U c @sBdZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZmZmZddlZddlmZmZddlmZdd lmZmZdd lmZdd lm Z dd l!m"Z"dd l#m$Z$m%Z%ddl&m'Z'm(Z(ddl)m*Z*ddl+m,Z,m-Z-ddl.m/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5m6Z6ddl7m8Z8m9Z9ddl:m;Z;mZ>ddl?m@Z@ddlAmBZBmCZCddlDmEZEmFZFmGZGmHZHmIZIddlJmKZKmLZLmMZMmNZNmOZOmPZPmQZQddlRmSZSmTZTmUZUmVZVddlWmXZXddlYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZadd lbmcZcmdZdmeZed!d"lfmgZgmhZhmiZimjZjd#d$d%d&d'd(d)gZkelemZned*e^d+Zoed,d-Gd.d'd'ZpeGd/d0d0Zqdddeafejreiesee1ee(ee ete feeoepd1d2d&Zuejve5eeejwd3d4d5Zxdeafejre"esee ete feeoepd6d7d8Zyezesepd9d:d;Z{ejre^e"ee"eed<d=d>Z|eie1e(d?d@dAZ}ddddde`fejreiee1eesee(eeee ete feeoepdB dCd#Z~ejre"e"ee"eXeeseeee ete feeoeepeqfdD dEdFZed,d-GdGd(d(epZeeGjeFjeFjeFjeFjhZddddde`fejreiee1eesee(eeee ete feeoedB dHd$ZGdIdJdJe9Ze>ee,dKdLdMZe@ee,dNdOdPZeje(ee6dQdRdSZdqeje'e(eeee3efdTdUdVZejreie,eeFeeezdWdXdYZdrejreie,eeFeeeIdZd[d\Zed,d-Gd]d^d^Zejrd_d`daZejredbdcddZeCezeecdedfdgZdseeeiee1e,dhdidjZeeGjeFjeFjeFjeFjeFjeFjhZeeFjeFjeFjeFjeFjhZed,d-Gdkd)d)eZeTeie,ee1eepdldmdnZdteTehee1eeedodpd%ZdS)ua This module contains a number of functions to handle AdES signature validation. .. danger:: This API is incubating, and not all features of the spec have been fully implemented at this stage. There will be bugs, and API changes may still occur. N)copy) dataclass)datetime) AnyDict FrozenSetIterableIteratorListOptionalSetTupleTypeTypeVarUnion)cmskeys)pdf)tspx509)CertificateList) OCSPResponse)ValidationContext)CertTrustAnchor TrustAnchor)CertValidationPolicySpecValidationDataHandlers) past_validate) POEManagerdigest_for_poe)ades_gather_prima_facie_revinfo)ValidationTimingInfo)ValidationPath)AlgorithmUsagePolicyRevocationCheckingRule) PathBuilder TrustManager) CRLContainer OCSPContainer) CRLOfInterest)OCSPResponseOfInterest)HistoricalResolver PdfFileReader) AdESFailureAdESIndeterminate AdESPassed AdESStatus AdESSubIndic)CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorextract_certificate_infofind_cms_attributefind_unique_cms_attribute)DocumentSecurityStoreEmbeddedPdfSignatureerrors generic_cms)KeyUsageConstraints)DocumentTimestampStatusPdfSignatureStatusRevocationDetailsSignatureCoverageLevelSignatureStatusSignerAttributeStatusStandardCMSSignatureStatusTimestampSignatureStatus) DiffPolicy DiffResultSuspiciousModification)LocalKnowledgePdfSignatureValidationSpecSignatureValidationSpec"bootstrap_validation_data_handlersades_basic_validationades_with_time_validationades_lta_validationades_timestamp_validationAdESBasicValidationResultAdESWithTimeValidationResultAdESLTAValidationResult StatusType)boundT)frozenc@s2eZdZUdZeed<eeed<eeed<dS)rSuR Result of validation of basic signatures. ETSI