B QUc@sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$eeej%eeddddZ&e!ej%ej'e!e(ej)e*fddddZ+ejejdddZ,GdddZ-GdddZ.Gdddej/Z0Gddde#Z1Gdd d ej2d!Z3e34ej3Gd"d#d#ej2d!Z5e54ej5Gd$d%d%e5Z6Gd&d'd'ej2d!Z7e74ej7Gd(d)d)ej2d!Z8e84ej8dBe(ej9e3d*d+d,Z:dCe(ej9e3d*d-d.Z;dDe(ej9e8d*d/d0ZdGe(ej9e7d*d5d6Z?Gd7d8d8Z@Gd9d:d:ZAGd;d<d<ZBGd=d>d>ZCe*d?d@dAZDdS)HN)utils)x509)hashes serialization)dsaeced25519ed448rsax25519x448)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension ExtensionType Extensions_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZeeddfdd ZZS)AttributeNotFoundN)msgoidreturncstt||||_dS)N)superr__init__r)selfrr) __class__5lib/python3.7/site-packages/cryptography/x509/base.pyr*szAttributeNotFound.__init__)__name__ __module__ __qualname__strrr __classcell__r r )rr!r)sr) extension extensionsrcCs&x |D]}|j|jkrtdqWdS)Nz$This extension has already been set.)r ValueError)r'r(er r r!_reject_duplicate_extension/s  r+)r attributesrcCs(x"|D]\}}}||krtdqWdS)Nz$This attribute has already been set.)r))rr,Zattr_oid_r r r!_reject_duplicate_attribute9sr.)timercCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r0Z utcoffsetdatetimeZ timedeltareplace)r/offsetr r r!_convert_to_naive_utc_timeEs  r4c@sxeZdZejjfeeeddddZ e edddZ e eddd Ze dd d Z eed d dZedddZdS) AttributeN)rvalue_typercCs||_||_||_dS)N)_oid_valuer7)rrr6r7r r r!rTszAttribute.__init__)rcCs|jS)N)r8)rr r r!r^sz Attribute.oidcCs|jS)N)r9)rr r r!r6bszAttribute.valuecCsd|j|jS)Nz)formatrr6)rr r r!__repr__fszAttribute.__repr__)otherrcCs2t|tstS|j|jko0|j|jko0|j|jkS)N) isinstancer5NotImplementedrr6r7)rr<r r r!__eq__is    zAttribute.__eq__cCst|j|j|jfS)N)hashrr6r7)rr r r!__hash__sszAttribute.__hash__)r"r#r$rZ UTF8Stringr6rbytesintrpropertyrr%r;objectboolr?rAr r r r!r5Ss r5c@sNeZdZejeddddZed\ZZ Z e dddZ e ed d d ZdS) AttributesN)r,rcCst||_dS)N)list _attributes)rr,r r r!rxszAttributes.__init__rI)rcCs d|jS)Nz)r:rI)rr r r!r;szAttributes.__repr__)rrcCs0x|D]}|j|kr|SqWtd||dS)NzNo {} attribute was found)rrr:)rrattrr r r!get_attribute_for_oids  z Attributes.get_attribute_for_oid)r"r#r$typingIterabler5rr__len____iter__ __getitem__r%r;rrKr r r r!rGws rGc@seZdZdZdZdS)VersionrN)r"r#r$Zv1v3r r r r!rQsrQcs&eZdZeeddfdd ZZS)InvalidVersionN)rparsed_versionrcstt||||_dS)N)rrTrrU)rrrU)rr r!rszInvalidVersion.__init__)r"r#r$r%rCrr&r r )rr!rTsrTc@sveZdZejejedddZej e dddZ ej e dddZ ejedd d Zej ejdd d Zej ejdd dZej edddZej edddZej ejejdddZej edddZej edddZej edddZej edddZej edddZeje e!dd d!Z"eje dd"d#Z#eje$j%ed$d%d&Z&d'S)( Certificate) algorithmrcCsdS)z4 Returns bytes using digest passed. Nr )rrWr r r! fingerprintszCertificate.fingerprint)rcCsdS)z3 Returns certificate serial number Nr )rr r r! serial_numberszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nr )rr r r!versionszCertificate.versioncCsdS)z( Returns the public key Nr )rr r r! public_keyszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nr )rr r r!not_valid_beforeszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nr )rr r r!not_valid_afterszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nr )rr r r!issuerszCertificate.issuercCsdS)z2 Returns the subject name object. Nr )rr r r!subjectszCertificate.subjectcCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr )rr r r!signature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr )rr r r!signature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nr )rr r r!r(szCertificate.extensionscCsdS)z. Returns the signature bytes. Nr )rr r r! signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr )rr r r!tbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr )rr r r!tbs_precertificate_bytessz$Certificate.tbs_precertificate_bytes)r<rcCsdS)z" Checks equality. Nr )rr<r r r!r?szCertificate.