WwgwjddlZddlZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZmZddlmZddlmZddlmZmZm Z dd l!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)dd l*m+Z+dd l,m-Z-dd l.m/Z/dd l0m1Z1m2Z2ddl3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mm?Z?ddl@mAZAddlBmCZCmDZDddlEmFZFddlGmHZHddlImJZJmKZKmLZLmMZMmNZNmOZOmPZPddlQmRZRmSZSmTZTmUZUgdZVejeXZYedeNZZdejdeejejdffdZ^de_fd Z`d!ejdejfd"Zbd#ejd$ejd%e ejd&e ejfd'Zf d[d(ejd!ejd)ehd*eid+e eSd,e edee_e_ffd-Zjd.ejde8fd/Zl d\d.ejd0e eid1e ed2e emd3e e-d4e e/d5e eSd6eHde eheffd7Zn d]d!ejd1ed6eHd8ee-d4e e/dd9f d:Zoeddddd;d.ejdZpeNdddddfd.ejd0e eid1e ed2e emd6e eHd5e eSdeZfd?Zpd(ejde efd@Zq d^d(ejdAe_de ejfdBZrd(ejde eifdCZsd(ejdDe ed0eifdEZt d]dFejd1e edGeid5e eSfdHZudIe ejdJejd1edee e1e ee&e%e$fffdKZwdLe ejdJejd1e edMejfdNZxddddde?jdfdOeeieejejfd.ejdPe edDe edQe ed6e eHd5e eSdeOfdRZ|edSdTUZ}edTVGdWdXe e}Z~dYee}de~e}fdZZy)_N) dataclass)datetime) IOAny AwaitableDictGenericIterableListOptionalTupleTypeTypeVarUnionoverload)algoscmscoretspx509)InvalidSignature)hashes)CancelableAsyncIteratorValidationContextfind_valid_path)DisallowedAlgorithmError ExpiredErrorInvalidCertificateErrorPathBuildingErrorPathValidationError RevokedErrorStaleRevinfoErrorValidationError)TimeSlideFailure)ValidationPath)PKIXValidationParams)ACValidationResultasync_validate_ac) CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCertscheck_ess_certidextract_certificate_infoextract_signer_infofind_unique_cms_attributeget_pyca_cryptography_hash)misc)lift_iterable_async) AdESFailureAdESIndeterminate)errors)KeyUsageConstraints)CAdESSignerAttributeAssertionsCertifiedAttributesClaimedAttributesRevocationDetailsSignatureStatusStandardCMSSignatureStatusTimestampSignatureStatus)DEFAULT_ALGORITHM_USAGE_POLICYCMSAlgorithmUsagePolicyextract_message_digest validate_raw) validate_sig_integrityasync_validate_cms_signaturecollect_timing_infovalidate_tst_signed_dataasync_validate_detached_cmscms_basic_validationcompute_signature_tst_digestextract_tst_dataextract_self_reported_tsextract_certs_for_validationcollect_signer_attr_statusvalidate_algorithm_protectionget_signing_cert_attr StatusType)bound signed_attrsreturnc>t|d}| t|d}|S)a  Retrieve the ``signingCertificate`` or ``signingCertificateV2`` attribute (giving preference to the latter) from a signature's signed attributes. :param signed_attrs: Signed attributes. :return: The value of the attribute, if present, else ``None``. T)v2F)_grab_signing_cert_attr)rVattrs Z/var/www/horilla/myenv/lib/python3.12/site-packages/pyhanko/sign/validation/generic_cms.pyrSrScs& # KrYc0|rdnd}|rtjntj} t||}|j |j S#t $rYyt$r-}tj}tjd||d}~wwxYw)Nsigning_certificate_v2signing_certificatez3Wrong cardinality for signing certificate attributeades_subindication) rSigningCertificateV2SigningCertificater1loaddumpr,r+r8NO_SIGNING_CERTIFICATE_FOUNDr:SignatureValidationError)rVrY attr_nameclsvalueeerrs r\rZrZus-/(4II&(# " "c.D.DC), Bxx %% $ $<<-- A"  s*A B B((BBcertct|}|y|dd}t||s?tj}t j d|j jd|y)NcertsrzWSigning certificate attribute does not match selected signer's certificate for subject"z".ra)rSr.r8rgr:rhsubjecthuman_friendly)rnrVr[certidrms r\_check_signing_certificatertst ! .D |']1 F D& )<<--,,-S 2 #    *r]attrsclaimed_digest_algorithm_objclaimed_signature_algorithm_objclaimed_mac_algorithm_objc t|d}||dj}||jk7rt j d|J|dj}|t j d||jk7rt j d|K|d j}|t j d ||jk7rt j d yyy#t$rd}Yt$r tdwxYw) a Internal API to validate the CMS algorithm protection attribute defined in :rfc:`6211`, if present. :param attrs: A CMS attribute list. :param claimed_digest_algorithm_obj: The claimed (i.e. unprotected) digest algorithm value. :param claimed_signature_algorithm_obj: The claimed (i.e. unprotected) signature algorithm value. :param claimed_mac_algorithm_obj: The claimed (i.e. unprotected) MAC algorithm value. :raises errors.CMSStructuralError: if multiple CMS protection attributes are present :raises errors.CMSAlgorithmProtectionError: if a mismatch is detected cms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.signature_algorithmz?  ..:#3#B#B"C1EE11/AATI 5MM N # !5k!B!I!I JK>? #11=#6#E#E"FaHH112DDL K(//I+6~+FDII% # #>288: #'')    )-A0C*.  2 #46 4nL$** 0 011 ~-K()+#.#=#=  1=      3!   & (  5=}" 11!!k6P6P 11 11!!$5#<#<   **+DE 11&#.#=#=  8 sBG * I%>J I")/HI"./II"%5J J+*J+rc t|}|j}t|}|d}t|||S#t$r&tjdt j wxYw)a Extract certificates from a CMS signed data object for validation purposes, identifying the signer's certificate in accordance with ETSI EN 319 102-1, 5.2.3.4. :param signed_data: The CMS payload. :return: The extracted certificates. z,signer certificate not included in signaturerarV) r/ signer_certr)r:rhr8rgr0rt)r cert_infornrrVs r\rPrPsr  ,[9 $$ &k2K~.Lt\2   -- :0MM   s 7/A& raw_digestvalidation_context status_kwargsvalidation_pathpkix_validation_paramsrkey_usage_settingsc jKt|}t|} | j} | j} d} |/|xst j |j }|j} |xs t}|t}|d} | dj}|ddj}|d}|dj}|Pt|d}t|}tj|}|j||j!}n:|dt"j$ur%t'j(dt*j,  t/|| |||| \}}dx}x}x}}|r |j4j7| | t9|g}n|j:j=| }t?| |||| d{}|j@}|jB}|jDxs |jF}|jH}|xsi}|dn |jT|d<|j||| |||||| |S#t0$r8}t'j(d |j2zt*j, |d}~wwxYw7#tJ$r1}tLjOd |tPjR}Yd}~d}~wwxYww)z Perform basic validation of CMS and PKCS#7 signatures in isolation (i.e. integrity and trust checks). Internal API. Nr|rr{encap_content_inforcontentzKCMS structural error: detached signatures should not have encapsulated datara)rrrrzCMS structural error: )rpathsrz&Processing error in validation processexc_infovalidation_time) rr signing_certrpkcs7_signature_mechanismtrust_problem_indicrrevocation_detailserror_time_horizon)+r0rPr other_certsrD lift_policyrbest_signature_timerrCr~bytesr2rHashupdatefinalizerrr:rhr7rrGr*rcertificate_registryregister_multipler5 path_builderasync_build_paths_lazyvalidate_cert_usageerror_subindic revo_detailssuccess_result error_pathr ValueErrorloggererrorr8!CERTIFICATE_CHAIN_GENERAL_FAILUREr)rrrrrrrrrrrnrrr| mechanismrecirrawmd_specmdrrrl ades_statuspathrrr op_results r\rLrLs "&k2K,[9I  D''KJ%  &22"33  (;; +B/@/B95@6$K077I12;?FFL * +C/66C N#,\: [[ ! #[[] Ytyy (-- *99   .  "7$#3!  >BAKA$A(:  N  3 3 E E  *+_,=>*77NN2"#5'= I$22K$11L++Cy/C/CD!*!=!=  "'RM"*0B0I0I#$!"+''-  i -- $q'8'8 8*99  , N LLAAL N+MMK NshD>J3H0 J3 AI68I49AI6;5J30 I193I,,I11J34I66 J0?'J+&J3+J00J3rz,CertvalidatorOperationResult[ValidationPath]chKdtffd }t|d{S7w)zE Low-level certificate validation routine. Internal API. rWc`Kjtd{S7w)N)rr)validater)rnrrrrsr\_checkz#validate_cert_usage.._check9s8##D)$  1#9     s $.,.N)r%handle_certvalidator_errors)rnrrrrrs````` r\rr-s- .  -VX6 66 6s $202)rrrr status_clsc KywN)rrrrrrs r\rHrHFs c Kywrr)rrrrrs r\rHrHRs rcrK|j|}t||||||d{}|di|S7 w)a Validate a CMS signature (i.e. a ``SignedData`` object). :param signed_data: The :class:`.asn1crypto.cms.SignedData` object to validate. :param status_cls: Status class to use for the validation result. :param raw_digest: Raw digest, computed from context. :param validation_context: Validation context to validate the signer's certificate. :param status_kwargs: Other keyword arguments to pass to the ``status_class`` when reporting validation results. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: A :class:`.SignatureStatus` object (or an instance of a proper subclass) )rrNr)default_usage_constraintsrL)rrrrrrreff_key_usage_settingss r\rHrH]sUN(AA/1) M  & &&s &75 7ch |d}t|d}|jS#ttf$rYywxYw)a Extract self-reported timestamp (from the ``signingTime`` attribute) Internal API. :param signer_info: A ``SignerInfo`` value. :return: The value of the ``signingTime`` attribute as a ``datetime``, or ``None``. rV signing_timeN)r1r~r,r+)rsasts r\rOrOs?  ( &r> :yy %'@ As 11signedc |r|d}t|d}n|d}t|d}|d}|S#ttf$rYywxYw)a Extract signed data associated with a timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :param signed: If ``True``, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes). :return: The ``SignedData`` value found, or ``None``. rVcontent_time_stampunsigned_attrssignature_time_stamp_tokenrN)r1r,r+)rrrtstuatst_signed_datas r\rNrNs`"  ^,B+B0DEC-.B+B0LMCi. %'@ As+.AAct|}|y|d}|djd}|ddj}|dj}t|}t j |}|j ||jS)a. Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :return: The computed digest, or ``None`` if there is no signature timestamp. Nrrmessage_imprinthash_algorithmrr)rNparsedr~r2rrrr)rtst_datarmitst_md_algorithmsignature_bytes tst_md_specrs r\rMrMs ,H ' (C Y  0 1B*+K8??!+.55O,-=>K [ !BIIo ;;=r]ts_validation_contextc.Ki}t|}|||d<t|d}|4t|}|Jt|||d{}t d i|}||d<t|d} | &t| ||d{} t d i| } | |d<|S7K7w) a Collect and validate timing information in a ``SignerInfo`` value. This includes the ``signingTime`` attribute, content timestamp information and signature timestamp information. :param signer_info: A ``SignerInfo`` value. :param ts_validation_context: The timestamp validation context to validate against. :param raw_digest: The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one) Nsigner_reported_dtF)rtimestamp_validityT)expected_tst_imprintcontent_timestamp_validityr)rOrNrMrJrB) rrrrrrtst_signature_digesttst_validity_kwargs tst_validitycontent_tst_signed_datacontent_tst_validity_kwargscontent_tst_validitys r\rIrIs&%'M2+>%.@ *+&{5AO";KH#///$<  ! %   0F2EF .: *+.{4H*,D # !!+- ' # 8 ) 7K 23 ) ' s$ABB4B:B;BBrrcKd}|dd}t|tjr |j}t|tj s%t jdtj|dj}tj}t||d|i||d{}|d d j} || k7r=tjd | j!d |j!d d|d<|S7Zw)a Validate the ``SignedData`` of a time stamp token. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to validate against. :param expected_tst_imprint: The expected message imprint value that should be contained in the encapsulated ``TSTInfo``. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: Keyword arguments for a :class:`.TimeStampSignatureStatus`. Nrrz'SignedData does not encapsulate TSTInforagen_time timestamp)rrrrrhashed_messagezTimestamp token imprint is z, but expected rFr) isinstancerParsableOctetStringrrTSTInfor:rhr7rr~rBrrLrwarninghex) rrrrtst_infotst_info_bytesr ku_settingsr tst_imprints r\rJrJs>H$%9:9EN.