U ^Ph`@sddlZddlZddlmZddlmZddlmZmZddl m Z ddl m Z ddl mZddlmZdd lmZmZdd lmZdd lmZmZdd lmZdd lmZddlmZddlm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)dddddgZ*ddl+m,Z,ddl-m.Z.e/e0Z1eGdddZ2ddZ3Gd ddZ4d'e)ed"d#dZ5d!d$d!dd!ej6d$fe)ee7d%d&dZ8dS)(N) dataclass)field)IterableOptional)crl)ocsp)x509) Certificate)CertificateValidatorValidationContext)ValidationPath)genericmisc)pdf_name)IncrementalPdfFileWriter) get_and_apply) PdfHandler)BasePdfFileWriter)extract_certificate_info)NoDSSFoundErrorValidationInfoReadingError)EmbeddedPdfSignatureVRIDocumentSecurityStoreasync_add_validation_infocollect_validation_infoenumerate_ocsp_certs)SerialisedCredential) PdfFileReaderc@sXeZdZUdZeedZeed<eedZeed<eedZ eed<e j dddZ d S) raA VRI dictionary as defined in PAdES / ISO 32000-2. These dictionaries collect data that may be relevant for the validation of a specific signature. .. note:: The data are stored as PDF indirect objects, not asn1crypto values. In particular, values are tied to a specific PDF handler. )default_factorycertsocspscrlsreturncCsbttdtdi}|jr0t|j|td<|jrJt|j|td<t|j|td<|S)zT :return: A PDF dictionary representing this VRI entry. z/Type/VRIz/OCSPz/CRLz/Cert)r DictionaryObjectrr$ ArrayObjectr%r#)selfvrir-N/var/www/ecomprj/mb/lib/python3.8/site-packages/pyhanko/sign/validation/dss.py as_pdf_objectBszVRI.as_pdf_objectN) __name__ __module__ __qualname____doc__ data_fieldsetr#__annotations__r$r%r r)r/r-r-r-r.r's  ccsD|dj}|dkr@|d}|djdkr@|dj}|dEdHdS) zJ Essentially nabbed from _extract_ocsp_certs in ValidationContext Zresponse_statusZ successfulresponse_bytesZ response_typeZbasic_ocsp_responseresponser#N)nativeparsed)Z ocsp_responsestatusr7r8r-r-r.rPs   c @seZdZdZd*eedddZeddZdd Z d d Z d d Z ddZ e ejdddZddddddZddZeejdddZd+edddZeedddd Zeddddddd!eedd"d#d$Zedddddd%dddd& eeeeed'd(d)ZdS),rz, Representation of a DSS in Python. Nwriterc Cs|dk r |ni|_|dk r|ni|_|dk r0|ng|_|dk rB|ng|_||_|dk rZ|nt|_i}|jD]}|j } ||| <qn||_ i} |jD]} | j } | | | <q| |_ d|_ dS)NF) vri_entriesr#r$r%r=r r)backing_pdf_object get_objectdata _ocsps_seen _crls_seen _modified) r+r=r#r$r%r>r?Z ocsps_seenocsp_refZ ocsp_bytesZ crls_seencrl_refZ crl_bytesr-r-r.__init__bs(       zDocumentSecurityStore.__init__cCs|jSN)rDr+r-r-r.modifiedszDocumentSecurityStore.modifiedcCs(|js$d|_|jdk r$|j|jdS)NT)rDr?r=Zupdate_containerrIr-r-r._mark_modifieds z$DocumentSecurityStore._mark_modifiedc csn|D]d}|}z||VWqtk rf|jtj|d}||||<|||VYqXqdS)NZ stream_data)dumpKeyErrorr= add_objectr StreamObjectrKappend)r+ZobjsseendestobjZ obj_bytesrefr-r-r._cms_objects_to_streamss  z-DocumentSecurityStore._cms_objects_to_streamscs fdd}fdd|DS)Nc3sD]}t|EdHqdSrH)r)respr$r-r. extra_certsszADocumentSecurityStore._embed_certs_from_ocsp..extra_certscsg|]}|qSr- _embed_cert).0Zcert_rIr-r. sz@DocumentSecurityStore._embed_certs_from_ocsp..r-)r+r$rYr-)r$r+r._embed_certs_from_ocsps z,DocumentSecurityStore._embed_certs_from_ocspcCsf|jdkrtdz|j|jWStk r4YnX|jtj|d}| ||j|j<|S)N"This DSS does not support updates.rL) r= TypeErrorr# issuer_serialrNrOr rPrMrK)r+certrUr-r-r.r[s  z!DocumentSecurityStore._embed_certr&cCs"t|}td|S)a Hash the contents of a signature object to get the corresponding VRI identifier. This is internal API. :param contents: Signature contents. :return: A name object to put into the DSS. /)hashlibsha1digesthexupperr)contentsidentr-r-r.sig_content_identifiers z,DocumentSecurityStore.sig_content_identifierr-r#r$r%c sjdkrtdt|}t|}t}t}fdd|D}|rZt|jj}|rtt|jj}| t ||dk rt |||d}j | j|<dS)a Register validation information for a set of signing certificates associated with a particular signature. :param identifier: Identifier of the signature object (see `sig_content_identifier`). If ``None``, only embed the data into the DSS without associating it with any VRI. :param certs: Certificates to add. :param ocsps: OCSP responses to add. :param crls: CRLs to add. Nr_csh|]}|qSr-rZ)r\rbrIr-r. sz5DocumentSecurityStore.register_vri..rl)r=r`listr5rVrBr$rCr%updater^rrOr/r>rK) r+ identifierr#r$r% ocsp_refscrl_refs cert_refsr,r-rIr. register_vris4  z"DocumentSecurityStore.register_vricCsl|j}tt|j|d<|jr4t|j|d<|jrNt|j|t d<|j rht|j |t d<|S)z Convert the :class:`.DocumentSecurityStore` object to a python dictionary. This method also handles DSS updates. :return: A PDF object representing this DSS. /Certsr(/OCSPs/CRLs) r?r r*rnr#valuesr>r)r$rr%)r+Zpdf_dictr-r-r.r/sz#DocumentSecurityStore.as_pdf_objectccs.