U ci@sLddlZddlZddlZddlZddlmZddlmZmZm Z ddl m Z m Z m Z mZddlmZddlmZmZmZddlmZmZdd lmZmZmZmZmZdd lmZm Z m!Z!m"Z"dd l#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-dd l.m/Z/m0Z0dd l1m2Z2m3Z3eGdddZ4ee5e6fe6dddZ7d6e6e4e e6dddZ8d7e6e4e6e e6dddZ9dddZ:e6dddZ;d8e6e6e e6e6dd d!ZZ?Gd$d%d%ej@e/ZAGd&d'd'e'ejBZCGd(d)d)eCe2ZDGd*d+d+eCe3ZEeFd,ZGd-d.ZHd/d0ZIejJd1d2d3ZKe,jLGd4d5d5e,ZMe/LeAdS)9N) dataclass)sha256sha384sha512)DictOptionalTupleUnion)core)Cipher algorithmsmodes)genericmisc)compute_o_value_legacycompute_o_value_legacy_prepcompute_u_value_r2compute_u_value_r34legacy_normalise_pw)aes_cbc_decryptaes_cbc_encrypt as_signed rc4_encrypt) ALL_PERMS AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterPdfKeyNotAvailableErrorSecurityHandlerSecurityHandlerVersion)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinRC4CryptFilterMixinc@s:eZdZUeed<eed<eed<eeddddZdS) _R6KeyEntry hash_valuevalidation_saltkey_salt)entryreturncCs4t|dkstt|dd|dd|ddS)N0 ()lenAssertionErrorr()clsr,r4D/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/pdf_utils/crypt/standard.py from_bytes,sz_R6KeyEntry.from_bytesN)__name__ __module__ __qualname__bytes__annotations__ classmethodr6r4r4r4r5r(&s r()passwordr-cCs8t|tr,|sdSddlm}||d}|ddS)Nr)saslprepzutf-8) isinstancestrZ _saslprepr?encode)r=r?r4r4r5_r6_normalise_pw2s   rD)pw_bytesr,u_entrycCst||j|}||jkSN) _r6_hash_algor*r))rEr,rFZpurported_hashr4r4r5_r6_password_authenticate<srI)rEr,e_entryrFcCs2t||j|}t|dkstt||tdddS)Nr/FkeydataZiv use_padding)rHr+r1r2rr:)rEr,rJrFZ interm_keyr4r4r5_r6_derive_file_keyBsrPTF)TFZ input_bytescCstdd|DdS)Ncss|]}|dVqdS)Nr4.0br4r4r5 Ssz_bytes_mod_3..rT)sumrSr4r4r5 _bytes_mod_3QsrZ)rE current_saltrFr-c Cst|}t|dkst|||r@t|dks6t|||}tttf}d}}|dksn||dkr|||pzdd}t|dd||ddd d d } |t| dd} | | }| t| d }|d 7}qZ|ddS) u3 Algorithm 2.B in ISO 32000-2 § 7.6.4.3.4 r.r@r/r>NrKFrLr) rr1r2updatedigestrrrrZ) rEr[rFZ initial_hashkhashesZround_noZ last_byte_valZk1eZ next_hashr4r4r5rHVs0       rHc@sFeZdZdZdZdZdZdZdZe j ddd Z e ddd d Z dS) StandardSecuritySettingsRevisionz;Indicate the standard security handler revision to emulate.rTNr-cCs |j}|dkrtSt|SrG)valuerZ NullObject NumberObject)selfvalr4r4r5 as_pdf_objectsz.StandardSecuritySettingsRevision.as_pdf_objectcCs*z t|WStk r$tjYSXdSrG)rc ValueErrorOTHER)r3rhr4r4r5 from_numbers z,StandardSecuritySettingsRevision.from_number)r7r8r9__doc__ RC4_BASICZ RC4_EXTENDED RC4_OR_AES128AES256rnrZ PdfObjectrlr<ror4r4r4r5rcssrcc@sXeZdZdejfdejddifgZeedddZe ddd Z ee d d d Z d S)_PasswordCredential pwd_bytesid1optionalTrgcCsdS)Nrur4r3r4r4r5get_namesz_PasswordCredential.get_namecCs|SrG)dumprjr4r4r5 _ser_valuesz_PasswordCredential._ser_value)rNcCs0z t|WStk r*tdYnXdS)Nz)Failed to deserialise password credential)rtloadrmr PdfReadError)r3rNr4r4r5 _deser_values z _PasswordCredential._deser_valueN) r7r8r9r Z OctetString_fieldsr<rBryr:r|rr4r4r4r5rtsrtcsTeZdZUdZdZded<eddZfddZe d d d Z fd d Z Z S)StandardCryptFilterzB Crypt filter for use with the standard security handler. NStandardSecurityHandler_handlercCst|jtr|jjStdSrG)rArr _auth_failedNotImplementedErrorr{r4r4r5rs z StandardCryptFilter._auth_failedcs$t|tstt|d|_dSrG)rAr TypeErrorsuper_set_security_handler _shared_key)rjhandler __class__r4r5rs  z)StandardCryptFilter._set_security_handlerrgcCs |jSrG)rget_file_encryption_keyr{r4r4r5derive_shared_encryption_keysz0StandardCryptFilter.derive_shared_encryption_keycst}t|j|d<|S)N/Length)rrlrrikeylenrjresultrr4r5rls z!StandardCryptFilter.as_pdf_object) r7r8r9rprr;propertyrrr:rrl __classcell__r4r4rr5rs    rc@seZdZdZdS)StandardAESCryptFilterz= AES crypt filter for the standard security handler. Nr7r8r9rpr4r4r4r5rsrc@seZdZdZdS)StandardRC4CryptFilterz= RC4 crypt filter for the standard security handler. Nrr4r4r4r5rsrz/StdCFcCsttt|dittdSNr)Zdefault_stream_filterZdefault_string_filter)rSTD_CFrrr4r4r5_std_rc4_configs  rcCsttt|dittdSr)rrrrr4r4r5_std_aes_configs  r)cfdictcCs|dd}t|ddS)Nrr0r\r)getr)rZ_acts_as_default keylen_bitsr4r4r5#_build_legacy_standard_crypt_filters rcs>eZdZUdZedddddddZeeje fe d<e e dd d Z e d d d ed d feedddZe d ed fddZed-ddZd.eeeedfdd Ze ejedddZe ejdddZdd Zed!d"d#Zed!d$d%Zd/e ee!d&d'd(Z"e#e$e efdd)d*Z%edd+d,Z&Z'S)0ra Implementation of the standard (password-based) security handler. You shouldn't have to instantiate :class:`.StandardSecurityHandler` objects yourself. For encrypting new documents, use :meth:`build_from_pw` or :meth:`build_from_pw_legacy`. For decrypting existing documents, pyHanko will take care of instantiating security handlers through :meth:`.SecurityHandler.build`. cCs tddS)NrKrr___r4r4r5r>z StandardSecurityHandler.cCs tddS)Nr/rrrr4r4r5rr>cCstSrG)r rr4r4r5rr>)z/V2z/AESV2z/AESV3z /Identity_known_crypt_filtersrgcCs tdS)N /Standard)r NameObjectrxr4r4r5rysz StandardSecurityHandler.get_nameNrKT)revpermsc  KsLt|}|dk rt|n|}|tjkr4t|d|tjkrDd}n|rV|tjkrVd}t|||j|} t|d@}|tjkrt|dB}t|| ||\} } nt ||j|| ||| \} } |tjkrt j}n|tjkrt j }nt j }|tjkr|dkr|rt dd}n t|d}|f||||| | || d| }| |_t||d |_|S) a Initialise a legacy password-based security handler, to attach to a :class:`~.pyhanko.pdf_utils.writer.PdfFileWriter`. Any remaining keyword arguments will be passed to the constructor. .. danger:: The functionality implemented by this handler is deprecated in the PDF standard. We only provide it for testing purposes, and to interface with legacy systems. :param rev: Security handler revision to use, see :class:`.StandardSecuritySettingsRevision`. :param id1: The first part of the document ID. :param desired_owner_pass: Desired owner password. :param desired_user_pass: Desired user password. :param keylen_bytes: Length of the key (in bytes). :param use_aes128: Use AES-128 instead of RC4 (default: ``True``). :param perms: Permission bits to set (defined as an integer) :param crypt_filter_config: Custom crypt filter configuration. PyHanko will supply a reasonable default if none is specified. :return: A :class:`StandardSecurityHandler` instance. Nz/ is not supported by this bootstrapping method.rKlr)versionrevision legacy_keylen perm_flagsodataudatacrypt_filter_configencrypt_metadatarurv)rrcrrrmrqrrhrrrr#RC4_40RC4_LONGER_KEYSrrrrt _credential)r3rrvdesired_owner_passdesired_user_passZ keylen_bytesZ use_aes128rrrkwargso_entryrFrMrshr4r4r5build_from_pw_legacys'             z,StandardSecurityHandler.build_from_pw_legacyc Kst|}|dk rt|n|}td}td} td} t|| } | | | } t|| } t| |tddd\}}t|dksttd}td}t||| }|||}t||| }t||tddd\}}t|dkstt d|d@}|d |rd nd d td }t t |t }|}|||}|ftjtjd||| ||||d |}||_td|i|_|S)a Initialise a password-based security handler backed by AES-256, to attach to a :class:`~.pyhanko.pdf_utils.writer.PdfFileWriter`. This handler will use the new PDF 2.0 encryption scheme. Any remaining keyword arguments will be passed to the constructor. :param desired_owner_pass: Desired owner password. :param desired_user_pass: Desired user password. :param perms: Desired usage permissions. :param encrypt_metadata: Whether to set up the security handler for encrypting metadata as well. :return: A :class:`StandardSecurityHandler` instance. Nr/r\rKF)rOzzDStandardSecurityHandler.gather_encryption_metadata../UEcSs|jSrGrrr4r4r5r r>/PermscSs|jSrGrrr4r4r5r r>/EncryptMetadataT)default)rrrrrrrr) rrrKeyErrordictrrrZ get_and_applybool)r3rrrrrr4r4r5gather_encryption_metadatas@      z2StandardSecurityHandler.gather_encryption_metadata)rcCs>t|d}t|d}tf||||d||S)N/V/R)rrr)r#rorcrZprocess_crypt_filtersr)r3rvrr4r4r5instantiate_from_pdf_objectsz3StandardSecurityHandler.instantiate_from_pdf_objectcCst}td|d<t|j|d<t|j|d<tt|j|d<|j s\|j t j krpt|j d|d<|j |d<|j|d <|j t j krt|j|d <||j|jtjkrt|j|d <t|j|d <t|j|d <|S)Nrz/Filterrrrr\rrrrrrr)rDictionaryObjectrZByteStringObjectrrrirrZ_compat_entriesrr#rrrlrZ BooleanObjectrr^rrcrsrrrrr4r4r5rls(    z%StandardSecurityHandler.as_pdf_object)rvcCst|j}|j}|tjkr.t||j|j|\}}n:t||j|j |j|j||j \}}|dd}|dd}||k|fS)NrK) rrrcrqrrrrrhrr)rjrvr=rZ user_tokenZuser_tok_suppliedrMr4r4r5_auth_user_password_legacy5s*    z2StandardSecurityHandler._auth_user_password_legacyc st||d}|j}t||j|j}|tjkr.)rtrrrhrrcrqrrranger:rrrOWNERUSERFAILED) rjrvr=credrrMZ prp_userpassrkZnew_keyZowner_passwordZ user_passwordr4rr5_authenticate_legacyFs,    z,StandardSecurityHandler._authenticate_legacy)rvr-cCst|trt|}t|tttfs:tdt |dt|trX|dj }|dj }|j }|t j krx||\}}n*|dkrtdt|}|||\}}|dk r||_nd|_t||jdS) a Authenticate a user to this security handler. :param credential: The credential to use (a password in this case). :param id1: First part of the document ID. This is mandatory for legacy encryption handlers, but meaningless otherwise. :return: An :class:`AuthResult` object indicating the level of access obtained. z]Standard authentication credential must be a string, byte string or _PasswordCredential, not .rvruNz+id1 must be specified for legacy encryptionT)statusZpermission_flags)rAr%r$Z deserialisertrBr:rr~typeZnativerrcrs_authenticate_r6rrrrrr)rjZ credentialrvrresrMr4r4r5 authenticatecs,      z$StandardSecurityHandler.authenticatec Cs4t|}t|j}t|j}t|||jrHtj}t|||j |j}n*t||rhtj }t|||j }n tj dfSt t|t}|}||j|} | dddk} | |jtd| dddkM} zt| d} | | |jkM} Wntk r d} YnX| std td |i|_||fS) N rzsd  0       h