Loading certificate file and key from inputstream or bytearray instead of file name

[lombaardcj007]

Is it possible to call SimpleSigner.load() with a bytearray or string that represents the contents of the key_file and cert_file

SimpleSigner load method
class method load(key_file, cert_file, ca_chain_files=None, key_passphrase=None, other_certs=None, signature_mechanism=None, prefer_pss=False)

I want to keep the keys in a database instead of stored onto disk.

Sample code to sign PDF document:

from pyhanko.pdf_utils import text, images
from pyhanko.pdf_utils.font import opentype
from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
from pyhanko.sign import fields, signers

SELF_SIGN = signers.SimpleSigner.load(
    'cert/example.key',
    'cert/example.crt',
)

# define signature field
meta = signers.PdfSignatureMetadata(field_name='Signature')
pdf_signer = signers.PdfSigner(
    meta, signer=SELF_SIGN
)

with open('source/SCRIPT_unsigned.pdf', 'rb') as inf:
    w = IncrementalPdfFileWriter(inf)

    # generate output file
    with open('out/output.pdf', 'wb') as outf:
        pdf_signer.sign_pdf(w, output=outf)

[MatthiasValvekens]

Hi @lombaardcj007

Sure, that's possible, you just have to do what SimpleSigner.load(...) does, which is calling SimpleSigner(...) with the correct parameters ;).

All joking aside, precisely what you have to do depends on how you intend to store the certificates and keys in your database, mainly whether you're storing the raw (binary) DER representation or its PEM-armored textual form.

If you're working from raw bytes, then e.g. a certificate can be loaded like this:

from asn1crypto import x509


cert_der_bytes = fetch_from_database(...)

my_cert = x509.Certificate.load(cert_der_bytes)

If it's PEM-encoded, then you'll want to use something like this:

def _enum_certs(pem_bytes):
        if pem.detect(pem_bytes):
            pems = pem.unarmor(pem_bytes, multiple=True)   # allow more than 1 cert
            for type_name, _, der in pems:
                if type_name is None or type_name.lower() == 'certificate':
                    yield x509.Certificate.load(der)

Admittedly keys are a little more complicated, since they can be encoded in a variety of ways (depending on encryption settings and whatnot). If you're capable of retrieving a raw PrivateKeyInfo representation from your DB, then PrivateKeyInfo.load(...) is all you need. If you're using PKCS#8 as a storage format for your keys then you need an intermediate step.

...while I was typing this I planned to post a link to the convenience wrappers around pyca/cryptography in pyHanko that hide all this complexity from the user, but then I realised that those wrappers also expect file names. Silly me. 🤦‍♂️

Long story short, here's code that you can (more or less) trivially copy-paste and tweak to do what you want:

pyHanko/pyhanko/sign/general.py

Lines 393 to 482 in 768959d

	def load_certs_from_pemder(cert_files):
	"""
	A convenience function to load PEM/DER-encoded certificates from files.
	:param cert_files:
	An iterable of file names.
	:return:
	A generator producing :class:`.asn1crypto.x509.Certificate` objects.
	"""
	for ca_chain_file in cert_files:
	with open(ca_chain_file, 'rb') as f:
	ca_chain_bytes = f.read()
	# use the pattern from the asn1crypto docs
	# to distinguish PEM/DER and read multiple certs
	# from one PEM file (if necessary)
	if pem.detect(ca_chain_bytes):
	pems = pem.unarmor(ca_chain_bytes, multiple=True)
	for type_name, _, der in pems:
	if type_name is None or type_name.lower() == 'certificate':
	yield x509.Certificate.load(der)
	else: # pragma: nocover
	logger.debug(
	f'Skipping PEM block of type {type_name} in '
	f'CA chain file.'
	)
	else:
	# no need to unarmor, just try to load it immediately
	yield x509.Certificate.load(ca_chain_bytes)
	def load_cert_from_pemder(cert_file):
	"""
	A convenience function to load a single PEM/DER-encoded certificate
	from a file.
	:param cert_file:
	A file name.
	:return:
	An :class:`.asn1crypto.x509.Certificate` object.
	"""
	certs = list(load_certs_from_pemder([cert_file]))
	if len(certs) != 1:
	raise ValueError(
	f"Number of certs in {cert_file} should be exactly 1"
	)
	return certs[0]
	def load_private_key_from_pemder(key_file, passphrase: Optional[bytes]) \
	-> keys.PrivateKeyInfo:
	"""
	A convenience function to load PEM/DER-encoded keys from files.
	:param key_file:
	File to read the key from.
	:param passphrase:
	Key passphrase.
	:return:
	A private key encoded as an unencrypted PKCS#8 PrivateKeyInfo object.
	"""
	with open(key_file, 'rb') as f:
	key_bytes = f.read()
	load_fun = (
	serialization.load_pem_private_key if pem.detect(key_bytes)
	else serialization.load_der_private_key
	)
	return _translate_pyca_cryptography_key_to_asn1(
	load_fun(key_bytes, password=passphrase)
	)
	def _translate_pyca_cryptography_key_to_asn1(private_key) \
	-> keys.PrivateKeyInfo:
	# Store the cert and key as generic ASN.1 structures for more
	# "standardised" introspection. This comes at the cost of some encoding/
	# decoding operations, but those should be fairly insignificant in the
	# grand scheme of things.
	#
	# Note: we're not losing any memory protections here:
	# (https://cryptography.io/en/latest/limitations.html)
	# Arguably, memory safety is nigh impossible to obtain in a Python
	# context anyhow, and people with that kind of Serious (TM) security
	# requirements should be using HSMs to manage keys.
	return keys.PrivateKeyInfo.load(
	private_key.private_bytes(
	serialization.Encoding.DER, serialization.PrivateFormat.PKCS8,
	serialization.NoEncryption()
	)
	)

.

In the next release, I'll provide a version that accepts an arbitrary binary IO handle.

[MatthiasValvekens]

Filed as #160.