U
    <ßôgÁ‹  ã                   @   sT  d dl Z d dlZd dlmZ d dlmZ d dlmZmZmZ d dl	m
Z
mZ d dlmZ d dlmZ d dlmZmZ d d	lmZ d d
lmZmZ d dlmZmZmZmZmZ d dlmZm Z m!Z!m"Z"m#Z#m$Z$ d dl%m&Z&m'Z'm(Z(m)Z) ddl*m+Z+m,Z,m-Z- ddl.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6 ddl7m8Z8 ddl9m:Z:m;Z;m<Z< ddl=m>Z> dddddddgZ?e  @eA¡ZBeejC dœdd„ZDee  dœdd„ZEejCeFd œd!d„ZGG d"d„ dƒZHedd#d$gƒZIeeeI d%œd&d„ZJeHd'œd(d)„ZKeHeeLd*œd+d„ZMd,d-„ ZNd3eHee ee ee ee ee8 eLee> e;d/œ	d0d„ZOd4eHee ee eLe:d1œd2d„ZPdS )5é    N)Ú
namedtuple)Údatetime)ÚListÚOptionalÚUnion)ÚcmsÚx509)ÚValidationContext)ÚValidationPath)ÚgenericÚmisc)Úpdf_name)ÚPdfFileReaderÚprocess_data_at_eof)ÚDEFAULT_DIFF_POLICYÚ
DiffPolicyÚ
DiffResultÚModificationLevelÚSuspiciousModification)ÚFieldMDPSpecÚMDPPermÚSeedLockDocumentÚSigSeedSubFilterÚSigSeedValFlagsÚSigSeedValueSpec)ÚSignedDataCertsÚUnacceptableSignerErrorÚbyte_range_digestÚextract_signer_infoé   )ÚSignatureValidationErrorÚSigSeedValueValidationErrorÚValidationInfoReadingError)Úcms_basic_validationÚcollect_signer_attr_statusÚcollect_timing_infoÚcompute_signature_tst_digestÚextract_certs_for_validationÚextract_self_reported_tsÚextract_tst_dataÚvalidate_tst_signed_data)ÚKeyUsageConstraints)ÚDocumentTimestampStatusÚPdfSignatureStatusÚSignatureCoverageLevel)ÚCMSAlgorithmUsagePolicyÚEmbeddedPdfSignatureÚ
DocMDPInfoÚread_certification_dataÚasync_validate_pdf_signatureÚasync_validate_pdf_timestampÚreport_seed_value_validationÚextract_contents©Úreturnc                 C   sN   z| d }W n t k
r"   Y d S X |D ] }| ¡ }|d |kr(|  S q(d S )Nz
/Referencez/TransformMethod)ÚKeyErrorÚ
get_object)Úsignature_objÚmethodZsig_refsÚref© r>   úH/tmp/pip-unpacked-wheel-w101_d3s/pyhanko/sign/validation/pdf_embedded.pyÚ_extract_reference_dictI   s    
r@   c              
   C   sd   t | dƒ}|d krd S z|d  d¡}t|ƒW S  ttfk
r^ } ztdƒ|‚W 5 d }~X Y nX d S )Nú/DocMDPú/TransformParamsú/Pz#Failed to read document permissions)r@   Úraw_getr   Ú
ValueErrorr9   r    )r;   r=   Z	raw_permsÚer>   r>   r?   Ú_extract_docmdp_for_sigW   s    

ÿþrG   )Ú
sig_objectr8   c                 C   sX   z| j dtjjd}W n tk
r4   t d¡‚Y nX t|tjtj	fƒsRt d¡‚|j
S )zã
    Internal function to extract the (DER-encoded) signature bytes from a PDF
    signature dictionary.

