3 L]2@sxddlmZmZmZddlZddlZddlmZddlZddl m Z ddl m Z ddl mZmZmZe je je je je jdZGdd d eZGd d d eZed d eDZe je je je je jfZddZGdddeZedd eDZddZddZ Gddde!Z"Gddde!Z#Gddde!Z$ej%ej&Gddde!Z'ej%ej&Gdd d e!Z(dS)!)absolute_importdivisionprint_functionN)Enum)x509)hashes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAMErr@/tmp/pip-install-wfra5znf/cryptography/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIRED UNAUTHORIZEDrrrrr"s rccs|]}|j|fVqdS)N)value).0xrrr +srcCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm2s r$c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rZGOODREVOKEDUNKNOWNrrrrr%9sr%ccs|]}|j|fVqdS)N)r)rrrrrr?scCsddlm}|j|S)Nr)backend),cryptography.hazmat.backends.openssl.backendr(load_der_ocsp_request)datar(rrrr*Bs r*cCsddlm}|j|S)Nr)r()r)r(load_der_ocsp_response)r+r(rrrr,Gs r,c@s2eZdZdgfddZddZddZdd ZdS) OCSPRequestBuilderNcCs||_||_dS)N)_request _extensions)selfrequest extensionsrrr__init__MszOCSPRequestBuilder.__init__cCsP|jdk rtdt|t|tj s6t|tj r>tdt|||f|jS)Nz.Only one certificate can be added to a requestz%cert and issuer must be a Certificate) r.r"r$r r Certificate TypeErrorr-r/)r0certissuerr#rrradd_certificateQs z"OCSPRequestBuilder.add_certificatecCsDt|tjstdtj|j||}t||jt|j |j|gS)Nz"extension must be an ExtensionType) r r ExtensionTyper5 Extensionoidr r/r-r.)r0 extensioncriticalrrr add_extension^s   z OCSPRequestBuilder.add_extensioncCs(ddlm}|jdkrtd|j|S)Nr)r(z*You must add a certificate before building)r)r(r.r"Zcreate_ocsp_request)r0r(rrrbuildis  zOCSPRequestBuilder.build)r r rr3r8r>r?rrrrr-Ls  r-c@seZdZddZdS)_SingleResponsec Cst|tj st|tj r$tdt|t|tjs@td|dk r^t|tj r^td||_||_||_||_ ||_ t|t std|t j k r|dk rt d|dk rt dnNt|tjstdt|}|tkrt d|dk rt|tj rtd ||_||_||_dS) Nz%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r rr4r5r$datetimeZ_certZ_issuer _algorithmZ _this_updateZ _next_updater%r&r"r rZ ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) r0r6r7r# cert_status this_update next_updaterevocation_timerevocation_reasonrrrr3rsH     z_SingleResponse.__init__N)r r rr3rrrrr@qsr@c@sReZdZdddgfddZddZddZdd Zd d Zd d Ze ddZ dS)OCSPResponseBuilderNcCs||_||_||_||_dS)N) _response _responder_id_certsr/)r0response responder_idcertsr2rrrr3szOCSPResponseBuilder.__init__c Cs<|jdk rtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rIr"r@rHrJrKr/) r0r6r7r#rCrDrErFrGZ singleresprrr add_responses  z OCSPResponseBuilder.add_responsecCsP|jdk rtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rJr"r rr4r5r rHrIrKr/)r0encodingZresponder_certrrrrMs    z OCSPResponseBuilder.responder_idcCs\|jdk rtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdS)N)r rr4)rrrrrrsz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rKr"listlenallr5rHrIrJr/)r0rNrrr certificatess  z OCSPResponseBuilder.certificatescCsLt|tjstdtj|j||}t||jt|j |j |j |j|gS)Nz"extension must be an ExtensionType) r rr9r5r:r;r r/rHrIrJrK)r0r<r=rrrr>s  z!OCSPResponseBuilder.add_extensioncCsVddlm}|jdkrtd|jdkr0tdt|tjsDtd|j t j |||S)Nr)r(z&You must add a response before signingz*You must add a responder_id before signingz.Algorithm must be a registered hash algorithm.) r)r(rIr"rJr rZ HashAlgorithmr5create_ocsp_responserr)r0Z private_keyr#r(rrrsigns    zOCSPResponseBuilder.signcCs@ddlm}t|tstd|tjkr0td|j|dddS)Nr)r(z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r)r(r rr5rr"rU)clsresponse_statusr(rrrbuild_unsuccessfuls   z&OCSPResponseBuilder.build_unsuccessful) r r rr3rOrMrTr>rV classmethodrYrrrrrHs   rHc@s`eZdZejddZejddZejddZejddZej d d Z ejd d Z d S) OCSPRequestcCsdS)z3 The hash of the issuer public key Nr)r0rrrissuer_key_hash szOCSPRequest.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r0rrrissuer_name_hashszOCSPRequest.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r0rrrhash_algorithmszOCSPRequest.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r0rrr serial_numberszOCSPRequest.serial_numbercCsdS)z/ Serializes the request to DER Nr)r0rPrrr public_bytes!szOCSPRequest.public_bytescCsdS)zP The list of request extensions. Not single request extensions. Nr)r0rrrr2'szOCSPRequest.extensionsN) r r rabcabstractpropertyr\r]r^r_abstractmethodr`r2rrrrr[s r[c@seZdZejddZejddZejddZejddZejd d Z ejd d Z ejd dZ ejddZ ejddZ ejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zejd#d$Zejd%d&Zd'S)( OCSPResponsecCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nr)r0rrrrX0szOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nr)r0rrrsignature_algorithm_oid7sz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nr)r0rrrsignature_hash_algorithm=sz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nr)r0rrr signatureCszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nr)r0rrrtbs_response_bytesIszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nr)r0rrrrTOszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nr)r0rrrresponder_key_hashWszOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nr)r0rrrresponder_name]szOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nr)r0rrr produced_atcszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nr)r0rrrcertificate_statusiszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nr)r0rrrrFoszOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nr)r0rrrrGvszOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nr)r0rrrrD}szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nr)r0rrrrEszOCSPResponse.next_updatecCsdS)z3 The hash of the issuer public key Nr)r0rrrr\szOCSPResponse.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r0rrrr]szOCSPResponse.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r0rrrr^szOCSPResponse.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r0rrrr_szOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nr)r0rrrr2szOCSPResponse.extensionsN)r r rrarbrXrerfrgrhrTrirjrkrlrFrGrDrEr\r]r^r_r2rrrrrd.s&rd)) __future__rrrrarAenumrsixZ cryptographyrZcryptography.hazmat.primitivesrZcryptography.x509.baserr r SHA1SHA224SHA256SHA384SHA512Z _OIDS_TO_HASHr rdictZ_RESPONSE_STATUS_TO_ENUMr!r$r%Z_CERT_STATUS_TO_ENUMr*r,objectr-r@rH add_metaclassABCMetar[rdrrrrs:       %>Y%