Wwg`ddlZddlZddlmZddlmZddlmZmZddl m Z ddl m Z ddl mZddlmZdd lmZmZdd lmZdd lmZmZdd lmZdd lmZddlmZddlm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)gdZ*ddl+m,Z,ddl-m.Z.ej^e0Z1eGddZ2dZ3GddZ4 d&d e)d!efd"Z5dd#dddejld#fd e)d!ed$e7fd%Z8y)'N) dataclass)field)IterableOptional)crl)ocsp)x509) Certificate)CertificateValidatorValidationContext)ValidationPath)genericmisc)pdf_name)IncrementalPdfFileWriter) get_and_apply) PdfHandler)BasePdfFileWriter)extract_certificate_info)NoDSSFoundErrorValidationInfoReadingError)EmbeddedPdfSignature)VRIDocumentSecurityStoreasync_add_validation_infocollect_validation_infoenumerate_ocsp_certs)SerialisedCredential) PdfFileReaderceZdZUdZeeZeed< eeZeed< eeZ eed< de jfdZ y) raA VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature. .. note:: The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler. )default_factorycertsocspscrlsreturnctjtdtdi}|jr+tj|j|td<|j r+tj|j |td<tj|j |td<|S)zT :return: A PDF dictionary representing this VRI entry. z/Type/VRIz/OCSPz/CRLz/Cert)rDictionaryObjectrr& ArrayObjectr'r%)selfvris R/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/sign/validation/dss.py as_pdf_objectzVRI.as_pdf_objectBs &&(98F;K'LM ::%,%8%8%DC! " 99$+$7$7 $BC !!(!4!4TZZ!@HW  N) __name__ __module__ __qualname____doc__ data_fieldsetr%__annotations__r&r'rr+r0r1r/rr's[C0E30C0E303/D#/ w77 r1rc#K|dj}|dk(r5|d}|djdk(r|dj}|dEd{yyy7w) zJ Essentially nabbed from _extract_ocsp_certs in ValidationContext response_status successfulresponse_bytes response_typebasic_ocsp_responseresponser%N)nativeparsed) ocsp_responsestatusr=r@s r/rrPsn , - 4 4F &'78 / * 1 15J J%j188H( ( ( K )sAAA Ac ReZdZdZ ddeefdZedZdZ dZ dZ d Z e d ejfd Zd d d d dZdZd eej*fdZ d d efdZeded dfdZeddddddddeded dfdZedddddddddd dededeedefdZy)!rz, Representation of a DSS in Python. Nwriterc||ni|_||ni|_||ng|_||ng|_||_||nt j |_i}|jD]!}|jj} ||| <#||_ i} |jD]!} | jj} | | | <#| |_ d|_ y)NF) vri_entriesr%r&r'rFrr+backing_pdf_object get_objectdata _ocsps_seen _crls_seen _modified) r-rFr%r&r'rHrI ocsps_seenocsp_ref ocsp_bytes crls_seencrl_ref crl_bytess r/__init__zDocumentSecurityStore.__init__bs+6*A;r#/UR #/UR  ,D"  "- ))+     .H!,,.33J%-Jz " .& yy +G**,11I#*Ii  +$r1c|jSN)rNr-s r/modifiedzDocumentSecurityStore.modifieds ~~r1c|js:d|_|j&|jj|jyyy)NT)rNrIrFupdate_containerrXs r/_mark_modifiedz$DocumentSecurityStore._mark_modifieds>~~!DN&&2 ,,T-D-DE3r1c#K|D]}|j} ||y#t$r\|jjt j |}|j |||<|j||YwxYww)N stream_data)dumpKeyErrorrF add_objectr StreamObjectr\append)r-objsseendestobj obj_bytesrefs r/_cms_objects_to_streamsz-DocumentSecurityStore._cms_objects_to_streamss C I 9o%  kk,,((Y?