CsiC dZddlZddlZddlmZddlmZmZmZm Z m Z ddl m Z m Z mZmZddlmZddlmZmZddlmZdd lmZdd lmZmZmZmZmZdd lm Z dd l!m"Z"gd Z#ejHe%Z&Gdde'Z(Gdde(Z)Gdde(Z*dZ+Gdde,Z-Gdde'Z.dZ/dZ0dejbdejdfdZ3 d9dejbdejhfdZ5dejbde ejlejnffd Z8d!e e jrejtfdejbde;fd"Z<Gd#d$e'Z=Gd%d&e=Z>d'ede?fd(Z@dejbd)e?de jfd*ZBed+,Gd-d.ZCd/e jfd0ZEd1ZFd2e jde jfd3ZId2e jdeCfd4ZJe jfd5ed6eeLd7e?de eLeMffd8ZNy):a General tools related to Cryptographic Message Syntax (CMS) signatures, not necessarily to the extent implemented in the PDF specification. CMS is defined in :rfc:`5652`. To parse CMS messages, pyHanko relies heavily on `asn1crypto `_. N) dataclass)IOIterableListTupleUnion)algoscmstspx509)SignedDigestAlgorithm)hashes serialization)padding) RSAPublicKey)load_cert_from_pemderload_certs_from_pemderload_certs_from_pemder_dataload_private_key_from_pemder!load_private_key_from_pemder_data)misc)get_pyca_cryptography_hash)CMSExtractionErrorCMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorSignedDataCerts SigningErrorUnacceptableSignerErrorValueErrorWithMessageas_signing_certificateas_signing_certificate_v2byte_range_digestcheck_ess_certidextract_certificate_infoextract_signer_infofind_cms_attributefind_unique_cms_attributeget_cms_hash_algo_for_mechanismrrrrrmatch_issuer_serialoptimal_pss_paramssimple_cms_attributec"eZdZdZfdZxZS)r z Value error with a failure message attribute that can be conveniently extracted, instead of having to rely on extracting exception args generically. cDt||_t| |yN)strfailure_messagesuper__init__)selfr1 __class__s `/var/www/python-projects/worksol/worksolenv/lib/python3.12/site-packages/pyhanko/sign/general.pyr3zValueErrorWithMessage.__init__Ds"?3 ))__name__ __module__ __qualname____doc__r3 __classcell__r5s@r6r r =s **r7r ceZdZdZy)rz!Structural error in a CMS object.Nr8r9r:r;r7r6rrIs+r7rc eZdZy)rNr8r9r:r@r7r6rrMr7rcZtjtj||fdS)a Convenience method to quickly construct a CMS attribute object with one value. :param attr_type: The attribute type, as a string or OID. :param value: The value. :return: A :class:`.cms.CMSAttribute` object. )typevalues)r CMSAttributeCMSAttributeType) attr_typevalues r6r,r,Qs,   %%i0UHE r7c eZdZy)rNrBr@r7r6rrbrCr7rc eZdZy)rNrBr@r7r6rrfrCr7rcd}|r0|D]+}|dj|k(s|td|d|d}-||Std|d)a Find and return CMS attribute values of a given type. .. note:: This function will also check for duplicates, but not in the sense of multivalued attributes. In other words: multivalued attributes are allowed; listing the same attribute OID more than once is not. :param attrs: The :class:`.cms.CMSAttributes` object. :param name: The attribute type as a string (as defined in ``asn1crypto``). :return: The values associated with the requested type, if present. :raise NonexistentAttributeError: Raised when no such type entry could be found in the :class:`.cms.CMSAttributes` object. :raise CMSStructuralError: Raised if the given OID occurs more than once. NrEz Attribute z was duplicatedrFzUnable to locate attribute .)nativerr)attrsname found_valuesattrs r6r'r'jsz,L  .DF|""d*+,$THO< $H~  .'*EdV1(MNNr7cvt||}t|dk7rtd|dt|d|dS)a  Find and return a unique CMS attribute value of a given type. :param attrs: The :class:`.cms.CMSAttributes` object. :param name: The attribute type as a string (as defined in ``asn1crypto``). :return: The value associated with the requested type, if present. :raise NonexistentAttributeError: Raised when no such type entry could be found in the :class:`.cms.CMSAttributes` object. :raise MultivaluedAttributeError: Raised when the attribute's cardinality is not 1. zExpected single-valued z attribute, but found z valuesr)r'lenr)rPrQrFs r6r(r(sO  t ,F 6{a'%dV+A6{m7 $   !9r7certreturnc tjdtjtj|j j tjd|jig|ddddgiS)a Format an ASN.1 ``SigningCertificate`` object, where the certificate is identified by its SHA-1 digest. :param cert: An X.509 certificate. :return: A :class:`tsp.SigningCertificate` object referring to the original certificate. certsdirectory_nametbs_certificate serial_numberissuerr]) cert_hash issuer_serial) r SigningCertificate ESSCertIDhashlibsha1dumpdigestr GeneralNamer_)rWs r6r!r!s  ! !  %,\\$))+%>%E%E%G!