o >e @szddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z ddl m Z m Z mZmZmZmZddlmZmZmZmZddlmZddlmZmZddlmZmZmZdd l m!Z!m"Z"m#Z#dd l$m%Z%m&Z&m'Z'dd l$m(Z)dd l*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?m@Z@ddlAmBZBmCZCmDZDmEZEddlFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPddlQmRZRmSZSddlTmUZUmVZVeWeXZYeddGdddZZGdddeJej[Z\Gd d!d!e\eUZ]Gd"d#d#e\eVZ^ e?_d$Z` e?_d%Za dmd&d'Zbdmd(d)Zc ejdGd*d+d+ejeZf dnd,egd-ehfd.d/Zid0ed1ejjd2egfd3d4Zkd0ed1ejjd2egfd5d6Zld1ejjd7ejd8egfd9d:Zmd0ed;ee!jneeffdd?Zqd1ejpd@ed7ejdAegd8egf dBdCZrd2egdDejsdEeZfdFdGZt dndHe ejsd,egd-ehdEeZd;ejuf dIdJZvGdKdLdLewZxGdMdNdNZyGdOdPdPejzZ{GdQdRdRejzZ|e}dSZ~dTe!jndUejdVeegd;e9fdWdXZGdYdZdZeyeRZeRed[ejd\eyd;eegfd]d^Zd_ejud\eyd;eeegeehffd`daZdbe?jfdcddZdedfZdgdhZdidjZeNjGdkdldleNZdS)oN) dataclass)sha1sha256)DictListOptionalSetTupleUnion)algoscmscorex509)RSAESOAEPParams)KeyEncryptionAlgorithmKeyEncryptionAlgorithmId)PrivateKeyInfoPublicKeyAlgorithm PublicKeyInfo)hasheskeywrap serialization)ECDHEllipticCurvePrivateKeyEllipticCurvePublicKey)generate_private_key)MGF1OAEPAsymmetricPaddingPKCS1v15) RSAPrivateKey RSAPublicKey)X448PrivateKey X448PublicKey)X25519PrivateKeyX25519PublicKey)KeyDerivationFunction)X963KDF)pkcs12)genericmisc)aes_cbc_decryptaes_cbc_encrypt as_signed rc4_encrypt) ALL_PERMS AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterSecurityHandlerSecurityHandlerVersionbuild_crypt_filter)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinRC4CryptFilterMixinT)frozenc@s(eZdZUdZeed< dZeed<dS)RecipientEncryptionPolicyFignore_key_usage prefer_oaepN)__name__ __module__ __qualname__rAbool__annotations__rBrHrH_/var/www/html/humari/django-venv/lib/python3.10/site-packages/pyhanko/pdf_utils/crypt/pubkey.pyr@Bs  r@cseZdZUdZdZeded<ddddfdd Zed e fd d Z fd dZ e fde ejdefddZd efddZd efddZfddZZS)PubKeyCryptFiltera Crypt filter for use with public key security handler. These are a little more independent than their counterparts for the standard security handlers, since different crypt filters can cater to different sets of recipients. :param recipients: List of CMS objects encoding recipient information for this crypt filters. :param acts_as_default: Indicates whether this filter is intended to be used in ``/StrF`` or ``/StmF``. :param encrypt_metadata: Whether this crypt filter should encrypt document-level metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. NPubKeySecurityHandler_handlerFT) recipientsacts_as_defaultencrypt_metadatac s:||_||_||_d|_d|_|_tjdi|dS)NFrH)rMrNrO_pubkey_auth_failed _shared_key_recp_key_seedsuper__init__)selfrMrNrOkwargs __class__rHrIrTis  zPubKeyCryptFilter.__init__returncC|jSN)rPrUrHrHrI _auth_failedxzPubKeyCryptFilter._auth_failedcs*t|tstt|d|_|_dSr[) isinstancerK TypeErrorrS_set_security_handlerrQrR)rUhandlerrWrHrIra|s  z'PubKeyCryptFilter._set_security_handlercertspolicycCsz|js |jr td|jdurtd|_g|_|jdus#|jdur(tdt||jt |||jd}|j |dS)ay Add recipients to this crypt filter. This always adds one full CMS object to the Recipients array :param certs: A list of recipient certificates. :param policy: Encryption policy choices for the chosen set of recipients. :param perms: The permission bits to assign to the listed recipients. zCA non-default crypt filter cannot have multiple sets of recipients.NzYAdding recipients after deriving the shared key or before authenticating is not possible.)rdinclude_permissions) rNrMr+PdfErrorsecrets token_bytesrRrQconstruct_recipient_cmsr/append)rUrcrdpermsnew_cmsrHrHrIadd_recipientss&   z PubKeyCryptFilter.add_recipientscCsB|jD]}t||\}}|dur||_ttj|SqttjS)a Authenticate to this crypt filter in particular. If used in ``/StmF`` or ``/StrF``, you don't need to worry about calling this method directly. :param credential: The :class:`.EnvelopeKeyDecrypter` to authenticate with. :return: An :class:`AuthResult` object indicating the level of access obtained. N)rMread_seed_from_recipient_cmsrRr2r3USERFAILED)rU credentialrecpseedrlrHrHrI authenticates  zPubKeyCryptFilter.authenticatecCs|jdusJ|jdurtd|jjtjkrt}nt}| |j|j D] }| | q(|j s=|j r=| d|d|jS)Nz&No seed available; authenticate first.s)rLrRr+rgversionr9AES256rrupdaterMdumprOrNdigestkeylen)rUmdrsrHrHrIderive_shared_encryption_keys      z.PubKeyCryptFilter.derive_shared_encryption_keycsdt}t|jd|d<tdd|jD}|jr"||d<n|d|d<t|j |d<|S)N/Lengthcs|] }t|VqdSr[r*ByteStringObjectry.0rsrHrHrI s z2PubKeyCryptFilter.as_pdf_object.. /Recipientsr/EncryptMetadata) rS as_pdf_objectr* NumberObjectr{ ArrayObjectrMrN BooleanObjectrO)rUresultrMrWrHrIrs    zPubKeyCryptFilter.as_pdf_object)rCrDrE__doc__rLrrGrTpropertyrFr]rar1rr Certificater@rnr2rubytesr}r __classcell__rHrHrWrIrJRs&    +rJc@eZdZdZdS)PubKeyAESCryptFilterz< AES crypt filter for public key security handlers. NrCrDrErrHrHrHrIrrc@r)PubKeyRC4CryptFilterz< RC4 crypt filter for public key security handlers. NrrHrHrHrIrrrz/DefaultCryptFilterz/DefEmbeddedFilecCttt|d||dittdSNT)r{rNrMrO)default_stream_filterdefault_string_filter)r6DEFAULT_CRYPT_FILTERrr{rMrOrHrHrI_pubkey_rc4_configrcCrr)r6rrrrHrHrI_pubkey_aes_configrrc@s.eZdZdZedZedZedZdS)PubKeyAdbeSubFilterz{ Enum describing the different subfilters that can be used for public key encryption in the PDF specification. z/adbe.pkcs7.s3z/adbe.pkcs7.s4z/adbe.pkcs7.s5N) rCrDrErr* NameObjectS3S4S5rHrHrHrIr)s   rrtrlcCs*t|dksJ||rtd|SdS)NreCs z+construct_recipient_cms.. aes256_cbcrdata) content_typecontent_encryption_algorithmencrypted_contentr)rvrecipient_infosencrypted_content_infoenveloped_data)r&content) rrhrir.r EncryptionAlgorithmr EncryptionAlgorithmIdEncryptedContentInfo ContentType EnvelopedData ContentInfo) r rtrlrdrfenvelope_contentr!encrypted_envelope_content rec_infosrr*r+rHr"rIrj"s@    rjc@s eZdZdS)InappropriateCredentialErrorN)rCrDrErHrHrHrIr6isr6c @s^eZdZdZedejfddZdede j defddZ dede j d e j d edef d d Z d S)EnvelopeKeyDecrypterz General credential class for use with public key security handlers. This allows the key decryption process to happen offline, e.g. on a smart card. rYcCt)zI :return: Return the recipient's certificate rr\rHrHrIr vszEnvelopeKeyDecrypter.certr algo_paramscCr8)a Invoke the actual key decryption algorithm. Used with key transport. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :raises InappropriateCredentialError: if the credential cannot be used for key transport. :return: The decrypted payload. r9)rUrr:rHrHrIdecrypt~szEnvelopeKeyDecrypter.decryptoriginator_identifierrcCr8)a" Decrypt an envelope key using a key derived from a key exchange. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: Information about the originator necessary to complete the key exchange. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. r9)rUrr:r<rrHrHrIdecrypt_with_exchangesz*EnvelopeKeyDecrypter.decrypt_with_exchangeN)rCrDrErrrrr rr rr;rr=rHrHrHrIr7ns, r7c@seZdZdefdejfgZdS)_PrivKeyAndCertkeyr N)rCrDrErrr_fieldsrHrHrHrIr>sr>c@s4eZdZdefdejdddfdejddifgZd S) ECCCMSSharedInfokey_info entityUInforT)explicitoptional suppPubInforDr)N)rCrDrErr OctetStringr@rHrHrHrIrAsrAzaes(\d+)_wrap(_pad)?rrrc Cs^|dj}t|}|st|dt|d}t||dt||t d|d dS)Nr* is not a supported key wrapping algorithmr,r~z>I)rBrCrF)rlength sharedinfo) rAES_WRAP_PATTERN fullmatchrintgroupr'rArrry)rrrr wrap_match kek_bit_lenrHrHrIrs$   rc @seZdZdZedZedefddZ de fddZ ede fd d Z d e jd efd dZede jfddZedddZedddZde dejde fddZde dejdejdee de f ddZdS)SimpleEnvelopeKeyDecrypterz Implementation of :class:`.EnvelopeKeyDecrypter` where the private key is an RSA or ECC key residing in memory. :param cert: The recipient's certificate. :param private_key: The recipient's private key. z1\.3\.132\.1\.11\.(\d+)rYcCsdS)N raw_privkeyrHclsrHrHrIget_namesz#SimpleEnvelopeKeyDecrypter.get_namecCs|j|jd}t|S)N)r?r ) private_keyr r>ry)rUvaluesrHrHrI _ser_values z%SimpleEnvelopeKeyDecrypter._ser_valuer%c CsPzt|}|d}|d}Wnty!}ztd|d}~wwt||dS)Nr?r z-Failed to decode serialised pubkey credentialr rV)r>r ValueErrorr+ PdfReadErrorrQ)rTr%decodedr?r erHrHrI _deser_values   z'SimpleEnvelopeKeyDecrypter._deser_valuer rVcCs||_||_dSr[)rV_cert)rUr rVrHrHrIrTs z#SimpleEnvelopeKeyDecrypter.__init__cCrZr[)r_r\rHrHrIr r^zSimpleEnvelopeKeyDecrypter.certNc Csxddlm}z|||d}ddlm}||}Wntttfy5}ztjd|dWYd}~dSd}~wwt||dS) a Load a key decrypter using key material from files on disk. :param key_file: File containing the recipient's private key. :param cert_file: File containing the recipient's certificate. :param key_passphrase: Passphrase for the key file, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. r)load_private_key_from_pemder) passphrase)load_cert_from_pemderz%Could not load cryptographic materialexc_infoNrY) keysr`rbIOErrorrZr`loggererrorrQ)key_file cert_filekey_passphraser`rVrbr r]rHrHrIrs    zSimpleEnvelopeKeyDecrypter.loadc Csz4t|d }|}Wdn1swYt||\}}}ddlm}m} ||}| |}Wn!ttt fyU} zt j d|d| dWYd} ~ dSd} ~ wwt ||dS) aZ Load a key decrypter using key material from a PKCS#12 file on disk. :param pfx_file: Path to the PKCS#12 file containing the key material. :param passphrase: Passphrase for the private key, if applicable. :return: An instance of :class:`.SimpleEnvelopeKeyDecrypter`. rbNr))_translate_pyca_cryptography_cert_to_asn1(_translate_pyca_cryptography_key_to_asn1zCould not open PKCS#12 file .rcrY) openreadr(load_key_and_certificatesrermrnrfrZr`rgrhrQ) rTpfx_fileraf pfx_bytesrVr  other_certsrmrnr]rHrHrI load_pkcs12s      z&SimpleEnvelopeKeyDecrypter.load_pkcs12rr:c Cs|dj}|dkr t}nD|dkrIddlm}|d}|d}|dj}|dkr0td |d tt||ddjd ||d djd d}ntd|dtj|j d d} t | t sdt d| j||dS)a Decrypt the payload using RSA with PKCS#1 v1.5 padding or OAEP. Other schemes are not (currently) supported by this implementation. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. Must use ``rsaes_pkcs1v15`` or ``rsaes_oaep``. :return: The decrypted payload. rrrrrrrrz#Only MGF1 is implemented, but got 'r)rrNrzSOnly 'rsaes_pkcs1v15' and 'rsaes_oaep' are supported for envelope decryption, not 'z'.passwordz5The loaded key does not seem to be an RSA private keyr)rrrrrrrrload_der_private_keyrVryr_r r6r;) rUrr:rrr oaep_paramsrmgf_namepriv_keyrHrHrIr;<sH         z"SimpleEnvelopeKeyDecrypter.decryptr<rcCs|d}|j|j}d}|r%ttttd| dd}|s+t dt j |d}|dj} t| sFt | d| drNtjntj} t|||d } |jd krat d |j} t| } tj|jdd }d }t|trt| tr| j j|j jkrt!||j"t#| d}n,t|t$rt| t%st!||"| }nt|t&rt| t'st!||"| }nt(d| )|}| ||dS)am Decrypt the payload using a key agreed via ephemeral-static standard (non-cofactor) ECDH with X9.63 key derivation. Other schemes aer not supported at this time. :param encrypted_key: Payload to decrypt. :param algo_params: Specification of the encryption algorithm as a CMS object. :param originator_identifier: The originator info, which must be an EC key. :param user_keying_material: The user keying material that will be used in the key derivation. :return: The decrypted payload. rN)0123r,zGOnly dhSinglePass-stdDH algorithms from SEC 1 / RFC 5753 are supported.rrH_padrrz Only originator_key is supportedrxzCOriginator's public key is not compatible with selected private key)peer_public_keyz4The loaded key does not seem to be an EC private key)r wrapped_key)*dhsinglepass_stddh_arc_patternrLdottedrSHA224rrrgetrNrr rrryrrKendswithraes_key_unwrap_with_paddingaes_key_unwraprrchosenuntagrrrzrVr_rrrrZrrr$r%r"r#r6r)rUrr:r<roidmatchrrr unwrap_keyroriginator_pub_key_infooriginator_pub_keyr} mismatch_msgr derived_kekrHrHrIr=rs              z0SimpleEnvelopeKeyDecrypter.decrypt_with_exchanger[)rCrDrErrecompiler classmethodstrrUrrXr^rrrrTrr  staticmethodrrwr rr;rrr=rHrHrHrIrQsB      6rQed decrypterc Cs|dD]}|jdkra|j}|dj}t|tjstd|d}|dj}|jj|kr`|jj |kr`z| |dj|dWSt yN}z|d}~wt y_}zt d |d}~wwq|jd kr|j}|d D]^} | dj}t|tjs~td|d}|dj}|jj|kr|jj |krz|j| dj|d|d |d jdWSt y}z|d}~wt y}zt d |d}~wwqmqtddS)Nr)rrz;Recipient identifier must be of type IssuerAndSerialNumber.r r rrzFailed to decrypt envelope keyrrrr)r<rzLRecipientInfo must be of type KeyTransRecipientInfo or KeyAgreeRecipientInfo)rrr_r rrrr r r r;r6 Exceptionr+r[r=) rrrec_inforissuer_and_serialr serialr]rrecipient_enc_keyrHrHrIread_envelope_keys               r recipient_cmsc Cs^|dj}|dkrtd||d}|d}t||}|dur#dS|d}|dj}z|j}WnttfyA|d j}Ynwd ti} zd d lm } | | j | j | j d Wntyk|d vritdYnw|| vr~| |} |j} | ||| } n|dkrt||} n td|d| dd}d}t| dkrtd| ddd }||fS)Nr&r+z7Recipient CMS content type must be enveloped data, not r,r*)NNr'r(raesr) symmetric)des tripledesrc2z0DES, 3DES and RC2 require oscrypto to be presentrc4zCipher z is not allowed in PDF 2.0.rer)rr+r[rencryption_cipherrZKeyErrorr-oscryptorrxdes_cbc_pkcs5_decrypttripledes_cbc_pkcs5_decryptrc2_cbc_pkcs5_decrypt ImportErrorr encryption_ivr0rrunpack)rrr&rr*rrr4 cipher_namewith_ivrdecryption_funr!r,rtrlrHrHrIro"sn         rocfdictcCs\z|d}Wn