o c @sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$deedej%eeddfddZ&de!dej%ej'e!e(ej)e*fddfddZ+dejdejfddZ,GdddZ-GdddZ.Gdddej/Z0Gd d!d!e#Z1Gd"d#d#ej2d$Z3e34ej3Gd%d&d&ej2d$Z5e54ej5Gd'd(d(e5Z6Gd)d*d*ej2d$Z7e74ej7Gd+d,d,ej2d$Z8e84ej8 dGd-e(d.ej9de3fd/d0Z:d-e(dej%e3fd1d2Z; dGd-e(d.ej9de3fd3d4Z< dGd-e(d.ej9de8fd5d6Z= dGd-e(d.ej9de8fd7d8Z> dGd-e(d.ej9de7fd9d:Z? dGd-e(d.ej9de7fd;d<Z@Gd=d>d>ZAGd?d@d@ZBGdAdBdBZCGdCdDdDZDde*fdEdFZEdS)HN)utils)x509)hashes serialization)dsaeced448ed25519rsax448x25519)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric*eZdZdededdffdd ZZS)AttributeNotFoundmsgoidreturnNctt||||_dSN)superr__init__r)selfrr __class__6lib/python3.10/site-packages/cryptography/x509/base.pyr ) zAttributeNotFound.__init__)__name__ __module__ __qualname__strrr __classcell__r$r$r"r%r("r extension extensionsrcCs"|D] }|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r-r.er$r$r%_reject_duplicate_extension.s  r1r attributescCs$|D] \}}}||krtdqdS)Nz$This attribute has already been set.)r/)rr2Zattr_oid_r$r$r%_reject_duplicate_attribute8s r4timecCs6|jdur|}|r |nt}|jdd|S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r6Z utcoffsetdatetimeZ timedeltareplace)r5offsetr$r$r%_convert_to_naive_utc_timeDs r:c @seZdZejjfdedededdfddZ e defdd Z e defd d Zde fd d Z dedefddZdefddZdS) Attributervalue_typerNcC||_||_||_dSr)_oid_valuer=)r!rr<r=r$r$r%r S zAttribute.__init__cC|jSr)r?r!r$r$r%r]z Attribute.oidcCrBr)r@rCr$r$r%r<arDzAttribute.valuecCsd|j|jS)Nz)formatrr<rCr$r$r%__repr__eszAttribute.__repr__othercCs2t|tstS|j|jko|j|jko|j|jkSr) isinstancer;NotImplementedrr<r=r!rGr$r$r%__eq__hs    zAttribute.__eq__cCst|j|j|jfSr)hashrr<r=rCr$r$r%__hash__rszAttribute.__hash__)r'r(r)rZ UTF8Stringr<rbytesintr propertyrr*rFobjectboolrKrMr$r$r$r%r;Rs$   r;c@sReZdZdejeddfddZed\ZZ Z de fddZ d e defd d ZdS) Attributesr2rNcCst||_dSr)list _attributes)r!r2r$r$r%r wszAttributes.__init__rUcCs d|jS)Nz)rErUrCr$r$r%rFs zAttributes.__repr__rcCs,|D] }|j|kr |Sqtd||)NzNo {} attribute was found)rrrE)r!rattrr$r$r%get_attribute_for_oids  z Attributes.get_attribute_for_oid)r'r(r)typingIterabler;r r__len____iter__ __getitem__r*rFrrWr$r$r$r%rSvs rSc@seZdZdZdZdS)VersionrN)r'r(r)Zv1v3r$r$r$r%r]sr]cr)InvalidVersionrparsed_versionrNcrr)rr`r ra)r!rrar"r$r%r r&zInvalidVersion.__init__)r'r(r)r*rOr r+r$r$r"r%r`r,r`c@seZdZejdejdefddZe ejde fddZ e ejde fddZ ejdefd d Ze ejdejfd d Ze ejdejfd dZe ejdefddZe ejdefddZe ejdejejfddZe ejdefddZe ejdefddZe ejdefddZe ejdefddZe ejdefddZejde de!fd d!Z"ejde fd"d#Z#ejd$e$j%defd%d&Z&d'S)( Certificate algorithmrcCdSz4 Returns bytes using digest passed. Nr$r!rcr$r$r% fingerprintzCertificate.fingerprintcCrd)z3 Returns certificate serial number Nr$rCr$r$r% serial_numberrhzCertificate.serial_numbercCrd)z1 Returns the certificate version Nr$rCr$r$r%versionrhzCertificate.versioncCrdz( Returns the public key Nr$rCr$r$r% public_keyrhzCertificate.public_keycCrd)z? Not before time (represented as UTC datetime) Nr$rCr$r$r%not_valid_beforerhzCertificate.not_valid_beforecCrd)z> Not after time (represented as UTC