3Tf] ddlmZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z ddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZmZdd l m!Z!m"Z"dd l#m$Z$ejd d d Z%ejLe jNe jPe jRe jTe jVe jXe jZe j\fZ/Gd de0Z1 d5dZ2 d6dZ3d7dZ4GddZ5GddZ6GddejnZ8Gdde0Z9GddejtZ;e;jye jvGddejtZ=e=jye jzGdd e=Z>Gd!d"ejtZ?e?jye j~Gd#d$ejtZ@e@jye j d8 d9d%ZAd:d&ZB d8 d9d'ZC d8 d;d(ZD d8 d;d)ZE d8 d) annotationsN)utils)x509)hashes serialization)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificateIssuerPublicKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric eZdZdfd ZxZS)AttributeNotFoundc2t||||_yN)super__init__oid)selfmsgr! __class__s 8/usr/lib/python3/dist-packages/cryptography/x509/base.pyr zAttributeNotFound.__init__8s )r#strr!rreturnNone__name__ __module__ __qualname__r __classcell__r$s@r%rr7s r&rcZ|D]&}|j|jk(stdy)Nz$This extension has already been set.)r! ValueError) extension extensionses r%_reject_duplicate_extensionr5=s1 E 55IMM !CD DEr&c:|D]\}}}||k(s tdy)Nz$This attribute has already been set.)r1)r! attributesattr_oid_s r%_reject_duplicate_attributer:Gs.%E!Q s?CD DEr&c|j=|j}|r|ntj}|j d|z S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r< utcoffsetdatetime timedeltareplace)timeoffsets r%_convert_to_naive_utc_timerCSsG  {{!!x'9'9';||4|(611 r&ceZdZejj f ddZed dZed dZd dZ d dZ d dZ y) Attributec.||_||_||_yr)_oid_value_type)r"r!valuerIs r%r zAttribute.__init__bs    r&c|jSr)rGr"s r%r!z Attribute.oidls yyr&c|jSr)rHrLs r%rJzAttribute.valueps {{r&c<d|jd|jdS)Nz)r!rJrLs r%__repr__zAttribute.__repr__ts  (4::.CCr&ct|tstS|j|jk(xr4|j|jk(xr|j |j k(Sr) isinstancerENotImplementedr!rJrIr"others r%__eq__zAttribute.__eq__wsS%+! ! HH ! * ekk) * ekk) r&cZt|j|j|jfSr)hashr!rJrIrLs r%__hash__zAttribute.__hash__s TXXtzz4::677r&N)r!rrJbytesrIintr(r)r(rr(rZr(r'rUobjectr(boolr(r[) r+r,r-r UTF8StringrJr propertyr!rPrVrYr&r%rErEasv ))//     D 8r&rEcDeZdZ ddZed\ZZZddZddZ y) Attributesc$t||_yr)list _attributes)r"r7s r%r zAttributes.__init__s +r&rjc"d|jdS)Nz ?EEr&N)r7ztyping.Iterable[Attribute]r(r)r^)r!rr(rE) r+r,r-r r__len____iter__ __getitem__rPrnrer&r%rgrgs7,., , & Not after time (represented as UTC datetime) NrerLs r%not_valid_afterzCertificate.not_valid_afterrr&cy)z1 Returns the issuer name object. NrerLs r%issuerzCertificate.issuerrr&cyz2 Returns the subject name object. NrerLs r%subjectzCertificate.subjectrr&cyzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrerLs r%signature_hash_algorithmz$Certificate.signature_hash_algorithmrr&cyzJ Returns the ObjectIdentifier of the signature algorithm. NrerLs r%signature_algorithm_oidz#Certificate.signature_algorithm_oidrr&cy)z= Returns the signature algorithm parameters. NrerLs r%signature_algorithm_parametersz*Certificate.signature_algorithm_parametersrr&cy)z/ Returns an Extensions object. NrerLs r%r3zCertificate.extensionsrr&cyz. Returns the signature bytes. NrerLs r% signaturezCertificate.signaturerr&cy)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrerLs r%tbs_certificate_bytesz!Certificate.tbs_certificate_bytesrr&cy)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. NrerLs r%tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytes rr&cyz" Checks equality. NrerTs r%rVzCertificate.__eq__rr&cyz" Computes a hash. NrerLs r%rYzCertificate.