U gB@sjdZddlmZddlmZddlmZmZddlmZm Z ddl m Z ddl m Z ddlmZdd lmZmZmZmZmZmZmZmZmZdd lmZdd lmZmZd d lm Z dddddgZ!edddZ"eej#dddZ$d$eeedddZ%eddGdddZ&eddGd ddZ'eddGd!ddZ(eddGd"ddZ)Gd#ddZ*dS)%z This module describes and implements the low-level :class:`.PdfCMSEmbedder` protocol for embedding CMS payloads into PDF signature objects. ) dataclass)datetime)IOOptional)genericmisc)pdf_name)BoxConstraints)BasePdfFileWriter) FieldMDPSpecMDPPerm SigFieldSpecannot_width_heightapply_sig_field_spec_propertiesensure_sig_flagsenumerate_sig_fieldsget_sig_field_annotprepare_sig_field) SigningError)BaseStampStyleTextStampStyle) PdfSignedDataPdfCMSEmbedder SigMDPSetup SigObjSetupSigAppearanceSetup SigIOSetupZpermission_levelcCsXttdtdtdtdtdttdtdtdtdtdt|jiiS) N/Type/SigRef/TransformMethod/DocMDP/TransformParams/Vz/1.2/P)rDictionaryObjectr NumberObjectvaluerr)E/tmp/pip-unpacked-wheel-owvgwkas/pyhanko/sign/signers/cms_embedder.pydocmdp_reference_dictionary's&r+)field_mdp_specdata_refc CsJt|j|j|j}ttdtdtdtdtd|td|iS)Nrr r!z /FieldMDPz/Datar#)rZIndirectObjectZidnumZ generationZpdfr&rZas_transform_params)r,r-Z data_ind_objr)r)r*fieldmdp_reference_dictionary:s r.N)pdf_outnew_field_specc Cs|j}|dkr|stdd}t|dd}zt|\}}} Wntk rXtdYnXddd|D} | rtd|| fnl|dk r|j||jd |j |j |j d } ni} t ||f||d | \}} |r|dk rt || |d t|d d|| fS)NzJNot specifying a field name is only allowed when existing_fields_only=TrueF)Z filled_statusz$There are no empty signature fields.z, css |]\}}}|dk r|VqdSNr)).0fn_r)r)r* gsz*_get_or_create_sigfield..z^There are several empty signature fields. Please specify a field name. The options are %s, %s.r)boxZinclude_on_pagecombine_annotationZinvis_settingsZvisible_settings)Z update_writerexisting_fields_only) sig_fieldZsig_field_specT)writerZlock_sig_flags)rootrrnext StopIterationjoinr6Zfind_page_for_modificationZon_pager7Zinvis_sig_settingsZvisible_sig_settingsrr get_objectr) field_namer/r8r0r; field_createdZ empty_fieldsZfound_field_namer4 sig_field_refZothersZsig_field_kwargsr)r)r*_get_or_create_sigfieldNs`      rCT)frozenc@sJeZdZUeed<dZeed<dZee ed<dZ ee ed<ddZ dS) r md_algorithmFcertifyN field_lock docmdp_permsc Cs|j}|j}|j}t}|r|dk s*t|j}z |d}Wn$tk r`t|d<}YnX||t d<| || t ||dk rt ||jd} | | |dk rt|j| dd<|r||d<dS)zy Apply the settings to a signature object. .. danger:: This method is internal API. Nz/Permsr")r-r#r%z /Reference)rFrHrGrZ ArrayObjectAssertionErrorr;KeyErrorr&rZupdate_containerappendr+r.Zroot_refr'r(r?) self sig_obj_refr:rFrHlockZreference_arrayr;ZpermsZ fieldmdp_refr)r)r*applys4      zSigMDPSetup.apply) __name__ __module__ __qualname__str__annotations__rFboolrGrr rHr rOr)r)r)r*rs  c@sNeZdZUdZeed<eed<eeed<dZ ee ed<ddZ d d Z dS) rz Signature appearance configuration. Part of the low-level :class:`.PdfCMSEmbedder` API, see :class:`SigObjSetup`. style timestampnameN text_paramscCs`t|\}}|r\|r\||t||d}||d<z|td=Wntk rZYnXdS)zt Apply the settings to an annotation. .. danger:: This method is internal API. )widthheightz/APz/ASN)r_appearance_stampr Zas_appearancesZ as_pdf_objectrrJ)rL sig_annotr:whZstampr)r)r*rOs  zSigAppearanceSetup.applycCs^|j}|j}|j}i}|dk r&||d<||jp2it|trP||j|d<| |||S)NZsignerts) rVrXrWupdaterY isinstancerstrftimeZtimestamp_formatZ create_stamp)rLr:r6rVrXrWrYr)r)r*r\s z$SigAppearanceSetup._appearance_stamp) rPrQrR__doc__rrTrrrSrYdictrOr\r)r)r)r*rs  c@s:eZdZUdZeed<dZeeed<dZ ee ed<dS)rzV Describes the signature dictionary to be embedded as the form field's value. sig_placeholderN mdp_setupappearance_setup) rPrQrRrdrrTrgrrrhrr)r)r)r*r!s  c@sDeZdZUdZeed<dZeed<ej Z e ed<dZ e eed<dS)rz I/O settings for writing signed PDF documents. Objects of this type are used in the penultimate phase of the :class:`.PdfCMSEmbedder` protocol. rEFin_place chunk_sizeNoutput)rPrQrRrdrSrTrirUrZDEFAULT_CHUNK_SIZErjintrkrrr)r)r)r*r;s  c@s:eZdZdZd eedddZd eeeddd Z dS) rab Low-level class that handles embedding CMS objects into PDF signature fields. It also takes care of appearance generation and DocMDP configuration, but does not otherwise offer any of the conveniences of :class:`.PdfSigner`. :param new_field_spec: :class:`.SigFieldSpec` to use when creating new fields on-the-fly. Nr0cCs ||_dSr1rm)rLr0r)r)r*__init__oszPdfCMSEmbedder.