Ejemplo n.º 1
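def _open_for_signing(infile_path, signer_cert=None, signer_key=None):
    """Open a PDF for incremental signing, unlocking it first if encrypted.

    Args:
        infile_path: Path of the PDF file to open.
        signer_cert: Signer's certificate. Only used to build the decryption
            credential when the document uses a public-key security handler.
        signer_key: Signer's private key. Same use as ``signer_cert``.

    Returns:
        An ``IncrementalPdfFileWriter`` built on the opened file. The file
        handle stays open on success because the writer was constructed
        on top of it.

    Raises:
        click.ClickException: The document is encrypted and no suitable
            credentials are available.
    """
    from pyhanko.pdf_utils import crypt
    infile = open(infile_path, 'rb')
    try:
        writer = IncrementalPdfFileWriter(infile)

        # TODO make this an option higher up the tree
        if writer.prev.encrypted:
            sh = writer.prev.security_handler
            if isinstance(sh, crypt.StandardSecurityHandler):
                # Prompt interactively so the password never has to appear
                # on the command line.
                pdf_pass = getpass.getpass(
                    prompt='Password for encrypted file \'%s\': '
                           % infile_path)
                # NOTE(review): the result of encrypt() is not inspected
                # here -- confirm that a wrong password surfaces as an error.
                writer.encrypt(pdf_pass)
            elif isinstance(sh, crypt.PubKeySecurityHandler) \
                    and signer_key is not None:
                # Attempt to decrypt using the signer's credentials. The same
                # key then serves for signing and decryption, which is why
                # the warning below is emitted.
                cred = SimpleEnvelopeKeyDecrypter(signer_cert, signer_key)
                logger.warning(
                    "The file '%s' appears to be encrypted using public-key "
                    "encryption. This is only partially supported in "
                    "pyHanko's CLI. PyHanko will attempt to decrypt the "
                    "document using the signer's public key, but be aware "
                    "that using the same key for both signing and decryption "
                    "is considered bad practice. Never use the same RSA key "
                    "that you use to decrypt messages to sign hashes that "
                    "you didn't compute yourself!", infile_path)
                writer.encrypt_pubkey(cred)
            else:
                raise click.ClickException(
                    "Input file appears to be encrypted, but appropriate "
                    "credentials are not available.")
    except BaseException:
        # Nothing is returned on failure, so no caller could ever close the
        # handle; release it here (also covers Ctrl-C at the prompt).
        infile.close()
        raise
    return writer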
def test_sign_crypt_aes256(password):
    """Sign the ``MINIMAL_ONE_FIELD_AES256`` sample and validate the result.

    ``password`` unlocks the input before signing and decrypts the signed
    output before the embedded signature is checked. It is presumably
    supplied by test parametrization that is not visible here.
    """
    pdf_writer = IncrementalPdfFileWriter(BytesIO(MINIMAL_ONE_FIELD_AES256))
    pdf_writer.encrypt(password)

    # Only an existing signature field may be filled in.
    meta = signers.PdfSignatureMetadata()
    signed = signers.sign_pdf(
        pdf_writer, meta, signer=FROM_CA, existing_fields_only=True,
    )

    # The signed output must be decrypted before signatures can be read.
    reader = PdfFileReader(signed)
    reader.decrypt(password)
    first_sig = reader.embedded_signatures[0]
    val_trusted(first_sig)
def test_sign_crypt_rc4_new(password, file):
    """Sign a sample from ``sign_crypt_rc4_files`` in field ``SigNew``.

    ``file`` selects the sample document and ``password`` unlocks it, both
    before signing and when the signed output is read back. Both arguments
    are presumably supplied by test parametrization not visible here.
    """
    source = BytesIO(sign_crypt_rc4_files[file])
    pdf_writer = IncrementalPdfFileWriter(source)
    pdf_writer.encrypt(password)

    meta = signers.PdfSignatureMetadata(field_name='SigNew')
    signed = signers.sign_pdf(pdf_writer, meta, signer=FROM_CA)

    # Rewind so the reader starts at the beginning of the signed output.
    signed.seek(0)
    reader = PdfFileReader(signed)
    reader.decrypt(password)

    first_sig = reader.embedded_signatures[0]
    val_trusted(first_sig)
Ejemplo n.º 4
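def addsig_simple_signer(signer: signers.SimpleSigner, infile, outfile,
                         timestamp_url, signature_meta, existing_fields_only,
                         style, stamp_url, new_field_spec):
    """Sign the PDF read from ``infile`` and write the result to ``outfile``.

    Args:
        signer: Signer used to produce the signature.
        infile: Open binary file object holding the input PDF.
        outfile: Open binary file object that receives the signed PDF.
        timestamp_url: URL passed to ``HTTPTimeStamper``, or ``None`` to sign
            without a timestamper.
        signature_meta: Signature metadata handed to ``signers.PdfSigner``.
        existing_fields_only: Forwarded to ``sign_pdf``.
        style: Stamp style handed to ``signers.PdfSigner``.
        stamp_url: If not ``None``, passed as the ``'url'`` appearance text
            parameter.
        new_field_spec: Field spec handed to ``signers.PdfSigner``.

    Both file objects are closed before returning, whether or not signing
    succeeded.
    """
    with pyhanko_exception_manager():
        try:
            timestamper = (
                HTTPTimeStamper(timestamp_url)
                if timestamp_url is not None else None
            )
            writer = IncrementalPdfFileWriter(infile)

            # TODO make this an option higher up the tree
            # TODO mention filename in prompt
            if writer.prev.encrypted:
                # Prompt interactively so the password never has to appear
                # on the command line.
                pdf_pass = getpass.getpass(
                    prompt='Password for encrypted file: ').encode('utf-8')
                # NOTE(review): the result of encrypt() is not inspected
                # here -- confirm that a wrong password surfaces as an error.
                writer.encrypt(pdf_pass)

            text_params = None
            if stamp_url is not None:
                text_params = {'url': stamp_url}

            result = signers.PdfSigner(
                signature_meta,
                signer=signer,
                timestamper=timestamper,
                stamp_style=style,
                new_field_spec=new_field_spec).sign_pdf(
                    writer,
                    existing_fields_only=existing_fields_only,
                    appearance_text_params=text_params)

            # The buffer view is released when the ``with`` block exits,
            # even if the write fails.
            with result.getbuffer() as buf:
                outfile.write(buf)
        finally:
            # Close on every path: a failed prompt, decryption or signing
            # step would otherwise leave both handles open.
            infile.close()
            outfile.close()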