Wwg?"ddlZddlmZddlmZddlmZmZmZmZddl m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZdd lmZmZmZd dlmZmZmZm Z m!Z!ddl"m#Z#m$Z$dejJdejLdefdZ'GddeejPZ)Gdde)Z*e+hdZ,e)j[ee,Z.de.dfde/de/dej`dejJde1d ee)d!eefd"Z2d#ejffd$Z4y)%N)datetime)Optional)algoscmskeysx509) serialization)padding) DSAPublicKey)ECDSAEllipticCurvePublicKey)Ed448PublicKey)Ed25519PublicKey) RSAPublicKey)AlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicy)MultivaluedAttributeErrorNonexistentAttributeErrorfind_unique_cms_attribute&get_pyca_cryptography_hash_for_signingprocess_pss_params)DisallowedAlgorithmErrorSignatureValidationErrorsignature_algomessage_digest_algoreturnc|djdk(r0|dj}|dvr tdStdd|d S tjd|ji}|N|j |j k7r-tdd|djd |dj StdS#t $rd}YiwxYw) N algorithmed448)shake256 shake256_lenT)allowedFzDigest algorithm z: does not match value implied by signature algorithm ed448)r%failure_reasonz5 does not match value implied by signature algorithm )nativerrDigestAlgorithm hash_algo ValueErrordump)rralgosig_hash_algo_objs T/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/sign/validation/utils.py_ensure_digest_matchr/ s k"))W4#;/66 / /+D9 9+'v.PQ !!11 .22 3  %  " " $(;(@(@(B B'#$7 $D$K$K#LMG!+.5568   $D 11 ! !s!C CCcpeZdZdZdej dej deede fdZ e de ddfdZ y ) CMSAlgorithmUsagePolicyz4 Algorithm usage policy for CMS signatures. rrmomentrct||S)a Verify whether a digest algorithm is compatible with the digest algorithm implied by the provided signature algorithm, if any. By default, this enforces the convention (requirement in RFC 8933) that the message digest must be computed using the same digest algorithm as the one used by the signature, if applicable. Checking whether the individual algorithms are allowed is not the responsibility of this method. :param signature_algo: A signature mechanism to use :param message_digest_algo: The digest algorithm used for the message digest :param moment: The point in time for which the assessment needs to be made. :return: A usage constraint. )r/)selfrrr2s r.digest_combination_allowedz2CMSAlgorithmUsagePolicy.digest_combination_allowedNs4$N4GHHpolicyc<t|tr|St|S)aP Lift a 'base' :class:`.AlgorithmUsagePolicy` to a CMS usage algorithm policy with default settings. If the policy passed in is already a :class:`.CMSAlgorithmUsagePolicy`, return it as-is. :param policy: The underlying original policy :return: The lifted policy ) isinstancer1_DefaultPolicyMixin)r7s r. lift_policyz#CMSAlgorithmUsagePolicy.lift_policyjs f5 6M&v. .r6N)__name__ __module__ __qualname____doc__rSignedDigestAlgorithmr(rrrr5 staticmethodrr;r6r.r1r1IslI33I#22I" I " I8/0/5N//r6r1ceZdZdefdZdej deede fdZ dejdeedee jde fdZy ) r:underlying_policyc||_yN)_policy)r4rDs r.__init__z_DefaultPolicyMixin.__init__}s ( r6r,r2rc:|jj||SrF)rGdigest_algorithm_allowed)r4r,r2s r.rJz,_DefaultPolicyMixin.digest_algorithm_alloweds||44T6BBr6 public_keyc<|jj|||SrF)rGsignature_algorithm_allowed)r4r,r2rKs r.rMz/_DefaultPolicyMixin.signature_algorithm_alloweds" ||77 &*  r6N)r<r=r>rrHrr(rrrrJr@r PublicKeyInforMrBr6r.r:r:|s|)*>)C))C3;H3EC !C  )) " T//0  "  r6r:>md2md5sha1F signature signed_datacertsignature_algorithm md_algorithmalgorithm_policy time_indicc||j|||j}|sJd|djd} |j| d|jz } t | |j du|j |tjd|id} | s#t | j| j du  |j} t| | } tj|jj} |j}|d k(r9t!| t"sJ| j%||t'j(| y|d k(r;t!| t"sJt+|d || \}}| j%||||y|dk(r&t!| t,sJ| j%||| y|dk(r/t!| t.sJ| j%||t1| y|dvr%t!| t2sJ| j%||y|dvr%t!| t4sJ| j%||yt7d|d#t$r|} YwxYw)z1 Validate a raw signature. Internal API. N)r2rKzSignature algorithm r!z, is not allowed by the current usage policy.z Reason: ) permanent)rrr2)failure_messagerZ) prehashedrsassa_pkcs1v15 rsassa_pss parametersdsaecdsaed25519r"zSignature mechanism z is not supported.)rMrKr'r&rnot_allowed_afterr5rr(r)r*rr load_der_public_keyr+rr9rverifyr PKCS1v15rr r r rrNotImplementedError)rRrSrTrUrVr\rWrXsig_algo_allowedmsgdigest_compatibleverify_md_algo verify_mdpub_keysig_algo pss_paddingr)s r. validate_rawrps#+GG  tH  &&{3::;222y+.!"8*,> ?  A &%&s< I II signer_infocv t|dd}|jS#ttf$r t dwxYw)N signed_attrsmessage_digestzUMessage digest not found in signature, or multiple message digest attributes present.)rr'rrr)rqembedded_digests r.extract_message_digestrvsQ  3  ')9 %%% %'@ A & )   s8)5abcrtypingr asn1cryptorrrrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr -cryptography.hazmat.primitives.asymmetric.dsar ,cryptography.hazmat.primitives.asymmetric.ecr r /cryptography.hazmat.primitives.asymmetric.ed448r1cryptography.hazmat.primitives.asymmetric.ed25519r-cryptography.hazmat.primitives.asymmetric.rsar!pyhanko_certvalidator.policy_declrrrgeneralrrrrrerrorsrrr@r(r/ABCr1r: frozensetDEFAULT_WEAK_HASH_ALGORITHMSr;DEFAULT_ALGORITHM_USAGE_POLICYbytes Certificatestrrp SignerInforvrBr6r.rsC --8=FKNF G&2//&2..&2&2R0/2CGG0/f 1 ( ))?@!8!D!D !=>" '%)P P P    P 44 P  P P "P f    r6