§
    ¢م h<‹  م                   َ  — d dl Z d dlZd dlmZ d dlmZ d dlmZmZmZ d dl	m
Z
mZ d dlmZ d dlmZ d dlmZmZ d d	lmZ d d
lmZmZ d dlmZmZmZmZmZ d dlmZm Z m!Z!m"Z"m#Z#m$Z$ d dl%m&Z&m'Z'm(Z(m)Z) ddl*m+Z+m,Z,m-Z- ddl.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6 ddl7m8Z8 ddl9m:Z:m;Z;m<Z< ddl=m>Z> g d¢Z? e j@        eA¦  «        ZBdeejC                 fd„ZDdee          fd„ZEdejC        deFfd„ZG G d„ d¦  «        ZH edddg¦  «        ZI	 dedeeI         fd „ZJd!eHfd"„ZKd#eHd$ed%eLfd&„ZMd'„ ZN	 	 	 	 	 	 	 d3d#eHd)ee         d*ee         d+ee         d,ee         d-ee8         d.eLd/ee>         de;fd0„ZO	 	 	 d4d#eHd1ee         d,ee         d.eLde:f
d2„ZPdS )5é    N)ع
namedtuple)عdatetime)عListعOptionalعUnion)عcmsعx509)عValidationContext)عValidationPath)عgenericعmisc)عpdf_name)عPdfFileReaderعprocess_data_at_eof)عDEFAULT_DIFF_POLICYع
DiffPolicyع
DiffResultعModificationLevelعSuspiciousModification)عFieldMDPSpecعMDPPermعSeedLockDocumentعSigSeedSubFilterعSigSeedValFlagsعSigSeedValueSpec)عSignedDataCertsعUnacceptableSignerErrorعbyte_range_digestعextract_signer_infoé   )عSignatureValidationErrorعSigSeedValueValidationErrorعValidationInfoReadingError)عcms_basic_validationعcollect_signer_attr_statusعcollect_timing_infoعcompute_signature_tst_digestعextract_certs_for_validationعextract_self_reported_tsعextract_tst_dataعvalidate_tst_signed_data)عKeyUsageConstraints)عDocumentTimestampStatusعPdfSignatureStatusعSignatureCoverageLevel)عCMSAlgorithmUsagePolicy)عEmbeddedPdfSignatureع
DocMDPInfoعread_certification_dataعasync_validate_pdf_signatureعasync_validate_pdf_timestampعreport_seed_value_validationعextract_contentsعreturnc                 َژ   — 	 | d         }n# t           $ r Y d S w xY w|D ]&}|                     ¦   «         }|d         |k    r|c S Œ'd S )Nz
/Referencez/TransformMethod)عKeyErrorع
get_object)عsignature_objعmethodعsig_refsعrefs       ْ`/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko/sign/validation/pdf_embedded.pyع_extract_reference_dictrA   I   sw   € ًط  ش.ˆˆّفً ً ً طˆtˆtًّّّàً ً ˆطڈnٹnرشˆطذ!ش" fز,ذ,طˆJˆJˆJً -àˆ4s   ‚ ‹
کc                 َز   — t          | d¦  «        }|€d S 	 |d                              d¦  «        }t          |¦  «        S # t          t          f$ r}t          d¦  «        |‚d }~ww xY w)Nْ/DocMDPْ/TransformParamsْ/Pz#Failed to read document permissions)rA   عraw_getr   ع
ValueErrorr:   r!   )r<   r?   ع	raw_permsعes       r@   ع_extract_docmdp_for_sigrJ   W   sƒ   € ف
! -°ر
;ش
;€Cط
€{طˆtًطذ*ش+×3ز3°Dر9ش9ˆ	فگyر!ش!ذ!ّف‌ذ!ً ً ً ف&ط1ٌ
ô 
àً	ًّّّّّّّs   –)A  ء A&ءA!ء!A&ع
sig_objectc                 َ  — 	 |                       dt          j        j        ¬¦  «        }n"# t          $ r t          j        d¦  «        ‚w xY wt          |t          j        t          j	        f¦  «        st          j        d¦  «        ‚|j
        S )zم
    Internal function to extract the (DER-encoded) signature bytes from a PDF
    signature dictionary.

