U c@s2 ddlZddlZddlZddlZddlZddlmZddlmZddlm Z m Z ddl Z ddl Z ddl mZmZddlmZddlZddlmZddlmZmZmZmZmZmZmZmZmZmZm Z dd l!m"Z"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)dd l*m+Z+ddl,m-Z-ddl.m/Z/ddl0m1Z1m2Z2m3Z3ddl4m5Z5m6Z6ddl7m8Z8ddl9m:Z:ddl;mZ>ddl?m@Z@ddlAmBZBddlCmDZDmEZEmFZFdgZGeHeIZJzddlKZKdZLWneMk rdZKdZLYnXdZNGdddejOZPdZQeRd d!d"ZSed#d$ZTd%ZUGd&d'd'e ZVd(d)ZWe Xe jYd*ed+e jZd,d-eUd.de [d/d0e jZd1d2ddeRdd3e j\d4dZ]e]jXd5d6d7d8d9Z^e j_dddd:Z`d6d;d<Zad=d>Zbd?d@ZcdAdBZddCdDZed7dEdFZfdGdHZgdIdJZhedKdLdMZie^jjdNdOdPe jkdQe [dRdSe jZdTdUeRddddVe jZdWdXeRddddVece jZdYdZe le@mdd[e jZd\d]eRddddVe jZd^d_eRddddVe jZd`daeRddddVe jZdbdceRddddVe jZdddeendd[e jZdfdendgdhe jZdideRddjdke jZdle [dRdmdne jZdodpeRddddVe j\dqdrZoe^jjdsdtdPe jkdQe [dRdSe jZdudvdeRddddwdxdyZpe^jjdzd{dPe jkdQe [d|dSe jZd}d~dendde jZdbdceRddddVece j\ddZqe^jjdddPe jkdQe [d|dSe jZdddde jZd}d~dendde jZdddeRddddece j\ddZre^jXdddPe jZdddde jZdddde jZdddde jZdddde jZdddddeRdde jZdddddeRdde jZd}d~dendde jZdddddeRdde jZdddddeRdde jZdddeRdde jZdddddeRdde jZdddend0e jZdddend0ece jZdeRdddde jZddeRddde jZdbdceRddddVe jZdodeRddddVe j\ddZsd8ddZtddZue2jvdddZwe2jvdddZxe2jydddZzddZ{ddZ|esjjdddPe jkdQe`dSe jkde [ddSe jZdde`dd[e jZdde`dd[e jZde`dddǍe jZdendddʍe jZddde [d/dd΍e jZddeRddddVe j\dd҄Z}esjjdddPe jkdQe`dSe jkde [ddSe jkde`dd֍e jZdendddʍe jZde`dddǍe jZddde [d/dd΍e j\dd܄Z~ddބZe jkdQe`dSe jkde [ddSe jZdde`dd[e jZddendd[e jZddendd[e jZddeRddde jZddendd[e jZdddedde jZdeRdddddde jZdendddʍe j\ddZe jkdQe`dSe jkde [ddSe jZdde`dd[e jZdeRdddddde jZdddedde j\ddZddZddefddefgZddZeddZd9ddZe^jjdddPe jkdQe [dRdSe jkde [ddSe jZddddddd Ze]jjd d d7e jkdQe`dSe jkde j_ddd dSe jkd edSe jkdedSe jZdddend0e jZdddeddde jZdddend0e j\dd Ze]jjddd7e jkdQe`dSe jkde j_ddd dSe jZdfddend0e jZdddde j_ddddddZe]jXddd7d dZe jZd!d"deRddd#Zejjd$d%d7e jkdQe`dSe jkde j_ddd dSe jZdfd&dend0ed'd(Zejjd)dd7e jkdQe`dSe jkde j_ddd dSe jZde`dd*dʍe jZdÐd+e`dd[e jZdde [dRdd͐d,e jZddeRddddVed-d.Ze"jd/d0d1Zejjd2dd7e jkdQe`dSe jkde j_ddd dSe jkde`dSe jZdde [d/d3d͐d,ed4d5ZdS(:N)contextmanager)datetime)Enumauto)cmspem)ValidationContext) __version__) CLIConfig LogConfigPemDerSignatureConfigPKCS11PinEntryModePKCS11SignatureConfigPKCS12SignatureConfig StdLogOutput TokenCriteriainit_validation_context_kwargsparse_cli_configparse_logging_config)cryptmisc)ConfigurationError)IncrementalPdfFileWriter) LayoutError)isoparse) PdfFileReader)copy_into_new_writer)fieldssigners validation) SigningErrorload_certs_from_pemder)DEFAULT_SIGNER_KEY_USAGE) BuildProps)PdfCMSSignedAttributes)HTTPTimeStamper)RevocationInfoValidationType)SignatureValidationError) QRStampStyle qr_stamp_filetext_stamp_filecliTFZPYHANKO_PKCS11_PINc@seZdZedddZdS)NoStackTraceFormatterreturncCsdS)N)selfeir0r0//tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/cli.pyformatException@sz%NoStackTraceFormatter.formatExceptionN)__name__ __module__ __qualname__strr4r0r0r0r3r,?sr,z4%(asctime)s - %(name)s - %(levelname)s - %(message)s)verbosecCs|D]\}}t|}||jt|jtrlttjkrJt t j }nt }|rbt t }qtt }nt|j}t t }||||qdSN)itemslogging getLoggersetLevellevel isinstanceoutputrSTDOUT StreamHandlersysstdout FormatterLOG_FORMAT_STRINGr, FileHandler setFormatter addHandler)Z log_configsr9module log_configZ cur_loggerhandler formatterr0r0r3 logging_setupGs         rOc csxd}}z dVWn<tjk r.Yn$tjk r`}z|}d|j}W5d}~XYntjk r}z|}d|j}W5d}~XYntjk r}z|}d|j}W5d}~XYntk r}z|}d|j}W5d}~XYn^tk r&}z|}d|j}W5d}~XYn,t k rP}z |}d}W5d}~XYnX|dk rtt j ||dt|dS)NzcFailed to read PDF file in strict mode; rerun with --no-strict-syntax to try again. Error message: zFailed to read PDF file: zFailed to write PDF file: z*Error raised while producing signed file: z/Error raised while producing signature layout: zGeneric processing error.exc_info) clickClickExceptionrZPdfStrictReadErrormsgZ PdfReadErrorZ PdfWriteErrorr r Exceptionloggererror)rT exceptioner0r0r3pyhanko_exception_manager^s6   rZz pyhanko.ymlc@sHeZdZeZeZeZeZeZeZ eZ eZ eZ eZ dS)CtxN)r5r6r7rSIG_META EXISTING_ONLY TIMESTAMP_URL CLI_CONFIG STAMP_STYLE STAMP_URLNEW_FIELD_SPEC PREFER_PSS DETACH_PEMLENIENTr0r0r0r3r[sr[cCsttjddddS)NzmWARNING: passphrase is empty. If you intended to sign with an unencrypted private key, use --no-pass instead.T)Zbold)rRZechostyler0r0r0r3_warn_empty_passphrases rgZpyHanko)Z prog_nameversionz--configz.YAML file to load configuration from[default: ]rhelprequiredtypez --verbosezRun in verbose mode)rlrmdefaultrnis_flagc Csd}|dkrz&ttd}|}W5QRXt}Wqtk rFYqtk r}ztdtdt|W5d}~XYqXnDz |}Wn6tk r}ztdt|W5d}~XYnX|t |dk rt ||j t j <}|j}nti}|r"|d}ttj|jd|d<n8|dj} ttj| d|d<d|krZttj| d|d<t|||rttd|dk rtd |d n td dS) NrjzFailed to read : zFailed to read configuration: )r?rAzpyhanko_certvalidator.fetcherszfontTools.subsetzRunning with --verbosez$Finished reading configuration from .z$There was no configuration to parse.)openDEFAULT_CONFIG_FILEreadFileNotFoundErrorIOErrorrRrSr8Z ensure_objectdictrobjr[r_rLrr r<DEBUGrAWARNINGrOdebug) ctxconfigr9Z config_textfrYcfgrLZroot_logger_configZ log_outputr0r0r3r+sZ             zsign PDFs and other filessign)rlnamecCsdSr:r0r0r0r0r3signingsr)existsreadabledir_okayc Cs|jtjd}z<|dk rt||fr2td|dkrDtdz|j|dd}WnFtk r} z(d|d} t j | | dt| W5d} ~ XYnXn||s|rt ||||d}nb|dk rz|jdd}Wn@tk r} z d } t j | | dt| W5d} ~ XYnXni}|dk r0||d <n | d d|rJd|d <|WStjk rhYn~t k r} z d } t j | | dt| W5d} ~ XYn@tk r} z d } t j | | dt| W5d} ~ XYnXdS)NzC--validation-context is incompatible with --trust and --other-certszNo config file specified.T)Zas_dictzAConfiguration problem. Are you sure that the validation context '0' is properly defined in the configuration file?rP)trust trust_replace other_certsretroactive_revinfoz*Failed to load default validation context.allow_fetchingrz+I/O problem while reading validation configz:Generic processing problem while reading