Wwg ddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z ddl m Z m Z mZmZmZmZddlmZmZmZmZddlmZddlmZmZddlmZmZmZdd l m!Z!m"Z"m#Z#dd l$m%Z%m&Z&m'Z'dd l$m(Z)dd l*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?m@Z@ddlAmBZBmCZCmDZDddlEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNddlOmPZPmQZQddlRmSZSmTZTmUZUddlVmWZWejeYZZedGddZ[Gdd eHejZ]Gd!d"e]eSZ^Gd#d$e]eTZ_Gd%d&e]eUZ` e?jd'Zb e?jd(Zc d`d)Zdd`d*Zed`d+ZfejGd,d-ejZi dad.ejd/eWfd0Zkd1ed2ejd3ejfd4Zmd1ed2ejd3ejfd5Znd2ejd6ej4d7ejfd8Zod1ed9ee!jeeffd:Zqd1ed2ejd3ejfd;Zsd2ejdZtd3ejd?ejd@e[fdAZv dadBe ejd.ejd/eWd@e[d9ejf dCZxGdDdEeyZzGdFdGZ{GdHdIejZ}GdJdKejZ~ejdLZdMe!jdNej4dOeejd9e9fdPZGdQdRe{ePZePjedSejdTe{d9eejfdUZdVejdTe{d9eeejeeWffdWZdXe?jfdYZdZZd[Zd\Zd]ZeLjGd^d_eLZy)bN) dataclass)sha1sha256)DictListOptionalSetTupleUnion)algoscmscorex509)RSAESOAEPParams)KeyEncryptionAlgorithmKeyEncryptionAlgorithmId)PrivateKeyInfoPublicKeyAlgorithm PublicKeyInfo)hasheskeywrap serialization)ECDHEllipticCurvePrivateKeyEllipticCurvePublicKey)generate_private_key)MGF1OAEPAsymmetricPaddingPKCS1v15) RSAPrivateKey RSAPublicKey)X448PrivateKey X448PublicKey)X25519PrivateKeyX25519PublicKey)KeyDerivationFunction)X963KDF)pkcs12)genericmisc)aes_cbc_decryptaes_cbc_encrypt rc4_encrypt) AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterSecurityHandlerSecurityHandlerVersionbuild_crypt_filter)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinAESGCMCryptFilterMixinRC4CryptFilterMixin)PubKeyPermissionsT)frozenc,eZdZUdZeed< dZeed<y)RecipientEncryptionPolicyFignore_key_usage prefer_oaepN)__name__ __module__ __qualname__rCbool__annotations__rDU/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/pdf_utils/crypt/pubkey.pyrBrBFs#"d"KrKrBceZdZUdZdZeded<ddddfd Zed e fd Z fd Z e jfd eej d ede fdZd efdZd efdZfdZxZS)PubKeyCryptFiltera Crypt filter for use with public key security handler. These are a little more independent than their counterparts for the standard security handlers, since different crypt filters can cater to different sets of recipients. :param recipients: List of CMS objects encoding recipient information for this crypt filters. :param acts_as_default: Indicates whether this filter is intended to be used in ``/StrF`` or ``/StmF``. :param encrypt_metadata: Whether this crypt filter should encrypt document-level metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. NPubKeySecurityHandler_handlerFT) recipientsacts_as_defaultencrypt_metadatac x||_||_||_d|_dx|_|_t |di|y)NFrJ)rQrRrS_pubkey_auth_failed _shared_key_recp_key_seedsuper__init__)selfrQrRrSkwargs __class__s rLrYzPubKeyCryptFilter.__init__msD%. 0#( 1554. "6"rKreturnc|jSN)rUrZs rL _auth_failedzPubKeyCryptFilter._auth_failed|s'''rKclt|tstt||dx|_|_yr_) isinstancerO TypeErrorrX_set_security_handlerrVrW)rZhandlerr\s rLrez'PubKeyCryptFilter._set_security_handlers0'#89O %g.1554.rKcertspolicypermsc|js!