U gH @s> dZddlZddlZddlZddlZddlmZddlmZddlmZmZddl m Z m Z m Z m Z mZmZmZmZmZmZmZmZmZmZmZddlZddlmZmZddlmZdd lmZm Z dd l!m"Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)ddl*m+Z+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?m@Z@mAZAddlBmCZCmDZDddlEmFZFmGZGddlHmIZIddlJmKZKddlLmMZMmNZNddlOmPZPmQZQmRZRmSZSmTZTddlUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\ddl]m^Z^m_Z_m`Z`maZaddlbmcZcddldmeZemfZfmgZgmhZhmiZimjZjmkZkmlZld d!lmmnZnd"d#lompZpd"d$l`mqZqd"d%lrmsZsmtZtmuZumvZvmwZwmxZxd"d&lymzZzd'd(d)d*d+d,d-d.d/g Z{e|e}Z~ed0eid1d2Ze5eed3d4d5Ze5eed3d6d/ZGd7d8d8Zed1d9Gd:d,d,eeZeGd;d<d<Zedddd=ejeweeeee;ee,ee ee fed>d?d*Zedddd=ejeweee;ee,ee ee fed@dAd*Zdddelfejeweee;ee,ee ee fed@dBd*Zeje?eeejdCdDdEZee&e e5ddfdFdGdHZeeiedfdIdJdKZdelfeje&eee ee fedLdMdNZeeedOdPdQZejeie&ee&eedRdSdTZewe;e,dUdVdWZeddddddXejeweeee;eeee,eeee ee fedY dZd'ZeddddddXejewee;eeee,eeee ee fed[d\d'Zdddddekfejewee;eeee,eeee ee fed[d]d'Zeje&e&ee&eceeeeee ee feezeeeeefd^ d_d`Zed1d9Gdad-d-eZeeRjeQjeQjeQjeQjeQjhZeddddddXejewee;eeee,eeee ee fed[dbd(ZeddddddXejeweeee;eeee,eeee ee fedY dcd(Zdddddekfejewee;eeee,eeee ee fed[ddd(ZGdedfdfeDZeIee3dgdhdiZeKee3djdkdlZe je,eeAdmdndoZe je+e,ee=efdpdqdrZejewe3eeQeee=dsdtduZdejewe3eeQeeeTdvdwdxZed1d9GdydzdzZed1d9Gd{d|d|Zeje eddfd}d~dZejed}ddZeje eddfdddZe^e eddfdddZeNeeeneedddZdeeewee;e3dddZeeRjeQjeQjeQjeQjeQjeQjeQjhZeeQjeQjeQjeQjeQjhZed1d9Gdd.d.eZe_ewe3e;eedddZeNdddZde_etee;eeeddd)Zde_eteeeeddd+ZdS)a This module contains a number of functions to handle AdES signature validation. .. danger:: This API is incubating, and not all features of the spec have been fully implemented at this stage. There will be bugs, and API changes may still occur. N)copy) dataclass)datetimetimezone)AnyDict FrozenSet GeneratorGenericIterableIteratorListOptionalSetTupleTypeTypeVarUnionoverload)cmskeys)pdf)tspx509)CertificateList) OCSPResponse)ValidationContext)CertTrustAnchor TrustAnchor)CertValidationPolicySpecValidationDataHandlers) PathError) past_validate)KnownPOE POEManagerPOETypeValidationObjectValidationObjectTypedigest_for_poe)ades_gather_prima_facie_revinfo)ValidationTimingInfo)ValidationPath)AlgorithmUsagePolicyNonRevokedStatusAssertionRevocationCheckingRule) PathBuilder TrustManager) CRLContainer OCSPContainer) CRLOfInterest)OCSPResponseOfInterest)HistoricalResolver PdfFileReader) AdESFailureAdESIndeterminate AdESPassed AdESStatus AdESSubIndic)CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorextract_certificate_infofind_cms_attributefind_unique_cms_attribute)DocumentSecurityStoreEmbeddedPdfSignatureerrors