validation config)rygetr[r_anyrRrSZget_validation_contextrrVrWr setdefaultrwrU) r}validation_contextrrrrr cli_configresultrYrTr0r0r3_build_vc_kwargssf        rcCs(|jtjd}|dkrdS|j|dS)N)r)ryrr[r_Zget_signer_key_usages)r}rrr0r0r3_get_key_usage_settings+src Csftjdddtd|}tjddddtd|}tjd d dtdddd |}tjd d ddtd|}|S)Nz--validation-contextz"use validation context from configFrkz--trustz#list trust roots (multiple allowed)T)rlrmmultiplernz--trust-replacez4listed trust roots supersede OS-provided trust storerlrmrnrpro show_defaultz --other-certsz#other certs relevant for validation)rRoptionr8 readable_filebool)rr0r0r3 trust_options7sLrc Csz|jtj}Wn0tk r@|s*YdStdtdYnXz||}WnFtk r}z(d|d}t j ||dt|W5d}~XYnX|rt |t stdn|st |t rtd|S)Nz2Using stamp styles requires a configuration file (z by default).z4Configuration problem. Are you sure that the style 'rrPzAThe --stamp-url parameter is only meaningful for QR stamp styles.z/QR stamp styles require the --stamp-url option.) ryr[r_KeyErrorrRrSrtZget_stamp_stylerrVrWr@r()r} style_nameurlrrfrYrTr0r0r3 _select_styleMs0  rcCs6|r|rtd|rd}n|r&d}nd}||d<|S)Nz<--soft-revocation-check is incompatible with --force-revinforequirez soft-fail hard-failrevocation_moderRrS) vc_kwargssoft_revocation_check force_revinfoZrev_moder0r0r3 _prepare_vclsrcCsD|dkr*tf|}tjjj||||d}ntj||||||d}|S)N)key_usage_settingssigner_validation_context skip_diff)rrZvalidation_context_kwargsr)rpyhankorrZvalidate_pdf_signatureZvalidate_pdf_ltv_signature) ltv_profilerrr embedded_sigrvcstatusr0r0r3_signature_status}s" rc Cs|}zBt|r$t|\}}}tj|}|djdkrHt dWn.t k rx}zt d|W5d}~XYnXt j ||d||d}t |S)N content_type signed_dataz"CMS content type is not signedDatazCould not parse CMS objectcontent)rrr)rurdetectZunarmorrZ ContentInfoloadZnativerRrS ValueErrorrZasync_validate_detached_cmsasynciorun) infileZ sig_infilerrZ sig_bytes_Z content_inforYZvalidation_coror0r0r3_validate_detacheds   rc CszL|}|r&|s&|jrdnd|jfWS|r:||jfWS||jfWSWntjk r}z8dt|}t||r|dfWYSWYdSW5d}~XYn\tk r}z-s z%validate_signatures..)rrrzQStrict PDF syntax is disabled; this could impact validation results. Use caution.strictFile password: promptPassword didn't match.zIThe CLI supports only password-based encryption when validating (for now)cstdS)N)rrrrrr)rr0)rrrrno_diff_analysisrr0r3rTszField rq=z z%s:%s:%szValidation failed)rRrSr&rrrrrZrprintrVinforsecurity_handlerr@rStandardSecurityHandlergetpassdecryptr AuthStatusFAILED enumerateembedded_regular_signatures signer_certsha256hexZself_reported_timestamp field_namelen)r}rrrrrrrrrrZno_revocation_checkpasswordrrrZvalidation_timeno_strict_syntaxZuse_claimed_validation_timeZ status_strZ signature_okrjsh auth_resultZall_signatures_okix fingerprintrheaderliner0)rrrrrrrrr3validate_signaturess>                  rlistzlist signature fieldsz --skip-statuszdo not print statusrc Cslt\t|}t|}t|D]:\}\}}}|r>t|q"t|d|dkrRdndq"W5QRXdS)N:ZEMPTYZFILLED)rZrrZenumerate_sig_fieldsrr)rZ skip_statusrjZ field_inforrvalueZ field_refr0r0r3list_sigfieldsls rZ ltaupdatezupdate LTA timestampzr+bz--timestamp-urlzURL for timestamp server)rlrmrnroc CsPt@t||||||}t|} t|} t| | tf|W5QRXdSr:)rZrr%rrPdfTimeStamperZupdate_archival_timestamp_chainr) r}rrrrr timestamp_urlrr timestamperrjr0r0r3 lta_update|s  rZltvfixz5add revocation information for a signature to the DSSz--fieldzname of the signature field)rlrmz--apply-lta-timestampz8Apply a document timestamp after adding revocation info.)rlrmrnrorprc  s|r|stdt|||||ddd} d| d<t|} ztfdd| jD} Wn&tk rztd d YnXtj| t f| dd } |rt |} t | j t| t jt f| dd dS) Nz8Please specify a timestamp server using --timestamp-url.FT)rrrrc3s|]}|jkr|VqdSr:)r).0sfieldr0r3 s zltv_fix..z(Could not find a PDF signature labelled rr)Zin_place)rRrSrrnextr StopIterationrZadd_validation_inforr%rrZ timestamp_pdfr DEFAULT_MD)r}rrrZapply_lta_timestamprrrrrrjZemb_sigrArr0rr3ltv_fixsH    raddsigzadd a signaturez--namezexplicitly specify signer namez--reasonzreason for signingz --locationzlocation of signingz --certifyzadd certification signature)rlrmrorprnrz--existing-onlyznever create signature fieldsz --use-padesz)sign PAdES-style [level B/B-T/B-LT/B-LTA]z--use-pades-ltazproduce PAdES-B-LTA signaturez --prefer-pssz6prefer RSASSA-PSS to PKCS#1 v1.5 padding, if available)rprornrlz--with-validation-infozembed revocation infoz --style-namez)stamp style name for signature appearancez --stamp-urlz$QR code URL to use in QR stamp stylez--detachz^write only the signature CMS object to the output file; this can be used to sign non-PDF files)rnrprorlz --detach-pemz2output PEM data instead of DER when using --detach)rlrnrprozAttempt to ignore syntactical problems in the input file and enable signature creation in hybrid-reference files.(warning: such documents may behave in unexpected ways)cCsH|p |dk|jtj<||jtj<||jtj<|rL||jtj<d|jtj<dS| rfd}} |sftd|rtt j j }nt j j }t }| rt|| | | ||dd}tf|}t|| }|dk r|jdk r|j}nd}t|dd\}}tj||||||| ||| tdtdd |jtj<||jtj<t||||jtj<||jtj<||jtj<dS) NTz/--timestamp-url is required for --use-pades-ltarF)require_full_specz pyHanko CLI)rrevision) rlocationreasonrcertify subfilterZembed_validation_inforZsigner_key_usage use_pades_ltaZapp_build_props)ryr[r]r^rcrdr\rRrSrZSigSeedSubFilterZPADESZADOBE_PKCS7_DETACHEDr"rrr key_usageparse_field_location_specrZPdfSignatureMetadatar#r rbrr`rare)r}rrrrrZ existing_onlyrZ use_padesrZwith_validation_inforrrrr stamp_url prefer_pssrdetachZ detach_pemrrrrrZkey_usage_settrnew_field_specr0r0r3rsp:          c Cst|d}t|| d}|jjr|jj}t|tjrPtjd|d}| |nDt|tj r|dk rt ||}t d|||n td|S)Nrrz"Password for encrypted file '%s': raThe file '%s' appears to be encrypted using public-key encryption. This is only partially supported in pyHanko's CLI. PyHanko will attempt to decrypt the document using the signer's public key, but be aware that using the same key for both