o vh\@sNddlZddlmZddlmZddlmZddlmZmZm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZmZmZd d lmZd d lmZmZmZddlmZddlmZm Z m!Z!ddl"m#Z#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)ddl*m+Z+ddl,m-Z-m.Z.m/Z/gdZ0e1e2Z3e de.dZ4GdddeZ5eej6ej6dZ7ddZ8eej9ej9dZ:ddZ;ded ed$ed%e?fd&d'Z@d(ed)ee(fd*d+ZAeGd,d-d-ZBd.e(fd/d0ZCd)eBfd1d2ZD    3   3dAd4e(d5e5d ee<d6eed7eed8ee+d9eEd)e-fd:d;ZFdZH dBdUsz8RevocationInfoValidationType.as_tuple..)tuple)clsr1r1r2as_tupleSsz%RevocationInfoValidationType.as_tupleN) __name__ __module__ __qualname____doc__ ADOBE_STYLEPADES_LT PADES_LTA classmethodr6r1r1r1r2r#;sr#)ee_certificate_ruleintermediate_ca_cert_rulecKtddti|SNrevocation_checking_policyr1)r &DEFAULT_LTV_INTERNAL_REVO_CHECK_POLICYkwargsr1r1r2!_default_ltv_internal_revo_policy^ rGcKrArB)r %STRICT_LTV_INTERNAL_REVO_CHECK_POLICYrEr1r1r2 _strict_ltv_internal_revo_policykrHrJ timestampvalidation_context_kwargscCsd|d<||d<|dd}|dd}|dur6|dd}|r,|dkr,tt|}n|dkr5t|d}n |jjs?t|d}||d<dS) NFallow_fetchingmomentrevinfo_policyretroactive_revinforevocation_modez soft-failrP) getpopr r from_legacyrGrC essentialrJ)rKrLrO retroactive legacy_rmr1r1r2_strict_vc_context_kwargsrs(     rYtst_signed_datavalidation_contextexpected_tst_imprintcsJt|||IdH}tdi|}|jr|js#td|td|S)a Wrapper around :func:`validate_tst_signed_data` for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to apply to the timestamp. :param expected_tst_imprint: The expected message imprint for the ``TSTInfo`` value. :return: A :class:`.TimestampSignatureStatus` if validation is successful. :raises: :class:`SignatureValidationError` if validation fails. Nz0Could not validate embedded timestamp token: %s.z\Could not establish time of signing, timestamp token did not validate with current settings.r1)rr"validtrustedloggerwarningsummaryr)rZr[r\timestamp_status_kwargstimestamp_statusr1r1r2r(s  r(readerreturncCstddt|jS)a: Get the document timestamp chain of the associated reader, ordered from new to old. :param reader: A :class:`.PdfFileReader`. :return: An iterable of :class:`~pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature` objects representing document timestamps. cSs|jdddkS)Nz/Typez /DocTimeStamp) sig_objectrS)sigr1r1r2sz%get_timestamp_chain..)filterreversedembedded_signatures)rdr1r1r2r&sr&c@s6eZdZUeeed<eeed<eed<eed<dS)_TimestampTrustData latest_dtsearliest_ts_statusts_chain_lengthcurrent_signature_vc_kwargsN) r7r8r9rr__annotations__r"intdictr1r1r1r2rls   rl emb_timestampcCs^z|j|j}t|}||WSty.|dd|ddtdi|YSw)Ncrlsr1ocsps) rdget_historical_resolversigned_revisionrread_dssas_validation_contextr setdefaultr )rtrL hist_resolverdssr1r1r2_instantiate_ltv_vcs     r~c st|}t|}|}d}d}d}t|D]$\}}|j|kr n|} t|j|| IdH}t|j|t ||}qt |||d|dS)Nr)rmrnrorp) r&rs enumeraterxcompute_digestr( signed_datarYrKr~rl) rdbootstrap_validation_contextrLuntil_revision timestamps current_vc ts_statusts_countrtexternal_digestr1r1r2_establish_timestamp_trust_ltas4  rF embedded_sigvalidation_typer diff_policykey_usage_settings skip_diffc st|pi} | dd| dd| d} |r,t| d| d<|dur+t| d|d<nd| vrF| dt| d|durF|dt| d|j} |tjkrZd} |pXtdi| } nt | } |durk| j | dd } n |} | j | ||d}d}d }|tjkrt| | | |jd IdH}|j}|j} |jrt|j| } |jdur|tjkrtd |tjks|jd ksJ|j}|j}|j}|dur|j}|dusJt|| |IdH}|dusJ|j}|| d<|dur||d<n |tjkr|d krtd|durtdt|j| d}|tjkrAt|j \}}|| d<|| d<tdi| }|dur@||d<||d<tdi|}n3|tjkr^| dusNJ| | }|dur]| |}n|duseJt|| }|durtt||}|dus|tjkr|dur|}n |dusJ|j!