U *”}f½3ã@spddlmZmZmZddlZddlZddlmZddlZddl m Z ddl m Z ddl mZmZmZe  ¡e  ¡e  ¡e  ¡e  ¡dœZGdd „d eƒZGd d „d eƒZd d „eDƒZe je je je je jfZdd„ZGdd„deƒZdd „eDƒZdd„Zdd„ZGdd„de ƒZ!Gdd„de ƒZ"Gdd„de ƒZ#e $ej%¡Gdd„de ƒƒZ&e $ej%¡Gdd „d e ƒƒZ'dS)!é)Úabsolute_importÚdivisionÚprint_functionN)ÚEnum)Úx509)Úhashes)Ú_EARLIEST_UTC_TIMEÚ_convert_to_naive_utc_timeÚ_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)ÚOCSPResponderEncodingzBy HashzBy NameN)Ú__name__Ú __module__Ú __qualname__ÚHASHÚNAME©rrú:/tmp/pip-unpacked-wheel-x36vw73o/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)ÚOCSPResponseStatusréééééN) r r rÚ SUCCESSFULZMALFORMED_REQUESTÚINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDÚ UNAUTHORIZEDrrrrr$s rcCsi|] }|j|“qSr©Úvalue©Ú.0ÚxrrrÚ -sr!cCst|tƒstdƒ‚dS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512)Ú isinstanceÚ_ALLOWED_HASHESÚ ValueError)Ú algorithmrrrÚ_verify_algorithm7s ÿr&c@seZdZdZdZdZdS)ÚOCSPCertStatusrrrN)r r rZGOODÚREVOKEDÚUNKNOWNrrrrr'>sr'cCsi|] }|j|“qSrrrrrrr!DscCsddlm}| |¡S©Nr©Úbackend)Ú,cryptography.hazmat.backends.openssl.backendr,Úload_der_ocsp_request©Údatar,rrrr.Gs r.cCsddlm}| |¡Sr*)r-r,Úload_der_ocsp_responser/rrrr1Ms r1c@s2eZdZdgfdd„Zdd„Zdd„Zdd „ZdS) ÚOCSPRequestBuilderNcCs||_||_dS©N)Ú_requestÚ _extensions)ÚselfÚrequestÚ extensionsrrrÚ__init__TszOCSPRequestBuilder.__init__cCsL|jdk rtdƒ‚t|ƒt|tjƒr2t|tjƒs:tdƒ‚t|||f|jƒS)Nz.Only one certificate can be added to a requestú%cert and issuer must be a Certificate) r4r$r&r"rÚ CertificateÚ TypeErrorr2r5)r6ÚcertÚissuerr%rrrÚadd_certificateXs ÿz"OCSPRequestBuilder.add_certificatecCsDt|tjƒstdƒ‚t |j||¡}t||jƒt|j |j|gƒS©Nz"extension must be an ExtensionType) r"rÚ ExtensionTyper<Ú ExtensionÚoidr r5r2r4©r6Ú extensionÚcriticalrrrÚ add_extensionds   ÿz OCSPRequestBuilder.add_extensioncCs(ddlm}|jdkrtdƒ‚| |¡S)Nrr+z*You must add a certificate before building)r-r,r4r$Zcreate_ocsp_request)r6r,rrrÚbuildos  zOCSPRequestBuilder.build)r r rr9r?rGrHrrrrr2Ss  r2c@seZdZdd„ZdS)Ú_SingleResponsec Cst|tjƒrt|tjƒs tdƒ‚t|ƒt|tjƒsr%Ú cert_statusÚ this_updateÚ next_updateÚrevocation_timeÚrevocation_reasonrrrr9ys` ÿ  ÿ ÿ ÿÿ ÿ ÿÿz_SingleResponse.__init__N)r r rr9rrrrrIxsrIc@sReZdZdddgfdd„Zdd„Zdd„Zdd „Zd d „Zd d „Ze dd„ƒZ dS)ÚOCSPResponseBuilderNcCs||_||_||_||_dSr3)Ú _responseÚ _responder_idÚ_certsr5)r6ÚresponseÚ responder_idÚcertsr8rrrr9¿szOCSPResponseBuilder.__init__c Cs<|jdk rtdƒ‚t||||||||ƒ} t| |j|j|jƒS)Nz#Only one response per OCSPResponse.)rRr$rIrQrSrTr5) r6r=r>r%rLrMrNrOrPZ singleresprrrÚ add_responseÇs$ ø üz OCSPResponseBuilder.add_responsecCsP|jdk rtdƒ‚t|tjƒs&tdƒ‚t|tƒs8tdƒ‚t|j||f|j |j ƒS)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rSr$r"rr;r<r rQrRrTr5)r6ÚencodingZresponder_certrrrrVæs   ÿüz OCSPResponseBuilder.responder_idcCs\|jdk rtdƒ‚t|ƒ}t|ƒdkr.tdƒ‚tdd„|DƒƒsHtdƒ‚t|j|j||j ƒS)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjƒVqdSr3)r"rr;rrrrÚ ýsz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rTr$ÚlistÚlenÚallr<rQrRrSr5)r6rWrrrÚ certificates÷s  üz OCSPResponseBuilder.certificatescCsLt|tjƒstdƒ‚t |j||¡}t||jƒt|j |j |j |j|gƒSr@) r"rrAr<rBrCr r5rQrRrSrTrDrrrrGs   üz!OCSPResponseBuilder.add_extensioncCsBddlm}|jdkrtdƒ‚|jdkr0tdƒ‚| tj|||¡S)Nrr+z&You must add a response before signingz*You must add a