$":":;!(( h ,-- 5*99  $++I*DDFK.-"I.&) M,-.>?FFK{*)+//*;) from_iterabler rVoidnamechosenlenrr= from_resultsrr r<extend)rrrr signer_attrsrlresultcades_ac_resultscades_ac_errors claimed_asn1claimedcertified_asn1unknown_cert_attrsr[ cades_acsval_job certified unknown_attrs ac_results ac_errorss r\rQrQus8 0 3  FO#$89 $11 *< CL &&?@".$))4 +99 + I "%Y3~3F!F !-1& ;BM1 /  ',889IJII + * , -tyy3 /   )m NN: (F!%."/ ( #$%'> +/A' !  I    . /    _ -0==jIz'0#$ Mo % $-- F{'A'A  25BF! s`G( FA$G(4"G-G(G#BG(G&A G( GG(G'/GG G(&G( input_datasigner_validation_contextac_validation_contextc LK||}t|} | ddj} tjt | } t |t r| j|nlt |tjtjfr| jt |dn$t|} tj| || || j} t| || d{}t!j"|}t%|| ||||d{}t'|}|%|j(j+|j,|jt/|j0|j2|| d d{t!d i|S777w) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. Nr{rr)max_read)rr)rrrrrrV)rrrrr)r0r~rrr2r rrr ContentInfoEncapsulatedContentInfo bytearrayr4chunked_digestrrIrArrLr/rrrrQattribute_certsr)rBrrCrrDrr chunk_sizerFrr{htemp_buf digest_bytesrrs r\rKrKsz$ 9%k2K"#56{CJJ ./?@AA*e$  J#2M2M N O z),-.Z( Hj!hG::$rG}|j}tj|j|t j(}Yd}~nJd}~wt@$r;}tj|j|t j(}Yd}~nd}~wwxYwtd||||Sw) z Internal error handling function that maps certvalidator errors to AdES status indications. :param coro: :return: N)rrF) ca_revokedrevocation_daterevocation_reasonTzFailed to build path)rrrrr)!rTrrr  failure_msgr8CHAIN_CONSTRAINTS_FAILUREr$NO_POEr" TRY_LATER time_cutoffr original_path banned_sinceCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POEr! revocation_dtis_side_validationr is_ee_certREVOKED_NO_POEr?reasonREVOKED_CA_NO_POErNO_CERTIFICATE_CHAIN_FOUNDr expired_dtOUT_OF_BOUNDS_NO_POEr r#)rZ time_horizonrrrlrs r\rrUs(,LL4FJ+:FF: "Bq}}q1'AA /q}}q1'.. %q}}q1(11 }} # *q}}q1 >> !+FFK,MMK>>L q}}%  +MMK \\+::K, !"#((L ,==K, !"#((L C-:'BB  Nq}}%|| ## ,@@K+MMK Jq}}q1'II Jq}}q1'II J (!'"  sN#  N# N1A N# N,1B#N## N/=C2,N#2 N>A&E*$N#* N6CI;N# N 'I:4N#: NA0K;6N#; N=M N# N1N N# NN#)NN)NNNNNNr)F)rlogging dataclassesrrtypingrrrrr r r r r rrrr asn1cryptorrrrrcryptography.exceptionsrcryptography.hazmat.primitivesrpyhanko_certvalidatorrrrpyhanko_certvalidator.errorsrrrrr r!r"r# pyhanko_certvalidator.ltv.errorsr$pyhanko_certvalidator.pathr%!pyhanko_certvalidator.policy_declr&pyhanko_certvalidator.validater'r(pyhanko.sign.generalr)r*r+r,r-r.r/r0r1r2 pdf_utilsr4pdf_utils.miscr5 ades.reportr7r8r:settingsr;statusr<r=r>r?r@rArButilsrCrDrErF__all__ getLoggerrUrrT CMSAttributesrdrcrSboolrZ CertificatertDigestAlgorithmSignedDigestAlgorithm HmacAlgorithmrR SignerInfor,rrG SignedDatarPdictrLrrHrOrNrMrIrJAttributeCertificateV2rrQDEFAULT_CHUNK_SIZErGrHrKrPrTrrr]r\rs! 3241   >5BP   18)    8 $ \ 9 ## 3 ! !3#;#;T AB$d,    *-*;*; 2C   C"%"5"5C&.e.I.I%JC ((;(;< CVAE%) ee   ee e %%<= e " e 4:ePB#'6:$(04=A:>yyy!!23yD> y n- y %%9: y67y,y #s(^yB>B 7   7)7,7 #> 2 7 %%9: 7 4 72 #'6:$(8<Z   !!23  D> !!45  #'6:$(8< !!23  D>  !!45  "&6:$(8<:>3'3'3'!!23 3' D> 3' !!45 3'673'3'l#..Xh=O*16)- cnn< e_B22#$5622r;? ;^^; !23; ;67 ;| #,, -!!*   !#46MMN 8b"3#=#=>b!!b!!23b&& bP>B9=9=8<:>&& h7eR#2M2MMNh7h7 ((9:h7$$56 h7 $$56 h7 !!45 h767h7 h7V\T 2  $ 77:#6 7 7Z J Z!*-Zr]