o 9fF@s>ddlmZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z ddl mZddlmZmZmZGdd d ejZGd d d ejZe je je je je jfZd!ddZGdddejZGdddZGdddejdZ GdddejdZ!GdddejdZ"GdddZ#Gdd d Z$e j%Z%e j&Z&dS)") annotationsN)utilsx509)ocsp)hashes serialization) CertificateIssuerPrivateKeyTypes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionc@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr6lib/python3.10/site-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r rr SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrrsr algorithmhashes.HashAlgorithmreturnNonecCst|ts tddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)rrrr_verify_algorithm/s r!c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r rrZGOODREVOKEDZUNKNOWNrrrrr"6sr"c@seZdZdddZdS)_SingleResponsecertx509.Certificateissuerrr cert_statusr" this_updatedatetime.datetime next_updatedatetime.datetime | Nonerevocation_timerevocation_reasonx509.ReasonFlags | Nonec Cst|tjr t|tjstdt|t|tjstd|dur,t|tjs,td||_||_||_||_ ||_ t|t sDtd|t j urZ|durQt d|durYt dn$t|tjsdtdt|}|tkrpt d|dur~t|tjs~td ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)rr Certificate TypeErrorr!datetimeZ_certZ_issuerZ _algorithmZ _this_updateZ _next_updater"r#r r r Z ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) selfr%r'rr(r)r+r-r.rrr__init__=s\        z_SingleResponse.__init__N)r%r&r'r&rrr(r"r)r*r+r,r-r,r.r/)r rrr5rrrrr$<sr$c@seZdZeejdddZeejdddZeejddd Zeejdd d Z ejdddZ eejdddZ dS) OCSPRequestrbytescCdSz3 The hash of the issuer public key Nrr4rrrissuer_key_hashzOCSPRequest.issuer_key_hashcCr8z- The hash of the issuer name Nrr:rrrissuer_name_hashr<zOCSPRequest.issuer_name_hashrcCr8zK The hash algorithm used in the issuer name and key hashes Nrr:rrrhash_algorithmr<zOCSPRequest.hash_algorithmintcCr8zM The serial number of the cert whose status is being checked Nrr:rrr serial_numberr<zOCSPRequest.serial_numberencodingserialization.EncodingcCr8)z/ Serializes the request to DER Nrr4rDrrr public_bytesr<zOCSPRequest.public_bytesx509.ExtensionscCr8)zP The list of request extensions. Not single request extensions. Nrr:rrr extensionsr<zOCSPRequest.extensionsNrr7rrrrArDrErr7rrH) r rrpropertyabcabstractmethodr;r>r@rCrGrIrrrrr6s$ r6) metaclassc@seZdZeejdddZeejdddZeejdd d Zeejdd d Z eejdddZ eejd ddZ eejd ddZ eejd!ddZ eejd"ddZdS)#OCSPSingleResponserr"cCr8zY The status of the certificate (an element from the OCSPCertStatus enum) Nrr:rrrcertificate_statusr<z%OCSPSingleResponse.certificate_statusr,cCr8z^ The date of when the certificate was revoked or None if not revoked. Nrr:rrrr-r<z"OCSPSingleResponse.revocation_timer/cCr8zi The reason the certificate was revoked or None if not specified or not revoked. Nrr:rrrr.r<z$OCSPSingleResponse.revocation_reasonr*cCr8z The most recent time at which the status being indicated is known by the responder to have been correct Nrr:rrrr)r<zOCSPSingleResponse.this_updatecCr8zC