    :param sig_object:
        A signature dictionary.
    :return:
        The extracted contents as a byte string.
    z	/Contents)عdecryptz+Could not read /Contents entry in signaturez/Contents must be string-like)rF   r   عEncryptedObjAccessعRAWr:   r   عPdfReadErrorع
isinstanceعTextStringObjectعByteStringObjectعoriginal_bytes)rK   عcms_contents     r@   r7   r7   d   s¤   € ًOط ×(ز(ط¥ش!;ش!?ً )ٌ 
ô 
ˆˆُّ ً Oً Oً Oفشذ MرNشNذNًOُّّّ ط•gش.µش0HذIٌô ً Aُ شذ ?ر@ش@ذ@طش%ذ%s	   ‚&) ©Ac                   َ‚  — e Zd ZU dZej        ed<   	 ej        ed<   	 ej        ed<   	 de	dej        de
fd„Zdefd	„Zedeej                 fd
„¦   «         Zedeej                 fd„¦   «         Zedej        fd„¦   «         Zedej        fd„¦   «         Zed„ ¦   «         Zedee         fd„¦   «         Zedeej                 fd„¦   «         Zdd„Zdefd„Zedee          fd„¦   «         Z!edee"         fd„¦   «         Z#edee$         fd„¦   «         Z%de&fd„Z'dee&         fd„Z(de)fd„Z*d„ Z+de,de-e.e/f         fd„Z0dS )r1   zA
    Class modelling a signature embedded in a PDF document.
    ع	sig_fieldrK   عsigned_dataعreaderعfq_namec                 َP  — || _         t          |t          j        ¦  «        r|                     ¦   «         }|| _        |                     d¦  «        }|                     ¦   «         x| _        }t          |t          j        ¦  «        sJ ‚	 |                     d¦  «        | _	        n"# t          $ r t          j        d¦  «        ‚w xY wt          |¦  «        x| _        }t          j                             |¦  «        }|d         }|| _        t'          |¦  «        | _        d | _        | j        d         }	|	d         j                             ¦   «         | _        |d         }
|
d         j        }|d	k    r| j        | _        n1|d
k    r+|
d         j        d         }|d         d         j        | _        | j         j                             |j        ¦  «        | _        d | _        d | _         d | _!        d | _"        d | _#        dx| _$        | _%        d | _&        d | _'        d| _(        || _)        d S )Nz/Vz
/ByteRangez,Could not read /ByteRange entry in signatureعcontentعdigest_algorithmع	algorithmعencap_content_infoعcontent_typeعdataعtst_infoعmessage_imprintعhash_algorithmF)*rY   rQ   r   عIndirectObjectr;   rW   rF   rK   عDictionaryObjectع
byte_ranger:   r   rP   r7   عpkcs7_contentr   عContentInfoعloadrX   r   عsigner_infoع_sd_cert_infoعnativeعlowerعmd_algorithmعexternal_md_algorithmعparsedعxrefsعget_last_changeع	referenceعsigned_revisionعcoverageعexternal_digestع	total_lenع_docmdpع	_fieldmdpع_docmdp_queriedع_fieldmdp_queriedعtst_signature_digestعdiff_resultع_integrity_checkedrZ   )عselfrY   rW   rZ   عsig_object_refrK   rU   عmessagerX   عdigest_algoعecir`   عmis                r@   ع__init__zEmbeddedPdfSignature.__init__”   s7  € ً ˆŒفگi¥ش!7ر8ش8ً 	/ط!×,ز,ر.ش.ˆIط"ˆŒط"×*ز*¨4ر0ش0ˆط'5×'@ز'@ر'Bش'BذBˆŒک*فک*¥gش&>ر?ش?ذ?ذ?ذ?ً	ط(×0ز0°ر>ش>ˆDŒOˆOّفً 	ً 	ً 	فش#ط>ٌô ً ً	ُّّّ ,<¸Jر+Gش+GذGˆشک[ه”/×&ز& {ر3ش3ˆطکiش(ˆط+6ˆشه.¨{ر;ش;ˆشط8<ˆشً ش&ذ'9ش:ˆط'¨ش4ش;×AزAرCشCˆشطذ.ش/ˆطک>ش*ش1ˆطک6ز!ذ!à)-ش):ˆDش&ذ&طکZز'ذ'ً گY”ش&ذ'8ش9ˆBط)+ذ,<ش)=طô*نً ش&ً  $œ{ش0×@ز@طش$ٌ 
ô  
ˆشً ˆŒط04ˆشط(,ˆŒط*.ˆŒط15ˆŒط8=ذ=ˆشکtش5ط59ˆش!àˆشط"'ˆشطˆŒˆˆs   آ
B% آ%Cr8   c                 َP   — | j         €t          | j        ¦  «        | _         | j         S )N)rl   r(   rX   ©r€   s    r@   ع_init_cert_infoz$EmbeddedPdfSignature._init_cert_infoà   s'   € طشذ%ف!=¸dش>Nر!Oش!OˆDشطش!ذ!َ    c                 َN   — t          |                      ¦   «         j        ¦  «        S )z2
        Embedded attribute certificates.
        )عlistr‰   عattribute_certsrˆ   s    r@   عembedded_attr_certsz(EmbeddedPdfSignature.embedded_attr_certsه   s!   € ُ
 گD×(ز(ر*ش*ش:ر;ش;ذ;rٹ   c                 َN   — t          |                      ¦   «         j        ¦  «        S )zQ
        Embedded X.509 certificates, excluding than that of the signer.
        )rŒ   r‰   عother_certsrˆ   s    r@   عother_embedded_certsz)EmbeddedPdfSignature.other_embedded_certsى   s!   € ُ
 گD×(ز(ر*ش*ش6ر7ش7ذ7rٹ   c                 َ4   — |                       ¦   «         j        S )z,
        Certificate of the signer.
        )r‰   عsigner_certrˆ   s    r@   r“   z EmbeddedPdfSignature.signer_certَ   s   € ً
 ×#ز#ر%ش%ش1ذ1rٹ   c                 َR   — | j                              dt          d¦  «        ¦  «        S )a  
        Returns the type of the embedded signature object.
        For ordinary signatures, this will be ``/Sig``.
        In the case of a document timestamp, ``/DocTimeStamp`` is returned.

