Wwgz ^ddlZddlZddlZddlZddlmZddlmZmZm Z ddl m Z m Z m Z mZddlmZddlmZmZmZddlmZmZdd lmZmZmZmZmZdd lmZm Z m!Z!dd l"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+dd l,m-Z-m.Z.dd l/m0Z0m1Z1m2Z2ddl3m4Z4eGddZ5dee6e7fde7fdZ8 d5de7de5de e7fdZ9 d5de7de5de7de e7fdZ:dddZ;de7fdZ< d5de7de7de e7de7fd Z=ej|Gd!d"ej~Z@Gd#d$eje-ZBGd%d&e%ejZDGd'd(eDe0ZEGd)d*eDe1ZFGd+d,eDe2ZGejd-ZId.ZJd/ZKd0ZLd1ejfd2ZNe*jGd3d4e*ZPe-jeBy)6N) dataclass)sha256sha384sha512)DictOptionalTupleUnion)core)Cipher algorithmsmodes)genericmisc)compute_o_value_legacycompute_o_value_legacy_prepcompute_u_value_r2compute_u_value_r34legacy_normalise_pw)aes_cbc_decryptaes_cbc_encrypt rc4_encrypt) AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterPdfKeyNotAvailableErrorSecurityHandlerSecurityHandlerVersion)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinAESGCMCryptFilterMixinRC4CryptFilterMixin)StandardPermissionscFeZdZUeed<eed<eed<ededdfdZy) _R6KeyEntry hash_valuevalidation_saltkey_saltentryreturncNt|dk(sJt|dd|dd|ddS)N0 ()lenr*)clsr.s W/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/pdf_utils/crypt/standard.py from_bytesz_R6KeyEntry.from_bytes0s55zR5":uR|U2b\BBN)__name__ __module__ __qualname__bytes__annotations__ classmethodr7r8r6r*r**s7OCuCCCr8r*passwordr/clt|tr |syddlm}||j d}|ddS)Nr8r)saslprepzutf-8) isinstancestr _saslpreprBencode)r@rBs r6_r6_normalise_pwrH6s6(C 'H%,,W5 DS>r8pw_bytesr.u_entrycNt||j|}||jk(SN) _r6_hash_algor,r+)rIr.rJpurported_hashs r6_r6_password_authenticaterOAs)#8U-B-BGLN U-- --r8e_entryct||j|}t|dk(sJt||t ddS)Nr2Fkeydataiv use_padding)rMr-r4rr<)rIr.rPrJ interm_keys r6_r6_derive_file_keyrYHsB xAJ w<2    Wr r8TF)TF input_bytesc,td|DdzS)Nc3&K|] }|dz yw)Nr?).0bs r6 z_bytes_mod_3..Zs*q1u*sr_)sum)r\s r6 _bytes_mod_3rdXs *k* *Q ..r8 current_saltct|}t|dk(sJ|j||r!t|dk(sJ|j||j}ttt f}dx}}|dks||dz kDrs||z|xsdzdz}t |dd||ddd d } |t| dd} | | j}| t| d z }|d z }|dkrj||dz kDrs|ddS) u3 Algorithm 2.B in ISO 32000-2 § 7.6.4.3.4 r1r@r2r8NrRFrSr)rr4updatedigestrrrrd) rIrerJ initial_hashkhashesround_no last_byte_valk1e next_hashs r6rMrM]s*(#L |  !! ! %7|r!!!G$Aff %F  H} R-=8b=8lgn- 3 #2RAbH%   <#2/0 aL   !#a&1* A  R-=8b=8 Sb6Mr8c\eZdZdZdZdZdZdZdZdZ de jfd Z e d d Zy) StandardSecuritySettingsRevisionz;Indicate the standard security handler revision to emulate.r_Nr/cp|j}|tjStj|SrL)valuer NullObject NumberObject)selfvals r6 as_pdf_objectz.StandardSecuritySettingsRevision.as_pdf_objects3jj$'KG    5<5I5I#5N r8cX t|S#t$rtjcYSwxYwrL)rt ValueErrorOTHER)r5rzs r6 from_numberz,StandardSecuritySettingsRevision.from_numbers- :3E: : :399 9 :s )))r/rt)r9r:r;__doc__ RC4_BASIC RC4_EXTENDED RC4_OR_AES128AES256AES_GCMrr PdfObjectrr>rr?r8r6rtrt{sNEILM FG E w00 ::r8rtceZdZdejfdejddifgZedefdZde fdZ ede fd Z y ) _PasswordCredential pwd_bytesid1optionalTr/cy)Nrr?r5s