##%"%Y C   s&B #B A"BB BB c`fd}|Dcgc]}|j|c}Scc}w)Nc3FKD]}t|Ed{y7wrW)r)respr&s r/ extra_certszADocumentSecurityStore._embed_certs_from_ocsp..extra_certss' 6/555 65s !!) _embed_cert)r-r&rocert_s ` r/_embed_certs_from_ocspz,DocumentSecurityStore._embed_certs_from_ocsps, 66A]CE  'CCCs+cR|j td |j|jS#t$rYnwxYw|jj t j|j}|j||j|j<|S)N"This DSS does not support updates.r^) rF TypeErrorr% issuer_serialrarbrrcr`r\)r-certrjs r/rpz!DocumentSecurityStore._embed_certs ;; @A A ::d001 1   kk$$  TYY[ 9  ), 4%%& s 2 >>r(ctj|jjj }t d|zS)a Hash the contents of a signature object to get the corresponding VRI identifier. This is internal API. :param contents: Signature contents. :return: A name object to put into the DSS. /)hashlibsha1digesthexupperr)contentsidents r/sig_content_identifierz,DocumentSecurityStore.sig_content_identifiers< X&--/335;;=e $$r1r9r%r&r'c|j tdt|}t|}t}t}|Dchc]}|j |}}|r0t|j ||j |j}|r0t|j ||j|j}|jt|j||Ut|||} |jj| j|j|<|j!yycc}w)a Register validation information for a set of signing certificates associated with a particular signature. :param identifier: Identifier of the signature object (see `sig_content_identifier`). If ``None``, only embed the data into the DSS without associating it with any VRI. :param certs: Certificates to add. :param ocsps: OCSP responses to add. :param crls: CRLs to add. Nrtr)rFrulistr7rprkrLr&rMr'updaterrrrbr0rHr\) r- identifierr%r&r' ocsp_refscrl_refsrw cert_refsr.s r/ register_vriz"DocumentSecurityStore.register_vris&" ;; @A AU DzE 58=>T%%d+> > ,,4++TZZI ,,T4??DIINH T88?@A  !IYXFC+/;;+A+A!!#,D  Z (    ! "#?sEc|j}tjt|jj |d<|j r"tj|j |d<|jr+tj|j|td<|jr+tj|j|td<|S)z Convert the :class:`.DocumentSecurityStore` object to a python dictionary. This method also handles DSS updates. :return: A PDF object representing this DSS. /Certsr*/OCSPs/CRLs) rIrr,rr%valuesrHr+r&rr')r-pdf_dicts r/r0z#DocumentSecurityStore.as_pdf_objects**$00djj6G6G6I1JK   &778H8HIHV  ::+2+>+>tzz+JHXh' ( 99*1*=*=dii*HHXg& 'r1c#K|jjD]5}|j}tj|j }|7yw)z Return a generator that parses and yields all certificates in the DSS. :return: A generator yielding :class:`.Certificate` objects. N)r%rrJr loadrK)r-cert_ref cert_streamrws r/ load_certsz DocumentSecurityStore.load_certs sM ))+ H080C0C0EK##K$4$45DJ sAATc~t|}|jdg}t|j|z}|rt|jdd}|jD]L}|j }t jj|j}|j|N||d<t|jdd} |jD]L} | j } tjj| j} | j| N| |d<tdd|i|S)ag Construct a validation context from the data in this DSS. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :param include_revinfo: If ``False``, revocation info is skipped. :return: A validation context preloaded with information from this DSS. other_certsr&r9r')dictpoprrr&rJ asn1_ocsp OCSPResponserrKrdr'asn1_crlCertificateListr ) r-validation_context_kwargsinclude_revinforor%r&rP ocsp_streamrnr'rS crl_streamrs r/as_validation_contextz+DocumentSecurityStore.as_validation_contexts)%))B$C!/33M2F T__&'+5 266wCDE JJ #4<4G4G4I  --22;3C3CD T" #27 %g .155fbABD99 !3:3E3E3G ..33JOOD C  !15 %f - PUP6OPPr1handlerc0 |jd}i}t|dtg}|D]@}|j }t j|j}|||j<Bt|dtg} g} | D]L} | j } tjj| j} | j| Nt|dtg}g}|D]L}|j }tjj|j}|j|N t|d}t!