        :return:
            A PDF name object describing the type of signature.
        z/Typeْ/Sig)rK   عgetr   rˆ   s    r@   عsig_object_typez$EmbeddedPdfSignature.sig_object_typeْ   s$   € ً Œ×"ز" 7­H°Vر,<ش,<ر=ش=ذ=rٹ   c                 َ   — | j         S )zC
        :return:
            Name of the signature field.
        )rZ   rˆ   s    r@   ع
field_namezEmbeddedPdfSignature.field_name  s   € ً Œ|ذrٹ   c                 َک   — t          | j        ¦  «        }|پ|S 	 | j        d         }t          j        |¦  «        S # t
          $ r Y dS w xY w)zگ
        :return:
            The signing time as reported by the signer, if embedded in the
            signature's signed attributes.
        Nz/M)r)   rk   rK   r   عparse_pdf_dater:   )r€   عtsعst_as_pdf_dates      r@   عself_reported_timestampz,EmbeddedPdfSignature.self_reported_timestamp  sb   € ُ & dش&6ر7ش7ˆطˆ>طˆIً	ط!œ_¨Tش2ˆNفش)¨.ر9ش9ذ9ّفً 	ً 	ً 	طگ4گ4ً	ّّّs   ڑ ; »
A	ءA	c                 َ*   — t          | j        ¦  «        S )z‹
        :return:
            The signed data component of the timestamp token embedded in this
            signature, if present.
        )r*   rk   rˆ   s    r@   عattached_timestamp_dataz,EmbeddedPdfSignature.attached_timestamp_data  s   € ُ   ش 0ر1ش1ذ1rٹ   NFc                 َ  — |                       ¦   «          |                      ¦   «          |                      ¦   «          |                      ¦   «         | _        |pt
          }|s|                      |¦  «        | _        d| _        dS )a«  
        Compute the various integrity indicators of this signature.

        :param diff_policy:
            Policy to evaluate potential incremental updates that were appended
            to the signed revision of the document.
            Defaults to
            :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
        :param skip_diff:
            If ``True``, skip the difference analysis step entirely.
        TN)	ع_enforce_hybrid_xref_policyعcompute_digestعcompute_tst_digestعevaluate_signature_coveragerv   r   عevaluate_modificationsr~   r   )r€   عdiff_policyع	skip_diffs      r@   عcompute_integrity_infoz+EmbeddedPdfSignature.compute_integrity_info(  s‡   € ً 	×(ز(ر*ش*ذ*ط×زرشذط×زر!ش!ذ!ً ×8ز8ر:ش:ˆŒط!ذ8ص%8ˆطً 	Hط#×:ز:¸;رGشGˆDشà"&ˆشذذrٹ   c                 َL  — | j         st          d¦  «        ‚| j        }| j        }| j        }d}|پNt          |t          ¦  «        r|j        nt          j	        }|t          j	        k    p|duo|j
        |j
        k     }n |t          j        k    r|t          j        k    }|||dœ}|S )a  
        Compile the integrity information for this signature into a dictionary
        that can later be passed to :class:`.PdfSignatureStatus` as kwargs.

        This method is only available after calling
        :meth:`.EmbeddedPdfSignature.compute_integrity_info`.
        zGCall compute_integrity_info() before invokingsummarise_integrity_info()N)rv   ع	docmdp_okr~   )r   r!   عdocmdp_levelr~   rv   rQ   r   عmodification_levelr   عOTHERعvaluer/   عENTIRE_REVISIONعENTIRE_FILE)r€   عdocmdpr~   rv   r«   ع	mod_levelعstatus_kwargss          r@   عsummarise_integrity_infoz-EmbeddedPdfSignature.summarise_integrity_infoA  sو   € ً ش&ً 	ف*ً-ٌô ً ً
 ش"ˆطش&ˆط”=ˆطˆ	ً ذ"ُ کk­:ر6ش6ً-گش.ذ.ه&ش,ً ً ص.ش4ز4ً Kط $ذ&ذI¨9¬?¸V¼\ز+IًˆIˆIً ص/ش?ز?ذ?ً
 !ص$:ش$FزFˆIً !ط"ط&ً
ً 
ˆً
 ذrٹ   c                 َj   — 	 | j         d         }n# t          $ r Y d S w xY wt          j        |¦  «        S )Nz/SV)rW   r:   r   عfrom_pdf_object)r€   عsig_sv_dicts     r@   عseed_value_specz$EmbeddedPdfSignature.seed_value_specn  sH   € ً	طœ.¨ش/ˆKˆKّفً 	ً 	ً 	طگ4گ4ً	ّّّهش/°ر<ش<ذ<s   ‚ گ
‌c                 َش   — | j         r| j        S t          | j        ¬¦  «        }|€4	 | j        d         }t          |d         ¦  «        }n# t          $ r Y nw xY w|| _        d| _         |S )av  
        :return:
            The document modification policy required by this signature or
            its Lock dictionary.

            .. warning::
                This does not take into account the DocMDP requirements of
                earlier signatures (if present).

                The specification forbids signing with a more lenient DocMDP
                than the one currently in force, so this should not happen
                in a compliant document.
                That being said, any potential violations will still invalidate
                the earlier signature with the stricter DocMDP policy.

