U c @sddlZddlZddlmZddlmZmZmZmZmZm Z m Z m Z ddl m Z mZmZmZddlmZddlmZddlmZmZmZddlmZmZmZmZmZmZm Z dd l!m"Z"dd l#m$Z$dd l%m&Z&m'Z'dd l(m)Z)m*Z*dd l+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5ddl6m7Z7ddl8m9Z9m:Z:ddl;mZ>ddl?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFddlGmHZHmIZImJZJdddddddddd d!d"g ZKdd#lLmMZMeNeOZPe d$eDd%ZQeRd&d'd(ZSejTe jUd)d*d+ZVe jUe jWe jXd,d-d"ZYdLe jZejTe[e\ee&eeeeReRfd.d/dZ]e j^e0d0d1d Z_dMe j^e\eee`ee$ee'e>d2d3dZadNejTee>ee$ee'd4d5d6ZbeDddddfe j^e eQe\ee`e>d7d8dZce jZeed9d:dZddOe jZeRee j^d<d=dZee jZee\d9d>dZfe jZee\d?d@dZge j^eee\dAdBdZhee jiejTeeee)eejfdCdDdEZkee jiejTeee jUdFdGd!Zldddde7jmdfe e\ee jne jofe j^eeee>eEdHdIdZpdJdKZqdS)PN)datetime)IOIterableListOptionalTupleTypeTypeVarUnion)cmscoretspx509)InvalidSignature)hashes)CancelableAsyncIteratorValidationContextfind_valid_path)DisallowedAlgorithmError ExpiredErrorInvalidCertificateErrorPathBuildingErrorPathValidationError RevokedErrorValidationError)TimeSlideFailure)ValidationPath)AlgorithmUsagePolicyPKIXValidationParams)ACValidationResultasync_validate_ac) CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCertscheck_ess_certidextract_certificate_infoextract_signer_infofind_unique_cms_attributeget_pyca_cryptography_hash)misc) AdESFailureAdESIndeterminate)errors)KeyUsageConstraints)CAdESSignerAttributeAssertionsCertifiedAttributesClaimedAttributesRevocationDetailsSignatureStatusStandardCMSSignatureStatusTimestampSignatureStatus)DEFAULT_ALGORITHM_USAGE_POLICYextract_message_digest validate_rawvalidate_sig_integrityasync_validate_cms_signaturecollect_timing_infovalidate_tst_signed_dataasync_validate_detached_cmscms_basic_validationcompute_signature_tst_digestextract_tst_dataextract_self_reported_tsextract_certs_for_validationcollect_signer_attr_statusvalidate_algorithm_protection)lift_iterable_async StatusType)boundv2c Cs|rdnd}|rtjntj}zt||}||WStk rLYdStk r}ztj }t j d|d|W5d}~XYnXdS)NZsigning_certificate_v2Zsigning_certificatez3Wrong cardinality for signing certificate attributeZades_subindication) r ZSigningCertificateV2ZSigningCertificater)loaddumpr$r#r/NO_SIGNING_CERTIFICATE_FOUNDr1SignatureValidationError) signed_attrsrM attr_nameclsvalueeerrrYG/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/sign/validation/generic_cms.py_grab_signing_cert_attrOs  r[)certrScCsft|dd}|dkr t|dd}|dkr,dS|dd}t||sbtj}tjd|jjd|ddS) NTrLFcertsrzWSigning certificate attribute does not match selected signer's certificate for subject"z".rN)r[r&r/rQr1rRsubjecthuman_friendly)r\rSattrZcertidrXrYrYrZ_check_signing_certificatees    ra)attrsclaimed_digest_algorithm_objclaimed_signature_algorithm_objcCszt|d}Wn2tk r&d}Yntk r@tdYnX|dk r|dj}||jkrhtd|dj}|dkrtdn||jkrtddS) a+ Internal API to validate the CMS algorithm protection attribute defined in :rfc:`6211`, if present. :param attrs: A CMS attribute list. :param claimed_digest_algorithm_obj: The claimed (i.e. unprotected) digest algorithm value. :param claimed_signature_algorithm_obj: The claimed (i.e. unprotected) signature algorithm value. :raises errors.CMSStructuralError: if multiple CMS protection attributes are present :raises errors.CMSAlgorithmProtectionError: if a mismatch is detected Zcms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.signature_algorithmz._checkNzChain of trust validation for z failed.)handle_certvalidator_errorsr^r_rwarning) r\rrrrrrrrZsubjrYrrZrs  rrzZ status_clsrrrrcs,||}t|||||dIdH}|f|S)a Validate a CMS signature (i.e. a ``SignedData`` object). :param signed_data: The :class:`.asn1crypto.cms.SignedData` object to validate. :param status_cls: Status class to use for the validation result. :param raw_digest: Raw digest, computed from context. :param validation_context: Validation context to validate the signer's certificate. :param status_kwargs: Other keyword arguments to pass to the ``status_class`` when reporting validation results. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :return: A :class:`.SignatureStatus` object (or an instance of a proper subclass) )rN)default_usage_constraintsrBrrYrYrZr>s )rirnc Cs8z|d}t|d}|jWSttfk r2YnXdS)a Extract self-reported timestamp (from the ``signingTime`` attribute) Internal API. :param signer_info: A ``SignerInfo`` value. :return: The value of the ``signingTime`` attribute as a ``datetime``, or ``None``. rSZ signing_timeN)r)rgr$r#)risastrYrYrZrEs  F)risignedrnc CsVz8|r|d}t|d}n|d}t|d}|d}|WSttfk rPYnXdS)a Extract signed data associated with a timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :param signed: If ``True``, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes). :return: The ``SignedData`` value found, or ``None``. rSZcontent_time_stampZunsigned_attrsZsignature_time_stamp_tokenrN)r)r$r#)rirrZtstZuatst_signed_datarYrYrZrDs  cCsft|}|dkrdS|d}|djd}|ddj}|dj}t|}t|}|||S)a. Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :return: The computed digest, or ``None`` if there is no signature timestamp. Nrrmessage_imprintZhash_algorithmrorr)rDparsedrgr*rrrr)riZtst_datarmiZtst_md_algorithmZsignature_bytesZ tst_md_specrrYrYrZrC0s   )rits_validation_contextrc si}t|}|dk r||d<t|dd}|dk rXt||t|IdH}tf|}||d<t|dd}|dk rt|||dIdH} tf| } | |d<|S) a Collect and validate timing information in a ``SignerInfo`` value. This includes the ``signingTime`` attribute, content timestamp information and signature timestamp information. :param signer_info: A ``SignerInfo`` value. :param ts_validation_context: The timestamp validation context to validate against. :param raw_digest: The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one) Nsigner_reported_dtF)rZtimestamp_validityT)expected_tst_imprintZcontent_timestamp_validity)rErDr@rCr9) rirrrrrZtst_validity_kwargsZ tst_validityZcontent_tst_signed_dataZcontent_tst_validity_kwargsZcontent_tst_validityrYrYrZr?Os2     )rrrc sd}|dd}t|tjr"|j}t|tjs>tjdtj d|dj }t }t ||d|i|dIdH}|d d j }||krtd |d |d d|d<|S)a Validate the ``SignedData`` of a time stamp token. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to validate against. :param expected_tst_imprint: The expected message imprint value that should be contained in the encapsulated ``TSTInfo``. :return: Keyword arguments for a :class:`.TimeStampSignatureStatus`. Nrrz'SignedData does not encapsulate TSTInforNZgen_time timestamp)rrrrZhashed_messagezTimestamp token imprint is z, but expected rqFr|) isinstancer ZParsableOctetStringrr ZTSTInfor1rRr.rwrgr9rrBrrhex) rrrZtst_infoZtst_info_bytesrZ ku_settingsrZ tst_imprintrYrYrZr@~s0     )acsr}rrnc szfdd|D}g}g}t|D]J}z||IdHWq&ttfk rn}z||W5d}~XYq&Xq&||fS)Ncsg|]}t|dqS))Z holder_cert)r ).0acr}rrYrZ sz+process_certified_attrs..)asyncioZ as_completedappendrr)rr}rjobsresultsr1ZjobrWrYrrZprocess_certified_attrss rsd_attr_certificatesr}rsd_signed_attrsc szt|d}WnNtk r&d}Yn8tk r\}ztjt|tjd|W5d}~XYnXi}d}d}|dk rN|d} t t | t j s| nd} |d} d} t | t j sdd| D} t | t | k} |dk rt| ||}|IdH\}}|dk rt|}nd}| pt |d t j  }|dk r:|r:td t| |||d |d <|dk rt|||IdH\}}|r~|||r||t||d <||d<|S)NZsigner_attributes_v2rNZclaimed_attributesrYZcertified_attributes_v2FcSsg|]}|jdkr|jqS)Z attr_cert)nameZchosen)rr`rYrYrZrs z.collect_signer_attr_status..Zsigned_assertionszCAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.)Z claimed_attrsZcertified_attrsac_validation_errsZunknown_attrs_presentZcades_signer_attrsZac_attrsr)r)r$r#r1rRstrr.rwr5 from_iterablerr ZVoidlenrr4Z from_resultsrrr3extend)rr}rrZ signer_attrsrWresultZcades_ac_resultsZcades_ac_errorsZ claimed_asn1ZclaimedZcertified_asn1Zunknown_cert_attrsZ cades_acsZval_jobZ certifiedZ unknown_attrsZ ac_resultsZ ac_errorsrYrYrZrGs~        ) input_datarzsigner_validation_contextrac_validation_contextrrncs|dkr |}t|}|ddj} tt| } t|trF| |n@t|tj tj frl| t|dnt |} t j | || |d| } t||| dIdH} t|}t|| || |dIdH} t|}|dk r|j|j| t|j|j||dd IdHtf| S) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. Nreror)max_read)rr)rrrrrSr)r(rgrrr*rrrr ContentInfoEncapsulatedContentInfo bytearrayr,Zchunked_digestrr?r8rrBr'rrrrGZattribute_certsr})rrzrrrr chunk_sizerrirehZtemp_bufZ digest_bytesrr~rYrYrZrA!sP2     c s6d}zdd|IdHfWStk rP}ztj|j|dtj}W5d}~XYntk r}ztj|j|dtj}W5d}~XYntk r}z|j dkrtj }ntj }W5d}~XYnjt k r8}zXt|j|j rtj}n:|jrtj}td|j|jd}ntj}td|j|jd}W5d}~XYntk rn}ztjd|dtj}W5d}~XYntk r}z.t|j|j s|jrtj}ntj}W5d}~XYnrtk r}ztj|j|dtj}W5d}~XYn:tk r*}ztj|j|dtj}W5d}~XYnX||dfS)z Internal error handling function that maps certvalidator errors to AdES status indications. :param coro: :return: NrF)Z ca_revokedZrevocation_dateZrevocation_reasonTzFailed to build path)rrrZ failure_msgr/ZCHAIN_CONSTRAINTS_FAILURErZNO_POErZ banned_sinceZCRYPTO_CONSTRAINTS_FAILUREZ!CRYPTO_CONSTRAINTS_FAILURE_NO_POErZis_side_validationrZ is_ee_certZREVOKED_NO_POEr6Z revocation_dtreasonZREVOKED_CA_NO_POErZNO_CERTIFICATE_CHAIN_FOUNDrZOUT_OF_BOUNDS_NO_POErr)cororrWrrYrYrZr}sZ   r)NN)NNNNN)N)F)rrloggingrtypingrrrrrrr r Z asn1cryptor r r rZcryptography.exceptionsrZcryptography.hazmat.primitivesrZpyhanko_certvalidatorrrrZpyhanko_certvalidator.errorsrrrrrrrZ pyhanko_certvalidator.ltv.errorsrZpyhanko_certvalidator.pathrZ!pyhanko_certvalidator.policy_declrrZpyhanko_certvalidator.validaterr Zpyhanko.sign.generalr!r"r#r$r%r&r'r(r)r*Z pdf_utilsr,Z ades.reportr.r/r1settingsr2statusr3r4r5r6r7r8r9utilsr:r;r<__all__Zpdf_utils.miscrI getLogger__name__rrJboolr[Z CertificateZ CMSAttributesraZDigestAlgorithmZSignedDigestAlgorithmrHZ SignerInforrr=Z SignedDatarFdictrBrr>rErDrCr?r@ZAttributeCertificateV2 ExceptionrrGZDEFAULT_CHUNK_SIZErrrArrYrYrYrZs (  $  0   $      :   _  $   0 1  d \