EN 319 102-1, § 5.3 ades_subindic api_status failure_msgN) __name__ __module__ __qualname____doc__r1__annotations__r rVstrrbrb@/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/sign/validation/ades.pyrSts   c@seZdZUeed<eeed<eeed<dZeeed<dZ eeed<dZ ee ed<dZ ee ed<dZ eeed <d d ZdS) _InternalBasicValidationResultrYsignature_poe_timesignature_not_before_timeN status_kwargstrust_subindic_updatesignature_ts_validitycontent_ts_validitysigner_attr_statuscCsv|j}|jr|j|d<|r*|jr*|j|d<|r>|jr>|j|d<|rl|jrl|jj|d<|jj|d<|jj|d<|f|S)Ntrust_problem_indicZtimestamp_validityZcontent_timestamp_validityac_attrscades_signer_attrsac_validation_errs)rgrhrirjrkrmrnro)self status_clswith_ts with_attrsrgrbrbrcupdates      z%_InternalBasicValidationResult.update)r\r]r^r1r`r rrgdictrhrirErjrkrCrtrbrbrbrcrds   rd)tst_signed_datavalidation_specexpected_tst_imprint timing_infovalidation_data_handlersextra_status_kwargsrqreturnc sR|p t}|jp|j}|dkr,t||d}|j||d}t|||||dIdHS)uW Validate a timestamp token according to ETSI EN 319 102-1 § 5.4. :param tst_signed_data: The ``SignedData`` value of the timestamp. :param validation_spec: Validation settings to apply. :param expected_tst_imprint: The expected message imprint in the timestamp token. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :return: A :class:`.AdESBasicValidationResult`. Nspecryryhandlers)r{rq)r!nowts_cert_validation_policycert_validation_policyrNbuild_validation_context'_ades_timestamp_validation_from_context) rvrwrxryrzr{rqrvalidation_contextrbrbrcrRs(! ) signer_info algo_policy control_time public_keycCsT|d}|j|||d}|sPd|jd|d}tj||jdkrFtjntjddS)NZsignature_algorithm)rzSignature algorithm z not allowed as of z:, which is the time of the earliest PoE for the signature.ades_subindication)Zsignature_algorithm_allowedZsignature_algor;SignatureValidationErrorZnot_allowed_afterr.ZCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POE)rrrrZsig_algoZ sig_allowedmsgrbrbrc#_ades_signature_crypto_policy_checksr)rvrrxr{rqr|c st|pi}tj|||dIdH}|||f|}|jsLttj|ddS|jsbttj |ddSt |||dddIdH}||_ t|j |j|dddddS)N)rrxrYrZr[ac_validation_contextrfFrrrs) rur<Zvalidate_tst_signed_datartintactrSr- HASH_FAILUREvalidSIG_CRYPTO_FAILURE_process_basic_validationrgrY) rvrrxr{rqrgstatus_kwargs_from_validationstatus interm_resultrbrbrcrsJ     r)signed tst_digestr|cs8tj||d}|dk r(t|||IdHSttjdddS)NrrYr[rZ)r<extract_tst_datarrSr.ZGENERIC)rrrrrvrbrbrc_ades_process_attached_ts*s r) signed_data temp_statusts_validation_contextrrfcs|j}t|}d}|tjtjfkrt||dt|ddjdIdH}|j t j kr|j }|dk rpt |j|}n|j}|tjkr|j} | j} tj} n|jj} tj} || kr| }t|} tj| j| j||ddIdH} |pt j }t||||tf| ddS)NT signed_attrsZmessage_digestrr)Zsd_attr_certificates