o c3A@s\ddlZddlZddlZddlmZddlmZddlmZddlm Z m Z ddl m Z ddl mZmZmZGdd d ejZGd d d ejZe je je je je jfZd e jd dfddZGdddejZGdddZGdddejdZGdddejdZ GdddejdZ!GdddZ"GdddZ#de$d efd d!Z%de$d e!fd"d#Z&dS)$N)utils)x509)ocsp)hashes serialization)CERTIFICATE_PRIVATE_KEY_TYPES)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionc@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr:usr/lib/python3.10/site-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrrsr algorithmreturncCst|ts tddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)rrrr_verify_algorithm/s rc@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rZGOODREVOKEDUNKNOWNrrrrr6src@sVeZdZdejdejdejdedejde j ejde j ejde j ej fd d Z d S) _SingleResponsecertissuerr cert_status this_update next_updaterevocation_timerevocation_reasonc Cst|tjr t|tjstdt|t|tjstd|dur,t|tjs,td||_||_||_||_ ||_ t|t sDtd|t j urZ|durQt d|durYt dn$t|tjsdtdt|}|tkrpt d|dur~t|tjs~td ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)rr Certificate TypeErrorrdatetimeZ_certZ_issuerZ _algorithmZ _this_updateZ _next_updaterr rr r ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) selfr#r$rr%r&r'r(r)rrr__init__=s\        z_SingleResponse.__init__N) r r rrr+r HashAlgorithmrr-typingOptionalr.r0rrrrr"<s$   r"c@seZdZejdefddZejdefddZejdej fddZ ejde fdd Z ej d ejdefd d Zejdejfd dZdS) OCSPRequestrcCdSz3 The hash of the issuer public key Nrr/rrrissuer_key_hashzOCSPRequest.issuer_key_hashcCr5z- The hash of the issuer name Nrr7rrrissuer_name_hashr9zOCSPRequest.issuer_name_hashcCr5zK The hash algorithm used in the issuer name and key hashes Nrr7rrrhash_algorithmr9zOCSPRequest.hash_algorithmcCr5zM The serial number of the cert whose status is being checked Nrr7rrr serial_numberr9zOCSPRequest.serial_numberencodingcCr5)z/ Serializes the request to DER Nrr/r@rrr public_bytesr9zOCSPRequest.public_bytescCr5)zP The list of request extensions. Not single request extensions. Nrr7rrr extensionsr9zOCSPRequest.extensionsN)r r rabcabstractpropertybytesr8r;rr1r=intr?abstractmethodrEncodingrBr ExtensionsrCrrrrr4sr4) metaclassc@seZdZejdefddZejdeje j fddZ ejdeje j fddZ ejde j fdd Zejdeje j fd d Zejdefd d ZejdefddZejdejfddZejdefddZdS)OCSPSingleResponsercCr5zY The status of the certificate (an element from the OCSPCertStatus enum) Nrr7rrrcertificate_statusr9z%OCSPSingleResponse.certificate_statuscCr5z^ The date of when the certificate was revoked or None if not revoked. Nrr7rrrr(r9z"OCSPSingleResponse.revocation_timecCr5zi The reason the certificate was revoked or None if not specified or not revoked. Nrr7rrrr)r9z$OCSPSingleResponse.revocation_reasoncCr5z The most recent time at which the status being indicated is known by the responder to have been correct Nrr7rrrr&r9zOCSPSingleResponse.this_updatecCr5zC The time when newer information will be available Nrr7rrrr'r9zOCSPSingleResponse.next_updatecCr5r6rr7rrrr8r9z"OCSPSingleResponse.issuer_key_hashcCr5r:rr7rrrr;r9z#OCSPSingleResponse.issuer_name_hashcCr5r<rr7rrrr=r9z!OCSPSingleResponse.hash_algorithmcCr5r>rr7rrrr?r9z OCSPSingleResponse.serial_numberN)r r rrDrErrNr2r3r-r(rr.r)r&r'rFr8r;rr1r=rGr?rrrrrLs&rLc@seZdZejdejefddZejde fddZ ejde j fddZ ejdejejfdd Zejdefd d Zejdefd d Zejdeje jfddZejdejefddZejdeje jfddZejdejfddZejdefddZejdejejfddZejdeje j fddZ!ejdejfddZ"ejdejejfddZ#ejdefd d!Z$ejdefd"d#Z%ejdejfd$d%Z&ejde'fd&d'Z(ejde j)fd(d)Z*ejde j)fd*d+Z+ej,d,e-j.defd-d.Z/d/S)0 OCSPResponsercCr5)z_ An iterator over the individual SINGLERESP structures in the response Nrr7rrr responsesr9zOCSPResponse.responsescCr5)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr7rrrresponse_statusr9zOCSPResponse.response_statuscCr5)zA The ObjectIdentifier of the signature algorithm Nrr7rrrsignature_algorithm_oidr9z$OCSPResponse.signature_algorithm_oidcCr5)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr7rrrsignature_hash_algorithmr9z%OCSPResponse.signature_hash_algorithmcCr5)z% The