|jD]}|}t|j}|Vq dS)z Return a generator that parses and yields all certificates in the DSS. :return: A generator yielding :class:`.Certificate` objects. N)r#rxr@r loadrA)r+cert_ref cert_streamrbr-r-r. load_certs s z DocumentSecurityStore.load_certsTc Cst|}|dg}t||}|rt|dd}|jD]$}|}tj|j }| |q>||d<t|dd} |j D]$} | } t j | j } | | q| |d<tfd|i|S)ag Construct a validation context from the data in this DSS. :param validation_context_kwargs: Extra kwargs to pass to the ``__init__`` function. :param include_revinfo: If ``False``, revocation info is skipped. :return: A validation context preloaded with information from this DSS. other_certsr$r-r%)dictpoprnr|r$r@ asn1_ocsp OCSPResponseryrArQr%asn1_crlCertificateListr ) r+Zvalidation_context_kwargsZinclude_revinforYr#r$rE ocsp_streamrWr%rF crl_streamrr-r-r.as_validation_contexts"     z+DocumentSecurityStore.as_validation_context)handlerr'c CsLz|jd}Wn*tk r8}z t|W5d}~XYnXi}t|dtgd}|D]"}|}t|j}|||j <qRt|dtgd} g} | D]$} | } t j | j} | | qt|dtgd}g}|D]$}|}t j|j}| |qzt|d}Wntk rd}YnXt|tr0|}nd}|||| |||d}|S) a Read a DSS record from a file and add the data to a validation context. :param handler: PDF handler from which to read the DSS. :return: A DocumentSecurityStore object describing the current state of the DSS. /DSSNru)defaultrvrwr()r=r#r$r>r%r?)rootrNrrrnr@r ryrArarrrQrrr~ isinstancer)clsrdss_dictersZ cert_ref_listrzr{rbrqr$rErrWrrr%rFrrr>r=dssr-r-r.read_dss8sL       zDocumentSecurityStore.read_dssr#r$r%pathsvalidation_context embed_roots)pdf_outrr'csz||} d} Wn"tk r4d} ||d} YnX|dk rJt|} nd} ttjdfdd } fdd } fd d }| j| | | |d | }| r| |}||j t d <| | S)aD Add or update a DSS, and optionally associate the new information with a VRI entry tied to a signature object. You can either specify the CMS objects to include directly, or pass them in as output from `pyhanko_certvalidator`. :param pdf_out: PDF writer to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :return: a :class:`DocumentSecurityStore` object containing both the new and existing contents of the DSS (if any). FTr<Nr&c3s>pdEdHpdD]"}t|}s.t||EdHqdSNr-)iternext)path path_parts)r#rrr-r._certss  z:DocumentSecurityStore.supply_dss_in_writer.._certsc3s&pdEdHdk r"jEdHdSrrXr-)r$rr-r._ocspssz:DocumentSecurityStore.supply_dss_in_writer.._ocspsc3s&pdEdHdk r"jEdHdSr)r%r-)r%rr-r._crlssz9DocumentSecurityStore.supply_dss_in_writer.._crlsrlr) rrrrkrrr rtr/rOrrZ update_root)rr sig_contentsr#r$r%rrrrcreatedrprrrrZdss_refr-)r#r%rr$rrr.supply_dss_in_writervs4:   z*DocumentSecurityStore.supply_dss_in_writerF) r#r$r%rr force_writerfile_credentialstrict)rrrrc  CsZt|| d} | jdk r*| dk r*| j| |j| ||||||| d} |sN| jrV| dS)a Wrapper around :meth:`supply_dss_in_writer`. The result is applied to the output stream as an incremental update. :param output_stream: Output stream to write to. :param sig_contents: Contents of the new signature (used to compute the VRI hash), as a hexadecimal string, including any padding. If ``None``, the information will not be added to any VRI dictionary. :param certs: Certificates to include in the VRI entry. :param ocsps: OCSP responses to include in the VRI entry. :param crls: CRLs to include in the VRI entry. :param paths: Validation paths that have been established, and need to be added to the DSS. :param force_write: Force a write even if the DSS doesn't have any new content. :param validation_context: Validation context from which to draw OCSP responses and CRLs. :param embed_roots: .. versionadded:: 0.9.0 Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. .. warning:: This only applies to paths, not the ``certs`` parameter. :param file_credential: .. versionadded:: 0.13.0 Serialised file credential, to update encrypted