U g\ @s.ddlZddlmZddlmZddlmZddlmZmZm Z ddl m Z ddl m Z ddlmZdd lmZmZmZdd lmZd d lmZd d lmZmZmZddlmZddlmZm Z m!Z!ddl"m#Z#m$Z$m%Z%m&Z&ddl'm(Z(m)Z)ddl*m+Z+ddl,m-Z-m.Z.m/Z/ddddddgZ0e1e2Z3e de.dZ4GdddeZ5eej6ej6dZ7dd Z8eej9ej9dZ:d!d"Z;eeee?d&d'dZ@eee(d(d)dZAeGd*d+d+ZBe(d,d-d.ZCeBd/d0d1ZDd9e(e5ee<eeeeee+eEe-d3d4dZFe jGd5d6dZHd:e jGed7d8dZIdS);N) dataclass)datetime)Enum)IteratorOptionalTypeVar)cms)pdf)ValidationContext)CertRevTrustPolicyRevocationCheckingPolicyRevocationCheckingRule) PdfFileReader) DiffPolicy)MultivaluedAttributeErrorNonexistentAttributeErrorfind_unique_cms_attribute)DocumentSecurityStore)NoDSSFoundErrorSignatureValidationErrorValidationInfoReadingError)async_validate_cms_signaturecms_basic_validationcollect_signer_attr_statusvalidate_tst_signed_data)EmbeddedPdfSignaturereport_seed_value_validation)KeyUsageConstraints)PdfSignatureStatusSignatureStatusTimestampSignatureStatusRevocationInfoValidationTypeapply_adobe_revocation_inforetrieve_adobe_revocation_infoget_timestamp_chain async_validate_pdf_ltv_signatureestablish_timestamp_trust StatusType)boundc@s(eZdZdZdZdZdZeddZdS)r#zP Indicates a validation profile to use when validating revocation info. adobeZpadesz pades-ltacCstdd|DS)Ncss|] }|jVqdS)N)value).0mr/?/tmp/pip-unpacked-wheel-owvgwkas/pyhanko/sign/validation/ltv.py Usz8RevocationInfoValidationType.as_tuple..)tuple)clsr/r/r0as_tupleSsz%RevocationInfoValidationType.as_tupleN) __name__ __module__ __qualname____doc__ ADOBE_STYLEPADES_LT PADES_LTA classmethodr4r/r/r/r0r#;s )Zee_certificate_ruleZintermediate_ca_cert_rulecKstfdti|SNrevocation_checking_policy)r &DEFAULT_LTV_INTERNAL_REVO_CHECK_POLICYkwargsr/r/r0!_default_ltv_internal_revo_policy^s rBcKstfdti|Sr=)r %STRICT_LTV_INTERNAL_REVO_CHECK_POLICYr@r/r/r0 _strict_ltv_internal_revo_policyks rD) timestampvalidation_context_kwargscCsd|d<||d<|dd}|dd}|dkrl|dd}|rX|dkrXtt|}q~|dkr~t|d}n|jjs~t|d}||d<dS) NFallow_fetchingmomentrevinfo_policyretroactive_revinforevocation_modez soft-failrJ) getpopr r Z from_legacyrBr>Z essentialrD)rErFrI retroactiveZ legacy_rmr/r/r0_strict_vc_context_kwargsrs,   rP)tst_signed_datavalidation_contextexpected_tst_imprintcsDt|||IdH}tf|}|jr(|js@td|td|S)a Wrapper around :func:`validate_tst_signed_data` for use when analysing timestamps for the purpose of establishing a timestamp chain. Its main purpose is throwing/logging an error if validation fails, since that amounts to lack of trust in the purported validation time. This is internal API. :param tst_signed_data: The ``SignedData`` value to validate; must encapsulate a ``TSTInfo`` value. :param validation_context: The validation context to apply to the timestamp. :param expected_tst_imprint: The expected message imprint for the ``TSTInfo`` value. :return: A :class:`.TimestampSignatureStatus` if validation is successful. :raises: :class:`SignatureValidationError` if validation fails. Nz0Could not validate embedded timestamp token: %s.z\Could not establish time of signing, timestamp token did not validate with current settings.)rr"ZvalidZtrustedloggerwarningsummaryr)rQrRrSZtimestamp_status_kwargstimestamp_statusr/r/r0r(s   )readerreturncCstddt|jS)a: Get the document timestamp chain of the associated reader, ordered from new to old. :param reader: A :class:`.PdfFileReader`. :return: An iterable of :class:`~pyhanko.sign.validation.pdf_embedded.EmbeddedPdfSignature` objects representing document timestamps. cSs|jdddkS)Nz/Typez /DocTimeStamp)Z sig_objectrM)sigr/r/r0z%get_timestamp_chain..)filterreversedZembedded_signatures)rXr/r/r0r&sc@s2eZdZUeed<eeed<eed<eed<dS)_TimestampTrustData latest_dtsearliest_ts_statusts_chain_lengthcurrent_signature_vc_kwargsN) r5r6r7r__annotations__rr"intdictr/r/r/r0r_s  r_) emb_timestampcCs`z$|j|j}t|}||WStk rZ|dd|ddtf|YSXdS)Ncrlsr/ocsps) rXZget_historical_resolversigned_revisionrread_dssas_validation_contextr setdefaultr )rgrFZ hist_resolverdssr/r/r0_instantiate_ltv_vcs    ro)rYc st|}t|}|}d}d}d}t|D]H\}}|j|kr>qr|} t|j|| IdH}t|j|t ||}q(t |||d|dS)Nr)r`rarbrc) r&rf enumeraterjcompute_digestr( signed_datarPrEror_) rXbootstrap_validation_contextrFuntil_revisionZ timestamps current_vcZ ts_statusZts_countrgexternal_digestr/r/r0_establish_timestamp_trust_ltas:  rxF) embedded_sigvalidation_typerFrt diff_policykey_usage_settings skip_diffrYc st|pi} | dd| dd| d} |rVt| d| d<|dk rt| d|d<n4d| kr| dt| d|dk r|dt| d|j} |tjkrd} |ptf| } n6t | } |dkr| j | dd } n|} | j | ||d}d}d }|tjkrt| | | |jd IdH}|j}|j} |jrDt|j| } |jdkrd|tjkrdtd |tjks|jd kst|j}|j}|j}|dk r|j}|dk stt|| |IdH}|dk st|j}|| d<|dk r||d<n|tjkr|d krtd|dkr"tdt|j| d}|tjkrt |j!