}t"|t#|d|jid}|IdH}n|}|j$||d|%}|&|j|dt'(|}t)|j!|j*|||dIdH}t+||ddd|dur|j |j,|&t-|j.|j/||j ddIdHt'di|S)a  .. versionadded:: 0.9.0 Validate a PDF LTV signature according to a particular profile. :param embedded_sig: Embedded signature to evaluate. :param validation_type: Validation profile to use. :param validation_context_kwargs: Keyword args to instantiate :class:`.pyhanko_certvalidator.ValidationContext` objects needed over the course of the validation. :param ac_validation_context_kwargs: Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param bootstrap_validation_context: Validation context used to validate the current timestamp. :param force_revinfo: Require all certificates encountered to have some form of live revocation checking provisions. :param diff_policy: Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param skip_diff: If ``True``, skip the difference analysis step entirely. :return: The status of the signature. rMTrPFrRrONrQ)include_revinfor)rLrz>Purported PAdES-LTA signature does not have a timestamp chain.rrNzlPAdES-LTA signature requires separate timestamps protecting the signature & the rest of the revocation info.z+LTV signatures require a trusted timestamp.rvrurK) status_clsr[ status_kwargs)rr)signer_reported_dttimestamp_validity) raw_digestr[rrvalidation_path)timestamp_found signed_attrs)sd_attr_certificates signer_certr[sd_signed_attrsr1)0rsr{rGrJrdr#r;r rryrzcertificate_registryregister_multiple load_certsrcompute_tst_digestrrxrorprmr~rnr=rr<attached_timestamp_datatst_signature_digestr(rKrYr% signer_inforrr"compute_integrity_infosummarise_integrity_infoupdater default_usage_constraintsrrrother_embedded_certsrembedded_attr_certsr)rrrLrac_validation_context_kwargs force_revinforrr vc_kwargsrWrdr}rearliest_good_timestamp_strmro ts_trust_datarZr signature_poe stored_ac_vcrvru stored_vcts_to_validatets_status_cororcrr1r1r2r'sH 4                                 r'rc Csbz t|dd}Wnttfy}ztd|d}~wwt|dp#d}t|dp+d}||fS)a' Retrieve Adobe-style revocation information from a ``SignerInfo`` value, if present. Internal API. :param signer_info: A ``SignerInfo`` value. :return: A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively. radobe_revocation_info_archivalz@No revocation info archival attribute found, or multiple presentNocspr1crl)rrrrlist)rrevinfoervrur1r1r2r%Bs r%cCs(|pi}t|\}}td||d|S)ag Read Adobe-style revocation information from a CMS object, and load it into a validation context. :param signer_info: Signer info CMS object. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :return: A validation context preloaded with the relevant revocation information. )rvruNr1)r%r )rrLrvrur1r1r2r$]s r$)NNNFNNFr-)Jlogging dataclassesrrenumrtypingrrr asn1cryptorr asn1_pdfpyhanko.pdf_utils.readerr pyhanko_certvalidatorr !pyhanko_certvalidator.policy_declr r r diff_analysisrgeneralrrrr}rerrorsrrr generic_cmsrrrr pdf_embeddedrrsettingsrstatusr r!r"__all__ getLoggerr7r_r)r#CHECK_IF_DECLAREDrDrGCRL_OR_OCSP_REQUIREDrIrJrsrY SignedDatabytesr(r&rlr~rboolr' SignerInfor%r$r1r1r1r2s            # *   0  -