|t"r|}nd}|||| |||}|S#t$r}t|d}~wwxYw#t$rd}YNwxYw) a Read a DSS record from a file and add the data to a validation context. :param handler: PDF handler from which to read the DSS. :return: A DocumentSecurityStore object describing the current state of the DSS. /DSSNr)defaultrrr*)rFr%r&rHr'rI)rootrarrrrJr rrKrvrrrdrrr isinstancer)clsrdss_dicter cert_ref_listrrrwrr&rPrrnrr'rSrrrHrFdsss r/read_dsszDocumentSecurityStore.read_dss8s +||F+H %h$K % 5H080C0C0EK + 0 01A1A BD,4Id(( ) 5 "(HdBG ! H080C0C0EK))..{/?/?@D LL   !7D"E G/6/A/A/CJ**// @C KK    x/0K g0 1FF #'   _ +!# * +6 K s)E+8F+ F4 E??F FFr%r&r'pathsvalidation_context embed_rootspdf_outrc |j|} d} |tj|} nd} dtt j ffd } fd} fd}| j| | | | | j}| r9|j|}||jtd <|j| S#t$rd} ||} YwxYw) aD Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object. You can either specify the CMS objects to include directly, or pass them in as output from `pyhanko_certvalidator`. :param pdf_out: PDF writer to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :return: a :class:`DocumentSecurityStore` object containing both the new and existing contents of the DSS (if any). FT)rFNr(c3KxsdEd{xsdD]$}t|}s t||Ed{&y727 wNr9)iternext)path path_partsr%rrs r/_certsz:DocumentSecurityStore.supply_dss_in_writer.._certssO{ " "  &!$Z "$%%%  & #&s AA*AAAAc3`KxsdEd{jEd{yy77wr)r&)r&rsr/_ocspsz:DocumentSecurityStore.supply_dss_in_writer.._ocspss7{ " "!--3333. #3 .*.,..c3`KxsdEd{jEd{yy77wr)r')r'rsr/_crlsz9DocumentSecurityStore.supply_dss_in_writer.._crlss7zr ! !!--2222. "2rrr) rrrrrr r rr0rbrr update_root)rr sig_contentsr%r&r'rrrrcreatedrrrrrdss_refs `````` r/supply_dss_in_writerz*DocumentSecurityStore.supply_dss_in_writervst &,,w'CG  #.EEJJ &!1!12 & 4  3  fhfhUW  $$& ((2G-4GLL&) *    ! U* &GW%C &sCC('C(F) r%r&r'rr force_writerfile_credentialstrictrrrc t|| } | j| | jj| |j| ||||||| } |s | jr| j yy)a Wrapper around :meth:`supply_dss_in_writer`. The result is applied to the output stream as an incremental update. :param output_stream: Output stream to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param force_write: Force a write even if the DSS doesn't have any new content. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :param file_credential: .. versionadded:: 0.13.0 Serialised file credential, to update encrypted files. :param strict: If ``True``, enforce strict validation of the input stream. Default is ``True``. )rNr)rsecurity_handler authenticaterrYwrite_in_place)r output_streamrr%r&r'rrrrrrrrs r/add_dsszDocumentSecurityStore.add_dsss@+=H  # # /O4O  $ $ 1 1/ B&&  1#'   #,,  " " $'r1)NNNNN)T) r2r3r4r5rrrUpropertyrYr\rkrrrp staticmethodr NameObjectrrr0rr r rr r classmethodrrboolrr!rr9r1r/rr]s  *+ DF D  %G,>,> % %13"2/"b* HT%5%56 :>!Q !QF;z;.E;;z   f"ff !ffP  ! :>M%M%M%""67M%M%M%r1rF embedded_sigrcKjj}|jstj dgfd}||j d{|s&|j ||j d{S7.7w)a Query revocation info for a PDF signature using a validation context, and store the results in a validation context. This works by validating the signer's certificate against the provided validation context, which causes revocation info to be cached for later retrieval. .. warning:: This function does *not* actually validate the signature, but merely checks the signer