Wwg}IdZddlZddlZddlZddlZddlmZddlmZddlmZmZddl m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZddlZddlmZmZddlmZdd lmZm Z dd l!m"Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)ddl*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?m@Z@mAZAddlBmCZCmDZDddlEmFZFmGZGddlHmIZIddlJmKZKddlLmMZMmNZNddlOmPZPmQZQmRZRmSZSmTZTddlUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\ddl]m^Z^m_Z_m`Z`maZaddlbmcZcddldmeZemfZfmgZgmhZhmiZimjZjmkZkmlZld d!lmmnZnd"d#lompZpd"d$l`mqZqd"d%lrmsZsmtZtmuZumvZvmwZwmxZxd"d&lymzZzgd'Z{eje}Z~ed(eid)*Zd+e5d,eefd-Zd+e5d,eefd.ZGd/d0Zed)1Gd2d3eeZeGd4d5Zedddd6d7ejd8ewd9ed:eed;ee;dZedddd6d7ejd8ewd9ed;ee;d>>c|jtjk(r3t|jj j }n|jtjk(r._pairss7 (:; %;C@*$ %s#0 0)_things)selfrrkvs ` ry__init__zValidationObjectSet.__init__s) % *02A12 2s (rjcHt|jjSr)iterrvalues)rs ry__iter__zValidationObjectSet.__iter__sDLL'')**r{ctdSN)rrr{ryemptyzValidationObjectSet.emptys "2&&r{N) __name__ __module__ __qualname__r r'rr r staticmethodrrr{ryrrs:3H5E,F3+(#34+''r{r)frozencLeZdZUdZeed< eeed< eeed< e ed<y)rbuR Result of validation of basic signatures. ETSI EN 319 102-1, § 5.3 ades_subindic api_status failure_msgvalidation_objectsN) rrr__doc__r<__annotations__rrfstrrrr{ryrbrbsD  $$ # ,+r{rbceZdZUeed<eeed<eeed<eeed<eje Z e ed<dZ eeed<dZ eeed <dZeeed <dZeeed <d Zy) _InternalBasicValidationResultrsignature_poe_timesignature_not_before_timevalidation_path)default_factory status_kwargsNtrust_subindic_updatesignature_ts_validitycontent_ts_validitysigner_attr_statusc|j}|j|d<|jr|j|d<|r|jr|j|d<|r|jr|j|d<|rW|j rK|j j |d<|j j|d<|j j|d<|di|S) Nrtrust_problem_indictimestamp_validitycontent_timestamp_validityac_attrscades_signer_attrsac_validation_errsr) rrrrrrrrr)r status_clswith_ts with_attrsrs ryupdatez%_InternalBasicValidationResult.updates** +/+?+? '(  % %373M3MM/ 0 t11262L2LM. / t//(( 6 7 $11(,(?(?(H(HM* %'':: . /'':: . /*M**r{)rrrr<rrrr, dataclassesfielddictrrrrPrrrNrrr{ryrrs **'11n--++++DAM4A488L18@D8$<=D>B":;B:>!67>+r{r) timing_infovalidation_data_handlersextra_status_kwargstst_signed_datavalidation_specexpected_tst_imprintrrrrc Kywrr)rrrrrrrs ryr`r` !$c Kywrr)rrrrrrs ryr`r`s !$rcK|xstj}|jxs |j}| t ||}|j ||}t |||||d{S7w)uW Validate a timestamp token according to ETSI EN 319 102-1 § 5.4. :param tst_signed_data: The ``SignedData`` value of the timestamp. :param validation_spec: Validation settings to apply. :param expected_tst_imprint: The expected message imprint in the timestamp token. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :return: A :class:`.AdESBasicValidationResult`. Nspecrrhandlers)rr)r+nowts_cert_validation_policycert_validation_policyr[build_validation_context'_ades_timestamp_validation_from_context) rrrrrrrrvalidation_contexts ryr`r`!sB;!5!9!9!;K11 2  1 1  '#E k$  0HH*BI9/   sA(A1*A/+A1 signer_info algo_policy control_time public_keyc|d}|j|||}|sYd|jd|d}tj||jt j t jy)Nsignature_algorithm)rzSignature algorithm z not allowed as of z:, which is the time of the earliest PoE for the signature.ades_subindication)signature_algorithm_allowedsignature_algorFSignatureValidationErrornot_allowed_afterr9CRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POE)rrrrsig_algo sig_allowedmsgs ry#_ades_signature_crypto_policy_checkrYs +66K*LH99,::K "8#:#:";< > ? -- 008"<<  'HH   r{rc#dK|y|jD]d}tj|D]}ttj | t |D]}ttj| f|jD]'}ttjt|)ywr) ocspsr3 load_multir'r(rtrTrocrlsrrr2)rocspcontcertcrls ry_enumerate_validation_objectsrss!"((K!,,T2 MD"#7#E#EtL L M(. KD"#7#C#CTJ J KK "&&L377c9JKKLsB.B0statusc#K|y|j}|r3|jdD]}ttj| t |t r:t|jEd{t|jEd{t |tr;t|jEd{t|jEd{yy7m7R7'7 w)NT) include_root) r iter_certsr'r(ro isinstancerO_enumerate_certs_in_pathsrrrrr)rpathrs ryrrs~  ! !D OOO6 KD"#7#C#CTJ J K&45,V-F-FGGG,V-N-NOOO&89,V-I-IJJJ,V-G-GHHH: HOJHsHA-C%/C0C% C ,C%9C!:C%C#C%C%!C%#C%c>Ktt|}t|xsi}tj|||d{}|j ||di|}|j sttj|d|S|jsttj|d|St|||ddd{} || _ tt|t| }t| j | j |ddd|S77Vw)N)rrrrrrac_validation_contextrFrrr)rrrrGvalidate_tst_signed_datarintactrbr8 HASH_FAILUREvalidSIG_CRYPTO_FAILURE_process_basic_validationrrrr) rrrrrvosrstatus_kwargs_from_validationr interm_results ryrrs= ;K48I((..#<  !"<<N+-=f #    * *jmm ;)44I( (((4,/'')B-)-6,?,?)!$5$D$DD*== #///%55)11 $11AA/77 -8 88(F2$/!44[AI +EE&66))0#N3   &6M )#/%";0F3EF#33(/:  i Zs&BGGDGGAGGc|jj||}|j|jj||}n|}|j|jj||}nd}|||fS)Nr)rrrac_validation_policy)rrrrr rs ry _init_vcsr.-s ..GG#.F H  00<  5 5 N N'2J O   !3++7  0 0 I I'2J J   !% 46K KKr{)r raw_digestrrrr/c Kywrrr rrrr/rrrs ryr]r]Os !$rc Kywrrr rrr/rrrs ryr]r]]rrc K|xstj}| t||}t|||\}} } t ||| | |j |||||j  d{} t| tr| S| jtdd} tt|t| t| t| } t| j| d| S7yw)u Validate a CMS signature according to ETSI EN 319 102-1 § 5.3. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr) r rr rkey_usage_settingsr/rrralgorithm_policyFTrr)r+rr[r._ades_basic_validationr5signature_algorithm_policyrrbrrOrrrr)r rrr/rrrrrr rrrrs ryr]r]jsH;!5!9!9!;K'#E k$   /;0HI 1-33*==";/(CC  M-!:;)6)=)="Ed*>*F %&89%&;<%&;<!&)  C %#11  3 sA%C#'C!(A:C#r5r6c Kt|xsi} tt|t|t|} tj|||||d{} | j | | di| }|jsttj|d| S|j sttj"|d| St%|||||d{}| |_|S7#t j$r?