U cH @sdZddlZddlZddlmZddlmZmZddlmZm Z ddl m Z m Z ddl mZd d d d d ddddddg ZedddgZejGdd d ejZeddGdd d ZeejejZeejejdZeejejeejejedZejGdd d ejZeddGdd d Zeeeeeedd d!Z eddGd"d d Z!eddGd#ddZ"Gd$ddej#Z$Gd%dde$Z%dS)&z .. versionadded:: 0.20.0 N) dataclass)datetime timedelta) FrozenSetOptional)algoskeys) PKIXSubtreesRevocationCheckingRuleRevocationCheckingPolicyFreshnessReqTypeCertRevTrustPolicyPKIXValidationParamsAlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicyDEFAULT_WEAK_HASH_ALGOSREQUIRE_REVINFO NO_REVOCATIONZmd2md5sha1c@seZdZdZdZdZdZdZdZdZ dZ e e d d d Z e e d d d Ze e d ddZe e d ddZe e d ddZe e d ddZdS)r zg Rules determining in what circumstances revocation data has to be checked, and what kind. ZclrcheckZ ocspcheckZ bothcheckZ eithercheckZnocheckZifdeclaredcheckZifdeclaredsoftcheckreturncCs|tjtjtjfkSN)r CHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfr E/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/policy_decl.pystrict`s zRevocationCheckingRule.strictcCs|tjtjfkSr)r rrrr r r!tolerantiszRevocationCheckingRule.tolerantcCs|tjtjfkSr)r CRL_REQUIREDCRL_AND_OCSP_REQUIREDrr r r! crl_mandatorypsz$RevocationCheckingRule.crl_mandatorycCs|tjtjfkSr)r r OCSP_REQUIREDrr r r! crl_relevantwsz#RevocationCheckingRule.crl_relevantcCs|tjtjfkSr)r r'r%rr r r!ocsp_mandatory~sz%RevocationCheckingRule.ocsp_mandatorycCs|tjtjfkSr)r rr$rr r r! ocsp_relevantsz$RevocationCheckingRule.ocsp_relevantN)__name__ __module__ __qualname____doc__r$r'r%CRL_OR_OCSP_REQUIREDrrrpropertyboolr"r#r&r(r)r*r r r r!r #s( T)frozenc@sFeZdZUdZeed<eed<eedddZe e ddd Z d S) r zu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rule)policycCs4z t|WStk r.td|dYnXdS)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsr5r r r! from_legacys z$RevocationCheckingPolicy.from_legacyrcCs|jjo|jj Sr)r3r#rr r r! essentialsz"RevocationCheckingPolicy.essentialN) r+r,r-r.r __annotations__ classmethodstrr;r0r1r<r r r r!r s )r3r4)z soft-failz hard-failrequirec@s(eZdZdZeZeZeZdS)r z% Freshness requirement type. N) r+r,r-r.enumautoDEFAULTZMAX_DIFF_REVOCATION_VALIDATIONZTIME_AFTER_SIGNATUREr r r r!r s c@sTeZdZUdZeed<dZeeed<e j Z e ed<dZ eeed<dZ eed<dS) rzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. Zrevocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_timeFretroactive_revinfo)r+r,r-r.r r=rDrrr rCrErFrGr1r r r r!rs  )a_polsb_polsrcCs>d|k}d|k}|r"|r"tdgS|r*|S|r2|S||@SdS)z Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. any_policyN) frozenset)rHrIZa_anyZb_anyr r r!intersect_policy_setss rLc@steZdZUedgZeed<dZeed<dZeed<dZ eed<dZ e e ed<dZ e e ed <ddd d d ZdS) rrJuser_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitNinitial_permitted_subtreesinitial_excluded_subtrees)otherrcCsdd|jkr|j}nd|jkr$|j}n |j|j@}|jo:|j}|joF|j}|joR|j}t||||dS)aa Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. rJ)rMrPrOrN)rMrPrOrNr)rrSZinit_policy_setrPrOrNr r r!merges&     zPKIXValidationParams.merge)r+r,r-rKrMr=rNr1rOrPrQrr rRrTr r r r!r7s     c@sBeZdZUdZeed<dZeeed<dZ ee ed<ddZ dS)rzh Expression of a constraint on the usage of an algorithm (possibly with parameter choices). allowedNnot_allowed_afterfailure_reasoncCs|jSrrUrr r r!__bool__sz!AlgorithmUsageConstraint.__bool__) r+r,r-r.r1r=rVrrrWr?rYr r r r!rs c@sHeZdZdZejeeedddZ ej eeee j edddZ dS) rzR Abstract interface defining a usage policy for cryptographic algorithms. algomomentrcCstdS)a Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. NNotImplementedErrorrr[r\r r r!digest_algorithm_allowedsz-AlgorithmUsagePolicy.digest_algorithm_allowedr[r\ public_keyrcCstdS)a' Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. Nr])rr[r\rbr r r!signature_algorithm_allowedsz0AlgorithmUsagePolicy.signature_algorithm_allowedN)r+r,r-r.rDigestAlgorithmrrrr`SignedDigestAlgorithmr PublicKeyInforcr r r r!rs c@s\eZdZdZeeddfddZeje e e dddZ ej e e e eje d d d Zd S) ra Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. iix cCs||_||_||_||_dSr)weak_hash_algosweak_signature_algosrsa_key_size_thresholddsa_key_size_threshold)rrgrhrirjr r r!__init__ sz%DisallowWeakAlgorithmsPolicy.__init__rZcCst|dj|jkS)N algorithm)rnativergr_r r r!r`sz5DisallowWeakAlgorithmsPolicy.digest_algorithm_allowedrac Cs|j}||jk}|d}|dk}|r|dk r|s6|r|j}d} |rV||jkrV|j} n|rj||jkrj|j} | dk rtdd|d|d| dSz |j} Wntk rd} YnX|r| dk r| t d|ji|} | stdd | d |dj d | j d St|d S)NrsaZdsaFz Key size z for algorithm z- is considered too small; policy mandates >= )rUrWrlzDigest algorithm z< is not allowed, which disqualifies the signature mechanism z as well.)rUrWrVrX)Zsignature_algorh startswithZbit_sizerirjr hash_algor9r`rrdrmrV) rr[r\rbZ algo_nameZ algo_allowedZis_rsaZis_dsaZkey_szZfailed_thresholdrpZdigest_allowedr r r!rc s@     z8DisallowWeakAlgorithmsPolicy.signature_algorithm_allowedN)r+r,r-r.rrKrkrrdrrrr`rerrfrcr r r r!rs  )&r.abcrAZ dataclassesrrrtypingrrZ asn1cryptorrZ name_treesr __all__rKruniqueEnumr r r/rrrrrr7r rr?rLrrABCrrr r r r!sp  i  . n2