U gE  @sfdZddlZddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z ddlZddlmZmZmZmZddlmZddlmZdd lmZdd lmZmZdd lmZdd lmZm Z dd l!m"Z"ddl#m$Z$ddl%m&Z&ddl'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.m/Z/ddl0m1Z1ddl2m3Z3ddl4m5Z5ddl6m7Z7m8Z8m9Z9ddl:m;Z;mZ>m?Z?m@Z@ddlAmBZBddlmCZCmDZDmEZEmFZFmGZGddlHmIZIddd d!d"d#d$d%d&d'g ZJdd(lKmLZLdd)lMmNZNmOZOePeQZRed*d+Gd,d-d-ZSed*d+Gd.d!d!eSZTd/d0ZUe eVejWfd1d2d3ZXd*e1jYdfe eeZej[ej\feVd4d5d6Z]dTe e7e ej^e_ej^d9d:d"Z`dUeZe e7ej^d<d=d#ZaGd>ddZbd?d$ZcGd@ddebZddVeOe eZdAdBd&ZedWeNe eZdCdDd'ZfGdEd d ebZgGdFdGdGe8ZhGdHdIdIehZiGdJdKdKe8ZjGdLdMdMe9ZkdNdOgZldPdQgZmejneVdRdSd%ZodS)XzV This module defines utility classes to format CMS objects for use in PDF signatures. N) dataclass)datetime)IOCallableIterableListOptionalUnion)algoscmscorekeys)pdf)x509)SignedDigestAlgorithm)hashes serialization) DSAPrivateKey)ECDSAEllipticCurvePrivateKey)Ed448PrivateKey)Ed25519PrivateKey)PKCS1v15) RSAPrivateKey)pkcs12 to_thread)CertificateStoreSimpleCertificateStore)misc) attributes)CAdESSignedAttrSpec)CMSAttributeProviderSignedAttributeProviderSpecUnsignedAttributeProviderSpec) SigningErrorget_cms_hash_algo_for_mechanismget_pyca_cryptography_hashoptimal_pss_paramsprocess_pss_paramssimple_cms_attribute) TimeStamper))_translate_pyca_cryptography_cert_to_asn1(_translate_pyca_cryptography_key_to_asn1load_cert_from_pemderload_certs_from_pemderload_private_key_from_pemder) constantsSigner SimpleSignerExternalSignerPdfCMSSignedAttributesformat_attributesformat_signed_attributesasyncify_signerselect_suitable_signing_mdsigner_from_p12_configsigner_from_pemder_config)ConfigurationError)PemDerSignatureConfigPKCS12SignatureConfigT)frozenc@s2eZdZUdZdZeeed<dZee ed<dS)CMSSignedAttributesz .. versionadded:: 0.14.0 Serialisable container class describing input for various signed attributes in a signature CMS object. N signing_timecades_signed_attrs) __name__ __module__ __qualname____doc__rCrr__annotations__rDr!rJrJ@/tmp/pip-unpacked-wheel-owvgwkas/pyhanko/sign/signers/pdf_cms.pyrBQs rBc@s$eZdZUdZdZeejed<dS)r7z .. versionadded:: 0.7.0 .. versionchanged:: 0.14.0 Split off some fields into :class:`.CMSSignedAttributes`. Serialisable container class describing input for various signed attributes in a CMS object for a PDF signature. Nadobe_revinfo_attr) rErFrGrHrLrasn1_pdfRevocationInfoArchivalrIrJrJrJrKr7fs  cCs8|p ddi}t|tjr$|dj}n |dd}||fS)N content_typedata) isinstancer Sequencenativeget)encap_content_inforOrJrJrK_ensure_content_typeys     rV)rOcCs*|rdSt|tjr|j}|dkr&dSdS)NZv4rPv1Zv3)rQr ObjectIdentifierrS)rOZhas_attribute_certsrJrJrK _cms_versions  rY) input_datadigest_algorithmc Cstt|}d}t|tjtjfrN|t|d|rHd|di}q|}nbt|trr|||sd|d}n>|s| |}||d|d}nt |}t j ||||d| } || fS)NcontentrOrPrOr\)max_read)rZHashr'rQr ContentInfoEncapsulatedContentInfoupdatebytesread bytearrayrZchunked_digestfinalize) rZr[detached chunk_sizer^hrUZ input_bytesZtemp_buf digest_bytesrJrJrK_prepare_encap_contents&      rjrJF) attr_provs other_attrsdry_runreturncsPt|}fdd|D}t|D] }|IdH}|dk r$||q$t|S)ac Format CMS attributes obtained from attribute providers. :param attr_provs: List of attribute providers. :param other_attrs: Other (predetermined) attributes to include. :param dry_run: Whether to invoke the attribute providers in dry-run mode or not. :return: A :class:`cms.CMSAttributes` value. csg|]}|jdqS)rm)Z get_attribute).0ZprovrorJrK sz%format_attributes..N)listasyncioZ as_completedappendr CMSAttributes)rkrlrmattrsjobsZ attr_coroattrrJrorKr8s  rP) data_digestrkrncs(td|td|g}t|||dIdHS)a Format signed attributes for a CMS ``SignerInfo`` value. :param data_digest: The byte string to put in the ``messageDigest`` attribute. :param attr_provs: List of attribute providers to source attributes from. :param content_type: The content type of the data being signed (default is ``data``). :param dry_run: Whether to invoke the attribute providers in dry-run mode or not. :return: A :class:`cms.CMSAttributes` value representing the signed attributes. rOmessage_digest)rmrlN)r*r8)ryrkrOrmrvrJrJrKr9sc@seZdZdZdddddddeeeeeejee e e j dddZ eeed d d Zeeejd d d Zee d ddZee e j d ddZeeedddZeeed