o >el @sdddlZddlZddlZddlZddlmZddlmZmZm Z ddl m Z m Z m Z mZddlmZddlmZmZmZddlmZmZdd lmZmZmZmZmZdd lmZm Z m!Z!m"Z"dd l#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-dd l.m/Z/m0Z0dd l1m2Z2m3Z3eGdddZ4dee5e6fde6fddZ7 d9de6de4de e6fddZ8 d9de6de4de6de e6fddZ9dddZ:de6fd d!Z; d9de6d"e6de e6de6fd#d$ZZ?Gd'd(d(ej@e/ZAGd)d*d*e'ejBZCGd+d,d,eCe2ZDGd-d.d.eCe3ZEeFd/ZGd0d1ZHd2d3ZId4ejJfd5d6ZKe,jLGd7d8d8e,ZMe/LeAdS):N) dataclass)sha256sha384sha512)DictOptionalTupleUnion)core)Cipher algorithmsmodes)genericmisc)compute_o_value_legacycompute_o_value_legacy_prepcompute_u_value_r2compute_u_value_r34legacy_normalise_pw)aes_cbc_decryptaes_cbc_encrypt as_signed rc4_encrypt) ALL_PERMS AuthResult AuthStatus CryptFilterCryptFilterBuilderCryptFilterConfigurationIdentityCryptFilterPdfKeyNotAvailableErrorSecurityHandlerSecurityHandlerVersion)SerialisableCredentialSerialisedCredential)AESCryptFilterMixinRC4CryptFilterMixinc@s<eZdZUeed<eed<eed<ededdfddZdS) _R6KeyEntry hash_valuevalidation_saltkey_saltentryreturncCs4t|dksJt|dd|dd|ddS)N0 ()lenr()clsr,r3a/var/www/html/humari/django-venv/lib/python3.10/site-packages/pyhanko/pdf_utils/crypt/standard.py from_bytes,s$z_R6KeyEntry.from_bytesN)__name__ __module__ __qualname__bytes__annotations__ classmethodr5r3r3r3r4r(&s r(passwordr-cCs8t|tr|s dSddlm}||d}|ddS)Nr)saslprepzutf-8) isinstancestr _saslprepr>encode)r<r>r3r3r4_r6_normalise_pw2s   rDpw_bytesr,u_entrycCst||j|}||jkSN) _r6_hash_algor*r))rEr,rFpurported_hashr3r3r4_r6_password_authenticate=s rJe_entrycCs2t||j|}t|dksJt||tdddS)Nr/Fkeydataiv use_padding)rHr+r1rr9)rEr,rKrF interm_keyr3r3r4_r6_derive_file_keyDs  rSTF)TF input_bytescCstdd|DdS)Ncss|]}|dVqdS)Nr3.0br3r3r4 Vz_bytes_mod_3..rW)sum)rVr3r3r4 _bytes_mod_3Tsr^ current_saltc Cst|}t|dks J|||r t|dksJ|||}tttf}d}}|dks7||dkry|||p=dd}t|dd||ddd d d } |t| dd} | | }| t| d }|d 7}|dks7||dks7|ddS) u3 Algorithm 2.B in ISO 32000-2 § 7.6.4.3.4 r.r@r/r=NrLFrMr)rr1updatedigestrrrr^) rEr_rF initial_hashkhashesround_no last_byte_valk1e next_hashr3r3r4rHYs,     rHc@sDeZdZdZdZdZdZdZdZ de j fdd Z e d d d Z dS) StandardSecuritySettingsRevisionz;Indicate the standard security handler revision to emulate.rWNr-cCs |j}|dur tSt|SrG)valuer NullObject NumberObject)selfvalr3r3r4 as_pdf_objects z.StandardSecuritySettingsRevision.as_pdf_objectcCs$zt|WStytjYSwrG)rl ValueErrorOTHER)r2rpr3r3r4 from_numbers    z,StandardSecuritySettingsRevision.from_number)r-rl)r6r7r8__doc__ RC4_BASIC RC4_EXTENDED RC4_OR_AES128AES256rwr PdfObjectrur;rxr3r3r3r4rlwsrlc@sXeZdZdejfdejddifgZedefddZde fdd Z ed e fd d Z d S)_PasswordCredential pwd_bytesid1optionalTr-cCsdS)Nrr3r2r3r3r4get_namesz_PasswordCredential.get_namecCs|SrG)dumprsr3r3r4 _ser_valuesz_PasswordCredential._ser_valuerOcCs&zt|WStytdw)Nz)Failed to deserialise password credential)rloadrvr PdfReadError)r2rOr3r3r4 _deser_values    z _PasswordCredential._deser_valueN) r6r7r8r OctetString_fieldsr;rArr9rrr3r3r3r4rsrcsXeZdZUdZdZeded<eddZfddZ d e fd d Z fd d Z Z S)StandardCryptFilterzB Crypt filter for use with the standard security handler. NStandardSecurityHandler_handlercCst|jtr |jjStrG)r@rr _auth_failedNotImplementedErrorrr3r3r4rs z StandardCryptFilter._auth_failedcs$t|tstt|d|_dSrG)r@r TypeErrorsuper_set_security_handler _shared_key)rshandler __class__r3r4rs   z)StandardCryptFilter._set_security_handlerr-cCs|jsJ|jSrG)rget_file_encryption_keyrr3r3r4derive_shared_encryption_keys  z0StandardCryptFilter.derive_shared_encryption_keycst}t|j|d<|S)N/Length)rrurrrkeylenrsresultrr3r4rus z!StandardCryptFilter.as_pdf_object)r6r7r8ryrrr:propertyrrr9rru __classcell__r3r3rr4rs   rc@eZdZdZdS)StandardAESCryptFilterz= AES crypt filter for the standard security handler. Nr6r7r8ryr3r3r3r4rrc@r)StandardRC4CryptFilterz= RC4 crypt filter for the standard security handler. Nrr3r3r3r4rrrz/StdCFcCttt|dittdSNr)default_stream_filterdefault_string_filter)rSTD_CFrrr3r3r4_std_rc4_config  rcCrr)rrrrr3r3r4_std_aes_configrrcfdictcCs|dd}t|ddS)Nrr0r`r)getr)r_acts_as_default keylen_bitsr3r3r4#_build_legacy_standard_crypt_filters rc szeZdZUdZedeedddedddedd diZeeje fe d <e d e fd d Z e dddeddfdedefddZe dedfddZed2ddZ      d3dedededeeffdd Ze d ejd efd!d"Ze d ejfd#d$Zd%d&Zd'efd(d)Zd'efd*d+Z d4d'eed e!fd,d-Z"d e#e$eeffd.d/Z%d efd0d1Z&Z'S)5ra Implementation of the standard (password-based) security handler. You shouldn't have to instantiate :class:`.StandardSecurityHandler` objects yourself. For encrypting new documents, use :meth:`build_from_pw` or :meth:`build_from_pw_legacy`. For decrypting existing documents, pyHanko will take care of instantiating security handlers through :meth:`.SecurityHandler.build`. z/V2z/AESV2cC tddS)NrLrr___r3r3r4z StandardSecurityHandler.z/AESV3cCr)Nr/rrrr3r3r4rrz /IdentitycCstSrG)r rr3r3r4rs_known_crypt_filtersr-cCs tdS)N /Standard)r NameObjectrr3r3r4rs z StandardSecurityHandler.get_nameNrLTrevpermsc  KsFt|}|dur t|n|}|tjkrt|d|tjkr"d}n |r+|tjkr+d}t|||j|} t|d@}|tjkrNt|dB}t|| ||\} } n t ||j|| ||| \} } |tjkrdt j}n |tjkrmt j }nt j }|tjkr|dur|rt dd}nt|d}|d ||||| | || d| }| |_t||d |_|S) a Initialise a legacy password-based security handler, to attach to a :class:`~.pyhanko.pdf_utils.writer.PdfFileWriter`. Any remaining keyword arguments will be passed to the constructor. .. danger:: The functionality implemented by this handler is deprecated in the PDF standard. We only provide it for testing purposes, and to interface with legacy systems. :param rev: Security handler revision to use, see :class:`.StandardSecuritySettingsRevision`. :param id1: The first part of the document ID. :param desired_owner_pass: Desired owner password. :param desired_user_pass: Desired user password. :param keylen_bytes: Length of the key (in bytes). :param use_aes128: Use AES-128 instead of RC4 (default: ``True``). :param perms: Permission bits to set (defined as an integer) :param crypt_filter_config: Custom crypt filter configuration. PyHanko will supply a reasonable default if none is specified. :return: A :class:`StandardSecurityHandler` instance. Nz/ is not supported by this bootstrapping method.rLlr)versionrevision legacy_keylen perm_flagsodataudatacrypt_filter_configencrypt_metadatarrr3)rrlr|rvrzrrprrrr#RC4_40RC4_LONGER_KEYSrrrr _credential)r2rrdesired_owner_passdesired_user_pass keylen_bytes use_aes128rrrkwargso_entryrFrNrshr3r3r4build_from_pw_legacy sx-               z,StandardSecurityHandler.build_from_pw_legacyc Kst|}|dur t|n|}td}td} td} t|| } | | | } t|| } t| |tddd\}}t|dksAJtd}td}t||| }|||}t||| }t||tddd\}}t|dksqJtd|d@}|d |rd nd d td }t t |t }|}|||}|dtjtjd||| ||||d |}||_td|i|_|S)a Initialise a password-based security handler backed by AES-256, to attach to a :class:`~.pyhanko.pdf_utils.writer.PdfFileWriter`. This handler will use the new PDF 2.0 encryption scheme. Any remaining keyword arguments will be passed to the constructor. :param desired_owner_pass: Desired owner password. :param desired_user_pass: Desired user password. :param perms: Desired usage permissions. :param encrypt_metadata: Whether to set up the security handler for encrypting metadata as well. :return: A :class:`StandardSecurityHandler` instance. Nr/r`rLF)rQz._get_bytes/PNr./OE/UE/Perms/EncryptMetadataT)default)rrrrrrrr) rrrKeyErrorrr~r9dictrrr get_and_applybool)r2rrrrrrr3r3r4gather_encryption_metadata)s.          z2StandardSecurityHandler.gather_encryption_metadatacCs>t|d}t|d}td||||d||S)N/V/R)rrrr3)r#rxrlrprocess_crypt_filtersr )r2rvrr3r3r4instantiate_from_pdf_objectSsz3StandardSecurityHandler.instantiate_from_pdf_objectcCst}td|d<t|j|d<t|j|d<tt|j|d<|j s.|j t j kr8t|j d|d<|j |d<|j|d <|j t j kr\t|j|d <||j|jtjkrzt|j|d <t|j|d <t|j|d <|S)Nrz/Filterrrrr`rr rrrrr)rDictionaryObjectrrrrrrrr_compat_entriesrr#rrrur BooleanObjectrrbrrlr}rrrrr3r3r4ru`s*   z%StandardSecurityHandler.as_pdf_objectrcCst|j}|j}|tjkrt||j|j|\}}nt||j|j |j|j||j \}}|dd}|dd}||k|fS)NrL) rrrlrzrrrrrprr)rsrr<r user_tokenuser_tok_suppliedrNr3r3r4_auth_user_password_legacyzs$     z2StandardSecurityHandler._auth_user_password_legacyc st||d}|j}t||j|j}|tjkrt||j}n|j}t dddD]t fdd|D}t||}q'|}| ||\} }| rN||_ t j|fS| ||\} }| r`||_ t j|fSt jdfS)Nrc3s|]}|AVqdSrGr3rXir3r4r[r\z?StandardSecurityHandler._authenticate_legacy..)rrrrprrlrzrrranger9rrrOWNERUSERFAILED) rsrr<credrrN prp_userpassrtnew_keyowner_password user_passwordr3rr4_authenticate_legacys&     z,StandardSecurityHandler._authenticate_legacycCst|tr t|}t|tttfstdt |dt|tr,|dj }|dj }|j }|t j kr<||\}}n|durEtdt|}|||\}}|durY||_nd|_t||jdS) a Authenticate a user to this security handler. :param credential: The credential to use (a password in this case). :param id1: First part of the document ID. This is mandatory for legacy encryption handlers, but meaningless otherwise. :return: An :class:`AuthResult` object indicating the level of access obtained. z]Standard authentication credential must be a string, byte string or _PasswordCredential, not .rrNz+id1 must be specified for legacy encryptionT)statuspermission_flags)r@r%r$ deserialiserrAr9rrrnativerrlr}_authenticate_r6rr&rrrr)rs credentialrrresrNr3r3r4 authenticates0      z$StandardSecurityHandler.authenticatec Cs.t|}t|j}t|j}t|||jr$tj}t|||j |j}nt||r4tj }t|||j }ntj dfSt t|t}|}||j|} | dddk} | |jtd| dddkM} zt| d} | | |jkM} Wn tyd} Ynw| std td |i|_||fS) N rzs  0         *