WwgZ ddlZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z m Z mZddlmZddlmZmZmZddlmZddlmZmZd d lmZmZmZmZmZmZm Z m!Z!d d l"m#Z#m$Z$d d l%m&Z&m'Z'd d l(m)Z)d dl*m+Z+ddl,m-Z-m.Z.ddlm/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5gdZ6e-ej^dej^ddddde.jnZ8e9gdZ: Gdd eZ;Gd!d"Zd'Z?d(Z@d)ejd*e jfd+ZCd*e e je=ffd,ZDe:er>JsrCr>c eZdZdZej ddiZdZede de de fdZ ee fde de d ejd ee fd Zd ed efdZede de d e fdZde d ej(fdZded ee ej.ffdZde dee d ee e ffdZdej.de dej(de d ejf dZde de d e fdZdd de dee ded ej:fd!Zd"ej>d e fd#Z d$ej(d%e!jDfd&Z#d ejfd'Z$d ejd e%fd(Z&d ejde dee fd)Z'y*)+r+a: Internal utility class to create and validate PDF MAC tokens. .. warning:: This is a class to simplify local overrides for creating test documents with various defects. Instances of this class should never be created or manipulated directly during regular operation. algorithmr7c ||_||_yNmac_kek md_algorithm)selfrJrKs rD__init__zPdfMacTokenHandler.__init__\s (rCfile_encryption_keykdf_saltrKc:|j||}|||S)NrI)_derive_mac_kek)clsrNrOrKrJs rD from_key_matzPdfMacTokenHandler.from_key_mat`s$%%&98D7>>rC auth_data allowed_mdsc|d}|dj}|dk7r td|d}|dj}||vrt|tjd|j |||S) N mac_algorithmrFr7z:Only HMAC-SHA256 is currently supported for PDF MAC tokensdigest_algorithmT)oid_type permanent)rNrOrK)nativeNotImplementedErrorr r DigestAlgorithmIdrS) rRrNrOrTrU mac_algo_objmac_algodigest_algo_objmd_algos rDfor_validationz!PdfMacTokenHandler.for_validationgs-6o,F  ,33 x %L 2;;M1N!+.55 + %*00    3    rCinclude_signature_digestreturnctjt|jj }|j ||r|ndd}t |jS)NT)document_digestsignature_digestdry_run)rHashrrKfinalizebuild_pdfmac_tokenlendump)rLrc dummy_hash dummy_tokens rDdetermine_token_sizez'PdfMacTokenHandler.determine_token_sizesb[[ &t'8'8 9 (* --&+CZ. ;##%&&rCcztjtjd|d}|j |S)N sPDFMAC)rFlengthsaltinfo)rHKDFrSHA256derive)rRrNrOkdfs rDrQz"PdfMacTokenHandler._derive_mac_keks6 iimmo   zz-..rCmessage_digestctj|jtjd|jid}tj t ddt d|t d|gS)NrF)rWrX content_typepdf_mac_integrity_inforzcms_algorithm_protection)r CMSAlgorithmProtectionmac_algo_identDigestAlgorithmrK CMSAttributesr)rLrzalgo_protections rD_format_auth_attrsz%PdfMacTokenHandler._format_auth_attrssy44!%!4!4$'$7$7 $"3"34%    $^5MN$%5~F$.   rCrhc D|r td}ntjd}tj|j |}t jd|tjddit jddid}|t jd|ifS) Nrr) wrapping_key key_to_wraprrFpdf_mac_wrap_kdf aes256_wrap)version encrypted_keykey_derivation_algorithmkey_encryption_algorithmpwri) bytessecrets token_bytesr aes_key_wraprJr PasswordRecipientInfor KdfAlgorithmKeyEncryptionAlgorithm RecipientInfo)rLrhmac_keyrrs rD_get_mac_keying_infoz'PdfMacTokenHandler._get_mac_keying_infos BiG))"-G,,7 ((!.,1,>,>#%7- -0,F,F -0-   ))64.999rCrfrgcd|i}|||d<d|d<t|}|j}t|j}t j |}|j ||j}||fS)N data_digestrgrr)r*rmrrKrriupdaterj) rLrfrgmessage_kwargsmessage message_bytesmd_specmd_funrzs rD_format_messagez"PdfMacTokenHandler._format_messages+8)I  '1AN- .$%y!%n5  ,T->->?W% m$*n,,rCrecipient_infor auth_attrsmacc tjd|gtjdditjd|jitj dt j|d||dS)NrrFr7r}r|content)rrecipient_infosrWrXencap_content_inforr)r AuthenticatedData HmacAlgorithmrrKEncapsulatedContentInfor ParsableOctetString)rLrrrrs rD_format_auth_dataz$PdfMacTokenHandler._format_auth_datas$$$2#3!