U
    <ßôgw­  ã                   @   s   d dl Z d dlZd dlmZ d dlmZ d dlmZmZmZm	Z	m
Z
mZmZmZmZmZmZmZmZ d dlmZmZmZmZmZ d dlmZ d dlmZ d dlmZmZm Z  d d	l!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z) d d
l*m+Z+ d dl,m-Z- d dl.m/Z/ d dl0m1Z1m2Z2 d dl3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;m<Z<m=Z= ddl>m?Z? ddl@mAZA ddlBmCZCmDZD ddlEmFZF ddlGmHZH ddlImJZJmKZKmLZLmMZMmNZNmOZOmPZP ddlQmRZRmSZSmTZTmUZU dddddddd d!d"d#d$d%gZVe WeX¡ZYed&eNd'ZZej[eej\ej]df d(œd)d%„Z^e_d*œd+d,„Z`ejaej[d-œd.d/„Zbej[ejceejd eeje d0œd1d$„Zfd]ejgejaeheieeS ee ee_e_f d2œd3d„Zjejke8d4œd5d"„Zld^ejkeei ee eem ee- ee/ eeS eHe	ehef d6œ	d7d„Znd_ejaeeHee- ee/ d8d9œd:d;„Zoeddddd<œejkeeZ eei ee eem eeH eZd=œd>d„ƒZpeddddd<œejkeei ee eem eeH eNd?œd@d„ƒZpeNdddddfejkeei ee eem eeH eeS eZdAœdBd„Zpejgee dCœdDd!„Zqd`ejge_eejk dFœdGd „Zrejgeei dCœdHd„Zsejgee eidIœdJd„Ztdaejkee eieeS dKœdLd„Zueejv ejaeeee1 eee&e%e$f  f dMœdNdO„Zweejv ejaee ej[dPœdQd#„Zxddddde?jydfeeieejzej{f ejkee ee ee eeH eeS eOdRœdSd„Z|edTdUdVZ}edUdWG dXdY„ dYe
e} ƒƒZ~ee} e~e} dZœd[d\„ZdS )bé    N)Ú	dataclass)Údatetime)ÚIOÚAnyÚ	AwaitableÚDictÚGenericÚIterableÚListÚOptionalÚTupleÚTypeÚTypeVarÚUnionÚoverload)ÚalgosÚcmsÚcoreÚtspÚx509)ÚInvalidSignature)Úhashes)ÚCancelableAsyncIteratorÚValidationContextÚfind_valid_path)ÚDisallowedAlgorithmErrorÚExpiredErrorÚInvalidCertificateErrorÚPathBuildingErrorÚPathValidationErrorÚRevokedErrorÚStaleRevinfoErrorÚValidationError)ÚTimeSlideFailure)ÚValidationPath)ÚPKIXValidationParams)ÚACValidationResultÚasync_validate_ac)
ÚCMSExtractionErrorÚCMSStructuralErrorÚMultivaluedAttributeErrorÚNonexistentAttributeErrorÚSignedDataCertsÚcheck_ess_certidÚextract_certificate_infoÚextract_signer_infoÚfind_unique_cms_attributeÚget_pyca_cryptography_hashé   )Úmisc)Úlift_iterable_asyncé   )ÚAdESFailureÚAdESIndeterminateé   )Úerrors)ÚKeyUsageConstraints)ÚCAdESSignerAttributeAssertionsÚCertifiedAttributesÚClaimedAttributesÚRevocationDetailsÚSignatureStatusÚStandardCMSSignatureStatusÚTimestampSignatureStatus)ÚDEFAULT_ALGORITHM_USAGE_POLICYÚCMSAlgorithmUsagePolicyÚextract_message_digestÚvalidate_rawÚvalidate_sig_integrityÚasync_validate_cms_signatureÚcollect_timing_infoÚvalidate_tst_signed_dataÚasync_validate_detached_cmsÚcms_basic_validationÚcompute_signature_tst_digestÚextract_tst_dataÚextract_self_reported_tsÚextract_certs_for_validationÚcollect_signer_attr_statusÚvalidate_algorithm_protectionÚget_signing_cert_attrÚ
StatusType)Úbound)Úsigned_attrsÚreturnc                 C   s$   t | dd}|dkr t | dd}|S )a   
    Retrieve the ``signingCertificate`` or ``signingCertificateV2`` attribute
    (giving preference to the latter) from a signature's signed attributes.

