U q`!n@s6ddlZddlZddlZddlZddlmZddlmZmZddl m Z ddl m Z m Z ddlmZmZmZmZmZddlmZmZmZddlmZdd lmZed d d ZGd d d eZeejedddZ eejej!ee"fdddZ#ejejdddZ$GdddeZ%GdddeZ&Gdddej'dZ(Gdddej'dZ)Gd d!d!ej'dZ*Gd"d#d#ej'dZ+de"e+d$d)d*Z.d?e"e+d$d+d,Z/d@e"e*d$d-d.Z0dAe"e*d$d/d0Z1Gd1d2d2e2Z3Gd3d4d4e2Z4Gd5d6d6e2Z5Gd7d8d8e2Z6e7d9d:d;Z8dS)BN)Enum)_PRIVATE_KEY_TYPES_PUBLIC_KEY_TYPES) _get_backend)hashes serialization)dsaeced25519ed448rsa) Extension ExtensionType Extensions)Name)ObjectIdentifiericseZdZfddZZS)AttributeNotFoundcstt||||_dSN)superr__init__oid)selfmsgr __class__=/tmp/pip-target-nv4zd3e_/lib/python/cryptography/x509/base.pyrszAttributeNotFound.__init____name__ __module__ __qualname__r __classcell__rrrrrsr) extension extensionscCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r#r$errr_reject_duplicate_extension$s r')r attributescCs"|D]\}}||krtdqdS)Nz$This attribute has already been set.)r%)rr(Zattr_oid_rrr_reject_duplicate_attribute-s r*)timereturncCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r- utcoffsetdatetime timedeltareplace)r+offsetrrr_convert_to_naive_utc_time7s  r3c@seZdZdZdZdS)VersionrN)rr r!Zv1v3rrrrr4Esr4cseZdZfddZZS)InvalidVersioncstt||||_dSr)rr7rparsed_version)rrr8rrrrKszInvalidVersion.__init__rrrrrr7Jsr7c@sxeZdZejejedddZej e dddZ ej e dddZ ejedd d Zej ejdd d Zej ejdd dZej edddZej edddZej ejejdddZej edddZej edddZej edddZej edddZejee dddZ!ejee dd d!Z"eje dd"d#Z#eje$j%ed$d%d&Z&d'S)( Certificate algorithmr,cCsdSz4 Returns bytes using digest passed. Nrrr;rrr fingerprintQszCertificate.fingerprintr,cCsdS)z3 Returns certificate serial number Nrrrrr serial_numberWszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nrr@rrrversion]szCertificate.versioncCsdSz( Returns the public key Nrr@rrr public_keycszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nrr@rrrnot_valid_beforeiszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nrr@rrrnot_valid_afteroszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nrr@rrrissueruszCertificate.issuercCsdSz2 Returns the subject name object. Nrr@rrrsubject{szCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nrr@rrrsignature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nrr@rrrsignature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nrr@rrrr$szCertificate.extensionscCsdSz. Returns the signature bytes. Nrr@rrr signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nrr@rrrtbs_certificate_bytessz!Certificate.tbs_certificate_bytesotherr,cCsdSz" Checks equality. NrrrRrrr__eq__szCertificate.__eq__cCsdSz# Checks not equal. NrrTrrr__ne__szCertificate.__ne__cCsdSz" Computes a hash. Nrr@rrr__hash__szCertificate.__hash__encodingr,cCsdS)zB Serializes the certificate to PEM or DER format. Nrrr[rrr public_bytesszCertificate.public_bytesN)'rr r!abcabstractmethodr HashAlgorithmbytesr>abstractpropertyintrAr4rBrrDr/rErFrrGrItypingOptionalrKrrMrr$rOrPobjectboolrUrWrYrEncodingr]rrrrr9PsF r9) metaclassc@sJeZdZejedddZejejdddZeje dddZ dS) RevokedCertificater?cCsdS)zG Returns the serial number of the revoked certificate. Nrr@rrrrAsz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nrr@rrrrevocation_datesz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nrr@rrrr$szRevokedCertificate.extensionsN) rr r!r^rbrcrAr/rkrr$rrrrrjs rjc@speZdZejejedddZeje j edddZ eje e jeddd Zeje j d d d Zejed d dZejed ddZejejd ddZejejd ddZejed ddZejed ddZejed ddZejeedddZ ejeedddZ!eje d d d!Z"ejd"d#Z#ejd$d%Z$eje%ed&d'd(Z&d)S)*CertificateRevocationListrZcCsdS)z: Serializes the CRL to PEM or DER