U *}f)g@sddlmZmZmZddlZddlZddlZddlmZddl Z ddl m Z ddl m Z ddlmZmZmZmZmZddlmZmZddlmZdd lmZed d d ZGd d d eZddZddZddZ GdddeZ!d6ddZ"d7ddZ#d8ddZ$d9ddZ%d:ddZ&d;d d!Z'Gd"d#d#eZ(e )ej*Gd$d%d%e+Z,e )ej*Gd&d'd'e+Z-e )ej*Gd(d)d)e+Z.e )ej*Gd*d+d+e+Z/Gd,d-d-e+Z0Gd.d/d/e+Z1Gd0d1d1e+Z2Gd2d3d3e+Z3d4d5Z4dS)<)absolute_importdivisionprint_functionN)Enum)utils) _get_backend)dsaeced25519ed448rsa) Extension ExtensionType)Name)ObjectIdentifiericseZdZfddZZS)AttributeNotFoundcstt||||_dSN)superr__init__oid)selfmsgr __class__:/tmp/pip-unpacked-wheel-x36vw73o/cryptography/x509/base.pyr szAttributeNotFound.__init____name__ __module__ __qualname__r __classcell__rrrrrsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError) extension extensionserrr_reject_duplicate_extension%s r&cCs"|D]\}}||krtdqdS)Nz$This attribute has already been set.)r")r attributesZattr_oid_rrr_reject_duplicate_attribute,s r)cCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r* utcoffsetdatetime timedeltareplace)timeoffsetrrr_convert_to_naive_utc_time3s  r1c@seZdZdZdZdS)VersionrN)rrr Zv1v3rrrrr2Asr2cCst|}||Sr)rload_pem_x509_certificatedatabackendrrrr5Fsr5cCst|}||Sr)rload_der_x509_certificater6rrrr9Ksr9cCst|}||Sr)rload_pem_x509_csrr6rrrr:Psr:cCst|}||Sr)rload_der_x509_csrr6rrrr;Usr;cCst|}||Sr)rload_pem_x509_crlr6rrrr<Zsr<cCst|}||Sr)rload_der_x509_crlr6rrrr=_sr=cseZdZfddZZS)InvalidVersioncstt||||_dSr)rr>rparsed_version)rrr?rrrreszInvalidVersion.__init__rrrrrr>dsr>c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$ CertificatecCsdSz4 Returns bytes using digest passed. Nrr algorithmrrr fingerprintlszCertificate.fingerprintcCsdS)z3 Returns certificate serial number Nrrrrr serial_numberrszCertificate.serial_numbercCsdS)z1 Returns the certificate version NrrErrrversionxszCertificate.versioncCsdSz( Returns the public key NrrErrr public_key~szCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) NrrErrrnot_valid_beforeszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) NrrErrrnot_valid_afterszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. NrrErrrissuerszCertificate.issuercCsdSz2 Returns the subject name object. NrrErrrsubjectszCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrrErrrsignature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. NrrErrrsignature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. NrrErrrr$szCertificate.extensionscCsdSz. Returns the signature bytes. NrrErrr signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrrErrrtbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdSz" Checks equality. Nrrotherrrr__eq__szCertificate.__eq__cCsdSz# Checks not equal. NrrWrrr__ne__szCertificate.__ne__cCsdSz" Computes a hash. NrrErrr__hash__szCertificate.__hash__cCsdS)zB Serializes the certificate to PEM or DER format. Nrrencodingrrr public_bytesszCertificate.public_bytesN)rrr abcabstractmethodrDabstractpropertyrFrGrIrJrKrLrNrPrRr$rTrUrYr[r]r`rrrrr@jsD                r@c@seZdZejddZejddZejddZejddZ ejd d Z ejd d Z ejd dZ ejddZ ejddZejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zd#S)$CertificateRevocationListcCsdS)z: Serializes the CRL to PEM or DER format. Nrr^rrrr`sz&CertificateRevocationList.public_bytescCsdSrArrBrrrrDsz%CertificateRevocationList.fingerprintcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)rrFrrr(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCsdSrOrrErrrrPsz2CertificateRevocationList.signature_hash_algorithmcCsdSrQrrErrrrRsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. NrrErrrrLsz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. NrrErrr next_updatesz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. NrrErrr last_updatesz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. NrrErrrr$sz$CertificateRevocationList.extensionscCsdSrSrrErrrrTsz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrrErrrtbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytescCsdSrVrrWrrrrYsz CertificateRevocationList.