} t| jxstj| jd| cYd} ~ Sd} ~ wwxYw7dw)N)r/rr5r6rrrr)rrrrGcms_basic_validationrrFrrbrr9r failure_messagerr8rrrrr)r rr rr5r/rrr6rrrrerrs ryr7r7sY,23M %&89%&;<%&;< C  .9.N.N !11- / ) % :;)9=9F ==(%22"   \\(%88"   43"; M#0M S)   * * (..K2C2K2K))"    2sS8EC+C)C+.A-EE E)C++D=>4D82D=3E8D==Ec(eZdZUeed<eeed<y)rcbest_signature_timerN)rrrrrrrr{ryrcrcs!!'11r{rcc Kywrrr3s ryr^r^ s $'rc Kywrrr1s ryr^r^s $'rc @ K|xstj}| t||}t|||\}} } |dddj} |j | } t ||| | |j|||||j d{} t| trktt|t| t| t| j}t| j | j| j"| ||S| j t$vrt| t&sJ| j(}| j+|dd }tt|t| t| t|}t| j |d| ||St-j.|}| j+|d d }t-j0|}|[tt|t| t| t| }tt2j4|d |j6||St9||d | d{}tt|t| t| t| t|j}|j t:j<k7rt|j |d| ||S|j}t|t>sJ| tA|jB| } n |jB} || _"| | _#| j t2jHk(r6|jJ}| |jLk\rt| j |d| ||S| j t2jNk(r8| |jPjRkrtt2jT|d| ||S| j t2jVk(s| j t2jXk(r*| |jZk\rt| j |d| ||S|$|| kDrtt2j\|d| ||Sd| _/d| j`d <| j+|dd }tt:j<|d| ||S7 7Rw)u Validate a CMS signature with time according to ETSI EN 319 102-1 § 5.5. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nrrlrrm) rr rr5r/rrrr6)rrrr>rrTrFzNo signature timestamp presentrr)1r+rr[r.rx poe_managerr7r5r8rrbrrrrrcrr_WITH_TIME_FURTHER_PROCrrrrGrcompute_signature_tst_digestr9SIG_CONSTRAINTS_FAILUREr>r r:rrPminrrrrrrrrnot_valid_before NOT_YET_VALIDr TRY_LATERerror_time_horizonTIMESTAMP_ORDER_FAILURErr)r rrr/rrrrrr r sig_bytesrrrrrr r sig_ts_resultr%r'rs ryr^r^&sH;!5!9!9!;K'#E k$   /;0HI N+A.{;BBI1==iH0-33*==";/(CC  M-!:;! )*< = )*? @ )*? @ %m&>&> ?   ,'55$//%11 2&?"     $ $,C C-)GHHH$1$K$K!")) * " )*< = )*? @ )*? @ %j 1   ,'55! 2&?"   11+>K&&Ed'K 99+FJ" )*< = )*? @ )*? @ %m 4   ,+CC"8 + ? ?&?"   4'*M %&89%&;<%&;<!-0!-":":;  C""jmm3+'55" 2&?"   ((I i!9 :: :% !4!46HI&00*3M''9M$""&7&F&FF*5*H*H !=!= =/+99& $6*C#&    $ $(9(N(N N  8 8 I I I//==& $6*C#&   ##  > > ?  & &*;*E*E E !?!? ?/+99& $6*C#&   "- %(: :++CC" 2&?"   +/M'9=M 56  ! !*dt ! LF ' mm.";  O Vs&B R R F=R R IRRcZeZdZdejdefdZdejdeefdZ y) _TrustNoOnerrjcy)NFrrrs ryis_rootz_TrustNoOne.is_root sr{ctdSr)rrQs ryfind_potential_issuersz"_TrustNoOne.find_potential_issuerss Bxr{N) rrrr CertificateboolrRr rrTrr{ryrOrO s;D,,$$ + r{rOrr(rBcDtfd|jDS)Nc3VK|] }|jjk"ywr)rleaf).0 prov_pathr(rBs ry z0_crl_issuer_cert_poe_boundary..s-  INN''(F2s&))any prov_paths)rr(rBs ``ry_crl_issuer_cert_poe_boundaryr_s#  r{rc:||jj|kSr)r[rY)rr(rBs ry_ocsp_issuer_cert_poe_boundaryras t~~** +v 55r{rrevocation_checking_rulecKj}|jt}dtjffd }t j |Dcgc] }|| c}}j} g} g} t} |D]} | d{\}}|D]i}t|j| r| j|,|jjj}| jt!