The time when newer information will be available Nrr:rrrr+r<zOCSPSingleResponse.next_updater7cCr8r9rr:rrrr;r<z"OCSPSingleResponse.issuer_key_hashcCr8r=rr:rrrr>r<z#OCSPSingleResponse.issuer_name_hashrcCr8r?rr:rrrr@r<z!OCSPSingleResponse.hash_algorithmrAcCr8rBrr:rrrrCr<z OCSPSingleResponse.serial_numberNrr"rr,rr/rr*rJrKrL)r rrrOrPrQrUr-r.r)r+r;r>r@rCrrrrrSs8rSc@seZdZeejd@ddZeejdAddZeejdBd d ZeejdCd d Z eejdDddZ eejdDddZ eejdEddZ eejdFddZ eejdGddZeejdHddZeejdId d!ZeejdJd#d$ZeejdKd&d'ZeejdHd(d)ZeejdJd*d+ZeejdDd,d-ZeejdDd.d/ZeejdLd1d2ZeejdMd4d5ZeejdNd7d8ZeejdNd9d:ZejdOd=d>Zd?S)P OCSPResponser#typing.Iterator[OCSPSingleResponse]cCr8)z_ An iterator over the individual SINGLERESP structures in the response Nrr:rrr responsesr<zOCSPResponse.responsesrcCr8)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr:rrrresponse_statusr<zOCSPResponse.response_statusx509.ObjectIdentifiercCr8)zA The ObjectIdentifier of the signature algorithm Nrr:rrrsignature_algorithm_oidr<z$OCSPResponse.signature_algorithm_oidhashes.HashAlgorithm | NonecCr8)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr:rrrsignature_hash_algorithm r<z%OCSPResponse.signature_hash_algorithmr7cCr8)z% The signature bytes Nrr:rrr signaturer<zOCSPResponse.signaturecCr8)z+ The tbsResponseData bytes Nrr:rrrtbs_response_bytesr<zOCSPResponse.tbs_response_byteslist[x509.Certificate]cCr8)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr:rrr certificates r<zOCSPResponse.certificates bytes | NonecCr8)z2 The responder's key hash or None Nrr:rrrresponder_key_hash)r<zOCSPResponse.responder_key_hashx509.Name | NonecCr8)z. The responder's Name or None Nrr:rrrresponder_name0r<zOCSPResponse.responder_namer*cCr8)z4 The time the response was produced Nrr:rrr produced_at7r<zOCSPResponse.produced_atr"cCr8rTrr:rrrrU>r<zOCSPResponse.certificate_statusr,cCr8rVrr:rrrr-Er<zOCSPResponse.revocation_timer/cCr8rWrr:rrrr.Mr<zOCSPResponse.revocation_reasoncCr8rXrr:rrrr)Ur<zOCSPResponse.this_updatecCr8rYrr:rrrr+]r<zOCSPResponse.next_updatecCr8r9rr:rrrr;dr<zOCSPResponse.issuer_key_hashcCr8r=rr:rrrr>kr<zOCSPResponse.issuer_name_hashrcCr8r?rr:rrrr@rr<zOCSPResponse.hash_algorithmrAcCr8rBrr:rrrrCyr<zOCSPResponse.serial_numberrHcCr8)zR The list of response extensions. Not single response extensions. Nrr:rrrrIr<zOCSPResponse.extensionscCr8)zR The list of single response extensions. Not response extensions. Nrr:rrrsingle_extensionsr<zOCSPResponse.single_extensionsrDrEcCr8)z0 Serializes the response to DER NrrFrrrrGr<zOCSPResponse.public_bytesN)rr_)rr)rrb)rrdrJ)rrh)rrj)rrlr]rZr[r\rKrLrNrM)r rrrOrPrQr`rarcrerfrgrirkrmrnrUr-r.r)r+r;r>r@rCrIrorGrrrrr^sr^c@sFeZdZddgfd#d d Zd$ddZd%ddZd&ddZd'd!d"ZdS)(OCSPRequestBuilderNrequestFtuple[x509.Certificate, x509.Certificate, hashes.HashAlgorithm] | None request_hash5tuple[bytes, bytes, int, hashes.HashAlgorithm] | NonerI(list[x509.Extension[x509.ExtensionType]]rrcCs||_||_||_dSN)_request _request_hash _extensions)r4rqrsrIrrrr5s  zOCSPRequestBuilder.