U c\ @sddlZddlmZddlmZddlmZmZmZddl m Z ddl m Z ddl mZddlmZmZmZdd lmZd d lmZd d lmZmZmZd dlmZd dlmZmZm Z d dl!m"Z"m#Z#m$Z$m%Z%d dl&m'Z'm(Z(d dl)m*Z*d dl+m,Z,m-Z-m.Z.ddddddgZ/e0e1Z2ede-dZ3GdddeZ4eej5ej5dZ6ddZ7eej8ej8dZ9d d!Z:d"d#Z;e jeee'd&d'dZ?eGd(d)d)Z@e'd*d+d,ZAd-d.ZBd6e'e4eeeeee*eCe,d0d1dZDe jEd2d3dZFd7e jEed4d5dZGdS)8N) dataclass)Enum)IteratorOptionalTypeVar)cms)pdf)ValidationContext)CertRevTrustPolicyRevocationCheckingPolicyRevocationCheckingRule) PdfFileReader) DiffPolicy)MultivaluedAttributeErrorNonexistentAttributeErrorfind_unique_cms_attribute)DocumentSecurityStore)NoDSSFoundErrorSignatureValidationErrorValidationInfoReadingError)async_validate_cms_signaturecms_basic_validationcollect_signer_attr_statusvalidate_tst_signed_data)EmbeddedPdfSignaturereport_seed_value_validation)KeyUsageConstraints)PdfSignatureStatusSignatureStatusTimestampSignatureStatusRevocationInfoValidationTypeapply_adobe_revocation_inforetrieve_adobe_revocation_infoget_timestamp_chain async_validate_pdf_ltv_signatureestablish_timestamp_trust StatusType)boundc@s(eZdZdZdZdZdZeddZdS)r"zP Indicates a validation profile to use when validating revocation info. adobeZpadesz pades-ltacCstdd|DS)Ncss|] }|jVqdS)N)value).0mr.?/tmp/pip-unpacked-wheel-0kb_yl26/pyhanko/sign/validation/ltv.py Rsz8RevocationInfoValidationType.as_tuple..)tuple)clsr.r.r/as_tuplePsz%RevocationInfoValidationType.as_tupleN) __name__ __module__ __qualname____doc__ ADOBE_STYLEPADES_LT PADES_LTA classmethodr3r.r.r.r/r"8s )Zee_certificate_ruleZintermediate_ca_cert_rulecKstfdti|SNrevocation_checking_policy)r &DEFAULT_LTV_INTERNAL_REVO_CHECK_POLICYkwargsr.r.r/!_default_ltv_internal_revo_policy[s rAcKstfdti|Sr<)r %STRICT_LTV_INTERNAL_REVO_CHECK_POLICYr?r.r.r/ _strict_ltv_internal_revo_policyhs rCcCsd|d<||d<|dd}|dd}|dkrl|dd}|rX|dkrXtt|}q~|dkr~t|d}n|jjs~t|d}||d<dS) NFallow_fetchingmomentrevinfo_policyretroactive_revinforevocation_modez soft-failrG) getpopr r Z from_legacyrAr=Z essentialrC) timestampvalidation_context_kwargsrF retroactiveZ legacy_rmr.r.r/_strict_vc_context_kwargsos(    rO)tst_signed_datavalidation_contextexpected_tst_imprintcsDt|||IdH}tf|}|jr(|js@td|td|S)a Wrapper around :func:`validate_tst_signed_data` for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to apply to the timestamp. :param expected_tst_imprint: The expected message imprint for the ``TSTInfo`` value. :return: A :class:`.TimestampSignatureStatus` if validation is successful. :raises: :class:`SignatureValidationError` if validation fails. Nz0Could not validate embedded timestamp token: %s.z\Could not establish time of signing, timestamp token did not validate with current settings.)rr!ZvalidZtrustedloggerwarningsummaryr)rPrQrRZtimestamp_status_kwargstimestamp_statusr.r.r/r's   )readerreturncCstddt|jS)a: Get the document timestamp chain of the associated reader, ordered from new to old. :param reader: A :class:`.PdfFileReader`. :return: An iterable of :class:`~pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature` objects representing document timestamps. cSs|jdddkS)Nz/Typez /DocTimeStamp)Z sig_objectrJ)sigr.r.r/z%get_timestamp_chain..)filterreversedZembedded_signatures)rWr.r.r/r%s c@s.eZdZUeed<eed<eed<eed<dS)_TimestampTrustData latest_dtsearliest_ts_statusts_chain_lengthcurrent_signature_vc_kwargsN)r4r5r6r__annotations__r!intdictr.r.r.r/r^s r^) emb_timestampcCs`z$|j|j}t|}||WStk rZ|dd|ddtf|YSXdS)Ncrlsr.ocsps) rWZget_historical_resolversigned_revisionrread_dssas_validation_contextr setdefaultr )rfrMZ hist_resolverdssr.r.r/_instantiate_ltv_vcs   rnc st|}t|}|}d}d}d}t|D]J\}}|j|kr>qt|t|j||jIdH}t|j |t ||}q(t |||d|dS)Nr)r_r`rarb) r%re enumeratericompute_digestr' signed_dataexternal_digestrOrLrnr^) rWbootstrap_validation_contextrMuntil_revisionZ timestamps current_vcZ ts_statusZts_countrfr.r.r/_establish_timestamp_trust_ltas:  rwF) embedded_sigvalidation_typert diff_policykey_usage_settings skip_diffrXc st|pi}|dd|dd|d} |rVt| d|d<|dk rt| d|d<n4d|kr|dt| d|dk r|dt| d|j} |tjkrd} |ptf|} n6t | } |dkr| j |dd } n|} | j | ||d} d}|tjkr|t| | ||jd IdH} | j}| jr:t| j|} | jdkrZ|tjkrZtd |tjksv| jd ksvt| j}|j}|dk rt|| |jIdH}|j}||d <|dk r||d <n |tjkr| jd krtd|dkrtdt|j|d}|tjkr^t |j!\}}||d<||d<tf|}|dk r||d<||d<tf|}nN|tjkr| |}|dk r| |}n"t| j|}|dk rt| j|}|dk s|tjkr|dk r|}n| jj"}t#|t$|d|jid}|IdH}n|}|j%||d|&}|'|j|dt()|}t*|j"|j+|||dIdH}t,||ddd|dk rx|j |j-|'t.|j/|j0||j!ddIdHt(f|S)a  .. versionadded:: 0.9.0 Validate a PDF LTV signature according to a particular profile. :param embedded_sig: Embedded signature to evaluate. :param validation_type: Validation profile to use. :param validation_context_kwargs: Keyword args to instantiate :class:`.pyhanko_certvalidator.ValidationContext` objects needed over the course of the validation. :param ac_validation_context_kwargs: Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param bootstrap_validation_context: Validation context used to validate the current timestamp. :param force_revinfo: Require all certificates encountered to have some form of live revocation checking provisions. :param diff_policy: Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param skip_diff: If ``True``, skip the difference analysis step entirely. :return: The status of the signature. rDTrGFrIrFNrH)Zinclude_revinfo)rMruz>Purported PAdES-LTA signature does not have a timestamp chain.rrEzlPAdES-LTA signature requires separate timestamps protecting the signature & the rest of the revocation info.z+LTV signatures require a trusted timestamp.rhrgrL)Z status_clsrQ status_kwargs)rzr|)Zsigner_reported_dtZtimestamp_validity)Z raw_digestrQr}r{Zvalidation_path)Ztimestamp_found signed_attrs)Zsd_attr_certificates signer_certrQZsd_signed_attrs)1rerlrArCrWr"r8r rrjrkZcertificate_registryZregister_multipleZ load_certsrqZcompute_tst_digestrwrirbr_rnr`r:rr9raAssertionErrorZattached_timestamp_datar'Ztst_signature_digestrLrOr$ signer_inforrrr!Zcompute_integrity_infoZsummarise_integrity_infoupdaterZdefault_usage_constraintsrrsrZother_embedded_certsrZembedded_attr_certsr)rxryrMrtZac_validation_context_kwargsZ force_revinforzr{r|rNrWrmrvZ ts_trust_dataZearliest_good_timestamp_strPZ signature_poeZ stored_ac_vcrhrgZ stored_vcZts_to_validateZts_status_cororVr}r.r.r/r&sR3                                )rc Cslzt|dd}Wn0ttfk rB}ztd|W5d}~XYnXt|dpPd}t|dp`d}||fS)a' Retrieve Adobe-style revocation information from a ``SignerInfo`` value, if present. Internal API. :param signer_info: A ``SignerInfo`` value. :return: A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively. r~Zadobe_revocation_info_archivalz@No revocation info archival attribute found, or multiple presentNZocspr.Zcrl)rrrrlist)rZrevinfoerhrgr.r.r/r$&s )rrXcCs(|pi}t|\}}tf||d|S)ag Read Adobe-style revocation information from a CMS object, and load it into a validation context. :param signer_info: Signer info CMS object. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :return: A validation context preloaded with the relevant revocation information. )rhrg)r$r )rrMrhrgr.r.r/r#As )NNNFNNF)N)HloggingZ dataclassesrenumrtypingrrrZ asn1cryptorrZasn1_pdfZpyhanko_certvalidatorr Z!pyhanko_certvalidator.policy_declr r r Zpyhanko.pdf_utils.readerr Z diff_analysisrZgeneralrrrrmrerrorsrrrZ generic_cmsrrrrZ pdf_embeddedrrsettingsrstatusrr r!__all__ getLoggerr4rSr(r"ZCHECK_IF_DECLAREDr>rAZCRL_OR_OCSP_REQUIREDrBrCrOZ SignedDatabytesr'r%r^rnrwboolr&Z SignerInfor$r#r.r.r.r/s           # ) -