o >eɩ@sddlZddlZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZddlmZddlmZddlmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(dd l)m*Z*dd l+m,Z,dd l-m.Z.dd l/m0Z0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?m@Z@ddlAmBZBmCZCddlDmEZEddlFmGZGddlHmIZImJZJmKZKmLZLmMZMmNZNmOZOddlPmQZQmRZRmSZSmTZTgdZUeVeWZXedeMdZYdejZdeej[ej\dffddZ]d e^fd!d"Z_d#ej`dejZfd$d%Zad&ejZd'ejbd(ejcfd)d*Zd  dmd+ejed#ej`d,efd-egd.e eRd/e edee^e^ffd0d1Zhd2ejide7fd3d4Zj      dnd2ejid5e egd6e ed7e ekd8e e,d9e e.d:e eRd;eGde efeffdee,d9e e.dd?f d@dAZmedddddBd2ejidCeeYd5e egd6e ed7e ekd;e eGdeYfdDdEZnedddddBd2ejid5e egd6e ed7e ekd;e eGdeMf dFdEZneMdddddfd2ejid5e egd6e ed7e ekd;e eGd:e eRdeYfdGdEZnd+ejede efdHdIZo Jdpd+ejedKe^de ejifdLdMZpd+ejede egfdNdOZqd+ejedPe ed5egfdQdRZr dodSejid6e edTegd:e eRfdUdVZsdWe ejtdXej`d6edee e0e ee%e$e#fffdYdZZud[e ejtdXej`d6e ed\ejZfd]d^Zvddddde>jwdfd_eegeejxejyfd2ejid`e edPe edae ed;e eGd:e eRdeNfdbdcZzedddedfZ{ededgGdhdidie e{Z|djee{de|e{fdkdlZ}dS)qN) dataclass)datetime) IOAny AwaitableDictGenericIterableListOptionalTupleTypeTypeVarUnionoverload)cmscoretspx509)InvalidSignature)hashes)CancelableAsyncIteratorValidationContextfind_valid_path)DisallowedAlgorithmError ExpiredErrorInvalidCertificateErrorPathBuildingErrorPathValidationError RevokedErrorStaleRevinfoErrorValidationError)TimeSlideFailure)ValidationPath)PKIXValidationParams)ACValidationResultasync_validate_ac) CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCertscheck_ess_certidextract_certificate_infoextract_signer_infofind_unique_cms_attributeget_pyca_cryptography_hash)misc)lift_iterable_async) AdESFailureAdESIndeterminate)errors)KeyUsageConstraints)CAdESSignerAttributeAssertionsCertifiedAttributesClaimedAttributesRevocationDetailsSignatureStatusStandardCMSSignatureStatusTimestampSignatureStatus)DEFAULT_ALGORITHM_USAGE_POLICYCMSAlgorithmUsagePolicyextract_message_digest validate_raw) validate_sig_integrityasync_validate_cms_signaturecollect_timing_infovalidate_tst_signed_dataasync_validate_detached_cmscms_basic_validationcompute_signature_tst_digestextract_tst_dataextract_self_reported_tsextract_certs_for_validationcollect_signer_attr_statusvalidate_algorithm_protectionget_signing_cert_attr StatusType)bound signed_attrsreturncCs$t|dd}|durt|dd}|S)a  Retrieve the ``signingCertificate`` or ``signingCertificateV2`` attribute (giving preference to the latter) from a signature's signed attributes. :param signed_attrs: Signed attributes. :return: The value of the attribute, if present, else ``None``. T)v2NF)_grab_signing_cert_attr)rTattrrYd/var/www/html/humari/django-venv/lib/python3.10/site-packages/pyhanko/sign/validation/generic_cms.pyrQcs  rQrVc Csx|rdnd}|r tjntj}z t||}||WSty%YdSty;}z tj }t j d|d|d}~ww)Nsigning_certificate_v2signing_certificatez3Wrong cardinality for signing certificate attributeades_subindication) rSigningCertificateV2SigningCertificater/loaddumpr*r)r6NO_SIGNING_CERTIFICATE_FOUNDr8SignatureValidationError)rTrV attr_nameclsvalueeerrrYrYrZrWus"   rWcertcCsNt|}|dur dS|dd}t||s%tj}tjd|jjd|ddS)NcertsrzWSigning certificate attribute does not match selected signer's certificate for subject"z".r])rQr,r6rcr8rdsubjecthuman_friendly)rjrTrXcertidrirYrYrZ_check_signing_certificates  roattrsclaimed_digest_algorithm_objclaimed_signature_algorithm_objcCszt|d}Wntyd}Yn tytdw|durH|dj}||jkr0td|dj}|dur>td||jkrJtddSdS) a+ Internal API to validate the CMS algorithm protection attribute defined in :rfc:`6211`, if present. :param attrs: A CMS attribute list. :param claimed_digest_algorithm_obj: The claimed (i.e. unprotected) digest