signer_certrZsd_signed_attrs)rYrhrjrfrkre)rlr<extract_signer_infor.REVOKED_NO_POEOUT_OF_BOUNDS_NO_POErr8nativerYr/OKrZmax timestamprevocation_detailsrevocation_dater-ZREVOKED signing_certnot_valid_afterZEXPIREDr6Zcollect_signer_attr_statusZattribute_certsrrdrC)rrrrrfZades_trust_statusr ts_statusZcontent_ts_result revo_detailscutoffZ perm_status cert_infoZattr_status_kwargsrYrbrbrcr8s^       r)rwryrzcCsZ|jj||d}|jdk r,|jj||d}n|}|jdk rL|jj||d}nd}|||fS)Nr)rrrZac_validation_policy)rwryrzrrrrbrbrc _init_vcs~s"  r) rrwry raw_digestrzrfr{rqr|c s~|p t}|dkr t||d}t|||\}} } t||| | |j||||d IdH} t| trb| St| j| j t dddddS)u Validate a CMS signature according to ETSI EN 319 102-1 § 5.3. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr}) rrrrkey_usage_settingsrrfr{rqFTrr) r!rrNr_ades_basic_validationr isinstancerSrYrtrD) rrwryrrzrfr{rqrrrrrbrbrcrOs<$   ) rrrrrrrfr{rqr|c  st|pi} z&tj||||dIdH} | | Wn:tjk rl} zt| j| jddWYSd} ~ XYnX|f| } | j stt j | ddS| j stt j | ddSt|| |||dIdH} | | _| S)N)rrrrrr)rur<Zcms_basic_validationrtr;rrSrfailure_messagerr-rrrrrg)rrrrrrrfr{rqrgrerrrbrbrcrsJ    rc@s"eZdZUeed<eeed<dS)rTbest_signature_timerfN)r\r]r^rr`r rbrbrbrcrTs c s|p t}|dkr t||d}t|||\}} } |dddj} |j| } t||| | |j||||d IdH} t| t rt | j | j | j | |dS| j tkrt| tst| j}| j|ddd }t | j |d| |dSt|}t||d t|d IdH}| j|d dd }|j tjkr,t | j |d| |dS|j }| dk rJt|j| } n|j} || _| | _| j tjkr|j}| |j krt | j |d| |dSn0| j tj!kr| |j"j#krt tj$|d| |dS|dk r|| krt tj%|d| |dSd| _&d| j'd <| j|ddd }t tj|d| |dS) u Validate a CMS signature with time according to ETSI EN 319 102-1 § 5.5. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr} signer_infosr signature)rrrrrrfr{rq)rYrZr[rrfTrFrrl)(r!rrNrr poe_managerrrrrSrTrYrZr[_WITH_TIME_FURTHER_PROCrdAssertionErrorrfrtr<rrZcompute_signature_tst_digestr/rminrrirer.rrrrrnot_valid_before NOT_YET_VALIDZTIMESTAMP_ORDER_FAILURErhrg)rrwryrrzrfr{rqrrr sig_bytesrerrZrZ sig_ts_resultrrrrrbrbrcrP(s$           c@s4eZdZejedddZejeedddZ dS) _TrustNoOne)certr|cCsdS)NFrbrprrbrbrcis_rootsz_TrustNoOne.is_rootcCstdS)Nrb)iterrrbrbrcfind_potential_issuerssz"_TrustNoOne.find_potential_issuersN) r\r]r^r Certificateboolrr rrrbrbrbrcrsrcrlrrcstfdd|jDS)Nc3s|]}|jjkVqdSN)pathleaf).0 prov_pathrrrbrc sz0_crl_issuer_cert_poe_boundary..)anyZ prov_pathsrrbrrc_crl_issuer_cert_poe_boundarysrocsprrcCs||jj|kSr)rrrrbrbrc_ocsp_issuer_cert_poe_boundarysr)rrzrrevocation_checking_rulecsj}|jtd}tjdfdd tfdd|D}j}g}g} t} |D]} | IdH\} } | D]8}t |j |r| |qv|j j }| t|qv| D]8}t|j |r| |q|jj}| t|qq`|s| rj| j| || fS)N)r trust_manager)isscs$tt|gd}t|jdS)N)Z trust_anchorZintermr)rrevinfo_managerrr)r"rr r)rZtruncated_path)rrrrzrbrc_for_candidate_issuerszB_find_revinfo_data_for_leaf_in_past.._for_candidate_issuercsg|] }|qSrbrb)rr)rrbrc