feat: Update to use latest c2pa-python SDK

feat: Update to use latest c2pa-python SDK

Author: tmathern

app.py

@@ -19,8 +19,10 @@
 import boto3
 import base64
 from flask_cors import CORS
-from c2pa import *
-from hashlib import sha256
+from c2pa import Builder, C2paSigningAlg, Signer
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.asymmetric import ec
+from cryptography.hazmat.backends import default_backend
 
 
 # Load environment variable from .env file
@@ -45,33 +47,38 @@
 # By default, env vars with the `FLASK_`` prefix
 # app.config.from_prefixed_env()
 
+# Declare global variables
+global private_key, kms, kms_key_id
+
 private_key = None
+kms = None
+kms_key_id = None
 
 if 'USE_LOCAL_KEYS' in app_config and app_config['USE_LOCAL_KEYS'] == 'True':
     # local test certs for development (and test client)
     print('Using local test certs for signing')
 
-    env_ps256_pem_path = os.environ.get('PS256_PEM_PATH_PYTHON_EXAMPLE')
+    env_es256_pem_path = os.environ.get('ES256_PEM_PATH_PYTHON_EXAMPLE')
     env_cert_chain_path = os.environ.get('CERT_CHAIN_PATH_PYTHON_EXAMPLE')
-    ps256_pem_path = 'tests/test-certs/ps256.pem'
-    cert_chain_path = 'tests/test-certs/ps256.pub'
+    es256_pem_path = 'tests/test-certs/es256_private.key'
+    cert_chain_path = 'tests/test-certs/es256_certs.pem'
 
-    if env_ps256_pem_path is not None and env_cert_chain_path is not None:
-        print(f"Using certificates pointed to by env variables {env_ps256_pem_path} and {env_cert_chain_path}")
-        ps256_pem_path = env_ps256_pem_path
+    if env_es256_pem_path is not None and env_cert_chain_path is not None:
+        print(f"Using certificates pointed to by env variables {env_es256_pem_path} and {env_cert_chain_path}")
+        es256_pem_path = env_es256_pem_path
         cert_chain_path = env_cert_chain_path
-    elif os.path.exists(ps256_pem_path) and os.path.exists(cert_chain_path):
-        print(f"Using certificates added locally to this repo {ps256_pem_path} and {cert_chain_path}")
+    elif os.path.exists(es256_pem_path) and os.path.exists(cert_chain_path):
+        print(f"Using certificates added locally to this repo {es256_pem_path} and {cert_chain_path}")
     else:
         print("Using provided default test certificates and certificate chain")
-        ps256_pem_path = 'tests/certs/ps256.pem'
-        cert_chain_path = 'tests/certs/ps256.pub'
+        es256_pem_path = 'tests/certs/es256_private.key'
+        cert_chain_path = 'tests/certs/es256_certs.pem'
 
-    private_key = open(ps256_pem_path, 'rb').read()
+    private_key = open(es256_pem_path, 'rb').read()
     cert_chain = open(cert_chain_path, 'rb').read()
 
     encoded_cert_chain = base64.b64encode(cert_chain).decode('utf-8')
-    signing_alg_str = 'PS256'
+    signing_alg_str = 'ES256'
 else:
     print('Using KMS for signing')
 
@@ -108,17 +115,18 @@
 if 'TIMESTAMP_URL' in app_config and app_config['TIMESTAMP_URL']:
     timestamp_url = app_config['TIMESTAMP_URL']
 else:
-    timestamp_url = 'http://timestamp.digicert.com' # Default timestamp URL (change to None later?)
+    # Default timestamp URL (change to None later?)
+    timestamp_url = 'http://timestamp.digicert.com'
 
 # TODO: Get signing_alg_str from env when we support more algorithms
 try:
-    signing_alg = getattr(SigningAlg, signing_alg_str)
+    signing_alg = getattr(C2paSigningAlg, signing_alg_str)
 except AttributeError:
     raise ValueError(f"Unsupported signing algorithm: {signing_alg_str}")
 
