h dZddlZddlZddlZddlZddlmZddlmZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZddlZddlmZmZddlmZdd lmZmZdd lm Z dd l!m"Z"dd l#m$Z$dd l%m&Z&m'Z'ddl(m)Z)m*Z*ddl+m,Z,ddl-m.Z.m/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5ddl6m7Z7m8Z8ddl9m:Z:m;Z;ddlZ>ddl?m@Z@ddlAmBZBddlCmDZDmEZEddlFmGZGmHZHmIZImJZJmKZKddlLmMZMmNZNmOZOmPZPmQZQmRZRmSZSddlTmUZUmVZVmWZWmXZXddlYmZZZddl[m\Z\m]Z]m^Z^m_Z_m`Z`maZambZbmcZcdd ldmeZed!d"lWmfZfd!d#lgmhZhmiZimjZjmkZkd!d$llmmZmgd%ZnejoepZqed&e`d'(Zred')Gd*d+e erZseGd,d-Ztedddd.d/ejud0ejd1evd2eerd3ee3d4ee*d5ee ewe fd6esfd7Zxedddd.d/ejud0ejd1evd3ee3d4ee*d5ee ewe fd6esfd8Zxdddecfd/ejud0ejd1evd3ee3d4ee*d5ee ewe fd6esfd9Zxd:ejyd;e7dZ{decfd/ejud?e$d1evd5ee ewe fd6esf d@Z|dAe}dBevd6esfdCZ~dDejudEe`dFe$dGee$dHeef dIZd0ejd3e3d4e*fdJZeddddddKdDejud0ejd2eerd3ee3dLeevd4ee*dHeed5ee ewe fd6esfdMZeddddddKdDejud0ejd3ee3dLeevd4ee*dHeed5ee ewe fd6esfdNZdddddebfdDejud0ejd3ee3dLeevd4ee*dHeed5ee ewe fd6esfdOZdDejud?e$dFe$dGee$dPeZdLeevdHeed5ee ewe fdQeemd2eerd6eesetffdRZed')GdSdTesZeeIjeHjeHjeHjeHjhZeddddddKdDejud0ejd3ee3dLeevd4ee*dHeed5ee ewe fd6efdUZeddddddKdDejud0ejd2eerd3ee3dLeevd4ee*dHeed5ee ewe fd6efdVZdddddebfdDejud0ejd3ee3dLeevd4ee*dHeed5ee ewe fd6efdWZGdXdYe;ZdZe@d[ed\e.fd]Zd^eBd[ed\e.fd_Zd`ejd4e*dB":;BBB:>!67>>>+++++rhrk) timing_infovalidation_data_handlersextra_status_kwargstst_signed_datavalidation_specexpected_tst_imprintr}rrrreturnc KdSNrg)rrrr}rrrs rirUrU Crhc KdSrrg)rrrrrrs rirUrUs CrhcK|ptj}|jp|j}|t ||}|||}t |||||d{VS)uW Validate a timestamp token according to ETSI EN 319 102-1 § 5.4. :param tst_signed_data: The ``SignedData`` value of the timestamp. :param validation_spec: Validation settings to apply. :param expected_tst_imprint: The expected message imprint in the timestamp token. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :return: A :class:`.AdESBasicValidationResult`. Nspecrrhandlers)rr})r$nowts_cert_validation_policycert_validation_policyrPbuild_validation_context'_ades_timestamp_validation_from_context) rrrrrrr}rvalidation_contexts rirUrUsB;!5!9!;!;K1 2  1  '#E k$ $ $  0HH*BI9/       rh signer_info algo_policy control_time public_keyc|d}||||}|sAd|jd|d}tj||j t jn t jdS)Nsignature_algorithm)rzSignature algorithm z not allowed as of z:, which is the time of the earliest PoE for the signature.ades_subindication)signature_algorithm_allowedsignature_algor>SignatureValidationErrornot_allowed_afterr1CRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POE)rrrrsig_algo sig_allowedmsgs ri#_ades_signature_crypto_policy_checkr s +66K*LH99,::K    ?8#: ? ? ? ? ? - 08"<<&H       rhrcKt|pi}tj|||d{V}|||di|}|jst t j|dS|jst t j |dSt|||ddd{V}||_ t |j ||dddS)N)rrr^r_r`ac_validation_contextrmFr~rrg) rr?validate_tst_signed_datarintactrVr0 HASH_FAILUREvalidSIG_CRYPTO_FAILURE_process_basic_validationrpr^) rrrrr}rpstatus_kwargs_from_validationstatus interm_results rirr%sp,233M*5*N-1+++%%%%%%! 