sz7_find_revinfo_data_for_leaf_in_past..) cert_registryrrrrasyncioZ as_completedrsetrrappendrcrl_datadumpaddrrZ ocsp_responseZocsp_response_datarZ evict_crlsZ evict_ocsps)rrzrrregistryZcandidate_issuersZ job_futuresrcrlsocspsZto_evictZ fut_resultsZnew_crlsZ new_ocspsZcrl_oiZ revinfo_dataZocsp_oirb)rrrrrzrc#_find_revinfo_data_for_leaf_in_pastsJ         r)rvalidation_policy_specrzinit_control_timer|c st|j|jd}d}||}zR|2zF3dHW}tt||||dIdH\}}} |dkr$|| fW Sq$6W5|IdHXd} |dk rtj | |dntj | dt j ddS)N)rr)rrrzrz2Unable to construct plausible past validation pathrrz": no prima facie paths constructed) r%rrZasync_build_paths_lazycancelr<Zhandle_certvalidator_errorsrr;rr.ZNO_CERTIFICATE_CHAIN_FOUND) rrrzrZ path_builderZcurrent_subindicationpathsZ cand_pathrvalidation_timerrbrbrc_build_and_past_validate_cert&s<  rrrwrcurrent_time_sub_indicr is_timestampcsHt|d|d}|dddj}||}zt|} | j} Wn$tk r^tjdtjdYnX|rr|j pn|j } n|j } t | ||| j j jdIdH\t| | |d IdH\} } fd d }|| kr6|tjkr|dS|tjtjfkrdS|tjtjfkr6|| jkr tjd tjd n|| jkr6|dStjd|d dS)NT)Z is_historicalpoe_manager_overriderrrz,signer certificate not included in signaturer)rr)rrzcs$tps tj}tjd|ddS)N)zoPOE for signature available, but could not obtain sufficient POE for the issuance of the revocation informationr)rr.REVOCATION_OUT_OF_BOUNDS_NO_POEr;r)rZ leaf_crlsZ leaf_ocspsrbrc(_pass_contingent_on_revinfo_issuance_poes  zQ_ades_past_signature_validation.._pass_contingent_on_revinfo_issuance_poez'Signature predates cert validity periodrzHPast signature validation did not manage to improve current time result.)rNrr6rr2r;rr.ZNO_SIGNING_CERTIFICATE_FOUNDrrrZrevinfo_policyZrevocation_checking_policyZee_certificate_rulerrREVOKED_CA_NO_POErrOUT_OF_BOUNDS_NOT_REVOKEDrr-rrZSigSeedValueValidationError)rrwrrrrrzsignature_bytesrrrrZ cert_pathrrrbrrc_ades_past_signature_validationQsr      r)rrwrrrr|c sv|d}|djdk}z"t||||||dIdHtjWStjk rp}zt||jWYSd}~XYnXdS)u Validate a CMS signature in the past according to ETSI EN 319 102-1 § 5.6.2.4. This is internal API. .. danger:: The notion of "past validation" used here is only valid in the narrow technical sense in which it is used within AdES. It should _never_ be relied upon as a standalone validation routine. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param poe_manager: The POE manager from which to source existence proofs. :param current_time_sub_indic: The AdES subindication from validating the signature at the current time with the relevant settings. :param init_control_time: Initial value for the control time parameter. :return: An AdES subindication indicating the validation result after going through the past validation process. encap_content_info content_typetst_inforN) rrr/rr;rloggerwarningr)rrwrrrZecirrrbrbrcades_past_signature_validations!  