|k|D]i}t#|j| r| j|,|j$j&j}| jt!|k| s| r6j(j+| j(j-| | | fScc}w7)w)N)r trust_managerisscdtt|g}t|jS)N) trust_anchorintermrY)rrevinfo_managerrrb)r,rr*ri)retruncated_pathrrrbrs ry_for_candidate_issuerzB_find_revinfo_data_for_leaf_in_past.._for_candidate_issuer6s:'(-bt /4DD%%=   r{) cert_registryrTrOrrUasyncio as_completedrBsetr_r appendrrsrqaddr)ra ocsp_responseruri evict_crls evict_ocsps)rrrrbregistrycandidate_issuersrkre job_futuresrBrrto_evict fut_resultsnew_crls new_ocspscrl_oi revinfo_dataocsp_ois```` ry#_find_revinfo_data_for_leaf_in_pastr#s(55H 77 8  4#3#3   &&/@A s #AK+66K "D*,E5H"; $//) ;F,,,k F#%zz22779  ^L9: ;! ;G---{ W%&44GGLLN  ^L9: ;;0 u 00;;HE 00<$> !)88O$,&222 /11lln! 2 ! % llnelln >C(--4I  --"e#EF0KK  s5D-C B0B*B0&C (B,)C  C D-$B.%D-*B0,C .D-0C 2D-CD- C' C#!C''AD-current_time_sub_indicr is_timestampcKt|d|}|dddj}||} t|} | j} |jj | j |r|jxs |j} n |j} t| ||| jj j"d{\t%| | | d{\} } fd }|| kr|tj&k(s|tj(k(r || S|tj*tj,fvr| S|tj.tj0fvrL|| j2kr%tjd t4j6 || j8kr || Stj:d | #t$r&tjdtjwxYw767 w)NT) is_historicalpoe_manager_overriderlrrmz,signer certificate not included in signaturer)rrb)rrcrtxss'tj}tjd|y)N)zoPOE for signature available, but could not obtain sufficient POE for the issuance of the revocation informationr)rVr9REVOCATION_OUT_OF_BOUNDS_NO_POErFr)r leaf_crls leaf_ocspss ry(_pass_contingent_on_revinfo_issuance_poezQ_ades_past_signature_validation.._pass_contingent_on_revinfo_issuance_poes=I+,&FFF11! $*  -r{z'Signature predates cert validity periodrzHPast signature validation did not manage to improve current time result.)r[rxrArrlregister_multiple other_certsr=rFrr9NO_SIGNING_CERTIFICATE_FOUNDrrrrevinfo_policyrevocation_checking_policyee_certificate_rulerrrIREVOKED_CA_NO_POErrOUT_OF_BOUNDS_NOT_REVOKEDrGr8rHr SigSeedValueValidationError)r rrBrrrrsignature_bytesr>r*rr cert_pathrrrrs @@ry_ades_past_signature_validationrs" Bt+ ".1!4[AHHO%o6  ,[9 $$ ..@@  ! !   5 5 655  "1!G!G"E  & " 1 1 L L ` ` #Iz(E 5!9("I o- #&7&F&F F%):)D)DD 4 6  #  / /  ? ?(    #  2 2  7 7(  #T%:%::55$M'2'@'@%(<(<<8:    , , .2  Y  -- :0MM   "s<)G?>#D)   sB&B(dssc #K|jD]i}|jj}tt |t t jttj|k|jD]i}|jj}tt |t t jttj|k|jj!D]j}|jj}tt |t t j"t$j&j|lyw)Nrr)r get_objectrrr)r'r(rrr2rloadrrtr3rcertsrrorrU)rcrl_objrocsp_objcert_objs ry!_read_validation_objects_from_dssrs688 !!#(( !$'.044"?#7#7#=>   II ""$)) !$'.0>>#L$5$5d$;<   II$$& ""$)) !$'.0<<&&++D1   sE9E;rinclude_content_ts diff_policyc ht}t}g}t|jD]\}}|j||dut ||j }|j } d} d} |jdk(r| } d} n#|r!tj|jd} | tj|} |jt| |j||j!