U <ßôgcã @s.dZddlZddlZddlZddlZddlZddlmZddlm Z m Z mZmZm Z mZmZmZddlZddlmZmZmZddlmZddlmZddlmZdd lmZmZmZdd l m!Z!ddl"m#Z#m$Z$ddl%m&Z&z@dd lm'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-ddlm.Z/ddlm0Z1Wn.e2k rJZ3ze2de3ƒ‚W5dZ3[3XYnXdddddgZ4e 5e6¡Z7e ee1j8eee9e9fdœdd„Z:e ee1j8e;dœdd„Ze ee e1j8dœdd„Z?eddGdd „d ƒƒZ@e*jAe*jBe*jCe*jDe*jEd!œZFe*jGe*jHe*jIe*jJe*jKd!œZLe'jMe'jNe'jOe'jPe'jQd!œZRe*jSe*jTe*jUe*jVe*jWd!œZXe*jYe*jZe*j[e*j\e*j]d!œZ^e*j_e*jNe*jOe*jPe*jQd!œZ`ejae9e;e@d"œd#d„Zbd2e9e e>e e9e eee9ecdfe-d$œd%d„Zdd3e;e e9e eed&œd'd(„Zfd4e-e e9e eed)œd*d+„Zge9e;d,œd-d.„ZhGd/d„de&ƒZiGd0d„dƒZjdS)5zÐ This module provides PKCS#11 integration for pyHanko, by providing a wrapper for `python-pkcs11 `_ that can be seamlessly plugged into a :class:`~.signers.PdfSigner`. éN)Ú dataclass)ÚAnyÚCallableÚDictÚListÚOptionalÚSetÚTupleÚUnion)ÚalgosÚcoreÚx509)ÚRSASSAPSSParams)Úhashes)ÚCertificateStore)ÚPKCS11PinEntryModeÚPKCS11SignatureConfigÚ TokenCriteria)Úcoalesce)ÚSigningErrorÚget_pyca_cryptography_hash)ÚSigner)ÚMGFÚPROTECTED_AUTHÚ AttributeÚ MechanismÚObjectClassÚPKCS11ErrorÚSession)Úlib)ÚtypeszŸpyhanko.sign.pkcs11 requires pyHanko to be installed with the [pkcs11] option. You can install missing dependencies by running "pip install 'pyHanko[pkcs11]'".ÚPKCS11SignerÚopen_pkcs11_sessionÚPKCS11SigningContextÚ find_tokenÚselect_pkcs11_signing_params)ÚcriteriaÚtokenÚreturncCsd|dkrgSg}|jdk r6|j|jkr6| d|jf¡|jdk r`|j|jkr`| d|j ¡f¡|S)NÚlabelÚserial)r)Úappendr*Úhex)r&r'Z err_items©r-ú7/tmp/pip-unpacked-wheel-w101_d3s/pyhanko/sign/pkcs11.pyÚcriteria_mismatches=sr/cCst||ƒS©N)r/)r&r'r-r-r.Úcriteria_satisfied_byLsr1)ÚslotsÚslot_noÚtoken_criteriar(c Csî|dkr0|dkr0t|ƒdkr(|d ¡Stdƒ‚|dkr~|D]>}z | ¡}t||ƒr^|WSWq<tk rxYq~szfind_token..zToken in slot z does not satisfy criteria; Ú.)ÚlenÚ get_tokenrr1r/Újoin)r2r3r4Zslotr'ÚerrorsÚerr_strr-r-r.r$Rs:ÿ ÿ ÿÿT)Úfrozenc@sNeZdZUdZeeefed<ee e ge fed<ee e ge fed<dS)ÚPKCS11SignatureOperationSpeczq Internal helper class to describe how to invoke a signature operation on a key in a PKCS #11 token. Úsign_kwargsÚpre_sign_transformÚpost_sign_transformN)Ú__name__Ú __module__Ú__qualname__Ú__doc__rÚstrrÚ__annotations__rrÚbytesr-r-r-r.rBˆs rB)Úsha1Úsha224Úsha256Úsha384Úsha512)Úsignature_mechanismÚdigest_algorithmÚuse_raw_mechanismr(cCsêddlm}ddlm}d}d}i}z |j}Wntk rL|dj}YnX|dkr‚|rrtj|d<t |dd }nt ||d<nZ|d krº|r¦tj|d<t |dd }nt||d<|}n"|dkrð|rÞtj |d<t |dd }nt||d<|}nì|d krp|rtdƒ‚|d} || ddjks(t‚t||d<t|} | dddj}t|}| dj} | || f|d<nl|dkr”|rˆtdƒ‚tj|d<nH|dkrÌ|r¬tdƒ‚tj|d<t dddd¡|d<ntd|›dƒ‚t|||dS)aZ Internal helper function to set up a PKCS #11 signing operation. :param signature_mechanism: The signature mechanism to use (as an ASN.1 value) :param digest_algorithm: The digest algorithm to use :param use_raw_mechanism: Whether to attempt to use the raw mechanism on pre-hashed data. :return: r)Úencode_dsa_signature)Úencode_ecdsa_signatureNÚ algorithmZrsassa_pkcs1v15Z mechanismT)Úwrap_digest_infoÚdsaFZecdsaZ rsassa_pssz$RSASSA-PSS not available in raw modeÚ parametersÚhash_algorithmZmask_gen_algorithmÚsalt_lengthZmechanism_paramÚed25519z!Ed25519 not available in raw modeÚed448zEd448 not available in raw modez@?LPzSignature algorithm 'z' is not supported.)rCrDrE)Zpkcs11.util.dsarUZpkcs11.util.ecrVÚsignature_algoÚ ValueErrorZnativerZRSA_PKCSÚ_hash_fullyÚRSA_MECH_MAPÚDSAÚDSA_MECH_MAPÚECDSAÚECDSA_MECH_MAPÚNotImplementedErrorÚAssertionErrorÚRSASSA_PSS_MECH_MAPÚDIGEST_MECH_MAPÚMGF_MECH_MAPZEDDSAÚstructÚpackrB)rRrSrTrUrVrDrEÚkwargsr_ÚparamsZpss_digest_paramZmgf_valZ pss_mgf_paramZpss_salt_lenr-r-r.r%Ôs„ ÿ ÿ ÿ ý ÿý)Úlib_locationr3Útoken_labelr4Úuser_pinr(c Csˆt|ƒ}|dkr.|dk r.t dt¡t|d}| ¡}t|||d}|dkrht|dk rbd|›dndƒ‚i}|dk r|||d<|jf|ŽS) a³ Open a PKCS#11 session :param lib_location: Path to the PKCS#11 module. :param slot_no: Slot number to use. If not specified, the first slot containing a token labelled ``token_label`` will be used. :param token_label: .. deprecated:: 0.14.0 Use ``token_criteria`` instead. Label of the token to use. If ``None``, there is no constraint. :param token_criteria: Criteria that the token should match. :param user_pin: User PIN to use, or :attr:`.PROTECTED_AUTH`. If ``None``, authentication is skipped. .. note:: Some PKCS#11 implementations do not require PIN when the token is opened, but will prompt for it out-of-band when signing. Whether :attr:`.PROTECTED_AUTH` or ``None`` is used in this case depends on the implementation. :return: An open PKCS#11 session object. Nz9'token_label' is deprecated, use 'token_criteria' instead)r))r3r4zNo token matching criteria z foundzNo token foundrr) Úp11_libÚwarningsÚwarnÚDeprecationWarningrZ get_slotsr$rÚopen) rpr3rqr4rrrr2r'rnr-r-r.r"@s&"þ ÿý©Ú no_resultsr)Úcert_idcCs~g}|dk r| d|›d¡|dk rD| dt |¡ d¡›d¡|rXdd |¡›nd}|rnd|›d }nd |›d }|S)Nzlabel 'ú'zID 'Úasciiz with r6ÚzCould not find certr;zFound more than one cert)r+ÚbinasciiÚhexlifyÚdecoder>)ryr)rzZ info_strsZ qualifierÚerrr-r-r.