files. :param strict: If ``True``, enforce strict validation of the input stream. Default is ``True``. )rNr)rZsecurity_handlerZ authenticaterrJwrite_in_place)rZ output_streamrr#r$r%rrrrrrrrr-r-r.add_dsss@   zDocumentSecurityStore.add_dss)NNNNN)T) r0r1r2r3rrrGpropertyrJrKrVr^r[ staticmethodr Z NameObjectrkrtr/rrr r|r r classmethodrrboolrr rr-r-r-r.r]sl " 1  #=h F) embedded_sigrcs\jj}|jstdgfdd}||jIdH|sX|jdk rX||jIdHS)a Query revocation info for a PDF signature using a validation context, and store the results in a validation context. This works by validating the signer's certificate against the provided validation context, which causes revocation info to be cached for later retrieval. .. warning:: This function does *not* actually validate the signature, but merely checks the signer certificate's chain of trust. :param embedded_sig: Embedded PDF signature to operate on. :param validation_context: Validation context to use. :param skip_timestamp: If the signature has a time stamp token attached to it, also collect revocation information for the timestamp. :return: A list of validation paths. zfRevocation mode is set to soft-fail/tolerant mode; collected revocation information may be incomplete.csDt|}|j}|j}t||d}|jtdIdH}|dS)N)Zintermediate_certsr)Z key_usage)rZ signer_certr}r Zasync_validate_usager5rQ) signed_dataZ cert_inforbr} validatorrrrr-r._validate_signed_dataWsz6collect_validation_info.._validate_signed_dataN)Zrevinfo_policyZrevocation_checking_policyZ essentialloggerwarningrZattached_timestamp_data)rrskip_timestampZrevinfo_fetch_policyrr-rr.r0s T)rrrc s|j} |r | j} }t|n t|} t|||dIdH} |rT|jd} nd} t | } || _ t j | | || |d}|s|jr|r| q| | n$|s| jdtt|| j| t|| S)aY .. versionadded: 0.9.0 Add validation info (CRLs, OCSP responses, extra certificates) for a signature to the DSS of a document in an incremental update. This is a wrapper around :func:`collect_validation_info`. :param embedded_sig: The signature for which the revocation information needs to be collected. :param validation_context: The validation context to use. :param skip_timestamp: If ``True``, do not attempt to validate the timestamp attached to the signature, if one is present. :param add_vri_entry: Add a ``/VRI`` entry for this signature to the document security store. Default is ``True``. :param output: Write the output to the specified output stream. If ``None``, write to a new :class:`.BytesIO` object. Default is ``None``. :param in_place: Sign the original input stream in-place. This parameter overrides ``output``. :param chunk_size: Chunk size parameter to use when copying output to a new stream (irrelevant if ``in_place`` is ``True``). :param force_write: Force a new revision to be written, even if not necessary (i.e. when all data in the validation context is already present in the DSS). :param embed_roots: Option that controls whether the root certificate of each validation path should be embedded into the DSS. The default is ``True``. .. note:: Trust roots are configured by the validator, so embedding them typically does nothing in a typical validation process. Therefore they can be safely omitted in most cases. Nonetheless, embedding the roots can be useful for documentation purposes. :return: The (file-like) output object to which the result was written. )rNascii)rrrr)readerstreamrZ!assert_writable_and_random_accessZprepare_rw_output_streamrZ pkcs7_contentrgencoderZ from_readerZ IO_CHUNK_SIZErrrJrwriteseekZ chunked_write bytearrayZfinalise_output)rrrZ add_vri_entryZin_placeoutputr chunk_sizerrZworking_outputrrrZ resulting_dssr-r-r.rks<8         )F)9rdlogging dataclassesrrr4typingrrZ asn1cryptorrrrrZasn1crypto.x509r Zpyhanko_certvalidatorr r Zpyhanko_certvalidator.pathr Zpyhanko.pdf_utilsr rZpyhanko.pdf_utils.genericrZ$pyhanko.pdf_utils.incremental_writerrZpyhanko.pdf_utils.miscrZpyhanko.pdf_utils.rw_commonrZpyhanko.pdf_utils.writerrZgeneralrerrorsrrZ pdf_embeddedr__all__Zpdf_utils.cryptr Zpdf_utils.readerr! getLoggerr0rrrrrZDEFAULT_CHUNK_SIZErrr-r-r-r.sh                 ( Y >