o vhZ @s2ddlZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z m Z mZddlmZddlmZmZmZddlmZddlmZmZd d lmZmZmZmZmZmZm Z m!Z!d d l"m#Z#m$Z$d d l%m&Z&m'Z'd d l(m)Z)d dl*m+Z+ddl,m-Z-m.Z.ddlm/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5gdZ6e-e/de/ddddde.j7dZ8e9gdZ: Gdd d eZ;Gd!d"d"Zd(d)Z?d*d+Z@d,ejAd-e jBfd.d/ZCd-e e jBe=ffd0d1ZDe:eN)compare_digest)AnyDict FrozenSetOptionalTupleType)algoscmscore)VOID)hasheshmackeywrap)hkdf)genericmisc)CMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorValueErrorWithMessagebyte_range_digestfind_unique_cms_attributeget_pyca_cryptography_hashsimple_cms_attribute)PdfByteRangeDigestPreparedByteRangeDigest)CMSAlgorithmProtectionErrorDisallowedAlgorithmError)validate_algorithm_protection)extract_contents)DeveloperExtensionDevExtensionMultivalued)pdf_name) PdfFileReader)BasePdfFileWriter)PdfMacIntegrityInfo)PdfMacTokenHandlervalidate_pdf_macadd_standalone_macISO32004ALLOWED_MD_ALGSz/ISO_z/2.0i}z:2024z'https://www.iso.org/standard/45877.htmlF) prefix_name base_versionextension_levelextension_revisionurlcompare_by_level multivalued)sha256sha3_256sha384sha3_384sha512sha3_512shake256c@s eZdZdS)PdfMacValidationErrorN)__name__ __module__ __qualname__rArA\/var/www/html/hyperkenya/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/crypt/pdfmac.pyr=Jsr=c @seZdZdZeddiZddZede de de fd d Z ee fde de d ej d ee fd dZdedefddZede de de fddZde dejfddZdedee ejffddZde dee dee e ffddZdejd e d!ejd"e dej f d#d$Zd%e d&e de fd'd(Zd)d*de dee dedejfd+d,Zd-ejde fd.d/Z d0ejd1e!j"fd2d3Z#d ej fd4d5Z$d ej de%fd6d7Z&d ej de dee fd8d9Z'd:S);r*a: Internal utility class to create and validate PDF MAC tokens. .. warning:: This is a class to simplify local overrides for creating test documents with various defects. Instances of this class should never be created or manipulated directly during regular operation. algorithmr6cCs||_||_dSNmac_kek md_algorithm)selfrFrGrArArB__init__\s zPdfMacTokenHandler.__init__file_encryption_keykdf_saltrGcCs|||}|||dS)NrE)_derive_mac_kek)clsrJrKrGrFrArArB from_key_mat`s  zPdfMacTokenHandler.from_key_mat auth_data allowed_mdsc Cs\|d}|dj}|dkrtd|d}|dj}||vr&t|tjdd|j|||dS) N mac_algorithmrCr6z:Only HMAC-SHA256 is currently supported for PDF MAC tokensdigest_algorithmT)oid_type permanent)rJrKrG)nativeNotImplementedErrorrr DigestAlgorithmIdrN) rMrJrKrOrP mac_algo_objmac_algodigest_algo_objmd_algorArArBfor_validationgs&  z!PdfMacTokenHandler.for_validationinclude_signature_digestreturncCs8tt|j}|j||r|nddd}t|S)NT)document_digestsignature_digestdry_run)r HashrrGfinalizebuild_pdfmac_tokenlendump)rHr] dummy_hash dummy_tokenrArArBdetermine_token_sizes  z'PdfMacTokenHandler.determine_token_sizecCs tjtd|dd}||S)N sPDFMAC)rClengthsaltinfo)rHKDFr SHA256derive)rMrJrKkdfrArArBrLs