format. Nrr\rrrr]sz&CertificateRevocationList.public_bytesr:cCsdSr<rr=rrrr>sz%CertificateRevocationList.fingerprint)rAr,cCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)rrArrr(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numberr?cCsdSrJrr@rrrrKsz2CertificateRevocationList.signature_hash_algorithmcCsdSrLrr@rrrrMsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nrr@rrrrGsz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nrr@rrr next_updatesz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nrr@rrr last_updatesz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nrr@rrrr$sz$CertificateRevocationList.extensionscCsdSrNrr@rrrrO sz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nrr@rrrtbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytesrQcCsdSrSrrTrrrrUsz CertificateRevocationList.__eq__cCsdSrVrrTrrrrWsz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. Nrr@rrr__len__"sz!CertificateRevocationList.__len__cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr)ridxrrr __getitem__(sz%CertificateRevocationList.__getitem__cCsdS)z8 Iterator over the revoked certificates Nrr@rrr__iter__.sz"CertificateRevocationList.__iter__)rDr,cCsdS)zQ Verifies signature of revocation list against given public key. Nr)rrDrrris_signature_valid4sz,CertificateRevocationList.is_signature_validN)'rr r!r^r_rrhrar]rr`r>rcrdrerjrmrbrKrrMrrGr/rnrorr$rOrprfrgrUrWrqrsrtrrurrrrrlsH  rlc@seZdZejeedddZejeedddZeje dddZ eje dd d Z ej edd d Zej ejdd dZej edddZej edddZejejedddZej edddZej edddZej edddZejeedddZdS) CertificateSigningRequestrQcCsdSrSrrTrrrrU<sz CertificateSigningRequest.__eq__cCsdSrVrrTrrrrWBsz CertificateSigningRequest.__ne__r?cCsdSrXrr@rrrrYHsz"CertificateSigningRequest.__hash__cCsdSrCrr@rrrrDNsz$CertificateSigningRequest.public_keycCsdSrHrr@rrrrITsz!CertificateSigningRequest.subjectcCsdSrJrr@rrrrKZsz2CertificateSigningRequest.signature_hash_algorithmcCsdSrLrr@rrrrMasz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nrr@rrrr$gsz$CertificateSigningRequest.extensionsrZcCsdS)z; Encodes the request to PEM or DER format. Nrr\rrrr]msz&CertificateSigningRequest.public_bytescCsdSrNrr@rrrrOssz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nrr@rrrtbs_certrequest_bytesysz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nrr@rrrrusz,CertificateSigningRequest.is_signature_valid)rr,cCsdS)z: Get the attribute value for a given OID. Nr)rrrrrget_attribute_for_oidsz/CertificateSigningRequest.get_attribute_for_oidN)rr r!r^r_rfrgrUrWrcrYrrDrbrrIrr`rKrrMrr$rrhrar]rOrwrurxrrrrrv;s4rv)datar,cCst|}||Sr)rload_pem_x509_certificaterybackendrrrrzsrzcCst|}||Sr)rload_der_x509_certificater{rrrr}sr}cCst|}||Sr)rload_pem_x509_csrr{rrrr~sr~cCst|}||Sr)rload_der_x509_csrr{rrrrsrcCst|}||Sr)rload_pem_x509_crlr{rrrrsrcCst|}||Sr)rload_der_x509_crlr{rrrrsrc@s`eZdZdggfddZedddZeeddd Ze e d d d Z de e jed ddZdS) CertificateSigningRequestBuilderNcCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions _attributes)r subject_namer$r(rrrrsz)CertificateSigningRequestBuilder.__init__namecCs4t|tstd|jdk r$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.) isinstancer TypeErrorrr%rrrrrrrrrs  z-CertificateSigningRequestBuilder.subject_nameextvalcriticalcCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rrrr rr'rrrrrrrr#rrr add_extensions   z.CertificateSigningRequestBuilder.add_extension)rvaluecCsLt|tstdt|ts$tdt||jt|j|j|j||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytes) rrrrar*rrrr)rrrrrr add_attributes   z.CertificateSigningRequestBuilder.add_attribute private_keyr;r,cCs(t|}|jdkrtd||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rrr%Zcreate_x509_csrrrr;r|rrrsigns  z%CertificateSigningRequestBuilder.sign)N)rr r!rrrrrgrrrarrrr`rvrrrrrrs rc@seZdZddddddgfddZedddZedddZed d d Ze d d dZ e j dddZ e j dddZ eedddZdeejedddZdS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dSr) r4r6_version _issuer_namer _public_key_serial_number_not_valid_before_not_valid_afterr)r issuer_namerrDrArErFr$rrrrs zCertificateBuilder.