ddZedIeeeedddZdJedddZdKeeedddZdLeed d!d"ZdMeee jeed#d$d%Z ed&d'd(Z!ee jee je j"d)d*d+Z#ed&d,d-Z$dNeeed.d/d0Z%dOeee jee jd1d2d3Z&dPeeeedd5d6Z'dQeeeee j"d7d8d9Z(dRee je j"d;dd?d@Z/dSeeee0ee1e j"dAdBdCZ2dTee je j"d;dDdEZ3ddddde*j+dfe,e-ee j"e j.feee0ee1e j"dFdGdHZ4dS)Ur4a6 Abstract signer object that is agnostic as to where the cryptographic operations actually happen. As of now, pyHanko provides two implementations: * :class:`.SimpleSigner` implements the easy case where all the key material can be loaded into memory. * :class:`~pyhanko.sign.pkcs11.PKCS11Signer` implements a signer that is capable of interfacing with a PKCS#11 device. :param prefer_pss: When signing using an RSA key, prefer PSS padding to legacy PKCS#1 v1.5 padding. Default is ``False``. This option has no effect on non-RSA signatures. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether or not additional self-signed certificates should be embedded into the CMS payload. The default is ``True``. .. note:: The signer's certificate is always embedded, even if it is self-signed. .. note:: Trust roots are configured by the validator, so embedding them doesn't affect the semantics of a typical validation process. Therefore, they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. In addition, some validators are poorly implemented, and will refuse to build paths if the roots are not present in the file. .. warning:: To be precise, if this flag is ``False``, a certificate will be dropped if (a) it is not the signer's, (b) it is self-issued and (c) its subject and authority key identifiers match (or either is missing). In other words, we never validate the actual self-signature. This heuristic is sufficiently accurate for most applications. :param signature_mechanism: The (cryptographic) signature mechanism to use for all signing operations. If unset, the default behaviour is to try to impute a reasonable one given the preferred digest algorithm and public key. :param signing_cert: See :attr:`signing_cert`. :param attribute_certs: See :attr:`attribute_certs`. :param cert_registry: Initial value for :attr:`cert_registry`. If unset, an empty certificate store will be initialised. FTNrJ) prefer_pss embed_rootssignature_mechanism signing_cert cert_registryattribute_certscCs:||_||_d|_d|_||_||_|p,t|_||_dSN) r{r|signed_attr_prov_specunsigned_attr_prov_spec_signature_mechanism _signing_certr_cert_registry_attribute_certs)selfr{r|r}r~rrrJrJrK__init__*s  zSigner.__init__)rncCs|jS)z .. versionchanged:: 0.18.0 Turned into a property instead of a class attribute. The (cryptographic) signature mechanism to use for all signing operations. )rrrJrJrKr}?s zSigner.signature_mechanismcCs|jS)a .. versionchanged:: 0.14.0 Made optional (see note) .. versionchanged:: 0.18.0 Turned into a property instead of a class attribute. The certificate that will be used to create the signature. .. note:: This is an optional field only to a limited extent. Subclasses may require it to be present, and not setting it at the beginning of the signing process implies that certain high-level convenience features will no longer work or be limited in function (e.g., automatic hash selection, appearance generation, revocation information collection, ...). However, making :attr:`signing_cert` optional enables certain signing workflows where the certificate of the signer is not known until the signature has actually been produced. This is most relevant in certain types of remote signing scenarios. )rrrJrJrKr~JszSigner.signing_certcCs|jS)a .. versionchanged:: 0.18.0 Turned into a property instead of a class attribute. Collection of certificates associated with this signer. Note that this is simply a bookkeeping tool; in particular it doesn't care about trust. )rrrJrJrKrds zSigner.cert_registrycCs|jS)z .. versionchanged:: 0.18.0 Turned into a property instead of a class attribute. Attribute certificates to include with the signature. .. note:: Only ``v2`` attribute certificates are supported. )rrrJrJrKrps zSigner.attribute_certs)r[rncCs|jdk r|jS|jdkr"td|jjj}d}|dkrR|dkrHtd|d}n|dkrt|dkrjtd|d}nf|d kr|jrd }|dkrtd t|j|}q|dk r|d }qd }n|dkr|}ntd|dd|i}|dk r||d<t|S)a Get the signature mechanism for this signer to use. If :attr:`signature_mechanism` is set, it will be used. Otherwise, this method will attempt to put together a default based on mechanism used in the signer's certificate. :param digest_algorithm: Digest algorithm to use as part of the signature mechanism. Only used if a signature mechanism object has to be put together on-the-fly. :return: A :class:`.SignedDigestAlgorithm` object. Nz/Could not set up a default signature mechanism.ecz#Digest algorithm required for ECDSAZ_ecdsadsaz!Digest algorithm required for DSAZ_dsarsa rsassa_pssz(Digest algorithm required for RSASSA-PSSZ_rsarsassa_pkcs1v15)ed25519ed448zSignature mechanism z is unsupported. algorithm parameters) r}r~r%Z public_keyr ValueErrorr{r(r)rr[algoparamsmechZ sda_kwargsrJrJrK"get_signature_mechanism_for_digest}s@      z)Signer.get_signature_mechanism_for_digestcCsx|jdkrdS|jj}z|jd}Wntk rB|jd}YnXz|jd}d||f}Wntk rrYnX|S)z :return: The subject's common name as a string, extracted from :attr:`signing_cert`, or ``None`` if no signer's certificate is available NZ common_nameZorganization_nameZ email_addressz%s <%s>)r~subjectrSKeyError)rnameresultemailrJrJrK subject_names  zSigner.subject_name)ocsp_responsescrlscCs.i}|r||d<|r||d<|r*t|SdS)z Format Adobe-style revocation information for inclusion into a CMS object. :param ocsp_responses: A list of OCSP responses to include. :param crls: A list of CRLs to include. ZocspZcrlN)rMrN)rrZ revinfo_dictrJrJrKformat_revinfoszSigner.format_revinfo) attr_settingscCsV|jdk r|jS|r&t||j||dS|r>t||j|j|dSt||j|j|dSdS)zs Internal method to select a default attribute provider spec if none is available already. Nrr~is_pades timestamperrr~r}r)r CAdESSignedAttributeProviderSpecr~%GenericPdfSignedAttributeProviderSpecr%GenericCMSSignedAttributeProviderSpec)rrr use_cades is_pdf_sigrJrJrK_signed_attr_provider_specs, z!Signer._signed_attr_provider_spec)ryr[rcCs |j||||d}|j||dS)zN Prepare "standard" signed attribute providers. Internal API. )rrrrryr[)rsigned_attr_providers)rryr[rrrrspecrJrJrK_signed_attr_providerss zSigner._signed_attr_providersrcCs|jdk r|jSt|dSdS)Nr)rDefaultUnsignedAttributesrrrJrJrK_unsigned_attr_provider_spec*s z#Signer._unsigned_attr_provider_spec)r[ signature signed_attrsrcCs||}|j|||dS)zP Prepare "standard" unsigned attribute providers. Internal API. )r[rr)runsigned_attr_providers)rr[rrrrrJrJrK_unsigned_attr_providers2s zSigner._unsigned_attr_providers)r[c Cs`td|i}|j}|dkr$tdtdtdt|j|j di|| |||d}|S)a Format the ``SignerInfo`` entry for a CMS signature. :param digest_algorithm: Digest algorithm to use. :param signed_attrs: Signed attributes (see :meth:`signed_attrs`). :param signature: The raw signature to embed (see :meth:`sign_raw`). :return: An :class:`.asn1crypto.cms.SignerInfo` object. rNzNThe signer's certificate must be available for SignerInfo assembly to proceed.rWZissuer_and_serial_number)issuer serial_number)versionZsidr[signature_algorithmrr) r DigestAlgorithmr~r%r Z SignerInfoZSignerIdentifierZIssuerAndSerialNumberrrr)rr[rrdigest_algorithm_objr~sig_inforJrJrK signer_infoCs8  zSigner.signer_info)r[rrunsigned_attrsrnc Cs|p ddi}td|i}||||}|dk r8||d<|jp@d} |jrXdd| D} ndd| D} | tjd |jd |j D]} | tjd | d q|t |f|| |gd } t t d t | dS)NrOrPrrrJcSsh|]}tjd|dqS) certificatervalue)r CertificateChoicesrpcertrJrJrK sz,Signer._package_signature..cSs$h|]}|jdkrtjd|dqS)norr)Z self_signedr rrrJrJrKrs rrZ v2_attr_cert)rZdigest_algorithmsrUZ certificatesZ signer_infos signed_datar])r rrrr|addr rr~rZDigestAlgorithmsr_Z ContentTypeZ SignedData) rr[ cms_versionrrrrUrrrcertsacrrJrJrK_package_signaturess>     zSigner._package_signaturecCsd}z|d}Wntk r*d}YnXz|dk r>t|}Wntk rTYnX|dk r|||kr|td|d|ddS)Nz6Selected signature mechanism specifies message digest z, but z was requested.)rrr&r%)rr[Zimplied_hash_algorrJrJrK_check_digest_algorithms"  zSigner._check_digest_algorithmrPr[rncstdS)aW Compute the raw cryptographic signature of the data provided, hashed using the digest algorithm provided. :param data: Data to sign. :param digest_algorithm: Digest algorithm to use. .. warning:: If :attr:`signature_mechanism` also