__eq__cCsdSrZrrWrrrr[ sz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. NrrErrr__len__&sz!CertificateRevocationList.__len__cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr)ridxrrr __getitem__,sz%CertificateRevocationList.__getitem__cCsdS)z8 Iterator over the revoked certificates NrrErrr__iter__2sz"CertificateRevocationList.__iter__cCsdS)zQ Verifies signature of revocation list against given public key. Nr)rrIrrris_signature_valid8sz,CertificateRevocationList.is_signature_validN)rrr rarbr`rDrercrPrRrLrfrgr$rTrhrYr[rirkrlrmrrrrrdsD                rdc@seZdZejddZejddZejddZejddZej d d Z ej d d Z ej d dZ ej ddZ ejddZej ddZej ddZej ddZej ddZdS)CertificateSigningRequestcCsdSrVrrWrrrrYAsz CertificateSigningRequest.__eq__cCsdSrZrrWrrrr[Gsz CertificateSigningRequest.__ne__cCsdSr\rrErrrr]Msz"CertificateSigningRequest.__hash__cCsdSrHrrErrrrISsz$CertificateSigningRequest.public_keycCsdSrMrrErrrrNYsz!CertificateSigningRequest.subjectcCsdSrOrrErrrrP_sz2CertificateSigningRequest.signature_hash_algorithmcCsdSrQrrErrrrRfsz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. NrrErrrr$lsz$CertificateSigningRequest.extensionscCsdS)z; Encodes the request to PEM or DER format. Nrr^rrrr`rsz&CertificateSigningRequest.public_bytescCsdSrSrrErrrrTxsz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrrErrrtbs_certrequest_bytes~sz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. NrrErrrrmsz,CertificateSigningRequest.is_signature_validcCsdS)z: Get the attribute value for a given OID. NrrErrrget_attribute_for_oidsz/CertificateSigningRequest.get_attribute_for_oidN)rrr rarbrYr[r]rIrcrNrPrRr$r`rTrormrprrrrrn?s4            rnc@s6eZdZejddZejddZejddZdS)RevokedCertificatecCsdS)zG Returns the serial number of the revoked certificate. NrrErrrrFsz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. NrrErrrrevocation_datesz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. NrrErrrr$szRevokedCertificate.extensionsN)rrr rarcrFrrr$rrrrrqs   rqc@s>eZdZdggfddZddZddZdd Zd d d ZdS) CertificateSigningRequestBuilderNcCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions _attributes)r subject_namer$r'rrrrsz)CertificateSigningRequestBuilder.__init__cCs4t|tstd|jdk r$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.) isinstancer TypeErrorrtr"rsrurvrnamerrrrws  z-CertificateSigningRequestBuilder.subject_namecCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rzrr{r rr&rursrtrvrr#criticalrrr add_extensions   z.CertificateSigningRequestBuilder.add_extensioncCsLt|tstdt|ts$tdt||jt|j|j|j||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytes) rzrr{bytesr)rvrsrtru)rrvaluerrr add_attributes   z.CertificateSigningRequestBuilder.add_attributecCs(t|}|jdkrtd||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rrtr"Zcreate_x509_csrrZ private_keyrCr8rrrsigns z%CertificateSigningRequestBuilder.sign)N)rrr rrwrrrrrrrrss  rsc@sfeZdZddddddgfddZddZddZdd Zd d Zd d ZddZ ddZ dddZ dS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dSr) r2r4_version _issuer_namert _public_key_serial_number_not_valid_before_not_valid_afterru)r issuer_namerwrIrFrJrKr$rrrrs zCertificateBuilder.