a bӃ@sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$eeej%eeddddZ&e!ej%ej'e!e(ej)e*fddddZ+ejejdddZ,GdddZ-GdddZ.Gdddej/Z0Gddde#Z1Gdd d ej2d!Z3e34ej3Gd"d#d#ej2d!Z5e54ej5Gd$d%d%e5Z6Gd&d'd'ej2d!Z7e74ej7Gd(d)d)ej2d!Z8e84ej8dBe(ej9e3d*d+d,Z:dCe(ej9e3d*d-d.Z;dDe(ej9e8d*d/d0ZdGe(ej9e7d*d5d6Z?Gd7d8d8Z@Gd9d:d:ZAGd;d<d<ZBGd=d>d>ZCe*d?d@dAZDdS)HN)utils)x509)hashes serialization)dsaeced25519ed448rsax25519x448)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension ExtensionType Extensions_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZeeddfdd ZZS)AttributeNotFoundN)msgoidreturncstt||||_dSN)superr__init__r)selfrr __class__=/tmp/pip-target-98j97qn4/lib/python/cryptography/x509/base.pyr*szAttributeNotFound.__init__)__name__ __module__ __qualname__strrr __classcell__r"r"r r#r)sr) extension extensionsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r)r*er"r"r#_reject_duplicate_extension/s r-)r attributesrcCs$|D]\}}}||krtdqdS)Nz$This attribute has already been set.)r+)rr.Zattr_oid_r"r"r#_reject_duplicate_attribute9sr0timercCs:|jdur2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r3 utcoffsetdatetime timedeltareplace)r2offsetr"r"r#_convert_to_naive_utc_timeEs  r9c@sxeZdZejjfeeeddddZ e edddZ e eddd Ze dd d Z eed d dZedddZdS) AttributeN)rvalue_typercCs||_||_||_dSr)_oid_valuer<)rrr;r<r"r"r#rTszAttribute.__init__rcCs|jSr)r=rr"r"r#r^sz Attribute.oidcCs|jSr)r>r@r"r"r#r;bszAttribute.valuecCsd|j|jS)Nz)formatrr;r@r"r"r#__repr__fszAttribute.__repr__otherrcCs2t|tstS|j|jko0|j|jko0|j|jkSr) isinstancer:NotImplementedrr;r<rrDr"r"r#__eq__is    zAttribute.__eq__cCst|j|j|jfSr)hashrr;r<r@r"r"r#__hash__sszAttribute.__hash__)r$r%r&rZ UTF8Stringr;rbytesintrpropertyrr'rBobjectboolrHrJr"r"r"r#r:Ss  r:c@sNeZdZejeddddZed\ZZ Z e dddZ e ed d d ZdS) AttributesN)r.rcCst||_dSr)list _attributes)rr.r"r"r#rxszAttributes.__init__rRr?cCs d|jS)Nz)rArRr@r"r"r#rBszAttributes.__repr__rrcCs0|D]}|j|kr|Sqtd||dS)NzNo {} attribute was found)rrrA)rrattrr"r"r#get_attribute_for_oids  z Attributes.get_attribute_for_oid)r$r%r&typingIterabler:rr__len____iter__ __getitem__r'rBrrUr"r"r"r#rPws  rPc@seZdZdZdZdS)VersionrN)r$r%r&v1v3r"r"r"r#r[sr[cs&eZdZeeddfdd ZZS)InvalidVersionN)rparsed_versionrcstt||||_dSr)rr_rr`)rrr`r r"r#rszInvalidVersion.__init__)r$r%r&r'rLrr(r"r"r r#r_sr_c@sbeZdZejejedddZej e dddZ ej e dddZ ejedd d Zej ejdd d Zej ejdd dZej edddZej edddZej ejejdddZej edddZej edddZej edddZej edddZejee dddZ!eje dd d!Z"eje#j$ed"d#d$Z%d%S)& Certificate algorithmrcCsdSz4 Returns bytes using digest passed. Nr"rrcr"r"r# fingerprintszCertificate.fingerprintr?cCsdS)z3 Returns certificate serial number Nr"r@r"r"r# serial_numberszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nr"r@r"r"r#versionszCertificate.versioncCsdSz( Returns the public key Nr"r@r"r"r# public_keyszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nr"r@r"r"r#not_valid_beforeszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nr"r@r"r"r#not_valid_afterszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nr"r@r"r"r#issuerszCertificate.issuercCsdSz2 Returns the subject name object. Nr"r@r"r"r#subjectszCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr"r@r"r"r#signature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr"r@r"r"r#signature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nr"r@r"r"r#r*szCertificate.extensionscCsdSz. Returns the signature bytes. Nr"r@r"r"r# signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr"r@r"r"r#tbs_certificate_bytessz!Certificate.tbs_certificate_bytesrCcCsdSz" Checks equality. Nr"rGr"r"r#rHszCertificate.__eq__cCsdSz" Computes a hash. Nr"r@r"r"r#rJszCertificate.