U d.d/Z?d0d1Z@ejAe jBd2d3d4ZCe e jBe=fd5d6d7ZDe:eN)compare_digest)AnyDict FrozenSetOptionalTupleType)algoscmscore)VOID)hasheshmackeywrap)hkdf)genericmisc)CMSStructuralErrorMultivaluedAttributeErrorNonexistentAttributeErrorValueErrorWithMessagebyte_range_digestfind_unique_cms_attributeget_pyca_cryptography_hashsimple_cms_attribute)PdfByteRangeDigestPreparedByteRangeDigest)CMSAlgorithmProtectionErrorDisallowedAlgorithmError)validate_algorithm_protection)extract_contents)DeveloperExtensionDevExtensionMultivalued)pdf_name) PdfFileReader)BasePdfFileWriter)PdfMacIntegrityInfoPdfMacTokenHandlervalidate_pdf_macadd_standalone_macISO32004ALLOWED_MD_ALGSz/ISO_z/2.0i}z:2024z'https://www.iso.org/standard/45877.htmlF)Z prefix_name base_versionZextension_levelZextension_revisionurlZcompare_by_levelZ multivaluedsha256sha3_256sha384sha3_384sha512sha3_512c@s eZdZdS)PdfMacValidationErrorN)__name__ __module__ __qualname__r;r;B/tmp/pip-unpacked-wheel-w101_d3s/pyhanko/pdf_utils/crypt/pdfmac.pyr7Jsr7c@s|eZdZdZeddiZddZee e e dddZ ee fe e ej ee d d d Zeed d dZee e e dddZe ejdddZeee ejfdddZe ee ee e fdddZeje eje ej dddZe e e ddd Zd!d"e ee eejd#d$d%Zeje d&d'd(Z eje!j"d)d*d+Z#ej d,d-d.Z$ej e%d/d0d1Z&ej e ee d2d3d4Z'd5S)6r*a: Internal utility class to create and validate PDF MAC tokens. .. warning:: This is a class to simplify local overrides for creating test documents with various defects. Instances of this class should never be created or manipulated directly during regular operation. algorithmr1cCs||_||_dSNmac_kek md_algorithm)selfr@rAr;r;r<__init__\szPdfMacTokenHandler.__init__file_encryption_keykdf_saltrAcCs|||}|||dS)Nr?)_derive_mac_kek)clsrErFrAr@r;r;r< from_key_mat`s zPdfMacTokenHandler.from_key_matrErF auth_data allowed_mdsc Cs\|d}|dj}|dkr"td|d}|dj}||krLt|tjdd|j|||dS) N mac_algorithmr=r1z:Only HMAC-SHA256 is currently supported for PDF MAC tokensdigest_algorithmT)Zoid_typeZ permanentrD)nativeNotImplementedErrorrr ZDigestAlgorithmIdrI) rHrErFrKrLZ mac_algo_objZmac_algoZdigest_algo_objZmd_algor;r;r<for_validationgs&   z!PdfMacTokenHandler.for_validation)include_signature_digestreturncCs8tt|j}|j||r"|nddd}t|S)NT)document_digestsignature_digestdry_run)r HashrrAfinalizebuild_pdfmac_tokenlendump)rBrRZ dummy_hashZ dummy_tokenr;r;r<determine_token_sizes z'PdfMacTokenHandler.determine_token_size)rErFrScCs tjtd|dd}||S)N sPDFMAC)r=lengthsaltinfo)rZHKDFr SHA256Zderive)rHrErFkdfr;r;r<rGsz"PdfMacTokenHandler._derive_mac_kek)message_digestrScCs@t|jtd|jid}ttddtd|td|gS)Nr=)rMrN content_typepdf_mac_integrity_inforcZcms_algorithm_protection)r ZCMSAlgorithmProtectionmac_algo_identDigestAlgorithmrA CMSAttributesr)rBrcZalgo_protectionr;r;r<_format_auth_attrss z%PdfMacTokenHandler._format_auth_attrs)rVrSc Csb|rtd}n