Closed msetina closed 4 months ago
Hi @msetina,
Thank you for your contribution, but as-is I don't think I can merge this... The two main reasons are (a) I can't maintain nor test this since I don't have the relevant hardware, and (b) as pyHanko established itself in the Python space a bit, I've made a conscious effort not to add vendor-specific code.
To point (b): you could argue that the code specific to the Belgian eID violates that rule (and you'd be right). That's also why I moved it out of the tree with the 0.23.0 release today (it now lives here: https://github.com/MatthiasValvekens/pyhanko-beid-plugin). The reason why it stuck around for so long is purely because of history/inertia: if you go back far enough in the commit history, you'll find that it got added some time in the first week or so (because pyHanko was a simple CLI tool at the time, and that was what I used it for). That code was later generalised to work with generic PKCS#11 implementations, but I didn't remove the BeID code at the time because it would've broken the CLI.
A few releases ago, I added plugin support to the CLI specifically to serve this use case: seamless integration of vendor-specific signing implementations in pyHanko's CLI. Part of the end goal was always to leverage that to "spin off" the BeID code into a plugin, but I didn't get around to it until today.
So, my proposal is that you either release your own plugin / companion lib with this code (feel free to use the pyhanko-beid-plugin repo as an example), or rework it as a contribution to the "advanced examples" section of the documentation. How's that sound?
Hi @MatthiasValvekens,
in the meantime I have found the solution you are describing. I had also done some work to be able to use the CLI as an addition to this, so a separate plugin is the way I will go. It is equivalent to the pyhanko-beid-plugin, so it has to live like that.
I find your project an excellent example to show how signing is done. The code was a delight to follow and simple to extend as most of the work was already done.
I hope we can cross link our work to show the extent of your solution.
At this point I would like to ask you if you know the state of the python-pkcs11 project this depends on. Is it still alive? OpenSC has moved on, but it is lagging.
Hi @msetina, thank you for your understanding :)
python-pkcs11 has not seen much maintenance recently, that's for sure... I currently can't really afford to take on the burden of forking it since I don't have the resources (esp. time-wise) to test a Cython project the "proper" way (i.e. on multiple platforms, with multiple PKCS#11 implementations). But if there's an actively-maintained alternative that supports the same features with the same (or better) performance characteristics, I could be convinced to switch as well :).
Description of the changes
Slovenian eID was added to OpenSC 0.24.0, which allows extending the PKCS11Signer to enable a simple path to sign a PDF with the signature key/certificate on the card.
Caveats
Official driver based on IDProtect is not supported (yet)