__eq__cCsdS)z" Computes a hash. Nr )rr r r!rAszCertificate.__hash__)encodingrcCsdS)zB Serializes the certificate to PEM or DER format. Nr )rrer r r! public_bytesszCertificate.public_bytesN)'r"r#r$abcabstractmethodr HashAlgorithmrBrXabstractpropertyrCrYrQrZrr[r1r\r]rr^r_rLOptionalr`rrarr(rbrcrdrErFr?rArEncodingrfr r r r!rVsDrV) metaclassc@sJeZdZejedddZejejdddZeje dddZ dS) RevokedCertificate)rcCsdS)zG Returns the serial number of the revoked certificate. Nr )rr r r!rYsz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nr )rr r r!revocation_date sz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr )rr r r!r(szRevokedCertificate.extensionsN) r"r#r$rgrjrCrYr1rorr(r r r r!rns rnc@sXeZdZeejedddZeedddZeejdddZ eedd d Z d S) _RawRevokedCertificate)rYror(cCs||_||_||_dS)N)_serial_number_revocation_date _extensions)rrYror(r r r!rsz_RawRevokedCertificate.__init__)rcCs|jS)N)rq)rr r r!rY)sz$_RawRevokedCertificate.serial_numbercCs|jS)N)rr)rr r r!ro-sz&_RawRevokedCertificate.revocation_datecCs|jS)N)rs)rr r r!r(1sz!_RawRevokedCertificate.extensionsN) r"r#r$rCr1rrrDrYror(r r r r!rpsrpc@seZdZejejedddZeje j edddZ eje e jeddd Zeje je j d d d Zejed d dZejed ddZeje jejd ddZejejd ddZejed ddZejed ddZejed ddZejeedddZ eje d ddZ!e j"e ed d!d"Z#e j"e$e j%ed d#d"Z#eje j&e e$fe j&ee j%efd d$d"Z#eje j'ed d%d&Z(eje)ed'd(d)Z*d*S)+CertificateRevocationList)rercCsdS)z: Serializes the CRL to PEM or DER format. Nr )rrer r r!rf7sz&CertificateRevocationList.public_bytes)rWrcCsdS)z4 Returns bytes using digest passed. Nr )rrWr r r!rX=sz%CertificateRevocationList.fingerprint)rYrcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr )rrYr r r!(get_revoked_certificate_by_serial_numberCszBCertificateRevocationList.get_revoked_certificate_by_serial_number)rcCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr )rr r r!r`Lsz2CertificateRevocationList.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr )rr r r!raUsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr )rr r r!r^[sz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nr )rr r r! next_updateasz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nr )rr r r! last_updategsz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr )rr r r!r(msz$CertificateRevocationList.extensionscCsdS)z. Returns the signature bytes. Nr )rr r r!rbssz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr )rr r r!tbs_certlist_bytesysz,CertificateRevocationList.tbs_certlist_bytes)r<rcCsdS)z" Checks equality. Nr )rr<r r r!r?sz CertificateRevocationList.__eq__cCsdS)z< Number of revoked certificates in the CRL. Nr )rr r r!rNsz!CertificateRevocationList.__len__)idxrcCsdS)Nr )rryr r r!rPsz%CertificateRevocationList.__getitem__cCsdS)Nr )rryr r r!rPscCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr )rryr r r!rPscCsdS)z8 Iterator over the revoked certificates Nr )rr r r!rOsz"CertificateRevocationList.__iter__)r[rcCsdS)zQ Verifies signature of revocation list against given public key. Nr )rr[r r r!is_signature_validsz,CertificateRevocationList.is_signature_validN)+r"r#r$rgrhrrlrBrfrrirXrCrLrkrnrurjr`rrarr^r1rvrwrr(rbrxrErFr?rNZoverloadrPsliceListZUnionIteratorrOr rzr r r r!rt6sN  rtc@s eZdZejeedddZejedddZ eje dddZ ej e dd d Zej ejejdd d Zej edd dZej edddZej edddZejejedddZej edddZej edddZej edddZ ejeedddZ!dS) CertificateSigningRequest)r<rcCsdS)z" Checks equality. Nr )rr<r r r!r?sz CertificateSigningRequest.