    :param signed_attrs:
        Signed attributes.
    :return:
        The value of the attribute, if present, else ``None``.
    T©Úv2NF)Ú_grab_signing_cert_attr)rU   Úattr© r[   úG/tmp/pip-unpacked-wheel-w101_d3s/pyhanko/sign/validation/generic_cms.pyrR   c   s    rW   c              
   C   sˆ   |rdnd}|rt jnt j}zt| |ƒ}| | ¡ ¡W S  tk
rL   Y d S  tk
r‚ } ztj	}t
jd|d|‚W 5 d }~X Y nX d S )NZsigning_certificate_v2Zsigning_certificatez3Wrong cardinality for signing certificate attribute©Zades_subindication)r   ÚSigningCertificateV2ÚSigningCertificater0   ÚloadÚdumpr+   r*   r7   ÚNO_SIGNING_CERTIFICATE_FOUNDr9   ÚSignatureValidationError)rU   rX   Ú	attr_nameÚclsÚvalueÚeÚerrr[   r[   r\   rY   u   s    
þýrY   )ÚcertrU   c                 C   sN   t |ƒ}|d krd S |d d }t| |ƒsJtj}tjd| jj› d|d‚d S )NÚcertsr   zWSigning certificate attribute does not match selected signer's certificate for subject"z".r]   )rR   r-   r7   rb   r9   rc   ÚsubjectZhuman_friendly)ri   rU   rZ   Zcertidrh   r[   r[   r\   Ú_check_signing_certificate‹   s    
ürl   )ÚattrsÚclaimed_digest_algorithm_objÚclaimed_signature_algorithm_objÚclaimed_mac_algorithm_objc                 C   sà   zt | dƒ}W n2 tk
r&   d}Y n tk
r@   tdƒ‚Y nX |dk	rÜ|d j}||jkrht d¡‚|dk	r¢|d j}|dkrŽt d¡‚n||jkr¢t d¡‚|dk	rÜ|d	 j}|dkrÈt d
¡‚n||jkrÜt d¡‚dS )a  
    Internal API to validate the CMS algorithm protection attribute
    defined in :rfc:`6211`, if present.

    :param attrs:
        A CMS attribute list.
    :param claimed_digest_algorithm_obj:
        The claimed (i.e. unprotected) digest algorithm value.
    :param claimed_signature_algorithm_obj:
        The claimed (i.e. unprotected) signature algorithm value.
    :param claimed_mac_algorithm_obj:
        The claimed (i.e. unprotected) MAC algorithm value.
    :raises errors.CMSStructuralError:
        if multiple CMS protection attributes are present
    :raises errors.CMSAlgorithmProtectionError:
        if a mismatch is detected
    Zcms_algorithm_protectionNz4Multiple CMS algorithm protection attributes presentÚdigest_algorithmzCDigest algorithm does not match CMS algorithm protection attribute.Úsignature_algorithmz<CMS algorithm protection attribute not valid for signed datazFSignature mechanism does not match CMS algorithm protection attribute.Zmac_algorithmzCCMS algorithm protection attribute not valid for authenticated dataz@MAC mechanism does not match CMS algorithm protection attribute.)r0   r+   r*   r)   Únativer9   ÚCMSAlgorithmProtectionError)rm   rn   ro   rp   Zcms_algid_protectionZauth_digest_algorithmZauth_sig_algorithmZauth_mac_algorithmr[   r[   r\   rQ   ¤   sN     ÿÿ