z"PdfMacTokenHandler._derive_mac_kekmessage_digestcCs@t|jtd|jid}ttddtd|td|gS)NrC)rQrR content_typepdf_mac_integrity_inforrcms_algorithm_protection)r CMSAlgorithmProtectionmac_algo_identDigestAlgorithmrG CMSAttributesr)rHrralgo_protectionrArArB_format_auth_attrssz%PdfMacTokenHandler._format_auth_attrsrac Csb|rtd}ntd}tj|j|d}td|t ddit ddid}|t d|ifS) Nrj) wrapping_key key_to_wraprrCpdf_mac_wrap_kdf aes256_wrap)version encrypted_keykey_derivation_algorithmkey_encryption_algorithmpwri) bytessecrets token_bytesr aes_key_wraprFr PasswordRecipientInfor KdfAlgorithmKeyEncryptionAlgorithm RecipientInfo)rHramac_keyrrrArArB_get_mac_keying_infos&  z'PdfMacTokenHandler._get_mac_keying_infor_r`c Cs^d|i}|dur ||d<d|d<t|}|}t|j}t|}|||}||fS)N data_digestr`rr)r)rfrrGr rbupdaterc) rHr_r`message_kwargsmessage message_bytesmd_specmd_funrrrArArB_format_messages   z"PdfMacTokenHandler._format_messagerecipient_infor auth_attrsmacc CsDtd|gtdditd|jitdt|d||dS)NrrCr6rtrscontent)rrecipient_infosrQrRencap_content_inforr)r AuthenticatedData HmacAlgorithmrxrGEncapsulatedContentInfor ParsableOctetString)rHrrrrrArArB_format_auth_datas  z$PdfMacTokenHandler._format_auth_datar data_to_maccCs$tj|td}|||S)N)keyrC)rHMACr rorrc)rHrrhmac_funrArArB compute_macs zPdfMacTokenHandler.compute_macFrac Csb|j|d\}}|||\}}||}|j||d} |j|||| d} td| dS)Nr)rr)rrrrauthenticated_datar) rrr{runtagrfrr ContentInfo) rHr_r`rarrirrrrr authed_datarArArBrds"  z%PdfMacTokenHandler.build_pdfmac_token recp_infoscCsd}z|\}|j}Wn tyYnwt|tjstd|d}|tus-|djdkr1td|dd}|jdkrEtd|j d |d j}z t j |j |d }W|St j yatd w) NzWPDF MAC requires exactly one recipientInfo, which must be of PasswordRecipientInfo typerrCr~z_PDF MAC tokens must have their key derivation algorithm explicitly identified as pdfMacWrapKdf.rrzPPDF MAC only supports unpadded 256-bit AES key wrapping for key encryption; not .r)r| wrapped_keyzFailed to unwrap MAC key)chosen ValueError isinstancer rr=r rUrVdottedraes_key_unwraprF InvalidUnwrap)rHrrrecprqkea_objrrrArArB_retrieve_mac_keys@      z$PdfMacTokenHandler._retrieve_mac_keyattrs encap_contentc Csht|j}t|}|t||}zt|d}|j|kr$t dWdSt t fy3t dw)NrrzMValue of messageDigest attribute does not match hash of encapsulated content.zcMessage digest not found in authenticated attributes, or multiple messageDigest attributes present.) rrGr rbrrrcrrUr=rr)rHrrrmdrrclaimed_message_digestrArArB_validate_message_digestDs$   z+PdfMacTokenHandler._validate_message_digestc Cst|d}t|zt|d|d|ddWnty*}ztd|j|d}~ww|dd}|j||ddS) NrrRrQ)claimed_signature_algorithm_objclaimed_digest_algorithm_objclaimed_mac_algorithm_objz%CMS alg protection validation error: rr)r)_validate_content_type_attrr rr=failure_messager)rHrOre int_info_objrArArB_validate_auth_attrsZs&  z'PdfMacTokenHandler._validate_auth_attrsc Cs|d}|tur