U e]3@sddlmZmZmZddlZddlZddlmZddlZddl m Z ddl m Z ddl mZmZddlmZmZmZe e e e e dZGd d d eZGd d d eZed deDZe je je je je jfZddZGdddeZ edde DZ!ddZ"ddZ#Gddde$Z%Gddde$Z&Gddde$Z'e(ej)Gddde$Z*e(ej)Gd d!d!e$Z+dS)")absolute_importdivisionprint_functionN)Enum)x509)hashes)ed25519ed448)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr8/usr/lib/python3/dist-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) rrr SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrr#s rccs|]}|j|fVqdSNvalue.0xrrr ,sr!cCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm3s r&c@seZdZdZdZdZdS)OCSPCertStatusrrrN)rrrZGOODREVOKEDZUNKNOWNrrrrr':sr'ccs|]}|j|fVqdSrrrrrrr!@scCsddlm}||SNrbackend),cryptography.hazmat.backends.openssl.backendr+load_der_ocsp_requestdatar+rrrr-Cs r-cCsddlm}||Sr))r,r+load_der_ocsp_responser.rrrr0Hs r0c@s2eZdZdgfddZddZddZdd ZdS) OCSPRequestBuilderNcCs||_||_dSr)_request _extensions)selfZrequest extensionsrrr__init__NszOCSPRequestBuilder.__init__cCsL|jdk rtdt|t|tjr2t|tjs:tdt|||f|jS)Nz.Only one certificate can be added to a request%cert and issuer must be a Certificate) r2r$r&r"r Certificate TypeErrorr1r3)r4certissuerr%rrradd_certificateRs   z"OCSPRequestBuilder.add_certificatecCsDt|tjstdt|j||}t||jt|j |j|gSNz"extension must be an ExtensionType) r"r ExtensionTyper9 Extensionoidr r3r1r2r4 extensionZcriticalrrr add_extension_s   z OCSPRequestBuilder.add_extensioncCs(ddlm}|jdkrtd||S)Nrr*z*You must add a certificate before building)r,r+r2r$Zcreate_ocsp_request)r4r+rrrbuildjs  zOCSPRequestBuilder.build)rrrr6r<rCrDrrrrr1Ms  r1c@seZdZddZdS)_SingleResponsec Cst|tjrt|tjs tdt|t|tjs.z$certs must be a list of Certificates) rOr$listlenallr9rLrMrNr3)r4rQrrr certificatess  z OCSPResponseBuilder.certificatescCsLt|tjstdt|j||}t||jt|j |j |j |j|gSr=) r"rr>r9r?r@r r3rLrMrNrOrArrrrCs   z!OCSPResponseBuilder.add_extensioncCszddlm}|jdkrtd|jdkr0tdt|tjtj frT|dk rhtdnt|t j sht d| tj|||S)Nrr*z&You must add a response before signingz*You must add a responder_id before signingz8algorithm must be None when signing via ed25519 or ed448z.Algorithm must be a registered hash algorithm.)r,r+rMr$rNr"rZEd25519PrivateKeyr ZEd448PrivateKeyrZ HashAlgorithmr9create_ocsp_responserr)r4Z private_keyr%r+rrrsigns(     zOCSPResponseBuilder.signcCs@ddlm}t|tstd|tjkr0td||dddS)Nrr*z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r,r+r"rr9rr$rX)clsresponse_statusr+rrrbuild_unsuccessfuls   z&OCSPResponseBuilder.build_unsuccessful) rrrr6rRrPrWrCrY classmethodr\rrrrrLs   rLc@s`eZdZejddZejddZejddZejddZej d d Z ejd d Z d S) OCSPRequestcCsdSz3 The hash of the issuer public key Nrr4rrrissuer_key_hashszOCSPRequest.issuer_key_hashcCsdSz- The hash of the issuer name Nrr`rrrissuer_name_hashszOCSPRequest.issuer_name_hashcCsdSzK The hash algorithm used in the issuer name and key hashes Nrr`rrrhash_algorithmszOCSPRequest.hash_algorithmcCsdSzM The serial number of the cert whose status is being checked Nrr`rrr serial_number#szOCSPRequest.serial_numbercCsdS)z/ Serializes the request to DER Nr)r4rSrrr public_bytes(szOCSPRequest.public_bytescCsdS)zP The list of request extensions. Not single request extensions. Nrr`rrrr5.szOCSPRequest.extensionsN) rrrabcabstractpropertyrarcrergabstractmethodrhr5rrrrr^s     r^c@seZdZejddZejddZejddZejddZejd d Z ejd d Z ejd dZ ejddZ ejddZ ejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zejd#d$Zejd%d&Zd'S)( OCSPResponsecCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr`rrrr[7szOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nrr`rrrsignature_algorithm_oid>sz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr`rrrsignature_hash_algorithmDsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nrr`rrr signatureJszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nrr`rrrtbs_response_bytesPszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr`rrrrWVszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nrr`rrrresponder_key_hash^szOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nrr`rrrresponder_namedszOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nrr`rrr produced_atjszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nrr`rrrcertificate_statuspszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nrr`rrrrJvszOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nrr`rrrrK}szOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nrr`rrrrHszOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nrr`rrrrIszOCSPResponse.next_updatecCsdSr_rr`rrrraszOCSPResponse.issuer_key_hashcCsdSrbrr`rrrrcszOCSPResponse.issuer_name_hashcCsdSrdrr`rrrreszOCSPResponse.hash_algorithmcCsdSrfrr`rrrrgszOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nrr`rrrr5szOCSPResponse.extensionsN)rrrrirjr[rmrnrorprWrqrrrsrtrJrKrHrIrarcrergr5rrrrrl5sL                  rl),Z __future__rrrrirFenumrZsixZ cryptographyrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrr Zcryptography.x509.baser r r ZSHA1ZSHA224ZSHA256ZSHA384ZSHA512Z _OIDS_TO_HASHr rdictZ_RESPONSE_STATUS_TO_ENUMr#r&r'Z_CERT_STATUS_TO_ENUMr-r0objectr1rErLZ add_metaclassABCMetar^rlrrrrsF     %>_ %