h`ddlZddlZddlmZddlmZddlmZmZddl m Z ddl m Z ddl mZddlmZdd lmZmZdd lmZdd lmZmZdd lmZdd lmZddlmZddlm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)gdZ*ddl+m,Z,ddl-m.Z.ej/e0Z1eGddZ2dZ3GddZ4 d&d e)d!efd"Z5dd#dddej6d#fd e)d!ed$e7fd%Z8dS)'N) dataclass)field)IterableOptional)crl)ocsp)x509) Certificate)CertificateValidatorValidationContext)ValidationPath)genericmisc)pdf_name)IncrementalPdfFileWriter) get_and_apply) PdfHandler)BasePdfFileWriter)extract_certificate_info)NoDSSFoundErrorValidationInfoReadingError)EmbeddedPdfSignature)VRIDocumentSecurityStoreasync_add_validation_infocollect_validation_info)SerialisedCredential) PdfFileReaderceZdZUdZeeZeed< eeZeed< eeZ eed< de j fdZ dS) raA VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature. .. note:: The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler. )default_factorycertsocspscrlsreturncxtjtdtdi}|jr)tj|j|td<|jr)tj|j|td<tj|j|td<|S)zT :return: A PDF dictionary representing this VRI entry. z/Type/VRIz/OCSPz/CRLz/Cert)rDictionaryObjectrr% ArrayObjectr&r$)selfvris W/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko/sign/validation/dss.py as_pdf_objectzVRI.as_pdf_objectAs &(9(98F;K;K'LMM : E%,%8%D%DC!! " 9 C$+$7 $B$BC  !!(!4TZ!@!@HW   N) __name__ __module__ __qualname____doc__ data_fieldsetr$__annotations__r%r&rr*r/r0r.rr&sC000E3000C000E3000 3///D#/// w7      r0rc#K|dj}|dkr6|d}|djdkr|dj}|dEd{VdSdSdS) zJ Essentially nabbed from _extract_ocsp_certs in ValidationContext response_status successfulresponse_bytes response_typebasic_ocsp_responseresponser$N)nativeparsed) ocsp_responsestatusr<r?s r.enumerate_ocsp_certsrDOs~ , - 4F &'78 / * 15J J J%j18H( ( ( ( ( ( ( ( ( (  J Jr0c jeZdZdZ ddeefdZedZdZ dZ dZ d Z e d ejfd Zd d d d dZdZd eejfdZ dd efdZeded dfdZeddddddddeded dfdZeddddddddddededeefdZdS) rz, Representation of a DSS in Python. Nwritercv||ni|_||ni|_||ng|_||ng|_||_||nt j|_i}|jD] }|j } ||| <!||_ i} |jD] } | j } | | | <!| |_ d|_ dS)NF) vri_entriesr$r%r&rFrr*backing_pdf_object get_objectdata _ocsps_seen _crls_seen _modified) r,rFr$r%r&rHrI ocsps_seenocsp_ref ocsp_bytes crls_seencrl_ref crl_bytess r.__init__zDocumentSecurityStore.__init__as+6*A;;r#/UUR #/UUR  ,DD"  "-  )++     . .H!,,..3J%-Jz " "% y + +G**,,1I#*Ii #r0c|jSN)rNr,s r.modifiedzDocumentSecurityStore.modifieds ~r0cv|js/d|_|j#|j|jdSdSdS)NT)rNrIrFupdate_containerrXs r._mark_modifiedz$DocumentSecurityStore._mark_modifiedsN~ F!DN&2 ,,T-DEEEEE F F22r0c#0K|D]}|} ||V"#t$rb|jt j|}||||<|||VYwxYwdS)N stream_data)dumpKeyErrorrF add_objectr StreamObjectr\append)r,objsseendestobj obj_bytesrefs r._cms_objects_to_streamsz-DocumentSecurityStore._cms_objects_to_streamss  C I 9o%%%%   k,,(Y???##%%%"%Y C       s 'A)BBc<fd}fd|DS)Nc3@KD]}t|Ed{VdSrW)rD)respr%s r. extra_certszADocumentSecurityStore._embed_certs_from_ocsp..extra_certssC 6 6/5555555555 6 6r0c:g|]}|Sr8 _embed_cert).0cert_r,s r. z@DocumentSecurityStore._embed_certs_from_ocsp..s'CCCE  ''CCCr0r8)r,r%ros`` r._embed_certs_from_ocspz,DocumentSecurityStore._embed_certs_from_ocsps@ 6 6 6 6 6DCCC[[]]CCCCr0c<|jtd |j|jS#t$rYnwxYw|jt j|}| ||j|j<|S)N"This DSS does not support updates.r^) rF TypeErrorr$ issuer_serialrarbrrcr`r\)r,certrjs r.rrz!DocumentSecurityStore._embed_certs ; @AA A :d01 1    D k$$  TYY[[ 9 9 9   ), 4%& s * 77r'ctj|}t d|zS)a Hash the contents of a signature object to get the corresponding VRI identifier. This is internal API. :param contents: Signature contents. :return: A name object to put into the DSS. /)hashlibsha1digesthexupperr)contentsidents r.sig_content_identifierz,DocumentSecurityStore.sig_content_identifiersI X&&--//3355;;==e $$$r0r8r$r%r&cjtdt|}t|}t}t}fd|D}|r.t|jj}|r.t|jj}| t ||\t|||}j | j|<dSdS)a Register validation information for a set of signing certificates associated with a particular signature. :param identifier: Identifier of the signature object (see `sig_content_identifier`). If ``None``, only embed the data into the DSS without associating it with any VRI. :param certs: Certificates to add. :param ocsps: OCSP responses to add. :param crls: CRLs to add. Nrxc:h|]}|Sr8rq)rsr{r,s r. z5DocumentSecurityStore.register_vri..s'>>>T%%d++>>>r0r)rFrylistr6rkrLr%rMr&updatervrrbr/rHr\) r, identifierr$r%r& ocsp_refscrl_refs cert_refsr-s ` r. register_vriz"DocumentSecurityStore.register_vris]" ; @AA AU DzzEE 55>>>>>>>  ,,4+TZI  ,,T4?DINNH T88??@@AAA  !IYXFFFC+/;+A+A!!##,,D Z (    ! ! ! ! ! " !r0c|j}tjt|j|d<|jrtj|j|d<|jr)tj|j|td<|j r)tj|j |td<|S)z Convert the :class:`.DocumentSecurityStore` object to a python dictionary. This method also handles DSS updates. :return: A PDF object representing this DSS. /Certsr)/OCSPs/CRLs) rIrr+rr$valuesrHr*r%rr&)r,pdf_dicts r.r/z#DocumentSecurityStore.as_pdf_objects*$0dj6G6G6I6I1J1JKK   J&78HIIHV  : K+2+>tz+J+JHXh'' ( 9 I*1*=di*H*HHXg&& 'r0c#K|jD]3}|}tj|j}|V4dS)z Return a generator that parses and yields all certificates in the DSS. :return: A generator yielding :class:`.Certificate` objects. N)r$rrJr loadrK)r,cert_ref cert_streamr{s r. load_certsz DocumentSecurityStore.load_certss^ ))++  H080C0C0E0EK#K$455DJJJJ  r0Tct|}|dg}t||z}|rt|dd}|jD]O}|}t j|j }| |P||d<t|dd} |j D]O} | } tj | j } | | P| |d<tdd|i|S)ag Construct a validation context from the data in this DSS. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :param include_revinfo: If ``False``, revocation info is skipped. :return: A validation context preloaded with information from this DSS. other_certsr%r8r&)dictpoprrr%rJ asn1_ocsp OCSPResponserrKrdr&asn1_crlCertificateListr ) r,validation_context_kwargsinclude_revinforor$r%rP ocsp_streamrnr&rS crl_streamrs r.as_validation_contextz+DocumentSecurityStore.as_validation_contextsW%))B$C$C!/33M2FF T__&&''+5  5266wCCDDE J # #4<4G4G4I4I  -22;3CDD T""""16 %g .155fbAABBD9 ! !3:3E3E3G3G .33JODD C    04 %f - PPUP6OPPPr0handlercj |jd}n!#t$r}t|d}~wwxYwi}t|dtg}|D]9}|}t j|j}|||j <:t|dtg} g} | D]O} | } tj | j} | | Pt|dtg}g}|D]O}|}tj|j}| |P t|d}n#t$rd}YnwxYwt!|t"r|}nd}|||| |||}|S) a Read a DSS record from a file and add the data to a validation context. :param handler: PDF handler from which to read the DSS. :return: A DocumentSecurityStore object describing the current state of the DSS. /DSSNr)defaultrrr))rFr$r%rHr&rI)rootrarrrrJr rrKrzrrrdrrr isinstancer)clsrdss_dicter cert_ref_listrrr{rr%rPrrnrr&rSrrrHrFdsss r.read_dsszDocumentSecurityStore.read_dss7s +|F+HH + + +!## * + %h$KKK % 5 5H080C0C0E0EK + 01A B BD,4Id( ) )!(HdBGGG !  H080C0C0E0EK)..{/?@@D LL     7D"EEE  G/6/A/A/C/CJ*// @@C KK     x/00KK   KKK  g0 1 1 FFF c#'     s"  .). E66 FFr$r%r&pathsvalidation_context embed_rootspdf_outrc" ||} d} n#t$rd} ||} YnwxYw|t|} nd} dtt jffd } fd} fd}| | | | | | }| r@| |}||j td <| | S) aD Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object. You can either specify the CMS objects to include directly, or pass them in as output from `pyhanko_certvalidator`. :param pdf_out: PDF writer to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :return: a :class:`DocumentSecurityStore` object containing both the new and existing contents of the DSS (if any). FT)rFNr'c3~KpdEd{VpdD]*}t|}st||Ed{V+dSNr8)iternext)path path_partsr$rrs r._certsz:DocumentSecurityStore.supply_dss_in_writer.._certss|{ " " " " " " "  & &!$ZZ "%$$$%%%%%%%%%  & &r0c3BKpdEd{VjEd{VdSdSr)r%)r%rsr._ocspsz:DocumentSecurityStore.supply_dss_in_writer.._ocspssR{ " " " " " " "!--3333333333.-r0c3BKpdEd{VjEd{VdSdSr)r&)r&rsr._crlsz9DocumentSecurityStore.supply_dss_in_writer.._crlssRzr ! ! ! ! ! ! !!--2222222222.-r0rr) rrrrrr r rr/rbrr update_root)rr sig_contentsr$r%r&rrrrcreatedrrrrrdss_refs `````` r.supply_dss_in_writerz*DocumentSecurityStore.supply_dss_in_writerust &,,w''CGG) & & &G#W%%%CCC &  #.EEJJJ &!12 & & & & & & & & 4 4 4 4 4 4  3 3 3 3 3 3  ffhhffhhUUWW    $$&&  "((22G-4GL&)) *    ! ! ! s  ;;F)r$r%r&rr force_writerfile_credentialrrc t|} | j| | j| || ||||||| } |s| jr| dSdS)a$ Wrapper around :meth:`supply_dss_in_writer`. The result is applied to the output stream as an incremental update. :param output_stream: Output stream to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param force_write: Force a write even if the DSS doesn't have any new content. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :param file_credential: .. versionadded:: 0.13.0 Serialised file credential, to update encrypted files. Nr)rsecurity_handler authenticaterrYwrite_in_place) r output_streamrr$r%r&rrrrrrrs r.add_dsszDocumentSecurityStore.add_dsssx+=99  # /O4O  $ 1 1/ B B B&&  1#'     %#, %  " " $ $ $ $ $ % %r0)NNNNN)T) r1r2r3r4rrrUpropertyrYr\rkrvrr staticmethodr NameObjectrrr/rr r rr r classmethodrrboolrr rr8r0r.rr\sg   *+    DXFFF   DDD  %G,> % % %\ %13"2/"/"/"/"/"b* HT%56    :>!Q!Q !Q!Q!Q!QF;z;.E;;;[;z   fff"ff !fff[fP  ! :>I%I%I%I%I%""67I%I%I%[I%I%I%r0rF embedded_sigrcKjj}|jstdgfd}||jd{V|s|j||jd{VS)a Query revocation info for a PDF signature using a validation context, and store the results in a validation context. This works by validating the signer's certificate against the provided validation context, which causes revocation info to be cached for later retrieval. .. warning:: This function does *not* actually validate the signature, but merely checks the signer certificate's chain of trust. :param embedded_sig: Embedded PDF signature to operate on. :param validation_context: Validation context to use. :param skip_timestamp: If the signature has a time stamp token attached to it, also collect revocation information for the timestamp. :return: A list of validation paths. zfRevocation mode is set to soft-fail/tolerant mode; collected revocation information may be incomplete.cKt|}|j}|j}t||}|t d{V}|dS)N)intermediate_certsr) key_usage)r signer_certrr async_validate_usager6rd) signed_data cert_infor{r validatorrrrs r._validate_signed_dataz6collect_validation_info.._validate_signed_dataRs,[99 $+ ( *1   33cee3DDDDDDDD Tr0N)revinfo_policyrevocation_checking_policy essentialloggerwarningrattached_timestamp_data)rrskip_timestamprevinfo_fetch_policyrrs ` @r.rr+s: )D )  8   E        8 9 99999999 JlBN##L$HIIIIIIIII Lr0Trc K|j} |r| jx} }tj|ntj|} t |||d{V} |r-|jd} nd} tj | } || _ t | | || |}|s|jr-|r| nZ| | nD|sB| jdtjt'|| j| tj|| S)aY .. versionadded: 0.9.0 Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update. This is a wrapper around :func:`collect_validation_info`. :param embedded_sig: The signature for which the revocation information needs to be collected. :param validation_context: The validation context to use. :param skip_timestamp: If ``True``, do not attempt to validate the timestamp attached to the signature, if one is present. :param add_vri_entry: Add a ``/VRI`` entry for this signature to the document security store. Default is ``True``. :param output: Write the output to the specified output stream. If ``None``, write to a new :class:`.BytesIO` object. Default is ``None``. :param in_place: Sign the original input stream in-place. This parameter overrides ``output``. :param chunk_size: Chunk size parameter to use when copying output to a new stream (irrelevant if ``in_place`` is ``True``). :param force_write: Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS). :param embed_roots: Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. :return: The (file-like) output object to which the result was written. )rNascii)rrrr)readerstreamr!assert_writable_and_random_accessprepare_rw_output_streamr pkcs7_contentrencoder from_reader IO_CHUNK_SIZErrrYrwriteseek chunked_write bytearrayfinalise_output)rrr add_vri_entryin_placeoutputr chunk_sizerrworking_outputrrr resulting_dsss r.rrfsp)/F ?"(-/ .v66666v>>)(      E#15577>>wGG  &26::G&G)>>- ?M Qm, Q  *  " " $ $ $ $ MM. ) ) ) ) Q  1 9Z00&-PPP   7 77r0)F)9r~logging dataclassesrrr5typingrr asn1cryptorrrrr asn1crypto.x509r pyhanko_certvalidatorr r pyhanko_certvalidator.pathr pyhanko.pdf_utilsrrpyhanko.pdf_utils.genericr$pyhanko.pdf_utils.incremental_writerrpyhanko.pdf_utils.miscrpyhanko.pdf_utils.rw_commonrpyhanko.pdf_utils.writerrgeneralrerrorsrr pdf_embeddedr__all__pdf_utils.cryptr pdf_utils.readerr! getLoggerr1rrrDrrDEFAULT_CHUNK_SIZErrr8r0r.rs!!!!!!++++++%%%%%%%%&&&&&&((((((''''''IIIIIIII555555++++++++......IIIIII000000222222666666......????????......   433333------  8 $ $ %%%%%%% %P ) ) )L%L%L%L%L%L%L%L%d88&8)8888|  &c8c8&c8)c8c8c8c8c8c8c8r0