specifies a digest, they should match. :param dry_run: Do not actually create a signature, but merely output placeholder bytes that would suffice to contain an actual signature. :return: Signature bytes. N)NotImplementedErrorrrPr[rmrJrJrKasync_sign_rawszSigner.async_sign_raw)r[rrrncs0|j||||d}tt||dIdH}|p.dS)a .. versionchanged:: 0.9.0 Made asynchronous _(breaking change)_ .. versionchanged:: 0.14.0 Added ``signed_attrs`` parameter _(breaking change)_ Compute the unsigned attributes to embed into the CMS object. This function is called after signing the hash of the signed attributes (see :meth:`signed_attrs`). By default, this method only handles timestamp requests, but other functionality may be added by subclasses If this method returns ``None``, no unsigned attributes will be embedded. :param digest_algorithm: Digest algorithm used to hash the signed attributes. :param signed_attrs: Signed attributes of the signature. :param signature: Signature of the signed attribute hash. :param timestamper: Timestamp supplier to use. :param dry_run: Flag indicating "dry run" mode. If ``True``, only the approximate size of the output matters, so cryptographic operations can be replaced by placeholders. :return: The unsigned attributes to add, or ``None``. )rrr[rroN)rr8rr)rr[rrrrmprovsrvrJrJrKrs(zSigner.unsigned_attrsrPc s:|pt}|j||||||d} t|t| ||dIdHS)a .. versionchanged:: 0.4.0 Added positional ``digest_algorithm`` parameter _(breaking change)_. .. versionchanged:: 0.5.0 Added ``dry_run``, ``timestamper`` and ``cades_meta`` parameters. .. versionchanged:: 0.9.0 Made asynchronous, grouped some parameters under ``attr_settings`` _(breaking change)_ Format the signed attributes for a CMS signature. :param data_digest: Raw digest of the data to be signed. :param digest_algorithm: .. versionadded:: 0.4.0 Name of the digest algorithm used to compute the digest. :param use_pades: Respect PAdES requirements. :param dry_run: .. versionadded:: 0.5.0 Flag indicating "dry run" mode. If ``True``, only the approximate size of the output matters, so cryptographic operations can be replaced by placeholders. :param attr_settings: :class:`.PdfCMSSignedAttributes` object describing the attributes to be added. :param timestamper: .. versionadded:: 0.5.0 Timestamper to use when creating timestamp tokens. :param content_type: CMS content type of the encapsulated data. Default is `data`. .. danger:: This parameter is internal API, and non-default values must not be used to produce PDF signatures. :param is_pdf_sig: Whether the signature being generated is for use in a PDF document. .. danger:: This parameter is internal API. :return: An :class:`.asn1crypto.cms.CMSAttributes` object. )ryr[rrrr)rkrOrmN)r7rr9rr) rryr[rrO use_padesrrmrrrJrJrKrs:  zSigner.signed_attrs)ryr[signed_attr_settingsrnc sTt|\}} |j||||||| |dIdH} |j|| t| t|j|||dIdHS)a .. versionadded:: 0.9.0 Produce a detached CMS signature from a raw data digest. :param data_digest: Digest of the actual content being signed. :param digest_algorithm: Digest algorithm to use. This should be the same digest method as the one used to hash the (external) content. :param dry_run: If ``True``, the actual signing step will be replaced with a placeholder. In a PDF signing context, this is necessary to estimate the size of the signature container before computing the actual digest of the document. :param signed_attr_settings: :class:`.PdfCMSSignedAttributes` object describing the attributes to be added. :param use_pades: Respect PAdES requirements. :param timestamper: :class:`~.timestamps.TimeStamper` used to obtain a trusted timestamp token that can be embedded into the signature container. .. note:: If ``dry_run`` is true, the timestamper's :meth:`~.timestamps.TimeStamper.dummy_response` method will be called to obtain a placeholder token. Note that with a standard :class:`~.timestamps.HTTPTimeStamper`, this might still hit the timestamping server (in order to produce a realistic size estimate), but the dummy response will be cached. :param is_pdf_sig: Whether the signature being generated is for use in a PDF