Disambiguating certificates in a PCKS#11 token
It is more like a request for help building code to sign a PDF document using my USB token (self-signed certificate).
The signature on the output file is corrupted. I'm using the test code below with your PDF template (minimal-with-field_signed.pdf):
from pyhanko.sign import signers, pkcs11
from pyhanko.sign import timestamps
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter

# PKCS#11 module of the USB token and the token credentials (redacted)
PKCS11LIB = 'C:\\Windows\\System32\\eTPKCS11.dll'
SERIALTOKEN = b'xxxxxxxx'
LABEL = 'xxxxxxxxxxx'
PIN = 'xxxxxxxxxx'

EXTENSION = ".pdf"
DOCUMENT = 'C:\\Users\\vinicius\\Desktop\\minimal-with-field'
DOCUMENT_EXT = DOCUMENT + EXTENSION
SIGNED_FILE = DOCUMENT + "_signed.pdf"

# Log in to the token and wrap it in a pyHanko signer; the second argument
# is the certificate label (passed here as the empty string)
cms_session = pkcs11.open_pkcs11_session(PKCS11LIB, user_pin=PIN, token_label=LABEL)
cms_signer = pkcs11.PKCS11Signer(cms_session, '')

with open(DOCUMENT_EXT, 'rb') as doc:
    w = IncrementalPdfFileWriter(doc)
    print(w.document_id)
    with open(SIGNED_FILE, 'wb+') as file_out:
        # Sign the existing field 'Sig1' as an incremental update
        signers.PdfSigner(
            signers.PdfSignatureMetadata(field_name='Sig1'),
            signer=cms_signer,
        ).sign_pdf(w, output=file_out)
The code is able to get my certificate data, as the signature (visible text) shows without any trouble, but the signature comes out corrupted as shown below:
btw, nice job with this library! tks in advance
I added a by-ID selection mechanism in the commit linked above, which should fix this issue in the public API as well. Thanks for reporting back on what made it work for you!
PS: I learned that even IDs don’t necessarily uniquely identify an object in PKCS#11. For example, on the YubiKey that I experimented with, every key generated on-device has two certificates associated with it with the same ID (a “regular” cert, and an attestation cert). So in some situations you might indeed have to pass both the label and the ID.
I was able to get it working using get_objects() with Attribute.ID (had to pass label as '' too)! Tks for your help.
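The two comments above make one point: on a PKCS#11 token the CKA_ID is not guaranteed to pick out a single certificate object, so a lookup that matches several objects and quietly returns the first one can hand the signer a certificate that does not belong to the key it uses. The following is an added illustration of that selection logic, not code from pyHanko or from the thread. The token contents are constructed records modelled on the YubiKey observation (a regular and an attestation certificate sharing one ID); the `select_certificate` and `classify_lookup` helpers are hypothetical names. With python-pkcs11 the corresponding real query is `token.get_objects({Attribute.CLASS: ObjectClass.CERTIFICATE, Attribute.ID: ..., Attribute.LABEL: ...})`, which this example does not call so that it runs without a token.

```python
"""Disambiguating PKCS#11 certificate objects by ID and/or label.

Stand-alone example: TOKEN_CERTS below is a constructed model of what a
token's certificate objects might look like, not data read from hardware.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertObject:
    """The attributes of a PKCS#11 certificate object that matter here."""
    cka_id: bytes   # CKA_ID, shared with the matching private key
    label: str      # CKA_LABEL, free-form text set by the token or issuer
    value: bytes    # CKA_VALUE, the DER certificate (placeholder bytes here)


class CertificateNotFound(LookupError):
    """No certificate object satisfied the given criteria."""


class AmbiguousCertificate(LookupError):
    """More than one certificate object satisfied the given criteria."""


def select_certificate(objects: List[CertObject],
                       cert_id: Optional[bytes] = None,
                       label: Optional[str] = None) -> CertObject:
    """Return the single certificate matching every criterion supplied.

    Every criterion given must match (None means "don't filter on this").
    If the filter still leaves several candidates, refuse rather than
    return the first one: the caller must narrow the query, e.g. by adding
    the label when two certificates share an ID.
    """
    if cert_id is None and label is None:
        raise ValueError("at least one of cert_id or label is required")
    matches = [
        obj for obj in objects
        if (cert_id is None or obj.cka_id == cert_id)
        and (label is None or obj.label == label)
    ]
    if not matches:
        raise CertificateNotFound(f"no certificate with id={cert_id!r} label={label!r}")
    if len(matches) > 1:
        labels = [m.label for m in matches]
        raise AmbiguousCertificate(
            f"{len(matches)} certificates match id={cert_id!r}: labels {labels}"
        )
    return matches[0]


def classify_lookup(objects: List[CertObject],
                    cert_id: Optional[bytes] = None,
                    label: Optional[str] = None) -> str:
    """Summarise the outcome of a lookup as 'unique', 'ambiguous' or 'missing'."""
    try:
        select_certificate(objects, cert_id=cert_id, label=label)
    except AmbiguousCertificate:
        return "ambiguous"
    except CertificateNotFound:
        return "missing"
    return "unique"


# Constructed token contents (not real certificates): the key with ID 0x01
# carries both a regular certificate and an attestation certificate, the
# situation described for the YubiKey in the thread.
TOKEN_CERTS = [
    CertObject(b"\x01", "Digital Signature", b"<DER cert, id 01>"),
    CertObject(b"\x01", "Attestation Digital Signature", b"<DER attestation cert, id 01>"),
    CertObject(b"\x02", "Authentication", b"<DER cert, id 02>"),
]


if __name__ == "__main__":
    # ID alone suffices where the ID is unique on the token ...
    print(classify_lookup(TOKEN_CERTS, cert_id=b"\x02"))
    # ... but not for the signature key, which has two certificates with that ID ...
    print(classify_lookup(TOKEN_CERTS, cert_id=b"\x01"))
    # ... so ID plus label is needed to pin down the right object.
    chosen = select_certificate(TOKEN_CERTS, cert_id=b"\x01", label="Digital Signature")
    print(chosen.label, chosen.value)
```

Running the script shows the three outcomes in order: a unique match for ID 0x02, an ambiguous match for ID 0x01, and the regular (non-attestation) certificate once the label is added. The practical check for anyone wiring a PKCS#11 signer is the middle case: log or fail on ambiguity instead of relying on object enumeration order, which the PKCS#11 standard does not fix.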