U ccU @sddlZddlmZddlmZddlmZmZmZddl m Z ddl m Z ddl mZddlmZmZmZdd lmZd d lmZd d lmZmZmZd dlmZd dlmZmZm Z d dl!m"Z"m#Z#m$Z$m%Z%d dl&m'Z'm(Z(d dl)m*Z*d dl+m,Z,m-Z-m.Z.ddddddgZ/e0e1Z2ede-dZ3GdddeZ4eeej5ej5dZ6eeej7ej7dZ8ddZ9e j:ee;d d!dZe'd&d'd(Z?d)d*Z@d2e'e4eeeeee*eAe,d,d-dZBe jCd.d/dZDd3e jCed0d1dZEdS)4N) dataclass)Enum)IteratorOptionalTypeVar)cms)pdf)ValidationContext)CertRevTrustPolicyRevocationCheckingPolicyRevocationCheckingRule) PdfFileReader) DiffPolicy)MultivaluedAttributeErrorNonexistentAttributeErrorfind_unique_cms_attribute)DocumentSecurityStore)NoDSSFoundErrorSignatureValidationErrorValidationInfoReadingError)async_validate_cms_signaturecms_basic_validationcollect_signer_attr_statusvalidate_tst_signed_data)EmbeddedPdfSignaturereport_seed_value_validation)KeyUsageConstraints)PdfSignatureStatusSignatureStatusTimestampSignatureStatusRevocationInfoValidationTypeapply_adobe_revocation_inforetrieve_adobe_revocation_infoget_timestamp_chain async_validate_pdf_ltv_signatureestablish_timestamp_trust StatusType)boundc@s(eZdZdZdZdZdZeddZdS)r"zP Indicates a validation profile to use when validating revocation info. adobeZpadesz pades-ltacCstdd|DS)Ncss|] }|jVqdSN)value).0mr/U/var/www/html/project/venv/lib/python3.8/site-packages/pyhanko/sign/validation/ltv.py Rsz8RevocationInfoValidationType.as_tuple..)tuple)clsr/r/r0as_tuplePsz%RevocationInfoValidationType.as_tupleN) __name__ __module__ __qualname____doc__ ADOBE_STYLEPADES_LT PADES_LTA classmethodr4r/r/r/r0r"8s )Zee_certificate_ruleZintermediate_ca_cert_rulecCsrd|d<||d<|dd}|dkrZ|dd}|rL|dkrLtt|}qf|dkrft}n |jjsft}||d<dS)NFallow_fetchingmomentrevinfo_policyrevocation_modez soft-fail)getpopr r Z from_legacy DEFAULT_LTV_INTERNAL_REVO_POLICYZrevocation_checking_policyZ essential) timestampvalidation_context_kwargsr?Z legacy_rmr/r/r0_strict_vc_context_kwargsds   rF)tst_signed_datavalidation_contextexpected_tst_imprintcsDt|||IdH}tf|}|jr(|js@td|td|S)a Wrapper around :func:`validate_tst_signed_data` for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to apply to the timestamp. :param expected_tst_imprint: The expected message imprint for the ``TSTInfo`` value. :return: A :class:`.TimestampSignatureStatus` if validation is successful. :raises: :class:`SignatureValidationError` if validation fails. Nz0Could not validate embedded timestamp token: %s.z\Could not establish time of signing, timestamp token did not validate with current settings.)rr!ZvalidZtrustedloggerwarningsummaryr)rGrHrIZtimestamp_status_kwargstimestamp_statusr/r/r0r's   )readerreturncCstddt|jS)a: Get the document timestamp chain of the associated reader, ordered from new to old. :param reader: A :class:`.PdfFileReader`. :return: An iterable of :class:`~pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature` objects representing document timestamps. cSs|jdddkS)Nz/Typez /DocTimeStamp)Z sig_objectrA)sigr/r/r0z%get_timestamp_chain..)filterreversedZembedded_signatures)rNr/r/r0r%s c@s.eZdZUeed<eed<eed<eed<dS)_TimestampTrustData latest_dtsearliest_ts_statusts_chain_lengthcurrent_signature_vcN)r5r6r7r__annotations__r!intr r/r/r/r0rUs rU) emb_timestampcCsHz$|j|j}t|}||WStk rBtf|YSXdSr+)rNZget_historical_resolversigned_revisionrread_dssas_validation_contextrr )r\rEZ hist_resolverdssr/r/r0_instantiate_ltv_vcs rac st|}t|}|}d}d}d}t|D]J\}}|j|kr>qt|t|j||jIdH}t|j |t ||}q(t |||d|dS)Nr)rVrWrXrY) r%dict enumerater]compute_digestr' signed_dataexternal_digestrFrDrarU) rNbootstrap_validation_contextrEuntil_revisionZ timestamps current_vcZ ts_statusZts_countr\r/r/r0_establish_timestamp_trust_ltas:  rkF) embedded_sigvalidation_typerh diff_policykey_usage_settings skip_diffrOc sRt|pi}|dd|r6t|d<|dk r^t|d<n(d|kr^|dt|dk r^|dt|j} |tjkrd} |p~tf|} n@t | } |dkr| j |dd} n|} | D]} | j | q||d} d}|tjkrFt| | ||jdIdH} | j} | jdkr$|tjkr$td |tjks@| jd ks@t| j}|j}|dk rlt|| |jIdH}n |tjkr| jd krtd |dkrtd t|j|d}|tjkrt|j\}}||d <||d<tf|}|dk r^||d <||d<tf|}nV|tjkr4| |}|dk r^| |}n*|j| _ | }|dk r^t!