U cX@sJddlZddlZddlZddlZddlmZddlmZddlm Z m Z m Z m Z m Z mZmZddlZddlmZddlmZddlmZddlmZmZdd lmZdd lmZmZdd lm Z dd l!m"Z"dd l#m$Z$ddl%m&Z&m'Z'Gdddej(Z)eddGdddZ*eGdddZ+dddddZ,e-dddZ.ej/Z0d7ee1e2fdddZ3e e e2e*fdd d!Z4eddGd"d#d#ej5Z6eddGd$d%d%ej5Z7eddGd&d'd'ej5Z8Gd(d)d)ej(Z9eddGd*d+d+ej5Z:ee2e1fd,d-d.Z;d/Ze&e'd1Z?e+dd2d3Z@e-e-d4d5d6ZAdS)8N) dataclass) timedelta)AnyDictIterableListOptionalSetUnion)x509)ValidationContext) config_utils)ConfigurationErrorcheck_config_keys) get_and_apply) SimpleSignerload_certs_from_pemder)load_cert_from_pemder)DEFAULT_SIGNING_STAMP_STYLE)KeyUsageConstraints) QRStampStyleTextStampStylec@seZdZeZeZdS) StdLogOutputN)__name__ __module__ __qualname__enumautoSTDERRSTDOUTr r 2/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/config.pyrsrT)frozenc@sHeZdZUeeefed<eeefed<eeeefdddZ dS) LogConfigleveloutputreturncCs>t|tstd|}|dkr(tjS|dkr6tjS|SdS)Nz)Log output must be specified as a string.stderrstdout) isinstancestrrlowerrrr)specZspec_lr r r!parse_output_spec(s zLogConfig.parse_output_specN) rrrr intr+__annotations__r staticmethodr.r r r r!r#s r#c@seZdZUeeefed<eeefed<eed<eed<eed<eed<ee ee fed<eeefed<eeefed <eeefed <e eed <dd dZ dddZ de dddZd edddZddZddZddZd S)! CLIConfigvalidation_contexts stamp_stylesdefault_validation_contextdefault_stamp_styletime_toleranceretroactive_revinfo log_config pemder_setups pkcs12_setups pkcs11_setupsbeid_module_pathNcCs@|p|j}z |j|WStk r:td|dYnXdS)Nz&There is no validation context named ''.)r5r3KeyErrorr)selfnamer r r!_get_validation_settings_rawGs   z&CLIConfig._get_validation_settings_rawFcCs,||}t||j|j}|r"|Stf|SN)rBparse_trust_configr7r8r )r@rAZas_dict vc_config vc_kwargsr r r!get_validation_contextPs z CLIConfig.get_validation_contextr&cCs||}zt|d}Wntk r2i}YnXz|d}|d|Wntk r`YnXz|d}|d|Wntk rYnXt|S)Nsigner-key-usage-policysigner-key-usagez key-usagesigner-extd-key-usagezextd-key-usage)rBdictr? setdefaultr from_config)r@rArEZpolicy_settingsZkey_usage_stringsr r r!get_signer_key_usagesWs   zCLIConfig.get_signer_key_usagesc Cs|p|j}zt|j|}WnLtk r@td|dYn*tk rh}z t|W5d}~XYnXt|dd}||S)NzThere is no stamp style named 'r>typetext) r6rKr4r?r TypeErrorSTAMP_STYLE_TYPESpoprM)r@rAZ style_configeclsr r r!get_stamp_styleqs  zCLIConfig.get_stamp_stylecCs>z|j|}Wn$tk r2td|dYnXt|S)Nz There's no PKCS#11 setup named '')r<r?rPKCS11SignatureConfigrMr@rAsetupr r r!get_pkcs11_config~s zCLIConfig.get_pkcs11_configcCs>z|j|}Wn$tk r2td|dYnXt|S)Nz There's no PKCS#12 setup named 'rW)r;r?rPKCS12SignatureConfigrMrYr r r!get_pkcs12_configs zCLIConfig.get_pkcs12_configcCs>z|j|}Wn$tk r2td|dYnXt|S)Nz There's no