r6get_namez_PasswordCredential.get_namesr8c"|jSrL)dumpr}s r6 _ser_valuez_PasswordCredential._ser_valuesyy{r8rUcr tj|S#t$rtjdwxYw)Nz)Failed to deserialise password credential)rloadrr PdfReadError)r5rUs r6 _deser_valuez _PasswordCredential._deser_values< Q&++D1 1 Q##$OP P Qs6N) r9r:r;r OctetString_fieldsr>rErr<rrr?r8r6rrsq d&&'   :t"45G EQQQr8rc^eZdZUdZdZeded<edZfdZ de fdZ fd Z xZ S) StandardCryptFilterzB Crypt filter for use with the standard security handler. NStandardSecurityHandler_handlercnt|jtr|jjStrL)rDrr _auth_failedNotImplementedErrorrs r6rz StandardCryptFilter._auth_faileds' dmm%< ===-- -!!r8c^t|tstt||d|_yrL)rDr TypeErrorsuper_set_security_handler _shared_key)r}handler __class__s r6rz)StandardCryptFilter._set_security_handlers('#:;O %g.r8r/cR|jsJ|jjSrL)rget_file_encryption_keyrs r6derive_shared_encryption_keyz0StandardCryptFilter.derive_shared_encryption_keys!}}}}}4466r8cht|}tj|j|d<|S)N/Length)rrrr|keylen)r}resultrs r6rz!StandardCryptFilter.as_pdf_objects0&($00=y r8)r9r:r;rrrr=propertyrrr<rr __classcell__rs@r6rrsG59Hh018 ""  7e7r8rceZdZdZy)StandardAESCryptFilterz= AES crypt filter for the standard security handler. Nr9r:r;rr?r8r6rr  r8rceZdZdZy)StandardAESGCMCryptFilterzA AES-GCM crypt filter for the standard security handler. Nrr?r8r6rrrr8rceZdZdZy)StandardRC4CryptFilterz= RC4 crypt filter for the standard security handler. Nrr?r8r6rrrr8rz/StdCFcNttt|ittSNrdefault_stream_filterdefault_string_filter)rSTD_CFrrs r6_std_rc4_configr# # 'v67$$ r8cNttt|ittSr)rrrrs r6_std_aes_configrrr8cJtttittS)Nr)rrrr?r8r6_std_gcm_configrs! # *,-$$ r8cfdictcD|jdd}t|dzS)Nrr3rgr)getr)r_acts_as_default keylen_bitss r6#_build_legacy_standard_crypt_filterrs$**Y+K !)9 ::r8c eZdZUdZej deej ddej ddej ddej d d iZeej e fe d <e d e fd Z e dddejddfdedefdZe dejdddfdededefdZed*dZ d+dedededeedeef fd Ze dej6d efd Ze dej6fd!Zed effd" Z d#Z!d$efd%Z"d$efd&Z# d,d$eed e$fd'Z%d e&e'eeffd(Z(d efd)Z)xZ*S)-ra Implementation of the standard (password-based) security handler. You shouldn't have to instantiate :class:`.StandardSecurityHandler` objects yourself. For encrypting new documents, use :meth:`build_from_pw` or :meth:`build_from_pw_legacy`. For decrypting existing documents, pyHanko will take care of instantiating security handlers through :meth:`.SecurityHandler.build`. z/V2z/AESV2ctdS)NrRrr___s r6z StandardSecurityHandler.4J5 r8z/AESV3ctdS)Nr2rrrs r6rz StandardSecurityHandler.rr8z/AESV4ctSrL)rrs r6rz StandardSecurityHandler.s 4M4Or8z /IdentityctSrL)rrs r6rz StandardSecurityHandler.s 7J7Lr8_known_crypt_filtersr/c,tjdS)N /Standard)r NameObjectrs r6rz StandardSecurityHandler.get_names!!