ÿÿÿ
ÿ
ÿ
ÿ)Úsigner_infori   Úexpected_content_typeÚactual_digestÚalgorithm_usage_policyÚ
time_indicrV   c              
   C   sf  | d }| d }|d j }|dk	rÎ|j|||jd}	|	szd|d j › d}
|	jdk	rf|
d|	j› d	7 }
tj|
|	jdkd
‚|j||d}|sÎd|d j › d}
|jdk	rº|
d|j› d	7 }
tj|
|jdkd
‚| d j }| d }|tj	krúd}d}|}n| d  
¡ }| ¡ }d}zt|||dd W nl tk
r\ } ztj|jtjd‚W 5 d}~X Y n8 tjk
r’ } ztj|jtjd‚W 5 d}~X Y nX t||ƒ zt|dƒ}W n* ttfk
rÖ   tjdtjd‚Y nX |j }||krtjd|› d|› tjd‚t| ƒ}z t||||||||d d}W n tk
rF   d}Y nX |dk	rZ||kn|}||fS )ae  
    Validate the integrity of a signature for a particular signerInfo object
    inside a CMS signed data container.

    .. warning::
        This function does not do any trust checks, and is considered
        "dangerous" API because it is easy to misuse.

    :param signer_info:
        A :class:`cms.SignerInfo` object.
    :param cert:
        The signer's certificate.

        .. note::
            This function will not attempt to extract certificates from
            the signed data.
    :param expected_content_type:
        The expected value for the content type attribute (as a Python string,
        see :class:`cms.ContentType`).
    :param actual_digest:
        The actual digest to be matched to the message digest attribute.
    :param algorithm_usage_policy:
        Algorithm usage policy.
    :param time_indic:
        Time indication for the production of the signature.
    :return:
        A tuple of two booleans. The first indicates whether the provided
        digest matches the value in the signed attributes.
        The second indicates whether the signature of the digest is valid.
    rr   rq   Ú	algorithmN)ÚmomentÚ
public_keyzThe algorithm z, is not allowed by the current usage policy.z	 Reason: Ú.)Z	permanent)r{   Ú	signaturerU   TF)rn   ro   rp   r]   Úcontent_typezQContent type not found in signature, or multiple content-type attributes present.zContent type z did not match expected value )Ú	prehashedÚalgorithm_policyry   )rs   Zsignature_algorithm_allowedr|   Zfailure_reasonr9   r   Znot_allowed_afterZdigest_algorithm_allowedr   ÚVOIDZuntagra   rQ   r)   rc   Úfailure_messager6   ÚFORMAT_FAILURErt   r7   ZGENERICrl   r0   r+   r*   rD   rE   r   )ru   ri   rv   rw   rx   ry   rr   Zdigest_algorithm_objÚmd_algorithmZsig_algo_allowedÚmsgZdigest_algo_allowedr~   Zsigned_attrs_origZembedded_digestr€   Úsigned_datarU   rg   r   ÚvalidÚintactr[   r[   r\   rF   ê   sÀ    'ÿ
  ÿÿ
 ÿþÿ
 ÿ

	ü
 ÿû
 ÿý
ýø

ÿý)r‡   rV   c                 C   sV   zt | ƒ}|j}W n$ tk
r6   tjdtjd‚Y nX t| ƒ}|d }t||ƒ |S )a  
    Extract certificates from a CMS signed data object for validation purposes,
    identifying the signer's certificate in accordance with ETSI EN 319 102-1,
    5.2.3.4.