} |j#t$j&k\}|rT|j)t+|j t-| t/|| | |j1t}|jt3| |jt3| |jd}| s' t5|d }|jt7||jd j<}|j?tAtC|tEtFjH|j   tK|d } tK|jdd}tOjP||D]^}|d}|dD]O}|d j<}|j?tAtC|tEtFjR|  Q`|S#t$rYwxYw#t8t:f$rY&wxYw#t:tLf$rd}YwxYw#t:tLf$rd}YwxYw)N) skip_diff)revisionFz /DocTimeStampTr)rrrrrrradobe_revocation_info_archivalrmrrcontent_time_stamprunsigned_attrssignature_time_stamprrl)*ro enumerateembedded_signaturescompute_integrity_infor6signed_revisionr sig_object_typerGrrrDread_dssrrrUcompute_digestevaluate_signature_coveragerLENTIRE_REVISIONrprr frozensetsummarise_integrity_inforrCrr?r@rxrqrr)r'r(rvrBr>rrrw)rrrcollected_so_far for_next_tsprima_facie_poe_setsix embedded_sig hist_handlerr ts_signed_data is_doc_tsrrcoverage_normalr revinfo_attrrL content_tsessignature_tsests_datats_data_contentts_signer_info ts_sig_bytess ry0_build_prima_facie_poe_index_from_pdf_timestampsrsc<14,/5K?A &a&;&;<GL++ !T) , * 44 '3&>&> 37  ' '? :(NI (99((N  % +44\B ''(I#(NO  # #K 0%446J88:)99: $++/%1%A%A%7%G%./?%@4B#-&2&K&K&M  "e   6~F  A+NO $//?  -$&F ""B<P!,,[9@@  %i0"2 4 @ @ '22 #   -2L  /(()9:&N!~|D G%i0O"1."A -k:AA &-l; +;(<(F(F"1+    oGR G#  Z./HI  2*+=> L *+=> N sH)/K 6&K0> L L K-,K-0LLLLL10L1rcur_timing_infoc Kt|d}|xs(tjtj}t }|j j|t|D]w\}}t|}|t|dz kr||dz}|j|t|||} t|j|||j| |jt d{} | j"} | j$t&j(k(r|j|| j$t&j*k(rt-j.d| t1| t2sJt5|j||| |j6 d{} | j$t&j(k(r|j|ct-j.d | |S77Pw) Nc|jSrr)ps ryz+_validate_prima_facie_poe..hs r{)keyrrSrr)rrrrrrrz9Permanent failure while evaluating timestamp in PoE chainr)r rrBrrzZCould not validate timestamp in PoE chain at current time, and past validation also failed)sortedr+rrrr%local_knowledgerrrlenr[r`rrrrIrrr;PASSEDFAILEDrFrrr9rr) rrrcandidate_poesresulting_poesrpoetemporary_poesnext_poercur_time_result sub_indicrs ry_validate_prima_facie_poer%^s06NON%)=)A)A  "*O \N##66~F^,2Cn- N#a' '%b1f-H  ' ' 7#E '!/$  !:;;+'!$%= # 1 1.!  $11   z00 0  " "> 2   !2!2 211K#,  i):; ;; >;; /*'0"1"A"A !K!!Z%6%66&&~655<'0]2f O 0s&C,G..G*/B,G.G,AG.,G.c4eZdZUdZeeed< eeed<y)rdu Result of a PAdES validation for a signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. oldest_evidence_record_timestampsignature_timestamp_statusN)rrrrrrrrbrr{ryrdrds, '/x&88!))B CCr{rdrc K|jdj}|j}|jxs |j}|j }|y|j }|Jt||||t|||d{} | j} t| tr| tvry t|||| |jdd{} tt j"| j$r!t'j(| j$| ndd| j*} n| } |d d j4}|D|j7|d d |j r!|dj}|j9||| S77#t,j.