document. .. danger:: This parameter is internal API. :param encap_content_info: Data to encapsulate in the CMS object. .. danger:: This parameter is internal API, and must not be used to produce PDF signatures. :return: An :class:`~.asn1crypto.cms.ContentInfo` object. )rrrrmrOrN)rrmrrU)rVr async_sign_prescribed_attributesrYboolr) rryr[rmrrrrrUrOrrJrJrK async_signas*< zSigner.async_signrW)r[rrnc s^|}||||||IdH}|j|||||dIdH}|j||||||dS)a .. versionadded:: 0.9.0 Start the CMS signing process with the prescribed set of signed attributes. :param digest_algorithm: Digest algorithm to use. This should be the same digest method as the one used to hash the (external) content. :param signed_attrs: CMS attributes to sign. :param dry_run: If ``True``, the actual signing step will be replaced with a placeholder. In a PDF signing context, this is necessary to estimate the size of the signature container before computing the actual digest of the document. :param timestamper: :class:`~.timestamps.TimeStamper` used to obtain a trusted timestamp token that can be embedded into the signature container. .. note:: If ``dry_run`` is true, the timestamper's :meth:`~.timestamps.TimeStamper.dummy_response` method will be called to obtain a placeholder token. Note that with a standard :class:`~.timestamps.HTTPTimeStamper`, this might still hit the timestamping server (in order to produce a realistic size estimate), but the dummy response will be cached. :param cms_version: CMS version to use. :param encap_content_info: Data to encapsulate in the CMS object. .. danger:: This parameter is internal API, and must not be used to produce PDF signatures. :return: An :class:`~.asn1crypto.cms.ContentInfo` object. N)rrrm)r[rrrrrU)lowerrrdumprr) rr[rrrmrrUrrrJrJrKrs,3   z'Signer.async_sign_prescribed_attributes)rZr[rrnc s4t|||||d\} } |j| ||d|| |dIdHS)a< .. versionadded:: 0.9.0 Produce a CMS signature for an arbitrary data stream (not necessarily PDF data). :param input_data: The input data to sign. This can be either a :class:`bytes` object a file-type object, a :class:`cms.ContentInfo` object or a :class:`cms.EncapsulatedContentInfo` object. .. warning:: ``asn1crypto`` mandates :class:`cms.ContentInfo` for CMS v1 signatures. In practical terms, this means that you need to use :class:`cms.ContentInfo` if the content type is ``data``, and :class:`cms.EncapsulatedContentInfo` otherwise. .. warning:: We currently only support CMS v1, v3 and v4 signatures. This is only a concern if you need certificates or CRLs of type 'other', in which case you can change the version yourself (this will not invalidate any signatures). You'll also need to do this if you need support for version 1 attribute certificates, or if you want to sign with ``subjectKeyIdentifier`` in the ``sid`` field. :param digest_algorithm: The name of the digest algorithm to use. :param detached: If ``True``, create a CMS detached signature (i.e. an object where the encapsulated content is not embedded in the signature object itself). This is the default. If ``False``, the content to be signed will be embedded as encapsulated content. :param signed_attr_settings: :class:`.PdfCMSSignedAttributes` object describing the attributes to be added. :param use_cades: Construct a CAdES-style CMS object. :param timestamper: :class:`.PdfTimeStamper` to use to create a signature timestamp .. note:: If you want to create a *content* timestamp (as opposed to a *signature* timestamp), see :class:`.CAdESSignedAttrSpec`. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A CMS ContentInfo object of type signedData. )rZr[rfrgr^F)ryr[rrrrUrN)rjr) rrZr[rfrrrgrr^rUrirJrJrKasync_sign_general_datas @ zSigner.async_sign_general_data)ryr[ timestampcades_signed_attr_metarnc Cs<tdtt|||d} |j|||||| | d} t| S)a .. deprecated:: 0.9.0 Use :meth:`async_sign` instead. The implementation of this method will invoke :meth:`async_sign` using ``asyncio.run()``. Produce a detached CMS signature from a raw data digest. :param data_digest: Digest of the actual content being signed. :param digest_algorithm: Digest algorithm to use. This should be the same digest method as the