U ΂d] @sddlmZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z ddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZmZdd l m!Z!m"Z"dd l#m$Z$ed d d Z%ej&e j'e j(e j)e j*e j+e j,e j-e j.fZ/Gd dde0Z1ddddddZ2ddddddZ3dddddZ4GdddZ5Gd d!d!Z6Gd"d#d#ej7Z8Gd$d%d%e0Z9Gd&d'd'ej:d(Z;e;Gd-d.d.ej:d(Z?e?d?ZEdTd1d2d.d3d@dAZFdUd1d2d.d3dBdCZGGdDdEdEZHGdFdGdGZIGdHdIdIZJGdJdKdKZKdLdMdNdOZLdS)V) annotationsN)utils)x509)hashes serialization)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificateIssuerPublicKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZddddfdd ZZS)AttributeNotFoundstrrNone)msgoidreturncst|||_dSN)super__init__r)selfrr __class__S/var/www/html/myproject/myenv/lib/python3.8/site-packages/cryptography/x509/base.pyr"8s zAttributeNotFound.__init____name__ __module__ __qualname__r" __classcell__r&r&r$r'r7srzExtension[ExtensionType]%typing.List[Extension[ExtensionType]]r) extension extensionsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r.r/er&r&r'_reject_duplicate_extension=s r2rHtyping.List[typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]]])r attributesrcCs$|D]\}}}||krtdqdS)Nz$This attribute has already been set.)r0)rr4Zattr_oid_r&r&r'_reject_duplicate_attributeGsr6datetime.datetimetimercCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r: utcoffsetdatetime timedeltareplace)r9offsetr&r&r'_convert_to_naive_utc_timeSs  r@c@sxeZdZejjfdddddddZeddd d Zeddd d Zd dddZ dddddZ ddddZ dS) Attributerbytesintr)rvalue_typercCs||_||_||_dSr )_oid_valuerE)r#rrDrEr&r&r'r"bszAttribute.__init__rcCs|jSr )rFr#r&r&r'rlsz Attribute.oidcCs|jSr )rGrIr&r&r'rDpszAttribute.valuercCsd|jd|jdS)Nz)rrDrIr&r&r'__repr__tszAttribute.__repr__objectboolotherrcCs2t|tstS|j|jko0|j|jko0|j|jkSr ) isinstancerANotImplementedrrDrEr#rOr&r&r'__eq__ws    zAttribute.__eq__cCst|j|j|jfSr )hashrrDrErIr&r&r'__hash__szAttribute.__hash__N) r)r*r+rZ UTF8StringrDr"propertyrrKrSrUr&r&r&r'rAas  rAc@sHeZdZdddddZed\ZZZddd d Zd d d ddZ dS) Attributesztyping.Iterable[Attribute]r)r4rcCst||_dSr )list _attributes)r#r4r&r&r'r"szAttributes.__init__rYrrHcCsd|jdS)Nz Not after time (represented as UTC datetime) Nr&rIr&r&r'not_valid_afterszCertificate.not_valid_afterrcCsdS)z1 Returns the issuer name object. Nr&rIr&r&r'issuerszCertificate.issuercCsdSz2 Returns the subject name object. Nr&rIr&r&r'subjectszCertificate.subject%typing.Optional[hashes.HashAlgorithm]cCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr&rIr&r&r'signature_hash_algorithmsz$Certificate.signature_hash_algorithmrcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr&rIr&r&r'signature_algorithm_oidsz#Certificate.signature_algorithm_oidz;typing.Union[None, padding.PSS, padding.PKCS1v15, ec.ECDSA]cCsdS)z= Returns the signature algorithm parameters. Nr&rIr&r&r'signature_algorithm_parameterssz*Certificate.signature_algorithm_parametersrcCsdS)z/ Returns an Extensions object. Nr&rIr&r&r'r/szCertificate.extensionscCsdSz. Returns the signature bytes. Nr&rIr&r&r' signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr&rIr&r&r'tbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr&rIr&r&r'tbs_precertificate_bytes sz$Certificate.tbs_precertificate_bytesrLrMrNcCsdSz" Checks equality. Nr&rRr&r&r'rSszCertificate.