    :param sig_object:
        A signature dictionary.
    :return:
        The extracted contents as a byte string.
    z	/Contents)Údecryptz+Could not read /Contents entry in signaturez/Contents must be string-like)rD   r   ZEncryptedObjAccessZRAWr9   r   ÚPdfReadErrorÚ
isinstanceZTextStringObjectZByteStringObjectÚoriginal_bytes)rH   Úcms_contentr>   r>   r?   r6   d   s     ÿ
 
ÿ
c                   @   sŒ  e Zd ZU dZejed< ejed< ejed< e	eje
dœdd„Zedœd	d
„Zeeej dœdd„ƒZeeej dœdd„ƒZeejdœdd„ƒZeejdœdd„ƒZedd„ ƒZeee dœdd„ƒZeeej dœdd„ƒZd0dd„Zedœdd„Zeee  dœdd „ƒZ!eee" dœd!d"„ƒZ#eee$ dœd#d$„ƒZ%e&dœd%d&„Z'ee& dœd'd(„Z(e)dœd)d*„Z*d+d,„ Z+e,e-e.e/f d-œd.d/„Z0dS )1r0   zA
    Class modelling a signature embedded in a PDF document.
    Ú	sig_fieldrH   Úsigned_data)ÚreaderrN   Úfq_namec                 C   sn  || _ t|tjƒr| ¡ }|| _| d¡}| ¡  | _}t|tjƒsHt	‚z| d¡| _
W n tk
rv   t d¡‚Y nX t|ƒ | _}tj |¡}|d }|| _t|ƒ| _d | _| jd }	|	d j ¡ | _|d }
|
d j}|d	krî| j| _n(|d
kr|
d jd }|d d j| _| j j |j¡| _d | _ d | _!d | _"d | _#d | _$d | _%| _&d | _'d | _(d| _)|| _*d S )Nz/Vz
/ByteRangez,Could not read /ByteRange entry in signatureÚcontentZdigest_algorithmÚ	algorithmZencap_content_infoÚcontent_typeÚdataZtst_infoZmessage_imprintÚhash_algorithmF)+rP   rK   r   ZIndirectObjectr:   rN   rD   rH   ÚDictionaryObjectÚAssertionErrorÚ
byte_ranger9   r   rJ   r6   Úpkcs7_contentr   ZContentInfoÚloadrO   r   Úsigner_infoÚ_sd_cert_infoZnativeÚlowerÚmd_algorithmÚexternal_md_algorithmÚparsedÚxrefsZget_last_changeÚ	referenceÚsigned_revisionÚcoverageÚexternal_digestÚ	total_lenÚ_docmdpÚ	_fieldmdpÚ_docmdp_queriedÚ_fieldmdp_queriedÚtst_signature_digestÚdiff_resultÚ_integrity_checkedrQ   )ÚselfrP   rN   rQ   Zsig_object_refrH   rM   ÚmessagerO   Zdigest_algoZecirT   Úmir>   r>   r?   Ú__init__”   sV    
ÿ





ÿÿzEmbeddedPdfSignature.__init__r7   c                 C   s   | j d krt| jƒ| _ | j S )N)r]   r'   rO   ©ro   r>   r>   r?   Ú_init_cert_infoà   s    
z$EmbeddedPdfSignature._init_cert_infoc                 C   s   t |  ¡ jƒS )z2
        Embedded attribute certificates.
        )Úlistrt   Zattribute_certsrs   r>   r>   r?   Úembedded_attr_certså   s    z(EmbeddedPdfSignature.embedded_attr_certsc                 C   s   t |  ¡ jƒS )zQ
        Embedded X.509 certificates, excluding than that of the signer.
        )ru   rt   Zother_certsrs   r>   r>   r?   Úother_embedded_certsì   s    z)EmbeddedPdfSignature.other_embedded_certsc                 C   s
   |   ¡ jS )z,
        Certificate of the signer.
        )rt   Úsigner_certrs   r>   r>   r?   rx   ó   s    z EmbeddedPdfSignature.signer_certc                 C   s   | j  dtdƒ¡S )a  
        Returns the type of the embedded signature object.
        For ordinary signatures, this will be ``/Sig``.
        In the case of a document timestamp, ``/DocTimeStamp`` is returned.

        :return:
            A PDF name object describing the type of signature.
        z/Typeú/Sig)rH   Úgetr   rs   r>   r>   r?   Úsig_object_typeú   s    
z$EmbeddedPdfSignature.sig_object_typec                 C   s   | j S )zC
        :return:
            Name of the signature field.
        )rQ   rs   r>   r>   r?   Ú
field_name  s    zEmbeddedPdfSignature.field_namec                 C   sP   t | jƒ}|dk	r|S z| jd }tj|| jjdW S  tk
rJ   Y dS X dS )zÜ
        :return:
            The signing time as reported by the signer, if embedded in the
            signature's signed attributes or provided as part of the signature
            object in the PDF document.
        Nz/M)Ústrict)r(   r\   rH   r   Zparse_pdf_daterP   r}   r9   )ro   ÚtsZst_as_pdf_dater>   r>   r?   Úself_reported_timestamp  s    

 ÿz,EmbeddedPdfSignature.self_reported_timestampc                 C   s
   t | jƒS )z‹
        :return:
            The signed data component of the timestamp token embedded in this
            signature, if present.
        )r)   r\   rs   r>   r>   r?   Úattached_timestamp_data"  s    z,EmbeddedPdfSignature.attached_timestamp_dataNFc                 C   sD   |   ¡  |  ¡  |  ¡  |  ¡ | _|p(t}|s:|  |¡| _d| _dS )a«  
        Compute the various integrity indicators of this signature.

        :param diff_policy:
            Policy to evaluate potential incremental updates that were appended
            to the signed revision of the document.
            Defaults to
            :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
        :param skip_diff:
            If ``True``, skip the difference analysis step entirely.
        TN)	Ú_enforce_hybrid_xref_policyÚcompute_digestÚcompute_tst_digestÚevaluate_signature_coveragere   r   Úevaluate_modificationsrm   rn   )ro   Údiff_policyÚ	skip_diffr>   r>   r?   Úcompute_integrity_info+  s    
z+EmbeddedPdfSignature.compute_integrity_infoc                 C   sˆ   | j stdƒ‚| j}| j}| j}d}|dk	rdt|tƒr<|jntj	}|tj	kp^|dk	o^|j
|j
k }n|tjkrx|tjk}|||dœ}|S )a  
        Compile the integrity information for this signature into a dictionary
        that can later be passed to :class:`.PdfSignatureStatus` as kwargs.

        This method is only available after calling
        :meth:`.EmbeddedPdfSignature.compute_integrity_info`.
        zGCall compute_integrity_info() before invokingsummarise_integrity_info()N)re   Ú	docmdp_okrm   )rn   r    Údocmdp_levelrm   re   rK   r   Zmodification_levelr   ÚOTHERÚvaluer.   ÚENTIRE_REVISIONÚENTIRE_FILE)ro   Údocmdprm   re   r‰   Z	mod_levelÚstatus_kwargsr>   r>   r?   Úsummarise_integrity_infoD  s.    	ÿÿý
þ

ýz-EmbeddedPdfSignature.summarise_integrity_infoc                 C   s0   z| j d }W n tk
r$   Y d S X t |¡S )Nz/SV)rN   r9   r   Úfrom_pdf_object)ro   Zsig_sv_dictr>   r>   r?   Úseed_value_specq  s
    z$EmbeddedPdfSignature.seed_value_specc                 C   s`   | j r| jS t| jd}|dkrPz| jd }t|d ƒ}W n tk
rN   Y nX || _d| _ |S )av  
        :return:
            The document modification policy required by this signature or
            its Lock dictionary.

            .. warning::
                This does not take into account the DocMDP requirements of
                earlier signatures (if present).

                The specification forbids signing with a more lenient DocMDP
                than the one currently in force, so this should not happen
                in a compliant document.
                That being said, any potential violations will still invalidate
                the earlier signature with the stricter DocMDP policy.

