U ccy @s"ddlZddlZddlmZddlmZmZmZmZmZm Z m Z m Z ddl m Z mZmZmZddlmZddlmZddlmZmZddlmZmZdd lmZmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(d d l)m*Z*d dl+m,Z,m-Z-ddl.m/Z/ddl0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8ddl9m:Z:m;Z;me?Z@e d e6d!ZAejBe jCd"d#d$ZDe jCe jEe jFd%d&dZGe:fe jHejBeIeJeeKeKfd'd(dZLe jMe#d)d*dZNe6ddddd+fe jMe eAeJeeOe1d,d-dZPe6ddddd+fe jMe eAeJeeOe1d,d.dZQe jHeed/d0dZRd?ee jMd1d2dZSe jHeeJd/d3dZTe jHeeJd4d5dZUe jMeeJd6d7dZVee jWejBeeeeeeXfd8d9d:ZYee jWejBeee jCd;ddZ^dS)@N)datetime)IOIterableListOptionalTupleTypeTypeVarUnion)cmscoretspx509)InvalidSignature)hashes)CertificateValidatorValidationContext)PathBuildingErrorPathValidationError)ACValidationResultasync_validate_ac) CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCertscheck_ess_certidextract_certificate_infoextract_signer_infofind_unique_cms_attributeget_pyca_cryptography_hash)misc) AdESFailureAdESIndeterminate)errors)KeyUsageConstraints)CAdESSignerAttributeAssertionsCertifiedAttributesClaimedAttributesSignatureStatusStandardCMSSignatureStatusTimestampSignatureStatus)DEFAULT_WEAK_HASH_ALGORITHMSextract_message_digest validate_rawvalidate_sig_integrityasync_validate_cms_signaturecollect_timing_infovalidate_tst_signed_dataasync_validate_detached_cmscms_basic_validationcompute_signature_tst_digestextract_tst_dataextract_self_reported_tsextract_certs_for_validationcollect_signer_attr_statusvalidate_algorithm_protection StatusType)bound)cert signed_attrscsnfdd}|dtj}|dkr,|dtj}|dkr8dS|dd}t||sjtjd|jjdtj d dS) Nc sbzt|}||WStk r0YdStk r\}ztd|W5d}~XYnXdS)Nz3Wrong cardinality for signing certificate attribute)rloaddumprrr'SignatureValidationError) attr_nameclsvalueerA]/var/www/html/project/venv/lib/python3.8/site-packages/pyhanko/sign/validation/generic_cms.py_grab>s z)_check_signing_certificate.._grabZsigning_certificate_v2Zsigning_certificatecertsrzWSigning certificate attribute does not match selected signer's certificate for subject"z".Zades_subindication) r ZSigningCertificateV2ZSigningCertificaterr'rDsubjectZhuman_friendlyr%NO_SIGNING_CERTIFICATE_FOUND)r@rArLattrZcertidrJrIrK_check_signing_certificate:s     rR)attrsclaimed_digest_algorithm_objclaimed_signature_algorithm_objcCszt|d}Wn2tk r&d}Yntk r@tdYnX|dk r|dj}||jkrhtd|dj}|dkrtdn||jkrtddS) a+ Internal API to validate the CMS algorithm protection attribute defined in :rfc:`6211`, if present. :param attrs: A CMS attribute list. :param claimed_digest_algorithm_obj: The claimed (i.e. unprotected) digest algorithm value. :param claimed_signature_algorithm_obj: The claimed (i.e. unprotected) signature algorithm value. :raises errors.CMSStructuralError: if multiple CMS protection attributes are present :raises errors.CMSAlgorithmProtectionError: if a mismatch is detected Zcms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.signature_algorithmzasz+process_certified_attrs..)asyncio as_completedappendrr)rrhrljobsresultsr'ZjobrHrJrrKprocess_certified_attrs\s rsd_attr_certificatesrhrlsd_signed_attrsc szt|d}WnHtk r&d}Yn2tk rV}ztt||W5d}~XYnXi}d}d}|dk rF|d} tt| t j s| nd} |d} d} t| t j sdd| D} t | t | k} |dk rt | ||}|IdH\}}|dk rt |}nd}| pt|dt j  }|dk r2|r2td t| |||d |d <|dk rt |||IdH\}}|rv|||r||t ||d <||d <|S)NZsigner_attributes_v2Zclaimed_attributesrJZcertified_attributes_v2FcSsg|]}|jdkr|jqS)Z attr_cert)nameZchosen)rrQrJrJrKrs z.collect_signer_attr_status..Zsigned_assertionszCAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.)Z claimed_attrsZcertified_attrsac_validation_errsZunknown_attrs_presentZcades_signer_attrsZac_attrsr)rrrr'rDstrr+ from_iterablerr ZVoidlenrr*Z from_resultsryrr)extend)rrhrlrZ signer_attrsrHresultZcades_ac_resultsZcades_ac_errorsZ claimed_asn1ZclaimedZcertified_asn1Zunknown_cert_attrsZ cades_acsZval_jobZ certifiedZ unknown_attrsZ ac_resultsZ ac_errorsrJrJrKr<ost"       ) input_dataresigner_validation_contextrac_validation_contextrnr]cs|dkr |}t|}|ddj} tt| } t|trF| |n@t|tj tj frl| t|dnt |} t j | || |d| } t||| dIdH} t|t| || |dIdH} t|}|dk r|j|j| t|j|j||dd IdHtf| S) a .. versionadded: 0.9.0 .. versionchanged: 0.11.0 Added ``ac_validation_context`` param. Validate a detached CMS signature. :param input_data: The input data to sign. This can be either a :class:`bytes` object, a file-like object or a :class:`cms.ContentInfo` / :class:`cms.EncapsulatedContentInfo` object. If a CMS content info object is passed in, the `content` field will be extracted. :param signed_data: The :class:`cms.SignedData` object containing the signature to verify. :param signer_validation_context: Validation context to use to verify the signer certificate's trust. :param ts_validation_context: Validation context to use to verify the TSA certificate's trust, if a timestamp token is present. By default, the same validation context as that of the signer is used. :param ac_validation_context: Validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param key_usage_settings: Key usage parameters for the signer. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A description of the signature's status. NrVr^rp)max_read)rrk)rjrkrlrmrnrAr)rrXrrur rrtrvr ContentInfoEncapsulatedContentInfo bytearrayr"Zchunked_digestrwr4r7r-rZcertificate_registryZregister_multiplerrr<Zattribute_certsrh)rrerrrrn chunk_sizerrZrVhZtemp_bufZ digest_bytesrmrirJrJrKr6sN2     )F)_rloggingrtypingrrrrrrr r Z asn1cryptor r r rZcryptography.exceptionsrZcryptography.hazmat.primitivesrZpyhanko_certvalidatorrrZpyhanko_certvalidator.errorsrrZpyhanko_certvalidator.validaterrZpyhanko.sign.generalrrrrrrrrrr Z pdf_utilsr"Z ades.reportr$r%r'settingsr(statusr)r*r+r,r-r.utilsr/r0r1__all__ getLogger__name__ryr>Z CertificateZ CMSAttributesrRZDigestAlgorithmZSignedDigestAlgorithmr=Z SignerInforrtboolr2Z SignedDatar;dictr7r3r:r9r8r4r5ZAttributeCertificateV2 Exceptionrr<ZDEFAULT_CHUNK_SIZErrr6rJrJrJrKs (  0       ( 9   R +  0 0  a