    :param signed_data:
        The CMS payload.
    :return:
        The extracted certificates.
    z,signer certificate not included in signaturer]   rU   )	r.   Úsigner_certr(   r9   rc   r7   rb   r/   rl   )r‡   Ú	cert_infori   ru   rU   r[   r[   r\   rO   ’  s    
þ
)	r‡   Ú
raw_digestÚvalidation_contextÚstatus_kwargsÚvalidation_pathÚpkix_validation_paramsr   Úkey_usage_settingsrV   c                Ã   s4  t | ƒ}t| ƒ}	|	j}
|	j}d}|dk	r>|p6t |j¡}|j}|pFtƒ }|dkrTt	}|d }|d j
}|d d j
}| d }|d j
}|dkrÀt|d ƒ}t|ƒ}t |¡}| |¡ | ¡ }n|d tjk	rÞtjdtjd	‚zt||
||||d
\}}W n< tk
r6 } ztjd|j tjd	|‚W 5 d}~X Y nX d } } }}|ròzj|j |¡ |dk	rrt|gƒ}n|j |
¡}t|
||||dI dH }|j }|j!}|j"p®|j#}|j$}W n8 t%k
rð } zt&j'd|d t(j)}W 5 d}~X Y nX |púi }|dkr
dn|j*|d< |j|||
||||||d	 |S )z†
    Perform basic validation of CMS and PKCS#7 signatures in isolation
    (i.e. integrity and trust checks).

    Internal API.
    Nrr   rz   rq   Úencap_content_infor   ÚcontentzKCMS structural error: detached signatures should not have encapsulated datar]   )rv   rw   rx   ry   zCMS structural error: )r‘   Úpathsr   z&Processing error in validation process©Úexc_infoÚvalidation_time)	r‰   rˆ   Zsigning_certr…   Zpkcs7_signature_mechanismZtrust_problem_indicr   Zrevocation_detailsÚerror_time_horizon)+r/   rO   rŠ   Úother_certsrC   Zlift_policyr   Zbest_signature_timer   rB   rs   Úbytesr1   r   ÚHashÚupdateÚfinalizer   r‚   r9   rc   r6   r„   rF   r)   rƒ   Úcertificate_registryÚregister_multipler4   Zpath_builderZasync_build_paths_lazyÚvalidate_cert_usageÚerror_subindicÚrevo_detailsÚsuccess_resultÚ
error_pathr˜   Ú
ValueErrorÚloggerÚerrorr7   Ú!CERTIFICATE_CHAIN_GENERAL_FAILUREr{   )r‡   rŒ   r   rŽ   r   r   r   r‘   ru   r‹   ri   r™   ry   rr   Z	mechanismr…   Úecirv   ÚrawZmd_specÚmdr‰   rˆ   rg   Úades_statusÚpathr¢   r˜   r”   Ú	op_resultr[   r[   r\   rK   ±  s²    ÿþ
ÿ




ý
úþýÿ
ÿû

ÿ÷z,CertvalidatorOperationResult[ValidationPath])ri   r   r‘   r”   r   rV   c                 ƒ   s*   t dœ‡ ‡‡‡‡fdd„}t|ƒ ƒI dH S )zE
    Low-level certificate validation routine.
    Internal API.
    )rV   c                   “   s    ˆ  ˆ ¡ tˆ ˆˆˆdI d H S )N)r   r   )Úvalidater   r[   ©ri   r‘   r”   r   r   r[   r\   Ú_check9  s    
üz#validate_cert_usage.<locals>._checkN)r$   Úhandle_certvalidator_errors)ri   r   r‘   r”   r   r±   r[   r°   r\   r    -  s    
r    )rŒ   r   rŽ   r‘   )r‡   Ú
status_clsrŒ   r   rŽ   r‘   rV   c                Ã   s   d S ©Nr[   )r‡   r³   rŒ   r   rŽ   r‘   r[   r[   r\   rG   F  s    	)r‡   rŒ   r   rŽ   r‘   rV   c                Ã   s   d S r´   r[   )r‡   rŒ   r   rŽ   r‘   r[   r[   r\   rG   R  s    )r‡   rŒ   r   rŽ   r‘   r   rV   c                 Ã   s.   |  |¡}t| |||||dI dH }|f |ŽS )aÓ  
    Validate a CMS signature (i.e. a ``SignedData`` object).