__eq__)rcCsdS)z" Computes a hash. Nr )rr r r!rAsz"CertificateSigningRequest.__hash__cCsdS)z( Returns the public key Nr )rr r r!r[sz$CertificateSigningRequest.public_keycCsdS)z2 Returns the subject name object. Nr )rr r r!r_sz!CertificateSigningRequest.subjectcCsdS)zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr )rr r r!r`sz2CertificateSigningRequest.signature_hash_algorithmcCsdS)zJ Returns the ObjectIdentifier of the signature algorithm. Nr )rr r r!rasz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nr )rr r r!r(sz$CertificateSigningRequest.extensionscCsdS)z/ Returns an Attributes object. Nr )rr r r!r,sz$CertificateSigningRequest.attributes)rercCsdS)z; Encodes the request to PEM or DER format. Nr )rrer r r!rfsz&CertificateSigningRequest.public_bytescCsdS)z. Returns the signature bytes. Nr )rr r r!rbsz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr )rr r r!tbs_certrequest_bytessz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr )rr r r!rzsz,CertificateSigningRequest.is_signature_valid)rrcCsdS)z: Get the attribute value for a given OID. Nr )rrr r r!rKsz/CertificateSigningRequest.get_attribute_for_oidN)"r"r#r$rgrhrErFr?rCrArr[rjrr_rLrkrrir`rrarr(rGr,rrlrBrfrbrrzrKr r r r!r~s4r~)databackendrcCs t|S)N) rust_x509load_pem_x509_certificate)rrr r r!rsrcCs t|S)N)rload_der_x509_certificate)rrr r r!r srcCs t|S)N)rload_pem_x509_csr)rrr r r!rsrcCs t|S)N)rload_der_x509_csr)rrr r r!rsrcCs t|S)N)rload_pem_x509_crl)rrr r r!r"srcCs t|S)N)rload_der_x509_crl)rrr r r!r)src @seZdZdggfejeejeeejej e e eje fdddZ eddddZeeddd d Zdd e e ejedd d dZdeejejejedddZdS) CertificateSigningRequestBuilderN) subject_namer(r,cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namersrI)rrr(r,r r r!r0s z)CertificateSigningRequestBuilder.__init__)namercCs4t|tstd|jdk r$tdt||j|jS)zF Sets the certificate requestor's distinguished name. zExpecting x509.Name object.Nz&The subject name may only be set once.)r=r TypeErrorrr)rrsrI)rrr r r!r?s   z-CertificateSigningRequestBuilder.subject_name)extvalcriticalrcCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. z"extension must be an ExtensionType) r=rrrrr+rsrrrI)rrrr'r r r! add_extensionKs   z.CertificateSigningRequestBuilder.add_extension)_tag)rr6rrcCs|t|tstdt|ts$td|dk r>t|ts>tdt||j|dk rZ|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) r=rrrBrr.rIr6rrrs)rrr6rtagr r r! add_attribute]s   z.CertificateSigningRequestBuilder.add_attribute) private_keyrWrrcCs |jdkrtdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr)rZcreate_x509_csr)rrrWrr r r!sign}s z%CertificateSigningRequestBuilder.sign)N)r"r#r$rLrkrr|rrTuplerrBrCrrrFrrrrrriAnyr~rr r r r!r/s>  rc @seZdZUejeeed<ddddddgfeje eje eje eje eje j eje j ejeeddddZ e ddddZe ddd d Ze dd d d Ze ddddZe j ddddZe j ddddZeeddddZdeejejejedddZdS)CertificateBuilderrsN) issuer_namerr[rYr\r]r(rcCs6tj|_||_||_||_||_||_||_||_ dS)N) rQrSZ_version _issuer_namer _public_keyrq_not_valid_before_not_valid_afterrs)rrrr[rYr\r]r(r r r!rs zCertificateBuilder.