\}}|| d<|| d<tf| }|dk r||d<||d<tf|}nf|tjkr| dk st| | }|dk r| |}n,|dk stt|| }|dk rt||}|dk s|tjkrN|dk r|}n|dk s&t|j"}t#|t$|d|jid}|IdH}n|}|j%||d|&}|'|j|dt()|}t*|j"|j+|||dIdH}t,||ddd|dk r|j |j-|'t.|j/|j0||j!ddIdHt(f|S)a  .. versionadded:: 0.9.0 Validate a PDF LTV signature according to a particular profile. :param embedded_sig: Embedded signature to evaluate. :param validation_type: Validation profile to use. :param validation_context_kwargs: Keyword args to instantiate :class:`.pyhanko_certvalidator.ValidationContext` objects needed over the course of the validation. :param ac_validation_context_kwargs: Keyword arguments for the validation context to use to validate attribute certificates. If not supplied, no AC validation will be performed. .. note:: :rfc:`5755` requires attribute authority trust roots to be specified explicitly; hence why there's no default. :param bootstrap_validation_context: Validation context used to validate the current timestamp. :param force_revinfo: Require all certificates encountered to have some form of live revocation checking provisions. :param diff_policy: Policy to evaluate potential incremental updates that were appended to the signed revision of the document. Defaults to :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`. :param key_usage_settings: A :class:`.KeyUsageConstraints` object specifying which key usages must or must not be present in the signer's certificate. :param skip_diff: If ``True``, skip the difference analysis step entirely. :return: The status of the signature. rGTrJFrLrINrK)Zinclude_revinfor)rFruz>Purported PAdES-LTA signature does not have a timestamp chain.rrHzlPAdES-LTA signature requires separate timestamps protecting the signature & the rest of the revocation info.z+LTV signatures require a trusted timestamp.rirhrE)Z status_clsrR status_kwargs)r{r})Zsigner_reported_dtZtimestamp_validity)Z raw_digestrRr~r|Zvalidation_path)Ztimestamp_found signed_attrs)Zsd_attr_certificates signer_certrRZsd_signed_attrs)1rfrmrBrDrXr#r9r rrkrlZcertificate_registryZregister_multipleZ load_certsrrZcompute_tst_digestrxrjrbrcr`rorar;rr:AssertionErrorZattached_timestamp_datatst_signature_digestr(rErPr% signer_inforsrr"Zcompute_integrity_infoZsummarise_integrity_infoupdater Zdefault_usage_constraintsrrwrZother_embedded_certsrZembedded_attr_certsr)ryrzrFrtZac_validation_context_kwargsZ force_revinfor{r|r}Z vc_kwargsrOrXrnrvZearliest_good_timestamp_str`rbZ ts_trust_datarQrZ signature_poeZ stored_ac_vcrirhZ stored_vcZts_to_validateZts_status_cororWr~r/r/r0r's^4                                )rc Cslzt|dd}Wn0ttfk rB}ztd|W5d}~XYnXt|dpPd}t|dp`d}||fS)a' Retrieve Adobe-style revocation information from a ``SignerInfo`` value, if present. Internal API. :param signer_info: A ``SignerInfo`` value. :return: A tuple of two (potentially empty) lists, containing OCSP responses and CRLs, respectively. rZadobe_revocation_info_archivalz@No revocation info archival attribute found, or multiple presentNZocspr/Zcrl)rrrrlist)rZrevinfoerirhr/r/r0r%Ds )rrYcCs(|pi}t|\}}tf||d|S)ag Read Adobe-style revocation information from a CMS object, and load it into a validation context. :param signer_info: Signer info CMS object. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :return: A validation context preloaded with the relevant revocation information. )rirh)r%r )rrFrirhr/r/r0r$_s )NNNFNNF)N)JloggingZ dataclassesrrenumrtypingrrrZ asn1cryptorr Zasn1_pdfZpyhanko_certvalidatorr Z!pyhanko_certvalidator.policy_declr r r Zpyhanko.pdf_utils.readerrZ diff_analysisrZgeneralrrrrnrerrorsrrrZ generic_cmsrrrrZ pdf_embeddedrrsettingsrstatusr r!r"__all__ getLoggerr5rTr)r#ZCHECK_IF_DECLAREDr?rBZCRL_OR_OCSP_REQUIREDrCrDrfrPZ SignedDatabytesr(r&r_rorxboolr'Z SignerInfor%r$r/r/r/r0s             & +   0 -