$!2!2K3J!K$'$7$7 $"3"34%'*&A&A(@#'#;#;M#J' )   rCr data_to_macctj|tj}|j ||j S)N)keyrF)rHMACrrwrrj)rLrrhmac_funs rD compute_maczPdfMacTokenHandler.compute_macs399FMMOD $  ""rCFrhc0|j|\}}|j||\}}|j|}|j||j j } |j |||| } tjd| dS)Nr)rr)rrrrauthenticated_datar) rrrruntagrmrr ContentInfo) rLrfrgrhrrirrzrr authed_datas rDrkz%PdfMacTokenHandler.build_pdfmac_tokens///@ (,(<(< -) % ~,,^< )9)9);)@)@)B ,,'! - 1k J  rC recp_infoscd} |\}|j}t|tjs t d|d}|t us|djdk7r t d|dd}|jdk7rtd|jd |d j} tj|j| }|S#t$rYwxYw#tj$r t d wxYw) NzWPDF MAC requires exactly one recipientInfo, which must be of PasswordRecipientInfo typerrFrz_PDF MAC tokens must have their key derivation algorithm explicitly identified as pdfMacWrapKdf.rrzPPDF MAC only supports unpadded 256-bit AES key wrapping for key encryption; not .r)r wrapped_keyzFailed to unwrap MAC key)chosen ValueError isinstancer rr>r r[r\dottedraes_key_unwraprJ InvalidUnwrap)rLrrrecprykea_objrrs rD_retrieve_mac_keyz$PdfMacTokenHandler._retrieve_mac_keys+  GT;;D$ 9 9:'0  -. $;#k*115GG':  12;? >>] *%44;NN3EQH  _-44  D,,!\\}G ?   8$$ D'(BC C DsC#!C CCC4attrs encap_contentc6t|j}tj|}|j t ||j } t|d}|j|k7r tdy#ttf$r tdwxYw)NrzzMValue of messageDigest attribute does not match hash of encapsulated content.zcMessage digest not found in authenticated attributes, or multiple messageDigest attributes present.) rrKrrirrrjrr[r>rr)rLrrrmdrzclaimed_message_digests rD_validate_message_digestz+PdfMacTokenHandler._validate_message_digestDs-T->->? [[ ! % &' %>'& "&,,>+,? *+DE '=  s &A==Bc|d}t| t|d|d|d|dd}|j ||y#t$r}td|jz|d}~wwxYw) NrrXrW)claimed_signature_algorithm_objclaimed_digest_algorithm_objclaimed_mac_algorithm_objz%CMS alg protection validation error: rr)r)_validate_content_type_attrr!rr>failure_messager)rLrTre int_info_objs rD_validate_auth_attrsz'PdfMacTokenHandler._validate_auth_attrsZs|,  $J/  )04-67I-J*3O*D  !!56yA  %%j %M+ '7!:K:KK  sA A* A%%A*c|d}|tur td|d}|d}|j|}|j||j j }t ||djs td |j||d d j}|d k7r td |d d jS#t$r}td|jz|d}~wwxYw)N unauth_attrsz5PDF MAC tokens cannot have unauthenticated attributesrr)rrzPDF MAC token has invalid MACzCMS structural error: rr|r}z_The content type of the encapsulated content in a PDF MAC token must be id-pdfMacIntegrityInfo.r) r r>rrrrmrr[rrrparsed) rLrTrrrr computed_macreci_cts rD#_validate_and_extract_encap_contentz6PdfMacTokenHandler._validate_and_extract_encap_contentqs+!0 t #'G  |, )23D)E ((4'' !1!1!3!8!8!:( lIe,<,C,CD'(GH H   % %i 0/0@GG - -'8 -.y9@@@" '(1+<+<<  sC C4C//C4c@|j|}t|||yrH)r _validate_pdf_mac_integrity_info)rLrTrfrgrs rDvalidate_pdfmac_token_cmsz,PdfMacTokenHandler.validate_pdfmac_token_cmss$@@K ( ?,< rCN)(r?r@rA__doc__r rrrM classmethodrstrrSr/rrrbboolintrprQrrrrrrrrrrrkRecipientInfosrr rrrr*rrrBrCrDr+r+Nsx 'S&& X'>?N)?"'?38?HK??  '6  "  ((  s^   @ 'T 'c ' /"' /38 /  / /  3;L;L &:: uc''' (::-$-8@- ue| -$ ))  %%       4#5#u##   #5/      6$C,>,>$5$L&&7;7O7O,Nc.C.CN.&A..