|jrtjd|j!t j d|_g|_|j |j tjdt||j |||j}|jj|y)ay Add recipients to this crypt filter. This always adds one full CMS object to the Recipients array :param certs: A list of recipient certificates. :param policy: Encryption policy choices for the chosen set of recipients. :param perms: The permission bits to assign to the listed recipients. zCA non-default crypt filter cannot have multiple sets of recipients.NzYAdding recipients after deriving the shared key or before authenticating is not possible.)rhinclude_permissions) rRrQr,PdfErrorsecrets token_bytesrWrVconstruct_recipient_cmsappend)rZrgrhrinew_cmss rLadd_recipientsz PubKeyCryptFilter.add_recipientss$##--  ?? "#*"5"5b"9D  DO    '4+>+>+F--9 *      $ 4 4   w'rKc|jD]6}t||\}}|||_ttj |cSttj S)a Authenticate to this crypt filter in particular. If used in ``/StmF`` or ``/StrF``, you don't need to worry about calling this method directly. :param credential: The :class:`.EnvelopeKeyDecrypter` to authenticate with. :return: An :class:`AuthResult` object indicating the level of access obtained. )rQread_seed_from_recipient_cmsrWr1r2USERFAILED)rZ credentialrecpseedris rL authenticatezPubKeyCryptFilter.authenticatesYOO :D6tZHKD%&*#!*//599  : *++,,rKc|jJ|jtjd|jjt j k\r t}n t}|j|j|jD]!}|j|j#|js|jr|jd|jd|jS)Nz&No seed available; authenticate first.s)rPrWr,rmversionr8AES256rrupdaterQdumprSrRdigestkeylen)rZmdrys rLderive_shared_encryption_keyz.PubKeyCryptFilter.derive_shared_encryption_keys}}(((    &-- HI I == $:$A$A ABB $%%&OO #D IIdiik " #$$)=)= II) *yy{=T[[))rKc2t|}tj|jdz|d<tj d|j D}|jr||d<n|d|d<tj|j|d<|S)N/Lengthc3bK|]'}tj|j)ywr_r+ByteStringObjectr.0rys rL z2PubKeyCryptFilter.as_pdf_object..s&) 6:G $ $TYY[ 1) -/ /Recipientsr/EncryptMetadata) rX as_pdf_objectr+ NumberObjectr ArrayObjectrQrR BooleanObjectrS)rZresultrQr\s rLrzPubKeyCryptFilter.as_pdf_objects&(#00qAy(() >Boo)     $.F= !%/qMF= !%,%:%:  ! !& !" rK)rErFrG__doc__rPrrIrYpropertyrHrarer?allow_everythingrr CertificaterBrsr1r{bytesrr __classcell__r\s@rLrNrNVs(37Hh./6  #(d((6$F#4#E#E#G )(D$$%)(*)(! )(V-*-& *e *rKrNceZdZdZy)PubKeyAESCryptFilterz< AES crypt filter for public key security handlers. NrErFrGrrJrKrLrr  rKrceZdZdZy)PubKeyAESGCMCryptFilterz@ AES-GCM crypt filter for public key security handlers. NrrJrKrLrrrrKrceZdZdZy)PubKeyRC4CryptFilterz< RC4 crypt filter for public key security handlers. NrrJrKrLrrrrKrz/DefaultCryptFilterz/DefEmbeddedFilec Tttt|d||ittSNT)rrRrQrSdefault_stream_filterdefault_string_filter)r5DEFAULT_CRYPT_FILTERrrrQrSs rL_pubkey_rc4_configr3 # "6 $%!1 # 32  rKc Tttt|d||ittSr)r5rrrs rL_pubkey_aes_configr!rrKcRtttd||ittS)NT)rRrQrSr)r5rrrQrSs rL_pubkey_gcm_configr0s0 # "9 $%!1# 32  rKc|eZdZdZej dZej dZej dZy)PubKeyAdbeSubFilterz{ Enum describing the different