U e]]@sddlmZmZmZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z mZmZmZmZddlmZmZddlmZedd d Zd d Zd d ZGdddeZddZddZddZddZddZddZ Gddde!Z"e #ej$Gddde%Z&e #ej$Gd d!d!e%Z'e #ej$Gd"d#d#e%Z(e #ej$Gd$d%d%e%Z)Gd&d'd'e%Z*Gd(d)d)e%Z+Gd*d+d+e%Z,Gd,d-d-e%Z-d.d/Z.dS)0)absolute_importdivisionprint_functionN)Enum)utils)dsaeced25519ed448rsa) Extension ExtensionType)NameicCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)oid ValueError) extension extensionser8/usr/lib/python3/dist-packages/cryptography/x509/base.py_reject_duplicate_extensions rcCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)rZ utcoffsetdatetimeZ timedeltareplace)timeoffsetrrr_convert_to_naive_utc_time s  rc@seZdZdZdZdS)VersionrN)__name__ __module__ __qualname__Zv1v3rrrrr.srcCs ||SN)load_pem_x509_certificatedatabackendrrrr%3sr%cCs ||Sr$)load_der_x509_certificater&rrrr)7sr)cCs ||Sr$)load_pem_x509_csrr&rrrr*;sr*cCs ||Sr$)load_der_x509_csrr&rrrr+?sr+cCs ||Sr$)load_pem_x509_crlr&rrrr,Csr,cCs ||Sr$)load_der_x509_crlr&rrrr-Gsr-cseZdZfddZZS)InvalidVersioncstt||||_dSr$)superr.__init__parsed_version)selfmsgr1 __class__rrr0LszInvalidVersion.__init__)r r!r"r0 __classcell__rrr4rr.Ksr.c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$ CertificatecCsdSz4 Returns bytes using digest passed. Nrr2 algorithmrrr fingerprintSszCertificate.fingerprintcCsdS)z3 Returns certificate serial number Nrr2rrr serial_numberYszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nrr<rrrversion_szCertificate.versioncCsdSz( Returns the public key Nrr<rrr public_keyeszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nrr<rrrnot_valid_beforekszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nrr<rrrnot_valid_afterqszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nrr<rrrissuerwszCertificate.issuercCsdSz2 Returns the subject name object. Nrr<rrrsubject}szCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nrr<rrrsignature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nrr<rrrsignature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nrr<rrrrszCertificate.extensionscCsdSz. Returns the signature bytes. Nrr<rrr signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nrr<rrrtbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdSz" Checks equality. Nrr2otherrrr__eq__szCertificate.__eq__cCsdSz# Checks not equal. NrrNrrr__ne__szCertificate.__ne__cCsdSz" Computes a hash. Nrr<rrr__hash__szCertificate.__hash__cCsdS)zB Serializes the certificate to PEM or DER format. Nrr2encodingrrr public_bytesszCertificate.public_bytesN)r r!r"abcabstractmethodr;abstractpropertyr=r>r@rArBrCrErGrIrrKrLrPrRrTrWrrrrr7QsD                r7c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$CertificateRevocationListcCsdS)z: Serializes the CRL to PEM or DER format. NrrUrrrrWsz&CertificateRevocationList.public_bytescCsdSr8rr9rrrr;sz%CertificateRevocationList.fingerprintcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)r2r=rrr(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCsdSrFrr<rrrrGsz2CertificateRevocationList.signature_hash_algorithmcCsdSrHrr<rrrrIsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nrr<rrrrCsz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nrr<rrr next_updatesz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nrr<rrr last_updatesz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nrr<rrrrsz$CertificateRevocationList.extensionscCsdSrJrr<rrrrKsz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nrr<rrrtbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytescCsdSrMrrNrrrrPsz CertificateRevocationList.__eq__cCsdSrQrrNrrrrRsz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. Nrr<rrr__len__ sz!CertificateRevocationList.__len__cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr)r2idxrrr __getitem__sz%CertificateRevocationList.__getitem__cCsdS)z8 Iterator over the revoked certificates Nrr<rrr__iter__sz"CertificateRevocationList.__iter__cCsdS)zQ Verifies signature of revocation list against given public key. Nr)r2r@rrris_signature_validsz,CertificateRevocationList.is_signature_validN)r r!r"rXrYrWr;r\rZrGrIrCr]r^rrKr_rPrRr`rbrcrdrrrrr[sD                r[c@seZdZejddZejddZejddZejddZej d d Z ej d d Z ej d dZ ej ddZ ejddZej ddZej ddZej ddZdS)CertificateSigningRequestcCsdSrMrrNrrrrP(sz CertificateSigningRequest.__eq__cCsdSrQrrNrrrrR.sz CertificateSigningRequest.__ne__cCsdSrSrr<rrrrT4sz"CertificateSigningRequest.