__init__r%r&r'rrcCsZ|jdus |jdurtdt|t|tjrt|tjs"tdt|||f|j|j S)N.Only one certificate can be added to a requestr0) rwrxr r!rrr1r2rpry)r4r%r'rrrradd_certificatesz"OCSPRequestBuilder.add_certificater>r7r;rCrAcCs|jdus |jdurtdt|tstdt|td|td||j t |ks5|j t |kr9tdt |j||||f|j S)Nrzz serial_number must be an integerr>r;z`issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm) rwrxr rrAr2r!r _check_bytesZ digest_sizelenrpry)r4r>r;rCrrrradd_certificate_by_hashs&    z*OCSPRequestBuilder.add_certificate_by_hashextvalx509.ExtensionTypecriticalboolcCsJt|tjs tdt|j||}t||jt|j |j g|j|SNz"extension must be an ExtensionType) rr ExtensionTyper2 Extensionoidr ryrprwrxr4rr extensionrrr add_extensions  z OCSPRequestBuilder.add_extensionr6cCs&|jdur|jdurtdt|S)Nz*You must add a certificate before building)rwrxr rZcreate_ocsp_requestr:rrrbuilds zOCSPRequestBuilder.build)rqrrrsrtrIrurr)r%r&r'r&rrrrp) r>r7r;r7rCrArrrrp)rrrrrrp)rr6)r rrr5r{r~rrrrrrrps    rpc@s`eZdZdddgfd5d d Zd6ddZd7d d!Zd8d#d$Zd9d)d*Zd:d/d0Ze d;d3d4Z dS)<OCSPResponseBuilderNresponse_SingleResponse | None responder_id5tuple[x509.Certificate, OCSPResponderEncoding] | Nonecertslist[x509.Certificate] | NonerIrucCs||_||_||_||_dSrv) _response _responder_id_certsry)r4rrrrIrrrr5s zOCSPResponseBuilder.__init__r%r&r'rrr(r"r)r*r+r,r-r.r/rc Cs<|jdur tdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rr r$rrrry) r4r%r'rr(r)r+r-r.Z singleresprrr add_responses$  z OCSPResponseBuilder.add_responserDr responder_certcCsP|jdur tdt|tjstdt|tstdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rr rrr1r2r rrrry)r4rDrrrrrs   z OCSPResponseBuilder.responder_id!typing.Iterable[x509.Certificate]cCs\|jdur tdt|}t|dkrtdtdd|Ds$tdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|] }t|tjVqdSrv)rrr1).0xrrr 1sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rr listr}allr2rrrry)r4rrrrri)s  z OCSPResponseBuilder.certificatesrrrrcCsNt|tjs tdt|j||}t||jt|j |j |j g|j|Sr) rrrr2rrr ryrrrrrrrrr:s   z!OCSPResponseBuilder.add_extension private_keyrrdr^cCs6|jdur td|jdurtdttj|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rr rrcreate_ocsp_responserr)r4rrrrrsignJs   zOCSPResponseBuilder.signrarcCs4t|ts td|tjurtdt|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rrr2rr rr)clsrarrrbuild_unsuccessfulXs  z&OCSPResponseBuilder.build_unsuccessful)rrrrrrrIru)r%r&r'r&rrr(r"r)r*r+r,r-r,r.r/rr)rDr rr&rr)rrrr)rrrrrr)rrrrdrr^)rarrr^) r rrr5rrrirr classmethodrrrrrrs    r)rrrr)'Z __future__rrPr3typingZ cryptographyrrZ"cryptography.hazmat.bindings._rustrZcryptography.hazmat.primitivesrrZ/cryptography.hazmat.primitives.asymmetric.typesrZcryptography.x509.baser r r Enumr rZSHA1ZSHA224ZSHA256ZSHA384ZSHA512rr!r"r$ABCMetar6rSr^rprZload_der_ocsp_requestZload_der_ocsp_responserrrrs8     F+D%T}