U c_@sxddlZddlZddlmZddlmZddlmZddlm Z ddlm Z ddl mZddlmZmZdd lmZdd lmZmZdd lmZdd lmZdd lmZddlmZddlm Z ddl!m"Z"ddl#m$Z$m%Z%ddl&m'Z'ddddgZ(ddl)m*Z*ddl+m,Z,e-e.Z/eGdddZ0ddZ1GdddZ2d&e'ed!d"dZ3d d#d dd ej4d#fe'ee5d$d%dZ6dS)'N) dataclass)field)Optional)crl)ocsp) Certificate)CertificateValidatorValidationContext)ValidationPath)genericmisc)pdf_name)IncrementalPdfFileWriter) get_and_apply) PdfHandler)BasePdfFileWriter)extract_certificate_info)NoDSSFoundErrorValidationInfoReadingError)EmbeddedPdfSignatureVRIDocumentSecurityStoreasync_add_validation_infocollect_validation_info)SerialisedCredential) PdfFileReaderc@sXeZdZUdZeedZeed<eedZeed<eedZ eed<e j dddZ d S) raA VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature. .. note:: The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler. )default_factorycertsocspscrlsreturncCsbttdtdi}|jr0t|j|td<|jrJt|j|td<t|j|td<|S)zT :return: A PDF dictionary representing this VRI entry. z/Type/VRIz/OCSPz/CRLz/Cert)r DictionaryObjectr r! ArrayObjectr"r )selfvrir*?/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/sign/validation/dss.py as_pdf_object>szVRI.as_pdf_objectN) __name__ __module__ __qualname____doc__ data_fieldsetr __annotations__r!r"r r&r,r*r*r*r+r#s  ccsD|dj}|dkr@|d}|djdkr@|dj}|dEdHdS) zJ Essentially nabbed from _extract_ocsp_certs in ValidationContext Zresponse_statusZ successfulresponse_bytesZ response_typeZbasic_ocsp_responseresponser N)Znativeparsed)Z ocsp_responsestatusr4r5r*r*r+enumerate_ocsp_certsLs   r8c @seZdZdZd*edddZeddZdd Zd d Z d d Z ddZ e e jdddZddddddZddZddZd+edddZeedddd Zeddddddd!eedd"d#d$Zedddddd%ddd&eeeed'd(d)ZdS),rz, Representation of a DSS in Python. Nwriterc Cs|dk r |ni|_|dk r|ni|_|dk r0|ng|_|dk rB|ng|_||_|dk rZ|nt|_i}|jD]}|j } ||| <qn||_ i} |jD]} | j } | | | <q| |_ d|_ dS)NF) vri_entriesr r!r"r:r r&backing_pdf_object get_objectdata _ocsps_seen _crls_seen _modified) r(r:r r!r"r;r<Z ocsps_seenocsp_refZ ocsp_bytesZ crls_seencrl_refZ crl_bytesr*r*r+__init__^s&       zDocumentSecurityStore.__init__cCs|jSN)rAr(r*r*r+modifiedyszDocumentSecurityStore.modifiedcCs(|js$d|_|jdk r$|j|jdS)NT)rAr<r:Zupdate_containerrFr*r*r+_mark_modified}s z$DocumentSecurityStore._mark_modifiedc csn|D]d}|}z||VWqtk rf|jtj|d}||||<|||VYqXqdS)NZ stream_data)dumpKeyErrorr: add_objectr StreamObjectrHappend)r(objsseendestobjZ obj_bytesrefr*r*r+_cms_objects_to_streamss  z-DocumentSecurityStore._cms_objects_to_streamscs fdd}fdd|DS)Nc3sD]}t|EdHqdSrE)r8)respr!r*r+ extra_certsszADocumentSecurityStore._embed_certs_from_ocsp..extra_certscsg|]}|qSr* _embed_cert).0Zcert_rFr*r+ sz@DocumentSecurityStore._embed_certs_from_ocsp..r*)r(r!rWr*)r!r(r+_embed_certs_from_ocsps z,DocumentSecurityStore._embed_certs_from_ocspcCsf|jdkrtdz|j|jWStk r4YnX|jtj|d}| ||j|j<|S)N"This DSS does not support updates.rI) r: TypeErrorr issuer_serialrKrLr rMrJrH)r(certrSr*r*r+rYs  z!DocumentSecurityStore._embed_certr#cCs"t|}td|S)a Hash the contents of a signature object to get the corresponding VRI identifier. This is internal API. :param contents: Signature contents. :return: A name object to put into the DSS. /)hashlibsha1digesthexupperr )contentsidentr*r*r+sig_content_identifiers z,DocumentSecurityStore.sig_content_identifierr*r r!r"c sjdkrtdt|}t|}t}t}fdd|D}|rZt|jj}|rtt|jj}| t ||dk rt |||d}j | j|<dS)a Register validation information for a set of signing certificates associated with a particular signature. :param identifier: Identifier of the signature object (see `sig_content_identifier`). If ``None``, only embed the data into the DSS without associating it