subfilters that can be used for public key encryption in the PDF specification. z/adbe.pkcs7.s3z/adbe.pkcs7.s4z/adbe.pkcs7.s5N) rErFrGrr+ NameObjectS3S4S5rJrKrLrr>sB   , -B   , -B   , -BrKrrzricTt|dk(sJ||r|jzSdzS)NrkrK)lenas_bytes)rzrirls rLconstruct_envelope_contentrJs1 t9?? ':5>># DD DDrK pub_key_inforid envelope_keyct}tjdtjdi}t j |j }t|tsJ|j||}t|||S)N algorithmrsaes_pkcs1v15paddingralgoencrypted_data) r r rrrload_der_public_keyrrcr"encrypt _format_ktri)rrrrrpub_keyrs rL_rsaes_pkcs1v15_recipientrQs{ jG  % % c223CDE D// 0A0A0CDG g| ,, ,__\7_CN Cd> JJrKc ddlm}ddlm}||}||}t j t j dtd|idd|iddd}tt||d }tj|j} t| tsJ| j|| } t!||| S) Nrget_pyca_cryptography_hash)select_suitable_signing_md rsaes_oaeprmgf1r parameters)hash_algorithmmask_gen_algorithmmgfrlabelrr)pyhanko.sign.generalrpyhanko.sign.signers.pdf_cmsrr rrrrrrrrrcr"rr) rrrrrdigest_function_name digest_specrrrrs rL_rsaes_oaep_recipientrbs @G5lC,-ABK  % %55lC)'24H&I%+'24H&I+  DtK(KtLG// 0A0A0CDG g| ,, ,__\7_CN Cd> JJrKrrc `tjdtjd|||diS)Nktrir)r}rkey_encryption_algorithm encrypted_key)r RecipientInfoKeyTransRecipientInfors rLrrs=    C-- 04%3    rKr]cb|j}|dk(r|jdz}n |dk(rd}nd}|dkr)tjt dt dfS|dkr)tj t d t d fStj t d t d fS) Necr*x25519 aes128_wrapz1.3.132.1.11.1 aes192_wrapz1.3.132.1.11.2 aes256_wrapz1.3.132.1.11.3)rbit_sizerSHA256rSHA384SHA512)r algo_nameapprox_sec_levels rL_choose_ecdh_settingsrs &&ID'00A5 h 3 MMO $] 3 $%5 6  S MMO $] 3 $%5 6   MMO $] 3 $%5 6  rKc t|\}}}td|i}tj|j }t |t r0t|j}|jt|} nrt |tr&tj}|j|} ncontent) rrnror/r8r EncryptionAlgorithmr EncryptionAlgorithmIdEncryptedContentInfo ContentType EnvelopedData ContentInfo)r9rzrirhrlenvelope_contentrr;encrypted_envelope_contentr! rec_infosrrBrCs rLrprp7s,2 e)<&&r*L%4&4&"B"!   d6:I  " "44\B  D !55OOF3,0!; &&(&< N ??OO,<=%  =sC+c eZdZy)InappropriateCredentialErrorN)rErFrGrJrKrLrOrO~srKrOc eZdZdZedej fdZdede jdefdZ dede jde jdedef d Z y ) EnvelopeKeyDecrypterz General credential class for use with public key security handlers. This allows the key decryption process to happen offline, e.g. on a smart card. r]ct)zI :return: Return the recipient's certificate rr`s rLr!zEnvelopeKeyDecrypter.certs "!rKr algo_paramsct)a Invoke the actual key decryption algorithm. Used with key transport. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :raises InappropriateCredentialError: if the credential cannot be used for key transport. :return: The decrypted payload. rS)rZrrTs rLdecryptzEnvelopeKeyDecrypter.decrypts "!rKoriginator_identifierrct)a" Decrypt an envelope key using a key derived from a key exchange. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: Information about the originator necessary to complete the key exchange. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. rS)rZrrTrWrs rLdecrypt_with_exchangez*EnvelopeKeyDecrypter.decrypt_with_exchanges ,"!rKN)rErFrGrrrrr!rr rrVrrYrJrKrLrQrQs"d&&"""""141K1K" "$""//" #<< " $ "  "rKrQc0eZdZdefdej fgZy)_PrivKeyAndCertkeyr!N)rErFrGrrr_fieldsrJrKrLr[r[s~&1A1A(BCGrKr[cXeZdZdefdej dddfdej ddifgZy ) ECCCMSSharedInfokey_info entityUInforT)explicitoptional suppPubInforbr*N)rErFrGrr OctetStringr]rJrKrLr_r_sA +,     - ((:q/:GrKr_zaes(\d+)_wrap(_pad)?rrrc |dj}tj|}|st|dt |j d}t ||dzt||tjd|djS)Nr* is not a supported key wrapping algorithmr-rz>I)r`rard)rlength sharedinfo) r+AES_WRAP_PATTERN fullmatchrintgroupr(r_structpackr)rrrr wrap_match kek_bit_lens rLr r s *+6==!++,<=J ! J K  j&&q)*K a#)3%{{4=  $&  rKc PeZdZdZej dZedefdZ de fdZ ede fdZ de jd efd Zede jfd Zedd ZeddZde dej.de fdZde dej.dej2dee de f dZy )SimpleEnvelopeKeyDecrypterz Implementation of :class:`.EnvelopeKeyDecrypter` where the private key is an RSA or ECC key residing in memory. :param cert: The recipient's certificate. :param private_key: The recipient's private key. z1\.3\.132\.1\.11\.(\d+)r]cy)N raw_privkeyrJclss rLget_namez#SimpleEnvelopeKeyDecrypter.get_namesrKcf|j|jd}t|jS)N)r\r!) private_keyr!r[r)rZvaluess rL _ser_valuez%SimpleEnvelopeKeyDecrypter._ser_values*))499=v&++--rKr=c tj|}|d}|d}t ||S#t$r}tjd|d}~wwxYw)Nr\r!z-Failed to decode serialised pubkey credentialr!rz)r[r ValueErrorr, PdfReadErrorrs)rwr=decodedr\r!es rL _deser_valuez'SimpleEnvelopeKeyDecrypter._deser_valuesc %**40G%.C6?D *tEE  ##?  s. AA  Ar!rzc ||_||_yr_)rz_cert)rZr!rzs rLrYz#SimpleEnvelopeKeyDecrypter.__init__ s+6 rKc|jSr_)rr`s rLr!zSimpleEnvelopeKeyDecrypter.certs zzrKNcddlm} |||}ddlm}||}t||S#ttt f$r!}t jd|Yd}~yd}~wwxYw) a Load a key decrypter using key material from files on disk. :param key_file: File containing the recipient's private key. :param cert_file: File containing the recipient's certificate. :param key_passphrase: Passphrase for the key file, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. r)load_private_key_from_pemder) passphrase)load_cert_from_pemderz%Could not load cryptographic materialexc_infoNr~) keysrrIOErrorrrdloggererrorrs)key_file cert_filekey_passphraserrzrr!rs rLrzSimpleEnvelopeKeyDecrypter.loadsf 9 6^K 6(3D*tMMY/  LL@1L M s-A"AA"c\ t|d5}|j}dddtj|\}}}ddlm}m} ||}| |}t||S#1swYHxYw#tttf$r%} tjd|d| Yd} ~ yd} ~ wwxYw) aZ Load a key decrypter using key material from a PKCS#12 file on disk. :param pfx_file: Path to the PKCS#12 file containing the key material. :param passphrase: Passphrase for the private key, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. rbNr))_translate_pyca_cryptography_cert_to_asn1(_translate_pyca_cryptography_key_to_asn1zCould not open PKCS#12 file .rr~) openreadr)load_key_and_certificatesrrrrrrdrrrs) rwpfx_filerf pfx_bytesrzr! other_certsrrrs rL load_pkcs12z&SimpleEnvelopeKeyDecrypter.load_pkcs120s h% %FFH  %/5/O/O:0 ,[$   =TBDB;OK *tMM# % %Y/  LL7zCaL P s- A2A&:A2&A/+A22B+B&&B+rrTc|dj}|dk(r t}n|dk(rxddlm}|d}|d}|dj}|dk7rt d |d t t ||ddj ||d djd }nt d|dtj|jjd } t| ts td| j||S)a Decrypt the payload using RSA with PKCS#1 v1.5 padding or OAEP. Other schemes are not (currently) supported by this implementation. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. Must use ``rsaes_pkcs1v15`` or ``rsaes_oaep``. :return: The decrypted payload. rrrrrrrrz#Only MGF1 is implemented, but got 'r*)rrNrzSOnly 'rsaes_pkcs1v15' and 'rsaes_oaep' are supported for envelope decryption, not 'z'.passwordz5The loaded key does not seem to be an RSA private keyr)r+r rrrrrrload_der_private_keyrzrrcr!rOrV) rZrrTrrr oaep_paramsrmgf_namepriv_keys rLrVz"SimpleEnvelopeKeyDecrypter.decryptQsA ,33 ( (jG , & G+6|+DK23C;'..H6!)9(1E8L)+6== 5 01+>EE G&--6Kr; !55    ! ! #d (M2.G  w??rKrWrc|d}|jj|j}d}|rntjtj tj tjdj|jdd}|s tdtjj|dj}|dj} t j| st| d| j#drt$j&nt$j(} t+||| } |j,d k7r td |j.j1} t3j4| j} t3j6|j8jd }d }t;|t<rct;| t>r-| j@j,|j@j,k7r tC||jEtG| }nt;|tHr-t;| tJs tC||jE| }nHt;|tLr-t;| tNs tC||jE| }n tQd| jS|}| ||S)am Decrypt the payload using a key agreed via ephemeral-static standard (non-cofactor) ECDH with X9.63 key derivation. Other schemes aer not supported at this time. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: The originator info, which must be an EC key. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. rN)0123r-zGOnly dhSinglePass-stdDH algorithms from SEC 1 / RFC 5753 are supported.rrg_padrrz Only originator_key is supportedrzCOriginator's public key is not compatible with selected private keyz4The loaded key does not seem to be an EC private key)r wrapped_key)*dhsinglepass_stddh_arc_patternrkdottedrSHA224rrrgetrmrr rrrr+rjendswithraes_key_unwrap_with_paddingaes_key_unwrapr rchosenuntagrrrrzrcrrrrrrr%r&r#r$rOr )rZrrTrWroidmatchrrr unwrap_keyroriginator_pub_key_infooriginator_pub_keyr mismatch_msgr derived_keks rLrYz0SimpleEnvelopeKeyDecrypter.decrypt_with_exchanges2+&33==cjjI59 ]]_]]_]]_]]_  c%++a.$'  %  2277  % * * , !.k : A A))*:;%#$$NO   ((0  / /''   !'!5  ! % %)9 9%&HI I " ( ( . . 0 +>> # ( ( * !55    ! ! #d   (  h 7 813IJ%++00HNN4G4GG ..!**463EFJ "2 30/B ..!**+=>J . 10-@ ..!**+=>J.F jj, { NNrKr_)rErFrGrrecompiler classmethodstrrxrr|rrrrrYrr! staticmethodrrr rrVrrrYrJrKrLrsrss>&0RZZ0J%K".E. F F FT--Nd&&NN6NN@4@"4@141K1K4@ 4@lfOfO//fO #<< fO 'uo fO  fOrKrsed decrypterc 2|dD]}|jdk(r|j}|dj}t|tjs t d|d}|dj }|jj|k(s|jj|k(s |j|dj |dcS|jd k(r|j}|d D]} | dj}t|tjs t d|d}|dj }|jj|k(se|jj|k(s |j| dj |d|d |d j ccSt dy#t$r}|d}~wt$r}tjd |d}~wwxYw#t$r}|d}~wt$r}tjd |d}~wwxYw)NrArrz;Recipient identifier must be of type IssuerAndSerialNumber.r%r&rrzFailed to decrypt envelope keyrrrr)rWrzLRecipientInfo must be of type KeyTransRecipientInfo or KeyAgreeRecipientInfo)rrrcr r0rr+r!r%r&rVrO Exceptionr,rrY) rrrec_inforissuer_and_serialr%serialrrrecipient_enc_keys rLread_envelope_keyrsC()9 ==F "??D $U 2 2 /1J1JK)Q'x0F&7>>F%%/NN00F: $,,_-4478]]f $??D%)*D%E !!