def pkcs11_sign(self): sbr = 'SIGNER 0 R' dbr = '%-6d 0 R' % self.pkcs11annot self.buffer = self.buffer.replace(sbr, dbr, 2) buffer = self.buffer.encode('latin1') zeros = self.pkcs11zeros.encode('latin1') pdfbr1 = buffer.find(zeros) pdfbr2 = pdfbr1 + len(zeros) br = (0, pdfbr1 - 1, pdfbr2 + 1, len(buffer) - pdfbr2 - 1) sbr = b'[0000000000 0000000000 0000000000 0000000000]' dbr = b'[%010d %010d %010d %010d]' % br buffer = buffer.replace(sbr, dbr, 1) b1 = buffer[:br[1]] b2 = buffer[br[2]:] md = getattr(hashlib, self.pkcs11algomd)() md.update(b1) md.update(b2) signed_md = md.digest() contents = signer.sign(None, self.pkcs11key, self.pkcs11cert, self.pkcs11certs, self.pkcs11algomd, True, signed_md) contents = self.pkcs11_aligned(contents) buffer = buffer.replace(zeros, contents.encode('latin1'), 1) self.buffer = buffer.decode('latin1')
def sign(self, datau, dct, key, cert, othercerts, algomd, hsm): zeros = self.aligned(b'\0') pdfdata2 = self.makepdf(datau, dct, zeros) startxref = len(datau) pdfbr1 = pdfdata2.find(zeros) pdfbr2 = pdfbr1 + len(zeros) br = [ 0, startxref + pdfbr1 - 1, startxref + pdfbr2 + 1, len(pdfdata2) - pdfbr2 - 1 ] brfrom = b'[0000000000 0000000000 0000000000 0000000000]' brto = b'[%010d %010d %010d %010d]' % tuple(br) pdfdata2 = pdfdata2.replace(brfrom, brto, 1) md = getattr(hashlib, algomd)() md.update(datau) b1 = pdfdata2[:br[1] - startxref] b2 = pdfdata2[br[2] - startxref:] md.update(b1) md.update(b2) md = md.digest() contents = signer.sign(None, key, cert, othercerts, algomd, True, md, hsm) contents = self.aligned(contents) pdfdata2 = pdfdata2.replace(zeros, contents, 1) return pdfdata2
def assina_xml2(self, xml_element, reference): for element in xml_element.iter("*"): if element.text is not None and not element.text.strip(): element.text = None signer = signxml.XMLSigner( method=signxml.methods.enveloped, signature_algorithm="rsa-sha1", digest_algorithm='sha1', c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315') ns = dict() ns[None] = signer.namespaces['ds'] signer.namespaces = ns ref_uri = ('#%s' % reference) if reference else None signed_root = signer.sign(xml_element, key=self.certificado.key, cert=self.certificado.cert, reference_uri=ref_uri) if reference: element_signed = signed_root.find(".//*[@Id='%s']" % reference) signature = signed_root.find( ".//{http://www.w3.org/2000/09/xmldsig#}Signature") if element_signed is not None and signature is not None: parent = element_signed.getparent() parent.append(signature) return etree.tostring(signed_root, encoding=str)
def sign(self, md, algomd): tspurl = "http://public-qlts.certum.pl/qts-17" tspurl = None with open("demo2_user1.p12", "rb") as fp: p12 = pkcs12.load_key_and_certificates(fp.read(), b"1234", backends.default_backend()) contents = signer.sign(None, p12[0], p12[1], p12[2], algomd, True, md, None, False, tspurl) return contents
def build(self, datau, key, cert, othercerts, hashalgo, attrs): datau = datau.replace(b'\n', b'\r\n') datas = signer.sign(datau, key, cert, othercerts, hashalgo, attrs) datas = base64.encodebytes(datas) if hashalgo == 'sha1': hashalgo = b'sha1' elif hashalgo == 'sha256': hashalgo = b'sha-256' data = self.email(hashalgo, datau, datas) return data
def build(self, datau, key, cert, othercerts, hashalgo, attrs, pss=False): datau = datau.replace(b'\n', b'\r\n') datas = signer.sign(datau, key, cert, othercerts, hashalgo, attrs, pss=pss) datas = base64.encodebytes(datas) if hashalgo == 'sha1': hashalgo = b'sha1' elif hashalgo == 'sha256': hashalgo = b'sha-256' elif hashalgo == 'sha512': hashalgo = b'sha-512' prefix = [b'x-', b''][pss] data = self.email(hashalgo, datau, datas, prefix) return data
def sign(self, datau, udct, key, cert, othercerts, algomd, hsm, timestampurl): startdata = len(datau) fi = io.BytesIO(datau) # read end decrypt prev = pdf.PdfFileReader(fi) if prev.isEncrypted: rc = prev.decrypt(udct["password"]) else: rc = 0 # digest method must remain unchanged from prevoius signatures obj = prev.trailer for k in ("/Root", "/Perms", "/DocMDP", "/Reference"): if k in obj: obj = obj[k] if isinstance(obj, po.ArrayObject): obj = obj[0] obj = obj.getObject() else: obj = None break if obj is not None: algomd = obj["/DigestMethod"][1:].lower() # produce smaller signatures, but must be signed twice aligned = udct.get("aligned", 0) if aligned: zeros = b"00" * aligned else: md = getattr(hashlib, algomd)().digest() contents = signer.sign(None, key, cert, othercerts, algomd, True, md, hsm, False, timestampurl) zeros = contents.hex().encode("utf-8") self.makepdf(prev, udct, algomd, zeros) # if document was encrypted, encrypt this version too if prev.isEncrypted: self.encrypt(prev, udct["password"], rc) else: self._encrypt_key = None # ID[0] is used in password protection, must be unchanged ID = prev.trailer.get("/ID", None) if ID is None: ID = hashlib.md5(repr(time.time()).encode()).digest() else: ID = ID[0] if isinstance(ID, str): ID = ID.encode() self._ID = po.ArrayObject([ po.ByteStringObject(ID), po.ByteStringObject( hashlib.md5(repr(random.random()).encode()).digest()), ]) fo = io.BytesIO() self.write(fo, prev, startdata) datas = fo.getvalue() br = [0, 0, 0, 0] bfrom = (b"[ " + b" ".join([WNumberObject.Format] * 4) + b" ]") % tuple(br) pdfbr1 = datas.find(zeros) pdfbr2 = pdfbr1 + len(zeros) br = [ 0, startdata + pdfbr1 - 1, startdata + pdfbr2 + 1, len(datas) - pdfbr2 - 1, ] bto = b"[%d %d %d %d]" % tuple(br) bto += b" " * (len(bfrom) - len(bto)) assert len(bfrom) == len(bto) datas = datas.replace(bfrom, bto, 1) md = getattr(hashlib, algomd)() md.update(datau) b1 = datas[:br[1] - startdata] b2 = datas[br[2] - startdata:] md.update(b1) md.update(b2) md = md.digest() contents = signer.sign(None, key, cert, othercerts, algomd, True, md, hsm, False, timestampurl) contents = contents.hex().encode("utf-8") if aligned: nb = len(zeros) - len(contents) contents += b"0" * nb assert len(zeros) == len(contents) datas = datas.replace(zeros, contents, 1) return datas
def sign(datau, key, cert, certs, hashalgo='sha1', attrs=True, pss=False): return signer.sign(datau, key, cert, certs, hashalgo, attrs, pss=pss)
def sign(datau, key, cert, certs, hashalgo='sha1', attrs=True): return signer.sign(datau, key, cert, certs, hashalgo, attrs)