U c-@sddlZddlZddlmZmZddlmZddlmZddl m Z ddl m Z m Z mZddlmZdd lmZdd lmZdd lmZmZmZdd lmZmZd dddddgZdejeee eedddZGdddZdS)N)IterableOptional)x509) type_name)ValidationContext)InvalidCertificateErrorPathBuildingErrorValidationError)ValidationPath)PKIXValidationParams)CancelableAsyncIterator)async_validate_pathvalidate_tls_hostnamevalidate_usage) __version____version_info__rrCertificateValidatorrr find_valid_path) certificatepathsvalidation_contextpkix_validation_paramsc sg}zzh|2z\3dHW}z"t|||IdH|WWWnStk rf}z||W5d}~XYq Xq 6Wn4tk r|jdkrtd|jjdYnXW5|IdHXt |dkr|dd}|D]}dt |kr|}q|r||ddS)N>maybeyesz1The X.509 certificate provided is self-signed - ""rr signature) cancelrr appendr Z self_signedrsubjectZhuman_friendlylenstr) rrrr exceptionscandidate_patheZnon_signature_exception exceptionr&B/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/__init__.pyrs8 $    c@sxeZdZdZdejeeejeeee dddZ e ddZ e ddd Zdd d Zdd dZddZddZdS)rN)end_entity_certintermediate_certsr pkix_paramscCsF|dkrt}|dk r0|j}|D]}||q ||_||_||_dS)a  :param end_entity_cert: An asn1crypto.x509.Certificate object X.509 end-entity certificate to validate :param intermediate_certs: None or a list of asn1crypto.x509.Certificate Used in constructing certificate paths for validation. :param validation_context: A pyhanko_certvalidator.context.ValidationContext() object that controls generic validation options and tracks revocation data. The same validation context will also be used in the validation of relevant certificates found in OCSP responses and/or CRLs. :param pkix_params: A pyhanko_certvalidator.context.PKIXValidationParams() object that controls advanced PKIX validation parameters used to validate the end-entity certificate. These can be used to constrain policy processing and names. Ancillary validation of CRLs and OCSP responses ignore these settings. N)rcertificate_registryregister_context _certificate_params)selfr(r)rr*r+Zintermediate_certr&r&r'__init__Fs! zCertificateValidator.__init__cCs|jS)N)r.)r0r&r&r'rssz CertificateValidator.certificate)returncsH|jdk r|jS|j}|jj|}t|||j|jdIdH|_}|S)a Builds possible certificate paths and validates them until a valid one is found, or all fail. :raises: pyhanko_certvalidator.errors.PathBuildingError - when an error occurs building the path pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked N)rr)_pathr.r-Z path_builderZasync_build_paths_lazyrr/)r0rrr#r&r&r'rws z(CertificateValidator.async_validate_pathFcCs tdtt||||S)a Validates the certificate path and that the certificate is valid for the key usage and extended key usage purposes specified. .. deprecated:: 0.17.0 Use :meth:`async_validate_usage` instead. :param key_usage: A set of unicode strings of the required key usage purposes. Valid values include: - "digital_signature" - "non_repudiation" - "key_encipherment" - "data_encipherment" - "key_agreement" - "key_cert_sign" - "crl_sign" - "encipher_only" - "decipher_only" :param extended_key_usage: A set of unicode strings of the required extended key usage purposes. These must be either dotted number OIDs, or one of the following extended key usage purposes: - "server_auth" - "client_auth" - "code_signing" - "email_protection" - "ipsec_end_system" - "ipsec_tunnel" - "ipsec_user" - "time_stamping" - "ocsp_signing" - "wireless_access_points" An example of a dotted number OID: - "1.3.6.1.5.5.7.3.1" :param extended_optional: A bool - if the extended_key_usage extension may be ommited and still considered valid :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified :return: A pyhanko_certvalidator.path.ValidationPath object of the validated certificate validation path zB'validate_usage' is deprecated, use 'async_validate_usage' instead)warningswarnDeprecationWarningasynciorunasync_validate_usage)r0 key_usageextended_key_usageextended_optionalr&r&r'rs:z#CertificateValidator.validate_usagecs&|IdH}t|j|j||||S)aN Validates the certificate path and that the certificate is valid for the key usage and extended key usage purposes specified. :param key_usage: A set of unicode strings of the required key usage purposes. Valid values include: - "digital_signature" - "non_repudiation" - "key_encipherment" - "data_encipherment" - "key_agreement" - "key_cert_sign" - "crl_sign" - "encipher_only" - "decipher_only" :param extended_key_usage: A set of unicode strings of the required extended key usage purposes. These must be either dotted number OIDs, or one of the following extended key usage purposes: - "server_auth" - "client_auth" - "code_signing" - "email_protection" - "ipsec_end_system" - "ipsec_tunnel" - "ipsec_user" - "time_stamping" - "ocsp_signing" - "wireless_access_points" An example of a dotted number OID: - "1.3.6.1.5.5.7.3.1" :param extended_optional: A bool - if the extended_key_usage extension may be ommited and still considered valid :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for the usages specified :return: A pyhanko_certvalidator.path.ValidationPath object of the validated certificate validation path N)rrr-r.)r0r:r;r<Zvalidated_pathr&r&r'r9s7z)CertificateValidator.async_validate_usagecCstdtt||S)ah Validates the certificate path, that the certificate is valid for the hostname provided and that the certificate is valid for the purpose of a TLS connection. .. deprecated:: 0.17.0 Use :meth:`async_validate_tls` instead. :param hostname: A unicode string of the TLS server hostname :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for TLS or the hostname :return: A pyhanko_certvalidator.path.ValidationPath object of the validated certificate validation path z>'validate_tls' is deprecated, use 'async_validate_tls' instead)r4r5r6r7r8async_validate_tlsr0hostnamer&r&r' validate_tlss z!CertificateValidator.validate_tlscs$|IdHt|j|j||jS)a Validates the certificate path, that the certificate is valid for the hostname provided and that the certificate is valid for the purpose of a TLS connection. :param hostname: A unicode string of the TLS server hostname :raises: pyhanko_certvalidator.errors.PathValidationError - when an error occurs validating the path pyhanko_certvalidator.errors.RevokedError - when the certificate or another certificate in its path has been revoked pyhanko_certvalidator.errors.InvalidCertificateError - when the certificate is not valid for TLS or the hostname :return: A pyhanko_certvalidator.path.ValidationPath object of the validated certificate validation path N)rrr-r.r3r>r&r&r'r=4sz'CertificateValidator.async_validate_tls)NNN)NF)NF)__name__ __module__ __qualname__r3r Certificaterrrr r1propertyrr rrr9r@r=r&r&r&r'rBs*  -  G A)N) r7r4typingrrZ asn1cryptor_typesrcontextrerrorsrr r pathr Z policy_declr utilr validaterrrversionrr__all__rDrrr&r&r&r's4       (