__eq__cCsdSz" Computes a hash. Nr&rIr&r&r'rUszCertificate.__hash__serialization.EncodingencodingrcCsdS)zB Serializes the certificate to PEM or DER format. Nr&r#rr&r&r' public_bytesszCertificate.public_bytesr)rrrcCsdS)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nr&)r#rrr&r&r'verify_directly_issued_by$sz%Certificate.verify_directly_issued_byN)r)r*r+abcabstractmethodrkrVrlrmrorprqrrrtrwryrzr/r|r}r~rSrUrrr&r&r&r'resfre) metaclassc@sTeZdZeejddddZeejddddZeejddd d Zd S) RevokedCertificaterCrHcCsdS)zG Returns the serial number of the revoked certificate. Nr&rIr&r&r'rl2sz RevokedCertificate.serial_numberr7cCsdS)zH Returns the date of when this certificate was revoked. Nr&rIr&r&r'revocation_date9sz"RevokedCertificate.revocation_datercCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr&rIr&r&r'r/@szRevokedCertificate.extensionsN) r)r*r+rVrrrlrr/r&r&r&r'r1src@sTeZdZddddddZedddd Zeddd d Zeddd d ZdS)_RawRevokedCertificaterCr7rrlrr/cCs||_||_||_dSr _serial_number_revocation_date _extensionsr#rlrr/r&r&r'r"Msz_RawRevokedCertificate.__init__rHcCs|jSr )rrIr&r&r'rlWsz$_RawRevokedCertificate.serial_numbercCs|jSr )rrIr&r&r'r[sz&_RawRevokedCertificate.revocation_datecCs|jSr )rrIr&r&r'r/_sz!_RawRevokedCertificate.extensionsN)r)r*r+r"rVrlrr/r&r&r&r'rLs rc@seZdZejdddddZejddddd Zejd d d d dZeejddddZ eejddddZ eejddddZ eejddddZ eejddddZ eejddd d!Zeejddd"d#Zeejddd$d%Zejd&d'd(d)d*Zejd dd+d,Zejd d-d.d/d0Zejd1d2d.d3d0Zejd4d5d.d6d0Zejd7dd8d9Zejd:d'd;dS)?CertificateRevocationListrrBrcCsdS)z: Serializes the CRL to PEM or DER format. Nr&rr&r&r'resz&CertificateRevocationList.public_bytesrfrgcCsdSrir&rjr&r&r'rkksz%CertificateRevocationList.fingerprintrCz#typing.Optional[RevokedCertificate])rlrcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr&)r#rlr&r&r'(get_revoked_certificate_by_serial_numberqszBCertificateRevocationList.get_revoked_certificate_by_serial_numberrurHcCsdSrvr&rIr&r&r'rwzsz2CertificateRevocationList.signature_hash_algorithmrcCsdSrxr&rIr&r&r'rysz1CertificateRevocationList.signature_algorithm_oidrcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr&rIr&r&r'rrsz CertificateRevocationList.issuer"typing.Optional[datetime.datetime]cCsdS)z? Returns the date of next update for this CRL. Nr&rIr&r&r' next_updatesz%CertificateRevocationList.next_updater7cCsdS)z? Returns the date of last update for this CRL. Nr&rIr&r&r' last_updatesz%CertificateRevocationList.last_updatercCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr&rIr&r&r'r/sz$CertificateRevocationList.extensionscCsdSr{r&rIr&r&r'r|sz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr&rIr&r&r'tbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytesrLrMrNcCsdSrr&rRr&r&r'rSsz CertificateRevocationList.__eq__cCsdS)z< Number of revoked certificates in the CRL. Nr&rIr&r&r'r]sz!CertificateRevocationList.__len__r)idxrcCsdSr r&r#rr&r&r'r_sz%CertificateRevocationList.