hddlZddlZddlmZddlmZddlmZmZmZm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZddlmZddlmZddlmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'dd l(m)Z)dd l*m+Z+dd l,m-Z-dd l.m/Z/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;ddlm?Z?ddl@mAZAmBZBddlCmDZDddlEmFZFddlGmHZHmIZImJZJmKZKmLZLmMZMmNZNddlOmPZPmQZQmRZRmSZSgdZTejUeVZWedeLZXdeYfdZZdej[dej\fd Z]d!ej\d"ej^d#ej_fd$Z` dZd%ejadej[d&ebd'ecd(e eQd)e ed*eeYeYffd+Zdd,ejed*e6fd-Zf d[d,ejed.e ecd/e ed0e egd1e e+d2e e-d3e eQd4eFd*e ebeffd5Zh d\dej[d/ed4eFd6ee+d2e e-d*d7f d8Zieddddd9d,ejed:eeXd.e ecd/e ed0e egd4e eFd*eXfd;Zjeddddd9d,ejed.e ecd/e ed0e egd4e eFd*eLf d<ZjeLdddddfd,ejed.e ecd/e ed0e egd4e eFd3e eQd*eXfd=Zjd%ejad*e efd>Zk d]d%ejad@eYd*e ejefdAZld%ejad*e ecfdBZmd%ejadCe ed.ecfdDZn d\dEejed/e edFecd3e eQfdGZodHe ejpdIej[d/ed*ee e/e ee%e$e#fffdJZqdKe ejpdIej[d/e edLej\fdMZrddddde=jsdfdNeeceejtejufd,ejedOe edCe edPe ed4e eFd3e eQd*eMfdQZvedRdSTZwedSUGdVdWe ewZxdXeewd*exewfdYZydS)^N) dataclass)datetime) IOAny AwaitableDictGenericIterableListOptionalTupleTypeTypeVarUnionoverload)cmscoretspx509)InvalidSignature)hashes)CancelableAsyncIteratorValidationContextfind_valid_path)DisallowedAlgorithmError ExpiredErrorInvalidCertificateErrorPathBuildingErrorPathValidationError RevokedErrorValidationError)TimeSlideFailure)ValidationPath)PKIXValidationParams)ACValidationResultasync_validate_ac) CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCertscheck_ess_certidextract_certificate_infoextract_signer_infofind_unique_cms_attributeget_pyca_cryptography_hash)misc)lift_iterable_async) AdESFailureAdESIndeterminate)errors)KeyUsageConstraints)CAdESSignerAttributeAssertionsCertifiedAttributesClaimedAttributesRevocationDetailsSignatureStatusStandardCMSSignatureStatusTimestampSignatureStatus)DEFAULT_ALGORITHM_USAGE_POLICYCMSAlgorithmUsagePolicyextract_message_digest validate_raw) validate_sig_integrityasync_validate_cms_signaturecollect_timing_infovalidate_tst_signed_dataasync_validate_detached_cmscms_basic_validationcompute_signature_tst_digestextract_tst_dataextract_self_reported_tsextract_certs_for_validationcollect_signer_attr_statusvalidate_algorithm_protection StatusType)boundv2c4|rdnd}|r tjn tj} t||}||S#t $rYdSt$r(}tj }tj d||d}~wwxYw)Nsigning_certificate_v2signing_certificatez3Wrong cardinality for signing certificate attributeades_subindication) rSigningCertificateV2SigningCertificater/loaddumpr*r)r6NO_SIGNING_CERTIFICATE_FOUNDr8SignatureValidationError) signed_attrsrS attr_nameclsvalueeerrs _/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko/sign/validation/generic_cms.py_grab_signing_cert_attrrfas-/I((4II&( D# " "c.DC), BBxx %%% $tt $<- A"    s6A B& B/#BBcertr_ct|d}|t|d}|dS|dd}t||s0tj}t jd|jjd|dS) NT)rSFcertsrzWSigning certificate attribute does not match selected signer's certificate for subject"z".rW)rfr,r6r]r8r^subjecthuman_friendly)rgr_attrcertidrds re_check_signing_certificaternws #>> |']1 F D& ) ) <- 2, 2 2 2 #       attrsclaimed_digest_algorithm_objclaimed_signature_algorithm_objcb t|d}n*#t$rd}Ynt$rtdwxYw|n|dj}||jkrt jd|dj}|t jd||jkrt jddSdS) a+ Internal API to validate the CMS algorithm protection attribute defined in :rfc:`6211`, if present. :param attrs: A CMS attribute list. :param claimed_digest_algorithm_obj: The claimed (i.e. unprotected) digest algorithm value. :param claimed_signature_algorithm_obj: The claimed (i.e. unprotected) signature algorithm value. :raises errors.CMSStructuralError: if multiple CMS protection attributes are present :raises errors.CMSAlgorithmProtectionError: if a mismatch is detected cms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.signature_algorithmz288:: #''))    )-A0C      "   1!k6P 1   1!$5#<    #4666 4nLL*+DE   1&#.#=   $* 0 0 01+ ++(++#.#=  1==      3!    & ((  5=sB:E F8%E<<F8%F33F8 G2HI// I>=I>rc t|}|j}n.#t$r!tjdt jwxYwt|}|d}t|||S)a Extract certificates from a CMS signed data object for validation purposes, identifying the signer's certificate in accordance with ETSI EN 319 102-1, 5.2.3.4. :param signed_data: The CMS payload. :return: The extracted certificates. z,signer certificate not included in signaturerWr_) r- signer_certr'r8r^r6r]r.rn)r cert_inforgr|r_s rerNrNps  ,[99 $    - :0M     &k22K~.Lt\222 s +A raw_digestvalidation_context status_kwargsvalidation_pathpkix_validation_paramsrkey_usage_settingsc Kt|}t|} | j} | j} d} |"|pt j|j}|j} |p t}|t}|d} | dj }|ddj }|d}|dj }|at|d}t|}tj|}|||} t#|| |||| \}}n;#t$$r.}t'jd |jzt,j |d}~wwxYwdx}x}x}}|r |j| |t5|g}n|j| }t;| |||| d{V}|j}|j}|j p|j!}|j"}n?#tF$r2}tH%d | tLj'}Yd}~nd}~wwxYw|pi}|||| |||||| |S)z Perform basic validation of CMS and PKCS#7 signatures in isolation (i.e. integrity and trust checks). Internal API. Nrvrruencap_content_inforcontent)r}r~rrzCMS structural error: rW)rpathsrz&Processing error in validation processexc_info) rr signing_certrpkcs7_signature_mechanismtrust_problem_indicrrevocation_detailserror_time_horizon)(r.rNr other_certsrB lift_policyrbest_signature_timerrArwbytesr0rHashupdatefinalizerEr(r8r^rr5rcertificate_registryregister_multipler3 path_builderasync_build_paths_lazyvalidate_cert_usageerror_subindic revo_detailssuccess_result error_pathr ValueErrorloggererrorr6!CERTIFICATE_CHAIN_GENERAL_FAILURE)rrrrrrrrr|rrgrrrv mechanismrecir}rawmd_specmdrrrc ades_statuspathrrr op_results rerJrJs%"&k22K,[99I  D'KJ%  &2"3  (; +B/@/B/B95@6$K07I12;?FL * +C/6C N##,\:: [ ! ! #[[]] .  "7$#3!     - $q'8 8*9    >BAKA$A(: N N  3 E E    *+_,=>>*7NN2"#5'= I$2K$1L+Cy/CD!*!=   N N N LLAAL N N N+MKKKKKK N"'RM!"+''-    s1D(( E 2)EE .BG33 H/=(H**H/rz,CertvalidatorOperationResult[ValidationPath]clKdtffd }t|d{VS)zE Low-level certificate validation routine. Internal API. rcdKtd{VS)N)rr)validater)rgrrrrsre_checkz#validate_cert_usage.._checks\##D)))$  1#9           roN)r#handle_certvalidator_errors)rgrrrrrs````` rerrsl .          -VVXX66 6 6 6 6 6 66ro)rrrr status_clsc KdSN)rrrrrrs rerFrFs Croc KdSrr)rrrrrs rerFrF(s CrocvK||}t||||||d{V}|di|S)a Validate a CMS signature (i.e. a ``SignedData`` object). :param signed_data: The :class:`.asn1crypto.cms.SignedData` object to validate. :param status_cls: Status class to use for the validation result. :param raw_digest: Raw digest, computed from context. :param validation_context: Validation context to validate the signer's certificate. :param status_kwargs: Other keyword arguments to pass to the ``status_class`` when reporting validation results. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: A :class:`.SignatureStatus` object (or an instance of a proper subclass) )rrNr)default_usage_constraintsrJ)rrrrrrreff_key_usage_settingss rerFrF4sN(AA/1) M : & & & &&rocr |d}t|d}|jS#ttf$rYdSwxYw)a Extract self-reported timestamp (from the ``signingTime`` attribute) Internal API. :param signer_info: A ``SignerInfo`` value. :return: The value of the ``signingTime`` attribute as a ``datetime``, or ``None``. r_ signing_timeN)r/rwr*r))r|sasts rerMrMjsP  ( &r> : :y %'@ Atts !66Fsignedc |r|d}t|d}n|d}t|d}|d}|S#ttf$rYdSwxYw)a Extract signed data associated with a timestamp token. Internal API. :param signer_info: A ``SignerInfo`` value. :param signed: If ``True``, look for a content timestamp (among the signed attributes), else look for a signature timestamp (among the unsigned attributes). :return: The ``SignedData`` value found, or ``None``. r_content_time_stampunsigned_attrssignature_time_stamp_tokenrN)r/r*r))r|rrtstuatst_signed_datas rerLrL~s~"   N^,B+B0DEECC-.B+B0LMMCi. %'@ Atts>K [ ! !BIIo ;;==rots_validation_contextcNKi}t|}|||d<t|d}|;t|}|Jt|||d{V}t d i|}||d<t|d} | )t| ||d{V} t d i| } | |d<|S) a Collect and validate timing information in a ``SignerInfo`` value. This includes the ``signingTime`` attribute, content timestamp information and signature timestamp information. :param signer_info: A ``SignerInfo`` value. :param ts_validation_context: The timestamp validation context to validate against. :param raw_digest: The raw external message digest bytes (only relevant for the validation of the content timestamp token, if there is one) Nsigner_reported_dtF)rtimestamp_validityT)expected_tst_imprintcontent_timestamp_validityr)rMrLrKrHr@) r|rrrrrtst_signature_digesttst_validity_kwargs tst_validitycontent_tst_signed_datacontent_tst_validity_kwargscontent_tst_validitys rerGrGs@&%'M2+>>%.@ *+&{5AAAO";KHH#///$<  ! % %        0FF2EFF .: *+.{4HHH*,D # !!+- - - ' ' ' ' ' ' # 8  )  7K 23 rorrcKd}|dd}t|tjr|j}t|tjs t jdtj |dj }tj }t||d|i||d{V}|d d j } || krJtd | d |d d|d<|S)a Validate the ``SignedData`` of a time stamp token. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to validate against. :param expected_tst_imprint: The expected message imprint value that should be contained in the encapsulated ``TSTInfo``. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :return: Keyword arguments for a :class:`.TimeStampSignatureStatus`. Nrrz'SignedData does not encapsulate TSTInforWgen_time timestamp)rrrrrhashed_messagezTimestamp token imprint is z, but expected rFr) isinstancerParsableOctetStringrrTSTInfor8r^r5rrwr@rrJrwarninghex) rrrrtst_infotst_info_bytesr ku_settingsr tst_imprints rerHrHsV>H$%9:9EN.$":;;)!( h , , - 5*9    $+I*DFFK.-"I.&) M,-.>?FK{** -+//*;*; - -#'')) - - -   #( h roacsrcKfd|D}g}g}tj|D]R} ||d{V#ttt f$r}|j|Yd}~Kd}~wwxYw||fS)Nc4g|]}t|S)) holder_cert)r&).0acrrs re z+process_certified_attrs..:s9     "0kJJJ   ro)asyncio as_completedappendrrr)r rrjobsresultsr8jobrcs `` reprocess_certified_attrsr0s        DG F#D))  NN999999 % % % %   #     FM!           F?sA  A<"A77A<sd_attr_certificatessd_signed_attrscK t|d}nM#t$rd}Yn?t$r3}tjt |t j|d}~wwxYwi}d}d}||d} tj t| tj s| nd} |d} d} t| tj sJd| D} t| t| k} |t| ||}|d{V\}}|tj|}nd}| p t|dtj  }||rt"d t'| ||| |d <|dt|||d{V\}}|r|||r||tj||d <||d <|S)Nsigner_attributes_v2rWclaimed_attributesrcertified_attributes_v2Fc2g|]}|jdk |jS) attr_cert)namechosen)rrls rerz.collect_signer_attr_status..rs19 ++ +++rosigned_assertionszCAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.) claimed_attrscertified_attrsac_validation_errsunknown_attrs_presentcades_signer_attrsac_attrsr%)r/r*r)r8r^strr5rr< from_iterablerrVoidlenrr; from_resultsrrr:extend)rrrr signer_attrsrcresultcades_ac_resultscades_ac_errors claimed_asn1claimedcertified_asn1unknown_cert_attrs cades_acsval_job certified unknown_attrs ac_results ac_errorss rerOrOLs 0 3   % $- FF{'A      FO#$89 $1 *< C C KLL  &&?@".$)44 B*I "%Y3~3F3F!F !-1& ;BMMMMMM1 /  ',89IJJIII + * , -ty3 3 /   )m ) NN:   (F!%."/ ( ( ( #$%'> +/A' ' ! ! ! ! ! !  I  0   . / / /  .   _ - - -0=jIIz'0#$ Ms A A.AA input_datasigner_validation_contextac_validation_contextc |K||}t|} | ddj} tjt | } t |t r| |nvt |tj tj fr)| t |dn't|} tj | || || } t| || d{V}t!j|}t%|| ||||d{V}t'|}||j|j|t/|j|j|| d d{Vt!d i|S) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param algorithm_policy: The algorithm usage policy for the signature validation. .. warning:: This is distinct from the algorithm usage policy used for certificate validation, but the latter will be used as a fallback if this parameter is not specified. It is nonetheless recommended to align both policies unless there is a clear reason to do otherwise. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. Nrurr)max_read)rr)rrrrrr_)rrrrr)r.rwrrr0rrrr ContentInfoEncapsulatedContentInfo bytearrayr2chunked_digestrrGr?rrJr-rrrrOattribute_certsr)r=rr>rr?rr chunk_sizerAr|ruhtemp_buf digest_bytesrrs rerIrIs0z$ 9%k22K"#56{CJ ./?@@AAA*e$$H  J#2M N O OH z),--....Z(( Hj!hGGGG::<}|j }t|j|t j}Yd}~nGd}~wt:$r7}t|j|t j}Yd}~nd}~wwxYwtd||||S) z Internal error handling function that maps certvalidator errors to AdES status indications. :param coro: :return: N)rrF) ca_revokedrevocation_daterevocation_reasonTzFailed to build path)rrrrr)rOrrr failure_msgr6CHAIN_CONSTRAINTS_FAILUREr"NO_POEr original_path banned_sinceCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POEr revocation_dtis_side_validationr is_ee_certREVOKED_NO_POEr=reasonREVOKED_CA_NO_POErNO_CERTIFICATE_CHAIN_FOUNDr expired_dtOUT_OF_BOUNDS_NO_POErr!)rU time_horizonrrrcrs rerr,s<(,LL4@J+::::::FFFF "BBBq}q111'A ///q}q111'. # * * *q}q111 > !+FKK,MK>L q}%%%  +MKK \ +:K, !"#(LL ,=K, !"#(L CCC-:::'B  N N Nq}%%%| # N  N ,@KK+MK BBBq}q111'A JJJq}q111'I J (!'"    sk K-A K*-B K*AC?? K BF++ K8(G%% K2AI  K4J K-KK)NN)NNNNNNr)F)zrlogging dataclassesrrtypingrrrrr r r r r rrrr asn1cryptorrrrcryptography.exceptionsrcryptography.hazmat.primitivesrpyhanko_certvalidatorrrrpyhanko_certvalidator.errorsrrrrrr r! pyhanko_certvalidator.ltv.errorsr"pyhanko_certvalidator.pathr#!pyhanko_certvalidator.policy_declr$pyhanko_certvalidator.validater%r&pyhanko.sign.generalr'r(r)r*r+r,r-r.r/r0 pdf_utilsr2pdf_utils.miscr3 ades.reportr5r6r8settingsr9statusr:r;r<r=r>r?r@utilsrArBrCrD__all__ getLoggerrPrrQboolrf Certificate CMSAttributesrnDigestAlgorithmSignedDigestAlgorithmrP SignerInfor)rrE SignedDatarNdictrJrrFrMrLrKrGrHAttributeCertificateV2rrODEFAULT_CHUNK_SIZErBrCrIrKrOrrrorers !!!!!! ,+++++++++++444444111111 >=====555555BBBBBBPPPPPPPP                        11111188888888))))))     8 $ $ W\ 9 9 9 d,   *-*;    83  3"%"53&)%>3333vAE%) ddd  dd d %%<= d " d 4:ddddNB#'6:$(04=A:>pppp!!23pD> p n- p %%9: p67p,p #s(^ppppp>B 77  7)7,7 #> 2 7 %%9: 7 4 77772 #'6:$(8<    Z    !!23  D> !!45       #'6:$(8< !!23  D>  !!45  "&6:$(8<:>3'3'3'3'!!23 3' D> 3' !!45 3'673'3'3'3'3'l#.Xh=O*16)- cn< e_B22#$5622222r;? ;;^; !23; ;67 ;;;;| #, -!*   !#46MMN 8b"3#=>b!b!!23b& bbbbP>B9=9=8<:>& h7h7eR#2MMNh7h7 ((9:h7$$56 h7 $$56 h7 !!45 h767h7 h7h7h7h7VW\T 2 2 2  $ 7 7 7 7 77:#6 7 7 7T J T!*-TTTTTTro