o c @sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$deedej%eeddfddZ&de!dej%ej'e!e(ej)e*fddfddZ+dejdejfddZ,GdddZ-GdddZ.Gdddej/Z0Gd d!d!e#Z1Gd"d#d#ej2d$Z3e34ej3Gd%d&d&ej2d$Z5e54ej5Gd'd(d(e5Z6Gd)d*d*ej2d$Z7e74ej7Gd+d,d,ej2d$Z8e84ej8 dEd-e(d.ej9de3fd/d0Z: dEd-e(d.ej9de3fd1d2Z; dEd-e(d.ej9de8fd3d4Z< dEd-e(d.ej9de8fd5d6Z= dEd-e(d.ej9de7fd7d8Z> dEd-e(d.ej9de7fd9d:Z?Gd;d<d<Z@Gd=d>d>ZAGd?d@d@ZBGdAdBdBZCde*fdCdDZDdS)FN)utils)x509)hashes serialization)dsaeced25519ed448rsax25519x448)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension ExtensionType Extensions_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric*eZdZdededdffdd ZZS)AttributeNotFoundmsgoidreturnNctt||||_dSN)superr__init__r)selfrr __class__:usr/lib/python3.10/site-packages/cryptography/x509/base.pyr * zAttributeNotFound.__init__)__name__ __module__ __qualname__strrr __classcell__r$r$r"r%r)"r extension extensionsrcCs"|D] }|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r-r.er$r$r%_reject_duplicate_extension/s  r1r attributescCs$|D] \}}}||krtdqdS)Nz$This attribute has already been set.)r/)rr2Zattr_oid_r$r$r%_reject_duplicate_attribute9s r4timecCs6|jdur|}|r |nt}|jdd|S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r6 utcoffsetdatetime timedeltareplace)r5offsetr$r$r%_convert_to_naive_utc_timeEs r<c @seZdZejjfdedededdfddZ e defdd Z e defd d Zde fd d Z dedefddZdefddZdS) Attributervalue_typerNcC||_||_||_dSr)_oid_valuer?)r!rr>r?r$r$r%r T zAttribute.__init__cC|jSr)rAr!r$r$r%r^z Attribute.oidcCrDr)rBrEr$r$r%r>brFzAttribute.valuecCsd|j|jS)Nz)formatrr>rEr$r$r%__repr__fszAttribute.__repr__othercCs2t|tstS|j|jko|j|jko|j|jkSr) isinstancer=NotImplementedrr>r?r!rIr$r$r%__eq__is    zAttribute.__eq__cCst|j|j|jfSr)hashrr>r?rEr$r$r%__hash__sszAttribute.__hash__)r'r(r)rZ UTF8Stringr>rbytesintr propertyrr*rHobjectboolrMrOr$r$r$r%r=Ss$   r=c@sReZdZdejeddfddZed\ZZ Z de fddZ d e defd d ZdS) Attributesr2rNcCst||_dSr)list _attributes)r!r2r$r$r%r xszAttributes.__init__rWcCs d|jS)Nz)rGrWrEr$r$r%rHs zAttributes.__repr__rcCs,|D] }|j|kr |Sqtd||)NzNo {} attribute was found)rrrG)r!rattrr$r$r%get_attribute_for_oids  z Attributes.get_attribute_for_oid)r'r(r)typingIterabler=r r__len____iter__ __getitem__r*rHrrYr$r$r$r%rUws rUc@seZdZdZdZdS)VersionrN)r'r(r)v1v3r$r$r$r%r_sr_cr)InvalidVersionrparsed_versionrNcrr)rrcr rd)r!rrdr"r$r%r r&zInvalidVersion.__init__)r'r(r)r*rQr r+r$r$r"r%rcr,rcc@s|eZdZejdejdefddZej de fddZ ej de fddZ ejdefd d Zej dejfd d Zej dejfd dZej defddZej defddZej dejejfddZej defddZej defddZej defddZej defddZej defddZejde de!fd d!Z"ejde fd"d#Z#ejd$e$j%defd%d&Z&d'S)( Certificate algorithmrcCdSz4 Returns bytes using digest passed. Nr$r!rfr$r$r% fingerprintzCertificate.fingerprintcCrg)z3 Returns certificate serial number Nr$rEr$r$r% serial_numberrkzCertificate.serial_numbercCrg)z1 Returns the certificate version Nr$rEr$r$r%versionrkzCertificate.versioncCrgz( Returns the public key Nr$rEr$r$r% public_keyrkzCertificate.public_keycCrg)z? Not before time (represented as UTC datetime) Nr$rEr$r$r%not_valid_beforerkzCertificate.not_valid_beforecCrg)z> Not after time (represented as UTC datetime) Nr$rEr$r$r%not_valid_afterrkzCertificate.not_valid_aftercCrg)z1 Returns the issuer name object. Nr$rEr$r$r%issuerrkzCertificate.issuercCrgz2 Returns the subject name object. Nr$rEr$r$r%subjectrkzCertificate.subjectcCrgzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr$rEr$r$r%signature_hash_algorithmrkz$Certificate.signature_hash_algorithmcCrgzJ Returns the ObjectIdentifier of the signature algorithm. Nr$rEr$r$r%signature_algorithm_oidrkz#Certificate.signature_algorithm_oidcCrg)z/ Returns an Extensions object. Nr$rEr$r$r%r.rkzCertificate.extensionscCrgz. Returns the signature bytes. Nr$rEr$r$r% signaturerkzCertificate.signaturecCrg)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr$rEr$r$r%tbs_certificate_bytesrkz!Certificate.tbs_certificate_bytescCrg)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr$rEr$r$r%tbs_precertificate_bytesrkz$Certificate.tbs_precertificate_bytesrIcCrgz" Checks equality. Nr$rLr$r$r%rMrkzCertificate.