__init__rcCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rrrrr%rrrrrrrrrrrrs  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rrrrr%rrrrrrrrrrrrs  zCertificateBuilder.subject_name)keycCsXt|tjtjtjtjt j fs&t d|j dk r8t dt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)rrZ DSAPublicKeyr Z RSAPublicKeyr ZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrrr%rrrrrrr)rrrrrrD)s.  zCertificateBuilder.public_keynumbercCsht|tstd|jdk r$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rrcrrr% bit_lengthrrrrrrrrrrrrrAKs&   z CertificateBuilder.serial_numberr+cCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rr/rrr%r3_EARLIEST_UTC_TIMErrrrrrrrr+rrrrEfs,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdkrPtd|jdkrbtd|jdkrttd||||S)zC Signs the certificate using the CA's private key. Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key) rrr%rrrrrZcreate_x509_certificaterrrrrs       zCertificateBuilder.sign)N)rr r!rrrrrrDrcrAr/rErFrrgrrrr`r9rrrrrrs,  " rc@seZdZdddggfddZedddZejddd Zejd d d Ze e d ddZ e dddZ deejedddZdS) CertificateRevocationListBuilderNcCs"||_||_||_||_||_dSr)r _last_update _next_updater_revoked_certificates)rrrornr$Zrevoked_certificatesrrrrs z)CertificateRevocationListBuilder.__init__)rcCs<t|tstd|jdk r$tdt||j|j|j|j S)Nrr) rrrrr%rrrrr)rrrrrrs  z,CertificateRevocationListBuilder.issuer_name)rocCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rr/rrr%r3rrrrrr)rrorrrros(  z,CertificateRevocationListBuilder.last_update)rncCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rr/rrr%r3rrrrrr)rrnrrrrns(  z,CertificateRevocationListBuilder.next_updatercCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r) rrrr rr'rrrrrrrrrrrs   z.CertificateRevocationListBuilder.add_extension)revoked_certificatecCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rrjrrrrrrr)rrrrradd_revoked_certificate/s  z8CertificateRevocationListBuilder.add_revoked_certificatercCsLt|}|jdkrtd|jdkr,td|jdkr>td||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rrr%rrZcreate_x509_crlrrrrr>s   z%CertificateRevocationListBuilder.sign)N)rr r!rrrr/rornrrgrrjrrrr`rlrrrrrrs"  rc@sZeZdZddgfddZedddZejddd Zee d d d Z de d ddZ dS)RevokedCertificateBuilderNcCs||_||_||_dSr)r_revocation_dater)rrArkr$rrrrRsz"RevokedCertificateBuilder.__init__rcCsXt|tstd|jdk r$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rrcrrr%rrrrrrrrrAYs   z'RevokedCertificateBuilder.serial_numberrcCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rr/rrr%r3rrrrrrrrrkks  z)RevokedCertificateBuilder.revocation_datercCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr) rrrr rr'rrrrrrrrrys   z'RevokedCertificateBuilder.add_extensionr?cCs6t|}|jdkrtd|jdkr,td||S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rrr%rZcreate_x509_revoked_certificate)rr|rrrbuilds  zRevokedCertificateBuilder.build)N) rr r!rrcrAr/rkrrgrrjrrrrrrQs  rr?cCsttddd?S)Nbigr)rc from_bytesosurandomrrrrrandom_serial_numbersr)N)N)N)N)N)N)9r^r/rrdenumrZcryptography.hazmat._typesrrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrr r r r Zcryptography.x509.extensionsr rrZcryptography.x509.namerZcryptography.x509.oidrr ExceptionrListr'Tuplerar*r3r4r7ABCMetar9rjrlrvrzr}r~rrrrfrrrrrcrrrrrsL      klRFf{@