algorithm value. :param claimed_signature_algorithm_obj: The claimed (i.e. unprotected) signature algorithm value. :raises errors.CMSStructuralError: if multiple CMS protection attributes are present :raises errors.CMSAlgorithmProtectionError: if a mismatch is detected cms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.signature_algorithmz|d}|d}|dj}|durg|j|||jd} | s=d|djd} | jdur3| d| jd 7} tj| | jdud |j||d } | sgd|djd} | jdur]| d| jd 7} tj| | jdud |d j} |d } | tj ur|d}d}|}nw|d  }| }d}z t |||dWn*t y}z tj|jtjdd}~wtjy}z tj|jtjdd}~wwt||zt|d}Wnttfytjdtjdw|j}||krtjd|d|tjdt|}zt| |||||||dd}Wn tyd}Ynw|dur||kn|}||fS)ae Validate the integrity of a signature for a particular signerInfo object inside a CMS signed data container. .. warning:: This function does not do any trust checks, and is considered "dangerous" API because it is easy to misuse. :param signer_info: A :class:`cms.SignerInfo` object. :param cert: The signer's certificate. .. note:: This function will not attempt to extract certificates from the signed data. :param expected_content_type: The expected value for the content type attribute (as a Python string, see :class:`cms.ContentType`). :param actual_digest: The actual digest to be matched to the message digest attribute. :param algorithm_usage_policy: Algorithm usage policy. :param time_indic: Time indication for the production of the signature. :return: A tuple of two booleans. The first indicates whether the provided digest matches the value in the signed attributes. The second indicates whether the signature of the digest is valid. rurt algorithmN)moment public_keyzThe algorithm z, is not allowed by the current usage policy.z Reason: .) permanent)r signaturerTTF)rqrrr] content_typezQContent type not found in signature, or multiple content-type attributes present.z Content type z did not match expected value ) prehashedalgorithm_policyr)rvsignature_algorithm_allowedrfailure_reasonr8rnot_allowed_afterdigest_algorithm_allowedrVOIDuntagrbrPr(rdfailure_messager5FORMAT_FAILURErwr6GENERICror/r*r)rCrDr)r{rjr|r}r~rrudigest_algorithm_obj md_algorithmsig_algo_allowedmsgdigest_algo_allowedrsigned_attrs_origembedded_digestr signed_datarTrhrvalidintactrYrYrZrEs'             rErcCsPz t|}|j}Wntytjdtjdwt|}|d}t|||S)a Extract certificates from a CMS signed data object for validation purposes, identifying the signer's certificate in accordance with ETSI EN 319 102-1, 5.2.3.4. :param signed_data: The CMS payload. :return: The extracted certificates. z,signer certificate not included in signaturer]rT) r- signer_certr'r8rdr6rcr.ro)r cert_inforjr{rTrYrYrZrNs   rN raw_digestvalidation_context status_kwargsvalidation_pathpkix_validation_paramsrkey_usage_settingsc s t|}t|} | j} | j} d} |dur |pt|j}|j} |p$t}|dur+t }|d} | dj }|ddj }|d}|dj }|durat |d}t |}t |}|||}n|dtjurptjdtjd zt|| |||| d \}}Wnty}z tjd |jtjd |d}~wwd}}}}|rz3|j| |durt|g}n|j| }t| ||||d IdH}|j }|j!}|j"p|j#}|j$}Wnt%y}zt&j'd |dt(j)}WYd}~nd}~ww|pi}|durdn|j*|d<|j||| ||||||d |S)z Perform basic validation of CMS and PKCS#7 signatures in isolation (i.e. integrity and trust checks). Internal API. Nrurrtencap_content_inforcontentzKCMS structural error: detached signatures should not have encapsulated datar])r|r}r~rzCMS structural error: )rpathsrz&Processing error in validation processexc_infovalidation_time) rr signing_certrpkcs7_signature_mechanismtrust_problem_indicrrevocation_detailserror_time_horizon)+r.rNr other_certsrB lift_policyrbest_signature_timerrArvbytesr0rHashupdatefinalizerrr8rdr5rrEr(rcertificate_registryregister_multipler3 