| j"|}|j|_ |dk st|tjkr|dk r|}n| j"j#}t$|t%|d|jid}|IdH}n|}|j&||d|'}|(|j|dt)|j#t*|j+|||dIdH}t,||ddd|dk r"|j -|j.|(t/|j0|j1||jddIdHt*f|S)a  .. versionadded:: 0.9.0 Validate a PDF LTV signature according to a particular profile. :param embedded_sig: Embedded signature to evaluate. :param validation_type: Validation profile to use. :param validation_context_kwargs: Keyword args to instantiate :class:`.pyhanko_certvalidator.ValidationContext` objects needed over the course of the validation. :param ac_validation_context_kwargs: Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param bootstrap_validation_context: Validation context used to validate the current timestamp. :param force_revinfo: Require all certificates encountered to have some form of live revocation checking provisions. :param diff_policy: Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param skip_diff: If ``True``, skip the difference analysis step entirely. :return: The status of the signature. r=Tr?Nr@F)Zinclude_revinfo)rEriz>Purported PAdES-LTA signature does not have a timestamp chain.rzlPAdES-LTA signature requires separate timestamps protecting the signature & the rest of the revocation info.z+LTV signatures require a trusted timestamp.ocspscrlsrD) status_clsrH status_kwargs)rnrp)Zsigner_reported_dtZtimestamp_validity)rsZ raw_digestrHrtroZvalidation_path)Ztimestamp_found signed_attrs)Zsd_attr_certificates signer_certrHZsd_signed_attrs)2rc setdefaultSTRICT_LTV_INTERNAL_REVO_POLICYrCrNr"r9r rr^r_Z load_certsZcertificate_registryZadd_other_certreZcompute_tst_digestrkr]rYrWr;rr:rXAssertionErrorZattached_timestamp_datar'Ztst_signature_digestrFrDr$ signer_infor>rarVrfrr!Zcompute_integrity_infoZsummarise_integrity_infoupdaterrrgrZregister_multipleZother_embedded_certsrZembedded_attr_certsrv)rlrmrErhZac_validation_context_kwargsZ force_revinfornrorprNr`rjcertZ ts_trust_dataZearliest_good_timestamp_strGZ stored_ac_vcrqrrZ stored_vcZts_to_validateZts_status_cororMrtr/r/r0r&s23                              )rzc Cslzt|dd}Wn0ttfk rB}ztd|W5d}~XYnXt|dpPd}t|dp`d}||fS)a' Retrieve Adobe-style revocation information from a ``SignerInfo`` value, if present. Internal API. :param signer_info: A ``SignerInfo`` value. :return: A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively. ruZadobe_revocation_info_archivalz@No revocation info archival attribute found, or multiple presentNZocspr/Zcrl)rrrrlist)rzZrevinfoerqrrr/r/r0r$s )rzrOcCs(|pi}t|\}}tf||d|S)ag Read Adobe-style revocation information from a CMS object, and load it into a validation context. :param signer_info: Signer info CMS object. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :return: A validation context preloaded with the relevant revocation information. )rqrr)r$r )rzrErqrrr/r/r0r#s )NNNFNNF)N)Flogging dataclassesrenumrtypingrrrZ asn1cryptorrZasn1_pdfZpyhanko_certvalidatorr Zpyhanko_certvalidator.contextr r r Zpyhanko.pdf_utils.readerr Z diff_analysisrZgeneralrrrr`rerrorsrrrZ generic_cmsrrrrZ pdf_embeddedrrsettingsrstatusrr r!__all__ getLoggerr5rJr(r"ZCHECK_IF_DECLAREDrCZCRL_OR_OCSP_REQUIREDrxrFZ SignedDatabytesr'r%rUrarkboolr&Z SignerInfor$r#r/r/r/r0s            )  ,