Preserve strictness in post-signing instructions

See #466
MatthiasValvekens · Nov 11, 2024 · ffbb3ff · ffbb3ff
1 parent 4deaf2a
commit ffbb3ff
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/pyhanko/sign/signers/pdf_signer.py b/pyhanko/sign/signers/pdf_signer.py
@@ -838,6 +838,9 @@ async def async_timestamp_pdf(
                 credential = pdf_out.security_handler.extract_credential()
                 if credential:
                     credential_ser = credential.serialise()
+            strict = True
+            if isinstance(pdf_out, IncrementalPdfFileWriter):
+                strict = pdf_out.prev.strict
             validation.DocumentSecurityStore.add_dss(
                 output_stream=res_output,
                 sig_contents=sig_contents,
@@ -846,6 +849,7 @@ async def async_timestamp_pdf(
                 force_write=not dss_settings.skip_if_unneeded,
                 embed_roots=embed_roots,
                 file_credential=credential_ser,
+                strict=strict,
             )
 
         return misc.finalise_output(output, res_output)
@@ -2308,6 +2312,12 @@ def prepare_tbs_document(
                 credential = security_handler.extract_credential()
                 if credential is not None:
                     credential_ser = credential.serialise()
+            # Preserve strict mode setting if we're doing
+            # an incremental signature
+            strict = True
+            if isinstance(self.pdf_out, IncrementalPdfFileWriter):
+                strict = self.pdf_out.prev.strict
+
             post_signing_instr = PostSignInstructions(
                 validation_info=validation_info,
                 # use the same algorithm
@@ -2322,6 +2332,7 @@ def prepare_tbs_document(
                 tight_size_estimates=signature_meta.tight_size_estimates,
                 embed_roots=embed_roots,
                 file_credential=credential_ser,
+                strict=strict,
             )
         return PdfTBSDocument(
             cms_writer=self.cms_writer,
@@ -2413,6 +2424,14 @@ class PostSignInstructions:
     Serialised file credential, to update encrypted files.
     """
 
+    strict: bool = True
+    """
+    .. versionadded:: 0.25.2
+
+    Controls whether to open the signed document in strict mode before applying
+    post-signing instructions.
+    """
+
 
 class PdfMacAttrProvider(attributes.CMSAttributeProvider):
     attribute_type = 'pdf_mac_data'
@@ -2851,10 +2870,11 @@ async def post_signature_processing(
                 output_stream=output,
                 **dss_op_kwargs,
                 file_credential=instr.file_credential,
+                strict=instr.strict,
             )
         if timestamper is not None:
             # append a document timestamp after the DSS update
-            w = IncrementalPdfFileWriter(output)
+            w = IncrementalPdfFileWriter(output, strict=instr.strict)
             if (
                 w.security_handler is not None
                 and instr.file_credential is not None

diff --git a/pyhanko/sign/validation/dss.py b/pyhanko/sign/validation/dss.py
@@ -490,6 +490,7 @@ def add_dss(
         force_write: bool = False,
         embed_roots: bool = True,
         file_credential: Optional[SerialisedCredential] = None,
+        strict: bool = True,
     ):
         """
         Wrapper around :meth:`supply_dss_in_writer`.
@@ -535,8 +536,11 @@ def add_dss(
             .. versionadded:: 0.13.0
 
             Serialised file credential, to update encrypted files.
+        :param strict:
+            If ``True``, enforce strict validation of the input stream.
+            Default is ``True``.
         """
-        pdf_out = IncrementalPdfFileWriter(output_stream)
+        pdf_out = IncrementalPdfFileWriter(output_stream, strict=strict)
         if pdf_out.security_handler is not None and file_credential is not None:
             pdf_out.security_handler.authenticate(file_credential)
         dss = cls.supply_dss_in_writer(