datetime) Nr$rCr$r$r%not_valid_afterrhzCertificate.not_valid_aftercCrd)z1 Returns the issuer name object. Nr$rCr$r$r%issuerrhzCertificate.issuercCrdz2 Returns the subject name object. Nr$rCr$r$r%subjectrhzCertificate.subjectcCrdzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr$rCr$r$r%signature_hash_algorithmrhz$Certificate.signature_hash_algorithmcCrdzJ Returns the ObjectIdentifier of the signature algorithm. Nr$rCr$r$r%signature_algorithm_oidrhz#Certificate.signature_algorithm_oidcCrd)z/ Returns an Extensions object. Nr$rCr$r$r%r.rhzCertificate.extensionscCrdz. Returns the signature bytes. Nr$rCr$r$r% signaturerhzCertificate.signaturecCrd)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr$rCr$r$r%tbs_certificate_bytesrhz!Certificate.tbs_certificate_bytescCrd)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr$rCr$r$r%tbs_precertificate_bytesrhz$Certificate.tbs_precertificate_bytesrGcCrdz" Checks equality. Nr$rJr$r$r%rKrhzCertificate.__eq__cCrdz" Computes a hash. Nr$rCr$r$r%rMrhzCertificate.__hash__encodingcCrd)zB Serializes the certificate to PEM or DER format. Nr$r!r|r$r$r% public_bytesrhzCertificate.public_bytesN)'r'r(r)abcabstractmethodr HashAlgorithmrNrgrPrOrir]rjrrlr7rmrnrrorqrXOptionalrsrrurr.rwrxryrQrRrKrMrEncodingr~r$r$r$r%rbsb rb) metaclassc@sVeZdZeejdefddZeejdejfddZ eejde fddZ dS) RevokedCertificatercCrd)zG Returns the serial number of the revoked certificate. Nr$rCr$r$r%rirhz RevokedCertificate.serial_numbercCrd)zH Returns the date of when this certificate was revoked. Nr$rCr$r$r%revocation_daterhz"RevokedCertificate.revocation_datecCrd)zW Returns an Extensions object containing a list of Revoked extensions. Nr$rCr$r$r%r. rhzRevokedCertificate.extensionsN) r'r(r)rPrrrOrir7rrr.r$r$r$r%rsrc@s\eZdZdedejdefddZedefddZedejfd d Z edefd d Z d S)_RawRevokedCertificaterirr.cCr>r_serial_number_revocation_date _extensionsr!rirr.r$r$r%r -rAz_RawRevokedCertificate.__init__rcCrBr)rrCr$r$r%ri7rDz$_RawRevokedCertificate.serial_numbercCrBr)rrCr$r$r%r;rDz&_RawRevokedCertificate.revocation_datecCrBr)rrCr$r$r%r.?rDz!_RawRevokedCertificate.extensionsN) r'r(r)rOr7rr rPrirr.r$r$r$r%r,s  rc@seZdZejdejdefddZejde j defddZ ejde de jefd d Zeejde je j fd d Zeejdefd dZeejdefddZeejde jejfddZeejdejfddZeejdefddZeejdefddZeejdefddZejdedefddZ ejde fddZ!e j"d e defd!d"Z#e j"d e$de j%efd#d"Z#ejd e j&e e$fde j&ee j%effd$d"Z#ejde j'efd%d&Z(ejd'e)defd(d)Z*d*S)+CertificateRevocationListr|rcCrd)z: Serializes the CRL to PEM or DER format. Nr$r}r$r$r%r~Erhz&CertificateRevocationList.public_bytesrccCrdrer$rfr$r$r%rgKrhz%CertificateRevocationList.fingerprintricCrd)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr$)r!rir$r$r%(get_revoked_certificate_by_serial_numberQrhzBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCrdrrr$rCr$r$r%rsZrhz2CertificateRevocationList.signature_hash_algorithmcCrdrtr$rCr$r$r%rudrhz1CertificateRevocationList.signature_algorithm_oidcCrd)zC Returns the X509Name with the issuer of this CRL. Nr$rCr$r$r%rokrhz CertificateRevocationList.issuercCrd)z? Returns the date of next update for this