$rE} t| j0xs| | j2| j$| j*} Yd} ~ d} ~ wwxYww)Nrmr)rrrrrTr)rrrrrmessage_imprinthash_algorithm)momentr)rrxattached_timestamp_datarralgorithm_usage_policycompute_tst_digestr`r[rrr9_LTA_TS_FURTHER_PROCrrrbr:rrrreplacerrFrrr;rdigest_algorithm_allowedregister)rrrBrr signature_tsrrrsignature_ts_prelim_resultts_current_time_sub_indicrsignature_ts_resultr<rsignature_ts_dts ry_process_signature_tsr9s #..{;BBO#/#G#GL11 2  1 1)??K'::<  ++ +'@$'1!C #!," ( "!; H H ,.?@ %)= = %D( /''@"-"="=! %O#<(mm2<<  ''2==(7  #=#P#P # ,901)<CCH;#G#G"#$45**$H$#:.55_o> } "*,.. ";22O6O--5@@#=#P#P #  sPBG!F(G!.F F AF%AG!FG;GG!GG!readerc & tj|}|jDcgc]I}tjt j |jjD]}|K}}}|jDcgc]9}ttj |jj;}}t|j}t|||}|Scc}}wcc}w#t$rt}Y|SwxYw)N)rs) known_ocsps known_crls known_certs)rDrrr3rrrrrrr2rlist load_certsrVrU) r:rrespr dss_ocspsrdss_crls dss_certsrs ry_dss_to_local_knowledgerE*s +#,,V4  %00!!$//"3"8"89     xx  /"6"6s~~7G7L7L"M N  )* (!!  '   +(* +s/$C9AC.4C9>C4)C9. C99DDpdf_validation_specc K|xs(tjtj}t j d|j }|j}|j}tj }t|j|jz|j|jz|j|jz|j|j}t!j"||} d} d} t%|| |d{} t't)fd |d d } | | j*} n!|jst,j/d | t5} |j7| | Jt9| |t;| }t=j>| ||jA|jCtDd{}|jF}|tHvrAd|d}tK||jL||jN|jP| d|jRSjTdjV}| jY|tZj\|jNt_| t;| |d{}ta|tbr;t;| } tej>| |||jfdd{|} | |}| jljn} jp}|#tsjT|||jttvjx}d}tK||jL|||jP|| |jRS7c#t0j2$r"} t,j/d | Yd} ~ Ed} ~ wwxYw777#t0j2$rX} ||}tK| jhxs|| jj|jL||jP|| |jRcYd} ~ Sd} ~ wwxYw#t0j2$r'} | jhxs|}| jj}Yd} ~ d} ~ wwxYww)u Validate a PAdES signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. For the purposes of PAdES validation, the chain of document time stamps in the document serves as the unique Evidence Record (ER). :param embedded_sig: The PDF signature to validate. :param pdf_validation_spec: PDF signature validation settings. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A validation result. rTrr)r:)r<r=r> known_poesnonrevoked_assertions)rN)rrc6|jjkDSr)rr)r rs ryrz%ades_lta_validation..sC,,|/K/KKr{c|jSrr)r s ryrz%ades_lta_validation..s C,,r{)rdefaultzRNo document timestamps after signature; proceeding without past proof of existencezXDocument timestamp chain failed to validate; proceeding without past proof of existence.)exc_info)rrr)r rrrr/rrrz?Validation of signature at current time failed with indication z!. Past validation not applicable.)rrrr>rr'r(rrm)rdt)rrBrFr)rrrr>rr(r'r)rrr)rrrr>rr(r'r)=r+rrrrr:rsignature_validation_specrrErVr<r=r>rIrJrr1r%rFfilterrrrrFrr%rr[rr^r rrrJr_LTA_FURTHER_PROCrdrr>rrrrxr3r&rr9rr9rrrr;rr.rrrr:r)rrFrrpoe_listrinit_local_knowledge dss_factsraugmented_validation_specupdated_poe_managerr'oldest_docts_recordr<with_time_data_handlerssignature_prelim_resultrrrr7past_sig_poe_managersig_poerrrrs` ryr_r_Es4!5!9!9  ""K @'33H *CCO*::(|/B/BCI$(44y7L7LL'22Y5I5II(44y7L7LL'222HH O!, 3 3!'