% 0 0%5t{{$C!"' .22C-D /. *   r7c Tt|}tj|}|j|j |j }t jdt jd|i|tjd|jig|ddddgiS)a Format an ASN.1 ``SigningCertificateV2`` value, where the certificate is identified by the hash algorithm specified. :param cert: An X.509 certificate. :param hash_algo: Hash algorithm to use to digest the certificate. Default is SHA-256. :return: A :class:`tsp.SigningCertificateV2` object referring to the original certificate. rZ algorithmr[r\r]r^)hash_algorithmr`ra) rrHashupdaterffinalizer SigningCertificateV2 ESSCertIDv2r rhr_)rW hash_algo hash_specmd digest_values r6r"r"s$+95I Y BIIdiik;;=L  # # +6 *B%1!% 0 0%5t{{$C!"' .22C-D /. *   r7certidcTt|tjrd}n|ddj}t |}t j |}|j|j|j}|dj}||k7ry|d}| xs t||S)a Match an ``ESSCertID`` value against a certificate. :param cert: The certificate to match against. :param certid: The ``ESSCertID`` value. :return: ``True`` if the ``ESSCertID`` matches the certificate, ``False`` otherwise. rerkrjr`Fra) isinstancer rcrOrrrlrmrfrnr*)rWrurqrrrsrtexpected_digest_valueexpected_issuer_serials r6r$r$s&#--( +,[9@@ *95I Y BIIdiik;;=L";/66,,/5o/F% % )<*r7rycd|dd}|d}t|tjr0t|dk7s|djdk7ry|dj } |j |jj k(xs||jk(}|xr|d|k(S#t$rd}YwxYw)a~ Match the issuer and serial number of an X.509 certificate against some expected identifier. :param expected_issuer_serial: A certificate identifier, either :class:`cms.IssuerAndSerialNumber` or :class:`tsp.IssuerSerial`. :param cert: An :class:`x509.Certificate`. :return: ``True`` if there's a match, ``False`` otherwise. r\r]r_rUrr[F) rwr GeneralNamesrVrQchosenrfr_ ValueError)ryrW serial_asn1expected_issuer issuer_matchs r6r*r*s&()/:K,X6O /4#4#45  A %q!&&*::)!,33  "dkk&6&6&8 8 .$++-  O/@KO  sz'_get_signer_predicate..s,SZZ;r7subject_key_identifierzThe signature in this SignedData value seems to be identified by a subject key identifier --- this is legal in CMS, but many PDF viewers and SDKs do not support this feature.c"|jk(Sr/)key_identifier)rskis r6rz'_get_signer_predicate..s))S0r7)rQr|rOloggerwarningNotImplementedError)rrs`@r6_get_signer_predicatersS xx--;; - -jj < 10 r7ct|d}d}g}|D]}||r|}|j| | td||fS)Nrz,signer certificate not included in signature)rappendr)rZ signer_info predicaterWrrs r6_partition_certsrsd &k%&89I DK " Q<D   q ! "  | !OPP  r7 signed_datacF |d\}|S#t$r tdwxYw)a5 Extract the unique ``SignerInfo`` entry of a CMS signed data value, or throw a ``ValueError``. :param signed_data: A CMS ``SignedData`` value. :return: A CMS ``SignerInfo`` value. :raises ValueError: If the number of ``SignerInfo`` values is not exactly one. signer_infosz-signer_infos should contain exactly one entry)r}r)rrs r6r&r&s8 $^4   ;   s  c*g}g}|dD]^}|jj}|jdk(r|j|>|jdk(sN|j|`t |}t ||\}}t |||}|S)a Extract and classify embedded certificates found in the ``certificates`` field of the signed data value. :param signed_data: A CMS ``SignedData`` value. :return: A :class:`SignedDataCerts` object containing the embedded certificates. certificates certificate v2_attr_cert)rrr)r|untagrQrr&rr) rrZ attr_certsrrWrrr cert_infos r6r%r%s EJ  ($xx~~ 66] " LL  VV~ %   d # $ &k2K/{CK"I r7stream byte_range md_algorithmct|}tj|}d}t|}t j |D]4\}} |j |t j|||| || z }6||jfS)a  Internal API to compute byte range digests. Potentially dangerous if used without due caution. :param stream: Stream over which to compute the digest. Must support seeking and reading. :param byte_range: The byte range, as a list of (offset, length) pairs, flattened. :param md_algorithm: The message digest algorithm to use. :param chunk_size: The I/O chunk size to use. :return: A tuple of the total digested length, and the actual digest. r)max_read) rrrl bytearrayr pair_iterseekchunked_digestrn) rrr chunk_sizemd_specrs total_len chunk_buflo chunk_lens r6r#r# s,)6G W B I*%I 3 I B IvrIFY  bkkm ##r7)sha256)Or;rdlogging dataclassesrtypingrrrrr asn1cryptor r r r asn1crypto.algosr cryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricr-cryptography.hazmat.primitives.asymmetric.rsar pyhanko.keysrrrrrpyhanko.pdf_utilsrpyhanko_certvalidator.utilr__all__ getLoggerr8rr}r rrr,KeyErrorrrr'r(rrbr!ror"rcrpr$IssuerAndSerialNumber IssuerSerialboolr*rrr0r)rr+rSignerIdentifierrr SignedData SignerInfor&r%DEFAULT_CHUNK_SIZEintbytesr#r@r7r6rsY!33,,2@=F#A :   8 $ *J *,., . "    #OL2 !1!1 c6L6L H'/+   ++\   $)#--*H$I@1!#";";S=M=M"MN1   1 1h%:% l *?C.&   &.1& &R $* s33  $ S^^  *#.._B&& #$ #$ #$#$  3: #$r7