    :param signed_data:
        The :class:`.asn1crypto.cms.SignedData` object to validate.
    :param status_cls:
        Status class to use for the validation result.
    :param raw_digest:
        Raw digest, computed from context.
    :param validation_context:
        Validation context to validate the signer's certificate.
    :param status_kwargs:
        Other keyword arguments to pass to the ``status_class`` when reporting
        validation results.
    :param key_usage_settings:
        A :class:`.KeyUsageConstraints` object specifying which key usages
        must or must not be present in the signer's certificate.
    :param algorithm_policy:
        The algorithm usage policy for the signature validation.

        .. warning::
            This is distinct from the algorithm usage policy used for
            certificate validation, but the latter will be used as a fallback
            if this parameter is not specified.

            It is nonetheless recommended to align both policies unless
            there is a clear reason to do otherwise.
    :return:
        A :class:`.SignatureStatus` object (or an instance of a proper subclass)
    )r‘   r   N)Údefault_usage_constraintsrK   )r‡   r³   rŒ   r   rŽ   r‘   r   Zeff_key_usage_settingsr[   r[   r\   rG   ]  s    'ÿú	)ru   rV   c              	   C   s:   z| d }t |dƒ}|jW S  ttfk
r4   Y dS X dS )a  
    Extract self-reported timestamp (from the ``signingTime`` attribute)

    Internal API.

    :param signer_info:
        A ``SignerInfo`` value.
    :return:
        The value of the ``signingTime`` attribute as a ``datetime``, or
        ``None``.
    rU   Zsigning_timeN)r0   rs   r+   r*   )ru   ÚsaÚstr[   r[   r\   rN   “  s    
F)ru   ÚsignedrV   c              	   C   sX   z8|r| d }t |dƒ}n| d }t |dƒ}|d }|W S  ttfk
rR   Y dS X dS )a‡  
    Extract signed data associated with a timestamp token.

    Internal API.

    :param signer_info:
        A ``SignerInfo`` value.
    :param signed:
        If ``True``, look for a content timestamp (among the signed
        attributes), else look for a signature timestamp (among the unsigned
        attributes).
    :return:
        The ``SignedData`` value found, or ``None``.
    rU   Zcontent_time_stampZunsigned_attrsZsignature_time_stamp_tokenr“   N)r0   r+   r*   )ru   r¸   r¶   ZtstZuaÚtst_signed_datar[   r[   r\   rM   §  s    
c                 C   sf   t | ƒ}|dkrdS |d }|d jd }|d d j}| d j}t|ƒ}t |¡}| |¡ | ¡ S )a.  
    Compute the digest of the signature according to the message imprint
    algorithm information in a signature timestamp token.

    Internal API.

    :param signer_info:
        A ``SignerInfo`` value.
    :return:
        The computed digest, or ``None`` if there is no signature timestamp.
    Nr’   r“   Úmessage_imprintÚhash_algorithmrz   r~   )rM   Úparsedrs   r1   r   r›   rœ   r   )ru   Ztst_datar©   ÚmiZtst_md_algorithmZsignature_bytesZtst_md_specr«   r[   r[   r\   rL   Å  s    


)ru   Úts_validation_contextrŒ   c                 Ã   s¦   i }t | ƒ}|dk	r||d< t| dd}|dk	rht| ƒ}|dk	sDt‚t|||ƒI dH }tf |Ž}||d< t| dd}	|	dk	r¢t|	||dI dH }
tf |
Ž}||d< |S )	aý  
    Collect and validate timing information in a ``SignerInfo`` value.
    This includes the ``signingTime`` attribute, content timestamp information
    and signature timestamp information.

    :param signer_info:
        A ``SignerInfo`` value.
    :param ts_validation_context:
        The timestamp validation context to validate against.
    :param raw_digest:
        The raw external message digest bytes (only relevant for the
        validation of the content timestamp token, if there is one)
    NÚsigner_reported_dtF)r¸   Ztimestamp_validityT)Úexpected_tst_imprintZcontent_timestamp_validity)rN   rM   rL   ÚAssertionErrorrI   rA   )ru   r¾   rŒ   rŽ   r¿   r¹   Ztst_signature_digestZtst_validity_kwargsZtst_validityZcontent_tst_signed_dataZcontent_tst_validity_kwargsZcontent_tst_validityr[   r[   r\   rH   æ  s6    ý

ýÿ)r¹   r   rÀ   r   c           
      Ã   s®   d}| d d }t |tjƒr"|j}t |tjƒs>tjdtj	d‚|d j
}t ¡ }t| |d|i||dI dH }|d	 d
 j
}	||	krªt d|	 ¡ › d| ¡ › d¡ d|d< |S )a  
    Validate the ``SignedData`` of a time stamp token.

