation_context=None, force_revinfo=False, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.PdfSignatureStatus
New in version 0.9.0.
Validate a PDF LTV signature according to a particular profile.
- Parameters
embedded_sig – Embedded signature to evaluate.
validation_type – Validation profile to use.
validation_context_kwargs – Keyword args to instantiate
pyhanko_certvalidator.ValidationContext
objects needed over the course of the validation.bootstrap_validation_context – Validation context used to validate the current timestamp.
force_revinfo – Require all certificates encountered to have some form of live revocation checking provisions.
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the signature.
- pyhanko.sign.validation.validate_pdf_signature(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.PdfSignatureStatus
Validate a PDF signature.
- Parameters
embedded_sig – Embedded signature to evaluate.
signer_validation_context – Validation context to use to validate the signature’s chain of trust.
ts_validation_context – Validation context to use to validate the timestamp’s chain of trust (defaults to
signer_validation_context
).diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the PDF signature in question.
- async pyhanko.sign.validation.async_validate_pdf_signature(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, skip_diff: bool = False) pyhanko.sign.validation.PdfSignatureStatus
New in version 0.9.0.
Validate a PDF signature.
- Parameters
embedded_sig – Embedded signature to evaluate.
signer_validation_context – Validation context to use to validate the signature’s chain of trust.
ts_validation_context – Validation context to use to validate the timestamp’s chain of trust (defaults to
signer_validation_context
).diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the PDF signature in question.
- pyhanko.sign.validation.validate_cms_signature(signed_data: asn1crypto.cms.SignedData, status_cls: Type[pyhanko.sign.validation.StatusType] = <class 'pyhanko.sign.general.SignatureStatus'>, raw_digest: Optional[bytes] = None, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: Optional[dict] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, encap_data_invalid=False)
Deprecated since version 0.9.0: Use
async_validate_cms_signature()
instead.Changed in version 0.7.0: Now handles both detached and enveloping signatures.
Validate a CMS signature (i.e. a
SignedData
object).- Parameters
signed_data – The
asn1crypto.cms.SignedData
object to validate.status_cls – Status class to use for the validation result.
raw_digest – Raw digest, computed from context.
validation_context – Validation context to validate the signer’s certificate.
status_kwargs – Other keyword arguments to pass to the
status_class
when reporting validation results.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.encap_data_invalid –
If
True
, the encapsulated data inside the CMS is invalid, but the remaining validation logic still has to be run (e.g. a timestamp token, which requires validation of the embedded message imprint).This option is considered internal API, the semantics of which may change without notice in the future.
- Returns
A
SignatureStatus
object (or an instance of a proper subclass)
- async pyhanko.sign.validation.async_validate_cms_signature(signed_data: asn1crypto.cms.SignedData, status_cls: Type[pyhanko.sign.validation.StatusType] = <class 'pyhanko.sign.general.SignatureStatus'>, raw_digest: Optional[bytes] = None, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, status_kwargs: Optional[dict] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, encap_data_invalid=False)
Validate a CMS signature (i.e. a
SignedData
object).- Parameters
signed_data – The
asn1crypto.cms.SignedData
object to validate.status_cls – Status class to use for the validation result.
raw_digest – Raw digest, computed from context.
validation_context – Validation context to validate the signer’s certificate.
status_kwargs – Other keyword arguments to pass to the
status_class
when reporting validation results.key_usage_settings – A
KeyUsageConstraints
object specifying which key usage extensions must or must not be present in the signer’s certificate.encap_data_invalid –
If
True
, the encapsulated data inside the CMS is invalid, but the remaining validation logic still has to be run (e.g. a timestamp token, which requires validation of the embedded message imprint).This option is considered internal API, the semantics of which may change without notice in the future.
- Returns
A
SignatureStatus
object (or an instance of a proper subclass)
- pyhanko.sign.validation.validate_detached_cms(input_data: Union[bytes, IO, asn1crypto.cms.ContentInfo, asn1crypto.cms.EncapsulatedContentInfo], signed_data: asn1crypto.cms.SignedData, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, chunk_size=4096, max_read=None) pyhanko.sign.validation.StandardCMSSignatureStatus
Deprecated since version 0.9.0: Use
async_validate_detached_cms()
instead.Validate a detached CMS signature.
- Parameters
input_data –
The input data to sign. This can be either a
bytes
object, a file-like object or acms.ContentInfo
/cms.EncapsulatedContentInfo
object.If a CMS content info object is passed in, the content field will be extracted.
signed_data – The
cms.SignedData
object containing the signature to verify.signer_validation_context – Validation context to use to verify the signer certificate’s trust.
ts_validation_context – Validation context to use to verify the TSA certificate’s trust, if a timestamp token is present. By default, the same validation context as that of the signer is used.
key_usage_settings – Key usage parameters for the signer.
chunk_size – Chunk size to use when consuming input data.
max_read – Maximal number of bytes to read from the input stream.
