XAdES Helpers
Use XAdES helpers when you authenticate with certificate material or need to sign the authentication token request locally. Higher-level authentication methods call these helpers for the common paths.
Load certificate material
Section titled “Load certificate material”import os
from ksef2.core.xades import load_certificate_from_pem, load_private_key_from_pem
password = os.environ.get("KSEF2_KEY_PASSWORD")cert = load_certificate_from_pem("company.pem")private_key = load_private_key_from_pem( "company.key", password=password.encode() if password else None,)import os
from ksef2.core.xades import load_certificate_and_key_from_p12
password = os.environ.get("KSEF2_P12_PASSWORD")cert, private_key = load_certificate_and_key_from_p12( "company.p12", password=password.encode() if password else None,)Authenticate with XAdES
Section titled “Authenticate with XAdES”auth = client.authentication.with_xades( nip="5261040828", cert=cert, private_key=private_key,)Generate TEST certificates
Section titled “Generate TEST certificates”from ksef2.core.xades import generate_test_certificate
cert, private_key = generate_test_certificate(nip="5261040828")For personal TEST identities, use generate_personal_test_certificate().
Sign XML directly
Section titled “Sign XML directly”from ksef2.core.xades import build_auth_token_request_xml, sign_xades
xml = build_auth_token_request_xml( challenge="challenge-from-ksef", nip="5261040828",)signed_xml = sign_xades(xml, cert, private_key)Recommended flow
Section titled “Recommended flow”-
Load certificate material from PEM or PKCS#12.
-
Keep private-key passwords in environment variables.
-
Authenticate through
with_xades()when possible. -
Use direct signing helpers only for low-level integration work.