__hash__rr&cy)zB Serializes the certificate to PEM or DER format. Nrer"encodings r% public_byteszCertificate.public_bytesrr&cy)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nre)r"rs r%verify_directly_issued_byz%Certificate.verify_directly_issued_by$rr&Nrzhashes.HashAlgorithmr(rZrb)r(rsr(rr(datetime.datetimer(rr(z%typing.Optional[hashes.HashAlgorithm]r\)r(z;typing.Union[None, padding.PSS, padding.PKCS1v15, ec.ECDSA]r(rr]r_rzserialization.Encodingr(rZ)rr|r(r))r+r,r-abcabstractmethodrrdrrrrrrrrrrr3rrrrVrYrrrer&r%r|r|sf                  .     D                      r&r|) metaclassceZdZeej ddZeej ddZeej ddZy)RevokedCertificatecy)zG Returns the serial number of the revoked certificate. NrerLs r%rz RevokedCertificate.serial_number2rr&cy)zH Returns the date of when this certificate was revoked. NrerLs r%revocation_datez"RevokedCertificate.revocation_date9rr&cy)zW Returns an Extensions object containing a list of Revoked extensions. NrerLs r%r3zRevokedCertificate.extensions@rr&Nrbrr) r+r,r-rdrrrrr3rer&r%rr1sf       r&rcVeZdZ ddZeddZeddZed dZy) _RawRevokedCertificatec.||_||_||_yr_serial_number_revocation_date _extensionsr"rrr3s r%r z_RawRevokedCertificate.__init__M , /%r&c|jSr)rrLs r%rz$_RawRevokedCertificate.serial_numberWs"""r&c|jSr)rrLs r%rz&_RawRevokedCertificate.revocation_date[s$$$r&c|jSr)rrLs r%r3z!_RawRevokedCertificate.extensions_sr&N)rr[rrr3rrbrr)r+r,r-r rdrrr3rer&r%rrLs_&&+& &##%%  r&rc$eZdZejddZejddZej ddZeej ddZ eejddZ eejddZ eejddZ eejddZ eejdd Zeejdd Zeejdd Zejdd Zejdd Zej(d dZej(d!dZej d"dZejd#dZej d$dZy)%CertificateRevocationListcy)z: Serializes the CRL to PEM or DER format. Nrers r%rz&CertificateRevocationList.public_byteserr&cyr~rers r%rz%CertificateRevocationList.fingerprintkrr&cy)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nre)r"rs r%(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_numberqrr&cyrrerLs r%rz2CertificateRevocationList.signature_hash_algorithmzrr&cyrrerLs r%rz1CertificateRevocationList.signature_algorithm_oidrr&cy)zC Returns the X509Name with the issuer of this CRL. NrerLs r%rz CertificateRevocationList.issuerrr&cy)z? Returns the date of next update for this CRL. NrerLs r% next_updatez%CertificateRevocationList.next_updaterr&cy)z? Returns the date of last update for this CRL. NrerLs r% last_updatez%CertificateRevocationList.last_updaterr&cy)zS Returns an Extensions object containing a list of CRL extensions. NrerLs r%r3z$CertificateRevocationList.extensionsrr&cyrrerLs r%rz#CertificateRevocationList.signaturerr&cy)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrerLs r%tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytesrr&cyrrerTs r%rVz CertificateRevocationList.__eq__rr&cy)z< Number of revoked certificates in the CRL. NrerLs r%roz!CertificateRevocationList.__len__rr&cyrrer"idxs r%rqz%CertificateRevocationList.__getitem__ r&cyrrers r%rqz%CertificateRevocationList.__getitem__rr&cy)zS Returns a revoked certificate (or slice of revoked certificates). Nrers r%rqz%CertificateRevocationList.__getitem__rr&cy)z8 Iterator over the revoked certificates NrerLs r%rpz"CertificateRevocationList.