with any VRI. :param certs: Certificates to add. :param ocsps: OCSP responses to add. :param crls: CRLs to add. Nr]csh|]}|qSr*rX)rZr`rFr*r+ sz5DocumentSecurityStore.register_vri..rj)r:r^listr2rTr?r!r@r"updater\rrLr,r;rH) r( identifierr r!r" ocsp_refscrl_refs cert_refsr)r*rFr+ register_vris4  z"DocumentSecurityStore.register_vricCsl|j}tt|j|d<|jr4t|j|d<|jrNt|j|t d<|j rht|j |t d<|S)z Convert the :class:`.DocumentSecurityStore` object to a python dictionary. This method also handles DSS updates. :return: A PDF object representing this DSS. /Certsr%/OCSPs/CRLs) r<r r'rlr valuesr;r&r!r r")r(Zpdf_dictr*r*r+r,sz#DocumentSecurityStore.as_pdf_objectccs.|jD]}|}t|j}|Vq dS)z Return a generator that parses and yields all certificates in the DSS. :return: A generator yielding :class:`.Certificate` objects. N)r rvr=rloadr>)r(cert_ref cert_streamr`r*r*r+ load_certss z DocumentSecurityStore.load_certsTc Cst|}|dg}t||}|rt|dd}|jD]$}|}tj|j }| |q>||d<t|dd} |j D]$} | } t j | j } | | q| |d<tfd|i|S)ag Construct a validation context from the data in this DSS. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :param include_revinfo: If ``False``, revocation info is skipped. :return: A validation context preloaded with information from this DSS. other_certsr!r*r")dictpoprlrzr!r= asn1_ocsp OCSPResponserwr>rNr"asn1_crlCertificateListr ) r(Zvalidation_context_kwargsZinclude_revinforWr r!rB ocsp_streamrUr"rC crl_streamrr*r*r+as_validation_context s*      z+DocumentSecurityStore.as_validation_context)handlerr$c CsLz|jd}Wn*tk r8}z t|W5d}~XYnXi}t|dtgd}|D]"}|}t|j}|||j <qRt|dtgd} g} | D]$} | } t j | j} | | qt|dtgd}g}|D]$}|}t j|j}| |qzt|d}Wntk rd}YnXt|tr0|}nd}|||| |||d}|S) a Read a DSS record from a file and add the data to a validation context. :param handler: PDF handler from which to read the DSS. :return: A DocumentSecurityStore object describing the current state of the DSS. /DSSNrs)defaultrtrur%)r:r r!r;r"r<)rootrKrrrlr=rrwr>r_r~rrNrrr| isinstancer)clsrdss_dicterqZ cert_ref_listrxryr`ror!rBrrUrpr"rCrrr;r:dssr*r*r+read_dss.sL       zDocumentSecurityStore.read_dssr r!r"pathsvalidation_context embed_roots)pdf_outrr$csz||} d} Wn"tk r4d} ||d} YnX|dk rJt|} nd} fdd} fdd} fd d }| j| | | |d | }| r||}||jtd <| | S) aD Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object. You can either specify the CMS objects to include directly, or pass them in as output from `pyhanko_certvalidator`. :param pdf_out: PDF writer to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :return: a :class:`DocumentSecurityStore` object containing both the new and existing contents of the DSS (if any). FTr9Nc3s>pdEdHpdD]"}t|}s.t||EdHqdSNr*)iternext)path path_parts)r rrr*r+_certss  z:DocumentSecurityStore.supply_dss_in_writer.._certsc3s&pdEdHdk r"jEdHdSrrVr*)r!rr*r+_ocspssz:DocumentSecurityStore.supply_dss_in_writer.._ocspsc3s&pdEdHdk r"jEdHdSr)r"r*)r"rr*r+_crlssz9DocumentSecurityStore.supply_dss_in_writer.._crlsrjr) rrrrirrr,rLrr Z update_root)rr sig_contentsr r!r"rrrrcreatedrnrrrrZdss_refr*)r r"rr!rrr+supply_dss_in_writerhs24   z*DocumentSecurityStore.supply_dss_in_writerF)r r!r"rr force_writerfile_credential)rrrc CsVt|} | jdk r&| dk r&| j| |j| ||||||| d} |sJ| jrR| dS)a$ Wrapper around :meth:`supply_dss_in_writer`. The result is applied to the output stream as an incremental update. :param output_stream: Output stream to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param force_write: Force a write even if the DSS doesn't have any new content. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :param file_credential: .. versionadded:: 0.13.0 Serialised file credential, to update encrypted files. Nr)rZsecurity_handlerZ authenticaterrGwrite_in_place) rZ output_streamrr r!r"rrrrrrrr*r*r+add_dsss2  zDocumentSecurityStore.add_dss)NNNNN)T)r-r.r/r0rrDpropertyrGrHrTr\rY staticmethodr Z NameObjectrirrr,rzr r classmethodrrboolrrrrr*r*r*r+rYsb 1  $9aF) embedded_sigrcs\jj}|jstdgfdd}||jIdH|sX|jdk rX||jIdHS)a Query revocation info for a PDF signature using a validation context, and store the results in a validation context. This works by validating the signer's certificate against the provided validation context, which causes revocation info to be cached for later retrieval. .. warning:: This function does *not* actually validate the signature, but merely checks the signer certificate's chain of trust. :param embedded_sig: Embedded PDF signature to operate on. :param validation_context: Validation context to use. :param skip_timestamp: If the signature has a time stamp token attached to it, also collect revocation information for the timestamp. :return: A list of validation paths. zfRevocation mode is set to soft-fail/tolerant mode; collected revocation information may be incomplete.csDt|}|j}|j}t||d}|jtdIdH}|dS)N)Zintermediate_certsr)Z key_usage)rZ signer_certr{rZasync_validate_usager2rN) signed_dataZ cert_infor`r{Z validatorrrrr*r+_validate_signed_data,sz6collect_validation_info.._validate_signed_dataN)Zrevinfo_policyZrevocation_checking_policyZ essentialloggerwarningrZattached_timestamp_data)rrskip_timestampZrevinfo_fetch_policyrr*rr+rs T)rrrc s|j} |r | j} }t|n t|} t|||dIdH} |rT|jd} nd} t | } || _ t j | | || |d}|s|jr|r| q| | n$|s| jdtt|| j| t|| S)aY .. versionadded: 0.9.0 Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update. This is a wrapper around :func:`collect_validation_info`. :param embedded_sig: The signature for which the revocation information needs to be collected. :param validation_context: The validation context to use. :param skip_timestamp: If ``True``, do not attempt to validate the timestamp attached to the signature, if one is present. :param add_vri_entry: Add a ``/VRI`` entry for this signature to the document security store. Default is ``True``. :param output: Write the output to the specified output stream. If ``None``, write to a new :class:`.BytesIO` object. Default is ``None``. :param in_place: Sign the original input stream in-place. This parameter overrides ``output``. :param chunk_size: Chunk size parameter to use when copying output to a new stream (irrelevant if ``in_place`` is ``True``). :param force_write: Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS). :param embed_roots: Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. :return: The (file-like) output object to which the result was written. )rNascii)rrrr)readerstreamr Z!assert_writable_and_random_accessZprepare_rw_output_streamrZ pkcs7_contentreencoderZ from_readerZ IO_CHUNK_SIZErrrGrwriteseekZ chunked_write bytearrayZfinalise_output)rrrZ add_vri_entryZin_placeoutputr chunk_sizerrZworking_outputrrrZ resulting_dssr*r*r+r?s<4         )F)7rbloggingZ dataclassesrrr1typingrZ asn1cryptorrrr~Zasn1crypto.x509rZpyhanko_certvalidatorrr Zpyhanko_certvalidator.pathr Zpyhanko.pdf_utilsr r Zpyhanko.pdf_utils.genericr Z$pyhanko.pdf_utils.incremental_writerrZpyhanko.pdf_utils.miscrZpyhanko.pdf_utils.rw_commonrZpyhanko.pdf_utils.writerrZgeneralrerrorsrrZ pdf_embeddedr__all__Zpdf_utils.cryptrZpdf_utils.readerr getLoggerr-rrr8rrZDEFAULT_CHUNK_SIZErrr*r*r*r+s`                 ( 4 9