+$ $= 5'%  " K -    */B/O/O , ++ NN2 (/(l**+>?  ** * A &!"56 %> ,,1!8..0";(AAC% % 5BB%66 012   '0.99# 7 K K'AA-M'+6II  #..{;BBO  ## " 6 6!!61,- !(*;< $$78 1(44 90'="-"="="   #7 (-_= "88OO (!-!9!9  " /(('/??   #  ##*55. # = =#6)I2EE  m .  * *  /    * V .. *?;G*22L6L--2==$++EE+>4#:#M#M  J  * *(,,F0F '' (sDQ'M<M9AM<'A8Q'N4 B9Q'N7Q':(N<"N:#N<)Q'AP*1Q'9M<<N1N,&Q',N11Q'7Q':N<<P'A P"P'Q'"P''Q'*Q$=QQ'Q$$Q'future_validation_timecurrent_reference_timec  K|xs$tjtj t |d|}t |j dd|j}|j t|j  t j} |j jd}|jt|jj | fd}t%j& t|| } t%j&|t%j&|t)t*j,|  } t/|| | d{S#t"$rYwxYw7w) a .. versionadded:: 0.21.0 Simulate a future LTA validation of a PDF signature, assuming perfect timestamp maintenance until the specified point in time. .. warning:: This is experimental API. The purpose of this utility function is to act as a sanity check for signers and signature archivists. It takes validation spec, a future validation time and a current reference time (defaults to the current time), and, by fiat, generates proofs of existence for all relevant objects in the PDF for that reference time. It then executes the PAdES LTA validation algorithm with that set of PoEs against the future validation time, with all remote fetching functionality disabled. The idea is that this allows the caller to assess whether a signature is "LTA maintainable", i.e. whether it contains the necessary information for the signature to remain validatable if the timestamp chain is extended properly. If this check fails but the signature validates at the current time, it may indicate a lack of contemporaneous revocation information. :param embedded_sig: The signature under scrutiny. :param pdf_validation_spec: The validation spec against which the simulated validation should be executed. :param future_validation_time: The future validation time at which the validation should be simulated. :param current_reference_time: The reference time at which all relevant objects in the PDF are presumed to have been proven to exist for the purposes of the (future) validation being simulated. Defaults to the current time. :return: An AdES LTA validation result. rT)rpoint_in_time_validationr>NrH)atc3KjEd{jEd{D]F}|jD]5}ttj|j |j 7Hy7i7Rwr)assert_existence_known_atrr$r&PROVIDEDrr)prima_facie_poeitem dss_knowledgerorig_local_knowledgeprima_facie_poess ry_poesz2simulate_future_ades_lta_validation.._poesgs (AA#FFF ::3???