__iter__rr&cy)zQ Verifies signature of revocation list against given public key. Nre)r"rs r%is_signature_validz,CertificateRevocationList.is_signature_validrr&Nrr)rr[r(z#typing.Optional[RevokedCertificate]rr\r)r("typing.Optional[datetime.datetime]rrr]r_rb)rr[r(r)rslicer(typing.List[RevokedCertificate])rztyping.Union[int, slice]r(zAtyping.Union[RevokedCertificate, typing.List[RevokedCertificate]])r(z#typing.Iterator[RevokedCertificate])rrr(ra)r+r,r-rrrrrrdrrrrrr3rrrVrotypingoverloadrqrprrer&r%rrdsH         ,   .                       __   __    + J       9   r&rcNeZdZejddZejddZejddZeejddZ eej ddZ eejddZ eejddZ eejddZ ejdd Zeejdd Zeejdd Zeejdd Zejdd Zy)CertificateSigningRequestcyrrerTs r%rVz CertificateSigningRequest.__eq__rr&cyrrerLs r%rYz"CertificateSigningRequest.__hash__rr&cyrrerLs r%rz$CertificateSigningRequest.public_keyrr&cyrrerLs r%rz!CertificateSigningRequest.subjectrr&cyrrerLs r%rz2CertificateSigningRequest.signature_hash_algorithmrr&cyrrerLs r%rz1CertificateSigningRequest.signature_algorithm_oidrr&cy)z@ Returns the extensions in the signing request. NrerLs r%r3z$CertificateSigningRequest.extensionsrr&cy)z/ Returns an Attributes object. NrerLs r%r7z$CertificateSigningRequest.attributesrr&cy)z; Encodes the request to PEM or DER format. Nrers r%rz&CertificateSigningRequest.public_bytesrr&cyrrerLs r%rz#CertificateSigningRequest.signature"rr&cy)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrerLs r%tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytes)rr&cy)z8 Verifies signature of signing request. NrerLs r%rz,CertificateSigningRequest.is_signature_valid1rr&cy)z: Get the attribute value for a given OID. Nre)r"r!s r%rnz/CertificateSigningRequest.get_attribute_for_oid8rr&Nr_rbrrrr\r)r(rgrr])r(ra)r!rr(rZ)r+r,r-rrrVrYrrdrrrr3r7rrrrrnrer&r%rrs           .                    r&rc,tj|Sr) rust_x509load_pem_x509_certificatedatabackends r%rrD  . .t 44r&c,tj|Sr)rload_pem_x509_certificates)rs r%rrJs  / / 55r&c,tj|Sr)rload_der_x509_certificaters r%rrOrr&c,tj|Sr)rload_pem_x509_csrrs r%rrV  & &t ,,r&c,tj|Sr)rload_der_x509_csrrs r%r r ]rr&c,tj|Sr)rload_pem_x509_crlrs r%r r drr&c,tj|Sr)rload_der_x509_crlrs r%rrkrr&cxeZdZdggf ddZd dZ d dZdd d dZ d d dZy) CertificateSigningRequestBuilderNc.||_||_||_y)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrj)r" subject_namer3r7s r%r z)CertificateSigningRequestBuilder.__init__rs*%%r&ct|ts td|j t dt ||j |jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.&The subject name may only be set once.)rRr TypeErrorrr1rrrjr"names r%rz-CertificateSigningRequestBuilder.subject_namesR$%9: :    )EF F/ $""D$4$4  r&ct|ts tdt|j||}t ||j t|j|j |gz|jS)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rRrrrr!r5rrrrjr"extvalcriticalr2s r% add_extensionz.CertificateSigningRequestBuilder.add_extensionsk &-0@A Afjj(F; #It/?/?@/       { *     r&)_tagcZt|ts tdt|ts td|t|ts tdt ||j | |j}nd}t|j|j|j |||fgzS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rRrrrZrr:rjrJrrr)r"r!rJr tags r% add_attributez.CertificateSigningRequestBuilder.add_attributes#/0=> >%'12 2  JtY$?34 4#C)9)9:  **CC/         eS 12 2  r&c^|j tdtj|||S)zF Signs the request using the requestor's private key. z/A CertificateSigningRequest must have a subject)rr1rcreate_x509_csrr" private_keyrrs r%signz%CertificateSigningRequestBuilder.signs1    %NO O(({IFFr&)rtyping.Optional[Name]r3%typing.List[Extension[ExtensionType]]r7Htyping.List[typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]]])rrr(r)rrrrar(r)r!rrJrZr ztyping.Optional[_ASN1Type]r(rr)r'rr"typing.Optional[_AllowedHashTypes]r typing.Anyr(r)r+r,r-r rrr#r(rer&r%rrqs/3<>  &+ &: & &   # /3 ) .,0    )  *  H# G5 G6 G G # Gr&rceZdZUded<ddddddgf ddZddZddZ ddZddZdd Z dd Z dd Z ddd  dd Z y)CertificateBuilderr*rNctj|_||_||_||_||_||_||_||_ yr) rsrv_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r" issuer_namerrrrrr3s r%r zCertificateBuilder.