6777 Z ( (- ( (F =  (%2    \ (%8    4""& M#0M $#1 '' %(      rhsigned tst_digestcKtj||}|t|||d{VSttjddS)Nrr^r`r_)r?extract_tst_datarrVr1GENERIC)rrrrrs ri_ades_process_attached_tsrRs"2;vNNNO"<            %'/   rh signed_data temp_statusts_validation_contextrrmc K|j}tj|}d}|tjtjfvrt ||dtj|ddjd{V}|j tj kr}|j }|J|t|j|}n|j}|tjkr|j} | J| j} t"j} n|jj} tj} |J|| kr| }tj|} tj| j| j||dd{V} |p tj }t5||||t7di| d|jS)NT signed_attrsmessage_digestrr)sd_attr_certificates signer_certrsd_signed_attrs)r^rqrsrmrtrlrnrg)rvr?extract_signer_infor1REVOKED_NO_POEOUT_OF_BOUNDS_NO_POErr;nativer^r2OKr_max timestamprevocation_detailsrevocation_dater0REVOKED signing_certnot_valid_afterEXPIREDr9collect_signer_attr_statusattribute_certsrrkrFrn)rrrrrmades_trust_statusr ts_statuscontent_ts_result revo_detailscutoff perm_status cert_infoattr_status_kwargsr^s rirrcs 1<0O1+>>K48I(.#<  !"<N+-= # # #         *jm ; ;)4I((((4,/')B--))-6,?)!$5$DDD*= #///%5)1 $1A/7 -888(F22$/!4[AAI +E&6)0#N3     &6M )#/%";0FF3EFF#3   rhc|j||}|j|j||}n|}|j|j||}nd}|||fS)Nr)rrrac_validation_policy)rrrrrrs ri _init_vcsrs .GG#.F H   0<  5 N N'2J O    !3+7  0 I I'2J J    !% 46K KKrh)r raw_digestrrmrrc KdSrrgrrr}rrrrmrs rirRrR Crhc KdSrrgrrrrrrmrs rirRrRrrhc dK|ptj}|t||}t|||\}} } t ||| | |j|||||j d{V} t| tr| St| j | tdddS)u Validate a CMS signature according to ETSI EN 319 102-1 § 5.3. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr) rrrrkey_usage_settingsrrmrr}algorithm_policyFTrr) r$rrPr_ades_basic_validationrsignature_algorithm_policy isinstancerVr^rrG) rrrrrrmrr}rrrrs rirRrRsH;!5!9!;!;K'#E k$ $ $   /;0HII 1-33*=";/(C         M-!:;; $#1 '' &$(      rhrrc Kt|pi} tj|||||d{V} | | nD#tj$r2} t | jp tj | j dcYd} ~ Sd} ~ wwxYw| di| } | j st tj | dS| jst tj| dSt!|| |||d{V}| |_|S)N)rrrrrrrrg)rr?cms_basic_validationrr>rrVrr1rfailure_messagerr0rrrrrp)rrrrrrrmrrr}rprerrs rirr;s,233M .9.N !11- / / / ) ) ) ) ) ) % :;;;;  *   (.K2C2K)          )j99=99F =  (%2    \ (%8    43"; M#0M s4A B 'BB B c0eZdZUeed<eeed<dS)rWbest_signature_timermN)rarbrcrrer rgrhrirWrWrs/!!!!'111111rhrWc KdSrrgrs rirSrSrrhc KdSrrgrs rirSrSrrhc K|ptj}|t||}t|||\}} } |dddj} |j| } t ||| | |j|||||j d{V} t| tr#t| j | j | j| |S| j tvrOt| t sJ| j}| |dd }t| j |d| |St'j|}| |d d }t'j|}|#tt,j|d |j|St3||d | d{V}|j t4jkrt| j |d| |S|j }t|t8sJ| t;|j| } n|j} || _| | _ | j t,j!kr,|j"}| |j#krt| j |d| |Sn}| j t,j$kr/| |j%j&krtt,j'|d| |Sn9| j t,j(kr$| |j)krt| j |d| |S|$|| krtt,j*|d| |Sd| _+d| j,d <| |dd }tt4j|d| |S)u Validate a CMS signature with time according to ETSI EN 319 102-1 § 5.5. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr signer_infosr signature) rrrrrrmrr}r)r^r_r`rrmTrFzNo signature timestamp presentrrv)-r$rrPrr poe_managerrrrrrVrWr^r_r`_WITH_TIME_FURTHER_PROCrkrmrr?rcompute_signature_tst_digestr1SIG_CONSTRAINTS_FAILURErrr2rrHminrrrrlrrrrrnot_valid_before NOT_YET_VALIDrerror_time_horizonTIMESTAMP_ORDER_FAILURErqrp)rrrrrrmrr}rrr sig_bytesrlrr_rrr sig_ts_resultrrrs rirSrSszH;!5!9!;!;K'#E k$ $ $   /;0HII N+A.{;BI1=iH0-33*=";/(C         M-!:;; +'5$/%1 2&?       $,C C C-)GHHHHH$1$K!")) *  ,'5! 2&?     1+>>K&&Ed'K 9+FFJ,+C"8 + ?&?     4'*M"jm33+'5" 2&?     (I i!9 : ::: :% !46HII&0*3M''9M$"&7&FFF*5*H != = =/+9& $6*C   >  $(9(N N N  8 I I I//=& $6*C   J #  > ? ? !? ? ?/+9& $6*C   "- %(: : :++C" 2&?     +/M'9=M 56  ! !*dt ! L LF ' m.";    rhcNeZdZdejdefdZdejdeefdZ dS) _TrustNoOnecertrcdS)NFrgr|r s riis_rootz_TrustNoOne.is_rootdsurhc tdS)Nrg)iterr s rifind_potential_issuersz"_TrustNoOne.find_potential_issuersgsBxxrhN) rarbrcr Certificateboolr r rrrgrhrir r cseD,$ + rhr crlrrcHtfd|jDS)Nc3DK|]}|jjkVdSr)pathleaf).0 prov_pathrrs ri z0_crl_issuer_cert_poe_boundary..psF  IN'(F2rh)any prov_paths)rrrs ``ri_crl_issuer_cert_poe_boundaryrmsE   rhocspc.||jj|kSr)rr)rrrs ri_ocsp_issuer_cert_poe_boundaryr vs t~* +v 55rhr revocation_checking_rulec\Kj}|t}dtjffd t jfd|D}j}g}g} t} |D]} | d{V\} } | D]n}t|j |r| |.|j j }| t!|o| D]n}t#|j |r| |.|jj}| t!|o|s| r4j| j| || fS)N)r  trust_managerisscrtt|g}t|jS)N) trust_anchorintermr)rrevinfo_managerrr!)r%rr#r()r$truncated_pathr rr!rs ri_for_candidate_issuerzB_find_revinfo_data_for_leaf_in_past.._for_candidate_issuersN'(--bt   /4D%%=     rhc&g|] }|Srgrg)rr$r*s ri z7_find_revinfo_data_for_leaf_in_past..s%AAA  s # #AAArh) cert_registryrr rrasyncio as_completedrsetrrappendrcrl_datadumpaddr"r  ocsp_responseocsp_response_datar( evict_crls evict_ocsps)r rrr!registrycandidate_issuers job_futuresrcrlsocspsto_evict fut_resultsnew_crls new_ocspscrl_oi revinfo_dataocsp_oir*s```` @ri#_find_revinfo_data_for_leaf_in_pastrE|s#(5H 77 8  4#3          &AAAA/@AAAK+6K "D*,E55H";; $///////) ; ;F,,k ; F####%z27799  ^L99::::  ; ;G--{ ; W%%%%&4GLLNN  ^L99:::: ; GuG 0;;HEEE 0<rr1NO_CERTIFICATE_CHAIN_FOUND) r rFrrG path_buildercurrent_subindicationpaths cand_path past_resultvalidation_timers ri_build_and_past_validate_certrVs ,:)7L !  / / 5 5E$ 2 2 2 2 2 2 2) + G"+A-E&7 !!K%0$> !)8O$,&222 /111llnn - %u llnnellnn >C(-4I    -"FFF0K    sB<BAB<B<<Ccurrent_time_sub_indic is_timestampcbKt|d|}|dddj}||} t|} | j} |j| jn.#t$r!tj dtj wxYw|r|j p|j } n|j } t| ||| jjjd{V\t%| | | d{V\} } fd }|| kr|tjkr || S|tjtjfvr| S|tjtjfvrB|| jkr tj d t2j || jkr || Stjd | )NT) is_historicalpoe_manager_overriderrrz,signer certificate not included in signaturer)rr!)rFrcntps"tj}tjd|dS)N)zoPOE for signature available, but could not obtain sufficient POE for the issuance of the revocation informationrI)rr1REVOCATION_OUT_OF_BOUNDS_NO_POEr>r)r leaf_crls leaf_ocspss ri(_pass_contingent_on_revinfo_issuance_poezQ_ades_past_signature_validation.._pass_contingent_on_revinfo_issuance_poe&sNI+,, &FF1! $*    rhz'Signature predates cert validity periodrIzHPast signature validation did not manage to improve current time result.)rPrr9rr-register_multiple other_certsr5r>rr1NO_SIGNING_CERTIFICATE_FOUNDrrrErevinfo_policyrevocation_checking_policyee_certificate_rulerVrREVOKED_CA_NO_POErrOUT_OF_BOUNDS_NOT_REVOKEDrr0rrSigSeedValueValidationError)rrrrWrGrXrsignature_bytesrrr r cert_pathrUr`r^r_s @@ri_ades_past_signature_validationrls Bt+   ".1!4[AHO%o6  ,[99 $ .@@  !        - :0M     H  5 65  "1!G"E  & " 1 L ` ###Iz(E 5!9(((""""""I      o-- !%6%E E E 4 4 6 6 6  #  /  ?(     #  2  7(   #T%:::5$M'2'@%(<<<88:::    , .2    s 5A//+BcjK|d}|djdk}|&tjtj} t ||||||d{Vt jS#tj $r7}t ||j p tjcYd}~Sd}~wwxYw)u Validate a CMS signature in the past according to ETSI EN 319 102-1 § 5.6.2.4. This is internal API. .. danger:: The notion of "past validation" used here is only valid in the narrow technical sense in which it is used within AdES. It should _never_ be relied upon as a standalone validation routine. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param poe_manager: The POE manager from which to source existence proofs. :param current_time_sub_indic: The AdES subindication from validating the signature at the current time with the relevant settings. :param init_control_time: Initial value for the control time parameter. :return: An AdES subindication indicating the validation result after going through the past validation process. encap_content_info content_typetst_infoNtzrrrrWrGrX)rrrtzlocal get_localzonerlr2rr>rloggerwarningrr1r)rrrrWrGecirXrs riades_past_signature_validationryUsD * +C~&-;L $LG,A,C,CDDD A-#+##9/%           }  *AAAq#@'8'@@@@@@@As&A,,B2;,B-'B2-B2cneZdZUeed<eed<eeed<ej ed<eed<e ed<de fdZ d S) PrimaFaciePOE pdf_revision timestamp_dtdigests_coveredtimestamp_token_signed_data doc_digest forensic_infomanagercR|jD]}|||jdS)N)digestdt)r~register_by_digestr})r|rthings riadd_to_poe_managerz PrimaFaciePOE.add_to_poe_managersA) K KE  & &e8I & J J J J K KrhN) rarbrcintrerrbytesr SignedDatarr!rrgrhrir{r{su%%%%!