        )r<   Nz/LockrE   T)r{   ry   rJ   rK   rW   r   r:   )r€   r²   ع	lock_dicts      r@   r¬   z!EmbeddedPdfSignature.docmdp_levelv  s†   € ً$ شً 	 ط”<ذف(°t´ذGرGشGˆàˆ>ًط œN¨7ش3گ	ف  ¨4¤ر1ش1گگّفً ً ً طگًّّّàˆŒط#ˆشطˆs   §"A
 ء

AءAc                 َْ   — | j         r| j        S t          | j        d¦  «        }d| _         |€dS 	 t	          j        |d         ¦  «        }n)# t          t          f$ r}t          d¦  «        |‚d}~ww xY w|| _        |S )z¨
        :return:
            Read the field locking policy of this signature, if applicable.
            See also :class:`~.pyhanko.sign.fields.FieldMDPSpec`.
        z	/FieldMDPTNrD   z!Failed to read /FieldMDP settings)	r|   rz   rA   rK   r   r·   rG   r:   r!   )r€   عref_dictعsprI   s       r@   عfieldmdpzEmbeddedPdfSignature.fieldmdp–  s¢   € ً ش!ً 	"ط”>ذ!ف*¨4¬?¸KرHشHˆط!%ˆشطذطگ4ً	فش-¨hذ7Iش.JرKشKˆBˆBّف‌Hذ%ً 	ً 	ً 	ف*ط3ٌô àًًّّّّ	ًّّّ ˆŒطˆ	s   °A ءA1ءA,ء,A1c                 َŒ   — | j         پ| j         S t          | j        j        | j        | j        ¬¦  «        \  | _        }|| _         |S )z™
        Compute the ``/ByteRange`` digest of this signature.
        The result will be cached.

        :return:
            The digest value.
        N)rg   ro   )rw   r   rY   عstreamrg   rp   rx   ©r€   عdigests     r@   r£   z#EmbeddedPdfSignature.compute_digest­  sS   € ً شذ+طش'ذ'ه!2طŒKشط”طش3ً"
ٌ "
ô "
رˆŒکً
  &ˆشطˆrٹ   c                 َX   — | j         پ| j         S t          | j        ¦  «        x| _         }|S )a  
        Compute the digest of the signature needed to validate its timestamp
        token (if present).

        .. warning::
            This computation is only relevant for timestamp tokens embedded
            inside a regular signature.
            If the signature in question is a document timestamp (where the
            entire signature object is a timestamp token), this method
            does not apply.

        :return:
            The digest value, or ``None`` if there is no timestamp token.
        )r}   r'   rk   rآ   s     r@   r¤   z'EmbeddedPdfSignature.compute_tst_digestہ  s<   € ً  ش$ذ0طش,ذ,ف-Iطشٌ.
ô .
ً 	
ˆش! Fً ˆrٹ   c                 َ:  — | j         j        }| j         j        }t          | j        ¦  «        dk    s| j        d         dk    rt
          j        S | j        \  }}}}|                     dt          j	        ¦  «         t          | j
        ¦  «        dz  dz   }||z   |z   }|                     ¦   «         |k    }	|	rt
          j        S |||z   k    }
|
st
          j        S |                     |¦  «         | j        }	 t          |¦  «        }|                     |¦  «        }||k    rt
          j        S n!# t"          j        $ r t
          j        cY S w xY wt'          |dz   ¦  «        D ]0}|                     |¦  «        }|j        |k    rt
          j        c S Œ1t
          j        S )zک
        Internal method used to evaluate the coverage level of a signature.

        :return:
            The coverage level of the signature.
        é   r   é   r    )rY   rr   rء   عlenrg   r/   عUNCLEARعseekعosعSEEK_ENDrh   عtellr±   ru   r   عget_startxref_for_revisionعCONTIGUOUS_BLOCK_FROM_STARTr   rP   عrangeعget_xref_container_infoعend_locationr°   )r€   ع
xref_cacherء   ع_عlen1عstart2عlen2عembedded_sig_contentعsigned_zone_lenعfile_coveredع
contiguousع
signed_revع	startxrefعexpectedعrevisionع	xref_metas                   r@   r¥   z0EmbeddedPdfSignature.evaluate_signature_coverage×  sذ  € ً ”[ش&ˆ
ً ”ش#ˆُ ˆtŒرش 1ز$ذ$¨¬¸ش(:¸aز(?ذ(?ف)ش1ذ1à $¤رˆˆ4گکً 	ڈٹگA•r”{ر#ش#ذ#ُ  # 4ش#5ر6ش6¸ر:¸Qر>ذط ™+ذ(<ر<ˆط—{’{‘}”}¨ز7ˆطً 	6ف)ش5ذ5ً کtذ&:ر:ز:ˆ
طً 	2ف)ش1ذ1ً 	ڈٹگOر$ش$ذ$طش)ˆ
ً	Fف+¨Fر3ش3ˆIط!×<ز<¸ZرHشHˆHطکHز$ذ$ف-شIذIً %ّهش ً 	Fً 	Fً 	Fف)شEذEذEذEً	Fُّّّ
 کj¨1™nر-ش-ً 	Jً 	JˆHط"×:ز:¸8رDشDˆIطش%¨ز7ذ7ف-شIذIذIذIً 8ُ &ش5ذ5s   أ65D- ؤ-Eإ
Ec                 َ\   — | j         }|j        r|j        j        rt	          d¦  «        ‚d S d S )NzJSettings do not permit validation of signatures in hybrid-reference files.)rY   عstrictrr   عhybrid_xrefs_presentr!   )r€   rY   s     r@   r¢   z0EmbeddedPdfSignature._enforce_hybrid_xref_policy  sJ   € ط”ˆطŒ=ً 	کVœ\ش>ً 	ف*ً*ٌô ً ً	ً 	ً 	ً 	rٹ   r§   c                 َ  — | j         t          j        k     rt          d¦  «        S | j         t          j        k    r&t          t          j        t          ¦   «         ¦  «        S | 	                    | j
        | j        | j        | j        ¬¦  «        S )zY
        Internal method used to evaluate the modification level of a signature.
        z$Nonstandard signature coverage level)عfield_mdp_specعdoc_mdp)rv   r/   r°   r   r±   r   r   عNONEعsetعreview_filerY   ru   r؟   r¬   )r€   r§   s     r@   r¦   z+EmbeddedPdfSignature.evaluate_modifications'  sˆ   € ً Œ=ص1شAزAذAف)ط6ٌô ً ً Œ]ص4ش@ز@ذ@فص/ش4µc±e´eر<ش<ذ<à×&ز&طŒKطش طœ=طش%ً	 'ٌ 
ô 
ً 	
rٹ   )NF)1ع__name__ع
__module__ع__qualname__ع__doc__r   rf   ع__annotations__r   ع
SignedDatar   عstrr†   r   r‰   عpropertyr   عAttributeCertificateV2rژ   r	   عCertificater‘   r“   ع
NameObjectr—   r™   r   r   r‍   r    r©   عdictrµ   r   r¹   r   r¬   r   r؟   عbytesr£   r¤   r/   r¥   r¢   r   r   r   r   r¦   © rٹ   r@   r1   r1   €   s-  € € € € € € ًً ً ش'ذ'ذ'ر'ًً ش(ذ(ذ(ر(ًً ”ذذرًًJàًJً ش+ًJً ً	Jً Jً Jً JًX" ً "ً "ً "ً "ً
 ً< T¨#ش*Dش%Eً <ً <ً <ٌ „Xً<ً ً8 d¨4ش+;ش&<ً 8ً 8ً 8ٌ „Xً8ً ً2کTش-ً 2ً 2ً 2ٌ „Xً2ً ً	> ش!3ً 	>ً 	>ً 	>ٌ „Xً	>ً ًً ٌ „Xًً ً¨°(ش);ً ً ً ٌ „Xًً  ً2¨°#´.ش)Aً 2ً 2ً 2ٌ „Xً2ً'ً 'ً 'ً 'ً2+¨$ً +ً +ً +ً +ًZ ً= ذ*:ش!;ً =ً =ً =ٌ „Xً=ً ًکh wش/ً ً ً ٌ „Xًً> ًک( <ش0ً ً ً ٌ „Xًً, ً ً ً ً ً& H¨U¤Oً ً ً ً ً.F6ذ-Cً F6ً F6ً F6ً F6ًPً ً ً
ط%ً
à	ˆzذ1ذ1ش	2ً
ً 
ً 
ً 
ً 
ً 
rٹ   r1   r2   ع
permissionع
author_sigrY   c                 َŒ   — 	 | j         d         d         }n# t          $ r Y dS w xY wt          |¦  «        }t          ||¦  «        S )zî
    Read the certification information for a PDF document, if present.