$5e$<$C$C!!"3S5N5NO-U+84*?;BBNN))V3!44> !(>>-o>EE !;<26|2D15e1C1C ?  !6&+ m9v Q4G ++848 $!"//< !!sH"!F/&4G$/ G!8F:: G!GG!$ H-G// H;HH recipient_cmsc|dj}|dk7rtjd|z|d}|d}t||}|y|d}|dj} |j}d ti} d d lm } | j| j| j| jd || vr| |} |j } | ||| }n+|dk(r t#||}ntjd|d|dd}d}t%|dk(rt'j(|dd}||fS#t t f$r|d j}YwxYw#t$r} |d vr td| Yd} ~ d} ~ wwxYw)Nr>rCz7Recipient CMS content type must be enveloped data, not rDrB)NNr?r@raesr) symmetric)des tripledesrc2z0DES, 3DES and RC2 require oscrypto to be presentrc4zCipher z is not allowed in PDF 2.0.rk)r+r,rrencryption_cipherrKeyErrorr.oscryptorrdes_cbc_pkcs5_decrypttripledes_cbc_pkcs5_decryptrc2_cbc_pkcs5_decryptrr encryption_ivr0rr? from_bytes)rrr>rrBrrrL cipher_namewith_ivrrdecryption_funr;rDrzris rLruru5s!077L'' E   *)4B 89$R3L %;&%D"8" f/,, o&G&  66&BB 66  g -    /I2N  l,FGk]"= >   3BN OO   <   sA10B1BcZ|jdd}td|dz|dt|S)Nr(rrrRrJ)rrr)rrR keylen_bitss rL_build_legacy_pubkey_cfrs>**Y+K  a'  'v . rKc0tdd|dt|S)NrrrJrrrrRs rL_build_aes128_pubkey_cfr)  '  'v . rKc0tdd|dt|S)Nr#rrJrrs rL_build_aes256_pubkey_cfrrrKc.tdd|it|S)NrRrJ)rrrs rL_build_aesgcm_pubkey_cfrs$ " ' +G+O rKc neZdZUdZej deej deej deej de ej ddiZ e ej e fe d<ed ej d d ej$d ed fd eej,d ed ededdf dZ d'dedededdeedeef fd ZedefdZede efdZ!edejDdede#fdZ$edejDdedffd Z%edejDfdZ&edejDfd Z'edejDfd!Z(d"Z)ej$efd eej,d ed efd#Z* d(d$e+e,e-fde.fd%Z/defd&Z0xZ1S))rOz Security handler for public key encryption in PDF. As with the standard security handler, you essentially shouldn't ever have to instantiate these yourself (see :meth:`build_from_certs`). z/V2z/AESV2z/AESV3z/AESV4z /IdentityctSr_)r6)___s rLzPubKeySecurityHandler.s 7J7LrK_known_crypt_filtersrTrgrirhpdf_macr]c  ||rtjntj} d} |tjk(r|rt d|d} nt |d|} | r=|tjk\r*|tjz}tjd} nd} ||| |f|| d| d| }|j||||S)aO Create a new public key security handler. This method takes many parameters, but only ``certs`` is mandatory. The default behaviour is to create a public key encryption handler where the underlying symmetric encryption is provided by AES-256. Any remaining keyword arguments will be passed to the constructor. :param certs: The recipients' certificates. :param keylen_bytes: The key length (in bytes). This is only relevant for legacy security handlers. :param version: The security handler version to use. :param use_aes: Use AES-128 instead of RC4 (only meaningful if the ``version`` parameter is :attr:`~.SecurityHandlerVersion.RC4_OR_AES128`). :param use_crypt_filters: Whether to use crypt filters. This is mandatory for security handlers of version :attr:`~.SecurityHandlerVersion.RC4_OR_AES128` or higher. :param perms: Permission flags. :param