one used to hash the (external) content. :param timestamp: Signing time to embed into the signed attributes (will be ignored if ``use_pades`` is ``True``). .. note:: This timestamp value is to be interpreted as an unfounded assertion by the signer, which may or may not be good enough for your purposes. :param dry_run: If ``True``, the actual signing step will be replaced with a placeholder. In a PDF signing context, this is necessary to estimate the size of the signature container before computing the actual digest of the document. :param revocation_info: Revocation information to embed; this should be the output of a call to :meth:`.Signer.format_revinfo` (ignored when ``use_pades`` is ``True``). :param use_pades: Respect PAdES requirements. :param timestamper: :class:`~.timestamps.TimeStamper` used to obtain a trusted timestamp token that can be embedded into the signature container. .. note:: If ``dry_run`` is true, the timestamper's :meth:`~.timestamps.TimeStamper.dummy_response` method will be called to obtain a placeholder token. Note that with a standard :class:`~.timestamps.HTTPTimeStamper`, this might still hit the timestamping server (in order to produce a realistic size estimate), but the dummy response will be cached. :param cades_signed_attr_meta: .. versionadded:: 0.5.0 Specification for CAdES-specific signed attributes. :param encap_content_info: Data to encapsulate in the CMS object. .. danger:: This parameter is internal API, and must not be used to produce PDF signatures. :return: An :class:`~.asn1crypto.cms.ContentInfo` object. z<'Signer.sign' is deprecated, use 'Signer.async_sign' instead)rCrLrD)ryr[rmrrrrU)warningswarnDeprecationWarningr7rrsrun) rryr[rrmZrevocation_inforrrrUr sign_cororJrJrKsignMs&G z Signer.signcCs,tdt|j||||||d}t|S)a .. versionadded: 0.7.0 .. deprecated:: 0.9.0 Use :meth:`async_sign_prescribed_attributes` instead. The implementation of this method will invoke :meth:`async_sign_prescribed_attributes` using ``asyncio.run()``. Start the CMS signing process with the prescribed set of signed attributes. :param digest_algorithm: Digest algorithm to use. This should be the same digest method as the one used to hash the (external) content. :param signed_attrs: CMS attributes to sign. :param dry_run: If ``True``, the actual signing step will be replaced with a placeholder. In a PDF signing context, this is necessary to estimate the size of the signature container before computing the actual digest of the document. :param timestamper: :class:`~.timestamps.TimeStamper` used to obtain a trusted timestamp token that can be embedded into the signature container. .. note:: If ``dry_run`` is true, the timestamper's :meth:`~.timestamps.TimeStamper.dummy_response` method will be called to obtain a placeholder token. Note that with a standard :class:`~.timestamps.HTTPTimeStamper`, this might still hit the timestamping server (in order to produce a realistic size estimate), but the dummy response will be cached. :param cms_version: CMS version to use. :param encap_content_info: Data to encapsulate in the CMS object. .. danger:: This parameter is internal API, and must not be used to produce PDF signatures. :return: An :class:`~.asn1crypto.cms.ContentInfo` object. zh'Signer.sign_prescribed_attributes' is deprecated, use 'Signer.async_sign_prescribed_attributes' instead)r[rrrmrrU)rrrrrsr)rr[rrrmrrUrrJrJrKsign_prescribed_attributess8z!Signer.sign_prescribed_attributes)rZr[rrrnc Cs<tdtt||d} |j||||||| | d} t| S)aT .. versionadded:: 0.7.0 .. deprecated:: 0.9.0 Use :meth:`async_sign_general_data` instead. The implementation of this method will invoke :meth:`async_sign_general_data` using ``asyncio.run()``. Produce a CMS signature for an arbitrary data stream (not necessarily PDF data). :param input_data: The input data to sign. This can be either a :class:`bytes` object a file-type object, a :class:`cms.ContentInfo` object or a :class:`cms.EncapsulatedContentInfo` object. .. warning:: ``asn1crypto`` mandates :class:`cms.ContentInfo` for CMS v1 signatures. In practical terms, this means that you need to use :class:`cms.ContentInfo` if