        )r;   Nz/LockrC   T)rj   rh   rG   rH   rN   r   r9   )ro   r   Z	lock_dictr>   r>   r?   rŠ   y  s    
z!EmbeddedPdfSignature.docmdp_levelc              
   C   sx   | j r| jS t| jdƒ}d| _ |dkr*dS zt |d ¡}W n0 ttfk
rl } ztdƒ|‚W 5 d}~X Y nX || _|S )z¨
        :return:
            Read the field locking policy of this signature, if applicable.
            See also :class:`~.pyhanko.sign.fields.FieldMDPSpec`.
        z	/FieldMDPTNrB   z!Failed to read /FieldMDP settings)	rk   ri   r@   rH   r   r’   rE   r9   r    )ro   Zref_dictÚsprF   r>   r>   r?   Úfieldmdp™  s     ÿþzEmbeddedPdfSignature.fieldmdpc                 C   s6   | j dk	r| j S t| jj| j| jd\| _}|| _ |S )z™
        Compute the ``/ByteRange`` digest of this signature.
        The result will be cached.

        :return:
            The digest value.
        N)rY   r_   )rf   r   rP   ÚstreamrY   r`   rg   ©ro   Údigestr>   r>   r?   r‚   °  s    
ýz#EmbeddedPdfSignature.compute_digestc                 C   s$   | j dk	r| j S t| jƒ | _ }|S )a  
        Compute the digest of the signature needed to validate its timestamp
        token (if present).

        .. warning::
            This computation is only relevant for timestamp tokens embedded
            inside a regular signature.
            If the signature in question is a document timestamp (where the
            entire signature object is a timestamp token), this method
            does not apply.

        :return:
            The digest value, or ``None`` if there is no timestamp token.
        N)rl   r&   r\   r—   r>   r>   r?   rƒ   Ã  s    
ÿ
z'EmbeddedPdfSignature.compute_tst_digestc                 C   s"  | j j}| j j}t| jƒdks,| jd dkr2tjS | j\}}}}| dtj	¡ t| j
ƒd d }|| | }| ¡ |k}	|	r‚tjS ||| k}
|
s˜tjS | |¡ | j}z&t|ƒ}| |¡}||krÌtjW S W n tjk
rê   tj Y S X t|d ƒD ]"}| |¡}|j|krøtj  S qøtjS )z˜
        Internal method used to evaluate the coverage level of a signature.

        :return:
            The coverage level of the signature.
        é   r   é   r   )rP   rb   r–   ÚlenrY   r.   ZUNCLEARÚseekÚosÚSEEK_ENDrZ   ÚtellrŽ   rd   r   Zget_startxref_for_revisionZCONTIGUOUS_BLOCK_FROM_STARTr   rJ   ÚrangeZget_xref_container_infoZend_locationr   )ro   Z
xref_cacher–   Ú_Zlen1Zstart2Zlen2Zembedded_sig_contentZsigned_zone_lenZfile_coveredÚ
contiguousZ
signed_revZ	startxrefÚexpectedÚrevisionZ	xref_metar>   r>   r?   r„   Ú  s8    





z0EmbeddedPdfSignature.evaluate_signature_coveragec                 C   s    | j }|jr|jjrtdƒ‚d S )NzJSettings do not permit validation of signatures in hybrid-reference files.)rP   r}   rb   Zhybrid_xrefs_presentr    )ro   rP   r>   r>   r?   r   "  s
    ÿz0EmbeddedPdfSignature._enforce_hybrid_xref_policy)r†   r8   c                 C   sH   | j tjk rtdƒS | j tjkr.ttjtƒ ƒS |j	| j
| j| j| jdS )zY
        Internal method used to evaluate the modification level of a signature.
        z$Nonstandard signature coverage level)Zfield_mdp_specÚdoc_mdp)re   r.   r   r   rŽ   r   r   ÚNONEÚsetZreview_filerP   rd   r•   rŠ   )ro   r†   r>   r>   r?   r…   *  s    ÿüz+EmbeddedPdfSignature.evaluate_modifications)NF)1Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   rW   Ú__annotations__r   Z
SignedDatar   Ústrrr   r   rt   Úpropertyr   ZAttributeCertificateV2rv   r   ÚCertificaterw   rx   Z
NameObjectr{   r|   r   r   r   r€   rˆ   Údictr‘   r   r“   r   rŠ   r   r•   Úbytesr‚   rƒ   r.   r„   r   r   r   r   r   r…   r>   r>   r>   r?   r0   €   sL   



üL

-H	
þZ
permissionZ
author_sig)rP   r8   c                 C   s<   z| j d d }W n tk
r(   Y dS X t|ƒ}t||ƒS )zî
    Read the certification information for a PDF document, if present.