responder_id before signing)r-r,rRr$rSÚcreate_ocsp_responserr)r6Z private_keyr%r,rrrÚsigns   ÿzOCSPResponseBuilder.signcCs@ddlm}t|tƒstdƒ‚|tjkr0tdƒ‚| |ddd¡S)Nrr+z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r-r,r"rr<rr$r_)ÚclsÚresponse_statusr,rrrÚbuild_unsuccessful s  ÿ z&OCSPResponseBuilder.build_unsuccessful) r r rr9rXrVr^rGr`Ú classmethodrcrrrrrQ¾sÿ  rQc@s`eZdZejdd„ƒZejdd„ƒZejdd„ƒZejdd„ƒZej d d „ƒZ ejd d „ƒZ d S)Ú OCSPRequestcCsdS©z3 The hash of the issuer public key Nr©r6rrrÚissuer_key_hash0szOCSPRequest.issuer_key_hashcCsdS©z- The hash of the issuer name NrrgrrrÚissuer_name_hash6szOCSPRequest.issuer_name_hashcCsdS©zK The hash algorithm used in the issuer name and key hashes NrrgrrrÚhash_algorithm<szOCSPRequest.hash_algorithmcCsdS©zM The serial number of the cert whose status is being checked NrrgrrrÚ serial_numberBszOCSPRequest.serial_numbercCsdS)z/ Serializes the request to DER Nr)r6rYrrrÚ public_bytesHszOCSPRequest.public_bytescCsdS)zP The list of request extensions. Not single request extensions. Nrrgrrrr8NszOCSPRequest.extensionsN) r r rÚabcÚabstractpropertyrhrjrlrnÚabstractmethodror8rrrrre.s     rec@s$eZdZejdd„ƒZejdd„ƒZejdd„ƒZejdd„ƒZejd d „ƒZ ejd d „ƒZ ejd d„ƒZ ejdd„ƒZ ejdd„ƒZ ejdd„ƒZejdd„ƒZejdd„ƒZejdd„ƒZejdd„ƒZejdd„ƒZejdd „ƒZejd!d"„ƒZejd#d$„ƒZejd%d&„ƒZejd'd(„ƒZd)S)*Ú OCSPResponsecCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration NrrgrrrrbWszOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm NrrgrrrÚsignature_algorithm_oid^sz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed NrrgrrrÚsignature_hash_algorithmdsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes NrrgrrrÚ signaturejszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes NrrgrrrÚtbs_response_bytespszOCSPResponse.tbs_response_bytescCsdS)z» A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrrgrrrr^vszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None NrrgrrrÚresponder_key_hash~szOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None NrrgrrrÚresponder_name„szOCSPResponse.responder_namecCsdS)z4 The time the response was produced NrrgrrrÚ produced_atŠszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) NrrgrrrÚcertificate_statusszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. NrrgrrrrO–szOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. NrrgrrrrPszOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct NrrgrrrrM¤szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available NrrgrrrrN«szOCSPResponse.next_updatecCsdSrfrrgrrrrh±szOCSPResponse.issuer_key_hashcCsdSrirrgrrrrj·szOCSPResponse.issuer_name_hashcCsdSrkrrgrrrrl½szOCSPResponse.hash_algorithmcCsdSrmrrgrrrrnÃszOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nrrgrrrr8ÉszOCSPResponse.extensionscCsdS)zR The list of single response extensions. Not response extensions. NrrgrrrÚsingle_extensionsÏszOCSPResponse.single_extensionsN)r r rrprqrbrtrurvrwr^rxryrzr{rOrPrMrNrhrjrlrnr8r|rrrrrsUsP                   rs)(Ú __future__rrrrprJÚenumrÚsixZ cryptographyrZcryptography.hazmat.primitivesrZcryptography.x509.baserr r ÚSHA1ÚSHA224ÚSHA256ÚSHA384ÚSHA512Z _OIDS_TO_HASHr rZ_RESPONSE_STATUS_TO_ENUMr#r&r'Z_CERT_STATUS_TO_ENUMr.r1Úobjectr2rIrQÚ add_metaclassÚABCMetarersrrrrÚsD   û  û %Fp &