the content type is ``data``, and :class:`cms.EncapsulatedContentInfo` otherwise. .. warning:: We currently only support CMS v1, v3 and v4 signatures. This is only a concern if you need certificates or CRLs of type 'other', in which case you can change the version yourself (this will not invalidate any signatures). You'll also need to do this if you need support for version 1 attribute certificates, or if you want to sign with ``subjectKeyIdentifier`` in the ``sid`` field. :param digest_algorithm: The name of the digest algorithm to use. :param detached: If ``True``, create a CMS detached signature (i.e. an object where the encapsulated content is not embedded in the signature object itself). This is the default. If ``False``, the content to be signed will be embedded as encapsulated content. :param timestamp: Signing time to embed into the signed attributes (will be ignored if ``use_cades`` is ``True``). .. note:: This timestamp value is to be interpreted as an unfounded assertion by the signer, which may or may not be good enough for your purposes. :param use_cades: Construct a CAdES-style CMS object. :param timestamper: :class:`.PdfTimeStamper` to use to create a signature timestamp .. note:: If you want to create a *content* timestamp (as opposed to a *signature* timestamp), see :class:`.CAdESSignedAttrSpec`. :param cades_signed_attr_meta: Specification for CAdES-specific signed attributes. :param chunk_size: Chunk size to use when consuming input data. :param max_read: Maximal number of bytes to read from the input stream. :return: A CMS ContentInfo object of type signedData. zV'Signer.sign_general_data' is deprecated, use 'Signer.async_sign_general_data' instead)rCrD)rZr[rfrrrgrr^)rrrr7rrsr) rrZr[rfrrrrrgr^rrrJrJrKsign_general_datas&N zSigner.sign_general_data)NN)NFT)NFT)N)N)F)NF)NrPFNFT)FFNNTN)rWFNN)NFNFNNN)rWFNN)5rErFrGrHrrrr Certificaterrr AttributeCertificateV2rpropertyr}r~rrstrrr staticmethodrrrr7rrbrr+rrurrr_rrrrrrrrDEFAULT_CHUNK_SIZEr rr`rrr!rrrrJrJrJrKr4sN9     A )   3 =  5 P V O U _ Mcs"dtttdfdd }|_S)zm Decorator to turn a legacy :class:`Signer` subclass into one that works with the new async API. Frcs"tfdd}|IdHS)NcsjdS)N)rPr[rmsign_rawrJ)rPr[rmr signer_clsrJrK\s z9asyncify_signer..async_sign_raw..r)rrPr[rmcoror)rPr[rmrrKrXsz'asyncify_signer..async_sign_raw)F)rbrr)rrrJrrKr:Rs c seZdZUdZejed<dejeje e e e e e e ejdfdd Zdeeed d d Zeeed d d ZedddZedddZedddZZS)r5z_ Simple signer implementation where the key material is available in local memory. signing_keyNFT)r~rrr}r{r|rcs2||_tj|||||d|dk r.t||_dS)N)r{r|rr}r~)rsuperrrrr)rr~rrr}r{r|r __class__rJrKrts zSimpleSigner.__init__rcs |||SrrrrJrJrKrszSimpleSigner.async_sign_rawc CsF||}|j}tj|jdd}|dkrVt}t|}t|t sHt | |||S|dkr|d}t ||\}}t|t st | |||S|dkrt|}t|t st |j |t|dS|dkrt|}t|tst | ||S|d krt|tst | |S|d kr2t|ts(t | |Std |d dS) a1 Synchronous raw signature implementation. :param data: Data to be signed. :param digest_algorithm: Digest algorithm to use. :return: Raw signature encoded according to the conventions of the signing algorithm used. N)passwordrrrZecdsa)rrrrzThe signature mechanism z is unsupported by this signer.)rsignature_algorZload_der_private_keyrrrr'rQrAssertionErrorrr)rrrrrr%) rrPr[r}Z mechanismZpriv_keypaddingZ hash_algorrJrJrKrsF       zSimpleSigner.sign_rawc CsNztt|WSttfk rH}ztjd|dWYdSd}~XYnXdS)NzCould not load CA chainexc_info)setr0IOErrorrloggererror)clsca_chain_fileserJrJrK_load_ca_chains zSimpleSigner._load_ca_chainc Cs4z"t|d}|}W5QRXWn>tk r`} z tjd|d| dWYdSd} ~ XYnX|rp||nt} | dkrdSzt||\} } } Wn<tt t fk r} ztjd| dWYdSd} ~ XYnXt | }t | } tt t | } t}| | B}|dk r|t|O}||t|| |||dS)a Load certificates and key material from a PCKS#12 archive (usually ``.pfx`` or ``.p12`` files). :param pfx_file: Path to the PKCS#12 archive. :param ca_chain_files: Path to (PEM/DER) files containing other relevant certificates not included in the PKCS#12 file. :param other_certs: Other relevant certificates, specified as a list of :class:`.asn1crypto.x509.Certificate` objects. :param passphrase: Passphrase to decrypt the PKCS#12 archive, if required. :param signature_mechanism: Override the