    :param reader:
        Reader representing the input document.
    :return:
        A :class:`.DocMDPInfo` object containing the relevant data, or ``None``.
    ْ/PermsrC   N)عrootr:   rJ   r2   )rY   عcertification_sigعperms      r@   r3   r3   D  s_   € ًط"œK¨ش1°)ش<ذذّفً ً ً طˆtˆtًُّّّ #ذ#4ر5ش5€Dفگdذ-ر.ش.ذ.s   ‚ –
$£$عemb_sigc                 َ  — | j         }|€d S | j        }|j        پ?	 |j                             ||¦  «         n"# t          $ r}t          |¦  «        |‚d }~ww xY w|s|j        rt          d¦  «        ‚| j        }|j        پس|j         	                    ¦   «         }	 | j
        j        d         }|                     d¦  «        }	|	|j        k    }
n$# t          t          j        t"          f$ r d}
Y nw xY w||
k    r+d„ }t          d ||¦  «        › d ||
¦  «        › d‌¦  «        ‚|r/|j        j        }| j        }||k    rt          d	|› d
|› d‌¦  «        ‚|j        }|sd S |d         }t+          |¦  «        }|t,          j        z  rR|j        پK|j        st3          d¦  «        ‚|j        d         }|پ&||k    r t          d|j        ›d
|j        ›d‌¦  «        ‚|t,          j        z  r!|j        پt:                               d¦  «         |t,          j        z  r|j         پt3          d¦  «        ‚|t,          j!        z  rv|j"        پo| j        }|j"        tF          j$        k    r|tJ          j&        k    rt          d¦  «        ‚|j"        tF          j'        k    r|tJ          j&        k    rt          d¦  «        ‚| j(        }|t,          j)        z  r”|j*        پچddl+m,} 	  ||¦  «         d}n# tZ          $ r d}Y nw xY w|j*        |k    r#t          d|j*        rdnd›d|rdnd›d‌¦  «        ‚|j*        r1|t*          j.        k    r!t          dt*          j.        j        z  ¦  «        ‚|t,          j/        z  r;|j0        پ4| j1         2                    ¦   «         }||j0        vrt          d|z  ¦  «        ‚|t,          j3        z  rT|j4        pg }| p|dgk    }| 5                    d¦  «        }|r|پt          d¦  «        ‚|s||vrt          d |›d!‌¦  «        ‚d S d S d S )"NznThe seed value dictionary requires a trusted timestamp, but none was found, or the timestamp did not validate.rû   rC   Fc                 َ   — | rdndS )Nza certificationzan approvalr÷   )عcertifys    r@   ع_typez'_validate_sv_constraints.<locals>._typeu  s   € ط,3ذFذ(ذ(¸ذFrٹ   zPThe seed value dictionary's /MDP entry specifies that this field should contain z signature, but z appears to have been used.zaThe seed value dictionary specified that this certification signature should use the MDP policy 'z', but 'z' was used in the signature.ْ
/SubFilterzPThe signature encodings mandated by the seed value dictionary are not supported.r   z.The seed value dictionary mandates subfilter 'zˆThe signature's seed value dictionary specifies the /AppearanceFilter entry as mandatory, but this constraint is impossible to validate.zپpyHanko does not support legal attestations, but the seed value dictionary mandates that they be restricted to a specific subset.z<Document must be locked, but some changes are still allowed.zGDocument must not be locked, but the DocMDP level is set to NO_CHANGES.)عretrieve_adobe_revocation_infoTz2The seed value dict mandates that revocation info ع znot zbe added, but it was zfound in the signature.zdThe seed value dict mandates that Adobe-style revocation info be added; this requires subfilter '%s'zKThe selected message digest %s is not allowed by the seed value dictionary.ْ.z/Reasonz@The seed value dictionary prohibits giving a reason for signing.zThe reason for signing "z/" is not accepted by the seed value dictionary.)6r¹   r“   عcertعsatisfied_byr   r"   عtimestamp_requiredrK   عseed_signature_typeعcertification_signaturerY   rü   عget_value_as_referenceعcontainer_refr:   r   عIndirectObjectExpectedعAttributeErrorعmdp_permr¬   عflagsr   r   ع	SUBFILTERع
subfiltersعNotImplementedErrorr¯   عAPPEARANCE_FILTERع
appearanceعloggerعwarningعLEGAL_ATTESTATIONعlegal_attestationsعLOCK_DOCUMENTعlock_documentr   عLOCKr   ع
NO_CHANGESعDO_NOT_LOCKrk   عADD_REV_INFOعadd_rev_infoعpyhanko.sign.validation.ltvr  r#   عADOBE_PKCS7_DETACHEDعDIGEST_METHODعdigest_methodsro   rn   عREASONSعreasonsr–   )rے   عvalidation_pathعtimestamp_foundعsv_specعsigning_certrI   عsig_objع
sv_certifyعpermsعcert_sig_refعwas_certifiedr  عsv_mdp_permrو   r  عselected_sf_strعselected_sfعmandated_sfrk   r  عrevinfo_foundعselected_mdr(  ع	must_omitعreason_givens                            r@   ع_validate_sv_constraintsr:  V  sؤ  € ً ش%€Gط€طˆطش&€Lط„|ذً	8طŒL×%ز% l°OرDشDذDذDّف&ً 	8ً 	8ً 	8ف-¨aر0ش0°aذ7ًّّّّ	8ًّّّ ً 
کwش9ً 
ف)ًAٌ
ô 
ً 	
ً
 ش €Gàش"ذ.طش0×HزHرJشJˆ
ً	"ط.5¬nش.Aہ(ش.KˆEط ×7ز7¸	رBشBˆLط(¨Gش,AزAˆMˆMّف‌'ش8½.ذIً 	"ً 	"ً 	"ط!ˆMˆMˆMً	"ّّّàکز&ذ&ًGً Gً Gُ .ً-ط-2¨U°:ر->ش->ً-ً -à"' %¨ر"6ش"6ً-ً -ً -ٌô ً ً ً 		ط!ش5ش>ˆKطش*ˆGطکgز%ذ%ف1ً-à#ً-ً -à-4ً-ً -ً -ٌô ً ً ŒM€Eطً طˆàکlش+€Oف" ?ر3ش3€Kط•ش)ر)ً ¨wش/Aذ/Màش!ً 	ف%ً0ٌô ً ً
 )0ش(:¸1ش(=ˆطذ" {°kز'Aذ'Aف-ذ-ً ش$ذ$ذ$ kش&7ذ&7ذ&7ً9ٌô ً ً 	•ش1ر1ً
à
ش
ذ
(فڈٹً)ٌ	
ô 	
ً 	
ً 	•ش1ر1ً
à
ش
$ذ
0ف!ًPٌ
ô 
ً 	
ً 	•ش-ر-ًà
ش
ذ
+طش&ˆàش!ص%5ش%:ز:ذ:ط‌7ش-ز-ذ-ه-طNٌô ً ً ش!ص%5ش%AزAذAط‌7ش-ز-ذ-ه-ًٌô ً ً ش%€Kà•ش,ر,ًà
ش
ذ
*طNذNذNذNذNذNً	"ط*ذ*¨;ر7ش7ذ7ط ˆMˆMّف)ً 	"ً 	"ً 	"ط!ˆMˆMˆMً	"ًّّّ ش =ز0ذ0ف-ذ-ً "ش.ذ:گBگB°Fذ:ذ:ط'ذ3گBگB¨Vذ3ذ3ً	ٌô ً ً ش ً	àص/شDزDذDه-ً>ه#ش8ش>ٌ@ٌô ً ً 	•ش-ر-ًà
ش
 ذ
,طش*×0ز0ر2ش2ˆطکgش4ذ4ذ4ف-ً)ط+6ٌ7ٌô ً ً
 چش&ر&ً ً ”/ذ' RˆطگKذ3 7¨s¨eز#3ˆ	ط—{’{ 9ر-ش-ˆطً 	کذ1ف-ًٌô ً ً ً 	ک\°ذ8ذ8ف-ذ-à,8¨L¨Lً;ٌô ً ًً ً	ً 	ذ8ذ8s9   ›7 ·
AءAءAآ2C أC-أ,C-ثK! ث!K0ث/K0عembedded_sigr)  r*  c                 َ°   — 	 t          | ||¬¦  «         d}n5# t          $ r(}t                               d|¬¦  «         |}Y d}~nd}~ww xY w| j        du|dœS )aژ  
    Internal API function to enforce seed value constraints (if present)
    and report on the result(s).

