Wwg\ddlZddlmZddlmZddlmZddlmZmZm Z ddl m Z ddl m Z ddlmZdd lmZmZmZdd lmZd d lmZd d lmZmZmZddlmZddlmZm Z m!Z!ddl"m#Z#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)ddl*m+Z+ddl,m-Z-m.Z.m/Z/gdZ0ejbe2Z3e de.Z4GddeZ5eejlejlZ7dZ8eejrejrZ:dZ;dedez8RevocationInfoValidationType.as_tuple..Us*QWW*s)tuple)clss r5as_tuplez%RevocationInfoValidationType.as_tupleSs*c***N) __name__ __module__ __qualname____doc__ ADOBE_STYLEPADES_LT PADES_LTA classmethodr9r:r5r$r$;s?K H I ++r:r$)ee_certificate_ruleintermediate_ca_cert_rulec $tddti|SNrevocation_checking_policyrC)r &DEFAULT_LTV_INTERNAL_REVO_CHECK_POLICYkwargss r5!_default_ltv_internal_revo_policyrL^s  #I   r:c $tddti|SrG)r %STRICT_LTV_INTERNAL_REVO_CHECK_POLICYrJs r5 _strict_ltv_internal_revo_policyrOks  #H   r: timestampvalidation_context_kwargscFd|d<||d<|jdd}|jdd}|J|jdd}|r$|dk7rttj|}n4|dk(r/t |}n"|j js t|}||d<y) NFallow_fetchingmomentrevinfo_policyretroactive_revinforevocation_modez soft-failrV) getpopr r from_legacyrLrH essentialrO)rPrQrU retroactive legacy_rms r5_strict_vc_context_kwargsr_rs 38./*3h' *C)F)F$*N,//0EuMK-112CTJ k1/(44Y?N+ %>$/N 6 6 @ @9 + 3A./r:tst_signed_datavalidation_contextexpected_tst_imprintcKt|||d{}tdi|}|jr |js/tj d|j td|S7Xw)a Wrapper around :func:`validate_tst_signed_data` for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to apply to the timestamp. :param expected_tst_imprint: The expected message imprint for the ``TSTInfo`` value. :return: A :class:`.TimestampSignatureStatus` if validation is successful. :raises: :class:`SignatureValidationError` if validation fails. Nz0Could not validate embedded timestamp token: %s.z\Could not establish time of signing, timestamp token did not validate with current settings.rC)rr#validtrustedloggerwarningsummaryr)r`rarbtimestamp_status_kwargstimestamp_statuss r5r)r)s2%=+-A%0J2IJ  ! !)9)A)A >  $ $ & ' .   sA.A,AA.readerreturncBtdt|jS)a: Get the document timestamp chain of the associated reader, ordered from new to old. :param reader: A :class:`.PdfFileReader`. :return: An iterable of :class:`~pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature` objects representing document timestamps. c@|jjdddk(S)Nz/Typez /DocTimeStamp) sig_objectrY)sigs r5z%get_timestamp_chain..sCNN&&w5Hr:)filterreversedembedded_signatures)rks r5r'r's" H++, r:c<eZdZUeed<eeed<eed<eed<y)_TimestampTrustData latest_dtsearliest_ts_statusts_chain_lengthcurrent_signature_vc_kwargsN) r;r<r=r__annotations__rr#intdictrCr:r5rvrvs $$ !9::!%%r:rv emb_timestampc |jj|j}tj|}|j |S#t $r2|jdd|jddtdi|cYSwxYw)NcrlsrCocsps) rkget_historical_resolversigned_revisionrread_dssas_validation_contextr setdefaultr )r~rQ hist_resolverdsss r5_instantiate_ltv_vcrs >%,,DD  ) ) $,,];(()BCC >!,,VR8!,,Wb9 =#<==>sA A 8BBcXKt|}t|}|}d}d}d}t|D]g\}}|j|krnS|j } t |j || d{}t|j|t||}it|||dz|S7:w)Nr)rwrxryrz) r'r} enumeratercompute_digestr) signed_datar_rPrrv) rkbootstrap_validation_contextrQuntil_revision timestamps current_vc ts_statusts_countr~external_digests r5_establish_timestamp_trust_ltars %V,J $%> ?