U c> @sddlZddlmZmZddlmZmZmZmZmZddl m Z m Z m Z ddl mZddlmZmZmZmZddlmZmZddlmZdd lmZmZmZdd lmZdd lm Z dd l!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'm(Z(m)Z)ddl*m+Z+ddgZ,ee eeeee"ee'fdddZ-edddZ.ee j/ee j0dddZ1eeeedddZ2eeeeeee j0dddZ3eee eeeee+e4e+eed d d!Z5eee eeeeed"d#dZ6dS)$N)datetime timedelta)IterableListOptionalSetTuple)algoskeysx509) ValProcState)DisallowedAlgorithmErrorInsufficientPOEErrorInsufficientRevinfoError RevokedError)ValidationTimingInfoValidationTimingParams)ValidationPath)AlgorithmUsagePolicyCertRevTrustPolicyRevocationCheckingRule)RevinfoContainer)RevinfoManager) CRLOfInterest_check_cert_on_crl_and_delta_CRLErrs collect_relevant_crls_with_paths)OCSPResponseOfInterest_check_ocsp_status%collect_relevant_responses_with_paths)ConsList time_slideades_gather_prima_facie_revinfo)pathrevinfo_manager control_timerevocation_checking_rulereturnc sZ|j}|jr(t||||IdH}|j}ng}|jrNt||||IdH}|j}ng}||fS)a Gather potentially relevant revocation information for the leaf certificate of a candidate validation path. Only the scope of the revocation information will be checked, no detailed validation will occur. :param path: The candidate validation path. :param revinfo_manager: The revocation info manager. :param control_time: The time horizon that serves as a relevance cutoff. :param revocation_checking_rule: Revocation info rule controlling which kind(s) of revocation information will be fetched. :return: A 2-element tuple containing a list of the fetched CRLs and OCSP responses, respectively. N)leafZ ocsp_relevantr responsesZ crl_relevantrcrls) r#r$r%r&certZ ocsp_resultocspsZ crl_resultr*r-H/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/ltv/time_slide.pyr"*s(  )r#ccs0|}|dfV|jdkr,|}|dfVqdS)NTF)pkix_lenZcopy_and_drop_leaf)r#Zcur_pathr-r-r._tailsWs   r1) algo_policy algo_usedr% public_keycCsl||||}|dj}|jsh|jr2t||j}n6d|d}|jdk rX|d|j7}t|dddd|S)N algorithmz Algorithm z- is banned outright without time constraints.z Reason: FT)Z is_ee_certZis_side_validationZ banned_since)Zsignature_algorithm_allowedZnativeallowedZnot_allowed_afterminZfailure_reasonr )r2r3r%r4Zsig_constraintZ algo_namemsgr-r-r._apply_algo_policy_s(   r9r%revinfo_containerrev_trust_policytime_tolerancec CsL||tt||dd|d}|j}|jjsH|jp4|}|dk rHt||}|S)NT)Zvalidation_timeZbest_signature_timeZpoint_in_time_validation)Z timing_infor=)Z usable_atrr issuance_dateZratingZ usable_adesZlast_usable_atr7)r%r;r<r=Z usabilityr>Z cutoff_dater-r-r."_update_control_time_for_unrevoked~s"   r?) revoked_dater%r;r2issuer_public_keycCs6|rt||}|j}|dk r2|dk r2t||||}|SN)r7Zrevinfo_sig_mechanism_usedr9)r@r%r;r2rAr3r-r-r._update_control_times rC) r#init_control_timer$r<algo_usage_policyr= cert_stack path_stackr'c% s|j}|jdkr|Stttt|} j} | D]j\} } t| | rR|jn|jdIdH\} }| j }| | | |t d}| |krt d|jjdd|| s |s t|tjr|jj}nd}|jdkr tdd |d|d }d}| D]}|jj}|r|ks| |jjkrLq|j}ttd d | DBtjfd d |DIdH}tf||D]}t|j j ||j|j!t"d\}}|j j }t|tjst#||dk O}|j}|dks|j|jkr|}t$|||j%dqqd}|D]}|j&}|j}|r:|ks:| |j&j'krpq:t(|j)dIdHzt*|t ddd}Wn*t+k r} z | j,}W5d} ~ XYnX||dk O}|j)j }!t|!tjst#|dks|j|kr|}t$|||!j%dq:dk r^t| -d}"t.