__getitem__slicetyping.List[RevokedCertificate]cCsdSr r&rr&r&r'r_sztyping.Union[int, slice]zAtyping.Union[RevokedCertificate, typing.List[RevokedCertificate]]cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr&rr&r&r'r_sz#typing.Iterator[RevokedCertificate]cCsdS)z8 Iterator over the revoked certificates Nr&rIr&r&r'r^sz"CertificateRevocationList.__iter__r)rorcCsdS)zQ Verifies signature of revocation list against given public key. Nr&)r#ror&r&r'is_signature_validsz,CertificateRevocationList.is_signature_validN)r)r*r+rrrrkrrVrwryrrrrr/r|rrSr]typingoverloadr_r^rr&r&r&r'rdsXrc@s6eZdZejdddddZejdddd Zejd dd d Zeejd dddZ eejddddZ eejddddZ eejddddZ eejddddZ ejddddd Zeejddd!d"Zeejddd#d$Zeejddd%d&Zejddd'd(d)Zd*S)+CertificateSigningRequestrLrMrNcCsdSrr&rRr&r&r'rSsz CertificateSigningRequest.__eq__rCrHcCsdSrr&rIr&r&r'rUsz"CertificateSigningRequest.__hash__rcCsdSrnr&rIr&r&r'rosz$CertificateSigningRequest.public_keyrcCsdSrsr&rIr&r&r'rtsz!CertificateSigningRequest.subjectrucCsdSrvr&rIr&r&r'rwsz2CertificateSigningRequest.signature_hash_algorithmrcCsdSrxr&rIr&r&r'rysz1CertificateSigningRequest.signature_algorithm_oidrcCsdS)z@ Returns the extensions in the signing request. Nr&rIr&r&r'r/sz$CertificateSigningRequest.extensionsrWcCsdS)z/ Returns an Attributes object. Nr&rIr&r&r'r4sz$CertificateSigningRequest.attributesrrBrcCsdS)z; Encodes the request to PEM or DER format. Nr&rr&r&r'rsz&CertificateSigningRequest.public_bytescCsdSr{r&rIr&r&r'r|"sz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr&rIr&r&r'tbs_certrequest_bytes)sz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr&rIr&r&r'r1sz,CertificateSigningRequest.is_signature_validrZcCsdS)z: Get the attribute value for a given OID. Nr&)r#rr&r&r'r\8sz/CertificateSigningRequest.get_attribute_for_oidN)r)r*r+rrrSrUrorVrtrwryr/r4rr|rrr\r&r&r&r'rsDrrB typing.Any)databackendrcCs t|Sr ) rust_x509load_pem_x509_certificaterrr&r&r'rDsrztyping.List[Certificate])rrcCs t|Sr )rload_pem_x509_certificates)rr&r&r'rJsrcCs t|Sr )rload_der_x509_certificaterr&r&r'rOsrcCs t|Sr )rload_pem_x509_csrrr&r&r'rVsrcCs t|Sr )rload_der_x509_csrrr&r&r'r]srcCs t|Sr )rload_pem_x509_crlrr&r&r'rdsrcCs t|Sr )rload_der_x509_crlrr&r&r'rksrc@sxeZdZdggfddddddZddd d d Zd d ddddZdddddddddZddddddddZdS) CertificateSigningRequestBuilderNtyping.Optional[Name]r-r3) subject_namer/r4cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrY)r#rr/r4r&r&r'r"rs z)CertificateSigningRequestBuilder.__init__rnamercCs4t|tstd|jdk r$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rPr TypeErrorrr0rrrYr#rr&r&r'rs  z-CertificateSigningRequestBuilder.subject_namerrMextvalcriticalrcCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rPrrrrr2rrrrYr#rrr.r&r&r' add_extensions   z.CertificateSigningRequestBuilder.add_extension)_tagrrBztyping.Optional[_ASN1Type])rrDrrcCs|t|tstdt|ts$td|dk r>t|ts>tdt||j|dk rZ|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rPrrrBrr6rYrDrrr)r#rrDrtagr&r&r' add_attributes   z.CertificateSigningRequestBuilder.add_attributer"typing.Optional[_AllowedHashTypes]rr private_keyrhrrcCs |jdkrtdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr0rZcreate_x509_csrr#rrhrr&r&r'signs z%CertificateSigningRequestBuilder.sign)N)r)r*r+r"rrrrr&r&r&r'rqs $rc @seZdZUded<ddddddgfddddddddd d d Zd dd ddZd dd ddZdddddZdddddZdddddZ dddddZ d d!dd"d#d$Z d.dd%d&d'd(d)d*d+d,d-Z dS)/CertificateBuilderr-rNrz*typing.Optional[CertificatePublicKeyTypes]typing.Optional[int]rr) issuer_namerrorlrprqr/rcCs6tj|_||_||_||_||_||_||_||_ dSr ) r`rb_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r#rrrorlrprqr/r&r&r'r"s zCertificateBuilder.