    :param tst_signed_data:
        The ``SignedData`` value to validate; must encapsulate a ``TSTInfo``
        value.
    :param validation_context:
        The validation context to validate against.
    :param expected_tst_imprint:
        The expected message imprint value that should be contained in
        the encapsulated ``TSTInfo``.
    :param algorithm_policy:
        The algorithm usage policy for the signature validation.

        .. warning::
            This is distinct from the algorithm usage policy used for
            certificate validation, but the latter will be used as a fallback
            if this parameter is not specified.

            It is nonetheless recommended to align both policies unless
            there is a clear reason to do otherwise.
    :return:
        Keyword arguments for a :class:`.TimeStampSignatureStatus`.
    Nr’   r“   z'SignedData does not encapsulate TSTInfor]   Zgen_timeÚ	timestamp)r   rŽ   r‘   r   rº   Zhashed_messagezTimestamp token imprint is z, but expected r}   Fr‰   )Ú
isinstancer   ZParsableOctetStringr¼   r   ZTSTInfor9   rc   r6   r„   rs   rA   rµ   rK   r¦   ÚwarningÚhex)
r¹   r   rÀ   r   Ztst_infoZtst_info_bytesrÂ   Zku_settingsrŽ   Ztst_imprintr[   r[   r\   rI     s2    þ
û	ÿ)ÚacsrŠ   r   rV   c                 ƒ   s|   ‡ ‡fdd„| D ƒ}g }g }t  |¡D ]L}z| |I d H ¡ W q& tttfk
rp } z| |¡ W 5 d }~X Y q&X q&||fS )Nc                    s   g | ]}t |ˆˆ d ‘qS ))Zholder_cert)r'   )Ú.0Úac©rŠ   r   r[   r\   Ú
<listcomp>c  s   ÿz+process_certified_attrs.<locals>.<listcomp>)ÚasyncioZas_completedÚappendr   r   r   )rÆ   rŠ   r   ÚjobsÚresultsr9   Zjobrg   r[   rÉ   r\   Úprocess_certified_attrsY  s    
þýrÏ   ©Úsd_attr_certificatesrŠ   r   Úsd_signed_attrsc              
   Ã   s¨  zt |dƒ}W nN tk
r&   d }Y n8 tk
r\ } ztjt|ƒtjd|‚W 5 d }~X Y nX i }d }d }|d k	rN|d }	t 	t
|	tjƒs|	nd¡}
|d }d}t
|tjƒsîdd„ |D ƒ}t|ƒt|ƒk}|d k	rît|||ƒ}|I d H \}}|d k	rt |¡}nd }|pt
|d	 tjƒ }|d k	r:|r:t d
¡ t|
|||d|d< |d k	r¤t| ||ƒI d H \}}|r~| |¡ |rŽ| |¡ t |¡|d< ||d< |S )NZsigner_attributes_v2r]   Zclaimed_attributesr[   Zcertified_attributes_v2Fc                 S   s   g | ]}|j d kr|j‘qS )Z	attr_cert)ÚnameZchosen)rÇ   rZ   r[   r[   r\   rÊ   ›  s   
þz.collect_signer_attr_status.<locals>.<listcomp>Zsigned_assertionsz¡CAdES signer attributes with externally certified assertions for which no validation method is available. This may affect signature semantics in unexpected ways.)Zclaimed_attrsZcertified_attrsÚac_validation_errsZunknown_attrs_presentZcades_signer_attrsZac_attrsrÔ   )r0   r+   r*   r9   rc   Ústrr6   r„   r=   Úfrom_iterablerÃ   r   ZVoidÚlenrÏ   r<   Zfrom_resultsr¦   rÄ   r;   Úextend)rÑ   rŠ   r   rÒ   Zsigner_attrsrg   ÚresultZcades_ac_resultsZcades_ac_errorsZclaimed_asn1ZclaimedZcertified_asn1Zunknown_cert_attrsZ	cades_acsZval_jobZ	certifiedZunknown_attrsZ
ac_resultsZ	ac_errorsr[   r[   r\   rP   u  s„     ÿ ÿþ
ÿþý
 ÿÿü

