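def _open_for_signing(infile_path, signer_cert=None, signer_key=None):
    """Open a PDF for incremental signing, unlocking it first if encrypted.

    Args:
        infile_path: Path of the PDF to open; it is opened in binary mode.
        signer_cert: Signer's certificate, used only when the input is
            encrypted with a public-key security handler.
        signer_key: Signer's private key. When it is ``None``, public-key
            encrypted input is rejected.

    Returns:
        An ``IncrementalPdfFileWriter`` built over the opened file. The file
        handle is left open on success because the writer was constructed
        over it; the caller owns its lifetime from then on.

    Raises:
        click.ClickException: The input is encrypted and no usable
            credential is available for its security handler.
    """
    from pyhanko.pdf_utils import crypt

    infile = open(infile_path, 'rb')
    try:
        writer = IncrementalPdfFileWriter(infile)
        # TODO make this an option higher up the tree
        if writer.prev.encrypted:
            sh = writer.prev.security_handler
            if isinstance(sh, crypt.StandardSecurityHandler):
                # Password-based encryption: prompt on the terminal so the
                # password is not passed on the command line.
                pdf_pass = getpass.getpass(
                    prompt='Password for encrypted file \'%s\': ' % infile_path
                )
                writer.encrypt(pdf_pass)
            elif isinstance(sh, crypt.PubKeySecurityHandler) \
                    and signer_key is not None:
                # Attempt to decrypt using the signer's credentials. This
                # reuses one key pair for signing and for decryption, which
                # is why the operator gets a warning.
                cred = SimpleEnvelopeKeyDecrypter(signer_cert, signer_key)
                logger.warning(
                    "The file \'%s\' appears to be encrypted using public-key "
                    "encryption. This is only partially supported in pyHanko's "
                    "CLI. PyHanko will attempt to decrypt the document using the "
                    "signer's public key, but be aware that using the same key "
                    "for both signing and decryption is considered bad practice. "
                    "Never use the same RSA key that you use to decrypt messages to "
                    "sign hashes that you didn't compute yourself!",
                    infile_path,
                )
                writer.encrypt_pubkey(cred)
            else:
                raise click.ClickException(
                    "Input file appears to be encrypted, but appropriate "
                    "credentials are not available.")
    except BaseException:
        # No writer is handed back on this path (bad credentials, aborted
        # prompt, parse error), so nobody else would close the handle.
        infile.close()
        raise
    return writer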
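def decrypt_with_pkcs12(infile, outfile, pfx, passfile, force):
    """Decrypt a public-key encrypted PDF using a PKCS#12 credential.

    Args:
        infile: Input document, passed through to ``_decrypt_pubkey``.
        outfile: Output destination, passed through to ``_decrypt_pubkey``.
        pfx: PKCS#12 file handed to ``SimpleEnvelopeKeyDecrypter.load_pkcs12``.
        passfile: Open file object holding the key passphrase, or ``None``
            to prompt for it on the terminal.
        force: Passed through to ``_decrypt_pubkey`` unchanged.
    """
    if passfile is None:
        passphrase = getpass.getpass(prompt='Key passphrase: ').encode('utf-8')
    else:
        # Close the passphrase file even when the read fails, so the handle
        # to the secret does not linger.
        try:
            # The contents are used verbatim, so a trailing newline in the
            # file becomes part of the passphrase.
            # NOTE(review): presumably passfile is opened in binary mode, to
            # match the bytes produced by the prompt branch; confirm.
            passphrase = passfile.read()
        finally:
            passfile.close()
    # NOTE(review): confirm how load_pkcs12 reports a wrong passphrase or an
    # unreadable file; the result is passed on without a check.
    sedk = SimpleEnvelopeKeyDecrypter.load_pkcs12(pfx, passphrase=passphrase)
    _decrypt_pubkey(sedk, infile, outfile, force)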
stream2 = generic.StreamObject( stream_data=stream_data(ascii_text, 100)) if compress: stream2.compress() contents = generic.ArrayObject( [pdf_out.add_object(stream), pdf_out.add_object(stream2)]) else: contents = pdf_out.add_object(stream) return writer.PageObject(contents=contents, media_box=media_box, resources=resources) PUBKEY_TEST_DECRYPTER = SimpleEnvelopeKeyDecrypter.load( f"{CRYPTO_DATA_DIR}/keys-rsa/signer.key.pem", f"{CRYPTO_DATA_DIR}/testing-ca/interm/decrypter1.cert.pem", b'secret') # no keyEncipherment bit on this one PUBKEY_SELFSIGNED_DECRYPTER = SimpleEnvelopeKeyDecrypter.load( "pyhanko_tests/data/crypto/selfsigned.key.pem", "pyhanko_tests/data/crypto/selfsigned.cert.pem", b'secret') CERTOMANCER_CONFIG_PATH = CRYPTO_DATA_DIR + '/certomancer.yml' def _configure_certomancer(): with open(CERTOMANCER_CONFIG_PATH, 'r') as inf: cfg_text = inf.read() cfg = yaml.safe_load(cfg_text)
generic.DictionaryObject({pdf_name('/F1'): get_courier()}) }) media_box = generic.ArrayObject(map(generic.NumberObject, (0, 0, 300, 144))) def stream_data(txt, y): return f'BT /F1 18 Tf 0 {y} Td ({txt}) Tj ET'.encode('ascii') stream = generic.StreamObject(stream_data=stream_data(ascii_text, 0)) if compress: stream.compress() if extra_stream: stream2 = generic.StreamObject( stream_data=stream_data(ascii_text, 100)) if compress: stream2.compress() contents = generic.ArrayObject( [pdf_out.add_object(stream), pdf_out.add_object(stream2)]) else: contents = pdf_out.add_object(stream) return writer.PageObject(contents=contents, media_box=media_box, resources=resources) PUBKEY_TEST_DECRYPTER = SimpleEnvelopeKeyDecrypter.load( "pyhanko_tests/data/crypto/selfsigned.key.pem", "pyhanko_tests/data/crypto/selfsigned.cert.pem", b'secret')
stream = generic.StreamObject(stream_data=stream_data(ascii_text, 0)) if compress: stream.compress() if extra_stream: stream2 = generic.StreamObject( stream_data=stream_data(ascii_text, 100)) if compress: stream2.compress() contents = generic.ArrayObject( [pdf_out.add_object(stream), pdf_out.add_object(stream2)]) else: contents = pdf_out.add_object(stream) return writer.PageObject(contents=contents, media_box=media_box, resources=resources) # These certs have the keyEncipherment extension active (yes, I know that # that isn't good key hygiene, esp. with RSA, but it's a testing setup) PUBKEY_TEST_DECRYPTER = SimpleEnvelopeKeyDecrypter.load( "pyhanko_tests/data/crypto/testing-ca/keys/signer.key.pem", "pyhanko_tests/data/crypto/testing-ca/intermediate/newcerts/signer.cert.pem", b'secret') # no keyEncipherment bit on this one PUBKEY_SELFSIGNED_DECRYPTER = SimpleEnvelopeKeyDecrypter.load( "pyhanko_tests/data/crypto/selfsigned.key.pem", "pyhanko_tests/data/crypto/selfsigned.cert.pem", b'secret')