o vh/@sddlZddlZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZmZddlmZddlmZddlmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'dd l(m)Z)m*Z*m+Z+dd l,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4dd l5m6Z6dd l7m8Z8dd l9m:Z:ddl;mm?Z?ddl@mAZAddlBmCZCmDZDddlEmFZFddlGmHZHddlImJZJmKZKmLZLmMZMmNZNmOZOmPZPddlQmRZRmSZSmTZTmUZUgdZVeWeXZYedeNdZZdej[deej\ej]dffddZ^d e_fd!d"Z`d#ejadej[fd$d%Zbd&ej[d'ejcd(e ejdd)e ejefd*d+Zf  dnd,ejgd#ejad-ehd.eid/e eSd0e edee_e_ffd1d2Zjd3ejkde"fd4d5Zl      dod3ejkd6e eid7e e*d8e emd9e e8d:e e:d;e eSdZn dpd#ejad7e*d._checkN)r.handle_certvalidator_errors)rkrrrrrrZrr[r-s r)rrrr status_clscdSNrZ)rrrrrrrZrZr[rGJs rGcrrrZ)rrrrrrZrZr[rGVscs4||}t||||||dIdH}|di|S)a Validate a CMS signature (i.e. a ``SignedData`` object). :param signed_data: The :class:`.asn1crypto.cms.SignedData` object to validate. :param status_cls: Status class to use for the validation result. :param raw_digest: Raw digest, computed from context. :param validation_context: Validation context to validate the signer's certificate. :param status_kwargs: Other keyword arguments to pass to the ``status_class`` when reporting validation results. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: A :class:`.SignatureStatus` object (or an instance of a proper subclass) )rrNrZ)default_usage_constraintsrK)rrrrrrreff_key_usage_settingsrZrZr[rGas'  c Cs4z |d}t|d}|jWSttfyYdSw)a Extract self-reported timestamp (from the ``signingTime`` attribute) Internal API. :param signer_info: A ``SignerInfo`` value. :return: The value of the ``signingTime`` attribute as a ``datetime``, or ``None``. rU signing_timeN)r ryrr)rsastrZrZr[rNs  rNFsignedc CsRz|r |d}t|d}n |d}t|d}|d}|WSttfy(YdSw)a Extract signed data associated with a timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :param signed: If ``True``, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes). :return: The ``SignedData`` value found, or ``None``. rUcontent_time_stampunsigned_attrssignature_time_stamp_tokenrN)r rr)rrrtstuatst_signed_datarZrZr[rMs  rMcCsft|}|dur dS|d}|djd}|ddj}|dj}t|}t|}|||S)a. Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :return: The computed digest, or ``None`` if there is no signature timestamp. Nrrmessage_imprinthash_algorithmrr)rMparsedryr!rrrr)rtst_datarmitst_md_algorithmsignature_bytes tst_md_specrrZrZr[rLs   rLts_validation_contextc si}t|}|dur||d<t|dd}|dur7t|}|dus#Jt|||IdH}td i|}||d<t|dd} | durVt| ||dIdH} td i| } | |d<|S) a Collect and validate timing information in a ``SignerInfo`` value. This includes the ``signingTime`` attribute, content timestamp information and signature timestamp information. :param signer_info: A ``SignerInfo`` value. :param ts_validation_context: The timestamp validation context to validate against. :param raw_digest: The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one) Nsigner_reported_dtF)rtimestamp_validityT)expected_tst_imprintcontent_timestamp_validityrZ)rNrMrLrIrA) rrrrrrtst_signature_digesttst_validity_kwargs tst_validitycontent_tst_signed_datacontent_tst_validity_kwargscontent_tst_validityrZrZr[rHs8     rHrrc sd}|dd}t|tjr|j}t|tjs tjdtj d|dj }t }t ||d|i||dIdH}|d d j } || krVtd | d |d d|d<|S)a Validate the ``SignedData`` of a time stamp token. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to validate against. :param expected_tst_imprint: The expected message imprint value that should be contained in the encapsulated ``TSTInfo``. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: Keyword arguments for a :class:`.TimeStampSignatureStatus`. Nrrz'SignedData does not encapsulate TSTInfor^gen_time timestamp)rrrrrhashed_messagezTimestamp token imprint is z, but expected rFr) isinstancerParsableOctetStringrrTSTInfor9rer6rryrArrKrwarninghex) rrrrtst_infotst_info_bytesr ku_settingsr tst_imprintrZrZr[rIs8       rIacsrc s~fdd|D}g}g}t|D]&}z ||IdHWqtttfy:}z ||WYd}~qd}~ww||fS)Ncsg|] }t|dqS)) holder_cert)r1).0acrrrZr[ gs z+process_certified_attrs..)asyncio as_completedappendr(r)r')rrrjobsresultsr9jobrirZrr[process_certified_attrs]s$  rsd_attr_certificatessd_signed_attrsc szt|d}Wn!tyd}Ynty)}z tjt|tjd|d}~wwi}d}d}|dur|d} t t | t j sB| nd} |d} d} t | t j sqdd| D} t | t | k} |durqt| ||}|IdH\}}|dur{t|}nd}| pt |d t j  }|dur|rtd t| |||d |d <|durt|||IdH\}}|r|||r||t||d <||d<|S)Nsigner_attributes_v2r^claimed_attributesrZcertified_attributes_v2FcSsg|] }|jdkr|jqS) attr_cert)namechosen)rrYrZrZr[rs  z.collect_signer_attr_status..signed_assertionszCAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.) claimed_attrscertified_attrsac_validation_errsunknown_attrs_presentcades_signer_attrsac_attrsr)r rrr9restrr6rr= from_iterablerrVoidlenrr< from_resultsrrr;extend)rrrr signer_attrsriresultcades_ac_resultscades_ac_errors claimed_asn1claimedcertified_asn1unknown_cert_attrs cades_acsval_job certified unknown_attrs ac_results ac_errorsrZrZr[rPys         rP input_datasigner_validation_contextac_validation_contextc s|dur|}t|} | ddj} tt| } t|tr$| |n t|tj tj fr7| t|dn t |} t j | || |d| } t| || dIdH}t|}t|| ||||dIdH}t|}|durs|j|j|t|j|j|| dd IdHtd i|S) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. Nrvrr)max_read)rr)rrrrrrU)rrrrrZ)rryrrr!rrrr ContentInfoEncapsulatedContentInfo bytearrayr3chunked_digestrrHr@rrKrrrrrPattribute_certsr)r2rr3rr4rr chunk_sizer5rrvhtemp_buf digest_bytesrrrZrZr[rJsV=     rJ ResultTypeT) covariant)frozenc@s^eZdZUdZeeed<dZeeed<dZ ee ed<dZ ee ed<dZ eeed<dS)CertvalidatorOperationResultzB Internal class to inspect error data from certvalidator. rNrrrr)__name__ __module__ __qualname____doc__r r?__annotations__rr>rrrr.rr7rZrZrZr[rBLs  rBcoroc sd}d}}z t|IdHdWSty.}ztj|j|dtj}WYd}~n1d}~wtyK}ztj|j|dtj}WYd}~nd}~wt yj}ztj|j|dtj }|j }WYd}~nd}~wt y}z tj|j|d|j }|jdurtj}ntj}|j}WYd}~nd}~wty}z5|j }t|j|j}|jrtj}n|jrtj}td|j|jd}n tj}td|j|jd}WYd}~nd}~wty}ztjd|dtj}WYd}~nod}~wty}z!|j }t|j|j}|js|jrtj}ntj}WYd}~nBd}~wty=}z|j }tj|j|dtj}WYd}~n"d}~wt yZ}ztj|j|dtj}WYd}~nd}~wwtd||||dS) z Internal error handling function that maps certvalidator errors to AdES status indications. :param coro: :return: N)rrF) ca_revokedrevocation_daterevocation_reasonTzFailed to build path)rrrrr)!rBr'rr failure_msgr7CHAIN_CONSTRAINTS_FAILUREr-NO_POEr+ TRY_LATER time_cutoffr% original_path banned_sinceCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POEr* revocation_dtis_side_validationr is_ee_certREVOKED_NO_POEr>reasonREVOKED_CA_NO_POEr(NO_CERTIFICATE_CHAIN_FOUNDr& expired_dtOUT_OF_BOUNDS_NO_POEr)r,)rH time_horizonrrrirrZrZr[rYs    r)NN)NNNNNNr)F)rlogging dataclassesrrtypingrrrrrr r r r r rrr asn1cryptorrrrrcryptography.exceptionsrcryptography.hazmat.primitivesrpyhanko.sign.generalrrrrrrrrr r!pyhanko_certvalidatorr"r#r$pyhanko_certvalidator.errorsr%r&r'r(r)r*r+r, pyhanko_certvalidator.ltv.errorsr-pyhanko_certvalidator.pathr.!pyhanko_certvalidator.policy_declr/pyhanko_certvalidator.validater0r1 pdf_utilsr3pdf_utils.miscr4 ades.reportr6r7r9settingsr:statusr;r<r=r>r?r@rAutilsrBrCrDrE__all__ getLoggerrCrrS CMSAttributesrar`rRboolrX CertificaterpDigestAlgorithmSignedDigestAlgorithm HmacAlgorithmrQ SignerInforrrF SignedDatarOdictrKrrGrNrMrLrHrIAttributeCertificateV2rrPDEFAULT_CHUNK_SIZEr6r7rJr?rBrrZrZrZr[s  <  0 (      $      K  ) !        6  ! 9 >   h k