- Returns
A description of the signature’s status.
- async pyhanko.sign.validation.async_validate_detached_cms(input_data: Union[bytes, IO, asn1crypto.cms.ContentInfo, asn1crypto.cms.EncapsulatedContentInfo], signed_data: asn1crypto.cms.SignedData, signer_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, ts_validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, key_usage_settings: Optional[pyhanko.sign.general.KeyUsageConstraints] = None, chunk_size=4096, max_read=None) pyhanko.sign.validation.StandardCMSSignatureStatus
Validate a detached CMS signature.
- Parameters
input_data –
The input data to sign. This can be either a
bytes
object, a file-like object or acms.ContentInfo
/cms.EncapsulatedContentInfo
object.If a CMS content info object is passed in, the content field will be extracted.
signed_data – The
cms.SignedData
object containing the signature to verify.signer_validation_context – Validation context to use to verify the signer certificate’s trust.
ts_validation_context – Validation context to use to verify the TSA certificate’s trust, if a timestamp token is present. By default, the same validation context as that of the signer is used.
key_usage_settings – Key usage parameters for the signer.
chunk_size – Chunk size to use when consuming input data.
max_read – Maximal number of bytes to read from the input stream.
- Returns
A description of the signature’s status.
- pyhanko.sign.validation.validate_pdf_timestamp(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, skip_diff: bool = False) pyhanko.sign.validation.DocumentTimestampStatus
Changed in version 0.9.0: Wrapper around
async_validate_pdf_timestamp()
.Validate a PDF document timestamp.
- Parameters
embedded_sig – Embedded signature to evaluate.
validation_context – Validation context to use to validate the timestamp’s chain of trust.
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the PDF timestamp in question.
- async pyhanko.sign.validation.async_validate_pdf_timestamp(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_context: Optional[pyhanko_certvalidator.context.ValidationContext] = None, diff_policy: Optional[pyhanko.sign.diff_analysis.DiffPolicy] = None, skip_diff: bool = False) pyhanko.sign.validation.DocumentTimestampStatus
New in version 0.9.0.
Validate a PDF document timestamp.
- Parameters
embedded_sig – Embedded signature to evaluate.
validation_context – Validation context to use to validate the timestamp’s chain of trust.
diff_policy – Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to
DEFAULT_DIFF_POLICY
.skip_diff – If
True
, skip the difference analysis step entirely.
- Returns
The status of the PDF timestamp in question.
- async pyhanko.sign.validation.collect_validation_info(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_context: pyhanko_certvalidator.context.ValidationContext, skip_timestamp=False)
Query revocation info for a PDF signature using a validation context, and store the results in a validation context.
This works by validating the signer’s certificate against the provided validation context, which causes revocation info to be cached for later retrieval.
Warning
This function does not actually validate the signature, but merely checks the signer certificate’s chain of trust.
- Parameters
embedded_sig – Embedded PDF signature to operate on.
validation_context – Validation context to use.
skip_timestamp – If the signature has a time stamp token attached to it, also collect revocation information for the timestamp.
- Returns
A list of validation paths.
- pyhanko.sign.validation.add_validation_info(embedded_sig: pyhanko.sign.validation.EmbeddedPdfSignature, validation_context: pyhanko_certvalidator.context.ValidationContext, skip_timestamp=False, add_vri_entry=True, in_place=False, output=None, force_write=False, chunk_size=4096)
Changed in version 0.9.0: Wrapper around
async_add_validation_info()
Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update.
- Parameters
embedded_sig – The signature for which the revocation information needs to be collected.
validation_context – The validation context to use.
skip_timestamp – If
True
, do not attempt to validate the timestamp attached to the signature, if one is present.add_vri_entry – Add a
/VRI
entry for this signature to the document security store. Default isTrue
.output – Write the output to the specified output stream. If
None
, write to a newBytesIO
object. Default isNone
.in_place – Sign the original input stream in-place. This parameter overrides
output
.chunk_size – Chunk size parameter to use when copying output to a new stream (irrelevant if
in_place
isTrue
).force_write – Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS).
- Returns
The (file-like) output object to which the result was written.
- exception pyhanko.sign.validation.ValidationInfoReadingError
Bases:
ValueError
Error reading validation info.
- exception pyhanko.sign.validation.SigSeedValueValidationError(failure_message)
Bases:
pyhanko.sign.general.SignatureValidationError
Error validating a signature’s seed value constraints.