generic_cms)KeyUsageConstraints)DocumentTimestampStatusPdfSignatureStatusRevocationDetailsSignatureCoverageLevelSignatureStatusSignerAttributeStatusStandardCMSSignatureStatusTimestampSignatureStatus) DiffPolicy)enumerate_ocsp_certs)NoDSSFoundError)LocalKnowledgePdfSignatureValidationSpecRevinfoOnlineFetchingRuleRevocationInfoGatheringSpecSignatureValidationSpec"bootstrap_validation_data_handlers)CMSAlgorithmUsagePolicyades_basic_validationades_with_time_validationades_lta_validationades_timestamp_validation#simulate_future_ades_lta_validationAdESBasicValidationResultAdESWithTimeValidationResultAdESLTAValidationResult#derive_validation_object_identifier StatusTypeT)bound covariant)voreturncCst|jtjkr|jS|jtjkr.|jjS|jtjkrF|jjS|jtj tj fkrl|jdddj SdSdS)N signer_infosr signature) object_typer' CERTIFICATEvaluedumpCRLcrl_data OCSP_RESPONSEocsp_response_data SIGNED_DATA TIMESTAMPnative)rhrw@/tmp/pip-unpacked-wheel-owvgwkas/pyhanko/sign/validation/ades.py$derive_validation_object_binary_datas      rycCs|jtjkr t|j}nx|jtjkrBt|jj}nV|jtj krdt|jj }n4|jtj tj fkrt|jdddj }ndSd|jjd|S)Nrjrrkzvo--)rlr'rmr(rnrohexrprqrrrsrtrurv)rhmarkerrwrwrxrds    c@s<eZdZeedddZeedddZeddZ d S) ValidationObjectSetobject_collectionscs"fdd}dd|D|_dS)Nc3s*tjD]}t|}|r ||fVq dSN) itertoolschainrd)objidentr~rwrx_pairssz,ValidationObjectSet.__init__.._pairscSsi|]\}}||qSrwrw).0kvrwrwrx sz0ValidationObjectSet.__init__..)_things)selfrrrwr~rx__init__s zValidationObjectSet.__init__)ricCst|jSr)iterrvalues)rrwrwrx__iter__szValidationObjectSet.__iter__cCstdSNrw)r}rwrwrwrxemptyszValidationObjectSet.emptyN) __name__ __module__ __qualname__r r&rr r staticmethodrrwrwrwrxr}s r})frozenc@s:eZdZUdZeed<eeed<eeed<e ed<dS)rauR Result of validation of basic signatures. ETSI EN 319 102-1, § 5.3 ades_subindic api_status failure_msgvalidation_objectsN) rrr__doc__r;__annotations__rrestrr}rwrwrwrxras   c@seZdZUeed<eeed<eeed<eeed<ej e dZ e ed<dZ eeed<dZ eeed <dZeeed <dZeeed <d d ZdS)_InternalBasicValidationResultrsignature_poe_timesignature_not_before_timevalidation_path)default_factory status_kwargsNtrust_subindic_updatesignature_ts_validitycontent_ts_validitysigner_attr_statuscCs|j}|j|d<|jr |j|d<|r4|jr4|j|d<|rH|jrH|j|d<|rv|jrv|jj|d<|jj|d<|jj|d<|f|S)Nrtrust_problem_indictimestamp_validitycontent_timestamp_validityac_attrscades_signer_attrsac_validation_errs) rrrrrrrrr)r status_clswith_ts with_attrsrrwrwrxupdates        z%_InternalBasicValidationResult.update)rrrr;rrrr+ dataclassesfielddictrrrrOrrrMrrwrwrwrxrs    r) timing_infovalidation_data_handlersextra_status_kwargs)tst_signed_datavalidation_specexpected_tst_imprintrrrrricsdSrrw)rrrrrrrrwrwrxr_s )rrrrrrricsdSrrw)rrrrrrrwrwrxr_s c sR|p t}|jp|j}|dkr,t||d}|j||d}t|||||dIdHS)uW Validate a timestamp token according to ETSI EN 319 102-1 § 5.4. :param tst_signed_data: The ``SignedData`` value of the timestamp. :param validation_spec: Validation settings to apply. :param expected_tst_imprint: The expected message imprint in the timestamp token. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :return: A :class:`.AdESBasicValidationResult`. Nspecrrhandlers)rr)r*nowts_cert_validation_policycert_validation_policyrZbuild_validation_context'_ades_timestamp_validation_from_context) rrrrrrrrvalidation_contextrwrwrxr_!s(! ) signer_info algo_policy control_time public_keycCsT|d}|j|||d}|sPd|jd|d}tj||jdkrFtjntjddS)NZsignature_algorithm)rzSignature algorithm z not allowed as of z:, which is the time of the earliest PoE for the signature.ades_subindication)Zsignature_algorithm_allowedZsignature_algorESignatureValidationErrorZnot_allowed_afterr8ZCRYPTO_CONSTRAINTS_FAILURE!CRYPTO_CONSTRAINTS_FAILURE_NO_POE)rrrrZsig_algoZ sig_allowedmsgrwrwrx#_ades_signature_crypto_policy_checkYsr)rriccst|dkr dS|jD]>}t|D]}ttj|Vq t|D]}ttj|Vqtj||d}|dk r(t|||IdHSttjddtdS)Nrrrrr)rFextract_tst_datarrar8GENERICr}r)rrrrrrwrwrx_ades_process_attached_tss r) signed_data temp_statusts_validation_contextrrc s2|j}|j}t|}d}|tjtjfkrt||dt|ddj dIdH} | j t j kr| j }|dk slt|dk rt|j|}n|j}|tjkr|j} | dk st| j} tj} n|jj} tj} |dk st|| kr| }t|} tj| j| j||ddIdH}|p t j }t||||tf|d|jd|idS)NT signed_attrsZmessage_digestrr)Zsd_attr_certificates signer_certrZsd_signed_attrsvalidation_time)rrrrrrrr)rrrFextract_signer_infor8REVOKED_NO_POEOUT_OF_BOUNDS_NO_POErrBrvrr9OKrAssertionErrormax timestamprevocation_detailsrevocation_dater7ZREVOKED signing_certnot_valid_afterZEXPIREDr@Zcollect_signer_attr_statusZattribute_certsrrrMr)rrrrrrZades_trust_statusr ts_statusZcontent_ts_result revo_detailscutoffZ perm_status cert_infoZattr_status_kwargsrrwrwrxrsl           r)rrrcCsZ|jj||d}|jdk r,|jj||d}n|}|jdk rL|jj||d}nd}|||fS)Nr)rrrZac_validation_policy)rrrrrrrwrwrx _init_vcs-s(  r)r raw_digestrrr) rrrrrrrrricsdSrrwrrrrrrrrrwrwrxr\Os )rrrrrrrricsdSrrwrrrrrrrrwrwrxr\]s c s|p t}|dkr t||d}t|||\}} } t||| | |j|||||jd IdH} t| trf| S| j t ddd} t t |t | t | t | } t| j| d| dS)u Validate a CMS signature according to ETSI EN 319 102-1 § 5.3. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nr) rrrrkey_usage_settingsrrrralgorithm_policyFTrr)r*rrZr_ades_basic_validationr signature_algorithm_policyrrarrNr}rrr)rrrrrrrrrrrrrrrwrwrxr\jsT$   ) rrrrr rrrr rric  st|pi} tt|t|t|} z(tj|||||dIdH} | | WnBtjk r} z"t| j plt j | j d| dWYSd} ~ XYnX| f| }|j sttj|d| dS|jsttj|d| dSt|||||dIdH}| |_|S)N)rrr r rrr)rr}rrFZcms_basic_validationrrErrarr8rfailure_messagerr7rrrrr)rrrrr rrrr rrrrerrrwrwrxr s\     r c@s"eZdZUeed<eeed<dS)rbbest_signature_timerN)rrrrrrrwrwrwrxrbs csdSrrwrrwrwrxr] s csdSrrwrrwrwrxr]s c s*|p t}|dkr t||d}t|||\}} } |dddj} |j| } t||| | |j|||||jd IdH} t | t rt t |t | t | t | j}t| j| j| j| ||dS| jtkrt | tst| j}| j|ddd }t t |t | t | t |}t| j|d| ||dSt|}| j|d dd }t|}|dkrt t |t | t | t | }ttj|d |j||dSt||d |d IdH}t t |t | t | t | t |j}|jtjkrt|j|d| ||dS|j}t |t st| dk rt!