a b3A@sVddlZddlZddlZddlmZddlmZddlmZddlm Z m Z ddl m Z ddl mZmZmZGdd d ejZGd d d ejZe je je je je jfZe jdd d dZGdddejZGdddZGdddejdZGdddejdZ GdddejdZ!GdddZ"GdddZ#e$eddd Z%e$e!dd!d"Z&dS)#N)utils)x509)ocsp)hashes serialization)CERTIFICATE_PRIVATE_KEY_TYPES)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionc@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAMErr=/tmp/pip-target-98j97qn4/lib/python/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIRED UNAUTHORIZEDrrrrrs r) algorithmreturncCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)rrrr_verify_algorithm/s r!c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rZGOODREVOKEDUNKNOWNrrrrr"6sr"c @sHeZdZejejejeeje j eje j eje j ej dddZ dS)_SingleResponse)certissuerr cert_status this_update next_updaterevocation_timerevocation_reasonc Cst|tjrt|tjs tdt|t|tjsrr5r@intrBabstractmethodrEncodingrFr ExtensionsrGrrrrr8sr8) metaclassc@seZdZejedddZejeje j dddZ ejeje j dddZ eje j ddd Zejeje j dd d Zejedd d ZejedddZejejdddZejedddZdS)OCSPSingleResponser9cCsdSzY The status of the certificate (an element from the OCSPCertStatus enum) Nrr;rrrcertificate_statussz%OCSPSingleResponse.certificate_statuscCsdSz^ The date of when the certificate was revoked or None if not revoked. Nrr;rrrr+sz"OCSPSingleResponse.revocation_timecCsdSzi The reason the certificate was revoked or None if not specified or not revoked. Nrr;rrrr,sz$OCSPSingleResponse.revocation_reasoncCsdSz The most recent time at which the status being indicated is known by the responder to have been correct Nrr;rrrr)szOCSPSingleResponse.this_updatecCsdSzC The time when newer information will be available Nrr;rrrr*szOCSPSingleResponse.next_updatecCsdSr:rr;rrrr<sz"OCSPSingleResponse.issuer_key_hashcCsdSr=rr;rrrr>sz#OCSPSingleResponse.issuer_name_hashcCsdSr?rr;rrrr@sz!OCSPSingleResponse.hash_algorithmcCsdSrArr;rrrrBsz OCSPSingleResponse.serial_numberN)r r rrHrIr"rRr6r7r0r+rr2r,r)r*rJr<r>rr5r@rKrBrrrrrPs$rPc@seZdZejejedddZeje dddZ eje j dddZ ejejejddd Zejedd d Zejedd d Zejeje jdddZejejedddZejeje jdddZejejdddZejedddZejejejdddZejeje j dddZ!ejejdddZ"ejejejdddZ#ejedd d!Z$ejedd"d#Z%ejejdd$d%Z&eje'dd&d'Z(eje j)dd(d)Z*eje j)dd*d+Z+ej,e-j.ed,d-d.Z/d/S)0 OCSPResponser9cCsdS)z_ An iterator over the individual SINGLERESP structures in the response Nrr;rrr responsesszOCSPResponse.responsescCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr;rrrresponse_statusszOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nrr;rrrsignature_algorithm_oidsz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr;rrrsignature_hash_algorithmsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nrr;rrr signatureszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nrr;rrrtbs_response_bytesszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr;rrr certificates szOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nrr;rrrresponder_key_hashszOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nrr;rrrresponder_nameszOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nrr;rrr produced_at