  ÿ

)Ú
input_datar‡   Úsigner_validation_contextr¾   Úac_validation_contextr‘   r   rV   c	                 Ã   s  |dkr|}t |ƒ}	|	d d j}
t t|
ƒ¡}t| tƒrF| | ¡ n@t| tj	tj
fƒrl| t| d ƒ¡ nt|ƒ}tj|| ||d | ¡ }t|	||dI dH }t |¡}t||||||dI dH }t|ƒ}|dk	rä|j |j¡ | t|j|j||	d d	I dH ¡ tf |ŽS )
a¨  
    .. versionadded: 0.9.0

    .. versionchanged: 0.11.0
        Added ``ac_validation_context`` param.

    Validate a detached CMS signature.

    :param input_data:
        The input data to sign. This can be either a :class:`bytes` object,
        a file-like object or a :class:`cms.ContentInfo` /
        :class:`cms.EncapsulatedContentInfo` object.

        If a CMS content info object is passed in, the `content` field
        will be extracted.
    :param signed_data:
        The :class:`cms.SignedData` object containing the signature to verify.
    :param signer_validation_context:
        Validation context to use to verify the signer certificate's trust.
    :param ts_validation_context:
        Validation context to use to verify the TSA certificate's trust, if
        a timestamp token is present.
        By default, the same validation context as that of the signer is used.
    :param ac_validation_context:
        Validation context to use to validate attribute certificates.
        If not supplied, no AC validation will be performed.

        .. note::
            :rfc:`5755` requires attribute authority trust roots to be specified
            explicitly; hence why there's no default.
    :param algorithm_policy:
        The algorithm usage policy for the signature validation.

        .. warning::
            This is distinct from the algorithm usage policy used for
            certificate validation, but the latter will be used as a fallback
            if this parameter is not specified.

            It is nonetheless recommended to align both policies unless
            there is a clear reason to do otherwise.
    :param key_usage_settings:
        Key usage parameters for the signer.
    :param chunk_size:
        Chunk size to use when consuming input data.
    :param max_read:
        Maximal number of bytes to read from the input stream.
    :return:
        A description of the signature's status.
    Nrq   rz   r“   )Úmax_read)r¾   rŒ   )rŒ   r   rŽ   r‘   r   rU   rÐ   )r/   rs   r   r›   r1   rÃ   rš   rœ   r   ÚContentInfoÚEncapsulatedContentInfoÚ	bytearrayr3   Zchunked_digestr   rH   r@   rµ   rK   r.   rž   rŸ   r™   rP   Zattribute_certsrŠ   )rÚ   r‡   rÛ   r¾   rÜ   r‘   r   Ú
chunk_sizerÝ   ru   rq   ÚhZtemp_bufZdigest_bytesrŽ   r‹   r[   r[   r\   rJ   Ú  sT    =
ýÿúÿü
ÿÚ
ResultTypeT)Ú	covariant)Úfrozenc                   @   s^   e Zd ZU dZee ed< dZee ed< dZ	ee
 ed< dZee ed< dZee ed< dS )ÚCertvalidatorOperationResultzB
    Internal class to inspect error data from certvalidator.
    r£   Nr¢   r˜   r¤   r¡   )Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   rã   Ú__annotations__r¢   r>   r˜   r   r¤   r$   r¡   r7   r[   r[   r[   r\   ræ   H  s   
ræ   )ÚcororV   c              
   Ã   sÆ  d}d }}zt | I dH dW S  tk
rX } ztj|j|d tj}W 5 d}~X Y n\ tk
r } ztj|j|d tj}W 5 d}~X Y n$ t	k
rÎ } z tj|j|d tj
}|j}W 5 d}~X Y næ tk
r( } z:tj|j|d |j}|jdkr
tj}ntj}|j}W 5 d}~X Y nŒ tk
r® } zf|j}t |j¡ |j}|jrbtj}n:|jr„tj}td|j|jd}ntj}td|j|jd}W 5 d}~X Y n tk
rä } ztjd|d tj}W 5 d}~X Y nÐ tk
r< } z:|j}t |j¡ |j}|js&|jr&tj}ntj}W 5 d}~X Y nx tk
rz } z |j}tj|j|d tj}W 5 d}~X Y n: t k
r² } ztj|j|d tj}W 5 d}~X Y nX t d||||dS )	zˆ
    Internal error handling function that maps certvalidator errors
    to AdES status indications.