|j"| } n|j"} || _#| | _$| jtj%krX|j&}| |j'krt| j|d| ||dSnr| jtj(kr| |j)j*krttj+|d| ||dSn>| jtj,ks| jtj-kr| |j.krt| j|d| ||dS|dk r|| krttj/|d| ||dSd| _0d| j1d <| j|ddd }ttj|d| ||dS)u Validate a CMS signature with time according to ETSI EN 319 102-1 § 5.5. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param raw_digest: The expected message digest attribute value. :param timing_info: Data object describing the timing of the validation. Defaults to :meth:`.ValidationTimingInfo.now`. :param validation_data_handlers: Data handlers to manage validation data. :param extra_status_kwargs: Extra keyword arguments to pass to the signature status object's ``__init__`` function. :param status_cls: The class of the resulting status object in pyHanko's internal validation API. :param signature_not_before_time: Time when the signature was known _not_ to exist. :return: A :class:`.AdESBasicValidationResult`. Nrrjrrk) rrrr rrrrr )rrrrrrTrFzNo signature timestamp presentrr)2r*rrZrrv poe_managerr r r rrar}rrrrbrr_WITH_TIME_FURTHER_PROCrrrrrFrZcompute_signature_tst_digestr8ZSIG_CONSTRAINTS_FAILURErrr9rrOminrrrrrrrrnot_valid_before NOT_YET_VALIDr TRY_LATERZerror_time_horizonZTIMESTAMP_ORDER_FAILURErr)rrrrrrrrrrr sig_bytesrrrrrrrZ sig_ts_resultrrrrwrwrxr]&sX$                  c@s4eZdZejedddZejeedddZ dS) _TrustNoOne)rricCsdS)NFrwrrrwrwrxis_root sz_TrustNoOne.is_rootcCstdSr)rrrwrwrxfind_potential_issuerssz"_TrustNoOne.find_potential_issuersN) rrrr Certificateboolrr rrrwrwrwrxr srrrrcstfdd|jDS)Nc3s|]}|jjkVqdSr)rleaf)r prov_pathrrrwrx sz0_crl_issuer_cert_poe_boundary..)anyZ prov_pathsrrwr rx_crl_issuer_cert_poe_boundarysr#rrrcCs||jj|kSr)rrr$rwrwrx_ocsp_issuer_cert_poe_boundarysr%)rrrrevocation_checking_rulecsj}|jtd}tjdfdd tfdd|D}j}g}g} t} |D]} | IdH\} } | D]8}t |j |r| |qv|j j }| t|qv| D]8}t|j |r| |q|jj}| t|qq`|s| rj| j| || fS)N)r trust_manager)isscs$tt|gd}t|jdS)N)Z trust_anchorZintermr)rrevinfo_managerrr&)r+rr)r))r(Ztruncated_path)rrr&rrwrx_for_candidate_issuer6szB_find_revinfo_data_for_leaf_in_past.._for_candidate_issuercsg|] }|qSrwrw)rr()r*rwrx Bsz7_find_revinfo_data_for_leaf_in_past..) cert_registryrrrrasyncioZ as_completedrsetr#rappendrrqroaddr(r%Z ocsp_responsersr)Z evict_crlsZ evict_ocsps)rrrr&registryZcandidate_issuersZ job_futuresrrrZto_evictZ fut_resultsZnew_crlsZ new_ocspsZcrl_oiZ revinfo_dataZocsp_oirw)r*rrr&rrx#_find_revinfo_data_for_leaf_in_past#sJ        r2)rvalidation_policy_specrric st|j|jd}d}||}zd|2zX3dHW}tt|||ddIdH}|j}|j }|dkr$|dk slt ||fW Sq$6W5|IdHXd} |dk rt j | |dnt j | dt jddS)N)r'r1)rr3rinit_control_timez2Unable to construct plausible past validation