__init__F)r@r:ccs|s |jnd}t||||d\}}|V}t|ts6t|}|j} | dk r`t|} | | ||j } | | } | |t d<|s| ||j } | dk r| | || V}t|tst| j||j|j|j|jdEdHdS)a .. versionadded:: 0.3.0 .. versionchanged:: 0.7.0 Digest wrapped in :class:`~pyhanko.sign.signers.pdf_byterange.PreparedByteRangeDigest` in step 3; ``output`` returned in step 3 instead of step 4. This method returns a generator coroutine that controls the process of embedding CMS data into a PDF signature field. Can be used for both timestamps and regular signatures. .. danger:: This is a very low-level interface that performs virtually no error checking, and is intended to be used in situations where the construction of the CMS object to be embedded is not under the caller's control (e.g. a remote signer that produces full-fledged CMS objects). In almost every other case, you're better of using :class:`.PdfSigner` instead, with a custom :class:`.Signer` implementation to handle the cryptographic operations if necessary. The coroutine follows the following specific protocol. 1. First, it retrieves or creates the signature field to embed the CMS object in, and yields a reference to said field. 2. The caller should then send in a :class:`.SigObjSetup` object, which is subsequently processed by the coroutine. For convenience, the coroutine will then yield a reference to the signature dictionary (as embedded in the PDF writer). 3. Next, the caller should send a :class:`.SigIOSetup` object, describing how the resulting document should be hashed and written to the output. The coroutine will write the entire document with a placeholder region reserved for the signature and compute the document's hash and yield it to the caller. It will then yield a ``prepared_digest, output`` tuple, where ``prepared_digest`` is a :class:`.PreparedByteRangeDigest` object containing the document digest and the relevant offsets, and ``output`` is the output stream to which the document to be signed was written. From this point onwards, **no objects may be changed or added** to the :class:`.IncrementalPdfFileWriter` currently in use. 4. Finally, the caller should pass in a CMS object to place inside the signature dictionary. The CMS object can be supplied as a raw :class:`bytes` object, or an :mod:`asn1crypto`-style object. The coroutine's final yield is the value of the signature dictionary's ``/Contents`` entry, given as a hexadecimal string. .. caution:: It is the caller's own responsibility to ensure that enough room is available in the placeholder signature object to contain the final CMS object. :param field_name: The name of the field to fill in. This should be a field of type ``/Sig``. :param writer: An :class:`.IncrementalPdfFileWriter` containing the document to sign. :param existing_fields_only: If ``True``, never create a new empty signature field to contain the signature. If ``False``, a new field may be created if no field matching ``field_name`` exists. :return: A generator coroutine implementing the protocol described above. Nrmr$)rirkrj)r0rCrbrrIr?rhrrOrf add_objectrZ mark_updatergrfillrErirkrj)rLr@r:r8r0rArBZ sig_obj_setupr9rhr]Zsig_objrMrgZsig_ior)r)r* write_cmsrs@M       zPdfCMSEmbedder.write_cms)N)F) rPrQrRrdrr rnrSr rqr)r)r)r*rbs )N)+rdZ dataclassesrrtypingrrZpyhanko.pdf_utilsrrZpyhanko.pdf_utils.genericrZpyhanko.pdf_utils.layoutr Zpyhanko.pdf_utils.writerr Zpyhanko.sign.fieldsr r r rrrrrrZpyhanko.sign.generalrZ pyhanko.stamprrZ pdf_byteranger__all__r+Z Referencer.rCrrrrrr)r)r)r*sF     ,     BLC&