 
 @app.route("/attach", methods=["POST"])
-def resize():
+def attach_sign_image():
     """Gets a JPEG image to sign and returns the signed JPEG image"""
 
     request_data = request.get_data()
@@ -139,11 +147,12 @@ def resize():
                 "data": {
                     "actions": [
                         {
-                            "action": "c2pa.edited",
+                            "action": "c2pa.created",
                             "softwareAgent": {
                                 "name": "C2PA Python Example",
                                 "version": "0.1.0"
-                            }
+                            },
+                            "digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/digitalCreation"
                         }
                     ]
                 }
@@ -152,26 +161,45 @@ def resize():
     })
 
     try:
-      builder = Builder(manifest)
-
-      signer = create_signer(kms_sign, signing_alg,
-                            cert_chain, timestamp_url)
-
-      result = io.BytesIO(b"")
-      builder.sign(signer, content_type, io.BytesIO(request_data), result)
-
-      return result.getvalue()
+        with Builder(manifest) as builder:
+            # Create signer using the new API
+            callback_func = es256_sign if private_key is not None else kms_sign
+            signer = Signer.from_callback(
+                callback=callback_func,
+                alg=signing_alg,
+                certs=cert_chain,
+                tsa_url=timestamp_url
+            )
+
+            result = io.BytesIO(b"")
+            builder.sign(signer, content_type, io.BytesIO(request_data), result)
+
+            return result.getvalue()
     except Exception as e:
         logging.error(e)
         abort(500, description=e)
 
 
+# Uses ES256 alg to sign
+def es256_sign(data: bytes) -> bytes:
+    """Signs the data using ES256 algorithm with the private key"""
+    private_key_obj = serialization.load_pem_private_key(
+        private_key,
+        password=None,
+        backend=default_backend()
+    )
+    signature = private_key_obj.sign(
+        data,
+        ec.ECDSA(hashes.SHA256())
+    )
+    return signature
+
+
 # Uses KMS to sign
 def kms_sign(data: bytes) -> bytes:
     """Signs the data using a KMS key id"""
-
-    hashed_data = sha256(data).digest()
-    return kms.sign(KeyId=kms_key_id, Message=hashed_data, MessageType="DIGEST", SigningAlgorithm="ECDSA_SHA_256")["Signature"]
+    result = kms.sign(KeyId=kms_key_id, Message=data, MessageType="RAW", SigningAlgorithm="ECDSA_SHA_256")["Signature"]
+    return result
 
 
 @app.route("/health", methods=["GET"])
@@ -208,8 +236,8 @@ def sign():
     try:
         data = request.get_data()
         if private_key is not None:
-            print('Using sign_ps256')
-            return sign_ps256(data, private_key)
+            print('Using es256_sign')
+            return es256_sign(data)
         else:
             print('Using kms_sign')
             return kms_sign(data)

requirements.txt

@@ -1,4 +1,4 @@
-c2pa-python==0.6.1
+c2pa-python>=0.25.0
 boto3
 pyyaml
 pyasn1==0.4.8

tests/README.md

@@ -0,0 +1,67 @@
+# C2PA Python example client
+
+NOTE: This documentation is for the example developer.
+
+This directory contains the client for signing JPEG images with Content Credentials. The client works with the C2PA Python example server in development mode using demo certificates (included in this repository).
+
+## Overview
+
+The `client.py` file is a command-line test tool that signs JPEG image files. It connects to the signing server defined in `app.py` to add Content Credentials to JPEG images.
+
+## Prerequisites
+
+1. Install Python dependencies. Enter this command in the top level of the repo: 
+
+   ```bash
+   pip install -r requirements.txt
+   ```
+
+2. Run the signing server (`app.py`). It uses local certificates and must be accessible to the client:
+
+   ```bash
+   python app.py
+   ```
+
+3. Run the client as explained below to submit images for the server to sign.
+
+## Usage
+
+NOTE: This test client supports only JPEG images.
+
+### Basic command
+
+```bash
+python tests/client.py <image-file> -o <output-directory>
+```
+
+### Command line arguments
+
+| Argument | Type | Required | Description |
+|----------|------|----------|-------------|
+| `files` | string | Yes | One or more image files to be signed |
+| `-o, --output` | string | Yes | Output directory where signed images will be saved |
+| `-f, --envfile` | string | No | Path to environment configuration file |
+
+### Examples
+
+#### Sign a single image
+
+```bash
+python tests/client.py ./image-to-sign.jpeg -o signed-images
+```
+
+#### Use custom configuration
+
+```bash
+python tests/client.py ./image-to-sign.jpeg -o signed-images -f ./my-config.env
+```
+
+## Signing flow when using the client
+
+1. **Server Connection**: Client connects to the signing server's `/signer_data` endpoint.
+2. **Configuration Retrieval**: Gets signing algorithm, certificate chain, and signing URL.
+3. **Signer Creation**: Creates a remote signer using the modern C2PA API (`Signer.from_callback`)/
+4. **Manifest Creation**: Generates a default C2PA manifest.
+5. **Image Processing**: Creates a thumbnail for the manifest and adds it as resource.
+6. **Remote Signing**: Uses the `Builder.sign()` method with remote signing callback.
+7. **Output**: Saves the signed image to the specified output directory.