pathr rz": no prima facie paths constructed)r/r'r,Zasync_build_paths_lazycancelrFZhandle_certvalidator_errorsr"Zerror_subindicZsuccess_resultrrErr8ZNO_CERTIFICATE_CHAIN_FOUND) rr3rZ path_builderZcurrent_subindicationpathsZ cand_path past_resultrrrwrwrx_build_and_past_validate_certjs@   r9)rrrcurrent_time_sub_indicr4 is_timestampricsbt|d|d}|dddj}||}z t|} | j} |j| jWn$tk rltj dt j dYnX|r|j p||j } n|j } t| ||| jjjdIdH\t| | |d IdH\} } fd d }|| krP|t jks|t jkr|| S|t jt jfkr | S|t jt jfkrP|| jkr:tj d tjd n|| jkrP|| Stjd|d dS)NT)Z is_historicalpoe_manager_overriderjrrkz,signer certificate not included in signaturer)rr&)r3rcs$tps tj}tjd|ddS)N)zoPOE for signature available, but could not obtain sufficient POE for the issuance of the revocation informationr5)rr8REVOCATION_OUT_OF_BOUNDS_NO_POErErrZ leaf_crlsZ leaf_ocspsrwrx(_pass_contingent_on_revinfo_issuance_poes  zQ_ades_past_signature_validation.._pass_contingent_on_revinfo_issuance_poez'Signature predates cert validity periodr5zHPast signature validation did not manage to improve current time result.)rZrvr@rr,Zregister_multipleZ other_certsr<rErr8ZNO_SIGNING_CERTIFICATE_FOUNDrrr2Zrevinfo_policyZrevocation_checking_policyZee_certificate_ruler9rrREVOKED_CA_NO_POErrOUT_OF_BOUNDS_NOT_REVOKEDrr7rrZSigSeedValueValidationError)rrrr:r4r;rsignature_bytesrrrrZ cert_pathrr?rwr>rx_ades_past_signature_validations~     rC)rrrr:r4ric s|d}|djdk}|dkr.tjtd}z"t||||||dIdHtjWStj k r}zt ||j pxt jWYSd}~XYn6tk r}zt |t jWYSd}~XYnXdS)u Validate a CMS signature in the past according to ETSI EN 319 102-1 § 5.6.2.4. This is internal API. .. danger:: The notion of "past validation" used here is only valid in the narrow technical sense in which it is used within AdES. It should _never_ be relied upon as a standalone validation routine. :param signed_data: The ``SignedData`` value. :param validation_spec: Validation settings to apply. :param poe_manager: The POE manager from which to source existence proofs. :param current_time_sub_indic: The AdES subindication from validating the signature at the current time with the relevant settings. :param init_control_time: Initial value for the control time parameter. :return: An AdES subindication indicating the validation result after going through the past validation process. encap_content_info content_typetst_infoNtzrrrr:r4r;)rvrrtzlocal get_localzonerCr9rrErloggerwarningrr8rr!Z!CERTIFICATE_CHAIN_GENERAL_FAILURE)rrrr:r4Zecir;rrwrwrxades_past_signature_validations("    rNc@seZdZUeed<eed<dS)_PrimaFaciePOEItemdigestvalidation_objectN)rrrbytesrr&rwrwrwrxrO7s rOc@sReZdZUeed<eed<eeed<ej ed<e ed<e ed<e ddd Z d S) _PrimaFaciePOEFromTimeStamp pdf_revision timestamp_dt poes_impliedtimestamp_token_signed_data doc_digest forensic_info)managerc Cs.