rc@s\eZdZUeed<eed<eeed<ej ed<eed<e e e dfed<e dd d ZdS) PrimaFaciePOE pdf_revision timestamp_dtdigests_coveredtimestamp_token_signed_data doc_digestN diff_result)managercCs |jD]}|j||jdqdS)N)digestdt)r Zregister_by_digestr )rprthingrbrbrcadd_to_poe_managers z PrimaFaciePOE.add_to_poe_manager)r\r]r^intr`rrbytesr SignedDatarrHrIrrrbrbrbrcrs   r)sdccs,|dD]}|jdkrt|jVqdS)NZ certificates)Z certificateZ v2_attr_set)namerZchosenr)rZ cert_choicerbrbrc&_extract_cert_digests_from_signed_datas  r)rr|cCs|ddj}|djS)Nrcontentgen_time)parsedr)rrrbrbrc_get_tst_timestampsr)rinclude_content_ts diff_policyc CsDt}t}g}t|jD]"\}}|j||dkdt||jd}|j} d} d} |jdkrf| } d} n|rztj |j dd} | dk rt |} | ddt| j| j| jD| ||} |tjk}|r|t|jt| t|| | |jd t}| t| | t| |j d }| sz2t|d }| d dt|d |dDWntt fk rYnX|j dj!}|"t#|zt$|d}Wnt t%fk rd}YnXzt$|j dd}Wnt t%fk rd}YnXt||D]2}|ddD]}|dj!}|"t#|qq q|S)N)Z skip_diff)revisionFz /DocTimeStampTrcss|]}t|jVqdSr)r get_objectdataritemrbrbrcrQszC_build_prima_facie_poe_index_from_pdf_timestamps..)r r r r r rrZadobe_revocation_info_archivalcss|]}t|VqdSr)rrr$rbrbrcr}srrrZcontent_time_stamprbZunsigned_attrsZsignature_time_stamprr)&r enumerateZembedded_signaturesZcompute_integrity_infor+signed_revisionrZsig_object_typer<rrr9read_dssrt itertoolschainrrcertsvaluescompute_digestZevaluate_signature_coveragerAZENTIRE_REVISIONrrr frozensetrrr8r4r5rrrr7r3)rrr Zcollected_so_farZ for_next_tsprima_facie_poe_setsix embedded_sigZ hist_handlerrZts_signed_dataZ is_doc_tsdssr Zcoverage_normalrZ revinfo_attrrZ content_tsesZsignature_tsesZts_dataZts_signer_infoZ ts_sig_bytesrbrbrc0_build_prima_facie_poe_index_from_pdf_timestampss             r3)r/rwcur_timing_infor|c s:t|ddd}|p"tjtd}t}|j|t|D]\}}t |}|t |dkrt||d}||t |||d} t |j |||j| d|jitdIdH} | j} | jtjkr||q>| jtjkrtjd | d q>t| tstt|j ||| |jd IdH} | jtjkr&||q>tjd | d q>|S) NcSs|jSrr )prbrbrcz+_validate_prima_facie_poe..)keytzrJryrr)rvrwryrxrzr{rqz9Permanent failure while evaluating timestamp in PoE chainr)rrwrrrzZCould not validate timestamp in PoE chain at current time, and past validation also failed)sortedr!rtzlocal get_localzonerlocal_knowledgerr&rlenrNrRr r rr>rYrr0ZPASSEDZFAILEDr;rrr.rrr) r/rwr4Zcandidate_poesZresulting_poesr0poeZtemporary_poesZnext_poerzZcur_time_resultZ sub_indicZ past_resultrbrbrc_validate_prima_facie_poesf          rCc@s*eZdZUdZeeed<eeed<dS)rUu Result of a PAdES validation for a signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. oldest_evidence_record_timestampsignature_timestamp_statusN)r\r]r^r_r rr`rSrbrbrbrcrUs  )r1rwrryr|c s"|jdj}|j}|jp|j}|j}|dkr0dSt||||t|||ddIdH}|j } t | t r| t krz2t |||| |jddIdHttj|jdd} Wqtjk r} zt| j| j|jd} W5d} ~ XYqXn|} |dd j} |j| d d |jd r| d