    :param coro:
    :return:
    N)r£   r•   F)Z
ca_revokedÚrevocation_dateÚrevocation_reasonTzFailed to build path)r£   r¢   r˜   r¤   r¡   )!ræ   r   r¦   rÄ   Zfailure_msgr7   ZCHAIN_CONSTRAINTS_FAILUREr#   ZNO_POEr!   Z	TRY_LATERZtime_cutoffr   Zoriginal_pathZbanned_sinceZCRYPTO_CONSTRAINTS_FAILUREZ!CRYPTO_CONSTRAINTS_FAILURE_NO_POEr    Zrevocation_dtZis_side_validationr¨   Z
is_ee_certZREVOKED_NO_POEr>   ÚreasonZREVOKED_CA_NO_POEr   ZNO_CERTIFICATE_CHAIN_FOUNDr   Z
expired_dtZOUT_OF_BOUNDS_NO_POEr   r"   )rì   Ztime_horizonr¢   r­   rg   r¬   r[   r[   r\   r²   U  s€    
ýýûr²   )NN)NNNNNN)N)F)N)€rË   ÚloggingÚdataclassesr   r   Útypingr   r   r   r   r   r	   r
   r   r   r   r   r   r   Z
asn1cryptor   r   r   r   r   Úcryptography.exceptionsr   Zcryptography.hazmat.primitivesr   Zpyhanko_certvalidatorr   r   r   Zpyhanko_certvalidator.errorsr   r   r   r   r   r    r!   r"   Z pyhanko_certvalidator.ltv.errorsr#   Zpyhanko_certvalidator.pathr$   Z!pyhanko_certvalidator.policy_declr%   Zpyhanko_certvalidator.validater&   r'   Zpyhanko.sign.generalr(   r)   r*   r+   r,   r-   r.   r/   r0   r1   Z	pdf_utilsr3   Zpdf_utils.miscr4   Zades.reportr6   r7   Ú r9   Úsettingsr:   Ústatusr;   r<   r=   r>   r?   r@   rA   ÚutilsrB   rC   rD   rE   Ú__all__Ú	getLoggerrç   r¦   rS   ZCMSAttributesr_   r^   rR   ÚboolrY   ÚCertificaterl   ZDigestAlgorithmZSignedDigestAlgorithmZHmacAlgorithmrQ   Z
SignerInforÕ   rš   rF   Z
SignedDatarO   ÚdictrK   r    rG   rN   rM   rL   rH   rI   ZAttributeCertificateV2rÏ   rP   ZDEFAULT_CHUNK_SIZErÞ   rß   rJ   rã   ræ   r²   r[   r[   r[   r\   Ú<module>   s‚  <(
0$	ó
þ ÿüK  ú
ù *þ!      ù
ö  ûúùøúùùø6 ÿ þþ"ý9 üü?ÿÿÿüüh÷ökþ