__init__)rrcCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. zExpecting x509.Name object.Nz%The issuer name may only be set once.) r=rrrr)rrrrqrrrs)rrr r r!rs  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. zExpecting x509.Name object.Nz&The subject name may only be set once.) r=rrrr)rrrrqrrrs)rrr r r!rs  zCertificateBuilder.subject_name)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdk r@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)r=rZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyrZEd25519PublicKeyr ZEd448PublicKeyr ZX25519PublicKeyr Z X448PublicKeyrrr)rrrrqrrrs)rrr r r!r[s*  zCertificateBuilder.public_key)numberrcCsht|tstd|jdk r$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. z'Serial number must be of integral type.Nz'The serial number may only be set once.rz%The serial number should be positive.z3The serial number should not be more than 159 bits.) r=rCrrqr) bit_lengthrrrrrrrs)rrr r r!rYs"   z CertificateBuilder.serial_number)r/rcCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. zExpecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)r=r1rrr)r4_EARLIEST_UTC_TIMErrrrrrqrs)rr/r r r!r\s&  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. zExpecting datetime object.Nz)The not valid after may only be set once.ztd|jdk rZ||jkrZtdt|j ||j|j |j S)NzExpecting datetime object.z!Last update may only be set once.z8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) r=r1rrr)r4rrrrrsr)rrwr r r!rws"  z,CertificateRevocationListBuilder.last_update)rvrcCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)NzExpecting datetime object.z!Last update may only be set once.z8The last update date must be on or after 1950 January 1.z8The next update date must be after the last update date.) r=r1rrr)r4rrrrrsr)rrvr r r!rvs"  z,CertificateRevocationListBuilder.next_update)rrrcCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. z"extension must be an ExtensionType) r=rrrrr+rsrrrrr)rrrr'r r r!rs   z.CertificateRevocationListBuilder.add_extension)revoked_certificatercCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) r=rnrrrrrrsr)rrr r r!add_revoked_certificates z8CertificateRevocationListBuilder.add_revoked_certificate)rrWrrcCsD|jdkrtd|jdkr$td|jdkr6tdt|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr)rrrZcreate_x509_crl)rrrWrr r r!rs   z%CertificateRevocationListBuilder.sign)N)r"r#r$rLr|rrrrnrkrr1rrrwrvrFrrrrrirrtrr r r r!rxs& @ rc@seZdZddgfejeejejejee dddZ eddddZ ejddd d Z e e dd d d ZdejedddZdS)RevokedCertificateBuilderN)rYror(cCs||_||_||_dS)N)rqrrrs)rrYror(r r r!rsz"RevokedCertificateBuilder.__init__)rrcCsXt|tstd|jdk r$td|dkr4td|dkrHtdt||j|jS)Nz'Serial number must be of integral type.z'The serial number may only be set once.rz$The serial number should be positiverz3The serial number should not be more than 159 bits.) r=rCrrqr)rrrrrs)rrr r r!rY s   z'RevokedCertificateBuilder.serial_number)r/rcCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)NzExpecting datetime object.z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) r=r1rrrr)r4rrrqrs)rr/r r r!ros  z)RevokedCertificateBuilder.revocation_date)rrrcCsDt|tstdt|j||}t||jt|j|j |j|gS)Nz"extension must be an ExtensionType) r=rrrrr+rsrrqrr)rrrr'r r r!r,s  z'RevokedCertificateBuilder.add_extension)rrcCs:|jdkrtd|jdkr$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rqr)rrrprrs)rrr r r!build:s  zRevokedCertificateBuilder.build)N)r"r#r$rLrkrCr1r|rrrrYrorFrrrnrr r r r!rs. r)rcCsttddd?S)NZbigr)rC from_bytesosurandomr r r r!random_serial_numberHsr)N)N)N)N)N)N)Ergr1rrLZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrrr r r r Z/cryptography.hazmat.primitives.asymmetric.typesr rrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrr Exceptionrr|r+rrBrkrCr.r4r5rGEnumrQrTABCMetarVregisterrnrprtr~rrrrrrrrrrrrr r r r!sj  $   $m  t U \nI