3 L]\@sddlmZmZmZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z mZmZddlmZmZddlmZejdd d Zd d Zd d ZGdddeZddZddZddZddZddZddZGdddeZ e j!ej"Gddde#Z$e j!ej"Gd d!d!e#Z%e j!ej"Gd"d#d#e#Z&e j!ej"Gd$d%d%e#Z'Gd&d'd'e#Z(Gd(d)d)e#Z)Gd*d+d+e#Z*Gd,d-d-e#Z+d.d/Z,dS)0)absolute_importdivisionprint_functionN)Enum)utils)dsaecrsa) Extension ExtensionType)NameicCs&x |D]}|j|jkrtdqWdS)Nz$This extension has already been set.)oid ValueError) extension extensionser@/tmp/pip-install-wfra5znf/cryptography/cryptography/x509/base.py_reject_duplicate_extensions  rcCs:|jdk r2|j}|r|ntj}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r utcoffsetdatetime timedeltareplace)timeoffsetrrr_convert_to_naive_utc_times  rc@seZdZdZdZdS)VersionrN)__name__ __module__ __qualname__Zv1v3rrrrr,srcCs |j|S)N)load_pem_x509_certificate)databackendrrrr$1sr$cCs |j|S)N)load_der_x509_certificate)r%r&rrrr'5sr'cCs |j|S)N)load_pem_x509_csr)r%r&rrrr(9sr(cCs |j|S)N)load_der_x509_csr)r%r&rrrr)=sr)cCs |j|S)N)load_pem_x509_crl)r%r&rrrr*Asr*cCs |j|S)N)load_der_x509_crl)r%r&rrrr+Esr+cseZdZfddZZS)InvalidVersioncstt|j|||_dS)N)superr,__init__parsed_version)selfmsgr/) __class__rrr.JszInvalidVersion.__init__)r r!r"r. __classcell__rr)r2rr,Isr,c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$ CertificatecCsdS)z4 Returns bytes using digest passed. Nr)r0 algorithmrrr fingerprintQszCertificate.fingerprintcCsdS)z3 Returns certificate serial number Nr)r0rrr serial_numberWszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nr)r0rrrversion]szCertificate.versioncCsdS)z( Returns the public key Nr)r0rrr public_keycszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nr)r0rrrnot_valid_beforeiszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nr)r0rrrnot_valid_afteroszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nr)r0rrrissueruszCertificate.issuercCsdS)z2 Returns the subject name object. Nr)r0rrrsubject{szCertificate.subjectcCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr)r0rrrsignature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr)r0rrrsignature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nr)r0rrrrszCertificate.extensionscCsdS)z. Returns the signature bytes. Nr)r0rrr signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr)r0rrrtbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdS)z" Checks equality. Nr)r0otherrrr__eq__szCertificate.__eq__cCsdS)z# Checks not equal. Nr)r0rBrrr__ne__szCertificate.__ne__cCsdS)z" Computes a hash. Nr)r0rrr__hash__szCertificate.__hash__cCsdS)zB Serializes the certificate to PEM or DER format. Nr)r0encodingrrr public_bytesszCertificate.public_bytesN)r r!r"abcabstractmethodr6abstractpropertyr7r8r9r:r;r<r=r>r?rr@rArCrDrErGrrrrr4Os"r4c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$CertificateRevocationListcCsdS)z: Serializes the CRL to PEM or DER format. Nr)r0rFrrrrGsz&CertificateRevocationList.public_bytescCsdS)z4 Returns bytes using digest passed. Nr)r0r5rrrr6sz%CertificateRevocationList.fingerprintcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)r0r7rrr(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr)r0rrrr>sz2CertificateRevocationList.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr)r0rrrr?sz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr)r0rrrr<sz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nr)r0rrr next_updatesz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nr)r0rrr last_updatesz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr)r0rrrrsz$CertificateRevocationList.extensionscCsdS)z. Returns the signature bytes. Nr)r0rrrr@sz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr)r0rrrtbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytescCsdS)z" Checks equality. Nr)r0rBrrrrCsz CertificateRevocationList.