CRL. Nr$rCr$r$r% next_updaterrhz%CertificateRevocationList.next_updatecCrd)z? Returns the date of last update for this CRL. Nr$rCr$r$r% last_updateyrhz%CertificateRevocationList.last_updatecCrd)zS Returns an Extensions object containing a list of CRL extensions. Nr$rCr$r$r%r.rhz$CertificateRevocationList.extensionscCrdrvr$rCr$r$r%rwrhz#CertificateRevocationList.signaturecCrd)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr$rCr$r$r%tbs_certlist_bytesrhz,CertificateRevocationList.tbs_certlist_bytesrGcCrdrzr$rJr$r$r%rKrhz CertificateRevocationList.__eq__cCrd)z< Number of revoked certificates in the CRL. Nr$rCr$r$r%rZrhz!CertificateRevocationList.__len__idxcCdSrr$r!rr$r$r%r\z%CertificateRevocationList.__getitem__cCrrr$rr$r$r%r\rcCrd)zS Returns a revoked certificate (or slice of revoked certificates). Nr$rr$r$r%r\rhcCrd)z8 Iterator over the revoked certificates Nr$rCr$r$r%r[rhz"CertificateRevocationList.__iter__rlcCrd)zQ Verifies signature of revocation list against given public key. Nr$)r!rlr$r$r%is_signature_validrhz,CertificateRevocationList.is_signature_validN)+r'r(r)rrrrrNr~rrrgrOrXrrrrPrsrrurror7rrrr.rwrrQrRrKrZZoverloadr\sliceListZUnionIteratorr[r rr$r$r$r%rDsv    rc@sFeZdZejdedefddZejdefddZ ejde fddZ e ejde fd d Ze ejdejejfd d Ze ejdefd dZe ejdefddZe ejdefddZejdejdefddZe ejdefddZe ejdefddZe ejdefddZ ejdedefddZ!dS) CertificateSigningRequestrGrcCrdrzr$rJr$r$r%rKrhz CertificateSigningRequest.__eq__cCrdr{r$rCr$r$r%rMrhz"CertificateSigningRequest.__hash__cCrdrkr$rCr$r$r%rlrhz$CertificateSigningRequest.public_keycCrdrpr$rCr$r$r%rqrhz!CertificateSigningRequest.subjectcCrdrrr$rCr$r$r%rsrhz2CertificateSigningRequest.signature_hash_algorithmcCrdrtr$rCr$r$r%rurhz1CertificateSigningRequest.signature_algorithm_oidcCrd)z@ Returns the extensions in the signing request. Nr$rCr$r$r%r.rhz$CertificateSigningRequest.extensionscCrd)z/ Returns an Attributes object. Nr$rCr$r$r%r2rhz$CertificateSigningRequest.attributesr|cCrd)z; Encodes the request to PEM or DER format. Nr$r}r$r$r%r~rhz&CertificateSigningRequest.public_bytescCrdrvr$rCr$r$r%rwrhz#CertificateSigningRequest.signaturecCrd)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr$rCr$r$r%tbs_certrequest_bytes rhz/CertificateSigningRequest.tbs_certrequest_bytescCrd)z8 Verifies signature of signing request. Nr$rCr$r$r%rrhz,CertificateSigningRequest.is_signature_validrcCrd)z: Get the attribute value for a given OID. Nr$)r!rr$r$r%rWrhz/CertificateSigningRequest.get_attribute_for_oidN)"r'r(r)rrrQrRrKrOrMrrlrPrrqrXrrrrsrrurr.rSr2rrrNr~rwrrrWr$r$r$r%rsJ rdatabackendcC t|Sr) rust_x509load_pem_x509_certificaterrr$r$r%r$ rcCrr)rload_pem_x509_certificates)rr$r$r%r*s rcCrr)rload_der_x509_certificaterr$r$r%r/rrcCrr)rload_pem_x509_csrrr$r$r%r6rrcCrr)rload_der_x509_csrrr$r$r%r=rrcCrr)rload_pem_x509_crlrr$r$r%rDrrcCrr)rload_der_x509_crlrr$r$r%rKrrc @seZdZdggfdejedejeedejej e e eje ffddZ deddfd d Zd ed eddfd dZddde de dejeddfddZ ddedejejdejdefddZdS) CertificateSigningRequestBuilderN subject_namer.r2cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrU)r!rr.r2r$r$r%r Rs  z)CertificateSigningRequestBuilder.