__hash__encodingrcCsdS)zB Serializes the certificate to PEM or DER format. Nr"rrzr"r"r# public_bytesszCertificate.public_bytesN)&r$r%r&abcabstractmethodr HashAlgorithmrKrfabstractpropertyrLrgr[rhrrjr5rkrlrrmrorVOptionalrqrrsrr*rurvrNrOrHrJrEncodingr|r"r"r"r#rasB ra) metaclassc@sJeZdZejedddZejejdddZeje dddZ dS) RevokedCertificater?cCsdS)zG Returns the serial number of the revoked certificate. Nr"r@r"r"r#rgsz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nr"r@r"r"r#revocation_datesz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr"r@r"r"r#r* szRevokedCertificate.extensionsN) r$r%r&r}rrLrgr5rrr*r"r"r"r#rs rc@sXeZdZeejedddZeedddZeejdddZ eedd d Z d S) _RawRevokedCertificatergrr*cCs||_||_||_dSr_serial_number_revocation_date _extensionsrrgrr*r"r"r#rsz_RawRevokedCertificate.__init__r?cCs|jSr)rr@r"r"r#rg"sz$_RawRevokedCertificate.serial_numbercCs|jSr)rr@r"r"r#r&sz&_RawRevokedCertificate.revocation_datecCs|jSr)rr@r"r"r#r**sz!_RawRevokedCertificate.extensionsN) r$r%r&rLr5rrrMrgrr*r"r"r"r#rs rc@seZdZejejedddZeje j edddZ eje e jeddd Zeje je j d d d Zejed d dZejed ddZeje jejd ddZejejd ddZejed ddZejed ddZejed ddZejeedddZ eje d ddZ!e j"e ed d!d"Z#e j"e$e j%ed d#d"Z#eje j&e e$fe j&ee j%efd d$d"Z#eje j'ed d%d&Z(eje)ed'd(d)Z*d*S)+CertificateRevocationListrycCsdS)z: Serializes the CRL to PEM or DER format. Nr"r{r"r"r#r|0sz&CertificateRevocationList.public_bytesrbcCsdSrdr"rer"r"r#rf6sz%CertificateRevocationList.fingerprint)rgrcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr")rrgr"r"r#(get_revoked_certificate_by_serial_number<szBCertificateRevocationList.get_revoked_certificate_by_serial_numberr?cCsdSrpr"r@r"r"r#rqEsz2CertificateRevocationList.signature_hash_algorithmcCsdSrrr"r@r"r"r#rsNsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr"r@r"r"r#rmTsz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nr"r@r"r"r# next_updateZsz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nr"r@r"r"r# last_update`sz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr"r@r"r"r#r*fsz$CertificateRevocationList.extensionscCsdSrtr"r@r"r"r#rulsz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr"r@r"r"r#tbs_certlist_bytesrsz,CertificateRevocationList.tbs_certlist_bytesrCcCsdSrwr"rGr"r"r#rHxsz CertificateRevocationList.__eq__cCsdS)z< Number of revoked certificates in the CRL. Nr"r@r"r"r#rX~sz!CertificateRevocationList.__len__)idxrcCsdSrr"rrr"r"r#rZsz%CertificateRevocationList.__getitem__cCsdSrr"rr"r"r#rZscCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr"rr"r"r#rZscCsdS)z8 Iterator over the revoked certificates Nr"r@r"r"r#rYsz"CertificateRevocationList.__iter__)rjrcCsdS)zQ Verifies signature of revocation list against given public key. Nr")rrjr"r"r#is_signature_validsz,CertificateRevocationList.is_signature_validN)+r$r%r&r}r~rrrKr|rrrfrLrVrrrrrqrrsrrmr5rrrr*rurrNrOrHrXoverloadrZsliceListUnionIteratorrYr rr"r"r"r#r/sV  rc@s eZdZejeedddZejedddZ eje dddZ ej e dd d Zej ejejdd d Zej edd dZej edddZej edddZejejedddZej edddZej edddZej edddZ ejeedddZ!dS) CertificateSigningRequestrCcCsdSrwr"rGr"r"r#rHsz CertificateSigningRequest.__eq__r?cCsdSrxr"r@r"r"r#rJsz"CertificateSigningRequest.__hash__cCsdSrir"r@r"r"r#rjsz$CertificateSigningRequest.public_keycCsdSrnr"r@r"r"r#rosz!CertificateSigningRequest.subjectcCsdSrpr"r@r"r"r#rqsz2CertificateSigningRequest.signature_hash_algorithmcCsdSrrr"r@r"r"r#rssz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nr"r@r"r"r#r*sz$CertificateSigningRequest.extensionscCsdS)z/ Returns an Attributes object. Nr"r@r"r"r#r.sz$CertificateSigningRequest.attributesrycCsdS)z; Encodes the request to PEM or DER format. Nr"r{r"r"r#r|sz&CertificateSigningRequest.public_bytescCsdSrtr"r@r"r"r#rusz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr"r@r"r"r#tbs_certrequest_bytessz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr"r@r"r"r#rsz,CertificateSigningRequest.is_signature_validrScCsdS)z: Get the attribute value for a given OID. Nr")rrr"r"r#rUsz/CertificateSigningRequest.get_attribute_for_oidN)"r$r%r&r}r~rNrOrHrLrJrrjrrrorVrrrrqrrsrr*rPr.rrrKr|rurrrUr"r"r"r#rs6 r)databackendrcCs t|Sr) rust_x509load_pem_x509_certificaterrr"r"r#rsrcCs t|Sr)rload_der_x509_certificaterr"r"r#rsrcCs t|Sr)rload_pem_x509_csrrr"r"r#r srcCs t|Sr)rload_der_x509_csrrr"r"r#rsrcCs t|Sr)rload_pem_x509_crlrr"r"r#rsrcCs t|Sr)rload_der_x509_crlrr"r"r#r"src @seZdZdggfejeejeeejej e e eje fdddZ eddddZeeddd d Zdd e e ejedd d dZdeejejejedddZdS) CertificateSigningRequestBuilderN) subject_namer*r.cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrR)rrr*r.r"r"r#r)s z)CertificateSigningRequestBuilder.