+..r8NrRTrevpermsc ~t|}| t|n|}|tjkDrt|d|tjk(rd}n|r|tjk(rd}t |||j |} |tjk(rX|tjztjztjztjz}t|| ||\} } nt||j || ||| \} } |tjk(rtj}n4|tjk(rtj}ntj }|tjk(r||r t#d}n t%|}|d||||| | || d| }| |_t)||d|_|S)a Initialise a legacy password-based security handler, to attach to a :class:`~.pyhanko.pdf_utils.writer.PdfFileWriter`. Any remaining keyword arguments will be passed to the constructor. .. danger:: The functionality implemented by this handler is deprecated in the PDF standard. We only provide it for testing purposes, and to interface with legacy systems. :param rev: Security handler revision to use, see :class:`.StandardSecuritySettingsRevision`. :param id1: The first part of the document ID. :param desired_owner_pass: Desired owner password. :param desired_user_pass: Desired user password. :param keylen_bytes: Length of the key (in bytes). :param use_aes128: Use AES-128 instead of RC4 (default: ``True``). :param perms: Permission bits to set :param crypt_filter_config: Custom crypt filter configuration. PyHanko will supply a reasonable default if none is specified. :return: A :class:`StandardSecurityHandler` instance. z/ is not supported by this bootstrapping method.rRr)versionrevision legacy_keylen perm_flagsodataudatacrypt_filter_configencrypt_metadatarrr?)rrtrrrrrzr(ALLOW_FORM_FILLINGALLOW_ASSISTIVE_TECHNOLOGYALLOW_REASSEMBLYALLOW_HIGH_QUALITY_PRINTINGrrr"RC4_40RC4_LONGER_KEYSrrrr _credential)r5rrdesired_owner_passdesired_user_pass keylen_bytes use_aes128rrrkwargso_entryrJrTrshs r6build_from_pw_legacyz,StandardSecurityHandler.build_from_pw_legacy"sZ11CD!, 1 2#  1?? ?%FG  2<< <L 3"B"P"PPL(  1399l  2<< <%889%@@A&667&AA B .!7E3LGS/!  LGS 2@@ @,::G 4>> >,33G,<>H   +-    (,k>-JK r8c>t|t|cxk(rdk(sntjd|d|r!|rt|t|cxk(rdk(sntjd|d|rt|dk7rtjd|dy)Nr1z2/U and /O entries must be 48 bytes long in a rev. z security handlerr2z;/UE and /OE must be present and be 32 bytes long in a rev. rRz6/Perms must be present and be 16 bytes long in a rev. )r4rPdfError)rrrrrrs r6_check_r6_valuesz(StandardSecurityHandler._check_r6_valuessE c%j.B.--u-/ VCK3v;,L",L--u-/ #o"6""<--u-/ #=r8rrrrrc| |tjk(r td} ns|tjk(r t|} nT|tjk(r t } n6|tj k\r| td} ntjdt|-||| | | | ||_ ||_ |jtjz |_|t"j k\r5|j$j'||||| ||_||_| |_nIt/|t/|cxk(rdk(sntjddx|_x|_|_||_||_d|_d|_y)Nrr2z1Could not impute a reasonable crypt filter config)rcompat_entriesrzD/U and /O entries must be 32 bytes long in a legacy security handlerF)r"rrrrrrrrr r__init__rrr(r _mac_requiredrtrr!rrrr4rrrr)r}rrrrrrrrrrrr#rrs r6r$z StandardSecurityHandler.__init__,s  &0777&5a&8#2BBB&5m&D#2:::&5&7#1888'/'6b&9#mmG    -)  !  JJ,EE E  7>> > NN + +uffo !DK DK#2D J#e*22mm.@D CDK C$+(<  ,0!r8 encrypt_dictc~|jdd}|dzdk7rtjd|dz} |d}|d}d tj d t fd }d tj d tfd }t||jd |tj|jdd|jdd|jd||jd||jd||jdtd|jdd S#t$rtjdwxYw)a Gather and preprocess the "easy" metadata values in an encryption dictionary, and turn them into constructor kwargs. This function processes ``/Length``, ``/P``, ``/Perms``, ``/O``, ``/U``, ``/OE``, ``/UE`` and ``/EncryptMetadata``. rr3rgrz"Key length must be a multiple of 8/O/Uz!