MatthiasValvekens / pyHanko

pyHanko: sign and stamp PDF files
MIT License

Support for Slovenian eID #389

Closed: msetina closed this 4 months ago

msetina commented 4 months ago

Description of the changes

Slovenian eID was added to OpenSC 0.24.0, which allows extending the PKCS11Signer to enable a simple path to sign a PDF with the signature key/certificate on the card.

Caveats

The official driver based on IDProtect is not supported (yet).

MatthiasValvekens commented 4 months ago

Hi @msetina,

Thank you for your contribution, but as-is I don't think I can merge this... The two main reasons are (a) I can't maintain nor test this since I don't have the relevant hardware, and (b) as pyHanko established itself in the Python space a bit, I've made a conscious effort not to add vendor-specific code.

To point (b): you could argue that the code specific to the Belgian eID violates that rule (and you'd be right). That's also why I moved it out of the tree with the 0.23.0 release today (it now lives here: https://github.com/MatthiasValvekens/pyhanko-beid-plugin). The reason why it stuck around for so long is purely because of history/inertia: if you go back far enough in the commit history, you'll find that it got added some time in the first week or so (because pyHanko was a simple CLI tool at the time, and that was what I used it for). That code was later generalised to work with generic PKCS#11 implementations, but I didn't remove the BeID code at the time because it would've broken the CLI.

A few releases ago, I added plugin support to the CLI specifically to serve this use case: seamless integration of vendor-specific signing implementations in pyHanko's CLI. Part of the end goal was always to leverage that to "spin off" the BeID code into a plugin, but I didn't get around to it until today.

So, my proposal is that you either release your own plugin / companion lib with this code (feel free to use the pyhanko-beid-plugin repo as an example), or rework it as a contribution to the "advanced examples" section of the documentation. How's that sound?

msetina commented 4 months ago

Hi @MatthiasValvekens, in the meantime I have found the solution you are describing. I had also done some work to be able to use the CLI as an addition to this, so a separate plugin is the way I will go. It is equivalent to the pyhanko-beid-plugin, so it has to live like that. I find your project an excellent example to show how signing is done. The code was a delight to follow and simple to extend, as most of the work was already done. I hope we can cross-link our work to show the extent of your solution. At this point I would like to ask you if you know the state of the python-pkcs11 project this depends on. Is it still alive? OpenSC has moved on, but it is lagging.

MatthiasValvekens commented 4 months ago

Hi @msetina, thank you for your understanding :)

python-pkcs11 has not seen much maintenance recently, that's for sure... I currently can't really afford to take on the burden of forking it since I don't have the resources (esp. time-wise) to test a Cython project the "proper" way (i.e. on multiple platforms, with multiple PKCS#11 implementations). But if there's an actively-maintained alternative that supports the same features with the same (or better) performance characteristics, I could be convinced to switch as well :).