def pkcs11_sign(self):
sbr = 'SIGNER 0 R'
dbr = '%-6d 0 R' % self.pkcs11annot
self.buffer = self.buffer.replace(sbr, dbr, 2)
buffer = self.buffer.encode('latin1')
zeros = self.pkcs11zeros.encode('latin1')
pdfbr1 = buffer.find(zeros)
pdfbr2 = pdfbr1 + len(zeros)
br = (0, pdfbr1 - 1, pdfbr2 + 1, len(buffer) - pdfbr2 - 1)
sbr = b'[0000000000 0000000000 0000000000 0000000000]'
dbr = b'[%010d %010d %010d %010d]' % br
buffer = buffer.replace(sbr, dbr, 1)
b1 = buffer[:br[1]]
b2 = buffer[br[2]:]
md = getattr(hashlib, self.pkcs11algomd)()
md.update(b1)
md.update(b2)
signed_md = md.digest()
contents = signer.sign(None, self.pkcs11key, self.pkcs11cert,
self.pkcs11certs, self.pkcs11algomd, True,
signed_md)
contents = self.pkcs11_aligned(contents)
buffer = buffer.replace(zeros, contents.encode('latin1'), 1)
self.buffer = buffer.decode('latin1')
def sign(self, datau, dct, key, cert, othercerts, algomd, hsm):
zeros = self.aligned(b'\0')
pdfdata2 = self.makepdf(datau, dct, zeros)
startxref = len(datau)
pdfbr1 = pdfdata2.find(zeros)
pdfbr2 = pdfbr1 + len(zeros)
br = [
0, startxref + pdfbr1 - 1, startxref + pdfbr2 + 1,
len(pdfdata2) - pdfbr2 - 1
]
brfrom = b'[0000000000 0000000000 0000000000 0000000000]'
brto = b'[%010d %010d %010d %010d]' % tuple(br)
pdfdata2 = pdfdata2.replace(brfrom, brto, 1)
md = getattr(hashlib, algomd)()
md.update(datau)
b1 = pdfdata2[:br[1] - startxref]
b2 = pdfdata2[br[2] - startxref:]
md.update(b1)
md.update(b2)
md = md.digest()
contents = signer.sign(None, key, cert, othercerts, algomd, True, md,
hsm)
contents = self.aligned(contents)
pdfdata2 = pdfdata2.replace(zeros, contents, 1)
return pdfdata2
def assina_xml2(self, xml_element, reference):
for element in xml_element.iter("*"):
if element.text is not None and not element.text.strip():
element.text = None
signer = signxml.XMLSigner(
method=signxml.methods.enveloped,
signature_algorithm="rsa-sha1",
digest_algorithm='sha1',
c14n_algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315')
ns = dict()
ns[None] = signer.namespaces['ds']
signer.namespaces = ns
ref_uri = ('#%s' % reference) if reference else None
signed_root = signer.sign(xml_element,
key=self.certificado.key,
cert=self.certificado.cert,
reference_uri=ref_uri)
if reference:
element_signed = signed_root.find(".//*[@Id='%s']" % reference)
signature = signed_root.find(
".//{http://www.w3.org/2000/09/xmldsig#}Signature")
if element_signed is not None and signature is not None:
parent = element_signed.getparent()
parent.append(signature)
return etree.tostring(signed_root, encoding=str)
def sign(self, md, algomd):
tspurl = "http://public-qlts.certum.pl/qts-17"
tspurl = None
with open("demo2_user1.p12", "rb") as fp:
p12 = pkcs12.load_key_and_certificates(fp.read(), b"1234",
backends.default_backend())
contents = signer.sign(None, p12[0], p12[1], p12[2], algomd, True, md,
None, False, tspurl)
return contents
def build(self, datau, key, cert, othercerts, hashalgo, attrs):
datau = datau.replace(b'\n', b'\r\n')
datas = signer.sign(datau, key, cert, othercerts, hashalgo, attrs)
datas = base64.encodebytes(datas)
if hashalgo == 'sha1':
hashalgo = b'sha1'