szOCSPResponse.produced_atcCsdSrQrr;rrrrR&szOCSPResponse.certificate_statuscCsdSrSrr;rrrr+,szOCSPResponse.revocation_timecCsdSrTrr;rrrr,3szOCSPResponse.revocation_reasoncCsdSrUrr;rrrr):szOCSPResponse.this_updatecCsdSrVrr;rrrr*AszOCSPResponse.next_updatecCsdSr:rr;rrrr<GszOCSPResponse.issuer_key_hashcCsdSr=rr;rrrr>MszOCSPResponse.issuer_name_hashcCsdSr?rr;rrrr@SszOCSPResponse.hash_algorithmcCsdSrArr;rrrrBYszOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nrr;rrrrG_szOCSPResponse.extensionscCsdS)zR The list of single response extensions. Not response extensions. Nrr;rrrsingle_extensionseszOCSPResponse.single_extensionsrCcCsdS)z0 Serializes the response to DER NrrErrrrFkszOCSPResponse.public_bytesN)0r r rrHrIr6IteratorrPrXrrYrZObjectIdentifierrZr7rr5r[rJr\r]Listr.r^r_Namer`r0rar"rRr+r2r,r)r*r<r>r@rKrBrNrGrbrLrrMrFrrrrrWsZ rWc@seZdZdgfejejejejej fej ej ej ddddZ ejejej ddddZej eddd d Zed d d ZdS)OCSPRequestBuilderN)requestrGrcCs||_||_dSN)_request _extensions)r3rgrGrrrr4ss zOCSPRequestBuilder.__init__)r&r'rrcCsL|jdurtdt|t|tjr2t|tjs:tdt|||f|jS)Nz.Only one certificate can be added to a requestr-) rir r!rrr.r/rfrj)r3r&r'rrrradd_certificates z"OCSPRequestBuilder.add_certificateextvalcriticalrcCsDt|tjstdt|j||}t||jt|j |j|gSNz"extension must be an ExtensionType) rr ExtensionTyper/ Extensionoidr rjrfrir3rmrn extensionrrr add_extensions  z OCSPRequestBuilder.add_extensionr9cCs|jdurtdt|S)Nz*You must add a certificate before building)rir rZcreate_ocsp_requestr;rrrbuilds zOCSPRequestBuilder.build)r r rr6r7Tuplerr.rr5rdrqrpr4rkboolrur8rvrrrrrfrs(   rfc @s eZdZdddgfejeejejeje fejej ejej ej ej dddZ ejejejeejejejejejejejdd ddZe ejddd d Zejejdd d d Zej eddddZeejejedddZeeedddZdS)OCSPResponseBuilderN)response responder_idcertsrGcCs||_||_||_||_dSrh) _response _responder_id_certsrj)r3rzr{r|rGrrrr4s zOCSPResponseBuilder.__init__) r&r'rr(r)r*r+r,rc Cs<|jdurtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)r}r r%ryr~rrj) r3r&r'rr(r)r*r+r,Z singleresprrr add_responses$  z OCSPResponseBuilder.add_response)rDresponder_certrcCsP|jdurtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) r~r rrr.r/r ryr}rrj)r3rDrrrrr{s   z OCSPResponseBuilder.responder_id)r|rcCs\|jdurtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdSrh)rrr.).0xrrr z3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rr listlenallr/ryr}r~rj)r3r|rrrr^s  z OCSPResponseBuilder.certificatesrlcCsLt|tjstdt|j||}t||jt|j |j |j |j|gSro) rrrpr/rqrrr rjryr}r~rrsrrrrus   z!OCSPResponseBuilder.add_extension) private_keyrrcCs6|jdurtd|jdur$tdttj|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)r}r r~rcreate_ocsp_responserr)r3rrrrrsigns   zOCSPResponseBuilder.sign)rYrcCs4t|tstd|tjur$tdt|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rrr/rr rr)clsrYrrrbuild_unsuccessfuls  z&OCSPResponseBuilder.build_unsuccessful)r r rr6r7r%rwrr.r rdrqrpr4rr5r"r0r2rr{Iterabler^rxrurrWr classmethodrrrrrrrysN           ry)datarcCs t|Srh)rload_der_ocsp_requestrrrrr"srcCs t|Srh)rload_der_ocsp_responserrrrr&sr)'rHr0r6Z cryptographyrrZ"cryptography.hazmat.bindings._rustrZcryptography.hazmat.primitivesrrZ/cryptography.hazmat.primitives.asymmetric.typesrZcryptography.x509.baserr r Enumr rSHA1SHA224SHA256SHA384SHA512rr5r!r"r%ABCMetar8rPrWrfryrJrrrrrrs6      F&;2~