signature mechanism to use. :param prefer_pss: Prefer PSS signature mechanism over RSA PKCS#1 v1.5 if there's a choice. :return: A :class:`.SimpleSigner` object initialised with key material loaded from the PKCS#12 file provided. rbzCould not open PKCS#12 file .rNz-Could not load key material from PKCS#12 file)rr~rr}r{)openrcrrrrrrZload_key_and_certificatesr TypeErrorr.r-maprregister_multipler5)rpfx_filer other_certs passphraser}r{fZ pfx_bytesrca_chainZ private_keyrZother_certs_pkcs12ZkinfocsZcerts_to_registerrJrJrK load_pkcs12sP#     zSimpleSigner.load_pkcs12c Cszt||d}t|} Wn<tttfk rT} ztjd| dWYdSd} ~ XYnX|rd||ng} | dkrtdS|dkr| n| |}t} | |t | || ||dS)a Load certificates and key material from PEM/DER files. :param key_file: File containing the signer's private key. :param cert_file: File containing the signer's certificate. :param ca_chain_files: File containing other relevant certificates. :param key_passphrase: Passphrase to decrypt the private key (if required). :param other_certs: Other relevant certificates, specified as a list of :class:`.asn1crypto.x509.Certificate` objects. :param signature_mechanism: Override the signature mechanism to use. :param prefer_pss: Prefer PSS signature mechanism over RSA PKCS#1 v1.5 if there's a choice. :return: A :class:`.SimpleSigner` object initialised with key material loaded from the files provided. )rz%Could not load cryptographic materialrN)r~rrr}r{) r1r/rrr rrrrr r5) rkey_file cert_filerkey_passphraser r}r{rr~rrZcert_regrJrJrKloads."  zSimpleSigner.load)NFTN)F)N)NNNNF)NNNNF)rErFrGrHr ZPrivateKeyInforIrrrrrrrr rrrbrrr classmethodrrr __classcell__rJrJrrKr5isL    2  L)configprovided_pfx_passphrasecCs6|jp|}tj|j||j|jd}|dkr2td|S)N)r rr r{ Error while loading key material)Zpfx_passphraser5rr r r{r>)rrrrrJrJrKr<Ts )rprovided_key_passphrasecCs:|jp|}tj|j|j|j|j|d}|dkr6td|S)N)rrr r{rr)rr5rrrr r{r>)rrrrrJrJrKr=ds cs^eZdZdZd eejeeee e dfee e e dfdd Z d e ee dd d ZZS) r6a) Class to help formatting CMS objects for use with remote signing. It embeds a fixed signature value into the CMS, set at initialisation. Intended for use with :ref:`interrupted-signing`. :param signing_cert: The signer's certificate. :param cert_registry: The certificate registry to use in CMS generation. :param signature_value: The value of the signature as a byte string, a placeholder length, or ``None``. :param signature_mechanism: The signature mechanism used by the external signing service. :param prefer_pss: Switch to prefer PSS when producing RSA signatures, as opposed to RSA with PKCS#1 v1.5 padding. :param embed_roots: Whether to embed relevant root certificates into the CMS payload. NFT)r~rsignature_valuer}r{r|cs:t|tr||_nt|pd|_tj|||||ddS)N)r{r|r~rr})rQrb_signature_valuerr)rr~rrr}r{r|rrJrKrs zExternalSigner.__init__rcs|jS)z1 Return a fixed signature value. )rrrJrJrKrszExternalSigner.async_sign_raw)NNFT)F)rErFrGrHrrrrr rbintrrrrrrrJrJrrKr6us& c@sXeZdZdZeeejee e ge j fdfee dddZee eedddZdS) rzD Signed attribute provider spec for generic CMS signatures. NrcCs||_||_||_||_dSr)r~rr}rrrr~r}rrJrJrKrs z.GenericCMSSignedAttributeProviderSpec.__init__ryr[rnccs|j}|jdk r tj|jdV|j}|dk r._with_thresholdsrrrr/rZshake256)rZbit_sizeRSA_THRESHOLDSECC_THRESHOLDSr3Z DEFAULT_MD)r.r1Zkey_algorJrJrKr;Ds   )rJF)rPF)N)N)prHrsloggingrZ dataclassesrrtypingrrrrrr r+Z asn1cryptor r r r rrMrZasn1crypto.algosrZcryptography.hazmat.primitivesrrZ-cryptography.hazmat.primitives.asymmetric.dsarZ,cryptography.hazmat.primitives.asymmetric.ecrrZ/cryptography.hazmat.primitives.asymmetric.ed448rZ1cryptography.hazmat.primitives.asymmetric.ed25519rZ1cryptography.hazmat.primitives.asymmetric.paddingrZ-cryptography.hazmat.primitives.asymmetric.rsarZ,cryptography.hazmat.primitives.serializationrZ%pyhanko_certvalidator._asyncio_compatrZpyhanko_certvalidator.registryrrZpyhanko.pdf_utilsrZ pyhanko.signr Zpyhanko.sign.ades.apir!Zpyhanko.sign.attributesr"r#r$Zpyhanko.sign.generalr%r&r'r(r)r*Zpyhanko.sign.timestampsr+r-r.r/r0r1r3__all__Z config.errorsr>Zconfig.local_keysr?r@ getLoggerrErrBr7rVrrXrYrrbr_r`rjrurr8r9r4r:r5r<r=r6rrrrr2r3Z PublicKeyInfor;rJrJrJrKs                       '  gn  50 %)