61 lines
1.9 KiB
Python

"""
Sign PDF files using a Belgian eID card.
This module defines a very thin convenience wrapper around
:mod:`.pyhanko.sign.pkcs11` to set up a PKCS#11 session with an eID card and
read the appropriate certificates on the device.
"""
from pkcs11 import Session
from . import pkcs11 as sign_pkcs11
__all__ = ['open_beid_session', 'BEIDSigner']
def open_beid_session(lib_location, slot_no=None) -> Session:
"""
Open a PKCS#11 session
:param lib_location:
Path to the shared library file containing the eID PKCS#11 module.
Usually, the file is named ``libbeidpkcs11.so``,
``libbeidpkcs11.dylib`` or ``beidpkcs11.dll``, depending on your
operating system.
:param slot_no:
Slot number to use. If not specified, the first slot containing a token
labelled ``BELPIC`` will be used.
:return:
An open PKCS#11 session object.
"""
# the middleware will prompt for the user's PIN when we attempt
# to sign later, so there's no need to specify it here
return sign_pkcs11.open_pkcs11_session(
lib_location, slot_no=slot_no, token_label='BELPIC'
)
class BEIDSigner(sign_pkcs11.PKCS11Signer):
"""
Belgian eID-specific signer implementation that automatically populates
the (trustless) certificate list with the relevant certificates stored
on the card.
This includes the government's (self-signed) root certificate and the
certificate of the appropriate intermediate CA.
"""
def __init__(
self,
pkcs11_session: Session,
use_auth_cert: bool = False,
bulk_fetch: bool = False,
embed_roots=True,
):
super().__init__(
pkcs11_session=pkcs11_session,
cert_label='Authentication' if use_auth_cert else 'Signature',
other_certs_to_pull=('Root', 'CA'),
bulk_fetch=bulk_fetch,
embed_roots=embed_roots,
)