td}tj|j|d}td|t ddit ddid}|t d|ifS) Nr]) wrapping_keyZ key_to_wraprr=pdf_mac_wrap_kdf aes256_wrap)version encrypted_keykey_derivation_algorithmkey_encryption_algorithmpwri) bytessecretsZ token_bytesrZ aes_key_wrapr@r PasswordRecipientInfor Z KdfAlgorithmZKeyEncryptionAlgorithm RecipientInfo)rBrVmac_keyrnrqr;r;r<_get_mac_keying_infos*  z'PdfMacTokenHandler._get_mac_keying_info)rTrUrSc Cs^d|i}|dk r||d<d|d<t|}|}t|j}t|}|||}||fS)N data_digestrUrrm)r)r[rrAr rWupdaterX) rBrTrUZmessage_kwargsmessage message_bytesmd_specZmd_funrcr;r;r<_format_messages   z"PdfMacTokenHandler._format_message)recipient_infor{ auth_attrsmacrSc CsDtd|gtdditd|jitdt|d||dS)Nrr=r1rerdcontent)rmrecipient_infosrMrNencap_content_inforr)r AuthenticatedData HmacAlgorithmrgrAZEncapsulatedContentInfor ParsableOctetString)rBr~r{rrr;r;r<_format_auth_datas  z$PdfMacTokenHandler._format_auth_data)rv data_to_macrScCs$tj|td}|||S)N)keyr=)rHMACr raryrX)rBrvrZhmac_funr;r;r< compute_macs zPdfMacTokenHandler.compute_macFrV)rTrUrVrSc Csb|j|d\}}|||\}}||}|j||d} |j|||| d} td| dS)Nr)rvr)r~r{rrauthenticated_datar) rwr}riruntagr[rr ContentInfo) rBrTrUrVrvrir{rcrrZ authed_datar;r;r<rYs&  z%PdfMacTokenHandler.build_pdfmac_token) recp_infosrScCsd}z|\}|j}Wntk r(YnXt|tjs>td|d}|tks\|djdkrdtd|dd}|jdkrtd|j d |d j}zt j |j |d }Wnt j k rtd YnX|S) NzWPDF MAC requires exactly one recipientInfo, which must be of PasswordRecipientInfo typeror=rkz_PDF MAC tokens must have their key derivation algorithm explicitly identified as pdfMacWrapKdf.rprlzPPDF MAC only supports unpadded 256-bit AES key wrapping for key encryption; not .rn)rjZ wrapped_keyzFailed to unwrap MAC key)Zchosen ValueError isinstancer rtr7r rOrPdottedrZaes_key_unwrapr@Z InvalidUnwrap)rBrrqZrecprbZkea_objrnrvr;r;r<_retrieve_mac_keys:       z$PdfMacTokenHandler._retrieve_mac_key)attrs encap_contentc Cspt|j}t|}|t||}z t|d}|j|krHt dWn t t fk rjt dYnXdS)NrczMValue of messageDigest attribute does not match hash of encapsulated content.zcMessage digest not found in authenticated attributes, or multiple messageDigest attributes present.) rrAr rWryrrrXrrOr7rr)rBrrr|ZmdrcZclaimed_message_digestr;r;r<_validate_message_digestDs"   z+PdfMacTokenHandler._validate_message_digest)rKc Cs~|d}t|zt|d|d|ddWn2tk r^}ztd|j|W5d}~XYnX|dd}|j||ddS) NrrNrM)Zclaimed_signature_algorithm_objZclaimed_digest_algorithm_objZclaimed_mac_algorithm_objz%CMS alg protection validation error: rr)r)_validate_content_type_attrr rr7failure_messager)rBrKreZ int_info_objr;r;r<_validate_auth_attrsZs"  z'PdfMacTokenHandler._validate_auth_attrs)rKrSc Cs|d}|tk rtd|d}|d}||}|j||d}t||djs`tdz||Wn2t k r}ztd|j |W5d}~XYnX|d d j}|d krtd |d d j S)N unauth_attrsz5PDF MAC tokens cannot have unauthenticated attributesrr)rrzPDF MAC token has invalid