-JIHM#,Z#8 -  ( (> 9 '6683  % %z?   "   !: ) 4  $  $ 1 $=   sA+B*-B(.;B* embedded_sigvalidation_typer diff_policykey_usage_settings skip_diffc Kt|xsi} | jdd| jdd| d} |r!t| | d<|Nt| |d<n>d| vr:| jdt| ||jdt| |j} |t j k(rd} |xs tdi| } nVtj| } || j| d } n+|} | jj| j|j|jd}d}d }|t j k7rt!| | | |j" d{}|j$}|j&} |j(rt+|j(| } |j,|t j.k(r t1d |t j2k(s|j$d k\sJ|j,}|j(}|j4}|B|j6}|Jt9|| |d{}|J|j:}|| d<|)||d<n#|t j.k(r|d k(r t1d| t1dt=|j:| d}|t j k(rEt?|j@\}}|| d<|| d<tdi| }|p||d<||d<tdi|}nZ|t j2k(r)| J| j| }|0| j|}n|Jt+|| }| t+||}||t j2k(r?||}n|J|jB}tE|tF|d|j:i}|d{}n|}|jI|||jK}|jM|j:|dtOjP|}tS|jB|jT|||d{}tW||dd|%|jj|jX|jMt[|j\|j^||j@dd{tOdi|S7Q7777w)a  .. versionadded:: 0.9.0 Validate a PDF LTV signature according to a particular profile. :param embedded_sig: Embedded signature to evaluate. :param validation_type: Validation profile to use. :param validation_context_kwargs: Keyword args to instantiate :class:`.pyhanko_certvalidator.ValidationContext` objects needed over the course of the validation. :param ac_validation_context_kwargs: Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param bootstrap_validation_context: Validation context used to validate the current timestamp. :param force_revinfo: Require all certificates encountered to have some form of live revocation checking provisions. :param diff_policy: Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param skip_diff: If ``True``, skip the difference analysis step entirely. :return: The status of the signature. rSTrVFrXrUNrW)include_revinfor)rQrz>Purported PAdES-LTA signature does not have a timestamp chain.rrTzlPAdES-LTA signature requires separate timestamps protecting the signature & the rest of the revocation info.z+LTV signatures require a trusted timestamp.rrrP) status_clsra status_kwargs)rr)signer_reported_dttimestamp_validity) raw_digestrarrvalidation_path)timestamp_found signed_attrs)sd_attr_certificates signer_certrasd_signed_attrsrC)0r}rrLrOrkr$r?r rrrcertificate_registryregister_multiple load_certsrcompute_tst_digestrrryrzrwrrxrArr@attached_timestamp_datatst_signature_digestr)rPr_r& signer_inforrr#compute_integrity_infosummarise_integrity_infoupdater!default_usage_constraintsrrrother_embedded_certsrembedded_attr_certsr)rrrQrac_validation_context_kwargs force_revinforrr vc_kwargsr]rkrrearliest_good_timestamp_strwry ts_trust_datar`r signature_poe stored_ac_vcrr stored_vcts_to_validatets_status_cororjrs r5r(r(sh4:;I)40 .612K&G +' "# ( 30(3 ))9 : ) +  -+ N  ( 3 ( 3 3 1(3  F6BBB1 5F6 6 $,,V4 ' /2253J6J  + + = =cnn>N O!##%FJ15JO6BBB<  &/'77   (77!==  # #,(()J  , , 4#?#I#II*P  ;DD D,,1  2&3%E%E""-- #::O"+@@#///+D Z)=, & "*5552<< + ( ' 35B ( 27AAA q ' ?  ")& 9  8BBINL6BBB4\5M5MN t" ' &%2 2 ' 349 ( 137 ( 0,L/KLL 8AA A--i8 ' 344,L%%%' I> ' 3.8L # :CC C  &,N ) ))'33N5 /(&(B(L(LM   rs)!..&3 3& '  M)     8 $ \ 9 +4+:*B.@@4FF*& )A.CC4II)% "A"A48"AJ'^^')' 'T  "#( && & >' >#  #`15@D!%(,8<h/&h/1h/ (~h/#++<"= h/*%h/!!45h/h/h/V 8<@r: