U ct @sddlZddlZddlmZddlmZmZddlmZddlm Z m Z m Z m Z m Z mZddlmZmZmZddlmZddlmZdd lmZmZdd lmZdd lmZmZmZm Z m!Z!m"Z"m#Z#dd l$m%Z%dd l&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-m.Z.ddl/m0Z0m1Z1m2Z2ddl3m4Z4ddl5m6Z6m7Z7m8Z8m9Z9e:e;Zej?ee+e ej@dddZAeGdddZBe'eeCedddZDej>ej?eej@ejEfee'e+eCee e e'eBfd d!d"ZFej>ej?eej@ejEfee'eeCee'd# d$d%ZGeGd&d'd'ZHe e-ej>ejIe eJe e-d(d)d*ZKejIe ejLej@ej>eCd+d,d-ZMej@ej?ej@ejIej>eHeCd.d/d0ZNej?e ejLej@ejIej>eHeCd1d2d3ZOeej@ejEfee-e'ee ePe e-feCeHee e ePd4 d5d6ZQe-ej>e+eHe eCej>fd7d8d9ZRd]ej?ej@e ePe e-feHe e%e e)e e-d:d;d<ZSej@eej@ejEfe-eCeHe e ePd=d>d?ZTej@eej@ejEfe-e e-eHd@dAdBZUd^e4ej@eHe edCdDdEZVe ePeWeHedFdGdHZXd_eej@ejEfe'ee edIdJdKZYeddGdLdMdMZZeddGdNdOdOZ[eddGdPdQdQZ\eej@ejEfee-e'e4e ePe e-feCeHee e[dR dSdTZ]d`eej@ejEfe'e4ee ee\dUdVdWZ^dXdYZ_eej@ejEfej>ej?ej>dZd[d\Z`dS)aN) defaultdict) dataclassfield)datetime)DictListOptionalSetTupleUnion)cmscrlx509)InvalidSignature) ValProcState) AuthorityAuthorityWithCert)ValidationContext)CertificateFetchErrorCRLNoMatchesErrorCRLValidationErrorCRLValidationIndeterminateErrorPathValidationErrorPSSParameterMismatch RevokedError)ValidationTimingParams)ValidationPath)CertRevTrustPolicy)CertificateRegistry) CRLContainerRevinfoUsabilityRating)KNOWN_CRL_ENTRY_EXTENSIONSKNOWN_CRL_EXTENSIONSVALID_REVOCATION_REASONS)RevinfoManager)ConsListget_ac_extension_value get_issuer_dn validate_sigT)frozenc@s&eZdZUdZeed<eeed<dS) CRLWithPathsz0 A CRL with a number of candidate paths r pathsN)__name__ __module__ __qualname____doc__r__annotations__rrr1r1N/tmp/pip-unpacked-wheel-rwcmptg8/pyhanko_certvalidator/revinfo/validate_crl.pyr*/s r*)crl_authority_namecertificate_listcert_issuer_auth cert_registryreturnc s|j}d}t|tr|j}|||}|s@||jkr@|||}|s|jdk rg}||h}|j|2z"3dHW}|j|krf|d|qf6|S)Nr) issuer isinstancerZ certificateZretrieve_by_nameZfetcherZfetch_crl_issuerssubjectinsert) r3r4r5r6Zdelegated_issuerZcert_issuer_cert candidatesZ valid_namescertr1r1r2 _find_candidate_crl_issuer_certs9s,   r>c@sdeZdZUeed<dZeed<dZeed<dZeed<dZeed<e e dZ e e ed<d d Zd S) _CRLIssuerSearchErrscandidate_issuersrcandidates_skippedsignatures_failedunauthorized_certspath_building_failuresdefault_factoryexplicit_errorscCs|jdk}|jr|j|jkr"tS|j|jkr6tdS|j|jkrRt|rLdndS|j|jkrnt|rhdndS|jrt|jdkr|jdSd}|d d d |jD7}t|SdS) Nz#CRL signature could not be verifiedzDThe CRL issuers that were identified are not authorized to sign CRLszAThe CRL issuer that was identified is not authorized to sign CRLszSThe chain of trust for the CRL issuers that were identified could not be determinedzQThe chain of trust for the CRL issuer that was identified could not be determinedrz&Unable to determine CRL trust status. z; css|]}t|VqdSN)str).0er1r1r2 sz/_CRLIssuerSearchErrs.get_exc..) r@rArrBrrCrDrGlenjoin)selfpluralmsgr1r1r2get_exchs2      z_CRLIssuerSearchErrs.get_excN)r,r-r.intr0rArBrCrDrlistrGrrrSr1r1r1r2r?