signing and decryption is considered bad practice. Never use the same RSA key that you use to decrypt messages tosign hashes that you didn't compute yourself!zRInput file appears to be encrypted, but appropriate credentials are not available.)rsrprevZ encryptedrr@rrrencryptPubKeySecurityHandlerSimpleEnvelopeKeyDecrypterrVwarningencrypt_pubkeyrRrS) infile_pathlenientr signer_keyrwriterrZpdf_passcredr0r0r3_open_for_signing4s.      rcCs$d}|jtj}|dk r d|i}|S)Nr)ryr[ra)r} text_paramsrr0r0r3get_text_paramsWs  r)signercCst|||||}t|Sr:)async_detached_sigrr)rroutfileruse_pemcoror0r0r3 detached_sig_src st|dk rt|}d}nd}tjtd}t|d&}|j|tj |t |ddIdH}W5QRX| } |rt d| } || W5QRXdS)N)tzr)Z signing_time)rZsigned_attr_settingsZPKCS7)rZr%rnowtzlocalZ get_localzonersZasync_sign_general_datarrr$dumprZarmorwrite) rrrrrr timestampinf signatureZ output_bytesr0r0r3rgs&  rc CsZtJ|dk rt|} nd} t||j|j| d} t| |||| ||||d W5QRXdS)N)rrr rrsignature_metarrrfr existing_fields_onlyr)rZr%rZ signing_certZ signing_keygeneric_sign_pdf) rrrrr'r(rfrr rrrr0r0r3addsig_simple_signers* r*c CsRtj|||||dj|||d} | } || | |jj|dS)N)rr stamp_styler )r(Zappearance_text_params) rZ PdfSignerZsign_pdf getbufferr"releaser streamclose) rrr'rrrfr r(rrbufr0r0r3r)s   r)c Cs`|dkr dSztt|WSttfk rZ}ztjd||dWYdSd}~XYnXdS)Nz!Could not load certificates from rP)rr!rwrrVrW)filesrYr0r0r3 grab_certssr2Zpemderz$read key material from PEM/DER filesrwbz--keyz)file containing the private key (PEM/DER)z--certz2file containing the signer's certificate (PEM/DER)z--chainzkfile(s) containing the chain of trust for the signer's certificate (PEM/DER). May be passed multiple times.)rnrrlz--pemder-setupzCname of preconfigured PEM/DER profile (overrides all other options))rnrmrlz --passfilez2file containing the passphrase for the private keystdin)rlrmrnrz --no-passz*assume the private key file is unencryptedc Cs|jtj} |jtj} |jtj} |r|jtjd} | dkrJtdz| |} Wqt k r}z&d|}t j ||dt|W5d}~XYqXn0|r|stdnt ||t||jtjd} | jdk r| j}nX|dk r|d}|n2| jr6|s6tjddd}|s:tnd}| j|d }|jtjdkrrt|||| |jtjd t|||| | | |jtjt||jtj|jtjd d dS) Nz7The --pemder-setup option requires a configuration filez"Error while reading PEM/DER setup rPzXEither both the --key and --cert options, or the --pemder-setup option must be provided.)key_file cert_filerrutf-8Key passphrase: r)Zprovided_key_passphraserrFrr'r(rfrr r) ryr[r\r]r^rr_rRrSZget_pemder_configrrVrWr r2rckey_passphrasereadlinestripencoder/prompt_passphraserrg instantiaterrdr*r`rrbre)r}rrkeycertchainZ pemder_setuppassfileno_passr'r(rrZ pemder_configrYrT passphraserr0r0r3 addsig_pemdersp            rGZpkcs12z%read key material from a PKCS#12 filepfx)rnrmz --p12-setupzCname of preconfigured PKCS#12 profile (overrides all other options)zPEM/DER file(s) containing extra certificates to embed (e.g. chain of trust not embedded in the PKCS#12 file)May be passed multiple times.z4file containing the passphrase