    :param embedded_sig:
        The embedded signature.
    :param validation_path:
        The validation path for the signer's certificate.
    :param timestamp_found:
        Flag indicating whether a valid timestamp was found or not.
    :return:
        A ``status_kwargs`` dict.
    )r*  NzError in seed value validation.)عexc_info)عhas_seed_valuesعseed_value_constraint_error)r:  r"   r  r  r¹   )r;  r)  r*  عsv_errrI   s        r@   r6   r6      s’   € ً&ف طک/¸?ً	
ٌ 	
ô 	
ً 	
ً ˆˆّف&ً ً ً فڈٹذ8ہ1ˆرEشEذEطˆˆˆˆˆˆًّّّّًّّّ (ش7¸tذCط'-ًً ً s   ‚ —
A	،AءA	c                 َ|   — 	 ddl m}  || ¦  «        |v }n# t          $ r d}Y nw xY w|st          || z  ¦  «        ‚d S )Nr   )r   F)عpyhanko.sign.fieldsr   rG   r!   )عsubfilter_strعpermitted_subfiltersعerr_msgr   عsubfilter_oks        r@   ع_validate_subfilterrG  !  s   € ًط8ذ8ذ8ذ8ذ8ذ8à'ذ'¨ر6ش6ذ:NذNˆˆّفً ً ً طˆˆˆًًّّّ ً @ف& w°ر'>ر?ش?ذ?ً@ً @s   ‚ –%¤%Fعsigner_validation_contextعts_validation_contextعac_validation_contextr§   عkey_usage_settingsr¨   عalgorithm_policyc           	   ƒ   َآ  K  — | j         }| j        dk    rt          d¦  «        ‚|                     dd¦  «        }	t	          |	t
          j        t
          j        fd¦  «         |€|}|                      ||¬¦  «         |  	                    ¦   «         }
t          | j        ||                      ¦   «         ¬¦  «        ƒ d{V —†}|
                     |¦  «         d|
vr| j        }|پ||
d<   t          j        |¦  «        }t#          | j        | j        ||
||¬	¦  «        ƒ d{V —†}
|
                     d
d¦  «        }|duo|j        o|j        }t-          | |
d         |¦  «        }|
                     |¦  «         |پ|j                             | j        ¦  «         |
                     t5          | j        | j        || j        d         ¬¦  «        ƒ d{V —†¦  «         t          di |
¤ژS )a  
    .. versionadded:: 0.9.0