tests/certs/es256_certs.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIChzCCAi6gAwIBAgIUcCTmJHYF8dZfG0d1UdT6/LXtkeYwCgYIKoZIzj0EAwIw
+gYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU29tZXdoZXJl
+MScwJQYDVQQKDB5DMlBBIFRlc3QgSW50ZXJtZWRpYXRlIFJvb3QgQ0ExGTAXBgNV
+BAsMEEZPUiBURVNUSU5HX09OTFkxGDAWBgNVBAMMD0ludGVybWVkaWF0ZSBDQTAe
+Fw0yMjA2MTAxODQ2NDBaFw0zMDA4MjYxODQ2NDBaMIGAMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExEjAQBgNVBAcMCVNvbWV3aGVyZTEfMB0GA1UECgwWQzJQQSBU
+ZXN0IFNpZ25pbmcgQ2VydDEZMBcGA1UECwwQRk9SIFRFU1RJTkdfT05MWTEUMBIG
+A1UEAwwLQzJQQSBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQPaL6R
+kAkYkKU4+IryBSYxJM3h77sFiMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWky
+l3QGuV/wt0MrAPDoo3gwdjAMBgNVHRMBAf8EAjAAMBYGA1UdJQEB/wQMMAoGCCsG
+AQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUFznP0y83joiNOCedQkxT
+tAMyNcowHwYDVR0jBBgwFoAUDnyNcma/osnlAJTvtW6A4rYOL2swCgYIKoZIzj0E
+AwIDRwAwRAIgOY/2szXjslg/MyJFZ2y7OH8giPYTsvS7UPRP9GI9NgICIDQPMKrE
+LQUJEtipZ0TqvI/4mieoyRCeIiQtyuS0LACz
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICajCCAg+gAwIBAgIUfXDXHH+6GtA2QEBX2IvJ2YnGMnUwCgYIKoZIzj0EAwIw
+dzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQHDAlTb21ld2hlcmUx
+GjAYBgNVBAoMEUMyUEEgVGVzdCBSb290IENBMRkwFwYDVQQLDBBGT1IgVEVTVElO
+R19PTkxZMRAwDgYDVQQDDAdSb290IENBMB4XDTIyMDYxMDE4NDY0MFoXDTMwMDgy
+NzE4NDY0MFowgYwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJ
+U29tZXdoZXJlMScwJQYDVQQKDB5DMlBBIFRlc3QgSW50ZXJtZWRpYXRlIFJvb3Qg
+Q0ExGTAXBgNVBAsMEEZPUiBURVNUSU5HX09OTFkxGDAWBgNVBAMMD0ludGVybWVk
+aWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHllI4O7a0EkpTYAWfPM
+D6Rnfk9iqhEmCQKMOR6J47Rvh2GGjUw4CS+aLT89ySukPTnzGsMQ4jK9d3V4Aq4Q
+LsOjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQW
+BBQOfI1yZr+iyeUAlO+1boDitg4vazAfBgNVHSMEGDAWgBRembiG4Xgb2VcVWnUA
+UrYpDsuojDAKBggqhkjOPQQDAgNJADBGAiEAtdZ3+05CzFo90fWeZ4woeJcNQC4B
+84Ill3YeZVvR8ZECIQDVRdha1xEDKuNTAManY0zthSosfXcvLnZui1A/y/DYeg==
+-----END CERTIFICATE-----
+

tests/certs/es256_private.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgfNJBsaRLSeHizv0m
+GL+gcn78QmtfLSm+n+qG9veC2W2hRANCAAQPaL6RkAkYkKU4+IryBSYxJM3h77sF
+iMrbvbI8fG7w2Bbl9otNG/cch3DAw5rGAPV7NWkyl3QGuV/wt0MrAPDo
+-----END PRIVATE KEY-----