Compiled Python bytecode (a .pyc file, not source text) of the module cryptography.x509.ocsp, compiled from /usr/lib/python3/dist-packages/cryptography/x509/ocsp.py. The bytecode itself is unreadable; the information that survives in it (names, docstrings, type annotations and error messages) is listed below.

Imports: abc, datetime, typing; cryptography.utils, cryptography.x509; the Rust binding cryptography.hazmat.bindings._rust.ocsp; cryptography.hazmat.primitives.hashes and serialization; cryptography.hazmat.primitives.asymmetric.types.CertificateIssuerPrivateKeyTypes; cryptography.x509.base (_EARLIEST_UTC_TIME, _convert_to_naive_utc_time, _reject_duplicate_extension).

Enumerations:
  OCSPResponderEncoding: HASH ("By Hash"), NAME ("By Name")
  OCSPResponseStatus: SUCCESSFUL, MALFORMED_REQUEST, INTERNAL_ERROR, TRY_LATER, SIG_REQUIRED, UNAUTHORIZED
  OCSPCertStatus: GOOD, REVOKED, UNKNOWN

_ALLOWED_HASHES = (hashes.SHA1, hashes.SHA224, hashes.SHA256, hashes.SHA384, hashes.SHA512)
_verify_algorithm(algorithm): raises ValueError("Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512") unless the algorithm is one of _ALLOWED_HASHES.

_SingleResponse.__init__(cert: x509.Certificate, issuer: x509.Certificate, algorithm: hashes.HashAlgorithm, cert_status: OCSPCertStatus, this_update: datetime.datetime, next_update: Optional[datetime.datetime], revocation_time: Optional[datetime.datetime], revocation_reason: Optional[x509.ReasonFlags])
  Stores _cert, _issuer, _algorithm, _this_update, _next_update, _cert_status, _revocation_time, _revocation_reason. Validation messages:
    "cert and issuer must be a Certificate"
    "this_update must be a datetime object"
    "next_update must be a datetime object or None"
    "cert_status must be an item from the OCSPCertStatus enum"
    "revocation_time can only be provided if the certificate is revoked"
    "revocation_reason can only be provided if the certificate is revoked"
    "revocation_time must be a datetime object"
    "The revocation_time must be on or after 1950 January 1."
    "revocation_reason must be an item from the ReasonFlags enum or None"

class OCSPRequest (abstract, metaclass abc.ABCMeta):
  issuer_key_hash -> bytes: "The hash of the issuer public key"
  issuer_name_hash -> bytes: "The hash of the issuer name"
  hash_algorithm -> hashes.HashAlgorithm: "The hash algorithm used in the issuer name and key hashes"
  serial_number -> int: "The serial number of the cert whose status is being checked"
  public_bytes(encoding: serialization.Encoding) -> bytes: "Serializes the request to DER"
  extensions -> x509.Extensions: "The list of request extensions. Not single request extensions."

class OCSPSingleResponse (abstract):
  certificate_status -> OCSPCertStatus: "The status of the certificate (an element from the OCSPCertStatus enum)"
  revocation_time -> Optional[datetime.datetime]: "The date of when the certificate was revoked or None if not revoked."
  revocation_reason -> Optional[x509.ReasonFlags]: "The reason the certificate was revoked or None if not specified or not revoked."
  this_update -> datetime.datetime: "The most recent time at which the status being indicated is known by the responder to have been correct"
  next_update -> Optional[datetime.datetime]: "The time when newer information will be available"
  issuer_key_hash, issuer_name_hash, hash_algorithm, serial_number: as in OCSPRequest

class OCSPResponse (abstract):
  responses -> Iterator[OCSPSingleResponse]: "An iterator over the individual SINGLERESP structures in the response"
  response_status -> OCSPResponseStatus: "The status of the response. This is a value from the OCSPResponseStatus enumeration"
  signature_algorithm_oid -> x509.ObjectIdentifier: "The ObjectIdentifier of the signature algorithm"
  signature_hash_algorithm -> Optional[hashes.HashAlgorithm]: "Returns a HashAlgorithm corresponding to the type of the digest signed"
  signature -> bytes: "The signature bytes"
  tbs_response_bytes -> bytes: "The tbsResponseData bytes"
  certificates -> List[x509.Certificate]: "A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate."
  responder_key_hash -> Optional[bytes]: "The responder's key hash or None"
  responder_name -> Optional[x509.Name]: "The responder's Name or None"
  produced_at -> datetime.datetime: "The time the response was produced"
  certificate_status, revocation_time, revocation_reason, this_update, next_update, issuer_key_hash, issuer_name_hash, hash_algorithm, serial_number: as in OCSPSingleResponse
  extensions -> x509.Extensions: "The list of response extensions. Not single response extensions."
  single_extensions -> x509.Extensions: "The list of single response extensions. Not response extensions."
  public_bytes(encoding: serialization.Encoding) -> bytes: "Serializes the response to DER"

class OCSPRequestBuilder:
  __init__(request=None, request_hash=None, extensions=[]) storing _request, _request_hash, _extensions
  add_certificate(cert, issuer, algorithm) -> OCSPRequestBuilder
    "Only one certificate can be added to a request"; "cert and issuer must be a Certificate"
  add_certificate_by_hash(issuer_name_hash: bytes, issuer_key_hash: bytes, serial_number: int, algorithm) -> OCSPRequestBuilder
    "serial_number must be an integer"; "issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm"
  add_extension(extval: x509.ExtensionType, critical: bool) -> OCSPRequestBuilder
    "extension must be an ExtensionType"; duplicate OIDs rejected via _reject_duplicate_extension
  build() -> OCSPRequest
    "You must add a certificate before building"; delegates to the Rust binding ocsp.create_ocsp_request(self)

class OCSPResponseBuilder:
  __init__(response=None, responder_id=None, certs=None, extensions=[]) storing _response, _responder_id, _certs, _extensions
  add_response(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason) -> OCSPResponseBuilder
    "Only one response per OCSPResponse."; wraps the arguments in a _SingleResponse
  responder_id(encoding: OCSPResponderEncoding, responder_cert: x509.Certificate) -> OCSPResponseBuilder
    "responder_id can only be set once"; "responder_cert must be a Certificate"; "encoding must be an element from OCSPResponderEncoding"
  certificates(certs: Iterable[x509.Certificate]) -> OCSPResponseBuilder
    "certificates may only be set once"; "certs must not be an empty list"; "certs must be a list of Certificates"
  add_extension(extval: x509.ExtensionType, critical: bool) -> OCSPResponseBuilder
    "extension must be an ExtensionType"
  sign(private_key: CertificateIssuerPrivateKeyTypes, algorithm: Optional[hashes.HashAlgorithm]) -> OCSPResponse
    "You must add a response before signing"; "You must add a responder_id before signing"; delegates to ocsp.create_ocsp_response(OCSPResponseStatus.SUCCESSFUL, self, private_key, algorithm)
  build_unsuccessful(cls, response_status: OCSPResponseStatus) -> OCSPResponse (classmethod)
    "response_status must be an item from OCSPResponseStatus"; "response_status cannot be SUCCESSFUL"; delegates to ocsp.create_ocsp_response(response_status, None, None, None)

Module-level loaders:
  load_der_ocsp_request(data: bytes) -> OCSPRequest: delegates to ocsp.load_der_ocsp_request(data)
  load_der_ocsp_response(data: bytes) -> OCSPResponse: delegates to ocsp.load_der_ocsp_response(data)