Ú_format_pull_err_msg{sr‚)Úpkcs11_sessionr)rzcCs„tjtji}|dk r||tj<|dk r0||tj<| |¡}t|ƒ}t|ƒdkrh|d}t j |tj¡St |||d}t|ƒ‚dS)Nr5rrx)rÚCLASSrÚCERTIFICATEÚLABELZIDÚget_objectsÚlistr<r ÚCertificateÚloadÚVALUEr‚r)rƒr)rzZquery_paramsÚqÚresultsÚcert_objrr-r-r.Ú _pull_certs ÿr)rSrXcs$tˆƒ‰ttdœ‡‡‡fdd„}|S)N)Údatar(csJt ˆ¡}| |¡| ¡}ˆrBt ˆ ¡t ¡dœ|dœ¡ ¡S|SdS)N)rWrZ)rSÚdigest) rÚHashÚupdateÚfinalizerZ DigestInfoÚlowerrZNullÚdump)rÚhr‘©rSZmd_specrXr-r.Ú_h©s þûÿ z_hash_fully.._h)rrL)rSrXr™r-r˜r.ra¦sracsÆeZdZdZdeeeeejeeee ee ee jdœ‡fdd„ Zd d „Z eedœdd „ƒZedd„ƒZeedœdd„Zde ee dœdd„Zeejdœdd„Zdd„Zdd„Zdd„Z‡ZS) r!a Signer implementation for PKCS11 devices. :param pkcs11_session: The PKCS11 session object to use. :param cert_label: The label of the certificate that will be used for signing, to be pulled from the PKCS#11 token. :param cert_id: ID of the certificate object that will be used for signing, to be pulled from the PKCS#11 token. :param signing_cert: The signer's certificate. If the signer's certificate is provided via this parameter, the ``cert_label`` and ``cert_id`` parameters will not be used to retrieve the signer's certificate. :param ca_chain: Set of other relevant certificates (as :class:`.asn1crypto.x509.Certificate` objects). :param key_label: The label of the key that will be used for signing. Defaults to the value of ``cert_label`` if left unspecified and ``key_id`` is also unspecified. .. note:: At least one of ``key_id``, ``key_label`` and ``cert_label`` must be supplied. :param key_id: ID of the private key object (optional). :param other_certs_to_pull: List labels of other certificates to pull from the PKCS#11 device. Defaults to the empty tuple. If ``None``, pull *all* certificates. :param bulk_fetch: Boolean indicating the fetching strategy. If ``True``, fetch all certs and filter the unneeded ones. If ``False``, fetch the requested certs one by one. Default value is ``True``, unless ``other_certs_to_pull`` has one or fewer elements, in which case it is always treated as ``False``. :param use_raw_mechanism: Use the 'raw' equivalent of the selected signature mechanism. This is useful when working with tokens that do not support a hash-then-sign mode of operation. .. note:: This functionality is only available