    :param reader:
        Reader representing the input document.
    :return:
        A :class:`.DocMDPInfo` object containing the relevant data, or ``None``.
    ú/PermsrA   N)Úrootr9   rG   r1   )rP   Zcertification_sigÚpermr>   r>   r?   r2   G  s    	)Úemb_sigc              
   C   s¬  | j }|d krd S | j}|jd k	rbz|j ||¡ W n, tk
r` } zt|ƒ|‚W 5 d }~X Y nX |st|jrttdƒ‚| j}|jd k	r:|j 	¡ }z$| j
jd }| d¡}	|	|jk}
W n  ttjtfk
rÔ   d}
Y nX ||
krdd„ }td||ƒ› d||
ƒ› d	ƒ‚|r:|jj}| j}||kr:td
|› d|› dƒ‚|j}|sJd S |d }t|ƒ}|tj@ r´|jd k	r´|js‚tdƒ‚|jd }|d k	r´||kr´td|j|jf ƒ‚|tj@ rÖ|jd k	rÖt d¡ |tj@ rö|j d k	rötdƒ‚|tj!@ rX|j"d k	rX| j}|j"t#j$kr6|t%j&kr6tdƒ‚|j"t#j'krX|t%j&krXtdƒ‚| j(}|tj)@ r|j*d k	rddl+m,} z||ƒ d}W n t-k
r¬   d}Y nX |j*|kràtd|j*rÊdnd|rÖdndf ƒ‚|j*r|tj.krtdtj.j ƒ‚|tj/@ r>|j0d k	r>| j1 2¡ }||j0kr>td| ƒ‚|tj3@ r¨|j4pTg }| pf|dgk}| 5d¡}|rŠ|d k	rŠtdƒ‚|s¨||kr¨td|f ƒ‚d S ) NznThe seed value dictionary requires a trusted timestamp, but none was found, or the timestamp did not validate.r²   rA   Fc                 S   s   | rdS dS )Nza certificationzan approvalr>   )Zcertifyr>   r>   r?   Ú_typex  s    z'_validate_sv_constraints.<locals>._typezPThe seed value dictionary's /MDP entry specifies that this field should contain z signature, but z appears to have been used.zaThe seed value dictionary specified that this certification signature should use the MDP policy 'z', but 'z' was used in the signature.ú
/SubFilterzPThe signature encodings mandated by the seed value dictionary are not supported.r   zVThe seed value dictionary mandates subfilter '%s', but '%s' was used in the signature.zˆThe signature's seed value dictionary specifies the /AppearanceFilter entry as mandatory, but this constraint is impossible to validate.zpyHanko does not support legal attestations, but the seed value dictionary mandates that they be restricted to a specific subset.z<Document must be locked, but some changes are still allowed.zGDocument must not be locked, but the DocMDP level is set to NO_CHANGES.)Úretrieve_adobe_revocation_infoTzbThe seed value dict mandates that revocation info %sbe added, but it was %sfound in the signature.Ú znot zdThe seed value dict mandates that Adobe-style revocation info be added; this requires subfilter '%s'zKThe selected message digest %s is not allowed by the seed value dictionary.Ú.z/Reasonz@The seed value dictionary prohibits giving a reason for signing.zIThe reason for signing "%s" is not accepted by the seed value dictionary.)6r“   rx   ÚcertÚsatisfied_byr   r!   Ztimestamp_requiredrH   Zseed_signature_typeZcertification_signaturerP   r³   Zget_value_as_referenceZcontainer_refr9   r   ZIndirectObjectExpectedÚAttributeErrorZmdp_permrŠ   Úflagsr   r   Z	SUBFILTERZ
subfiltersÚNotImplementedErrorrŒ   ZAPPEARANCE_FILTERZ
appearanceÚloggerÚwarningZLEGAL_ATTESTATIONZlegal_attestationsZLOCK_DOCUMENTZlock_documentr   ZLOCKr   Z
NO_CHANGESZDO_NOT_LOCKr\   ZADD_REV_INFOZadd_rev_infoZpyhanko.sign.validation.ltvr¸   r"   ÚADOBE_PKCS7_DETACHEDZDIGEST_METHODZdigest_methodsr_   r^   ZREASONSÚreasonsrz   )rµ   Úvalidation_pathÚtimestamp_foundZsv_specZsigning_certrF   Zsig_objZ
sv_certifyZpermsZcert_sig_refZwas_certifiedr¶   Zsv_mdp_permr¥   r¾   Zselected_sf_strZselected_sfZmandated_sfr\   r¸   Zrevinfo_foundZselected_mdrÃ   Z	must_omitZreason_givenr>   r>   r?   Ú_validate_sv_constraintsY  s   

