Allow PKCS#11 token settings to be read from the configuration file

Hi, Matthias. I am trying to sign a PDF but encountered the following:

Command: pyhanko sign addsig --field Sig1 beid --lib /usr/lib/libaetpkss.so ii.pdf o.pdf

Error: (several lines eliminated…)

raise PKCS11Error(
pkcs11.exceptions.PKCS11Error: Could not find (unique) cert with label 'Root'.
Error: Generic processing error.

Perhaps the issue has to do with beid, but I don’t know what to put in place.

Also, it would be very good if you could point me towards some sample code that allows me to sign a PDF using the API instead of using the CLI.

Thank you.

Fernando Cabral

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:16 (9 by maintainers)

Top GitHub Comments

1 reaction
FernandoJCabral commented, Jun 11, 2021

I see. About putting it in the configuration: I agree that that would probably be fine in terms of information leaks, since you can (as you say) provide some extra protection by setting proper permissions on the config file. I was mostly thinking about setups where you would need to be able to switch between multiple different PKCS#11 setups.

That said, I could maybe add a pkcs11-env section to the configuration file, containing (possibly several) PKCS#11 token configurations, including a PIN if you so desire. You can already do that for validation contexts, so I guess it makes sense to extend the same courtesy to PKCS#11 settings. Would that work?

Yes, I think that would work nicely.

0 reactions
MatthiasValvekens commented, Jun 14, 2021

Hi, I’ve addressed this issue in commit f05b781. I haven’t added it to the CLI documentation yet, but in pyHanko 0.7.0 you’ll be able to put this in your config file:

pkcs11-setups:
  test-setup:
    module-path: /usr/lib/libsofthsm2.so
    token-label: testrsa
    cert-label: signer
    user-pin: 1234

and invoke it with

pyhanko sign addsig pkcs11 --p11-setup test-setup input.pdf output.pdf

I’ll close this issue now. Feel free to reopen if you have other questions related to this particular item, but please open a new issue for any other questions you might have. Thanks!


PS: Last weekend, I also pushed the first “batch” of the appearance generation code overhaul I’ve been working on for the last couple of weeks or so. It’s not quite where I want it yet, but provided that I manage to expose enough of the new settings from the configuration file by the time 0.7.0 rolls around, you should get some more control over your signature appearances as well.
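Matthias's suggestion for keeping a PIN in the config file is to rely on file permissions. As an added example (not pyHanko's own code), the Python below parses a `pkcs11-setups` block like the one above, resolves one named setup, and reports what a deployer should check before handing it to a signer: the required keys are present, the module path exists, and a stored `user-pin` is only tolerated when the file is readable by its owner alone. The parser is a hypothetical minimal one for this indented layout; pyHanko itself reads the file as full YAML.

```python
import os
import stat
import tempfile
# Constructed sample config in the layout from the comment above (not a real deployment).
CONFIG_TEXT = """\
pkcs11-setups:
  test-setup:
    module-path: /usr/lib/libsofthsm2.so
    token-label: testrsa
    cert-label: signer
    user-pin: 1234
"""
REQUIRED = ("module-path", "token-label", "cert-label")

def parse_setups(text):
    """Minimal parser for the indented `key: value` layout of that block
    (hypothetical helper; pyHanko itself reads the file as full YAML)."""
    setups, current, in_section = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        if indent == 0:                      # top-level section name
            in_section, current = (key == "pkcs11-setups"), None
        elif in_section and indent == 2:     # name of one setup
            current, setups[key] = key, {}
        elif in_section and indent == 4 and current is not None:
            setups[current][key] = value.strip().strip("\"'")
    return setups

def audit_setup(setups, name, config_path):
    """Return a list of problems with the named setup (empty list means OK)."""
    setup = setups.get(name)
    if setup is None:
        return [f"no pkcs11 setup named {name!r}"]
    problems = [f"missing key {k!r}" for k in REQUIRED if k not in setup]
    if "module-path" in setup and not os.path.isfile(setup["module-path"]):
        problems.append(f"module not found: {setup['module-path']}")
    # A PIN in the file is only defensible if nobody but the owner can read it.
    if "user-pin" in setup:
        mode = stat.S_IMODE(os.stat(config_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"user-pin stored but config mode is {oct(mode)}; use 0600")
    return problems

def write_config(text, mode):
    """Write the text to a temporary file with the given mode; returns its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".yml", delete=False) as f:
        f.write(text)
    os.chmod(f.name, mode)
    return f.name
```

Running `audit_setup(parse_setups(CONFIG_TEXT), "test-setup", write_config(CONFIG_TEXT, 0o644))` reports the PIN problem; the same call with `0o600` does not.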