encrypt_metadata: Whether to encrypt document metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. :param pdf_mac: Include an ISO 32004 MAC. .. warning:: Only works for PDF 2.0 security handlers. :param policy: Encryption policy choices for the chosen set of recipients. :return: An instance of :class:`.PubKeySecurityHandler`. Nr)rSrQrr#)rScrypt_filter_configrkdf_saltrirh) rrrr8 RC4_OR_AES128rrr~r?TOLERATE_MISSING_PDF_MACrnrors)rwrg keylen_bytesr}use_aesuse_crypt_filtersrirSrhrr[ subfiltercfcrshs rLbuild_from_certsz&PubKeySecurityHandler.build_from_certssp! " "$''   ,:: :()9d) #%5 w"8"?"?? '@@@ @E**2.HH      . #     %uV< rKr}pubkey_handler_subfilterrr5rrc  |tjk\r(|tjk7rt j d||tj k(rtd||}nz|tjk(rt|||}nX|tjk(rt||}n7|tjk\rtd||}nt j dt |9||||||||_||_d|_y)NzESubfilter /adbe.pkcs7.s5 is required for security handlers beyond V4.)rrSrQrr#z1Failed to impute a reasonable crypt filter config)rScompat_entriesr)r8rrrr,rmRC4_40rRC4_LONGER_KEYSAES_GCMrr~rrXrYrrSrV) rZr}r  legacy_keylenrSrrr rr\s rLrYzPubKeySecurityHandler.__init__s' -;; ;(,?,B,BB--   &0777&8%5-'# 2BBB&8(%5-'# 2:::&8-@P'#2999 '9%5-'# mmG    -)  2 0rKc,tjdS)Nz /Adobe.PubSec)r+rrvs rLrxzPubKeySecurityHandler.get_name^s!!/22rKcHtDchc]}|jc}Scc}wr_)rr)rwrs rLsupport_generic_subfiltersz0PubKeySecurityHandler.support_generic_subfiltersbs!45A555srrRcbt|j||}|tjd|S)NzJAn absent CFM or CFM of /None doesn't make sense in a PubSec CF dictionary)r9rr,r)rwrrRcfs rLread_cf_dictionaryz(PubKeySecurityHandler.read_cf_dictionaryfsA  $ $fo  :##'  rK encrypt_dictct||}|j|}|(|tjk7rt j d|(|tjk(rt j d|S)Nz=Crypt filters require /adbe.pkcs7.s5 as the declared handler.z./adbe.pkcs7.s5 handler requires crypt filters.)rXprocess_crypt_filters_determine_subfilterrrr,r)rwrrrr\s rLrz+PubKeySecurityHandler.process_crypt_filterstsg+L9,,\: ?y,?,B,BB## [Y*=*@*@@##@  rKc  |jdd}|dzdk7rtjd|dz}tj|dd}|jdtd }t ||||jd d  S)Nrrrrz"Key length must be a multiple of 8rcz|Dcgc]+}tjj|j-c}Scc}wr_)r rJrr)lstrs rLrz?PubKeySecurityHandler.gather_pub_key_metadata..s)MA--a.>.>?MMs08rTdefault/KDFSaltcrt|tjtjfr |jSdSr_)rcr+TextStringObjectrr)rs rLrz?PubKeySecurityHandler.gather_pub_key_metadata..s:!G44g6N6NO$$  rK)rrrSr)rr,rm get_and_applyrHdict)rwrrrrQrSs rLgather_pub_key_metadataz-PubKeySecurityHandler.gather_pub_key_metadatas"&&y#6 !O !-- DE E!''   M (55 d6  %-!//    rKc tj|dtd|vrtjStjS#t $rtj d|dzwxYw)N /SubFilterz/CFrz8Invalid /SubFilter in public key encryption dictionary: )r,r#rrrrr)rwrs rLrz*PubKeySecurityHandler._determine_subfilters %%# ,(**  -//   ##J|,-  s.AA%A+ctj|d}td||j||j |d|j |S)N/V)r}r rrJ)r8 from_numberrOrrr%)rwrvs rLinstantiate_from_pdf_objectz1PubKeySecurityHandler.instantiate_from_pdf_objects_ # . .|D/A B$ %(%=%=l%K # 9 9, G )),7   rKctj}tj|j|d<|jj |d<|j j|d<|jr"tj|j|d<|js|j tjk(r%tj|jdz|d<|j tjkDr"tj|j |d<|jt"j$k(r+|j'|j(j|S|j+}t-|t.st0tj2d|j4D|d <|S) Nz/Filterr'r)r rrrc3bK|]'}tj|j)ywr_rrs rLrz6PubKeySecurityHandler.as_pdf_object..s)8((58rr)r+DictionaryObjectrrxrrr}r _kdf_saltr_compat_entriesr8rrrrrSrrrrget_stream_filterrcrNrdrrQ)rZr default_cfs rLrz#PubKeySecurityHandler.as_pdf_objectsf))+#..t}}?y#~~33|||113t >>!(!9!9$..!IF:   ||5EEE ' 4 4T[[1_ EF9  <<0@@ @)0)>)>%%*F% & >>033 3 MM$22@@B C //1Jj*;<$+$7$78&118%F= ! rKc|jjD]'}t|ts|j |||)y)Nr)rstandard_filtersrcrNrs)rZrgrirhrs rLrsz$PubKeySecurityHandler.add_recipientssG**;;= ABb"34   e5  @ ArKrxcTt|trJtj|}t|ts"t j dt|d|}n|}tj}|jjD]k}t|ts|j|}|jtj k(r|cS|j"}|Ut|tsJ||z}mt|tr||_t'tj(|S)a Authenticate a user to this security handler. :param credential: The credential to use (an instance of :class:`.EnvelopeKeyDecrypter` in this case). :param id1: First part of the document ID. Public key encryption handlers ignore this key. :return: An :class:`AuthResult` object indicating the level of access obtained. zRPubkey authentication credential must be an instance of EnvelopeKeyDecrypter, not r)rcr;r: deserialiserQr,rtyper?rrr5rNr{statusr2rwpermission_flags _credentialr1rv) rZrxid1deser_credentialactual_credentialrirrcf_flagss rLr{z"PubKeySecurityHandler.authenticates( j"6 75AA*M .0DE''1156F1G0HK!1  * !224**;;= "Bb"34__%67F}} 1 11 ..H#!(,=>>>! " ')? @0D *//511rKcJ|jjjSr_)rget_for_stream shared_keyr`s rLget_file_encryption_keyz-PubKeySecurityHandler.get_file_encryption_key's''668CCCrK)TNNTNr_)2rErFrGrr+rrrrrrrr4rIrr8r~r?rrBrrrrHrrrlistrrYrrxr rr/r3rrr%rr,rrsr rQr;r1r{rCrrs@rLrOrOs 5!#:8$&=8$&=8$&=;')L J$w113EEF&--#E#4#E#E#G,E,GYD$$%Y!Y*YY !YY@DH)-$(A 'A #6A &&@A A !A 5/A F33363s866 -- @D    "33 , -" 73K3K  B0H0H$  "33    B$F#4#E#E#G,E,G AD$$% A! A* A$ 02.0DDE02  02dDDrKrO)NT)T)abcenumloggingrrnrn dataclassesrhashlibrrtypingrrrr r r asn1cryptor r rrasn1crypto.algosrasn1crypto.cmsrrasn1crypto.keysrrrcryptography.hazmat.primitivesrrr,cryptography.hazmat.primitives.asymmetric.ecrrrrr1cryptography.hazmat.primitives.asymmetric.paddingrrrr -cryptography.hazmat.primitives.asymmetric.rsar!r".cryptography.hazmat.primitives.asymmetric.x448r#r$0cryptography.hazmat.primitives.asymmetric.x25519r%r&"cryptography.hazmat.primitives.kdfr'*cryptography.hazmat.primitives.kdf.x963kdfr(,cryptography.hazmat.primitives.serializationr)r+r,_utilr.r/r0apir1r2r3r4r5r6r7r8r9cred_serr:r; filter_mixinsr<r=r> permissionsr? getLoggerrErrBABCrNrrrrrDEF_EMBEDDED_FILErrruniqueEnumrrrr1rrr HashAlgorithmrr2rrrr8rJrprdrOrQSequencer[r_rrjr rsregisterrIrrur/rrrrrrOrJrKrLrfs   ! ::--,KMMII  E>?@@   C +   8 $ $   K SWWK\ ,.A  /1G  ,.A  *w))*?@ 'G&&'9:    .$)). .@DE E)EKK KK"KK KKB  $ $&    24LL B77 , ,77t , ,!  $ $    6( (   (  &( ` Dt''(D D D & D  __ DN 9 8"8"vDdmmD t}} 2::56$$--#5/   4BO!57MBOJ  :;? ?&:? e_?DG??G/CG 8E?H%67 78GT P)A)A P  zDOzDzDrK