__init__cCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rxN%The issuer name may only be set once.) rzrr{rr"rrtrrrrrur|rrrrs  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rxNry) rzrr{rtr"rrrrrrrur|rrrrws  zCertificateBuilder.subject_namecCsXt|tjtjtjtjt j fs&t d|j dk r8t dt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)rzrZ DSAPublicKeyr Z RSAPublicKeyr ZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyr{rr"rrrtrrrru)rkeyrrrrI s.  zCertificateBuilder.public_keycCsjt|tjstd|jdk r&td|dkr6td|dkrJtdt|j|j |j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.)rzsix integer_typesr{rr" bit_lengthrrrtrrrrurnumberrrrrF?s&   z CertificateBuilder.serial_numbercCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rzr,r{rr"r1_EARLIEST_UTC_TIMErrrrtrrrurr/rrrrJZs,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdkrPtd|jdkrbtd|jdkrttd||||S)zC Signs the certificate using the CA's private key. Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key) rrtr"rrrrrZcreate_x509_certificaterrrrrs      zCertificateBuilder.sign)N) rrr rrrwrIrFrJrKrrrrrrrs   rc@sReZdZdddggfddZddZddZdd Zd d Zd d ZdddZ dS) CertificateRevocationListBuilderNcCs"||_||_||_||_||_dSr)r _last_update _next_updateru_revoked_certificates)rrrgrfr$Zrevoked_certificatesrrrrs z)CertificateRevocationListBuilder.__init__cCs<t|tstd|jdk r$tdt||j|j|j|j S)Nrxr) rzrr{rr"rrrrur)rrrrrrs  z,CertificateRevocationListBuilder.issuer_namecCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rzr,r{rr"r1rrrrrur)rrgrrrrgs(  z,CertificateRevocationListBuilder.last_updatecCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rzr,r{rr"r1rrrrrur)rrfrrrrfs(  z,CertificateRevocationListBuilder.next_updatecCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r~) rzrr{r rr&rurrrrrrrrrr s   z.CertificateRevocationListBuilder.add_extensioncCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rzrqr{rrrrrur)rZrevoked_certificaterrradd_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatecCsLt|}|jdkrtd|jdkr,td|jdkr>td||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rrr"rrZcreate_x509_crlrrrrr-s   z%CertificateRevocationListBuilder.sign)N) rrr rrrgrfrrrrrrrrs  rc@s>eZdZddgfddZddZddZdd Zd d d ZdS) RevokedCertificateBuilderNcCs||_||_||_dSr)r_revocation_dateru)rrFrrr$rrrr<sz"RevokedCertificateBuilder.__init__cCsZt|tjstd|jdk r&td|dkr6td|dkrJtdt||j|j S)Nrrrz$The serial number should be positiverr) rzrrr{rr"rrrrurrrrrFCs   z'RevokedCertificateBuilder.serial_numbercCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rzr,r{rr"r1rrrrurrrrrrUs  z)RevokedCertificateBuilder.revocation_datecCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr~) rzrr{r rr&rurrrrrrrrcs   z'RevokedCertificateBuilder.add_extensioncCs6t|}|jdkrtd|jdkr,td||S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rrr"rZcreate_x509_revoked_certificate)rr8rrrbuildos  zRevokedCertificateBuilder.build)N)rrr rrFrrrrrrrrr;s  rcCsttddd?S)Nbigr)rZint_from_bytesosurandomrrrrrandom_serial_number{sr)N)N)N)N)N)N)5 __future__rrrrar,renumrrZ cryptographyrZcryptography.hazmat.backendsrZ)cryptography.hazmat.primitives.asymmetricrr r r r Zcryptography.x509.extensionsr rZcryptography.x509.namerZcryptography.x509.oidrr Exceptionrr&r)r1r2r5r9r:r;r<r=r> add_metaclassABCMetaobjectr@rdrnrqrsrrrrrrrrsL            i j R A^v@