for the PKCS#12 file.cCs|jtj}|jtj}|jtj} |r|jtjd} | dkrJtdz| |} Wqt k r} z&d|} t j | | dt| W5d} ~ XYqXn*|stdnt |t||jtjd} | jdk r| j}nF|dk r|d}|n | jrtjddd}nd}| j|d }|jtjdkrZt|||| |jtjd t|||| |||jtjt||jtj|jtjd d dS) Nz4The --p12-setup option requires a configuration filez#Error while reading PKCS#12 config rPzCEither the PFX argument or the --p12-setup option must be provided.)Zpfx_filerrr7zPKCS#12 passphrase: r)Zprovided_pfx_passphraser9Fr:)ryr[r\r]r^rr_rRrSZget_pkcs12_configrrVrWrr2rcZpfx_passphraser<r=r>r/r?rr@rrdr*r`rrbre)r}rrrHrCrDZ p12_setupr'r(rrZ pkcs12_configrYrTrFrr0r0r3 addsig_pkcs12sn             rIc Cst|jtjdkr>t|||||jtjdW5QRS|dk rPt|}nd}tt||j tj d||jtj|||jtj |jtj |jtj t|d W5QRXdS)Nr9Fr&)rZryr[r\rrdr%r)rrrer`rbr]r)r}rrrrrr0r0r3 _sign_pkcs11Ns.      rJz--libzpath to PKCS#11 modulez --token-labelzPKCS#11 token labelz --cert-labelzcertificate labelz--raw-mechanismzinvoke raw PKCS#11 mechanism)rlrnrprmz --key-labelz key labelz --slot-nozspecify PKCS#11 slot to usez--skip-user-pinz7do not prompt for PIN (e.g. if the token has a PIN pad))rnrrormrprlz --p11-setupzCname of preconfigured PKCS#11 profile (overrides all other options)c  Csddlm} |jtj} | r|jtjd} | dkr>tdz| | }Wqt k r}z&d| }t j ||dt|W5d}~XYqXn<|r|std|rt jnt j}t||||t||| d}|j}|dkrtjtd}|r|}|jt jkr|dkrtjdd }z.| j||d }t||||| W5QRXWnP| jk r}z.t j d |dtd t|jd |W5d}~XYnXdS)Nr)pkcs11z4The --p11-setup option requires a configuration filez#Error while reading PKCS#11 config rPz3The parameters --lib and --cert-label are required.) module_path cert_label key_labelslot_noZtoken_criteria prompt_pin raw_mechanismzPKCS#11 user PIN: r)user_pin PKCS#11 errorPKCS#11 error: [] ) pyhanko.signrKryr[r^rr_rRrSZget_pkcs11_configrrVrWr ZSKIPZPROMPTrrrRosenvironP11_PIN_ENV_VARr=rPrZPKCS11SigningContextrJ PKCS11Errorrnr5)r}rrlibZ token_labelrMrNrOZ skip_user_pinZ p11_setuprQrKrrZ pkcs11_configrYrTZ pinentry_modeZpinZpin_envrr0r0r3 addsig_pkcs11fsZ     r\z"path to libbeidpkcs11 library filez--use-auth-certzuse Authentication cert insteadc Csddlm}|sB|jtjd}|dks2|jdkr._unavailablez [dependencies missing])pkcs11_availablePKCS11_COMMANDSrd)argsrerrbrcr0r0r3_process_pkcs11_commandss  ricCsTz,t|}|st|dkr$|dWS|WSWn"tk rNtd|YnXdS)Nrrz=Sig field parameter PAGE should be a nonzero integer, not %s.)intrrRrS)pagepage_ixr0r0r3 _index_pages  rmc Cs|dkr|rtddSz|d\}}}Wn0tk r^|rNtdn |dfYSYnXt|}ztt|d\}}}} Wntk rtdYnX|tj|||||| fdfS)Nz(A signature field spec was not provided.)NN/z;Sig field spec should be of the form PAGE/X1,Y1,X2,Y2/NAME.,z9Sig field parameters X1,Y1,X2,Y2 should be four integers.)Zsig_field_nameZon_pagebox) rRrSsplitrrmmaprjrZ SigFieldSpec) specrrkrprrlx1y1Zx2y2r0r0r3rs4  rZ addfieldsz)add empty signature fields to a PDF fieldzPAGE/X1,Y1,X2,Y2/NAME)metavarrrmc CsftVt|}|D](}t|\}}|dk s0tt||q||||W5QRXdSr:)rZrrAssertionErrorrZappend_signature_fieldr"r/)rrrrrrrsr0r0r3 add_sig_field$s   