hK dZddlZddlZddlmZddlmZmZmZm Z m Z ddl m Z m Z mZmZddlmZddlmZmZddlmZdd lmZdd lmZdd lTdd lmZgd Zeje Z!Gdde"Z#Gdde#Z$Gdde#Z%dZ&Gdde'Z(Gdde"Z)dZ*dZ+dej,dej-fdZ. d?dej,dej/fdZ0dej,d e ej1ej2ffd!Z3d"e e j4ej5fdej,de6fd#Z7Gd$d%e"Z8Gd&d'e8Z9de ej:fd(Z; d@de ej:effd*Z d@d-e j?fd.Z@dej,d/e=de j?fd0ZAed12Gd3d4ZBd5e jCfd6ZDd7ZEd8e jFde jGfd9ZHd8e jFdeBfd:ZIejJfd;edZMdS)Aa General tools related to Cryptographic Message Syntax (CMS) signatures, not necessarily to the extent implemented in the PDF specification. CMS is defined in :rfc:`5652`. To parse CMS messages, pyHanko relies heavily on `asn1crypto `_. N) dataclass)IOIterableListTupleUnion)algoscmstspx509)SignedDigestAlgorithm)hashes serialization)padding) RSAPublicKey) Prehashed)*)misc)simple_cms_attributefind_cms_attributefind_unique_cms_attributeNonexistentAttributeErrorMultivaluedAttributeError SigningErrorUnacceptableSignerErrorSignedDataCertsextract_signer_infoextract_certificate_infoget_cms_hash_algo_for_mechanismget_pyca_cryptography_hash&get_pyca_cryptography_hash_for_signingoptimal_pss_paramsprocess_pss_paramsas_signing_certificateas_signing_certificate_v2match_issuer_serialcheck_ess_certidCMSExtractionErrorbyte_range_digestValueErrorWithMessageCMSStructuralErrorload_cert_from_pemderload_certs_from_pemderload_certs_from_pemder_dataload_private_key_from_pemder!load_private_key_from_pemder_datac"eZdZdZfdZxZS)r*z Value error with a failure message attribute that can be conveniently extracted, instead of having to rely on extracting exception args generically. crt||_t|dSN)strfailure_messagesuper__init__)selfr5 __class__s P/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko/sign/general.pyr7zValueErrorWithMessage.__init__Bs1"?33 ))))))__name__ __module__ __qualname____doc__r7 __classcell__r9s@r:r*r*;sB *********r;r*ceZdZdZdS)r+z!Structural error in a CMS object.Nr<r=r>r?r;r:r+r+Gs++++r;r+ceZdZdS)r(Nr<r=r>rDr;r:r(r(KDr;r(cVtjtj||fdS)a Convenience method to quickly construct a CMS attribute object with one value. :param attr_type: The attribute type, as a string or OID. :param value: The value. :return: A :class:`.cms.CMSAttribute` object. )typevalues)r CMSAttributeCMSAttributeType) attr_typevalues r:rrOs1  %i00UHEE  r;ceZdZdS)rNrFrDr;r:rr`rGr;rceZdZdS)rNrFrDr;r:rrdrGr;rcd}|r3|D]0}|dj|kr|td|d|d}1||Std|d)a Find and return CMS attribute values of a given type. .. note:: This function will also check for duplicates, but not in the sense of multivalued attributes. In other words: multivalued attributes are allowed; listing the same attribute OID more than once is not. :param attrs: The :class:`.cms.CMSAttributes` object. :param name: The attribute type as a string (as defined in ``asn1crypto``). :return: The values associated with the requested type, if present. :raise NonexistentAttributeError: Raised when no such type entry could be found in the :class:`.cms.CMSAttributes` object. :raise CMSStructuralError: Raised if the given OID occurs more than once. NrIz Attribute z was duplicatedrJzUnable to locate attribute .)nativer+r)attrsname found_valuesattrs r:rrhs,L . . .DF|"d**+,%>%E%E%G%G!% 0%5t{$C!"!"' .22C-D /. * *     r;sha256c nt|}tj|}|||}t jdt jd|i|tj d|j ig|ddddgiS)a Format an ASN.1 ``SigningCertificateV2`` value, where the certificate is identified by the hash algorithm specified. :param cert: An X.509 certificate. :param hash_algo: Hash algorithm to use to digest the certificate. Default is SHA-256. :return: A :class:`tsp.SigningCertificateV2` object referring to the original certificate. r^ algorithmr_r`rarb)hash_algorithmrdre) r rHashupdaterjfinalizer SigningCertificateV2 ESSCertIDv2r rlrc)r[ hash_algo hash_specmd digest_values r:r%r%s$+955I Y  BIIdiikk;;==L  # +6 *B%1!% 0%5t{$C!"!"' .22C-D /. * *     r;certidc~t|tjrd}n|ddj}t |}t j|}||| }|dj}||krdS|d}| pt||S)a Match an ``ESSCertID`` value against a certificate. :param cert: The certificate to match against. :param certid: The ``ESSCertID`` value. :return: ``True`` if the ``ESSCertID`` matches the certificate, ``False`` otherwise. rirprordFre) isinstancer rgrSr rrqrrrjrsr&)r[rzrvrwrxryexpected_digest_valueexpected_issuer_serials r:r'r's&#-((A +,[9@ *955I Y  BIIdiikk;;==L";/6,,,u/5o/F% % )<**r;r~c|dd}|d}t|tjr3t|dks|djdkrdS|dj} ||jkp ||jk}n#t$rd}YnwxYw|o |d|kS)a~ Match the issuer and serial number of an X.509 certificate against some expected identifier. :param expected_issuer_serial: A certificate identifier, either :class:`cms.IssuerAndSerialNumber` or :class:`tsp.IssuerSerial`. :param cert: An :class:`x509.Certificate`. :return: ``True`` if there's a match, ``False`` otherwise. r`rarcrYrr_F) r|r GeneralNamesrZrUchosenrjrc ValueError)r~r[ serial_asn1expected_issuer issuer_matchs r:r&r&s&()/:K,X6O /4#4554  A % %q!&*:::5)!,3  " "dk&6&6&8&8 8 .$+-     O/@KOs%:B B/.B/c(eZdZdZdeffd ZxZS)rz1 Error encountered while signing a file. msgcJ||_tj|g|RdSr3)rr6r7)r8rargsr9s r:r7zSigningError.__init__Qs/$t$$$$$$r;)r<r=r>r?r4r7r@rAs@r:rrLsN%C%%%%%%%%%%r;rceZdZdZdS)rz= Error raised when a signer was judged unacceptable. NrCrDr;r:rrVs Dr;rc|dkrtjdStt|S)Nshake256@) digest_size)lowerrSHAKE256getattrupperros r:r r ^sLJ&&2....1wvy0011333r;FcFt|}|rt|n|Sr3)r r)ro prehashedrvs r:r!r!fs)+955I#, ;9Y   );r;mechc>|j}|dkrdS|dkrdS|jS)a% Internal function that takes a :class:`.SignedDigestAlgorithm` instance and returns the name of the digest algorithm that has to be used to compute the ``messageDigest`` attribute. :param mech: A signature mechanism. :return: A digest algorithm name. ed25519sha512ed448r)signature_algorv)rsig_algos r:rrms4"H9x W  z~r;paramsc$|d}|dj}||krtd|d|d|d}|djdkstd|d dj}||kr!td |d |d |d j}t |}t||} tj tj ||} | | fS)zs Extract PSS padding settings and message digest from an ``RSASSAPSSParams`` value. Internal API. rprozPSS MD 'z ' must agree with signature MD 'z'.mask_gen_algorithmmgf1zOnly MFG1 is supported parameterszMessage digest for MGF1 is z", and the one used for signing is zL. If these do not agree, some software may refuse to validate the signature. salt_length)rr)mgfr) rScasefoldrNotImplementedErrorloggerwarningr r!rPSSMGF1) rdigest_algorithmrrvmd_namemga mgf_md_namesalt_lenmgf_mdrx pss_paddings r:r#r#s\(..>'?I $+G-668888 (w ( (# ( ( (   #))=">C {  "f , ,!":;;;l#K07Kg 1+ 1 1! 1 1 1   =)0H ' 4 4F /9 M M MB+ L6 * * *K ?r;rc |}tj|j}t |t stdt|t|}tj ||}tj tjd|itjdtjd|id|dS)a" Figure out the optimal RSASSA-PSS parameters for a given certificate. The subject's public key must be an RSA key. :param cert: An RSA X.509 certificate. :param digest_algorithm: The digest algorithm to use. :return: RSASSA-PSS parameters. z&Expected RSA key, but got key of type ror)ror)rprr)rrload_der_public_key public_keyrjr|rrrIr rcalculate_max_pss_salt_lengthr RSASSAPSSParamsDigestAlgorithmMaskGenAlgorithm)r[rkeyrxoptimal_salt_lens r:r"r"s(--//  +DO,@,@,B,B C CC c< ( (QODIIOOPPP #$4 5 5Br?r Certificate__annotations__rr AttributeCertificateV2rDr;r:rrsg!!!!d&''''#45555r;rsidcjdkrfdSjdkr+jjtdfdSt )Nissuer_and_serial_numberc.tj|Sr3)r&r)crs r:z'_get_signer_predicate..s,SZ;;r;subject_key_identifierzThe signature in this SignedData value seems to be identified by a subject key identifier --- this is legal in CMS, but many PDF viewers and SDKs do not support this feature.c|jkSr3)key_identifier)rskis r:rz'_get_signer_predicate..s)S0r;)rUrrSrrr)rrs`@r:_get_signer_predicatersm x---;;;;; - - -j <   10000 r;ct|d}d}g}|D]%}||r|}||&|td||fS)Nrz,signer certificate not included in signature)rappendr()r^ signer_info predicater[rrs r:_partition_certsrs| &k%&899I DK "" 9Q<< "DD   q ! ! ! ! | !OPPP  r; signed_datacV |d\}|S#t$rtdwxYw)a5 Extract the unique ``SignerInfo`` entry of a CMS signed data value, or throw a ``ValueError``. :param signed_data: A CMS ``SignedData`` value. :return: A CMS ``SignerInfo`` value. :raises ValueError: If the number of ``SignerInfo`` values is not exactly one. signer_infosz-signer_infos should contain exactly one entry)rr()rrs r:rr sI $^4     ;    s (c@g}g}|dD]\}|j}|jdkr||<|jdkr||]t |}t ||\}}t |||}|S)a Extract and classify embedded certificates found in the ``certificates`` field of the signed data value. :param signed_data: A CMS ``SignedData`` value. :return: A :class:`SignedDataCerts` object containing the embedded certificates. certificates certificate v2_attr_cert)rrr)runtagrUrrrr) rr^ attr_certsrr[rrr cert_infos r:rr"s EJ  ($$x~~ 6] " " LL     V~ % %   d # # #%k22K/{CCK"I r;stream byte_range md_algorithmc.t|}tj|}d}t|}t j|D]7\}} ||t j|||| || z }8||fS)a  Internal API to compute byte range digests. Potentially dangerous if used without due caution. :param stream: Stream over which to compute the digest. Must support seeking and reading. :param byte_range: The byte range, as a list of (offset, length) pairs, flattened. :param md_algorithm: The message digest algorithm to use. :param chunk_size: The I/O chunk size to use. :return: A tuple of the total digested length, and the actual digest. r)max_read) r rrq bytearrayr pair_iterseekchunked_digestrs) rrr chunk_sizemd_specrx total_len chunk_buflo chunk_lens r:r)r)?s,)66G W  B I*%%I 33 I B IvrIFFFFY bkkmm ##r;)rm)F)Nr?rhlogging dataclassesrtypingrrrrr asn1cryptor r r r asn1crypto.algosr cryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricr-cryptography.hazmat.primitives.asymmetric.rsar/cryptography.hazmat.primitives.asymmetric.utilsr pyhanko.keyspyhanko.pdf_utilsr__all__ getLoggerr<rrr*r+r(rKeyErrorrrrrrrfr$rtr%rgrur'IssuerAndSerialNumber IssuerSerialboolr&rr HashAlgorithmr r!r4rrr#r"rSignerIdentifierrr SignedData SignerInforrDEFAULT_CHUNK_SIZEintbytesr)rDr;r:rsD!!!!!!33333333333333,,,,,,,,,,,,222222@@@@@@@@======FFFFFFEEEEEE""""""   @  8 $ $ * * * * *J * * *,,,,,.,,,     .   "                #O#O#OL2 !1 c6L    H'/++  +++++\  $)#-*H$I@1!#";S=M"MN1  1 1111h%%%%%:%%%     l   4U63G-H4444<< 6  *+<<<<*?C0@E$$  !$$$$N'  '.1' ''''T $* s3     $ S^     *#._B& #$#$ #$ #$#$  3: #$#$#$#$#$#$r;