Wwg`bdZddlZddlZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZddlZddlmZmZmZddlmZddlmZddlmZdd lmZmZmZdd l m!Z!dd l"m#Z#m$Z$dd l%m&Z& dd lm'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-ddlm.Z/ddlm0Z1gdZ4ejje6Z7de ede1jpde ee9e9ffdZ:de ede1jpde;fdZ< d4de e1jzde e>de ede e1jpfdZ?edGddZ@e*je*je*je*je*jdZFe*je*je*je*je*jdZLe'je'je'je'je'jdZRe*je*je*je*je*jdZXe*je*je*je*je*jdZ^e*je*je*je*je*jdZ`d ejd!e9d"e;de@fd#Zb d5d$e9de e>d%e e9de ed&ee9ecdfde-f d'Zd d4d(e;d)e e9d*e eefd+Zf d4d,e-d)e e9d*e eefd-Zgd!e9d.e;fd/ZhGd0d1e&ZiGd2d3Zjy#e2$rZ3e2de3dZ3[3wwxYw)6z This module provides PKCS#11 integration for pyHanko, by providing a wrapper for `python-pkcs11 `_ that can be seamlessly plugged into a :class:`~.signers.PdfSigner`. N) dataclass)AnyCallableDictListOptionalSetTupleUnion)algoscorex509)RSASSAPSSParams)hashes)CertificateStore)PKCS11PinEntryModePKCS11SignatureConfig TokenCriteria)coalesce) SigningErrorget_pyca_cryptography_hash)Signer)MGFPROTECTED_AUTH Attribute Mechanism ObjectClass PKCS11ErrorSession)lib)typeszpyhanko.sign.pkcs11 requires pyHanko to be installed with the [pkcs11] option. You can install missing dependencies by running "pip install 'pyHanko[pkcs11]'".) PKCS11Signeropen_pkcs11_sessionPKCS11SigningContext find_tokenselect_pkcs11_signing_paramscriteriatokenreturnc6|gSg}|j6|j|jk7r|jd|jf|jD|j|jk7r+|jd|jjf|S)Nlabelserial)r+appendr,hex)r'r( err_itemss J/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/sign/pkcs11.pycriteria_mismatchesr1=s I~~!ekkX^^&C'8>>23"u||x'F(HOO$7$7$9:; ct|| SN)r1)r'r(s r0criteria_satisfied_byr5Ls#8U3 33r2slotsslot_notoken_criteriac|.|,t|dk(r|djStd|)|D]#} |j}t||r|cS%y|t|k\rtd|dt|||j}t ||}|r*dj d|D}td |d |d |S#t$rYwxYw) a Internal helper method to find a token. :param slots: The list of slots. :param slot_no: Slot number to use. If not specified, the first slot containing a token satisfying the criteria will be used :param token_criteria: Criteria the token must satisfy. :return: A PKCS#11 token object, or ``None`` if none was found. NrzJModule has more than 1 slot; slot index or token criteria must be providedz Slot index z too large; there are only , c30K|]\}}|d|yw)z is not N).0fieldvals r0 zfind_token..~s$ .8eS5'#) szToken in slot z does not satisfy criteria; .)len get_tokenrr5r1join)r6r7r8slotr(errorserr_strs r0r%r%Rs*&'/ u:?8%%' '#   D ((? L@ ,  c%j gY&A#e*N g((*$^U; ii ":;;r2rK)sha1sha224sha256sha384sha512signature_mechanismdigest_algorithmuse_raw_mechanismcddlm}ddlm}d}d}i} |j}|dk(r2|r"tj|d<t|d }nlt||d<n^|d k(r3|r!tj|d<t|d }n t||d<|}n&|d k(r2|r!tj|d<t|d }n t||d<|}n|d k(rt|r td|d} || ddj k(sJt ||d<t"|} | dddj } t$| } | dj } | | | f|d<nv|dk(r!|r tdtj&|d<nP|dk(r<|r tdtj&|d<t)j*dd dd|d<ntd|dt-|||S#t $r|dj }YwxYw)aZ Internal helper function to set up a PKCS #11 signing operation. :param signature_mechanism: The signature mechanism to use (as an ASN.1 value) :param digest_algorithm: The digest algorithm to use :param use_raw_mechanism: Whether to attempt to use the raw mechanism on pre-hashed data. :return: r)encode_dsa_signature)encode_ecdsa_signatureN algorithmrsassa_pkcs1v15 mechanismT)wrap_digest_infodsaFecdsa rsassa_pssz$RSASSA-PSS not available in raw