for ECDSA at this time. Support for other signature schemes will be added on an as-needed basis. NFTr-)rƒÚ cert_labelÚsigning_certÚ key_labelÚkey_idrzrRcsÜt||s|ndƒ|_t| |s |ndƒ|_t||s4| ndƒ|_t|| sH|ndƒ|_||_||_d|_|dk r~t|ƒdkr~d|_ n| |_ ||_ d|_d|_d|_ tƒj|||| d|dk rÄ|j |¡|dk rØ|j |¡dS)z- Initialise a PKCS11 signer. NFr5)Ú prefer_pssÚembed_rootsr›rR)rršrrzrœrƒÚother_certsÚ_other_certs_loadedr<Ú bulk_fetchrTÚ_key_handleÚ_loadedÚ_PKCS11Signer__loading_eventÚsuperÚ__init__Ú_cert_registryÚregister_multipleÚregister)Úselfrƒršr›Úca_chainrœržrŸÚother_certs_to_pullr¢rrzrTrR©Ú __class__r-r.r§ñs6 ÿüzPKCS11Signer.__init__cCs&|js | ¡}|j |¡d|_|jS)NT)r¡Ú_load_other_certsr¨r©)r«Úcertsr-r-r.Ú_init_cert_registry s z PKCS11Signer._init_cert_registry©r(cCs| ¡Sr0)r²©r«r-r-r.Ú cert_registry)szPKCS11Signer.cert_registrycCs| ¡|jSr0)Ú _load_objectsÚ _signing_certr´r-r-r.r›/szPKCS11Signer.signing_cert)rSr(cCs| ¡}t| |¡||jdS)N)rT)r•r%Z"get_signature_mechanism_for_digestrT)r«rSr-r-r.Ú_select_pkcs11_signing_params4sýz*PKCS11Signer._select_pkcs11_signing_params)rrSr(cƒsp|rdS| ¡IdHddlm}|j‰| |¡‰ˆjdk rFˆ ˆ¡‰‡‡‡fdd„}t ¡}| d|¡IdHS)Ns00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000r)Ú SignMixincs(ˆjˆfˆjŽ}ˆjdk r$ˆ |¡}|Sr0)ÚsignrCrE)Ú signature©rÚkhÚspecr-r.Ú_perform_signatureNs z7PKCS11Signer.async_sign_raw.._perform_signature) Úensure_objects_loadedÚpkcs11r¹r£r¸rDÚasyncioÚget_running_loopÚrun_in_executor)r«rrSÚdry_runr¹r¿Úloopr-r¼r.Úasync_sign_raw>s zPKCS11Signer.async_sign_rawcCst| ¡ƒSr0)ÚsetÚ_PKCS11Signer__pullr´r-r-r.r°WszPKCS11Signer._load_other_certsccsÌ|j}|dk rt|ƒdkrdS|dks,|jrš|j tjtji¡}t d¡|D]H}|tj}|dksl||krNd|›d}t |¡tj |tj¡VqNn.|D](}d|›d}t |¡t|j|ƒVqždS)Nrz.Pulling all certificates from PKCS#11 token...zFound certificate with label 'z' on token.z Pulling certificate with label 'z' from PKCS#11 token...)r r<r¢rƒr‡rr„rr…ÚloggerÚdebugr†r r‰rŠr‹r)r«Zother_cert_labelsrŒrŽr)Úmsgr-r-r.Z__pullZs& ÿ ÿ zPKCS11Signer.__pullcÃs\|jr dS|jdkrHt ¡|_}t ¡}| d|j¡IdH| ¡n|j ¡IdHdS)aÎ Async method that, when awaited, ensures that objects (relevant certificates, key handles, ...) are loaded. This coroutine is guaranteed to be called & awaited in :meth:`sign_raw`, but some property implementations may cause object loading to be triggered synchronously (for backwards compatibility reasons). This blocks the event loop the first time it happens. To avoid this behaviour, asynchronous