__init__namercCs4t|tstd|jdur$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rEr TypeErrorrr+rrrRrrr"r"r#r8s   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalrcCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rErrrrr-rrrrRrrrr)r"r"r# add_extensionDs   z.CertificateSigningRequestBuilder.add_extension)_tag)rr;rrcCs|t|tstdt|ts$td|dur>t|ts>tdt||j|durZ|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rErrrKrr0rRr;rrr)rrr;rtagr"r"r# add_attributeVs   z.CertificateSigningRequestBuilder.add_attribute private_keyrcrrcCs |jdurtdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr+rZcreate_x509_csrrrrcrr"r"r#signvs z%CertificateSigningRequestBuilder.sign)N)r$r%r&rVrrrrrTuplerrKrLrrrOrrrrrrAnyrrr"r"r"r#r(s8     $ rc @seZdZUejeeed<ddddddgfeje eje eje eje eje j eje j ejeeddddZ e ddddZe ddd d Ze dd d d Ze ddddZe j ddddZe j ddddZeeddddZdeejejejedddZdS)CertificateBuilderrN) issuer_namerrjrgrkrlr*rcCs6tj|_||_||_||_||_||_||_||_ dSr) r[r^_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)rrrrjrgrkrlr*r"r"r#rs zCertificateBuilder.__init__rcCsDt|tstd|jdur$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rErrrr+rrrrrrrrr"r"r#rs  zCertificateBuilder.issuer_namecCsDt|tstd|jdur$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rErrrr+rrrrrrrrr"r"r#rs  zCertificateBuilder.subject_name)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdur@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rErZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyrZEd25519PublicKeyr ZEd448PublicKeyr ZX25519PublicKeyr Z X448PublicKeyrrr+rrrrrrr)rrr"r"r#rjs2  zCertificateBuilder.public_keynumberrcCsht|tstd|jdur$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rErLrrr+ bit_lengthrrrrrrrrrr"r"r#rgs&   z CertificateBuilder.serial_numberr1cCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rEr5rrr+r9_EARLIEST_UTC_TIMErrrrrrrrr2r"r"r#rks,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdurZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rEr5rrr+r9rrrrrr)rrr"r"r#rs(  z,CertificateRevocationListBuilder.last_update)rrcCsrt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rEr5rrr+r9rrrrrr)rrr"r"r#rs(  z,CertificateRevocationListBuilder.next_updatercCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r) rErrrrr-rrrrrrrr"r"r#rs   z.CertificateRevocationListBuilder.add_extension)revoked_certificatercCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rErrrrrrrr)rrr"r"r#add_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatercCsD|jdurtd|jdur$td|jdur6tdt|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr+rrrZcreate_x509_crlrr"r"r#rs   z%CertificateRevocationListBuilder.sign)N)r$r%r&rVrrrrrrrr5rrrrrOrrrrrrrrr"r"r"r#rqsH           rc@seZdZddgfejeejejejee dddZ eddddZ ejddd d Z e e dd d d ZdejedddZdS)RevokedCertificateBuilderNrcCs||_||_||_dSrrrr"r"r#rsz"RevokedCertificateBuilder.__init__rcCsXt|tstd|jdur$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rErLrrr+rrrrrr"r"r#rgs    z'RevokedCertificateBuilder.serial_numberr1cCsNt|tjstd|jdur&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rEr5rrr+r9rrrrrr"r"r#rs   z)RevokedCertificateBuilder.revocation_datercCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr) rErrrrr-rrrrrr"r"r#r%s   z'RevokedCertificateBuilder.add_extension)rrcCs:|jdurtd|jdur$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr+rrrr)rrr"r"r#build3s  zRevokedCertificateBuilder.build)N)r$r%r&rVrrLr5rrrrrgrrOrrrrr"r"r"r#rs     rr?cCsttddd?S)Nbigr)rL from_bytesosurandomr"r"r"r#random_serial_numberAsr)N)N)N)N)N)N)Er}r5rrVZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrrr r r r Z/cryptography.hazmat.primitives.asymmetric.typesr rrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrr Exceptionrrr-rrKrrLr0r9r:rPEnumr[r_ABCMetararegisterrrrrrrrrrrrrrrrrr"r"r"r#s  $     $f  t U       \nI