/ O'44 $--;; &*&<&<    G?s BBBBABB)rIrJ)revinfo_gathering_policyr)rP)r)rrrutcr+rr:rPrrEr?rJembedded_timestamp_signaturesrpr.rsha256 IndexErrorrr1rYrX LOCAL_ONLYr_)rrFr]r^rorig_sig_validation_specnew_nonrevoked_assertionslast_tsrkupdated_local_knowledgeupdated_pdf_validation_specrhrrirjs @@@@ryrara"sjX ! AHLLHLL$AC&.!%2K H$ 3LL3CC+L,?,?@M $%9%O%O P %%CCBG!(( %##**/E  &*11=7 #."5"5"-"5"5 $%@)44&4 #  #%# M    L s8BE:A E)!BE:$E8%E:) E52E:4E55E:r)NN)rrmrrloggingrrrrtypingrrr r r r r rrrrrrrrr asn1cryptorrrasn1_pdfrrasn1crypto.crlrasn1crypto.ocsprpyhanko_certvalidatorrpyhanko_certvalidator.authorityrrpyhanko_certvalidator.contextr r!pyhanko_certvalidator.errorsr"#pyhanko_certvalidator.ltv.ades_pastr#pyhanko_certvalidator.ltv.poer$r%r&r'r(r)$pyhanko_certvalidator.ltv.time_slider*pyhanko_certvalidator.ltv.typesr+pyhanko_certvalidator.pathr,!pyhanko_certvalidator.policy_declr-r.r/pyhanko_certvalidator.registryr0r1&pyhanko_certvalidator.revinfo.archivalr2r3*pyhanko_certvalidator.revinfo.validate_crlr4+pyhanko_certvalidator.revinfo.validate_ocspr5pyhanko.pdf_utils.readerr6r7pyhanko.sign.ades.reportr8r9r:r;r<pyhanko.sign.generalr=r>r?r@rArBrCpyhanko.sign.validationrDrErFrG pyhanko.sign.validation.settingsrHpyhanko.sign.validation.statusrIrJrKrLrMrNrOrP diff_analysisrRrrTrU policy_declrVrWrXrYrZr[utilsr\__all__ getLoggerrrrfrrzrrerrbrrr` SignerInfo PublicKeyInforrrrrVr rr.r]r7rcrrrrrrIrrCr^rOr_rarUrrrrrrrrRevocationInfoArchivalrrrr%rrrRr0rdr9rEr_rarr{ryrsK !'$ & *(3H3=Q@5 ENDNF A   '%#+    8 $ \D I  e_$1,<1#1.''$ $ 3> !+!+ !+H 37AE48 $^^ $, $  $ Z $ ./ $''=> $"$sCx.1 $ $  $ 37AE48$^^$,$ $ ./ $ ''=> $"$sCx.1$$ $37AE48'5^^5,5 5./ 5 ''=> 5 "$sCx.1 55p  %  ++,  4 L !23 Lt+, LI /#A4G HI*59' 2^^2)2 2"$sCx.1 2  2j-1?D$QQ Q-Q$$56 Q (1 QhL,L%L5LD 37"&AE4848 $ $, $Z $ ./ $  $''=> $ (1 $"$sCx.1 $ $  $ 37"&AE4848 $ $, $./ $  $ ''=> $ (1 $"$sCx.1 $ $  $37"&AE4848)MM,M./M M ''=> M (1 M"$sCx.1MM`<<)<-<$$56 < , <  < (1<"$sCx.1<67<Z < $&D DE<~ $2#<22 $ ;;((++##..   37"&AE4848 ' ', './ '  ' ''=> ' (1 '"$sCx.1 '" '  ' 37"&AE4848 ' ', 'Z ' ./ '  '''=> ' (1 '"$sCx.1 '" '  ' 37"&AE4848)aa,a./a a ''=> a (1 a"$sCx.1a"aH,  (7A6 6*26AK6 D   D4DD5 DN(   ( 4( 5(  >8 #$ ( Vgg,gg%%67 g  g  gg^-1 5C5C,5C5C%%67 5C  ) 5C  5Cp $(((  $*   !4-. 4'3>>'h'  55 !4-. *  !4-. @t t t *%t  %& t z7; F:;F - F 23 FFR ((++..33;;99##  !++..33;;99  $:,Q&Q,QQ& Q '( Qh <3748 Z&Z3Z./Z (1 Z  ZB26 l&l3l%l%X. l  lr{