|jD]"}|ttj|j|j|jdqdSN)poe_typerPZpoe_timerQ)rVZregister_known_poer#r% VALIDATIONrPrUrQ)rrZthingrwrwrxadd_to_poe_managerGs z._PrimaFaciePOEFromTimeStamp.add_to_poe_managerN)rrrintrrrrOr SignedDatarRrr$r_rwrwrwrxrS=s   rS)sdriccsd|dD]V}|j}|}|jdkr,tj}n|jdkrtj}nqt|}t|t||ddVqdS)NZ certificatesZ certificateZ v2_attr_certrlrnrPrQ) Zchosenronamer'rmOTHERr(rOr&)rbZ cert_choicerdataZvo_typerPrwrwrx&_extract_cert_digests_from_signed_dataSs    rhcCs|ddj}|djS)NrDcontentgen_time)parsedrv)rbrFrwrwrx_get_tst_timestampmsrl)revinfo_archivalriccsh|dD](}tt|ttjt|ddVq|dD](}tt|ttjt|ddVq:dS)Nrrcrdr) rOr(ror&r'rpr1rrr2)rmrrrwrwrx._read_validation_objects_from_revinfo_archivalrs      rn)dssric cs|jD]4}|j}tt|ttjtt |ddVq|j D]4}|j}tt|ttj t t |ddVqB|jD]2}|j}tt|ttjtj |ddVqdS)Nrcrd)r get_objectrgrOr(r&r'rpr1rloadrrrr2rcertsrrmrr)roZcrl_objrgZocsp_objZcert_objrwrwrx!_read_validation_objects_from_dsss6          rs)rinclude_content_ts diff_policyric CsZt}t}g}t|jD]8\}}|j||dkdt||jd}|j} d} d} |jdkrf| } d} n|rztj |j dd} | dk rzt |} | t| Wntk rYnX| ||} |tjk}|r |t|jt| t|| | |dt}| t| | t| |j d}| snzt|d }| t|Wnttfk rlYnX|j d j}|t t!|t"t#j$|jd d zt%|d }Wntt&fk rd}YnXzt%|j dd}Wntt&fk rd}YnXt'(||D]H}|d}|dD]0}|d j}|t t!|t"t#j)|d d qq q|S)N)Z skip_diff)revisionFz /DocTimeStampTr)rTrUrVrWrXrYrZadobe_revocation_info_archivalrkrcrdZcontent_time_stamprwZunsigned_attrsZsignature_time_stamprirj)*r. enumerateZembedded_signaturesZcompute_integrity_infor5signed_revisionrZsig_object_typerFrrrCread_dssrrsrTcompute_digestZevaluate_signature_coveragerKZENTIRE_REVISIONr/rSrl frozensetsummarise_integrity_inforhrBrnr>r?rvr0rOr(r&r'rtrAr=rrru)rtrurvZcollected_so_farZ for_next_tsprima_facie_poe_setsix embedded_sigZ hist_handlerrZts_signed_dataZ is_doc_tsrorXZcoverage_normalrZ revinfo_attrrZ content_tsesZsignature_tsesZts_dataZts_data_contentZts_signer_infoZ ts_sig_bytesrwrwrx0_build_prima_facie_poe_index_from_pdf_timestampss           r)r~rcur_timing_inforic s6t|ddd}|p"tjtd}t}|j|t|D]\}}t |}|t |dkrt||d}||t |||d} t |j |||j| |jtdIdH} | j} | jtjkr||q>| jtjkrtjd| d q>t| tstt|j ||| |jd IdH} | jtjkr"||q>tjd | d q>|S) NcSs|jSrrT)prwrwrxhz+_validate_prima_facie_poe..)keyrGrRrr<)rrrrrrrz9Permanent failure while evaluating timestamp in PoE chainr)rrrr:r4zZCould not validate timestamp in PoE chain at current time, and past validation also failed)sortedr*rrJrKr$local_knowledger_rxrlenrZr_rWrXrYrHrrr:ZPASSEDZFAILEDrErrr8rrNr) r~rrZcandidate_poesZresulting_poesrpoeZtemporary_poesZnext_poerZcur_time_resultZ sub_indicr8rwrwrx_validate_prima_facie_poe^s`          rc@s*eZdZUdZeeed<eeed<dS)rcu Result of a PAdES validation for a signature providing long-term availability and integrity of validation material. See ETSI EN 319 102-1, § 