__init__namercCs4t|ts td|jdurtdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rHr TypeErrorrr/rrrUr!rr$r$r%ras   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalcCsDt|ts tdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rHrrrrr1rrrrUr!rrr-r$r$r% add_extensionms   z.CertificateSigningRequestBuilder.add_extension)_tagrr<rcCs|t|ts tdt|tstd|durt|tstdt||j|dur-|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rHrrrNrr4rUr<rrr)r!rr<rtagr$r$r% add_attributes   z.CertificateSigningRequestBuilder.add_attribute private_keyrcrcCs |jdur tdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr/rZcreate_x509_csrr!rrcrr$r$r%signs z%CertificateSigningRequestBuilder.signr)r'r(r)rXrrrrrTuplerrNrOr rrRrrrrrrAnyrrr$r$r$r%rQsR     $ rc@s:eZdZUejeeed<ddddddgfdeje deje deje deje deje j deje j d ejeed dfd d Z d e d dfddZd e d dfddZde d dfddZde d dfddZde j d dfddZde j d dfddZdeded dfdd Z d&d!ed"ejejd#ejd efd$d%ZdS)'CertificateBuilderrN issuer_namerrlrirmrnr.rcCs6tj|_||_||_||_||_||_||_||_ dSr) r]r_Z_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r!rrrlrirmrnr.r$r$r%r s  zCertificateBuilder.__init__rcCsDt|ts td|jdurtdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rHrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.issuer_namecCsDt|ts td|jdurtdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rHrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.subject_namekeyc Cs`t|tjtjtjtjt j t j t jfstd|jdur tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rHrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr ZEd25519PublicKeyrZEd448PublicKeyr ZX25519PublicKeyr Z X448PublicKeyrrr/rrrrrrr)r!rr$r$r%rls2  zCertificateBuilder.public_keynumbercCsht|ts td|jdurtd|dkrtd|dkr$tdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rHrOrrr/ bit_lengthrrrrrrrr!rr$r$r%ri s&   z CertificateBuilder.serial_numberr5cCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rHr7rrr/r:_EARLIEST_UTC_TIMErrrrrrrr!r5r$r$r%rm's,  z#CertificateBuilder.not_valid_beforecCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.zrrrr$r$r%r "rAz"RevokedCertificateBuilder.__init__rrcCsXt|ts td|jdurtd|dkrtd|dkr$tdt||j|jS)Nrrrz$The serial number should be positiverr) rHrOrrr/rrrrrr$r$r%ri,s    z'RevokedCertificateBuilder.serial_numberr5cCsNt|tjs td|jdurtdt|}|tkrtdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rHr7rrr/r:rrrrrr$r$r%r>s   z)RevokedCertificateBuilder.revocation_daterrcCsDt|ts tdt|j||}t||jt|j|j |j|gS)Nr) rHrrrrr1rrrrrr$r$r%rNs   z'RevokedCertificateBuilder.add_extensionrcCs:|jdur td|jdurtdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr/rrrr)r!rr$r$r%build\s  zRevokedCertificateBuilder.buildr)r'r(r)rXrrOr7rrrr rirrRrrrrr$r$r$r%r!s2      rcCsttddd?S)NZbigr)rO from_bytesosurandomr$r$r$r%random_serial_numberjsrr)Frr7rrXZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrrr r r r Z/cryptography.hazmat.primitives.asymmetric.typesr rrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrr Exceptionrrr1rrNrrOr4r:r;rSEnumr]r`ABCMetarbregisterrrrrrrrrrrrrrrrrrr$r$r$r%s  $       $ y  | ]      \nI