__init__sG  ')%+!1 /%r&c t|ts td|j t dt ||j |j|j|j|j|jS)z3 Sets the CA's distinguished name. r%The issuer name may only be set once.) rRrrr2r1r/rr3rr4r5rrs r%r6zCertificateBuilder.issuer_namesx$%9: :    (DE E!            " "  ! !     r&c t|ts td|j t dt |j ||j|j|j|j|jS)z: Sets the requestor's distinguished name. rr) rRrrrr1r/r2r3rr4r5rrs r%rzCertificateBuilder.subject_namesx$%9: :    )EF F!            " "  ! !     r&c t|tjtjt j tjtjtjtjfs td|j t#dt%|j&|j(||j*|j,|j.|j0S)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.z$The public key may only be set once.)rRr DSAPublicKeyr RSAPublicKeyr EllipticCurvePublicKeyr Ed25519PublicKeyr Ed448PublicKeyrX25519PublicKeyr X448PublicKeyrr3r1r/r2rrr4r5r)r"keys r%rzCertificateBuilder.public_keys     ))(($$&&""   !     'CD D!            " "  ! !     r&c \t|ts td|j t d|dkr t d|j dk\r t dt |j|j|j||j|j|jS)z5 Sets the certificate serial number. 'Serial number must be of integral type.'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rRr[rrr1 bit_lengthr/r2rr3r4r5rr"numbers r%rz CertificateBuilder.serial_number,s&#&EF F    *FG G Q;DE E    # %H "            " "  ! !     r&c t|tjs td|j t dt |}|t kr t d|j||jkDr t dt|j|j|j|j||j|jS)z7 Sets the certificate activation time. Expecting datetime object.z*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rRr>rr4r1rC_EARLIEST_UTC_TIMEr5r/r2rr3rrr"rAs r%rz#CertificateBuilder.not_valid_beforeGs$ 1 1289 9  ! ! -IJ J)$/ $ $$   ,8M8M1M "               ! !     r&c t|tjs td|j t dt |}|t kr t d|j||jkr t dt|j|j|j|j|j||jS)z7 Sets the certificate expiration time. rLz)The not valid after may only be set once.zrr5r1rCrMr4r/r2rr3rrrNs r%rz"CertificateBuilder.not_valid_afterds$ 1 1289 9  ,HI I)$/ $ $#   " " .t--- "              " "      r&c Ht|ts tdt|j||}t ||j t|j|j|j|j|j|j|j |gzS)z= Adds an X.509 extension to the certificate. r)rRrrrr!r5rr/r2rr3rr4r5rs r%rz CertificateBuilder.add_extensions &-0@A Afjj(F; #It/?/?@!              " "  ! !    { *  r&) rsa_paddingc|j td|j td|j td|j td|j td|j td|Zt|tjtjfs tdt|tjs tdtj||||S) zC Signs the certificate using the CA's private key. z&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public keyzPadding must be PSS or PKCS1v15z&Padding is only supported for RSA keys)rr1r2rr4r5r3rRr PSSPKCS1v15rr RSAPrivateKeyrcreate_x509_certificate)r"r'rrrQs r%r(zCertificateBuilder.signs    %EF F    $EF F    &FG G  ! ! )NO O  (MN N    #CD D  "kGKK9I9I+JK ABBk3+<+<= HII00 +y+  r&)r6r)rr)rz*typing.Optional[CertificatePublicKeyTypes]rtyping.Optional[int]rrrrr3r*r(r))rrr(r/)rBrr(r/)rJr[r(r/)rArr(r/)rrrrar(r/r) r'rrr,rr-rQzB<>&*&,&? & , & = &<&:& && $ $# &#  # J 6 : @ # /3  4# '  ' 5' 6'  '  '  ' r&r/ceZdZUded<ded<dddggf d dZ ddZ ddZ dd Z dd Z dd Z d dd Z y) CertificateRevocationListBuilderr*rr_revoked_certificatesNcJ||_||_||_||_||_yr)r2 _last_update _next_updaterr[)r"r6rrr3revoked_certificatess r%r z)CertificateRevocationListBuilder.