ÿ



ÿ
ÿÿ

þÿÿþÿÿþÿÿþ
ÿþÿ
ÿþÿÿþ
þþÿ	ÿþþÿÿþ
ÿÿ
ÿÿÿrÆ   )Úembedded_sigrÄ   rÅ   c              
   C   s\   zt | ||d d}W n4 tk
rJ } ztjd|d |}W 5 d}~X Y nX | jdk	|dœS )aŽ  
    Internal API function to enforce seed value constraints (if present)
    and report on the result(s).

    :param embedded_sig:
        The embedded signature.
    :param validation_path:
        The validation path for the signer's certificate.
    :param timestamp_found:
        Flag indicating whether a valid timestamp was found or not.
    :return:
        A ``status_kwargs`` dict.
    )rÅ   NzError in seed value validation.)Úexc_info)Zhas_seed_valuesZseed_value_constraint_error)rÆ   r!   rÀ   rÁ   r“   )rÇ   rÄ   rÅ   Zsv_errrF   r>   r>   r?   r5     s      ÿþc                 C   sJ   zddl m} || ƒ|k}W n tk
r4   d}Y nX |sFt||  ƒ‚d S )Nr   )r   F)Úpyhanko.sign.fieldsr   rE   r    )Úsubfilter_strZpermitted_subfiltersÚerr_msgr   Zsubfilter_okr>   r>   r?   Ú_validate_subfilter$  s    
rÌ   F)	rÇ   Úsigner_validation_contextÚts_validation_contextÚac_validation_contextr†   Úkey_usage_settingsr‡   Úalgorithm_policyr8   c                 Ã   sF  | j }| jdkrtdƒ‚| dd¡}	t|	tjtjfdƒ |dkrD|}| j||d |  	¡ }
t
| j||  ¡ dI dH }|
 |¡ d|
krœ| j}|dk	rœ||
d< t |¡}t| j| j||
||d	I dH }
|
 d
d¡}|dk	oâ|joâ|j}t| |
d |ƒ}|
 |¡ |dk	r|j | j¡ |
 t| j| j|| jd dI dH ¡ tf |
ŽS )a  
    .. versionadded:: 0.9.0

    .. versionchanged: 0.11.0
        Added ``ac_validation_context`` param.


    Validate a PDF signature.

    :param embedded_sig:
        Embedded signature to evaluate.
    :param signer_validation_context:
        Validation context to use to validate the signature's chain of trust.
    :param ts_validation_context:
        Validation context to use to validate the timestamp's chain of trust
        (defaults to ``signer_validation_context``).
    :param ac_validation_context:
        Validation context to use to validate attribute certificates.
        If not supplied, no AC validation will be performed.

