o vh`@sddlZddlZddlmZddlmZddlmZmZddl m Z ddl m Z ddl mZddlmZdd lmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)gdZ*ddl+m,Z,ddl-m.Z.e/e0Z1eGdddZ2ddZ3GdddZ4 d)d!e)d"e fd#d$Z5d d%d dd ej6d%fd!e)d"e d&e7fd'd(Z8dS)*N) dataclass)field)IterableOptional)crl)ocsp)x509) Certificate)genericmisc)pdf_name)IncrementalPdfFileWriter) get_and_apply) PdfHandler)BasePdfFileWriter)CertificateValidatorValidationContext)ValidationPath)extract_certificate_info)NoDSSFoundErrorValidationInfoReadingError)EmbeddedPdfSignature)VRIDocumentSecurityStoreasync_add_validation_infocollect_validation_infoenumerate_ocsp_certs)SerialisedCredential) PdfFileReaderc@s^eZdZUdZeedZeed< eedZeed< eedZ eed< de j fddZ d S) raA VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature. .. note:: The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler. )default_factorycertsocspscrlsreturncCsbttdtdi}|jrt|j|td<|jr%t|j|td<t|j|td<|S)zT :return: A PDF dictionary representing this VRI entry. z/Type/VRIz/OCSPz/CRLz/Cert)r DictionaryObjectr r$ ArrayObjectr%r#)selfvrir,Y/var/www/html/hyperkenya/venv/lib/python3.10/site-packages/pyhanko/sign/validation/dss.py as_pdf_objectBszVRI.as_pdf_objectN) __name__ __module__ __qualname____doc__ data_fieldsetr#__annotations__r$r%r r(r.r,r,r,r-r's  rccsN|dj}|dkr#|d}|djdkr%|dj}|dEdHdSdSdS) zJ Essentially nabbed from _extract_ocsp_certs in ValidationContext response_status successfulresponse_bytes response_typebasic_ocsp_responseresponser#N)nativeparsed) ocsp_responsestatusr8r;r,r,r-rPs  rc @s&eZdZdZ     d-deefddZeddZdd Z d d Z d d Z ddZ e dejfddZddddddZddZdeejfddZ d.defddZededdfdd Zeddddddd!d"ed#eddfd$d%Zedddddd&dddd' d(ed#ed)eed*efd+d,ZdS)/rz, Representation of a DSS in Python. Nwriterc Cs|dur|ni|_|dur|ni|_|dur|ng|_|dur!|ng|_||_|dur-|nt|_i}|jD] }|j } ||| <q7||_ i} |jD] } | j } | | | <qK| |_ d|_ dS)NF) vri_entriesr#r$r%r@r r(backing_pdf_object get_objectdata _ocsps_seen _crls_seen _modified) r*r@r#r$r%rArB ocsps_seenocsp_ref ocsp_bytes crls_seencrl_ref crl_bytesr,r,r-__init__bs(        zDocumentSecurityStore.__init__cCs|jSN)rGr*r,r,r-modifiedszDocumentSecurityStore.modifiedcCs0|jsd|_|jdur|j|jdSdSdS)NT)rGrBr@update_containerrPr,r,r-_mark_modifieds  z$DocumentSecurityStore._mark_modifiedc csl|D]0}|}z||VWqty3|jtj|d}||||<|||VYqwdS)N stream_data)dumpKeyErrorr@ add_objectr StreamObjectrSappend)r*objsseendestobj obj_bytesrefr,r,r-_cms_objects_to_streamss    z-DocumentSecurityStore._cms_objects_to_streamscs fdd}fdd|DS)Nc3sD] }t|EdHqdSrO)r)respr$r,r- extra_certsszADocumentSecurityStore._embed_certs_from_ocsp..extra_certscsg|]}|qSr, _embed_cert).0cert_rPr,r- z@DocumentSecurityStore._embed_certs_from_ocsp..r,)r*r$rdr,)r$r*r-_embed_certs_from_ocsps z,DocumentSecurityStore._embed_certs_from_ocspcCsd|jdur tdz|j|jWStyYnw|jtj|d}| ||j|j<|S)N"This DSS does not support updates.rT) r@ TypeErrorr# issuer_serialrWrXr rYrVrS)r*certr`r,r,r-rfs   z!DocumentSecurityStore._embed_certr&cCs"t|}td|S)a Hash the contents of a signature object to get the corresponding VRI identifier. This is internal API. :param contents: Signature contents. :return: A name object to put into the DSS. /)hashlibsha1digesthexupperr )contentsidentr,r,r-sig_content_identifiers z,DocumentSecurityStore.sig_content_identifierr,r#r$r%c sjdur tdt|}t|}t}t}fdd|D}|r-t|jj}|r:t|jj}| t ||dur`t |||d}j | j|<dSdS)a Register validation information for a set of signing certificates associated with a particular signature. :param identifier: Identifier of the signature object (see `sig_content_identifier`). If ``None``, only embed the data into the DSS