tytdwt|tjr|f}dd|D}|dd}||dS)Nrz.PubKey CF dictionary must have /Recipients keycSg|] }tj|jqSrHr r2roriginal_bytesrxrHrHrIr#usz0_read_generic_pubkey_cf_info..rTrMrO)rr+r[r_r*rr)rrMrecipient_objsrOrHrHrI_read_generic_pubkey_cf_infols     rcCs(|dd}td|d|dt|S)Nr(r~r{rNrH)rrr)rrN keylen_bitsrHrHrI_build_legacy_pubkey_cf|s rcCtdd|dt|S)NrrrHrrrrNrHrHrI_build_aes128_pubkey_cf rcCr)Nr rrHrrrHrHrI_build_aes256_pubkey_cfrrc seZdZUdZedeedeedeedddiZ e eje fe d<e d ejd d ed efd eejd ed eddfddZ   d3dedededdeeffdd Ze defddZe deefddZe dejde de!fdd Z"e d!ejdedffd"d# Z#e d!ejfd$d%Z$e d!ejfd&d'Z%e d!ejfd(d)Z&d*d+Z'eefd eejd efd,d-Z( d4d.e)e*e+fde,fd/d0Z-de.fd1d2Z/Z0S)5rKz Security handler for public key encryption in PDF. As with the standard security handler, you essentially shouldn't ever have to instantiate these yourself (see :meth:`build_from_certs`). z/V2z/AESV2z/AESV3z /IdentitycCstSr[)r7)___rHrHrIszPubKeySecurityHandler._known_crypt_filtersrTrcrlrdrYc Ksp|rtjntj} d} |tjkr |rtd|dd} nt|d|d} ||| |f|| dd| } | j|||d| S)a Create a new public key security handler. This method takes many parameters, but only ``certs`` is mandatory. The default behaviour is to create a public key encryption handler where the underlying symmetric encryption is provided by AES-256. Any remaining keyword arguments will be passed to the constructor. :param certs: The recipients' certificates. :param keylen_bytes: The key length (in bytes). This is only relevant for legacy security handlers. :param version: The security handler version to use. :param use_aes: Use AES-128 instead of RC4 (only meaningful if the ``version`` parameter is :attr:`~.SecurityHandlerVersion.RC4_OR_AES128`). :param use_crypt_filters: Whether to use crypt filters. This is mandatory for security handlers of version :attr:`~.SecurityHandlerVersion.RC4_OR_AES128` or higher. :param perms: Permission flags (as a 4-byte signed integer). :param encrypt_metadata: Whether to encrypt document metadata. .. warning:: See :class:`.SecurityHandler` for some background on the way pyHanko interprets this value. :param policy: Encryption policy choices for the chosen set of recipients. :return: An instance of :class:`.PubKeySecurityHandler`. Nr)rOrMr)rOcrypt_filter_configrrlrd)rrrr9 RC4_OR_AES128rrrn) rTrc keylen_bytesrvuse_aesuse_crypt_filtersrlrOrdrV subfiltercfcshrHrHrIbuild_from_certss82  z&PubKeySecurityHandler.build_from_certsNrvpubkey_handler_subfilterrr6rcs|tjkr|tjkrtd|dur?|tjkr td||d}n|tjkr-t|||d}n|tj kr:t d||d}ntdt j |||||d||_ ||_d|_dS)NzESubfilter /adbe.pkcs7.s5 is required for security handlers beyond V4.)r{rOrMr z1Failed to impute a reasonable crypt filter config)rOcompat_entries)r9rrrr+rgRC4_40rRC4_LONGER_KEYSrwrrSrTrrOrQ)rUrvr legacy_keylenrOrrrrWrHrIrTsJ      zPubKeySecurityHandler.