j} ||| | S)Nrr<)rvrwryrxrzTrrrrrZmessage_imprintZhash_algorithm)Zmomentr)rrZattached_timestamp_datarralgorithm_usage_policyrRZcompute_tst_digestrNrYrr._LTA_TS_FURTHER_PROCrrrSr/rrZr;rrrrZdigest_algorithm_allowedregister)r1rwrryrZ signature_tsrrZsignature_ts_prelim_resultZts_current_time_sub_indicsignature_ts_resultrrZsignature_ts_dtrbrbrc_process_signature_tssn       rJ)r1pdf_validation_specryrfr|c s|ptjtd}tjd|jd}|j}|j}t j}dd|j D}dd|j D} t |} t|j||j| |j| |jd} tj|| d} d } d }zRt|| |d Id H} ttfd d |d d d d}|d k r|j}n tdWn4tjk r*}ztjd|dW5d }~XYnX|d krFt} | | | d k sTt t!| || d}t"j#| ||$|dj%it&dId H}|j'}|t(krd|d}t)||j*||j+|j,|d dSj-dj.}| /||j+t0| | |dId H}t1|t2rtz"t3j#| | ||j4ddId HWnPtjk rr}z.| |}t)|j5|j6|j*||j,||dWYSd }~XYnX| |}| j7j8}z(j9}t:j-|||j;dt.cSs"g|]}tt|jdqS))r)r'rrLr"r#)rrrbrbrcrs) known_ocsps known_crls known_certs known_poes)r@N)rwr4cs |jjkSr)r r'rBr1rbrcr7r8z%ades_lta_validation..cSs|jSrr5rRrbrbrcr7r8)r9defaultzRNo document timestamps after signature; proceeding without past proof of existencezXDocument timestamp chain failed to validate; proceeding without past proof of existence.)exc_info)r~ryrr)rrwryrzrrfr{rqz?Validation of signature at current time failed with indication z!. Past validation not applicable.)rYrZr[rrfrDrEr)rwrryFr)rYr[rZrrfrErD)rrr)rYrZr[rrfrErD)>r!rr>r?r3readerr Zsignature_validation_specr@r9r(rrlistZ load_certsrKrNrOrPrQ dataclassesreplacerCrfilterr rrr;rrrrrNrPrr-rr?rY_LTA_FURTHER_PROCrUrZrrfrrrHrJrr.rrrrrrFrrrr/r)r1rKryrfZpoe_listrwZinit_local_knowledger2Z dss_ocspsZdss_crlsZ dss_certsr@Zaugmented_validation_specZupdated_poe_managerrDZoldest_docts_recordrZwith_time_data_handlersZsignature_prelim_resultrr[rrIZsig_poererrrYrbrSrcrQ^s            )N)N)N)NN)r_rrXr)loggingrrrtypingrrrrr r r r r rrrr>Z asn1cryptorrrZasn1_pdfrrZasn1crypto.crlrZasn1crypto.ocsprZpyhanko_certvalidatorrZpyhanko_certvalidator.authorityrrZpyhanko_certvalidator.contextrrZ#pyhanko_certvalidator.ltv.ades_pastrZpyhanko_certvalidator.ltv.poerrZ$pyhanko_certvalidator.ltv.time_slider Zpyhanko_certvalidator.ltv.typesr!Zpyhanko_certvalidator.pathr"Z!pyhanko_certvalidator.policy_declr#r$Zpyhanko_certvalidator.registryr%r&Z&pyhanko_certvalidator.revinfo.archivalr'r(Z*pyhanko_certvalidator.revinfo.validate_crlr)Z+pyhanko_certvalidator.revinfo.validate_ocspr*Zpyhanko.pdf_utils.readerr+r,Zpyhanko.sign.ades.reportr-r.r/r0r1Zpyhanko.sign.generalr2r3r4r5r6r7r8Zpyhanko.sign.validationr9r:r;r<Z pyhanko.sign.validation.settingsr=Zpyhanko.sign.validation.statusr>r?r@rArBrCrDrEZ diff_analysisrGrHrIZ policy_declrKrLrMrN__all__ getLoggerr\rrVrSrdrrrarRZ SignerInfoZ PublicKeyInforrrrrrrOrrTr.rrrrrrrPrrrrrrrrrrrr3rCrrr[rGrUrJrQrbrbrbrcs    8          $  (   # 8  +  G & F 1     L , j 3  ' J   J