        .. note::
            :rfc:`5755` requires attribute authority trust roots to be specified
            explicitly; hence why there's no default.
    :param diff_policy:
        Policy to evaluate potential incremental updates that were appended
        to the signed revision of the document.
        Defaults to
        :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
    :param key_usage_settings:
        A :class:`.KeyUsageConstraints` object specifying which key usages
        must or must not be present in the signer's certificate.
    :param skip_diff:
        If ``True``, skip the difference analysis step entirely.
    :param algorithm_policy:
        The algorithm usage policy for the signature validation.

        .. warning::
            This is distinct from the algorithm usage policy used for
            certificate validation, but the latter will be used as a fallback
            if this parameter is not specified.

            It is nonetheless recommended to align both policies unless
            there is a clear reason to do otherwise.
    :return:
        The status of the PDF signature in question.
    ry   z"Signature object type must be /Sigr·   Nz4%s is not a recognized SubFilter type in signatures.©r†   r‡   )Ú
raw_digestÚsigner_reported_dt)rÓ   Úvalidation_contextr   rÐ   rÑ   Ztimestamp_validityrÄ   Zsigned_attrs)Zsd_attr_certificatesrx   rÕ   Zsd_signed_attrs)rH   r{   r    rz   rÌ   r   rÂ   ZPADESrˆ   r‘   r%   r\   r‚   Úupdater   r-   Zdefault_usage_constraintsr#   rO   rf   ÚvalidZtrustedr5   Zcertificate_registryZregister_multiplerw   r$   rv   rx   )rÇ   rÍ   rÎ   rÏ   r†   rÐ   r‡   rÑ   rH   rÊ   r   Zts_status_kwargsrÔ   Ztst_validityrÅ   Z	sv_updater>   r>   r?   r3   0  sv    9

ý ÿý
ÿúÿ  ÿ

ÿü
ÿ)rÇ   rÕ   r†   r‡   r8   c                 Ã   st   | j dkrtdƒ‚| j dd¡}t|tjfdƒ | j||d t| j	||  
¡ ƒI dH }| j|d< | j|d< tf |ŽS )	a{  
    .. versionadded:: 0.9.0

    Validate a PDF document timestamp.

    :param embedded_sig:
        Embedded signature to evaluate.
    :param validation_context:
        Validation context to use to validate the timestamp's chain of trust.
    :param diff_policy:
        Policy to evaluate potential incremental updates that were appended
        to the signed revision of the document.
        Defaults to
        :const:`~pyhanko.sign.diff_analysis.DEFAULT_DIFF_POLICY`.
    :param skip_diff:
        If ``True``, skip the difference analysis step entirely.
    :return:
        The status of the PDF timestamp in question.
    z/DocTimeStampz+Signature object type must be /DocTimeStampr·   Nz5%s is not a recognized SubFilter type for timestamps.rÒ   re   rm   )r{   r    rH   rz   rÌ   r   ZETSI_RFC3161rˆ   r*   rO   r‚   re   rm   r,   )rÇ   rÕ   r†   r‡   rÊ   r   r>   r>   r?   r4   «  s,    
ÿý ÿý


)NNNNNFN)NNF)QÚloggingr   Úcollectionsr   r   Útypingr   r   r   Z
asn1cryptor   r   Zpyhanko_certvalidatorr	   Zpyhanko_certvalidator.pathr
   Zpyhanko.pdf_utilsr   r   Zpyhanko.pdf_utils.genericr   Zpyhanko.pdf_utils.readerr   r   Zpyhanko.sign.diff_analysisr   r   r   r   r   rÉ   r   r   r   r   r   r   Zpyhanko.sign.generalr   r   r   r   Úerrorsr    r!   r"   Zgeneric_cmsr#   r$   r%   r&   r'   r(   r)   r*   Úsettingsr+   Ústatusr,   r-   r.   Úutilsr/   Ú__all__Ú	getLoggerr¨   rÀ   rW   r@   rG   r±   r6   r0   r1   r2   rÆ   Úboolr5   rÌ   r3   r4   r>   r>   r>   r?   Ú<module>   s’    (
ù
þ   Cÿ ,ý!       ø÷}   üû