5.6.3. oldest_evidence_record_timestampsignature_timestamp_statusN)rrrrrrrrarwrwrwrxrcs  )rrrrric sX|jdj}|j}|jp|j}|j}|dkr0dS|}|dk sDtt||||t |||ddIdH} | j } t | t r| t krz@t|||| |jddIdH} ttjtj| j| dd| jd} WnBtjk r} z t| jp| | j| j| jd} W5d} ~ XYnXn| } |d d j}|dk rT|j|d d |jd rT|dj}|||| S)Nrkr)rrrrrTrI)rrrrDriZmessage_imprintZhash_algorithm)Zmomentrj)rrvZattached_timestamp_datarralgorithm_usage_policyZcompute_tst_digestrr_rZrrr8_LTA_TS_FURTHER_PROCrCrrar9rrreplacerrrErrr rkZdigest_algorithm_allowedregister)rrrrrBZ signature_tsrrrZsignature_ts_prelim_resultZts_current_time_sub_indicrsignature_ts_resultrrFZsignature_ts_dtrwrwrx_process_signature_tssx        rreadercCshzHt|}dd|jD}dd|jD}t|}t|||d}Wntk rbt}YnX|S)NcSs,g|]$}tt|jD]}|qqSrw)r2rrrqrprg)rresprrwrwrxr++s z+_dss_to_local_knowledge..cSs"g|]}tt|jdqS))rq)r1rrqrprg)rrrwrwrxr+2s) known_ocsps known_crls known_certs)rCrzrrlistZ load_certsrUrT)rroZ dss_ocspsZdss_crlsZ dss_certsrrwrwrx_dss_to_local_knowledge&s"    r)rpdf_validation_specrrric s|ptjtd}tjd|jd}|j}|j}t jd}t |j |j |j |j |j |j |j|jd}tj||d} d} d} zXt|| |dIdH} ttfd d |d d dd } | dk r| j} n|jstd Wn4tjk r} ztjd| dW5d} ~ XYnX| dkr*t} || | dk s8tt| |t| d}tj | ||!|"t#dIdH}|j$}|t%krd|d}t&||j'||j(|j)| d|j*dSj+dj,}| j-|t.j/|j(dt0| t| |dIdH}t1|t2r~t| }z&t3j | |||j4ddIdH|} WnZtjk r|} z8||}t&| j5pL|| j6|j'||j)|| |j*dWYSd} ~ XYnX| |}| j7j8}z2j9}|dk rt:j+|||j;dt.cSs|jSrrrrwrwrxrr)rdefaultzRNo document timestamps after signature; proceeding without past proof of existencezXDocument timestamp chain failed to validate; proceeding without past proof of existence.)exc_info)rrr<)rrrrrrrrz?Validation of signature at current time failed with indication z!. Past validation not applicable.)rrrrrrrrrk)r\dt)rrrFrI)rrrrrrrr)rrr)rrrrrrrr)>r*rrJrKrrrvsignature_validation_specrrrUrrrrrrrrrfilterrUrLrMrErr$r_rrZrr]rr{r}rIr_LTA_FURTHER_PROCrcrrrrrrvrr%r]rrr8rCrrr rrrrrr9r)rrrrZpoe_listrZinit_local_knowledgeZ dss_factsrZaugmented_validation_specZupdated_poe_managerrZoldest_docts_recordrZwith_time_data_handlersZsignature_prelim_resultr:rrBrZpast_sig_poe_managerZsig_poerrrrrwrrxr^As"                  )rrfuture_validation_timecurrent_reference_timeric s|ptjtjdt|d|d}t|jddd|j}|jt |jt j }z&|jj d}| t|jj|dWntk rYnXfdd }tjt ||d } tj|tj|ttj| d d } t|| |d IdHS)a .. versionadded:: 0.21.0 Simulate a future LTA validation of a PDF signature, assuming perfect timestamp maintenance until the specified point in time. .. warning:: This is experimental API. The purpose of this utility function is to act as a sanity check for signers and signature archivists. It takes validation spec, a future validation time and a current reference time (defaults to the current time), and, by fiat, generates proofs of existence for all relevant objects in