elif hashalgo == 'sha256':
hashalgo = b'sha-256'
data = self.email(hashalgo, datau, datas)
return data
def build(self, datau, key, cert, othercerts, hashalgo, attrs, pss=False):
datau = datau.replace(b'\n', b'\r\n')
datas = signer.sign(datau,
key,
cert,
othercerts,
hashalgo,
attrs,
pss=pss)
datas = base64.encodebytes(datas)
if hashalgo == 'sha1':
hashalgo = b'sha1'
elif hashalgo == 'sha256':
hashalgo = b'sha-256'
elif hashalgo == 'sha512':
hashalgo = b'sha-512'
prefix = [b'x-', b''][pss]
data = self.email(hashalgo, datau, datas, prefix)
return data
def sign(self, datau, udct, key, cert, othercerts, algomd, hsm,
timestampurl):
startdata = len(datau)
fi = io.BytesIO(datau)
# read end decrypt
prev = pdf.PdfFileReader(fi)
if prev.isEncrypted:
rc = prev.decrypt(udct["password"])
else:
rc = 0
# digest method must remain unchanged from prevoius signatures
obj = prev.trailer
for k in ("/Root", "/Perms", "/DocMDP", "/Reference"):
if k in obj:
obj = obj[k]
if isinstance(obj, po.ArrayObject):
obj = obj[0]
obj = obj.getObject()
else:
obj = None
break
if obj is not None:
algomd = obj["/DigestMethod"][1:].lower()
# produce smaller signatures, but must be signed twice
aligned = udct.get("aligned", 0)
if aligned:
zeros = b"00" * aligned
else:
md = getattr(hashlib, algomd)().digest()
contents = signer.sign(None, key, cert, othercerts, algomd, True,
md, hsm, False, timestampurl)
zeros = contents.hex().encode("utf-8")
self.makepdf(prev, udct, algomd, zeros)
# if document was encrypted, encrypt this version too
if prev.isEncrypted:
self.encrypt(prev, udct["password"], rc)
else:
self._encrypt_key = None
# ID[0] is used in password protection, must be unchanged
ID = prev.trailer.get("/ID", None)
if ID is None:
ID = hashlib.md5(repr(time.time()).encode()).digest()
else:
ID = ID[0]
if isinstance(ID, str):
ID = ID.encode()
self._ID = po.ArrayObject([
po.ByteStringObject(ID),
po.ByteStringObject(
hashlib.md5(repr(random.random()).encode()).digest()),
])
fo = io.BytesIO()
self.write(fo, prev, startdata)
datas = fo.getvalue()
br = [0, 0, 0, 0]
bfrom = (b"[ " + b" ".join([WNumberObject.Format] * 4) +
b" ]") % tuple(br)
pdfbr1 = datas.find(zeros)
pdfbr2 = pdfbr1 + len(zeros)
br = [
0,
startdata + pdfbr1 - 1,
startdata + pdfbr2 + 1,
len(datas) - pdfbr2 - 1,
]
bto = b"[%d %d %d %d]" % tuple(br)
bto += b" " * (len(bfrom) - len(bto))
assert len(bfrom) == len(bto)
datas = datas.replace(bfrom, bto, 1)
md = getattr(hashlib, algomd)()
md.update(datau)
b1 = datas[:br[1] - startdata]
b2 = datas[br[2] - startdata:]
md.update(b1)
md.update(b2)
md = md.digest()
contents = signer.sign(None, key, cert, othercerts, algomd, True, md,
hsm, False, timestampurl)
contents = contents.hex().encode("utf-8")
if aligned:
nb = len(zeros) - len(contents)
contents += b"0" * nb
assert len(zeros) == len(contents)
datas = datas.replace(zeros, contents, 1)
return datas
def sign(datau, key, cert, certs, hashalgo='sha1', attrs=True, pss=False):
return signer.sign(datau, key, cert, certs, hashalgo, attrs, pss=pss)
def sign(datau, key, cert, certs, hashalgo='sha1', attrs=True):
return signer.sign(datau, key, cert, certs, hashalgo, attrs)