mode parametershash_algorithmmask_gen_algorithm salt_lengthmechanism_paramed25519z!Ed25519 not available in raw modeed448zEd448 not available in raw modez@?LPzSignature algorithm 'z' is not supported.)rLrMrN)pkcs11.util.dsar_pkcs11.util.ecr`signature_algo ValueErrornativerRSA_PKCS _hash_fully RSA_MECH_MAPDSA DSA_MECH_MAPECDSAECDSA_MECH_MAPNotImplementedErrorRSASSA_PSS_MECH_MAPDIGEST_MECH_MAP MGF_MECH_MAPEDDSAstructpackrK)r[r\r]r_r`rMrNkwargsrqparamspss_digest_parammgf_val pss_mgf_param pss_salt_lens r0r&r&sX 55FA,;;** "+"4"4F; !, 4" #//?"@F;  5 "+--F; !, 5" #//?"@F; 2 7 " "+//F; !, 5"  #11A"BF; 4 < ' %&LM M"5l"C6*:#;K#H#O#OOOO22BC{*+;<-.|<[IPP$W- m,33    %  ! 9 $ %&IJ J'oo{ 7 " %&GH H'oo{%+KKq!$D !!#N#33F G   (-/ Y A,[9@@As GGG lib_location token_labeluser_pinct|}|(|&tjdtt |}|j }t |||}|t| d|ddi}|||d<|jdi|S) a Open a PKCS#11 session :param lib_location: Path to the PKCS#11 module. :param slot_no: Slot number to use. If not specified, the first slot containing a token labelled ``token_label`` will be used. :param token_label: .. deprecated:: 0.14.0 Use ``token_criteria`` instead. Label of the token to use. If ``None``, there is no constraint. :param token_criteria: Criteria that the token should match. :param user_pin: User PIN to use, or :attr:`.PROTECTED_AUTH`. If ``None``, authentication is skipped. .. note:: Some PKCS#11 implementations do not require PIN when the token is opened, but will prompt for it out-of-band when signing. Whether :attr:`.PROTECTED_AUTH` or ``None`` is used in this case depends on the implementation. :return: An open PKCS#11 session object. z9'token_label' is deprecated, use 'token_criteria' instead)r+)r7r8zNo token matching criteria z foundzNo token foundrr=) p11_libwarningswarnDeprecationWarningr get_slotsr%ropen) rr7rr8rr r6r(rs r0r#r#@sD , C+"9 G  '[9 MMOE ugn ME })*.);6 B  "  F%z 5::  r2 no_resultsr+cert_idcg}||jd|d|7|jdtj|jdd|rddj |nd}|rd|d }|Sd |d }|S) Nzlabel ''zID 'asciiz with r;zCould not find certrBzFound more than one cert)r-binasciihexlifydecoderE)rr+r info_strs qualifiererrs r0_format_pull_err_msgr{s I 75'+,4 0 0 9 @ @ IJ!LM3<&9-./"I#I;a0 J) 15 Jr2pkcs11_sessionctjtji}|||tj<|||tj <|j |}t|}t|dk(r5|d}tjj|tjSt| ||}t|)Nr:r)rr+r)rCLASSr CERTIFICATELABELID get_objectslistrCr CertificateloadVALUErr)rr+r query_paramsqresultscert_objrs r0 _pull_certrs OO[%<%<=L (- Y__%%, Y\\"""<0A1gG 7|q1:$$Xioo%>??""{% #r2rdcJtdtdtffd }|S)Ndatar)c tj}|j||j}rIt j j tjd|djS|S)N)rarh)r\digest) rHashupdatefinalizer DigestInfolowerr Nulldump)rhrr\md_specrds r0_hz_hash_fully.._hss KK   ##&6%;%;%=&*iik)% df Mr2)rrU)r\rdrrs`` @r0rurus(()9:G5" Ir2ceZdZdZ ddedeedeejdeedee dee f fd Z d Z e d e fd Ze d Zd ed efdZ dde d ed e fdZd eejfdZdZdZdZxZS)r"a Signer implementation for PKCS11 devices. :param pkcs11_session: The PKCS11 session object to use. :param cert_label: The label of the certificate that will be used for signing, to be pulled from the PKCS#11 token. :param cert_id: ID of the certificate object that will be used for signing, to be pulled from the PKCS#11 token. :param signing_cert: The signer's certificate. If the signer's certificate is provided via this parameter, the ``cert_label`` and ``cert_id`` parameters will not be used to retrieve the signer's certificate. :param ca_chain: Set of other relevant certificates (as :class:`.asn1crypto.x509.Certificate` objects). :param key_label: The label of the key that will be used for signing. Defaults to the value of ``cert_label`` if left unspecified and ``key_id`` is also unspecified. .. note:: At least one of ``key_id``, ``key_label`` and ``cert_label`` must be supplied. :param key_id: ID of the private key object (optional). :param other_certs_to_pull: List labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If ``None``, pull *all* certificates. :param bulk_fetch: Boolean indicating the fetching strategy. If ``True``, fetch all certs and filter the unneeded ones. If ``False``, fetch the requested certs one by one. Default value is ``True``, unless ``other_certs_to_pull`` has one or fewer elements, in which case it is always treated as ``False``. :param use_raw_mechanism: Use the 'raw' equivalent of the selected signature mechanism. This is useful when working with tokens that do not support a hash-then-sign mode of operation. .. note:: This functionality is only available for ECDSA at this time. Support for other signature schemes will be added on an as-needed basis. r cert_label signing_cert key_labelkey_idrc t|| s|nd|_t| |s| nd|_t| |s| nd|_t|| s|nd|_||_||_d|_|t|dkrd|_ n| |_ | |_ d|_ d|_ d|_ t |=|||||j j#|||j j%|yy)z- Initialise a PKCS11 signer. NFr:) prefer_pss embed_rootsr)rrrrrr other_certs_other_certs_loadedrC bulk_fetchr] _key_handle_loaded_PKCS11Signer__loading_eventsuper__init___cert_registryregister_multipleregister)selfrrrca_chainrrrother_certs_to_pullrrrr] __class__s r0rzPKCS11Signer.__init__s$#  d viwTJ ztL !)vZ4P,.#(  *s3F/G1/L#DO(DO!2 # !#%       1 1( ;  #    ( ( 6 $r2c|js2|j}|jj|d|_|jS)NT)r_load_other_certsrr)rcertss r0_init_cert_registryz PKCS11Signer._init_cert_registrysC''**,E    1 1% 8'+D $"""r2r)c"|jSr4)rrs r0 cert_registryzPKCS11Signer.cert_registry's''))r2c:|j|jSr4) _load_objects _signing_certrs r0rzPKCS11Signer.signing_cert-s !!!r2r\cp|j}t|j|||jS)N)r])rr&"get_signature_mechanism_for_digestr])rr\s r0_select_pkcs11_signing_paramsz*PKCS11Signer._select_pkcs11_signing_params2s;,113+  3 34D E "44  r2rc8K|ry|jd{ddlm}|j|j |j j fd}t j}|jd|d{S7y7w)Ns00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000r) SignMixinc|jfij}jj|}|Sr4)signrLrN) signaturerkhspecs r0_perform_signaturez7PKCS11Signer.async_sign_raw.._perform_signatureLs@9(8(89I''3 44Y?  r2) ensure_objects_loadedpkcs11rrrrMasyncioget_running_looprun_in_executor) rrr\dry_runrrlooprrs ` @@r0async_sign_rawzPKCS11Signer.async_sign_raw<s ((***$((112BC  " " .**40D  '')))$0BCCC! + Ds"BBA4BBBBc4t|jSr4)set_PKCS11Signer__pullrs r0rzPKCS11Signer._load_other_certsUs4;;=!!r2c#PK|j}|t|dk(ry| |jr|jj t j tji}tjd|D]i}|t j}|||vsd|d}tj|tjj|t jky|D]5}d|d}tj|t!|j|7yw)Nrz.Pulling all certificates from PKCS#11 token...zFound certificate with label 'z ' on token.z Pulling certificate with label 'z' from PKCS#11 token...)rrCrrrrrrrloggerdebugrrrrrr)rother_cert_labelsrrr+msgs r0__pullzPKCS11Signer.