__init__rrcCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rPrrrr0rrrrrrrrr&r&r'rs  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rPrrrr0rrrrrrrrr&r&r'rs  zCertificateBuilder.subject_namer)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdk r@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rPrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrZX25519PublicKeyr Z X448PublicKeyrrr0rrrrrrr)r#rr&r&r'ros2  zCertificateBuilder.public_keyrCnumberrcCsht|tstd|jdk r$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rPrCrrr0 bit_lengthrrrrrrrr#rr&r&r'rl,s&   z CertificateBuilder.serial_numberr7r8cCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rPr<rrr0r@_EARLIEST_UTC_TIMErrrrrrrr#r9r&r&r'rpGs,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdk rZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rPr<rrr0r@rrrrrr)r#rr&r&r'rs(  z,CertificateRevocationListBuilder.last_update)rrcCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rPr<rrr0r@rrrrrr)r#rr&r&r'rs(  z,CertificateRevocationListBuilder.next_updaterrMrcCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r) rPrrrrr2rrrrrrrr&r&r'rs   z.CertificateRevocationListBuilder.add_extensionr)revoked_certificatercCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rPrrrrrrrr)r#rr&r&r'add_revoked_certificate(s  z8CertificateRevocationListBuilder.add_revoked_certificaterrrrrcCsD|jdkrtd|jdkr$td|jdkr6tdt|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr0rrrZcreate_x509_crlrr&r&r'r9s   z%CertificateRevocationListBuilder.sign)N) r)r*r+rr"rrrrrrr&r&r&r'rs rc@sjeZdZddgfddddddZddd d d Zd dd ddZddddddZddddddZdS)RevokedCertificateBuilderNrrr-rcCs||_||_||_dSr rrr&r&r'r"Lsz"RevokedCertificateBuilder.__init__rCrcCsXt|tstd|jdk r$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rPrCrrr0rrrrrr&r&r'rlVs   z'RevokedCertificateBuilder.serial_numberr7r8cCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rPr<rrr0r@rrrrrr&r&r'rhs  z)RevokedCertificateBuilder.revocation_daterrMrcCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr) rPrrrrr2rrrrrr&r&r'rxs   z'RevokedCertificateBuilder.add_extensionrr)rrcCs:|jdkrtd|jdkr$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr0rrrr)r#rr&r&r'builds  zRevokedCertificateBuilder.build)N)r)r*r+r"rlrrrr&r&r&r'rKs rrCrHcCsttddd?S)Nbigr)rC from_bytesosurandomr&r&r&r'random_serial_numbersr)N)N)N)N)N)N)M __future__rrr<rrZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrr r r r r rZ/cryptography.hazmat.primitives.asymmetric.typesrrrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrrUnionSHA224SHA256SHA384SHA512ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512Z_AllowedHashTypes Exceptionrr2r6r@rArWEnumr`rcABCMetareregisterrrrrrrrrrrrrrrrrr&r&r&r's|   (     $  | ] \xI