__eq__cCsdS)z# Checks not equal. Nr)r0rBrrrrDsz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. Nr)r0rrr__len__ sz!CertificateRevocationList.__len__cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr)r0idxrrr __getitem__sz%CertificateRevocationList.__getitem__cCsdS)z8 Iterator over the revoked certificates Nr)r0rrr__iter__sz"CertificateRevocationList.__iter__cCsdS)zQ Verifies signature of revocation list against given public key. Nr)r0r9rrris_signature_validsz,CertificateRevocationList.is_signature_validN)r r!r"rHrIrGr6rLrJr>r?r<rMrNrr@rOrCrDrPrRrSrTrrrrrKs"rKc@seZdZejddZejddZejddZejddZej d d Z ej d d Z ej d dZ ej ddZ ejddZej ddZej ddZej ddZdS)CertificateSigningRequestcCsdS)z" Checks equality. Nr)r0rBrrrrC&sz CertificateSigningRequest.__eq__cCsdS)z# Checks not equal. Nr)r0rBrrrrD,sz CertificateSigningRequest.__ne__cCsdS)z" Computes a hash. Nr)r0rrrrE2sz"CertificateSigningRequest.__hash__cCsdS)z( Returns the public key Nr)r0rrrr98sz$CertificateSigningRequest.public_keycCsdS)z2 Returns the subject name object. Nr)r0rrrr=>sz!CertificateSigningRequest.subjectcCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr)r0rrrr>Dsz2CertificateSigningRequest.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr)r0rrrr?Ksz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nr)r0rrrrQsz$CertificateSigningRequest.extensionscCsdS)z; Encodes the request to PEM or DER format. Nr)r0rFrrrrGWsz&CertificateSigningRequest.public_bytescCsdS)z. Returns the signature bytes. Nr)r0rrrr@]sz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr)r0rrrtbs_certrequest_bytescsz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr)r0rrrrTjsz,CertificateSigningRequest.is_signature_validN)r r!r"rHrIrCrDrEr9rJr=r>r?rrGr@rVrTrrrrrU$srUc@s6eZdZejddZejddZejddZdS)RevokedCertificatecCsdS)zG Returns the serial number of the revoked certificate. Nr)r0rrrr7ssz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nr)r0rrrrevocation_dateysz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr)r0rrrrszRevokedCertificate.extensionsN)r r!r"rHrJr7rXrrrrrrWqsrWc@s2eZdZdgfddZddZddZdd ZdS) CertificateSigningRequestBuilderNcCs||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions)r0 subject_namerrrrr.sz)CertificateSigningRequestBuilder.__init__cCs0t|tstd|jdk r$tdt||jS)zF Sets the certificate requestor's distinguished name. zExpecting x509.Name object.Nz&The subject name may only be set once.) isinstancer TypeErrorrZrrYr[)r0namerrrr\s   z-CertificateSigningRequestBuilder.subject_namecCs@t|tstdt|j||}t||jt|j|j|gS)zE Adds an X.509 extension to the certificate request. z"extension must be an ExtensionType) r]r r^r rrr[rYrZ)r0rcriticalrrr add_extensions   z.CertificateSigningRequestBuilder.add_extensioncCs |jdkrtd|j|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rZrZcreate_x509_csr)r0 private_keyr5r&rrrsigns z%CertificateSigningRequestBuilder.sign)r r!r"r.r\rarcrrrrrYs rYc@sdeZdZddddddgfddZddZddZdd Zd d Zd d ZddZ ddZ ddZ dS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dS)N) rr#_version _issuer_namerZ _public_key_serial_number_not_valid_before_not_valid_afterr[)r0 issuer_namer\r9r7r:r;rrrrr.szCertificateBuilder.