$///K*KKKKKKrhr{sdc#K|dD]3}|jdvr(t|jV4dS)N certificates) certificate v2_attr_set)namer"chosenr3)r cert_choices ri&_extract_cert_digests_from_signed_datarsW.)<<  = = = !3!8!8!:!:;; ; ; ;<tj |} | dtj| j| j| jD| ||} |t,jk}|rg|t3|jt5| t7|| | |t}| t;| | t;| |j d }| sg t=|d }| d tj|d |d Dn#t>t@f$rYnwxYw|j dj!}|"tG| tI|d}n#t@tJf$rd}YnwxYw tI|j dd}n#t@tJf$rd}YnwxYwtj||D]B}|ddD]1}|dj!}|"tG|2C5|S)N) skip_diff)revisionFz /DocTimeStampTrc3bK|]*}t|jV+dSr)r" get_objectdataritems rirzC_build_prima_facie_poe_index_from_pdf_timestamps..sK$$t00566$$$$$$rh)r|r}r~rrrradobe_revocation_info_archivalc3XK|]%}t|V&dSr)r"r3rs rirzC_build_prima_facie_poe_index_from_pdf_timestamps.."sF###499;;//######rhrrrcontent_time_stamprgunsigned_attrssignature_time_stamprr)&r0 enumerateembedded_signaturescompute_integrity_infor.signed_revisionrsig_object_typer?rrr<read_dssr itertoolschainr<r=certsvaluescompute_digestevaluate_signature_coveragerDENTIRE_REVISIONr1r{r frozensetsummarise_integrity_inforr;r7r8rr4r"r:r6)rrrcollected_so_far for_next_tsprima_facie_poe_setsix embedded_sig hist_handlerrts_signed_data is_doc_tsdssrcoverage_normalr revinfo_attrr content_tsessignature_tsests_datats_signer_info ts_sig_bytess ri0_build_prima_facie_poe_index_from_pdf_timestampsrs2<$'55"eeK13 &a&;<<s>s>L++ !T) ,   * 4   '3&> 37  '? : :(NII  (9(N  %'0>>C  # #$$%OHci)9)9););$$$     # #K 0 0 0%4466J88::)9:  $$++!%1%A%7%G%G(12B(C(C4B#-&2&K&K&M&M    "ee   6~FF    A+NNOOO $/?   -$&F ""## )$U+\&-A!!### ./HI     !,[9@ y11222 -2LL*+=>   LLL  /()9:&NN*+=>   NNN !~|DD > >G"))"4^"D > >-k:A | < <==== > > s7AI""I65I6.J??KKK55L  L rcur_timing_infoc Kt|d}|p%tjtj}t }|j|t|D]e\}}t|}|t|dz kr ||dz}||t|||} t|j |||j| |jt d{V} | j} | jt&jkr||| jt&jkrt-jd| t1| t2sJt5|j ||| |j d{V} | jt&jkr||Qt-jd | |S) Nc|jSrr|)ps riz+_validate_prima_facie_poe..Rsrh)keyrqrKrr[)rrrrrrr}z9Permanent failure while evaluating timestamp in PoE chainr)rrrrWrGzZCould not validate timestamp in PoE chain at current time, and past validation also failed)sortedr$rrtrur!local_knowledgerrrlenrPrUrrrrAr^rr3PASSEDFAILEDr>rrr1ryrU) rrrcandidate_poesresulting_poesrpoetemporary_poesnext_poercur_time_result sub_indicrTs ri_validate_prima_facie_poerHsV06N6NOOON%)=)A  " "***O \\N#66~FFF^,,22Cn-- N##a' ' '%b1f-H  ' ' 7 7 7#E '!/$ $ $  !:;+'!$%= # 1.! ! !       $1  z0 0 0  " "> 2 2 2 2  !2 2 21K#,  i):;; ; ;; >; /*'0"1"A !!!K!Z%666&&~66665<'0 rhcBeZdZUdZeeed< eeed<dS)rXu Result of a PAdES validation for a signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. oldest_evidence_record_timestampsignature_timestamp_statusN)rarbrcrdr rrerVrgrhrirXrXsL '/x&8888!))B CCCCrhrXrc ,K|jdj}|j}|jp|j}|j}|dS|}|Jt||||t|||d{V} | j } t| tr| tvr t|||| |jdd{V} tt jt%j| j| d} nA#t*j$r-} t| jp| | j| j} Yd} ~ n d} ~ wwxYw| } |d d j}|K||d d |j r#|dj}|||| S)Nrr)rrrrrTrs)rnrrrnrmessage_imprinthash_algorithm)momentr)rrattached_timestamp_datarralgorithm_usage_policycompute_tst_digestrUrPr^rr1_LTA_TS_FURTHER_PROCrlrUrVr2rrreplacer_r>rrrrdigest_algorithm_allowedregister)rrrrrj signature_tsrrrsignature_ts_prelim_resultts_current_time_sub_indicrnsignature_ts_resultrrpsignature_ts_dts ri_process_signature_tsrs_ #.{;BO#/#GL1 2  1)?Kt'::<<  + + +'@$'1!C #!," " " ( ( ( " " " " " "!; H ,.?@@9 %)= = = %D( /''@"-"=! %%%O#<(m&..9$3!###  .   ";2O6O-5@###       901)<CH;#G#G"#$45*$H$$#:.5_o>>> sAC33D/#D**D/pdf_validation_specc K|p%tjtj}t jd|j}|j}|j} tj j}d|j D}d|j D} t|} t|j|z|j| z|j| z|j} n#t($r|} YnwxYwt+j|| } d} d} t/|| | d{V} t1t3fd |d d }||j}nt6d n8#t:j$r&}t6d|Yd}~nd}~wwxYw|#t?} | | | JtC| |tE| }tGj$| ||%|&tNd{V}|j(}|tRvr+d|d}tU||j+||j,|j-|dSj.dj/}| 0||j,tc| tE| |d{V}te|tfrtE| } tij$| |||j5dd{V|} nP#t:j$r>}||}tU|j6p||j7|j+||j-||cYd}~Sd}~wwxYw| |}| j8j9} j:}|twj.|||j<tzj>}d}n,#t:j$r}|j6p|}|j7}Yd}~nd}~wwxYwtU||j+|||j-||S)u Validate a PAdES signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. For the purposes of PAdES validation, the chain of document time stamps in the document serves as the unique Evidence Record (ER). :param embedded_sig: The PDF signature to validate. :param pdf_validation_spec: PDF signature validation settings. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A validation result. rqT)rrcg|]D}tjtj|jD]}|ESrg)r+ load_multirloadrr)rrespconts rir,z'ades_lta_validation..8sg   %0!$//"3"3"899       rhcg|];}ttj|j.?sK    /"6s~~7G7G7L"M"M N N N   rh) known_ocsps known_crls known_certs known_poes)rN)rrc$|jjkSr)r|r)rrs rirz%ades_lta_validation..]sC,|/KKrhc|jSrr)rs rirz%ades_lta_validation..`s C,rh)rdefaultzRNo document timestamps after signature; proceeding without past proof of existencezXDocument timestamp chain failed to validate; proceeding without past proof of existence.)exc_info)rrr[)rrrrrrmrr}z?Validation of signature at current time failed with indication z!. Past validation not applicable.)r^r_r`rrmrrr)rrrFrs)r^r`r_rrmrr)rrr)r^r_r`rrmrr)?r$rrtrurreaderrsignature_validation_specrr<rr=r<list load_certsrMrrrrrLrrrrfilterr}rvrwr>rr!rrPrrSrrrrBr^_LTA_FURTHER_PROCrXr_rrmrrrrrr1rlrUrrrrrrrr2r)rrrrmpoe_listrinit_local_knowledger dss_ocspsdss_crls dss_certsraugmented_validation_specupdated_poe_managerroldest_docts_recordrwith_time_data_handlerssignature_prelim_resultrWr`rjrpast_sig_poe_managersig_poerlrr r^s` rirTrT s4!5!9  " """"K @'3H *CO*:/#,\-@AA        x   ))** (,89D+6A,89D+6     ///./!, 3!!!'