__init__cCs tdS)Nz /Adobe.PubSec)r*rrSrHrHrIrU/s zPubKeySecurityHandler.get_namecCsddtDS)NcSsh|]}|jqSrH)rrrHrHrI 5szCPubKeySecurityHandler.support_generic_subfilters..)rrSrHrHrIsupport_generic_subfilters3sz0PubKeySecurityHandler.support_generic_subfiltersrrNcCs$t|j||}|durtd|S)NzJAn absent CFM or CFM of /None doesn't make sense in a PubSec CF dictionary)r:rr+r[)rTrrNcfrHrHrIread_cf_dictionary7sz(PubKeySecurityHandler.read_cf_dictionary encrypt_dictcsRt|}||}|dur|tjkrtd|dur'|tjkr'td|S)Nz=Crypt filters require /adbe.pkcs7.s5 as the declared handler.z./adbe.pkcs7.s5 handler requires crypt filters.)rSprocess_crypt_filters_determine_subfilterrrr+r[)rTrrrrWrHrIrEs  z+PubKeySecurityHandler.process_crypt_filterscCsZ|dd}|ddkrtd|d}t|ddd}|jd td d }t|||d S) Nrrr~rz"Key length must be a multiple of 8rcSsdd|DS)NcSrrHrrrHrHrIr#aszSPubKeySecurityHandler.gather_pub_key_metadata....rH)lstrHrHrIrasz?PubKeySecurityHandler.gather_pub_key_metadata..rTdefault)rrrO)rr+rg get_and_applyrFdict)rTrrr{rMrOrHrHrIgather_pub_key_metadataWs"   z-PubKeySecurityHandler.gather_pub_key_metadatacCsLztj|dtd|vrtjdWStjdWSty%td|dw)N /SubFilterz/CFrz8Invalid /SubFilter in public key encryption dictionary: )r+rrrrrZr[)rTrrHrHrIros" z*PubKeySecurityHandler._determine_subfiltercCs6t|d}td|||||d||S)N/V)rvrrrH)r9 from_numberrKrrr)rTrvrHrHrIinstantiate_from_pdf_objectsz1PubKeySecurityHandler.instantiate_from_pdf_objectcCst}t||d<|jj|d<|j|d<|js#|jt j kr-t |j d|d<|jt j kr;t |j|d<|jtjkrK||j|S|}t|tsVttdd|jD|d <|S) Nz/Filterrrr~rrcsrr[rrrHrHrIrs  z6PubKeySecurityHandler.as_pdf_object..r)r*DictionaryObjectrrUrrrvr_compat_entriesr9rrr{rrOrrrxrget_stream_filterr_rJr`rrM)rUr default_cfrHrHrIrs,        z#PubKeySecurityHandler.as_pdf_objectcCs0|jD]}t|ts q|j|||dqdS)Nr)rstandard_filtersr_rJrn)rUrcrlrdrrHrHrIrns  z$PubKeySecurityHandler.add_recipientsrrcCst|trt|}t|tstdt|d|}n|}d}|j D]!}t|t s.q&| |}|j t jkr=|S|jdurG||jM}q&t|trP||_tt jt|S)a Authenticate a user to this security handler. :param credential: The credential to use (an instance of :class:`.EnvelopeKeyDecrypter` in this case). :param id1: First part of the document ID. Public key encryption handlers ignore this key. :return: An :class:`AuthResult` object indicating the level of access obtained. zRPubkey authentication credential must be an instance of EnvelopeKeyDecrypter, not rolN)r_r<r; deserialiser7r+r[typerrrJrustatusr3rqpermission_flags _credentialr2rpr/)rUrrid1deser_credentialactual_credentialrlrrrHrHrIrus.         z"PubKeySecurityHandler.authenticatecCs |jjSr[)rget_for_stream shared_keyr\rHrHrIget_file_encryption_keys z-PubKeySecurityHandler.get_file_encryption_key)TNNTr[)1rCrDrErr*rrrrrrr5rGrr9rwr1r@rrrrMrrrlistrTrrUrrrrFr4rrrrrrrnr r7r<r2rurrrrHrHrWrIrKs      T:       0rK)NT)T)abcenumloggingrrhr dataclassesrhashlibrrtypingrrrrr r asn1cryptor r r rasn1crypto.algosrasn1crypto.cmsrrasn1crypto.keysrrrcryptography.hazmat.primitivesrrr,cryptography.hazmat.primitives.asymmetric.ecrrrrr1cryptography.hazmat.primitives.asymmetric.paddingrrrr-cryptography.hazmat.primitives.asymmetric.rsar r!.cryptography.hazmat.primitives.asymmetric.x448r"r#0cryptography.hazmat.primitives.asymmetric.x25519r$r%"cryptography.hazmat.primitives.kdfr&*cryptography.hazmat.primitives.kdf.x963kdfr',cryptography.hazmat.primitives.serializationr(r*r+_utilr-r.r/r0apir1r2r3r4r5r6r7r8r9r:cred_serr;r< filter_mixinsr=r> getLoggerrCrgr@ABCrJrrrrDEF_EMBEDDED_FILErruniqueEnumrrrMrrrrr HashAlgorithmrrrrrrr2rjr`r6r7Sequencer>rArrKrrQregisterr1rrorrrrrrKrHrHrHrIs6       0          !   ! :  0 G;    B J