signature bytes Nrr7rrr signaturer9zOCSPResponse.signaturecCr5)z+ The tbsResponseData bytes Nrr7rrrtbs_response_bytesr9zOCSPResponse.tbs_response_bytescCr5)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr7rrr certificates r9zOCSPResponse.certificatescCr5)z2 The responder's key hash or None Nrr7rrrresponder_key_hashr9zOCSPResponse.responder_key_hashcCr5)z. The responder's Name or None Nrr7rrrresponder_namer9zOCSPResponse.responder_namecCr5)z4 The time the response was produced Nrr7rrr produced_at r9zOCSPResponse.produced_atcCr5rMrr7rrrrN&r9zOCSPResponse.certificate_statuscCr5rOrr7rrrr(,r9zOCSPResponse.revocation_timecCr5rPrr7rrrr)3r9zOCSPResponse.revocation_reasoncCr5rQrr7rrrr&:r9zOCSPResponse.this_updatecCr5rRrr7rrrr'Ar9zOCSPResponse.next_updatecCr5r6rr7rrrr8Gr9zOCSPResponse.issuer_key_hashcCr5r:rr7rrrr;Mr9zOCSPResponse.issuer_name_hashcCr5r<rr7rrrr=Sr9zOCSPResponse.hash_algorithmcCr5r>rr7rrrr?Yr9zOCSPResponse.serial_numbercCr5)zR The list of response extensions. Not single response extensions. Nrr7rrrrC_r9zOCSPResponse.extensionscCr5)zR The list of single response extensions. Not response extensions. Nrr7rrrsingle_extensionser9zOCSPResponse.single_extensionsr@cCr5)z0 Serializes the response to DER NrrArrrrBkr9zOCSPResponse.public_bytesN)0r r rrDrEr2IteratorrLrTrrUrZObjectIdentifierrVr3rr1rWrFrXrYListr+rZr[Namer\r-r]rrNr(r.r)r&r'r8r;r=rGr?rJrCr^rHrrIrBrrrrrSs^  rSc@seZdZdgfdejejejejej fdej ej ej ddfddZ dejdejd ej ddfd d Zd ej d eddfddZdefddZdS)OCSPRequestBuilderNrequestrCrcCs||_||_dSN)_request _extensions)r/rcrCrrrr0ss zOCSPRequestBuilder.__init__r#r$rcCsL|jdur tdt|t|tjrt|tjstdt|||f|jS)Nz.Only one certificate can be added to a requestr*) rerrrrr+r,rbrf)r/r#r$rrrradd_certificates z"OCSPRequestBuilder.add_certificateextvalcriticalcCsDt|tjs tdt|j||}t||jt|j |j|gSNz"extension must be an ExtensionType) rr ExtensionTyper, Extensionoidr rfrbrer/rhri extensionrrr add_extensions  z OCSPRequestBuilder.add_extensioncCs|jdur tdt|S)Nz*You must add a certificate before building)rerrZcreate_ocsp_requestr7rrrbuilds  zOCSPRequestBuilder.build)r r rr2r3Tuplerr+rr1r`rlrkr0rgboolrpr4rqrrrrrbrs>     rbc@s0eZdZdddgfdejedejejeje fdejej ejdej ej ej fddZ dejd ejd ejd ed ejd ejejdejejdejejddfddZde dejddfddZdejejddfddZdej deddfddZded ejejdefddZed edefd!d"ZdS)#OCSPResponseBuilderNresponse responder_idcertsrCcCs||_||_||_||_dSrd) _response _responder_id_certsrf)r/rurvrwrCrrrr0s  zOCSPResponseBuilder.__init__r#r$rr%r&r'r(r)rc Cs<|jdur tdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rxrr"rtryrzrf) r/r#r$rr%r&r'r(r)Z singleresprrr add_responses$  z OCSPResponseBuilder.add_responser@responder_certcCsP|jdur tdt|tjstdt|tstdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) ryrrrr+r,r rtrxrzrf)r/r@r|rrrrvs   z OCSPResponseBuilder.responder_idcCs\|jdur tdt|}t|dkrtdtdd|Ds$tdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|] }t|tjVqdSrd)rrr+).0xrrr sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rzrlistlenallr,rtrxryrf)r/rwrrrrZs  z OCSPResponseBuilder.certificatesrhricCsLt|tjs tdt|j||}t||jt|j |j |j |j|gSrj) rrrkr,rlrmr rfrtrxryrzrnrrrrps   z!OCSPResponseBuilder.add_extension private_keycCs6|jdur td|jdurtdttj|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rxrryrcreate_ocsp_responserr)r/rrrrrsigns   zOCSPResponseBuilder.signrUcCs4t|ts td|tjurtdt|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rrr,rrrr)clsrUrrrbuild_unsuccessfuls  z&OCSPResponseBuilder.build_unsuccessful)r r rr2r3r"rrrr+r r`rlrkr0rr1rr-r.r{rvIterablerZrsrprrSr classmethodrrrrrrrts           rtdatacC t|Srd)rload_der_ocsp_requestrrrrr" rcCrrd)rload_der_ocsp_responserrrrr&rr)'rDr-r2 cryptographyrrZ"cryptography.hazmat.bindings._rustrZcryptography.hazmat.primitivesrrZ/cryptography.hazmat.primitives.asymmetric.typesrZcryptography.x509.baserr r Enumr rZSHA1ZSHA224ZSHA256ZSHA384ZSHA512rr1rrr"ABCMetar4rLrSrbrtrFrrrrrrs8      F&;2~