the PDF for that reference time. It then executes the PAdES LTA validation algorithm with that set of PoEs against the future validation time, with all remote fetching functionality disabled. The idea is that this allows the caller to assess whether a signature is "LTA maintainable", i.e. whether it contains the necessary information for the signature to remain validatable if the timestamp chain is extended properly. If this check fails but the signature validates at the current time, it may indicate a lack of contemporaneous revocation information. :param embedded_sig: The signature under scrutiny. :param pdf_validation_spec: The validation spec against which the simulated validation should be executed. :param future_validation_time: The future validation time at which the validation should be simulated. :param current_reference_time: The reference time at which all relevant objects in the PDF are presumed to have been proven to exist for the purposes of the (future) validation being simulated. Defaults to the current time. :return: An AdES LTA validation result. rGT)rZpoint_in_time_validationrNr)atc3sREdHEdHD](}|jD]}ttj|j|jdVq.q$dSr[)Zassert_existence_known_atrVr#r%ZPROVIDEDrPrQ)Zprima_facie_poeitemZ dss_knowledgerZorig_local_knowledgeZprima_facie_poesrwrx_poescs z2simulate_future_ades_lta_validation.._poes)rr)Zrevinfo_gathering_policyr)r)r)rrrutcr*rrrrrrrZembedded_timestamp_signaturesr/r-rsha256 IndexErrorrrrXrWZ LOCAL_ONLYr^) rrrrrZorig_sig_validation_specZnew_nonrevoked_assertionsZlast_tsrZupdated_local_knowledgeZupdated_pdf_validation_specrwrrxr`s\,    )N)N)NN)N)rr-rrloggingrrrrtypingrrrr r r r r rrrrrrrrJZ asn1cryptorrrZasn1_pdfrrZasn1crypto.crlrZasn1crypto.ocsprZpyhanko_certvalidatorrZpyhanko_certvalidator.authorityrrZpyhanko_certvalidator.contextrr Zpyhanko_certvalidator.errorsr!Z#pyhanko_certvalidator.ltv.ades_pastr"Zpyhanko_certvalidator.ltv.poer#r$r%r&r'r(Z$pyhanko_certvalidator.ltv.time_slider)Zpyhanko_certvalidator.ltv.typesr*Zpyhanko_certvalidator.pathr+Z!pyhanko_certvalidator.policy_declr,r-r.Zpyhanko_certvalidator.registryr/r0Z&pyhanko_certvalidator.revinfo.archivalr1r2Z*pyhanko_certvalidator.revinfo.validate_crlr3Z+pyhanko_certvalidator.revinfo.validate_ocspr4Zpyhanko.pdf_utils.readerr5r6Zpyhanko.sign.ades.reportr7r8r9r:r;Zpyhanko.sign.generalr<r=r>r?r@rArBZpyhanko.sign.validationrCrDrErFZ pyhanko.sign.validation.settingsrGZpyhanko.sign.validation.statusrHrIrJrKrLrMrNrOZ diff_analysisrQrorSrTZ policy_declrUrVrWrXrYrZutilsr[__all__ getLoggerrrLrerRryrrdr}rarrar_Z SignerInfoZ PublicKeyInforrrrrrrrr\r rbr|rrrr@rrrr]rr#r%rr2r9rCrNrOrSrhrlZRevocationInfoArchivalrnrsrrrAr=rrrcrrr^r`rwrwrwrxs   D            $  (       $  9    6  U "  Q ?   e    H , o 8   ! > I   Q  b