    .. versionchanged: 0.11.0
        Added ``ac_validation_context`` param.


    Validate a PDF signature.

    :param embedded_sig:
        Embedded signature to evaluate.
    :param signer_validation_context:
        Validation context to use to validate the signature's chain of trust.
    :param ts_validation_context:
        Validation context to use to validate the timestamp's chain of trust
        (defaults to ``signer_validation_context``).
    :param ac_validation_context:
        Validation context to use to validate attribute certificates.
        If not supplied, no AC validation will be performed.

        .. note::
            :rfc:`5755` requires attribute authority trust roots to be specified
            explicitly; hence why there's no default.
    :param diff_policy:
        Policy to evaluate potential incremental updates that were appended
        to the signed revision of the document.
        Defaults to
        :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
    :param key_usage_settings:
        A :class:`.KeyUsageConstraints` object specifying which key usages
        must or must not be present in the signer's certificate.
    :param skip_diff:
        If ``True``, skip the difference analysis step entirely.
    :param algorithm_policy:
        The algorithm usage policy for the signature validation.

        .. warning::
            This is distinct from the algorithm usage policy used for
            certificate validation, but the latter will be used as a fallback
            if this parameter is not specified.

            It is nonetheless recommended to align both policies unless
            there is a clear reason to do otherwise.
    :return:
        The status of the PDF signature in question.
    r•   z"Signature object type must be /Sigr  Nz4%s is not a recognized SubFilter type in signatures.©r§   r¨   )ع
raw_digestعsigner_reported_dt)rO  عvalidation_contextr´   rK  rL  عtimestamp_validityr)  عsigned_attrs)عsd_attr_certificatesr“   rQ  عsd_signed_attrsr÷   )rK   r—   r!   r–   rG  r   r$  عPADESr©   rµ   r&   rk   r£   عupdater‍   r.   عdefault_usage_constraintsr$   rX   rw   عvalidعtrustedr6   عcertificate_registryعregister_multipler‘   r%   rژ   r“   )r;  rH  rI  rJ  r§   rK  r¨   rL  rK   rC  r´   عts_status_kwargsrP  عtst_validityr*  ع	sv_updates                   r@   r4   r4   -  s   è è € ًr ش(€Jطش# vز-ذ-ف&ذ'KرLشLذLً —N’N <°ر6ش6€Mفطف	ش	.ص0@ش0FذGط>ٌô ً ً ذ$ط 9ذà×'ز'ط¨9ً (ٌ ô ً ً !×9ز9ر;ش;€Mه0طش طط×.ز.ر0ش0ًٌ ô ً ً ً ً ً ً ذً
 ×زذ)ر*ش*ذ*ط =ذ0ذ0à)شAذطذ)ط2DˆMذ.ر/ه+شEطٌô ذُ /طش طش/ط4ط#ط-ط)ًٌ ô ً ً ً ً ً ً €Mً !×$ز$ذ%9¸4ر@ش@€LàکDذ ذP \ش%7ذP¸Lش<Pً ُ -طگmذ$5ش6¸ٌô €Iً ×زکر#ش#ذ#طذ(طش2×DزDطش-ٌ	
ô 	
ً 	
ً ×زف(ط!-ش!Aط$ش0ط4ط(ش4°^شDً	
ٌ 
ô 
ً 	
ً 	
ً 	
ً 	
ً 	
ً 	
ٌô ً ُ ذ.ذ. ذ.ذ.ذ.rٹ   rQ  c              ƒ   َr  K  — | j         dk    rt          d¦  «        ‚| j                             dd¦  «        }t	          |t
          j        fd¦  «         |                      ||¬¦  «         t          | j	        ||  
                    ¦   «         ¦  «        ƒ d{V —†}| j        |d<   | j        |d<   t          d	i |¤ژS )
a{  
    .. versionadded:: 0.9.0