__hash__cCsdSr?rr<rrrr@:sz$CertificateSigningRequest.public_keycCsdSrDrr<rrrrE@sz!CertificateSigningRequest.subjectcCsdSrFrr<rrrrGFsz2CertificateSigningRequest.signature_hash_algorithmcCsdSrHrr<rrrrIMsz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nrr<rrrrSsz$CertificateSigningRequest.extensionscCsdS)z; Encodes the request to PEM or DER format. NrrUrrrrWYsz&CertificateSigningRequest.public_bytescCsdSrJrr<rrrrK_sz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nrr<rrrtbs_certrequest_bytesesz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nrr<rrrrdlsz,CertificateSigningRequest.is_signature_validN)r r!r"rXrYrPrRrTr@rZrErGrIrrWrKrfrdrrrrre&s0           rec@s6eZdZejddZejddZejddZdS)RevokedCertificatecCsdS)zG Returns the serial number of the revoked certificate. Nrr<rrrr=usz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nrr<rrrrevocation_date{sz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nrr<rrrrszRevokedCertificate.extensionsN)r r!r"rXrZr=rhrrrrrrgss   rgc@s2eZdZdgfddZddZddZdd ZdS) CertificateSigningRequestBuilderNcCs||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions)r2 subject_namerrrrr0sz)CertificateSigningRequestBuilder.__init__cCs0t|tstd|jdk r$tdt||jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.) isinstancer TypeErrorrjrrirkr2namerrrrls   z-CertificateSigningRequestBuilder.subject_namecCs@t|tstdt|j||}t||jt|j|j|gS)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) ror rpr rrrkrirjr2rZcriticalrrr add_extensions   z.CertificateSigningRequestBuilder.add_extensioncCs |jdkrtd||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rjrZcreate_x509_csrr2Z private_keyr:r(rrrsigns z%CertificateSigningRequestBuilder.sign)r r!r"r0rlrurwrrrrris ric@sdeZdZddddddgfddZddZddZdd Zd d Zd d ZddZ ddZ ddZ dS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dSr$) rr#Z_version _issuer_namerj _public_key_serial_number_not_valid_before_not_valid_afterrk)r2 issuer_namerlr@r=rArBrrrrr0szCertificateBuilder.__init__cCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rmN%The issuer name may only be set once.) rorrpryrrxrjrzr{r|r}rkrqrrrr~s  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rmNrn) rorrprjrrxryrzr{r|r}rkrqrrrrls  zCertificateBuilder.subject_namecCsXt|tjtjtjtjt j fs&t d|j dk r8t dt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)rorZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrprzrrxryrjr{r|r}rk)r2keyrrrr@s"  zCertificateBuilder.public_keycCsjt|tjstd|jdk r&td|dkr6td|dkrJtdt|j|j |j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.)rosix integer_typesrpr{r bit_lengthrxryrjrzr|r}rkr2Znumberrrrr=s"   z CertificateBuilder.serial_numbercCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rorrpr|rr_EARLIEST_UTC_TIMEr}rxryrjrzr{rkr2rrrrrAs(  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdk rZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rorrprrrrrrryrkr)r2r^rrrr^ns$  z,CertificateRevocationListBuilder.last_updatecCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rorrprrrrrrryrkr)r2r]rrrr]s$  z,CertificateRevocationListBuilder.next_updatecCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. rs) ror rpr rrrkrryrrrrtrrrrus   z.CertificateRevocationListBuilder.add_extensioncCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rorgrprryrrrkr)r2Zrevoked_certificaterrradd_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatecCsD|jdkrtd|jdkr$td|jdkr6td||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)ryrrrZcreate_x509_crlrvrrrrws   z%CertificateRevocationListBuilder.sign) r r!r"r0r~r^r]rurrwrrrrr[s   rc@s<eZdZddgfddZddZddZdd Zd d ZdS) RevokedCertificateBuilderNcCs||_||_||_dSr$)r{_revocation_daterk)r2r=rhrrrrr0sz"RevokedCertificateBuilder.__init__cCsZt|tjstd|jdk r&td|dkr6td|dkrJtdt||j|j S)Nrrrz$The serial number should be positiverr) rorrrpr{rrrrrkrrrrr=s   z'RevokedCertificateBuilder.serial_numbercCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rorrprrrrrr{rkrrrrrhs  z)RevokedCertificateBuilder.revocation_datecCsDt|tstdt|j||}t||jt|j|j |j|gS)Nrs) ror rpr rrrkrr{rrtrrrrus   z'RevokedCertificateBuilder.add_extensioncCs.|jdkrtd|jdkr$td||S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)r{rrZcreate_x509_revoked_certificate)r2r(rrrbuilds  zRevokedCertificateBuilder.build)r r!r"r0r=rhrurrrrrrs   rcCsttddd?S)NZbigr)rZint_from_bytesosurandomrrrrrandom_serial_numbersr)/Z __future__rrrrXrrenumrrZ cryptographyrZ)cryptography.hazmat.primitives.asymmetricrrr r r Zcryptography.x509.extensionsr r Zcryptography.x509.namerrrrrr%r)r*r+r,r- Exceptionr.Z add_metaclassABCMetaobjectr7r[rergrirxrrrrrrrsD    i j L )+_;