path_builderasync_build_paths_lazyvalidate_cert_usageerror_subindic revo_detailssuccess_result error_pathr ValueErrorloggererrorr6!CERTIFICATE_CHAIN_GENERAL_FAILUREr)rrrrrrrrr{rrjrrru mechanismrecir|rawmd_specmdrrrh ades_statuspathrrr op_resultrYrYrZrJs             rJrz,CertvalidatorOperationResult[ValidationPath]cs,dtffdd }t|IdHS)zE Low-level certificate validation routine. Internal API. rUcs"tdIdHS)N)rr)validaterrYrjrrrrrYrZ_check(s  z#validate_cert_usage.._checkN)r#handle_certvalidator_errors)rjrrrrrrYrrZrs  r)rrrr status_clscdSNrY)rrrrrrrYrYrZrF5s rFcrrrY)rrrrrrYrYrZrFBs cs4||}t||||||dIdH}|di|S)a Validate a CMS signature (i.e. a ``SignedData`` object). :param signed_data: The :class:`.asn1crypto.cms.SignedData` object to validate. :param status_cls: Status class to use for the validation result. :param raw_digest: Raw digest, computed from context. :param validation_context: Validation context to validate the signer's certificate. :param status_kwargs: Other keyword arguments to pass to the ``status_class`` when reporting validation results. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: A :class:`.SignatureStatus` object (or an instance of a proper subclass) )rrNrY)default_usage_constraintsrJ)rrrrrrreff_key_usage_settingsrYrYrZrFNs'  c Cs4z |d}t|d}|jWSttfyYdSw)a Extract self-reported timestamp (from the ``signingTime`` attribute) Internal API. :param signer_info: A ``SignerInfo`` value. :return: The value of the ``signingTime`` attribute as a ``datetime``, or ``None``. rT signing_timeN)r/rvr*r))r{sastrYrYrZrMs  rMFsignedc CsRz|r |d}t|d}n |d}t|d}|d}|WSttfy(YdSw)a Extract signed data associated with a timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :param signed: If ``True``, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes). :return: The ``SignedData`` value found, or ``None``. rTcontent_time_stampunsigned_attrssignature_time_stamp_tokenrN)r/r*r))r{rrtstuatst_signed_datarYrYrZrLs  rLcCsft|}|dur dS|d}|djd}|ddj}|dj}t|}t|}|||S)a. Compute the digest of the signature according to the message imprint algorithm information in a signature timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :return: The computed digest, or ``None`` if there is no signature timestamp. Nrrmessage_imprinthash_algorithmrr)rLparsedrvr0rrrr)r{tst_datarmitst_md_algorithmsignature_bytes tst_md_specrrYrYrZrKs   rKts_validation_contextc si}t|}|dur||d<t|dd}|dur7t|}|dus#Jt|||IdH}td i|}||d<t|dd} | durVt| ||dIdH} td i| } | |d<|S) a Collect and validate timing information in a ``SignerInfo`` value. This includes the ``signingTime`` attribute, content timestamp information and signature timestamp information. :param signer_info: A ``SignerInfo`` value. :param ts_validation_context: The timestamp validation context to validate against. :param raw_digest: The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one) Nsigner_reported_dtF)rtimestamp_validityT)expected_tst_imprintcontent_timestamp_validityrY)rMrLrKrHr@) r{rrrrrtst_signature_digesttst_validity_kwargs tst_validitycontent_tst_signed_datacontent_tst_validity_kwargscontent_tst_validityrYrYrZrGs8     rGrrc sd}|dd}t|tjr|j}t|tjs tjdtj d|dj }t }t ||d|i||dIdH}|d d j } || krVtd | d |d d|d<|S)a Validate the ``SignedData`` of a time stamp token. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to validate against. :param expected_tst_imprint: The expected message imprint value that should be contained in the encapsulated ``TSTInfo``. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: Keyword arguments for a :class:`.TimeStampSignatureStatus`. Nrrz'SignedData does not encapsulate TSTInfor]gen_time timestamp)rrrrrhashed_messagezTimestamp token imprint is z, but expected rFr) isinstancerParsableOctetStringrrTSTInfor8rdr5rrvr@rrJrwarninghex) rrrrtst_infotst_info_bytesr ku_settingsr tst_imprintrYrYrZrH s8       rHacsrc s~fdd|D}g}g}t|D]&}z ||IdHWqtttfy:}z ||WYd}~qd}~ww||fS)Ncsg|] }t|dqS)) holder_cert)r&).0acrrrYrZ Ts z+process_certified_attrs..)asyncio as_completedappendrrr)rrrjobsresultsr8jobrhrYrrZprocess_certified_attrsJs$  r sd_attr_certificatessd_signed_attrsc szt|d}Wn!tyd}Ynty)}z tjt|tjd|d}~wwi}d}d}|dur|d} t t | t j sB| nd} |d} d} t | t j sqdd| D} t | t | k} |durqt| ||}|IdH\}}|dur{t|}nd}| pt |d t j  }|dur|rtd t| |||d |d <|durt|||IdH\}}|r|||r||t||d <||d<|S)Nsigner_attributes_v2r]claimed_attributesrYcertified_attributes_v2FcSsg|] }|jdkr|jqS) attr_cert)namechosen)rrXrYrYrZrs  z.collect_signer_attr_status..signed_assertionszCAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.) claimed_attrscertified_attrsac_validation_errsunknown_attrs_presentcades_signer_attrsac_attrsr)r/r*r)r8rdstrr5rr< from_iterablerrVoidlenr r; from_resultsrrr:extend)r rrr  signer_attrsrhresultcades_ac_resultscades_ac_errors claimed_asn1claimedcertified_asn1unknown_cert_attrs cades_acsval_job certified unknown_attrs ac_results ac_errorsrYrYrZrOfs         rO input_datasigner_validation_contextac_validation_contextc s|dur|}t|} | ddj} tt| } t|tr$| |n t|tj tj fr7| t|dn t |} t j | || |d| } t| || dIdH}t|}t|| ||||dIdH}t|}|durs|j|j|t|j|j|| dd IdHtd i|S) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. Nrtrr)max_read)rr)rrrrrrT)r rrr rY)r.rvrrr0rrrr ContentInfoEncapsulatedContentInfo bytearrayr2chunked_digestrrGr?rrJr-rrrrOattribute_certsr)r-rr.rr/rr chunk_sizer0r{rthtemp_buf digest_bytesrrrYrYrZrIsV=     rI ResultTypeT) covariant)frozenc@s^eZdZUdZeeed<dZeeed<dZ ee ed<dZ ee ed<dZ eeed<dS)CertvalidatorOperationResultzB Internal class to inspect error data from certvalidator. rNrrrr)__name__ __module__ __qualname____doc__r r:__annotations__rr=rrrr#rr6rYrYrYrZr=9s  r=coroc sd}d}}z t|IdHdWSty.}ztj|j|dtj}WYd}~n1d}~wtyK}ztj|j|dtj}WYd}~nd}~wt yj}ztj|j|dtj }|j }WYd}~nd}~wt y}z tj|j|d|j }|jdurtj}ntj}|j}WYd}~nd}~wty}z5|j }t|j|j}|jrtj}n|jrtj}td|j|jd}n tj}td|j|jd}WYd}~nd}~wty}ztjd|dtj}WYd}~nod}~wty}z!|j }t|j|j}|js|jrtj}ntj}WYd}~nBd}~wty=}z|j }tj|j|dtj}WYd}~n"d}~wt yZ}ztj|j|dtj}WYd}~nd}~wwtd||||dS) z Internal error handling function that maps certvalidator errors to AdES status indications. :param coro: :return: N)rrF) ca_revokedrevocation_daterevocation_reasonTzFailed to build path)rrrrr)!r=rrr failure_msgr6CHAIN_CONSTRAINTS_FAILUREr"NO_POEr TRY_LATER time_cutoffr original_path banned_sinceCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POEr revocation_dtis_side_validationr is_ee_certREVOKED_NO_POEr=reasonREVOKED_CA_NO_POErNO_CERTIFICATE_CHAIN_FOUNDr expired_dtOUT_OF_BOUNDS_NO_POErr!)rC time_horizonrrrhrrYrYrZrFs    r)NN)NNNNNNr)F)~rlogging dataclassesrrtypingrrrrrr r r r r rrr asn1cryptorrrrcryptography.exceptionsrcryptography.hazmat.primitivesrpyhanko_certvalidatorrrrpyhanko_certvalidator.errorsrrrrrrr r! pyhanko_certvalidator.ltv.errorsr"pyhanko_certvalidator.pathr#!pyhanko_certvalidator.policy_declr$pyhanko_certvalidator.validater%r&pyhanko.sign.generalr'r(r)r*r+r,r-r.r/r0 pdf_utilsr2pdf_utils.miscr3 ades.reportr5r6r8settingsr9statusr:r;r<r=r>r?r@utilsrArBrCrD__all__ getLoggerr>rrR CMSAttributesr`r_rQboolrW CertificateroDigestAlgorithmSignedDigestAlgorithmrP SignerInforrrE SignedDatarNdictrJrrFrMrLrKrGrHAttributeCertificateV2r rODEFAULT_CHUNK_SIZEr1r2rIr:r=rrYrYrYrZs  <  (  0   $      ;  ( !        6  ! 9 >   h k