certificate's chain of trust. :param embedded_sig: Embedded PDF signature to operate on. :param validation_context: Validation context to use. :param skip_timestamp: If the signature has a time stamp token attached to it, also collect revocation information for the timestamp. :return: A list of validation paths. zfRevocation mode is set to soft-fail/tolerant mode; collected revocation information may be incomplete.cKt|}|j}|j}t||}|j t d{}j |y7w)N)intermediate_certsr) key_usage)r signer_certrr async_validate_usager7rd) signed_data cert_inforwr validatorrrrs r/_validate_signed_dataz6collect_validation_info.._validate_signed_dataWsf,[9 $$++ ( *1 33ce3DD TEsAA+A)A+N)revinfo_policyrevocation_checking_policy essentialloggerwarningrattached_timestamp_data)rrskip_timestamprevinfo_fetch_policyrrs ` @r/rr0s: ))DD ) ) 8 E  8 8 999 lBBN#L$H$HIII L :Is$AB B'B B B  B Trc K|j} |r$| jx} }tj|ntj|} t |||d{} |r*|j jjd} nd} tj| } || _ tj| | || |}|s |jr%|r| jnY| j!| nG|sE| jj#dtj$t'|| j| tj(|| S7w)aY .. versionadded: 0.9.0 Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update. This is a wrapper around :func:`collect_validation_info`. :param embedded_sig: The signature for which the revocation information needs to be collected. :param validation_context: The validation context to use. :param skip_timestamp: If ``True``, do not attempt to validate the timestamp attached to the signature, if one is present. :param add_vri_entry: Add a ``/VRI`` entry for this signature to the document security store. Default is ``True``. :param output: Write the output to the specified output stream. If ``None``, write to a new :class:`.BytesIO` object. Default is ``None``. :param in_place: Sign the original input stream in-place. This parameter overrides ``output``. :param chunk_size: Chunk size parameter to use when copying output to a new stream (irrelevant if ``in_place`` is ``True``). :param force_write: Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS). :param embed_roots: Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. :return: The (file-like) output object to which the result was written. )rNascii)rrrr)readerstreamr!assert_writable_and_random_accessprepare_rw_output_streamr pkcs7_contentr}encoder from_reader IO_CHUNK_SIZErrrYrwriteseek chunked_write bytearrayfinalise_output)rrr add_vri_entryin_placeoutputr chunk_sizerrworking_outputrrr resulting_dsss r/rrks5p)//F"(--/ ..v666v>)( E#11557>>wG  &226:G&G)>>- ?Mm,,   " " $ MM. )   1 9Z0&--P    779 sAEEC9E)F)9rzlogging dataclassesrrr6typingrr asn1cryptorrrrr asn1crypto.x509r pyhanko_certvalidatorr r pyhanko_certvalidator.pathr pyhanko.pdf_utilsrrpyhanko.pdf_utils.genericr$pyhanko.pdf_utils.incremental_writerrpyhanko.pdf_utils.miscrpyhanko.pdf_utils.rw_commonrpyhanko.pdf_utils.writerrgeneralrerrorsrr pdf_embeddedr__all__pdf_utils.cryptr!pdf_utils.readerr" getLoggerr2rrrrrDEFAULT_CHUNK_SIZErrr9r1r/rs!+%&('I5+.I026.?. 4-   8 $ %% %P )P%P%l8&8)8|  &&c8&c8)c8c8r1