PEM/DER setup named 'rW)r:r?rPemDerSignatureConfigrMrYr r r!get_pemder_configs zCLIConfig.get_pemder_config)N)NF)N)N)rrrrr+rKr0rboolrr#rBrGrrNrrVr[r]r_r r r r!r27s$    r2F)r8r7cCst|ts<|dkrttd}nt|tr4t|d}ntdd|i}|rPd|d<|rt|trd|f}tt|}|r~||d<n||d<|rt|tr|f}tt||d<|S) Nseconds5time-tolerance parameter must be specified in secondsr7Tr8Z trust_rootsZextra_trust_roots other_certs)r*rDEFAULT_TIME_TOLERANCEr/rr+listr)trust trust_replacerdr8r7rFZ trust_certsr r r!init_validation_context_kwargss.        rir&c CsBtdd|t|d|dd|d|d||d|d S) Nr )rg trust-replace other-certstime-toleranceretroactive-revinforIrJrHrgrjFrkrlrm)rgrhrdr7r8)rriget)Z trust_configr7r8r r r!rDs  rDcCsfz ||}Wn4tk r@|dk r,|YStd|dYnXt|ttfsbtdt||S)NzLogging config for 'z' does not define a log level.z#Log levels must be int or str, not )r?rr*r/r+rO)Z settings_dictkeydefault level_specr r r!_retrieve_log_levels   rrc Cst|tstdt|dtd}t|dtjtj d}dt||i}| di}t|ts`td| D]H\}}t|t stdt|d}t|d tjtj d}t||d ||<qh|S) Nz%logging config should be a dictionaryz root-levelrpz root-outputz by-modulez"logging.by-module should be a dictz+Keys in logging.by-module should be stringsr$r%)r$r%) r*rKrrrDEFAULT_ROOT_LOGGER_LEVELrr#r.rrrnitemsr+) log_config_specZroot_logger_levelZroot_logger_outputr9Zlogging_by_modulemoduleZmodule_logging_settingsrqZ output_specr r r!parse_logging_configs>     rxcszeZdZUdZeed<dZeej ed<dZ e ed<dZ e ed<dZe ed <efd d Zdee ed d dZZS)r\zf Configuration for a signature using key material on disk, contained in a PKCS#12 bundle. pfx_fileNrdpfx_passphraseTprompt_passphraseF prefer_psscstt||dd}t|tr(|f}tt||d<z"|d}|dk rX|d|d<Wntk rnYnXdS)Nrdr rzutf8 superprocess_entriesrnr*r+rfrencoder?rU config_dictrd passphrase __class__r r!rs   z%PKCS12SignatureConfig.process_entries)provided_pfx_passphraser'cCs6|jp|}tj|j||j|jd}|dkr2td|S)N)ryrrdr| Error while loading key material)rzrZ load_pkcs12ryrdr|r)r@rrresultr r r! instantiate.s z!PKCS12SignatureConfig.instantiate)N)rrr__doc__r+r0rdrr Certificaterzbytesr{r`r| classmethodrrrr __classcell__r r rr!r\s    r\cseZdZUdZeed<eed<dZeej ed<dZ e ed<dZ e ed<d Ze ed <efd d Zdee ed ddZZS)r^zV Configuration for a signature using PEM or DER-encoded key material on disk. key_file cert_fileNrdkey_passphraseTr{Fr|cstt||dd}t|tr(|f}tt||d<z"|d}|dk rX|d|d<Wntk rnYnXdS)Nrdr rr}r~rrr r!rYs   z%PemDerSignatureConfig.process_entries)provided_key_passphraser'cCs:|jp|}tj|j|j|j|j|d}|dkr6td|S)N)rrrdr|rr)rrloadrrrdr|r)r@rrrr r r!ris z!PemDerSignatureConfig.instantiate)N)rrrrr+r0rdrr rrrr{r`r|rrrrrrr r rr!r^:s    r^c@s>eZdZUdZdZeeed<dZee ed<e ddZ dS) TokenCriteriazL .. versionadded:: 0.14.0 Search criteria for a PKCS#11 token. Nlabelserialc CsZzt|d|d<Wn>tk r*Yn,tk rT}ztd|W5d}~XYnXdS)Nrzsz8PKCS11PinEntryMode.parse_mode_setting...) r*r+r __members__upperr?rjoinPROMPTSKIP)rr r r!parse_mode_settings   z%PKCS11PinEntryMode.parse_mode_settingN) rrrrrrrZDEFERrr1rrr r r r!rs   rcs&eZdZUdZeed<dZeeed<dZee ed<dZ ee j ed<dZ eeed<dZeee j ed<dZeeed <dZee ed <dZeeed <dZeeed <ejZeed <dZeeeed<dZeed<dZeed<dZeed<ee edfdd Z!efddZ"Z#S)rXz Configuration for a PKCS#11 signature. This class is used to load PKCS#11 setup information from YAML configuration. module_pathN cert_labelcert_idsigning_certificatetoken_criteriard key_labelkey_idslot_nouser_pin prompt_pinr other_certs_to_pullT bulk_fetchFr| raw_mechanism) keys_suppliedcstdd|DdS)NcSsh|]}|dkr|qS)) token_labelz token-labelr )rkr r r! -sz:PKCS11SignatureConfig.check_config_keys..)rr)rUrrr r!r)s z'PKCS11SignatureConfig.check_config_keyscs t||dd}t|tr(|f}tt||d<|dd}|dk rXt||d<d|krrt|d|d<nd|krd|krt dd|krt|d|d<nd|krd|krt d t |d t j t j d |d <d |krtd t|d }d|kr d|i|d<n|dd|dS)Nrdr rrrrzNEither 'key_id', 'key_label' or 'cert_label' must be provided in PKCS#11 setuprzYEither 'cert_id', 'cert_label' or 'signing_certificate' must be provided in PKCS#11 setuprrsrz?'token_label' is deprecated, use 'token_criteria.label' insteadrr)rrrnr*r+rfrr_process_pkcs11_id_valuerrrrrwarningswarnDeprecationWarningrSrL)rUrrdrZlblrr r!r2sP          z%PKCS11SignatureConfig.process_entries)$rrrrr+r0rrrrrr rrrrdrrrrr/rrrrrrrr`r|rrr rrrr r rr!rXs(     rXrcCs"t|trt|gSt|SdSrC)r*r/rrrrr r r!rds  rrp )ZqrrPcCst|p i}tft|SrC)yamlZ safe_loadr2process_config_dict)Zyaml_strrr r r!parse_cli_configssr)rr'c Cs"tii}z|d}||Wntk r2YnXttjddi}z|d}||Wntk rnYnX|di}t|}|di}|di}|di} |d d} |d t} |d t} |d t} t | t st d t | d}t |dd}t|| |||| |||| | d S)Nzvalidation-contextsZ __stamp__)z stamp-textZ backgroundz stamp-stylesloggingz pkcs11-setupsz pkcs12-setupsz pemder-setupszbeid-module-pathzdefault-validation-contextzdefault-stamp-stylerlrcrarmF) r3r5r7r8r4r6r9r<r;r:r=)DEFAULT_VALIDATION_CONTEXTupdater?DEFAULT_STAMP_STYLErZ stamp_textrnrxrer*r/rrr`rK)rvcsZvc_specsZ stamp_configsZ stamp_specsrvr9r<r;r:r=Z default_vcr6Ztime_tolerance_secondsr7r8r r r!rxsj       r)N)BrrrrZ dataclassesrdatetimertypingrrrrrr r rZ asn1cryptor Zpyhanko_certvalidatorr Zpyhanko.pdf_utilsr Zpyhanko.pdf_utils.config_utilsrrZpyhanko.pdf_utils.miscrZ pyhanko.signrrZpyhanko.sign.generalrZpyhanko.sign.signersrZ pyhanko.sign.validation.settingsrZ pyhanko.stamprrEnumrr#r2rirKrDINFOrtr/r+rrrxZConfigurableMixinr\r^rrrXrrrrerRrrr r r r!s`  $       ] $ "8;0