o &zhs@@sddlZddlmZmZddlmZmZmZmZmZddl m Z m Z m Z ddl mZddlmZmZmZmZddlmZmZddlmZdd lmZmZmZdd lmZdd lm Z dd l!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'm(Z(m)Z)ddl*m+Z+ddgZ,dede dededeee"ee'ff ddZ-defddZ.dede j/dede j0def ddZ1deded ed!efd"d#Z2d$eedededeed%e j0def d&d'Z3ded(ede d ed)eed!ed*e+e4d+e+edefd,d-Z5ded(ede d ed)eed!edefd.dZ6dS)/N)datetime timedelta)IterableListOptionalSetTuple)algoskeysx509) ValProcState)DisallowedAlgorithmErrorInsufficientPOEErrorInsufficientRevinfoError RevokedError)ValidationTimingInfoValidationTimingParams)ValidationPath)AlgorithmUsagePolicyCertRevTrustPolicyRevocationCheckingRule)RevinfoContainer)RevinfoManager) CRLOfInterest_check_cert_on_crl_and_delta_CRLErrs collect_relevant_crls_with_paths)OCSPResponseOfInterest_check_ocsp_status%collect_relevant_responses_with_paths)ConsList time_slideades_gather_prima_facie_revinfopathrevinfo_manager control_timerevocation_checking_rulereturnc sb|j}|jrt||||IdH}|j}ng}|jr+t||||IdH}|j}||fSg}||fS)a Gather potentially relevant revocation information for the leaf certificate of a candidate validation path. Only the scope of the revocation information will be checked, no detailed validation will occur. :param path: The candidate validation path. :param revinfo_manager: The revocation info manager. :param control_time: The time horizon that serves as a relevance cutoff. :param revocation_checking_rule: Revocation info rule controlling which kind(s) of revocation information will be fetched. :return: A 2-element tuple containing a list of the fetched CRLs and OCSP responses, respectively. N)leaf ocsp_relevantr responses crl_relevantrcrls) r#r$r%r&cert ocsp_resultocsps crl_resultr,r1_/var/www/html/kangema/venv/lib/python3.10/site-packages/pyhanko_certvalidator/ltv/time_slide.pyr")s   ccs>|}|dfV|jdkr|}|dfV|jdks dSdS)NTF)pkix_lencopy_and_drop_leaf)r#cur_pathr1r1r2_tailsVs   r7 algo_policy algo_used public_keyval_proc_statecCsn||||}|dj}|js5|jrt||j}|Sd|d}|jdur-|d|j7}tj||dd|S)N algorithmz Algorithm z- is banned outright without time constraints.z Reason: ) banned_since)signature_algorithm_allowednativeallowednot_allowed_afterminfailure_reasonr from_state)r8r9r%r:r;sig_constraint algo_namemsgr1r1r2_apply_algo_policy^s$    rHrevinfo_containerrev_trust_policytime_tolerancec CsL||tt||dd|d}|j}|jjs$|jp|}|dur$t||}|S)NT)validation_timebest_signature_timepoint_in_time_validation) timing_inforK) usable_atrr issuance_daterating usable_adeslast_usable_atrB)r%rIrJrK usabilityrQ cutoff_dater1r1r2"_update_control_time_for_unrevoked}s"   rW revoked_dateissuer_public_keycCs8|rt||}|j}|dur|durt|||||}|SN)rBrevinfo_sig_mechanism_usedrH)rXr%rIr8rYr;r9r1r1r2_update_control_times r\init_control_timealgo_usage_policy cert_stack path_stackc% s|j}|jdkr |Stttt|} j} | D]\} } t| | r*|jn|jdIdH\} }| j }| | | |t d}| |kr_t d|jjdd|| s|st|tjrn|jj}nd}|jdurtdd |d|d }d}| D]}|jj}|r|ks| |jkrq|j}ttd d | DBtjfd d |DIdH}tg||D]J}t|jj ||j|j t!d\}}|jj }t|tjsJ||duO}|j}|dur|}n|jr |jr |j|jkr |}t"|||j#|dqqd}|D]}|j$}|j}|r5|ks5| |j$kr7qt%|j&dIdHzt'|t ddd}Wnt(yk} z | j)}WYd} ~ nd} ~ ww||duO}|j&j }!t|!tjsJ|dus|jr|j|kr|}t"|||!j#|dqdurt| *d}"t+|d|"j#|d|sdd||fD}#t,|#fdddd}$|$durt-|$dqS)Nr)r$r%r&)cert_path_stackz0No proof of existence available for certificate z at control time .zattribute certificatezNo revocation info from before z found for certificate Fcss|]}|VqdSrZ)dump).0r-r1r1r2 s z_time_slide..c 3sB|]}|jjr|jjvrt|jdVqdS)r_r`N)r#r(rc _time_slide)rdcrl_pathr^r%new_cert_stacknew_path_stackrJr$sub_path_skip_listrKr1r2re s$  ) crl_issuerr-certificate_list_contdelta_certificate_list_conterrs)rIr8rYr;rf) ocsp_response proc_stater%signature_algorithm)r;cSsg|]}|dur|qSrZr1)rdxr1r1r2 sz_time_slide..cs |jpSrZ)rQ)ru)r%r1r2s z_time_slide..)keydefault)r%rIrJrK).revocation_checking_policyr4listreversedr7 poe_managerr"ee_certificate_ruleintermediate_ca_cert_ruler(consrcr rrDsubjecthuman_friendly isoformat isinstancer Certificateocsp_no_check_valuercrlrQ prov_pathssetasynciogatherrBrr#deltarr\r:rqrg prov_pathrr revocation_dtiter_authoritiesrHmaxrW)%r#r]r$rJr^rKr_r`checking_policy partial_pathsr} current_pathis_eer,r/r-rrident once_revokedmost_recent_crlcrl_of_interestissued sub_pathssub_path_control_timescandidate_crl_pathrXrevoked_reason crl_iss_cert crl_containermost_recent_ocspocsp_of_interestocsp_containere ocsp_iss_certleaf_ca revinfo_itemsmost_recent_revinfor1rir2rgsF               !          rgc s(t||||||ttdIdHS)a Execute the ETSI EN 319 102-1 time slide algorithm against the given path. .. warning:: This is incubating internal API. .. note:: This implementation will also attempt to take into account chains of trust of indirect CRLs. This is not a requirement of the specification, but also somewhat unlikely to arise in practice in cases where AdES compliance actually matters. :param path: The prospective validation path against which to execute the time slide algorithm. :param init_control_time: The initial control time, typically the current time. :param revinfo_manager: The revocation info manager. :param rev_trust_policy: The trust policy for revocation information. :param algo_usage_policy: The algorithm usage policy. :param time_tolerance: The tolerance to apply when evaluating time-related constraints. :return: The resulting control time. rfN)rgr empty)r#r]r$rJr^rKr1r1r2r!s$ )7rrrtypingrrrrr asn1cryptor r r pyhanko_certvalidator._stater pyhanko_certvalidator.errorsr rrrpyhanko_certvalidator.ltv.typesrrpyhanko_certvalidator.pathr!pyhanko_certvalidator.policy_declrrr&pyhanko_certvalidator.revinfo.archivalr%pyhanko_certvalidator.revinfo.managerr*pyhanko_certvalidator.revinfo.validate_crlrrrr+pyhanko_certvalidator.revinfo.validate_ocsprrrpyhanko_certvalidator.utilr __all__r"r7SignedDigestAlgorithm PublicKeyInforHrWr\bytesrgr!r1r1r1r2s      -  $   [