code should ideally perform `await signer.ensure_objects_loaded()` after instantiating the signer. .. note:: The asynchronous context manager on :class:`PKCS11SigningContext` takes care of that automatically. N) r¤r¥rÂÚEventrÃrÄr¶rÈÚwait)r«ÚeventrÆr-r-r.rÀ}s z"PKCS11Signer.ensure_objects_loadedcCsZ|jr dS| ¡|jdkr2t|j|j|jd|_|jjtj |j |jd}||_d|_dS)N)r)rz)r)ÚidT) r¤r²r·rrƒršrzÚget_keyrZPRIVATE_KEYrœrr£)r«r½r-r-r.r¶›s ÿÿzPKCS11Signer._load_objects)NNNNFTr-TNNFN)F)rFrGrHrIrrrJr r‰rLrÚSignedDigestAlgorithmr§r²Úpropertyrrµr›rBr¸rÇrr°rÉrÀr¶Ú __classcell__r-r-r®r.r!ÀsP3òò/ þÿþ#c@s\eZdZdZdeeedœdd„Zdd„Ze dœd d „Z dd„Zd d„Zdd„Z dd„ZdS)r#z+Context manager for PKCS#11 configurations.N)ÚconfigrrcCs||_d|_||_dSr0)rÕÚ_sessionÚ _user_pin)r«rÕrrr-r-r.r§°szPKCS11SigningContext.__init__cCs<|jp|jj}|dk r t|ƒ}n|jjtjkr4t}nd}|Sr0)r×rÕrrrJZ prompt_pinrZDEFERr)r«Úpinr-r-r.Ú_handle_pin·s z PKCS11SigningContext._handle_pinr³cCs®|j}| ¡}z t|j|j|j|d|_}WnHtjk rv}z(t d|j›dt |ƒj›d|›ƒ|‚W5d}~XYnXt||j |j|j|j|j|j|j|j|j|j|jdS)N)r3r4rrz'PKCS#11 error while opening session to z: [z] ) r¬rœržrTrr¢rrzr›rR)rÕrÙr"Úmodule_pathr3r4rÖrÁrrÚtyperFr!ršr rœržZ raw_mechanismrr¢rrzZsigning_certificaterR)r«rÕrØÚsessionÚexr-r-r.Ú_instantiateÂs:üÿþôz!PKCS11SigningContext._instantiatecCs| ¡Sr0)rÞr´r-r-r.Ú __enter__àszPKCS11SigningContext.__enter__cÃs.t ¡}| d|j¡IdH}| ¡IdH|Sr0)rÂrÃrÄrÞrÀ)r«rÆZsignerr-r-r.Ú __aenter__ãszPKCS11SigningContext.__aenter__cCs|j ¡dSr0©rÖÚclose©r«Úexc_typeÚexc_valÚexc_tbr-r-r.Ú__exit__észPKCS11SigningContext.__exit__cÃs|j ¡dSr0rárãr-r-r.Ú __aexit__ìszPKCS11SigningContext.__aexit__)N)rFrGrHrIrrrJr§rÙr!rÞrßràrçrèr-r-r-r.r#sÿÿ)NN)NNNN)NN)NN)krIrÂr~ÚloggingrlrtÚdataclassesrÚtypingrrrrrrr r rÁZ asn1cryptorrr Zasn1crypto.algosrZcryptography.hazmat.primitivesrZpyhanko_certvalidator.registryrZpyhanko.config.pkcs11rrrZpyhanko.pdf_utils.miscrZpyhanko.sign.generalrrZpyhanko.sign.signersrrrrrrrrrrsr Z p11_typesÚImportErrorÚeÚ__all__Ú getLoggerrFrÊÚTokenrJr/Úboolr1ZSlotÚintr$rBZ SHA1_RSA_PKCSZSHA224_RSA_PKCSZSHA256_RSA_PKCSZSHA384_RSA_PKCSZSHA512_RSA_PKCSrbZSHA1_RSA_PKCS_PSSZSHA224_RSA_PKCS_PSSZSHA256_RSA_PKCS_PSSZSHA384_RSA_PKCS_PSSZSHA512_RSA_PKCS_PSSriÚSHA1ÚSHA224ÚSHA256ÚSHA384ÚSHA512rkZ ECDSA_SHA1ZECDSA_SHA224ZECDSA_SHA256ZECDSA_SHA384ZECDSA_SHA512rfZDSA_SHA1Z DSA_SHA224Z DSA_SHA256Z DSA_SHA384Z DSA_SHA512rdZSHA_1rjrÒr%Úobjectr"rLr‚rrar!r#r-r-r-r.Úsò($ üû þþýü6û û û û ÷ û ünûú=ýýýýn