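def _open_for_signing(infile_path, signer_cert=None, signer_key=None):
    """Open a PDF for incremental signing, unlocking it first if it is encrypted.

    The input file is opened in binary mode and wrapped in an
    ``IncrementalPdfFileWriter``. If the previous revision is encrypted:

    * with a ``StandardSecurityHandler``, the user is prompted for the
      password on the terminal (``getpass``, so it is not echoed);
    * with a ``PubKeySecurityHandler`` and a ``signer_key`` available,
      decryption is attempted with the signer's own credentials, and a
      warning about key reuse is logged;
    * otherwise a ``click.ClickException`` is raised.

    Args:
        infile_path: Path of the PDF file to open.
        signer_cert: Signer's certificate, used only for public-key decryption.
        signer_key: Signer's private key, used only for public-key decryption.

    Returns:
        The writer wrapping the still-open input file. The file handle is
        not closed here on success, so the caller owns its lifetime.

    Raises:
        click.ClickException: The file is encrypted and no usable
            credentials are available.
    """
    from pyhanko.pdf_utils import crypt

    infile = open(infile_path, 'rb')
    try:
        writer = IncrementalPdfFileWriter(infile)

        # TODO make this an option higher up the tree
        if writer.prev.encrypted:
            sh = writer.prev.security_handler
            if isinstance(sh, crypt.StandardSecurityHandler):
                pdf_pass = getpass.getpass(
                    prompt='Password for encrypted file \'%s\': ' % infile_path
                )
                writer.encrypt(pdf_pass)
            elif isinstance(sh, crypt.PubKeySecurityHandler) \
                    and signer_key is not None:
                # attempt to decrypt using signer's credentials
                cred = SimpleEnvelopeKeyDecrypter(signer_cert, signer_key)
                # Reusing one RSA key for signing and decryption means a
                # signature request over attacker-chosen input can double as
                # a decryption request, hence the loud warning. Wording fixes
                # relative to the previous message: decryption uses the
                # private key, and the "to" / "sign" literals were missing
                # the space between them.
                logger.warning(
                    "The file '%s' appears to be encrypted using public-key "
                    "encryption. This is only partially supported in "
                    "pyHanko's CLI. PyHanko will attempt to decrypt the "
                    "document using the signer's private key, but be aware "
                    "that using the same key for both signing and decryption "
                    "is considered bad practice. Never use the same RSA key "
                    "that you use to decrypt messages to sign hashes that "
                    "you didn't compute yourself!",
                    infile_path,
                )
                writer.encrypt_pubkey(cred)
            else:
                raise click.ClickException(
                    "Input file appears to be encrypted, but appropriate "
                    "credentials are not available.")
    except BaseException:
        # Nothing is returned on failure (including Ctrl-C at the password
        # prompt), so nobody else could close the handle: release it here.
        infile.close()
        raise
    return writer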
def test_sign_crypt_aes256(password):
    """Sign an encrypted one-field fixture and validate the result.

    The writer is unlocked with ``password`` before signing, and the signed
    output has to be decrypted with the same password before the embedded
    signature can be read back and checked with ``val_trusted``.
    ``password`` is presumably supplied by parametrization defined outside
    this function.
    """
    source = BytesIO(MINIMAL_ONE_FIELD_AES256)
    writer = IncrementalPdfFileWriter(source)
    writer.encrypt(password)

    # No field name is given: with existing_fields_only=True the signer
    # must use a field already present in the document.
    meta = signers.PdfSignatureMetadata()
    signed = signers.sign_pdf(
        writer, meta, signer=FROM_CA, existing_fields_only=True
    )

    reader = PdfFileReader(signed)
    reader.decrypt(password)
    signature = reader.embedded_signatures[0]
    val_trusted(signature)
def test_sign_crypt_rc4_new(password, file):
    """Sign a new field ('SigNew') in an encrypted fixture and validate it.

    ``file`` indexes into ``sign_crypt_rc4_files``; both arguments are
    presumably supplied by parametrization defined outside this function.
    Going by the fixture name these are RC4-encrypted documents, i.e. the
    legacy PDF cipher that still has to be handled for existing files.
    """
    fixture = sign_crypt_rc4_files[file]
    writer = IncrementalPdfFileWriter(BytesIO(fixture))
    writer.encrypt(password)

    meta = signers.PdfSignatureMetadata(field_name='SigNew')
    signed = signers.sign_pdf(writer, meta, signer=FROM_CA)
    # Rewind so the reader starts at the beginning of the signed output.
    signed.seek(0)

    reader = PdfFileReader(signed)
    reader.decrypt(password)
    signature = reader.embedded_signatures[0]
    val_trusted(signature)
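def addsig_simple_signer(signer: signers.SimpleSigner, infile, outfile,
                         timestamp_url, signature_meta,
                         existing_fields_only, style, stamp_url,
                         new_field_spec):
    """Sign ``infile`` with ``signer`` and write the result to ``outfile``.

    Args:
        signer: The signer that produces the signature.
        infile: Open binary file object holding the input PDF.
        outfile: Open binary file object that receives the signed PDF.
        timestamp_url: URL handed to ``HTTPTimeStamper``; ``None`` disables
            timestamping. It is used as given, nothing here validates it.
        signature_meta: Signature metadata passed to ``PdfSigner``.
        existing_fields_only: Forwarded to ``sign_pdf``.
        style: Stamp style passed to ``PdfSigner``.
        stamp_url: If not ``None``, passed to the appearance as the ``url``
            text parameter.
        new_field_spec: Forwarded to ``PdfSigner``.

    Both file objects are closed before returning, whether or not signing
    succeeded.
    """
    with pyhanko_exception_manager():
        try:
            timestamper = (
                HTTPTimeStamper(timestamp_url)
                if timestamp_url is not None else None
            )
            writer = IncrementalPdfFileWriter(infile)

            # TODO make this an option higher up the tree
            # TODO mention filename in prompt
            if writer.prev.encrypted:
                # getpass keeps the password off the terminal echo; it is
                # handed to the writer as UTF-8 bytes.
                pdf_pass = getpass.getpass(
                    prompt='Password for encrypted file: '
                ).encode('utf-8')
                writer.encrypt(pdf_pass)

            text_params = None
            if stamp_url is not None:
                text_params = {'url': stamp_url}

            pdf_signer = signers.PdfSigner(
                signature_meta, signer=signer, timestamper=timestamper,
                stamp_style=style, new_field_spec=new_field_spec
            )
            result = pdf_signer.sign_pdf(
                writer, existing_fields_only=existing_fields_only,
                appearance_text_params=text_params
            )

            # The context manager releases the buffer view even if the
            # write to outfile fails.
            with result.getbuffer() as buf:
                outfile.write(buf)
        finally:
            # Previously the handles were only closed on the success path
            # and leaked whenever signing or decryption raised. Closing
            # inside the exception manager keeps close/flush errors under
            # its handling.
            infile.close()
            outfile.close()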