without associating it with any VRI. :param certs: Certificates to add. :param ocsps: OCSP responses to add. :param crls: CRLs to add. Nrlcsh|]}|qSr,re)rgrorPr,r- rjz5DocumentSecurityStore.register_vri..ry)r@rmlistr4rarEr$rFr%updaterkrrXr.rArS) r* identifierr#r$r% ocsp_refscrl_refs cert_refsr+r,rPr- register_vris2   z"DocumentSecurityStore.register_vricCsl|j}tt|j|d<|jrt|j|d<|jr't|j|t d<|j r4t|j |t d<|S)z Convert the :class:`.DocumentSecurityStore` object to a python dictionary. This method also handles DSS updates. :return: A PDF object representing this DSS. /Certsr'/OCSPs/CRLs) rBr r)r{r#valuesrAr(r$r r%)r*pdf_dictr,r,r-r.sz#DocumentSecurityStore.as_pdf_objectccs0|jD]}|}t|j}|VqdS)z Return a generator that parses and yields all certificates in the DSS. :return: A generator yielding :class:`.Certificate` objects. N)r#rrCr loadrD)r*cert_ref cert_streamror,r,r- load_certs s  z DocumentSecurityStore.load_certsTc Cst|}|dg}t||}|rXt|dd}|jD]}|}tj|j }| |q||d<t|dd} |j D]} | } t j | j } | | qA| |d<tdd|i|S)ag Construct a validation context from the data in this DSS. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :param include_revinfo: If ``False``, revocation info is skipped. :return: A validation context preloaded with information from this DSS. other_certsr$r,r%)dictpopr{rr$rC asn1_ocsp OCSPResponserrDrZr%asn1_crlCertificateListr) r*validation_context_kwargsinclude_revinfordr#r$rI ocsp_streamrbr%rL crl_streamrr,r,r-as_validation_contexts"     z+DocumentSecurityStore.as_validation_contexthandlerc Cs<z|jd}Wnty}zt|d}~wwi}t|dtgd}|D]}|}t|j}|||j <q$t|dtgd} g} | D]} | } t j | j} | | qBt|dtgd}g}|D]}|}t j|j}| |qazt|d}Wn tyd}Ynwt|tr|}nd}|||| |||d}|S) a Read a DSS record from a file and add the data to a validation context. :param handler: PDF handler from which to read the DSS. :return: A DocumentSecurityStore object describing the current state of the DSS. /DSSNr)defaultrrr')r@r#r$rAr%rB)rootrWrrr{rCr rrDrnrrrZrrr isinstancer)clsrdss_dicter cert_ref_listrrror~r$rIrrbrr%rLrrrAr@dssr,r,r-read_dss8sR       zDocumentSecurityStore.read_dssr#r$r%pathsvalidation_context embed_rootspdf_outrcsz ||} d} Wntyd} ||d} Ynw|dur$t|} nd} dttjffdd } fdd } fd d }| j| | | |d | }| rd| |}||j t d <| | S)aD Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object. You can either specify the CMS objects to include directly, or pass them in as output from `pyhanko_certvalidator`. :param pdf_out: PDF writer to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :return: a :class:`DocumentSecurityStore` object containing both the new and existing contents of the DSS (if any). FT)r@Nr&c3s@pdEdHp dD]}t|}st||EdHq dSNr,)iternext)path path_parts)r#rrr,r-_certss  z:DocumentSecurityStore.supply_dss_in_writer.._certsc3,pdEdHdurjEdHdSdSrrcr,)r$rr,r-_ocsps z:DocumentSecurityStore.supply_dss_in_writer.._ocspsc3rr)r%r,)r%rr,r-_crlsrz9DocumentSecurityStore.supply_dss_in_writer.._crlsryr) rrrrxrrr rr.rXrr update_root)rr sig_contentsr#r$r%rrrrcreatedr}rrrrdss_refr,)r#r%rr$rrr-supply_dss_in_writervs0:    z*DocumentSecurityStore.supply_dss_in_writerF) r#r$r%rr force_writerfile_credentialstrictrrrc  Cs^t|| d} | jdur| dur| j| |j| ||||||| d} |s'| jr-| dSdS)a Wrapper around :meth:`supply_dss_in_writer`. The result is applied to the output stream as an incremental update. :param output_stream: Output stream to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param force_write: Force a write even if the DSS doesn't have any new content. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :param file_credential: .. versionadded:: 0.13.0 Serialised file credential, to update encrypted files. :param strict: If ``True``, enforce strict validation of the input stream. Default is ``True``. )rNr)r security_handler authenticaterrQwrite_in_place)r output_streamrr#r$r%rrrrrrrrr,r,r-add_dsss @  zDocumentSecurityStore.add_dss)NNNNN)T) r/r0r1r2rrrNpropertyrQrSrarkrf staticmethodr NameObjectrxrr.rrr rrr classmethodrrboolrr rr,r,r,r-r]sx " 1  #=  h    rF embedded_sigrcs^jj}|js tdgfdd}||jIdH|s-|jdur-||jIdHS)a Query revocation info for a PDF signature using a validation context, and store the results in a validation context. This works by validating the signer's certificate against the provided validation context, which causes revocation info to be cached for later retrieval. .. warning:: This function does *not* actually validate the signature, but merely checks the signer certificate's chain of trust. :param embedded_sig: Embedded PDF signature to operate on. :param validation_context: Validation context to use. :param skip_timestamp: If the signature has a time stamp token attached to it, also collect revocation information for the timestamp. :return: A list of validation paths. zfRevocation mode is set to soft-fail/tolerant mode; collected revocation information may be incomplete.csFt|}|j}|j}t||d}|jtdIdH}|dS)N)intermediate_certsr) key_usage)r signer_certrrasync_validate_usager4rZ) signed_data cert_inforor validatorrrrr,r-_validate_signed_dataWsz6collect_validation_info.._validate_signed_dataN)revinfo_policyrevocation_checking_policy essentialloggerwarningrattached_timestamp_data)rrskip_timestamprevinfo_fetch_policyrr,rr-r0s rTrc s|j} |r| j} }t|nt|} t|||dIdH} |r+|jd} nd} t | } || _ t j | | || |d}|sD|jrQ|rK| n| | n|sc| jdtt|| j| t|| S)aY .. versionadded: 0.9.0 Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update. This is a wrapper around :func:`collect_validation_info`. :param embedded_sig: The signature for which the revocation information needs to be collected. :param validation_context: The validation context to use. :param skip_timestamp: If ``True``, do not attempt to validate the timestamp attached to the signature, if one is present. :param add_vri_entry: Add a ``/VRI`` entry for this signature to the document security store. Default is ``True``. :param output: Write the output to the specified output stream. If ``None``, write to a new :class:`.BytesIO` object. Default is ``None``. :param in_place: Sign the original input stream in-place. This parameter overrides ``output``. :param chunk_size: Chunk size parameter to use when copying output to a new stream (irrelevant if ``in_place`` is ``True``). :param force_write: Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS). :param embed_roots: Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. :return: The (file-like) output object to which the result was written. )rNascii)rrrr)readerstreamr !assert_writable_and_random_accessprepare_rw_output_streamr pkcs7_contentrtencoder from_reader IO_CHUNK_SIZErrrQrwriteseek chunked_write bytearrayfinalise_output)rrr add_vri_entryin_placeoutputr chunk_sizerrworking_outputrrr resulting_dssr,r,r-rks:8          r)F)9rqlogging dataclassesrrr3typingrr asn1cryptorrrrrasn1crypto.x509r pyhanko.pdf_utilsr r pyhanko.pdf_utils.genericr $pyhanko.pdf_utils.incremental_writerr pyhanko.pdf_utils.miscrpyhanko.pdf_utils.rw_commonrpyhanko.pdf_utils.writerrpyhanko_certvalidatorrrpyhanko_certvalidator.pathrgeneralrerrorsrr pdf_embeddedr__all__pdf_utils.cryptr pdf_utils.readerr! getLoggerr/rrrrrDEFAULT_CHUNK_SIZErrr,r,r,r-sf                 ( Y >