__init__cCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. zExpecting x509.Name object.Nz%The issuer name may only be set once.) r]r r^rfrrdrZrgrhrirjr[)r0r_rrrrks   zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. zExpecting x509.Name object.Nz&The subject name may only be set once.) r]r r^rZrrdrfrgrhrirjr[)r0r_rrrr\s   zCertificateBuilder.subject_namecCsPt|tjtjtjfstd|jdk r0t dt |j |j ||j |j|j|jS)zT Sets the requestor's public key (as found in the signing request). zGExpecting one of DSAPublicKey, RSAPublicKey, or EllipticCurvePublicKey.Nz$The public key may only be set once.)r]rZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr^rgrrdrfrZrhrirjr[)r0keyrrrr9s    zCertificateBuilder.public_keycCsjt|tjstd|jdk r&td|dkr6td|jdkrJtdt|j|j |j ||j |j |j S)z5 Sets the certificate serial number. z'Serial number must be of integral type.Nz'The serial number may only be set once.rz%The serial number should be positive.z3The serial number should not be more than 159 bits.)r]six integer_typesr^rhr bit_lengthrdrfrZrgrirjr[)r0numberrrrr7s    z CertificateBuilder.serial_numbercCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. zExpecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)r]rr^rirr_EARLIEST_UTC_TIMErjrdrfrZrgrhr[)r0rrrrr:s   z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. zExpecting datetime object.Nz)The not valid after may only be set once.ztd|jdk rZ||jkrZtdt|j ||j|j |j S)NzExpecting datetime object.z!Last update may only be set once.z8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) r]rr^rtrrrrrursrfr[rv)r0rNrrrrNis   z,CertificateRevocationListBuilder.last_updatecCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)NzExpecting datetime object.z!Last update may only be set once.z8The last update date must be on or after 1950 January 1.z8The next update date must be after the last update date.) r]rr^rurrrrrtrsrfr[rv)r0rMrrrrM{s   z,CertificateRevocationListBuilder.next_updatecCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. z"extension must be an ExtensionType) r]r r^r rrr[rsrfrtrurv)r0rr`rrrras   z.CertificateRevocationListBuilder.add_extensioncCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) r]rWr^rsrfrtrur[rv)r0Zrevoked_certificaterrradd_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatecCsD|jdkrtd|jdkr$td|jdkr6td|j|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rfrrtruZcreate_x509_crl)r0rbr5r&rrrrcs   z%CertificateRevocationListBuilder.sign) r r!r"r.rkrNrMrarwrcrrrrrsVs  rsc@s<eZdZddgfddZddZddZdd Zd d ZdS) RevokedCertificateBuilderNcCs||_||_||_dS)N)rh_revocation_dater[)r0r7rXrrrrr.sz"RevokedCertificateBuilder.__init__cCsZt|tjstd|jdk r&td|dkr6td|jdkrJtdt||j|j S)Nz'Serial number must be of integral type.z'The serial number may only be set once.rz$The serial number should be positivermz3The serial number should not be more than 159 bits.) r]rnror^rhrrprxryr[)r0rqrrrr7s   z'RevokedCertificateBuilder.serial_numbercCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)NzExpecting datetime object.z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) r]rr^ryrrrrrxrhr[)r0rrrrrXs  z)RevokedCertificateBuilder.revocation_datecCsDt|tstdt|j||}t||jt|j|j |j|gS)Nz"extension must be an ExtensionType) r]r r^r rrr[rxrhry)r0rr`rrrras  z'RevokedCertificateBuilder.add_extensioncCs.|jdkrtd|jdkr$td|j|S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rhrryZcreate_x509_revoked_certificate)r0r&rrrbuilds   zRevokedCertificateBuilder.build)r r!r"r.r7rXrarzrrrrrxs    rxcCstjtjddd?S)Nbigr )rZint_from_bytesosurandomrrrrrandom_serial_numbersr)- __future__rrrrHrr}enumrrnZ cryptographyrZ)cryptography.hazmat.primitives.asymmetricrrr Zcryptography.x509.extensionsr r Zcryptography.x509.namer rrrrrr$r'r(r)r*r+ Exceptionr, add_metaclassABCMetaobjectr4rKrUrWrYrdrsrxrrrrrsD   ijL)(_;