__init__s,(''%%9"r&ct|ts td|j t dt ||j |j|j|jS)Nrr8) rRrrr2r1rZr]r^rr[)r"r6s r%r6z,CertificateRevocationListBuilder.issuer_namesf+t,9: :    (DE E/            & &   r&crt|tjs td|j t dt |}|t kr t d|j||jkDr t dt|j||j|j|jS)NrL!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rRr>rr]r1rCrMr^rZr2rr[)r"rs r%rz,CertificateRevocationListBuilder.last_updates+x'8'8989 9    (@A A0= + +M     ([4;L;L-LK 0            & &   r&crt|tjs td|j t dt |}|t kr t d|j||jkr t dt|j|j||j|jS)NrLrbrcz8The next update date must be after the last update date.) rRr>rr^r1rCrMr]rZr2rr[)r"rs r%rz,CertificateRevocationListBuilder.next_updates+x'8'8989 9    (@A A0= + +M     ([4;L;L-LJ 0            & &   r&ct|ts tdt|j||}t ||j t|j|j|j|j |gz|jS)zM Adds an X.509 extension to the certificate revocation list. r) rRrrrr!r5rrZr2r]r^r[rs r%rz.CertificateRevocationListBuilder.add_extensions} &-0@A Afjj(F; #It/?/?@/             { *  & &   r&ct|ts tdt|j|j |j |j|j|gzS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rRrrrZr2r]r^rr[)r"revoked_certificates r%add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificate(s_ -/ABGH H/              & &*=)> >   r&c|j td|j td|j tdt j |||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)r2r1r]r^rcreate_x509_crlr&s r%r(z%CertificateRevocationListBuilder.sign9sa    $=> >    $AB B    $AB B(({IFFr&) r6r)rrrrr3r*r_r)r6rr(rZ)rrr(rZ)rrr(rZ)rrrrar(rZ)rgrr(rZr)r'rrr,rr-r(r) r+r,r-rXr r6rrrrhr(rer&r%rZrZs66::.2:>:><>@B :* :8 :8 : : : > :    )   , ) 0 , ) 0 # /3 ) & #5 ) *# G5G6G G # Gr&rZc\eZdZddgf ddZddZ d dZ d dZd d dZy) RevokedCertificateBuilderNc.||_||_||_yrrrs r%r z"RevokedCertificateBuilder.__init__Lrr&ct|ts td|j t d|dkr t d|j dk\r t dt ||j|jS)NrDrErz$The serial number should be positiverFrG) rRr[rrr1rHrlrrrIs r%rz'RevokedCertificateBuilder.serial_numberVs&#&EF F    *FG G Q;CD D    # %H ) D))4+;+;  r&ct|tjs td|j t dt |}|t kr t dt|j||jS)NrLz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rRr>rrr1rCrMrlrrrNs r%rz)RevokedCertificateBuilder.revocation_datehs}$ 1 1289 9  ,HI I)$/ $ $L )   t'7'7  r&ct|ts tdt|j||}t ||j t|j|j|j |gzS)Nr) rRrrrr!r5rrlrrrs r%rz'RevokedCertificateBuilder.add_extensionxsk&-0@A Afjj(F; #It/?/?@(     ! !    { *  r&c|j td|j tdt|j|jt |j S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr1rrrr)r"rs r%buildzRevokedCertificateBuilder.buildse    &NO O  (C &     ! ! t'' (  r&)rrWrrr3r*)rJr[r(rl)rArr(rl)rrrrar(rlr)rr-r(r)r+r,r-r rrrrrrer&r%rlrlKsj/3>B<> &+&<&: & $ % "  #  /3  "    r&rlcZtjtjdddz S)Nbigr)r[ from_bytesosurandomrer&r%random_serial_numberrys >>"**R.% 0A 55r&)r2zExtension[ExtensionType]r3r*r(r))r!rr7r+r(r))rArr(rr)rrZrr-r(r|)rrZr(ztyping.List[Certificate])rrZrr-r(r)rrZrr-r(rrb)M __future__rrr>rwr cryptographyr"cryptography.hazmat.bindings._rustrrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrr r r r r rr/cryptography.hazmat.primitives.asymmetric.typesrrrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrrMUnionSHA224SHA256SHA384SHA512SHA3_224SHA3_256SHA3_384SHA3_512_AllowedHashTypes Exceptionrr5r:rCrErgEnumrsrxABCMetar|registerrrrrrrrrr r rrr/rZrlryrer&r%rs #  @@     32&X&&tQ2LL MM MM MM MM OO OO OO OO   E'E5E E E  E E  E !8!8HFF( ejj -Y- F CKKF T Y**+ 3;; 0I889 / 0y #++y x""9#F#FGY #++Y z""9#F#FG (,5 5$55 6 (,5 5$55(,- -$--(,- -$--(,- -$--(,- -$-- YGYGxt t nDGDGNF F R6r&