__eq__cCrgz" Computes a hash. Nr$rEr$r$r%rOrkzCertificate.__hash__encodingcCrg)zB Serializes the certificate to PEM or DER format. Nr$r!rr$r$r% public_bytesrkzCertificate.public_bytesN)'r'r(r)abcabstractmethodr HashAlgorithmrPrjabstractpropertyrQrlr_rmrror8rprqrrrrtrZOptionalrvrrxrr.rzr{r|rSrTrMrOrEncodingrr$r$r$r%resJ  re) metaclassc@sJeZdZejdefddZejdejfddZejde fddZ dS) RevokedCertificatercCrg)zG Returns the serial number of the revoked certificate. Nr$rEr$r$r%rlrkz RevokedCertificate.serial_numbercCrg)zH Returns the date of when this certificate was revoked. Nr$rEr$r$r%revocation_date rkz"RevokedCertificate.revocation_datecCrg)zW Returns an Extensions object containing a list of Revoked extensions. Nr$rEr$r$r%r.rkzRevokedCertificate.extensionsN) r'r(r)rrrQrlr8rrr.r$r$r$r%rsrc@s\eZdZdedejdefddZedefddZedejfd d Z edefd d Z d S)_RawRevokedCertificaterlrr.cCr@r_serial_number_revocation_date _extensionsr!rlrr.r$r$r%r rCz_RawRevokedCertificate.__init__rcCrDr)rrEr$r$r%rl)rFz$_RawRevokedCertificate.serial_numbercCrDr)rrEr$r$r%r-rFz&_RawRevokedCertificate.revocation_datecCrDr)rrEr$r$r%r.1rFz!_RawRevokedCertificate.extensionsN) r'r(r)rQr8rr rRrlrr.r$r$r$r%rs  rc@seZdZejdejdefddZejde j defddZ ejde de jefd d Zejde je j fd d Zejdefd dZejdefddZejde jejfddZejdejfddZejdefddZejdefddZejdefddZejdedefddZ ejde fddZ!e j"d e defd!d"Z#e j"d e$de j%efd#d"Z#ejd e j&e e$fde j&ee j%effd$d"Z#ejde j'efd%d&Z(ejd'e)defd(d)Z*d*S)+CertificateRevocationListrrcCrg)z: Serializes the CRL to PEM or DER format. Nr$rr$r$r%r7rkz&CertificateRevocationList.public_bytesrfcCrgrhr$rir$r$r%rj=rkz%CertificateRevocationList.fingerprintrlcCrg)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr$)r!rlr$r$r%(get_revoked_certificate_by_serial_numberCrkzBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCrgrur$rEr$r$r%rvLrkz2CertificateRevocationList.signature_hash_algorithmcCrgrwr$rEr$r$r%rxUrkz1CertificateRevocationList.signature_algorithm_oidcCrg)zC Returns the X509Name with the issuer of this CRL. Nr$rEr$r$r%rr[rkz CertificateRevocationList.issuercCrg)z? Returns the date of next update for this CRL. Nr$rEr$r$r% next_updatearkz%CertificateRevocationList.next_updatecCrg)z? Returns the date of last update for this CRL. Nr$rEr$r$r% last_updategrkz%CertificateRevocationList.last_updatecCrg)zS Returns an Extensions object containing a list of CRL extensions. Nr$rEr$r$r%r.mrkz$CertificateRevocationList.extensionscCrgryr$rEr$r$r%rzsrkz#CertificateRevocationList.signaturecCrg)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr$rEr$r$r%tbs_certlist_bytesyrkz,CertificateRevocationList.tbs_certlist_bytesrIcCrgr}r$rLr$r$r%rMrkz CertificateRevocationList.__eq__cCrg)z< Number of revoked certificates in the CRL. Nr$rEr$r$r%r\rkz!CertificateRevocationList.__len__idxcCdSrr$r!rr$r$r%r^z%CertificateRevocationList.__getitem__cCrrr$rr$r$r%r^rcCrg)zS Returns a revoked certificate (or slice of revoked certificates). Nr$rr$r$r%r^rkcCrg)z8 Iterator over the revoked certificates Nr$rEr$r$r%r]rkz"CertificateRevocationList.__iter__rocCrg)zQ Verifies signature of revocation list against given public key. Nr$)r!ror$r$r%is_signature_validrkz,CertificateRevocationList.is_signature_validN)+r'r(r)rrrrrPrrrrjrQrZrrrrrvrrxrrrr8rrrr.rzrrSrTrMr\overloadr^sliceListUnionIteratorr]r rr$r$r$r%r6sf     rc@s&eZdZejdedefddZejdefddZ ejde fddZ ej de fd d Zej dejejfd d Zej defd dZej defddZej defddZejdejdefddZej defddZej defddZej defddZ ejdedefddZ!dS) CertificateSigningRequestrIrcCrgr}r$rLr$r$r%rMrkz CertificateSigningRequest.