/O and /U entries must be presentxr/ct|tjtjfs!t j dt ||jS)NzExpected string, but got )rDrTextStringObjectByteStringObjectrrtypeoriginal_bytesr*s r6 _get_byteszFStandardSecurityHandler.gather_encryption_metadata.._get_bytessKG,,g.F.FG''*CDG9(MNN## #r8ct|tjrtj|St j d|d)Nz Cannot parse z as a permission indicator)rDrr|r( from_sint32rrr0s r6_parse_permissionszNStandardSecurityHandler.gather_encryption_metadata.._parse_permissionssC!W112*66q99''#A3&@Ar8/P)defaultNr1/OE/UE/Perms/EncryptMetadataT/KDFSaltcrt|tjtjfr |jSdSrL)rDrr,r-r/r0s r6rzDStandardSecurityHandler.gather_encryption_metadata..s:!G44g6N6NO$$  r8) rrrrrrrrr) rrr KeyErrorrrr<r(dict get_and_applyallow_everythingr/bool)r5r&rrrrr1r4s r6gather_encryption_metadataz2StandardSecurityHandler.gather_encryption_metadatansg#&&y"5 !O !-- DE E! E &E &E $'++ $ $ '"3"3 8K  #11"+<<>2 &&s+&&s+--eZ@--eZ@(66xL)77"D$8"//   % E-- CD D Es DD<ctj|d}tj|d}td|||j |d|j |S)N/V/R)rrrr?)r"rrtrprocess_crypt_filtersrB)r5r&vrs r6instantiate_from_pdf_objectz3StandardSecurityHandler.instantiate_from_pdf_objectsi # . .|D/A B , 8 8d9K L&  # 9 9, G ,,\:   r8c4t|xs |jSrL)rpdf_mac_enabledr%)r}rs r6rKz'StandardSecurityHandler.pdf_mac_enabledsw&<$*<*<>!(!9!9$..!IF:   ||5EEE ' 4 4T[[1_ EF9 ||113t }}224t <<0@@ @)0)>)>%%*F% & MM$22@@B C ==<CC C#44T[[AF5M#44T[[AF5M&778L8LMF8  r8rc R|j}|j}|tjk(r&t ||j |j |\}}nPt||j|j|j |j ||j\}}|dd}|dd}||k(|fS)NrR) rrrtrrrrrrzrr)r}rr@r user_tokenuser_tok_suppliedrTs r6_auth_user_password_legacyz2StandardSecurityHandler._auth_user_password_legacysmmZZ 2<< <%7$**djj#& " s&9    %%& " s!2#2 6 #CRJ J.33r8c2 t||d}|j}t||j|j}|t j k(rt||j}n@|j}tdddD]" t fd|D}t||}$|}|j||\} }| r||_ tj|fS|j||\} }| r||_ tj|fStj dfS)Nrrc3(K|] }|z  ywrLr?)r`rais r6rbz?StandardSecurityHandler._authenticate_legacy..s3!A3s)rrrrzrrtrrrranger<rUrrOWNERUSERFAILED) r}rr@credrrT prp_userpassr~new_keyowner_password user_passwordrYs @r6_authenticate_legacyz,StandardSecurityHandler._authenticate_legacys "##FGmm)(CIIt{{K 2<< <&sDJJ7L**C2r2& 03s33!'3/ 0L"==c<P #D ##S( ("<d tAd |i|_!||fS#t:$rd} Y:wxYw) N rzrErr(r@rtrrAr staticmethodr!r"rrr<r$rMr>rBrIrrKrrUrcrrmr rrjrrrs@r6rrs  5!#F8$'  8$'  8$&O;')L J$w113EEF /// %I%8%I%I%K x -x#xxt%I%8%I%I%Kz# z  zzzx2BF$(@"'@"3@" ( @"&&>?@"5/@"D= "33= = = ~  "33    ===84e4,''626*C'*C *CZ-E*huo2M,N-^r8rrL)Qabcenumrrs dataclassesrhashlibrrrtypingrrr r asn1cryptor &cryptography.hazmat.primitives.ciphersr r rpyhanko.pdf_utilsrr_legacyrrrrr_utilrrrapirrrrrrr r!r"cred_serr#r$ filter_mixinsr%r&r' permissionsr(r*rEr<rHrOrYrurdrMunique VersionEnumrtSequencerABCrrrrrrrrrrMrregisterrr?r8r6rs)  !**//LL+A@   C - CC CuS%Z0UEI..'.2:5/. $     e_  u-/e/ FJ#(3;E? <:t'7'7: :6Q$--)?Q*+sww> 02E  35K  02E    H %;  $ $;r or r j  34r8