ryzstamp PDF filesstamp)writablerxyz%stamp style name for stamp appearancez--pagez)page on which the stamp should be appliedr)rlrmrnrorc CsZtJt|||}t|} |r8t|||| |||dnt|||| ||dW5QRXdS)N) dest_pager|r}r)r~r|r})rZrrmr)r*) r}rrr|r}rrkrr+rlr0r0r3rz;s* z encrypt PDF files (AES-256 only)r z!password to encrypt the file withz --recipientzIcertificate(s) corresponding to entities that can decrypt the output file)rr)rmrrlrnc Cs|r|rtdn|s(|s(tjdd}d}|r>tt|d}tht|dR}t|}t|}|rr| |n |j |dt|d}| |W5QRXW5QRXW5QRXdS)Nz2Specify either a password or a list of recipients.zOutput file password: r)Z cert_filesr)Z owner_passr3) rRrSrrr!rZrsrrrr r") rrrZ recipientZrecipient_certsr$rjwoutfr0r0r3 encrypt_file\s(     rz6decrypt PDF files (any standard PDF encryption scheme)rcCsdSr:r0r0r0r0r3rsz--forcez1ignore access restrictions (use at your own risk))rlrmrnrprozdecrypt using passwordrz!password to decrypt the file withc Cstt|d}t|}|jdkr0td|s@tjdd}||}|jt j j krh|shtdn|jt j j krtdt |}t|d}||W5QRXW5QRXW5QRXdS)NrFile is not encrypted.rrzjPassword specified was the user password, not the owner password. Pass --force to decrypt the file anyway.rr3)rZrsrrrRrSrrrrrUSERrrr") rrrforcer$rjrrrr0r0r3decrypt_with_passwords"        rz#decrypt using private key (PEM/DER)z5file containing the recipient's private key (PEM/DER)z5file containing the recipient's certificate (PEM/DER))rmrnrlrc Csd|dk r|}|n&|srgrr r_decrypt_pubkey) rrrArBrDrrErFsedkr0r0r3decrypt_with_pemders r)rc Cstt|d}t|}|jdkr0tdt|jtjsHtd| |}|j tj j krp|stdn|j tj j krtdt|}t|d}||W5QRXW5QRXW5QRXdS)Nrrz:File was not encrypted with a public-key security handler.zhChange of encryption is typically not allowed with user access. Pass --force to decrypt the file anyway.zFailed to decrypt the file.r3)rZrsrrrRrSr@rr Zdecrypt_pubkeyrrrrrr") rrrrr$rjrrrr0r0r3rs(      rz#decrypt using private key (PKCS#12)z3file containing the passphrase for the PKCS#12 filecCsX|dkrtjddd}n|d}|tjj||d}t||||dS)Nr8rr7)rF) rr>r<r=r/rr Z load_pkcs12r)rrrHrDrrFrr0r0r3decrypt_with_pkcs12s r)N)F)NN)T)rrr<rWrD contextlibrrenumrrrRr Z asn1cryptorrZpyhanko_certvalidatorrZ$pyhanko.sign.validation.pdf_embeddedrr Zpyhanko.configr r r r rrrrrrrZpyhanko.pdf_utilsrrZpyhanko.pdf_utils.config_utilsrZ$pyhanko.pdf_utils.incremental_writerrZpyhanko.pdf_utils.layoutrZpyhanko.pdf_utils.miscrZpyhanko.pdf_utils.readerrZpyhanko.pdf_utils.writerrrVrrrZpyhanko.sign.generalr r!Zpyhanko.sign.signersr"Z"pyhanko.sign.signers.pdf_byteranger#Zpyhanko.sign.signers.pdf_cmsr$Zpyhanko.sign.timestampsr%Zpyhanko.sign.validationr&Zpyhanko.sign.validation.errorsr'Z pyhanko.stampr(r)r*__all__r=r5rVrKrf ImportErrorrYrFr,rGrrOrZrtr[rggroupZversion_optionrZFileZ pass_contextr+rPathrrrrrrrrrrraargumentZChoiceas_tupler8rrrrrrrZSignerrrZ SimpleSignerr*r)r2rGrIrJrjr\r`rdrgrirmrryrzrrZdecrypt_force_flagrrr rrr0r0r0r3s    4                "     ;   D      (k   #   09 #    9    :     ;