|d|"j%|s6dd||fD}#t/|#fdddd}$|$dk r6t0|$dq6S)Nr)r$r%r&)Zcert_path_stackz0No proof of existence available for certificate z at control time .zattribute certificatezNo revocation info from before z found for certificate Fcss|]}|VqdSrB)dump).0r+r-r-r. sz_time_slide..c 3s@|]8}|jjr|jjkrt|jdVqdS)rFrGN)r#r(rI _time_slide)rJZcrl_pathrEr%Znew_cert_stackZnew_path_stackr<r$Zsub_path_skip_listr=r-r.rK s )Z crl_issuerr+Zcertificate_list_contZdelta_certificate_list_contZerrs)r;r2rArL) ocsp_response proc_stater%Zsignature_algorithmcSsg|]}|dk r|qSrBr-)rJxr-r-r. ysz_time_slide..cs |jpSrB)r>)rR)r%r-r.~z_time_slide..)keydefaultr:)1Zrevocation_checking_policyr0listreversedr1 poe_managerr"Zee_certificate_ruleZintermediate_ca_cert_ruler(ZconsrIr rZ from_statesubjectZhuman_friendly isoformat isinstancer Z CertificateZocsp_no_check_valuerZcrlr>Zcrl_dataZ prov_pathssetasyncioZgatherr7rr#deltarAssertionErrorrCr4rOZocsp_response_datarMZ prov_pathrrZ revocation_dtZiter_authoritiesr9maxr?)%r#rDr$r<rEr=rFrGZchecking_policyZ partial_pathsrZ current_pathZis_eer*r,r+rPidentZ once_revokedZmost_recent_crlZcrl_of_interestZissuedZ sub_pathsZsub_path_control_timesZcandidate_crl_pathr@Zrevoked_reasonZ crl_iss_certZ crl_containerZmost_recent_ocspZocsp_of_interestZocsp_containereZ ocsp_iss_certZleaf_caZ revinfo_itemsZmost_recent_revinfor-rNr.rMs4                      rM)r#rDr$r<rEr=r'c s&t||||||ttdIdHS)a Execute the ETSI EN 319 102-1 time slide algorithm against the given path. .. warning:: This is incubating internal API. .. note:: This implementation will also attempt to take into account chains of trust of indirect CRLs. This is not a requirement of the specification, but also somewhat unlikely to arise in practice in cases where AdES compliance actually matters. :param path: The prospective validation path against which to execute the time slide algorithm. :param init_control_time: The initial control time, typically the current time. :param revinfo_manager: The revocation info manager. :param rev_trust_policy: The trust policy for revocation information. :param algo_usage_policy: The algorithm usage policy. :param time_tolerance: The tolerance to apply when evaluating time-related constraints. :return: The resulting control time. rLN)rMr empty)r#rDr$r<rEr=r-r-r.r!s$)7r_rrtypingrrrrrZ asn1cryptor r r Zpyhanko_certvalidator._stater Zpyhanko_certvalidator.errorsr rrrZpyhanko_certvalidator.ltv.typesrrZpyhanko_certvalidator.pathrZ!pyhanko_certvalidator.policy_declrrrZ&pyhanko_certvalidator.revinfo.archivalrZ%pyhanko_certvalidator.revinfo.managerrZ*pyhanko_certvalidator.revinfo.validate_crlrrrrZ+pyhanko_certvalidator.revinfo.validate_ocsprrrZpyhanko_certvalidator.utilr __all__r"r1ZSignedDigestAlgorithmZ PublicKeyInfor9r?rCbytesrMr!r-r-r-r.sp      -   &  Y