&A &AP  ((    #5/  rCr+int_inforfrgc|dj}||k7r td|d}||tur tdy|j}| td||k7r tdy)Nrz;Document digest does not match value in PdfMacIntegrityInforgz;PdfMacIntegrityInfo contains an unexpected signature digestz6Could not find signature digest in PdfMacIntegrityInfozr )rrfrgclaimed_data_digestsig_digest_objclaimed_signature_digests rDrrs #=188o-# I  01N  %'M  & $2#8#8 # +'H  $'7 7'N  8rCc t|d}|jdk7rtd|jy#tt f$r tdwxYw)Nr|r}zRThe content type attribute of a PDF MAC token must be id-pdfMacIntegrityInfo, not z`Content type not found in authenticated attributes, or multiple content-type attributes present.)rr[r>rrr)rr|s rDrrst  0^L   ": :'//;/B/B.EG  ; &'@ A # 8   s 36Ac |jd}t|tjs t dt |dk(r(|\}}}}d|zdz}|dk(r||z|k(r |||z|zk(ryt d#t$rd}YswxYw)N /ByteRangez(No sensible /ByteRange found in AuthCoder#rz;PDF MAC token must have /ByteRange covering the entire file)raw_getKeyErrorrr ArrayObjectr>rl) pdf_dictfile_len payload_len byte_rangeo1l1o2l2 value_lit_lens rD_validate_byte_rangers%%l3  j'"5"5 6#$NOO :!#BBK!+ !G]"b(BGm33  E !  sA99 BBac_dictrdcH |jdj}t j j|}t|}t|j}||k7rt d|d|dt||||S#ttf$r t dwxYw)N/MACz'Failed to retrieve standalone MAC valuezr rloadrlrmr)rr mac_bytesmac_cir token_lens rD_extract_standalone_macrsOOOF+:: __ ! !) ,Fi.KFKKM"Ii#%&@ L   (K8 M! n %O#$MNNOs BB!c t|}t jj|}t|}t|||d}|djdk(r|d}t|ddk(r|dd}| t d t|d d }||d jfS#tttjf$r t dwxYw#ttf$r t d wxYw) Nz%Failed to retrieve signature contentsr| signed_datar signer_infosr)rzQSignature dictionary must contain a SignedData message with exactly 1 signerInfo.unsigned_attrs pdf_mac_dataz;Signature must have exactly 1 pdfMacData unsigned attribute signature)r"rrr PdfReadErrorr>r rrrlrr[rrr)sig_dictr sig_bytessig_cir signer_infosdrs rD_extract_mac_in_sigrsM$X. __ ! !) ,Fi.K8[9K n$$ 5 I  r.! "a '^,Q/K# )   * ( )>  ;{+22 229 nd&7&7 8M#$KLLM. &'@ A # I   s B$C$*CC,readerrU handler_clsc |jjd}t|tj r t dt|tjs t dd}d} |jd}t|tjr|dk(rd}n|dk(rd}|jjd tj}|rt||}|d } d} ni|r\ |jd } | j!} t| tjs t dt#| |\}} | d } n t d|dj$dk7r t d|j&} | J|d}|ddj$j)}t+|j| |\}}| @t-j.t1|}|j3| |j5}nd} | j7}|j=| j?|||jA|||y#t$rd}Y8wxYw#t$rYwxYw#tj$r t d t$r t d wxYw#t8j:$r}t d|d}~wwxYw)N /AuthCodez&AuthCode dictionary cannot be indirectz$Failed to locate AuthCode dictionaryF /MACLocation /StandaloneTz/AttachedToSigrrz /SigObjRefz7Value of /SigObjRef entry must be an indirect referencez"/AttachedToSig requires /SigObjRefz)/SigObjRef does not point to a dictionaryz Failed to locate MAC in documentr|rz0MAC tokens must be of CMS type AuthenticatedDatarrXrF)rrKzError retrieving salt)rNrOrTrU)rTrfrg)! trailer_viewrrrrIndirectObjectr>DictionaryObject NameObjectstreamseekosSEEK_ENDrget_value_as_referenceIndirectObjectExpected get_objectrr[security_handlerlowerrrrirrrj get_kdf_saltrr rbget_file_encryption_keyr)rrUrr is_standaloneis_in_signature mac_locationrrrsignature_valuesig_refrshrTrK_rfsig_mdrgrtrs rDr,r,&s %%--k:'7112#$LMM gw77 8#$JKKMO ~6 lG$6$6 7}, $ !11"&}}!!!R[[1H((;\*   N44\BG%%'(G$<$<='; #6h"Il+ #$FGG n$$(<<# >    B >>y!I/0=DDJJLL* *<A"7 EF o&!??,D 668   ') U "    -- 'I  N'(LM M NB   D#$;r+rrrrrrrrrr,r2DEFAULT_CHUNK_SIZEr-rBrCrDr^s >>'' @@3+   I<D"&/     )!!!&)1'..    1 V V r !uo:  0  % %__03uS__e5K/L3H#2,>U U3U()Up7)7!  && 4 4 4rC