+$ $= 5'% % %       " KKKK  -,      */B/O , , NN2     *    /          (/(ll**+>???  * * * A &!"566 %> ,1!8..00";(AACC% % % %      5B%666 0     '0.9# 7 K'A.N'+    #.{;BO  0D !61,-- !!!(*;<< $$788 1(4 90'="-"="        #7  .   *?;G*2L6L-2=$++E+>4          $-_= "8O (!-!9  " /('/?      #   *(((,F0F ' ( ##*5. # =#6*J    sbB C$$ C32C3A E22F'F""F'0'LM%'3M M% M%=4N22OOOr)NN)rdr.rrloggingrrrtypingrrrr r r r r rrrrrrrt asn1cryptorrrasn1_pdfrrasn1crypto.crlrasn1crypto.ocsprpyhanko_certvalidatorrpyhanko_certvalidator.authorityrrpyhanko_certvalidator.contextrr#pyhanko_certvalidator.ltv.ades_pastr pyhanko_certvalidator.ltv.poer!r"$pyhanko_certvalidator.ltv.time_slider#pyhanko_certvalidator.ltv.typesr$pyhanko_certvalidator.pathr%!pyhanko_certvalidator.policy_declr&r'pyhanko_certvalidator.registryr(r)&pyhanko_certvalidator.revinfo.archivalr*r+*pyhanko_certvalidator.revinfo.validate_crlr,+pyhanko_certvalidator.revinfo.validate_ocspr-pyhanko.pdf_utils.readerr.r/pyhanko.sign.ades.reportr0r1r2r3r4pyhanko.sign.generalr5r6r7r8r9r:r;pyhanko.sign.validationr<r=r>r? pyhanko.sign.validation.settingsr@pyhanko.sign.validation.statusrArBrCrDrErFrGrH diff_analysisrJrL policy_declrMrNrOrPutilsrQ__all__ getLoggerrarvrYrVrkrrrfrU SignerInfo PublicKeyInforrrrrrrRrrWrrrrrgrrrSr rr rrErVrlryr{rrrrrhr]rrrXrrTrgrhrir5sS!!!!!!" &&&&&& ******((((((333333HHHHHHHH>=====DDDDDDDDPPPPPP@@@@@@555555EDDDDDDDNNNNNNNNDDDDDDNNNNNNFFFFFFFF A@@@@@                    '&&&&&###### +*****     8 $ $ W\D I I I  $ 34 !+!+!+!+!+!+!+ !+H 37AE48   ^ ,    Z  ./ ''=> "$sCx.1       37AE48   ^ ,    ./  ''=> "$sCx.1       37AE48'55^5,5 5./ 5 ''=> 5 "$sCx.1 55555p  %  +,     <59' **^*)* *"$sCx.1 *  ****Z-1?D"OO O-O$$56 O (1 OOOOdL,L%L5LLLLD 37"&AE4848    , Z  ./   ''=>  (1 "$sCx.1       37"&AE4848    , ./    ''=>  (1 "$sCx.1       37"&AE4848)DDD,D./D D ''=> D (1 D"$sCx.1DDDDDN44)4-4$$56 4 , 4  4 (14"$sCx.14674Z 4 $&D DE4444n $22222#<222 $) ;(+ .   37"&AE4848    , ./    ''=>  (1 "$sCx.1 "      37"&AE4848    , Z  ./   ''=>  (1 "$sCx.1 "     "37"&AE4848)~~~,~./~ ~ ''=> ~ (1 ~"$sCx.1~"~~~~B,  (7A6 6*26AK6666 D  D4DD5 DDDDV-1 ) )  ) 4) 5)  ) )  >8 #$ ) ) ) ) Xcc,cc%%67 c  c  cccccV-1 2A2A2A,2A2A%%67 2A  ) 2A  2A2A2A2Aj $ K K K K K K K K'h'''' ` ` ` *%` ` ` ` R7; FF}-F - F 23 FFFFFRI (+.3;9  !y+.3;9  $:,K&K,KK& K '( KKKKb3748 bb&b3b./b (1 b  bbbbbbrh