__pullXs  ,,  (S1B-Cq-H   $##//+"9"9:A LLI J K 1$,9J0J;5'MCLL%**//0IJJ K+ = 7ug>'( S! !4!4e<< =s BD&B D&cRK|jry|jdtjx|_}tj}|j d|j d{|jy|jjd{y787w)a Async method that, when awaited, ensures that objects (relevant certificates, key handles, ...) are loaded. This coroutine is guaranteed to be called & awaited in :meth:`sign_raw`, but some property implementations may cause object loading to be triggered synchronously (for backwards compatibility reasons). This blocks the event loop the first time it happens. To avoid this behaviour, asynchronous code should ideally perform `await signer.ensure_objects_loaded()` after instantiating the signer. .. note:: The asynchronous context manager on :class:`PKCS11SigningContext` takes care of that automatically. N) rrrEventrrrrwait)reventrs r0rz"PKCS11Signer.ensure_objects_loaded{s$ <<     '+2==? :D 5++-D&&tT-?-?@ @ @ IIK&&++- - - A .s$A(B'*B#+2B'B%B'%B'cT|jry|j|j1t|j|j |j |_|jjtj|j|j}||_ d|_y)N)r+r)r+idT) rrrrrrrget_keyr PRIVATE_KEYrrr)rrs r0rzPKCS11Signer._load_objectss <<    "    %!+##4??DLL"D  ( (  # #4>>dkk)  r2) NNNNFTr=TNNF)F)rOrPrQrRrrrSrrrUrrpropertyrrrrKrrr rrrr __classcell__)rs@r0r"r"s.f%)37#'"&#'+7+7SM+7t//0 +7 C= +7+7%+7Z#*/** "" # % ;@DD-0D D2"3t'7'7#8"!=F.<r2r"cTeZdZdZ d dedeefdZdZde fdZ d Z d Z d Z d Zy)r$z+Context manager for PKCS#11 configurations.Nconfigrc.||_d|_||_yr4)r_session _user_pin)rrrs r0rzPKCS11SigningContext.__init__s  !r2c|jxs|jj}| t|}|S|jjt j k(rt}|Sd}|Sr4)rrrrS prompt_pinrDEFERr)rpins r0 _handle_pinz PKCS11SigningContext._handle_pinsbnn4 4 4 ?c(C  [[ # #'9'?'? ? C C r2r)c 2|j}|j} t|j|j|j |x|_}t||j|j|j|j |j"|j$|j&|j(|j*|j, S#tj$r7}td|jdt|jd||d}~wwxYw)N)r7r8rz'PKCS#11 error while opening session to z: [z] ) rrrr]rrrrr)rr r# module_pathr7r8rrrrtyperOr"rrrr raw_mechanismrrrrsigning_certificate)rrr sessionexs r0 _instantiatez!PKCS11SigningContext._instantiates   &9""%44 ' DMG    ''&&(($22 & : :((==NN33  !! 9&:L:L9MSQUVXQYQbQbPccefheij  s4C D2DDc"|jSr4)rrs r0 __enter__zPKCS11SigningContext.__enter__s  ""r2cKtj}|jd|jd{}|j d{|S77wr4)rrrrr)rrsigners r0 __aenter__zPKCS11SigningContext.__aenter__sP'')++D$2C2CDD**,,, E,s!4AAAAAAc8|jjyr4rcloserexc_typeexc_valexc_tbs r0__exit__zPKCS11SigningContext.__exit__s r2c@K|jjywr4rrs r0 __aexit__zPKCS11SigningContext.__aexit__s sr4)rOrPrQrRrrrSrr r"rrrr"r$r=r2r0r$r$sJ5HL"+"7?}"  l :# r2r$)NN)NNNN)krRrrloggingrr dataclassesrtypingrrrrrr r r r asn1cryptor r rasn1crypto.algosrcryptography.hazmat.primitivesrpyhanko_certvalidator.registryrpyhanko.config.pkcs11rrrpyhanko.pdf_utils.miscrpyhanko.sign.generalrrpyhanko.sign.signersrrrrrrrrr rr! p11_types ImportErrore__all__ getLoggerrOrTokenrSr1boolr5Slotintr%rK SHA1_RSA_PKCSSHA224_RSA_PKCSSHA256_RSA_PKCSSHA384_RSA_PKCSSHA512_RSA_PKCSrvSHA1_RSA_PKCS_PSSSHA224_RSA_PKCS_PSSSHA256_RSA_PKCS_PSSSHA384_RSA_PKCS_PSSSHA512_RSA_PKCS_PSSr|SHA1SHA224SHA256SHA384SHA512r~ ECDSA_SHA1 ECDSA_SHA224 ECDSA_SHA256 ECDSA_SHA384 ECDSA_SHA512rzDSA_SHA1 DSA_SHA224 DSA_SHA256 DSA_SHA384 DSA_SHA512rxSHA_1r}SignedDigestAlgorithmr&objectr#rUrrrur"r$r=r2r0rUs  !III ((,1; ,I'&)    8 $ }% .7oo  %S/ 4}%4.7oo4 4".23   3 c]3]+3ioo 3l $.  # #''''''''    ' '++++++++  HHjjjjjjjj    $$$$$$$$    """" """"   OO i44iii" i\"!%.2)- 8 8 c]8 #8 ]+ 8 C%& 8  8 z # C=e_( # C=e_2#D4h6hV??C  E  s0K99L > LL