MACzCMS structural error: rrdrez_The content type of the encapsulated content in a PDF MAC token must be id-pdfMacIntegrityInfo.r) r r7rrrr[rrOrrrparsed) rBrKrrrrvZ computed_macrZeci_ctr;r;r<#_validate_and_extract_encap_contentqs8  z6PdfMacTokenHandler._validate_and_extract_encap_contentrKrTrUcCs||}t|||dSr>)r _validate_pdf_mac_integrity_info)rBrKrTrUrr;r;r<validate_pdfmac_token_cmss  z,PdfMacTokenHandler.validate_pdfmac_token_cmsN)(r8r9r:__doc__r rrfrC classmethodrrstrrIr.rrrQboolintr\rGrhrirrurwrr}rrrrYZRecipientInfosrr rrrr)rrr;r;r;r<r*Nsp         '  +)int_inforTrUcCsf|dj}||krtd|d}|dkr<|tk rbtdn&|j}|dkrRtd||krbtddS)Nrxz;Document digest does not match value in PdfMacIntegrityInforUz;PdfMacIntegrityInfo contains an unexpected signature digestz6Could not find signature digest in PdfMacIntegrityInfoztdt|tjsRtdd}d}z4|d}t|tjr|dkrd}n |dkrd}Wntk rYnX|j d t j }|rt ||}|d } d} n|rXz|d } Wn<tjk rtd Yntk r td YnX| } t| tjs@tdt| |\}} | d } ntd|djdkrxtd|j} | dk st|d}|ddj}t|j | |d\}}| dk rtt|}|| |}nd}z | }Wn0tjk r&}ztd|W5d}~XYnX|j| |||dj!|||ddS)N /AuthCodez&AuthCode dictionary cannot be indirectz$Failed to locate AuthCode dictionaryF /MACLocation /StandaloneTz/AttachedToSigrrz /SigObjRefz7Value of /SigObjRef entry must be an indirect referencez"/AttachedToSig requires /SigObjRefz)/SigObjRef does not point to a dictionaryz Failed to locate MAC in documentrdrz0MAC tokens must be of CMS type AuthenticatedDatarrNr=)rrAzError retrieving saltrJr)"Z trailer_viewrrrrZIndirectObjectr7DictionaryObjectZ NameObjectstreamseekosSEEK_ENDrZget_value_as_referenceZIndirectObjectExpectedZ get_objectrrOZsecurity_handlerAssertionErrorlowerrr rWrryrXZ get_kdf_saltrrrQZget_file_encryption_keyr)rrLrrZ is_standaloneZis_in_signatureZ mac_locationrrrZsignature_valueZsig_refrshrKrA_rTZsig_mdrUr_rr;r;r<r+&s            cseZdZfddZZS)StandalonePdfMaccs$tjtd|dtd|d<dS)Nr)Zdata_keybytes_reservedrr)superrCr%)rBr __class__r;r<rCs zStandalonePdfMac.__init__)r8r9r:rC __classcell__r;r;rr<r~sr)wrAc Cs|j|d}|jdd}td|d}|td||j||j|||d}t|\} } |j| j dd} | j | | d t || S) N)rAF)rRr")rr)rAin_place chunk_sizeoutput)rTrU)Zcms_data) Z_init_mac_handlerr\rZset_custom_trailer_entryr%fillrAnextrYrTZ fill_with_cmsrZfinalise_output) rrArrrhandlerZtok_sizeZmac_dictZ cms_writerZprepared_br_digestZ res_outputZ pdfmac_tokenr;r;r<r,s(  )JrrsrrtypingrrrrrrZ asn1cryptor r r Zasn1crypto.corer Zcryptography.hazmat.primitivesr rZ"cryptography.hazmat.primitives.kdfrZpyhanko.pdf_utilsrrZ sign.generalrrrrrrrrZsign.signers.pdf_byterangerrZsign.validation.errorsrrZsign.validation.generic_cmsr Zsign.validation.pdf_embeddedr! extensionsr#r$r%rr&writerr'Z_iso32004_asn1r)__all__ZALWAYSr- frozensetr.r7r*rrrrrrrrrrr+rZDEFAULT_CHUNK_SIZEr,r;r;r;r<s    (         \  $ X