td|d}|d}||}|j||d}t||djs0tdz||Wnt yK}ztd|j |d}~ww|d d j}|d kr[td |d d j S)N unauth_attrsz5PDF MAC tokens cannot have unauthenticated attributesrr)rrzPDF MAC token has invalid MACzCMS structural error: rrsrtz_The content type of the encapsulated content in a PDF MAC token must be id-pdfMacIntegrityInfo.r) r r=rrrrfrrUrrrparsed) rHrOrrrr computed_macreci_ctrArArB#_validate_and_extract_encap_contentqs:  z6PdfMacTokenHandler._validate_and_extract_encap_contentcCs||}t|||dSrD)r _validate_pdf_mac_integrity_info)rHrOr_r`rrArArBvalidate_pdfmac_token_cmss z,PdfMacTokenHandler.validate_pdfmac_token_cmsN)(r>r?r@__doc__r rrwrI classmethodrstrrNr.rrr\boolintrirLryr{rrrrrrrrrdRecipientInfosrr rrrr)rrrArArArBr*Ns              &  (r*int_infor_r`cCsh|dj}||kr td|d}|dur|turtddS|j}|dur*td||kr2tddS)Nrz;Document digest does not match value in PdfMacIntegrityInfor`z;PdfMacIntegrityInfo contains an unexpected signature digestz6Could not find signature digest in PdfMacIntegrityInfoz|rz|d } Wntjy{td tytd w| } t| tjstdt| |\}} | d } ntd|djdkrtd|j} | dusJ|d}|ddj}t|j | |d\}}| durtt|}|| |}nd}z| }Wntjy}ztd|d}~ww|j| |||dj |||ddS)N /AuthCodez&AuthCode dictionary cannot be indirectz$Failed to locate AuthCode dictionaryF /MACLocation /StandaloneTz/AttachedToSigrrz /SigObjRefz7Value of /SigObjRef entry must be an indirect referencez"/AttachedToSig requires /SigObjRefz)/SigObjRef does not point to a dictionaryz Failed to locate MAC in documentrsrz0MAC tokens must be of CMS type AuthenticatedDatarrRrC)rrGzError retrieving salt)rJrKrOrP)rOr_r`)! trailer_viewrrrrIndirectObjectr=DictionaryObject NameObjectstreamseekosSEEK_ENDrget_value_as_referenceIndirectObjectExpected get_objectrrUsecurity_handlerlowerrr rbrrrc get_kdf_saltrrr\get_file_encryption_keyr)rrPrr is_standaloneis_in_signature mac_locationrrrsignature_valuesig_refrshrOrG_r_sig_mdr`rlrrArArBr+&s                 r+cseZdZfddZZS)StandalonePdfMaccs$tjtd|dtd|d<dS)Nr)data_keybytes_reservedrr)superrIr%)rHr __class__rArBrIszStandalonePdfMac.__init__)r>r?r@rI __classcell__rArArrBr~srr6wrGc Cs|j|d}|jdd}td|d}|td||j||j|||d}t|\} } |j| j dd} | j | | d t || S) N)rGF)r]r")rr)rGin_place chunk_sizeoutput)r_r`)cms_data) _init_mac_handlerrirset_custom_trailer_entryr%fillrGnextrdr_ fill_with_cmsrfinalise_output) rrGr r"r!handlertok_sizemac_dict cms_writerprepared_br_digest res_output pdfmac_tokenrArArBr,s(   r,)Jrrrrtypingrrrrrr asn1cryptor r r asn1crypto.corer cryptography.hazmat.primitivesr r"cryptography.hazmat.primitives.kdfrpyhanko.pdf_utilsrr sign.generalrrrrrrrrsign.signers.pdf_byterangerrsign.validation.errorsrrsign.validation.generic_cmsr sign.validation.pdf_embeddedr! extensionsr#r$r%rr&writerr'_iso32004_asn1r)__all__ALWAYSr- frozensetr.r=r*rrrrrrrrrr+rDEFAULT_CHUNK_SIZEr,rArArArBs    (          [  $ X