    Validate a PDF document timestamp.

    :param embedded_sig:
        Embedded signature to evaluate.
    :param validation_context:
        Validation context to use to validate the timestamp's chain of trust.
    :param diff_policy:
        Policy to evaluate potential incremental updates that were appended
        to the signed revision of the document.
        Defaults to
        :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
    :param skip_diff:
        If ``True``, skip the difference analysis step entirely.
    :return:
        The status of the PDF timestamp in question.
    z/DocTimeStampz+Signature object type must be /DocTimeStampr  Nz5%s is not a recognized SubFilter type for timestamps.rN  rv   r~   r÷   )r—   r!   rK   r–   rG  r   عETSI_RFC3161r©   r+   rX   r£   rv   r~   r-   )r;  rQ  r§   r¨   rC  r´   s         r@   r5   r5   ¨  s  è è € ً4 ش# ز6ذ6ف&ط9ٌ
ô 
ً 	
ً
 !ش+×/ز/°¸dرCشC€Mفطف	ش	&ذ(ط?ٌô ً ً ×'ز'ط¨9ً (ٌ ô ً ُ 3طش طط×#ز#ر%ش%ٌô ً ً ً ً ً ً €Mً !-ش 5€Mگ*رط#/ش#;€Mگ-ر ف"ذ3ذ3 ]ذ3ذ3ذ3rٹ   )NNNNNFN)NNF)Qعloggingrث   عcollectionsr   r   عtypingr   r   r   ع
asn1cryptor   r	   عpyhanko_certvalidatorr
   عpyhanko_certvalidator.pathr   عpyhanko.pdf_utilsr   r   عpyhanko.pdf_utils.genericr   عpyhanko.pdf_utils.readerr   r   عpyhanko.sign.diff_analysisr   r   r   r   r   rB  r   r   r   r   r   r   عpyhanko.sign.generalr   r   r   r   عerrorsr!   r"   r#   عgeneric_cmsr$   r%   r&   r'   r(   r)   r*   r+   عsettingsr,   عstatusr-   r.   r/   عutilsr0   ع__all__ع	getLoggerrê   r  rf   rA   rJ   rِ   r7   r1   r2   r3   r:  عboolr6   rG  r4   r5   r÷   rٹ   r@   ْ<module>ru     s  ًط €€€ط 	€	€	€	ط "ذ "ذ "ذ "ذ "ذ "ط ذ ذ ذ ذ ذ ط (ذ (ذ (ذ (ذ (ذ (ذ (ذ (ذ (ذ (à  ذ  ذ  ذ  ذ  ذ  ذ  ذ  ط 3ذ 3ذ 3ذ 3ذ 3ذ 3ط 5ذ 5ذ 5ذ 5ذ 5ذ 5à +ذ +ذ +ذ +ذ +ذ +ذ +ذ +ط .ذ .ذ .ذ .ذ .ذ .ط Gذ Gذ Gذ Gذ Gذ Gذ Gذ Gًً ً ً ً ً ً ً ً ً ً ً ً ً ًً ً ً ً ً ً ً ً ً ً ً ً ً ً ً ًً ً ً ً ً ً ً ً ً ً ً ًً ً ً ً ً ً ً ً ً ً
	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً 	ً *ذ )ذ )ذ )ذ )ذ )ًً ً ً ً ً ً ً ً ً ً
 +ذ *ذ *ذ *ذ *ذ *ًً ً €ً 
ˆش	ک8ر	$ش	$€ًàˆgش&ش'ًً ً ً ً
¨h°wش.?ً 
ً 
ً 
ً 
ً& ش!9ً &¸eً &ً &ً &ً &ً8z
ً z
ً z
ً z
ً z
ٌ z
ô z
ً z
ًz ˆZک |°\ذ&BرCشC€
ًً/ Mً /°h¸zش6Jً /ً /ً /ً /ً$gط!ًgً gً gً gًTط&ًà#ًً ًً ً ً ًB	@ً 	@ً 	@ً >Bط9=ط9=ط(,ط8<طط:>ًx/ً x/ط&ًx/à'ذ(9ش:ًx/ً $ذ$5ش6ًx/ً $ذ$5ش6ً	x/ً
 ک*ش%ًx/ً !ذ!4ش5ًx/ً ًx/ً ذ6ش7ًx/ً ًx/ً x/ً x/ً x/ًz 7;ط(,طً	34ً 34ط&ً34à ذ!2ش3ً34ً ک*ش%ً34ً ً	34ً
 ً34ً 34ً 34ً 34ً 34ً 34rٹ   