__eq__cCrgr~r$rEr$r$r%rOrkz"CertificateSigningRequest.__hash__cCrgrnr$rEr$r$r%rorkz$CertificateSigningRequest.public_keycCrgrsr$rEr$r$r%rtrkz!CertificateSigningRequest.subjectcCrgrur$rEr$r$r%rvrkz2CertificateSigningRequest.signature_hash_algorithmcCrgrwr$rEr$r$r%rxrkz1CertificateSigningRequest.signature_algorithm_oidcCrg)z@ Returns the extensions in the signing request. Nr$rEr$r$r%r.rkz$CertificateSigningRequest.extensionscCrg)z/ Returns an Attributes object. Nr$rEr$r$r%r2rkz$CertificateSigningRequest.attributesrcCrg)z; Encodes the request to PEM or DER format. Nr$rr$r$r%rrkz&CertificateSigningRequest.public_bytescCrgryr$rEr$r$r%rzrkz#CertificateSigningRequest.signaturecCrg)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr$rEr$r$r%tbs_certrequest_bytesrkz/CertificateSigningRequest.tbs_certrequest_bytescCrg)z8 Verifies signature of signing request. Nr$rEr$r$r%rrkz,CertificateSigningRequest.is_signature_validrcCrg)z: Get the attribute value for a given OID. Nr$)r!rr$r$r%rYrkz/CertificateSigningRequest.get_attribute_for_oidN)"r'r(r)rrrSrTrMrQrOrrorrrtrZrrrrvrrxrr.rUr2rrrPrrzrrrYr$r$r$r%rs:  rdatabackendcC t|Sr) rust_x509load_pem_x509_certificaterrr$r$r%r rcCrr)rload_der_x509_certificaterr$r$r%r rrcCrr)rload_pem_x509_csrrr$r$r%rrrcCrr)rload_der_x509_csrrr$r$r%rrrcCrr)rload_pem_x509_crlrr$r$r%r"rrcCrr)rload_der_x509_crlrr$r$r%r)rrc @seZdZdggfdejedejeedejej e e eje ffddZ deddfd d Zd ed eddfd dZddde de dejeddfddZ ddedejejdejdefddZdS) CertificateSigningRequestBuilderN subject_namer.r2cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrW)r!rr.r2r$r$r%r 0s  z)CertificateSigningRequestBuilder.__init__namercCs4t|ts td|jdurtdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rJr TypeErrorrr/rrrWr!rr$r$r%r?s   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalcCsDt|ts tdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rJrrrrr1rrrrWr!rrr-r$r$r% add_extensionKs   z.CertificateSigningRequestBuilder.add_extension)_tagrr>rcCs|t|ts tdt|tstd|durt|tstdt||j|dur-|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rJrrrPrr4rWr>rrr)r!rr>rtagr$r$r% add_attribute]s   z.CertificateSigningRequestBuilder.add_attribute private_keyrfrcCs |jdur tdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr/rZcreate_x509_csrr!rrfrr$r$r%sign}s z%CertificateSigningRequestBuilder.signr)r'r(r)rZrrrrrTuplerrPrQr rrTrrrrrrAnyrrr$r$r$r%r/sR     $ rc@s:eZdZUejeeed<ddddddgfdeje deje deje deje deje j deje j d ejeed dfd d Z d e d dfddZd e d dfddZde d dfddZde d dfddZde j d dfddZde j d dfddZdeded dfdd Z d&d!ed"ejejd#ejd efd$d%ZdS)'CertificateBuilderrN issuer_namerrorlrprqr.rcCs6tj|_||_||_||_||_||_||_||_ dSr) r_rb_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r!rrrorlrprqr.r$r$r%r s  zCertificateBuilder.__init__rcCsDt|ts td|jdurtdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rJrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.issuer_namecCsDt|ts td|jdurtdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rJrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.subject_namekeyc Cs`t|tjtjtjtjt j t j t jfstd|jdur tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rJrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyrZEd25519PublicKeyr ZEd448PublicKeyr ZX25519PublicKeyr Z X448PublicKeyrrr/rrrrrrr)r!rr$r$r%ros2  zCertificateBuilder.public_keynumbercCsht|ts td|jdurtd|dkrtd|dkr$tdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rJrQrrr/ bit_lengthrrrrrrrr!rr$r$r%rls&   z CertificateBuilder.serial_numberr5cCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rJr8rrr/r<_EARLIEST_UTC_TIMErrrrrrrr!r5r$r$r%rps,  z#CertificateBuilder.not_valid_beforecCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.zs  $       $ m  t U      \nI