""" Sign PDF files using a Belgian eID card. This module defines a very thin convenience wrapper around :mod:`.pyhanko.sign.pkcs11` to set up a PKCS#11 session with an eID card and read the appropriate certificates on the device. """ from pkcs11 import Session from . import pkcs11 as sign_pkcs11 __all__ = ['open_beid_session', 'BEIDSigner'] def open_beid_session(lib_location, slot_no=None) -> Session: """ Open a PKCS#11 session :param lib_location: Path to the shared library file containing the eID PKCS#11 module. Usually, the file is named ``libbeidpkcs11.so``, ``libbeidpkcs11.dylib`` or ``beidpkcs11.dll``, depending on your operating system. :param slot_no: Slot number to use. If not specified, the first slot containing a token labelled ``BELPIC`` will be used. :return: An open PKCS#11 session object. """ # the middleware will prompt for the user's PIN when we attempt # to sign later, so there's no need to specify it here return sign_pkcs11.open_pkcs11_session( lib_location, slot_no=slot_no, token_label='BELPIC' ) class BEIDSigner(sign_pkcs11.PKCS11Signer): """ Belgian eID-specific signer implementation that automatically populates the (trustless) certificate list with the relevant certificates stored on the card. This includes the government's (self-signed) root certificate and the certificate of the appropriate intermediate CA. """ def __init__( self, pkcs11_session: Session, use_auth_cert: bool = False, bulk_fetch: bool = False, embed_roots=True, ): super().__init__( pkcs11_session=pkcs11_session, cert_label='Authentication' if use_auth_cert else 'Signature', other_certs_to_pull=('Root', 'CA'), bulk_fetch=bulk_fetch, embed_roots=embed_roots, )