_s     r?candidate_crl_issuer_pathvalidation_contextissuing_authority_identical proc_statec s||jrdSzR|j}|s,|jddd}ddlm}|j|}|||t||ddIdHWnPt k r}z2|j}t j d|j j d |d td |W5d}~XYnXdS) NT)Z never_defz CRL issuerr)intl_validate_path)ee_name_overridecert_path_stack)rZzPath for CRL issuer z could not be validated.exc_infoz8The CRL issuer certificate path could not be validated. )Zcheck_validationlastr\ describe_certZpyhanko_certvalidator.validater[r]Zconsrrloggerwarningr:Zhuman_friendlyr) rWrXrYrZZ temp_overrider[ new_stackrLZiss_certr1r1r2_validate_crl_issuer_paths4   re) r3r4r=r5 cert_pathcertificate_registry is_indirectrZr7c s:t|}t||||dIdH} |j} tt| d} g} | D]} | j| k}| j | kod| j|k}|s|s|s| j d7_ qD| j }|rd|j kr| j d7_ qDzt|| jWn&tk r| jd7_YqDYnX|| }|s&z|| }Wn(tk r$| jd7_YqDYnX| |qD| | fS)N)r5r6)r@rHZcrl_sign)hashlibsha256dumpdigestr>namer?rNr:r8rAkey_usage_valuenativerC_verify_crl_signature public_keyrrBcheck_path_verif_recursiontruncate_to_issuer_and_append LookupErrorrDappend)r3r4r=r5rfrgrhrZZ cert_sha256Zcandidate_crl_issuerscert_issuer_nameerrscandidate_pathscandidate_crl_issuerZ direct_issuerZindirect_issuerrn cand_pathr1r1r2_find_candidate_crl_pathssR         r{) r3r4r=r5rfrXrhrZr7c st||||||j||dIdH\}} |D]} | j} || rR|j|| | S|| } zP| o~|dk o~|j| jk} t | || |dIdH|j|| | WSt k r} z| j | WYq(W5d} ~ XYq(Xq(| dS)Nr=r5rfrgrhrZrV)r{rgr`rrrevinfo_managerZrecord_crl_issuerrsrqrkrerrGrurS)r3r4r=r5rfrXrhrZrxrwrWryrYrLr1r1r2_find_crl_issuersV      r~c@s,eZdZUeedZeed<dZeed<dS)_CRLErrsrEfailuresrissuer_failuresN) r,r-r.rrUrr0rrTr1r1r1r2rBs r) delta_listsr3crl_idpparent_crl_akir7cCsp|D]f}|j}|j|krq|j}|dkr0|dk s|dk rB|dkrBq|dk rX|j|jkrXq||jkrdq|SdSrI)crl_datar8 issuing_distribution_point_valueroauthority_key_identifier)rr3rrZcandidate_delta_cl_contZcandidate_delta_clZ delta_crl_idpr1r1r2_find_matching_delta_crlHs"  r)rcrl_dps crl_issuerr3r7cCs`d}d}d}g}|d}|rrd}|jdkrB|jD]} || q0n0|j} | j|j|tjd| d|r,|D]} |rqL| d} | rd}| jdkr| jD]} | |krd}qqn6|j} | j| jtjd| d} | |krd}q|| dr|d}| dD]}||krd}q|qq|n d}tjd|d} | |krLd}|p^| p^| S)NFdistribution_pointT full_namedirectory_namermvaluer)rmchosenrur:copyZuntagr GeneralName)rrrr3Z has_idp_nameZ has_dp_nameZ idp_dp_matchZidp_general_namesZ idp_dp_nameZ general_nameZinner_extended_issuer_namedpZdp_nameZdp_extended_issuer_nameZdp_crl_authority_namer1r1r2_match_dps_idp_namesfsl          r)r=r4rrr3rwr7cCst||j||d}|s8|jd|f|jd7_dS|djrh|jrh|jdjrh|jd|fdS|djr|jr|jdjdkr|jd |fdS|d jr|jd |fdSd S) Nrrrr3z{The CRL issuing distribution point extension does not share any names with the certificate CRL distribution point extensionrHFonly_contains_user_certscazMCRL only contains end-entity certificates and certificate is a CA certificateonly_contains_ca_certszNCRL only contains CA certificates and certificate is an end-entity certificateZonly_contains_attribute_certsz(CRL only contains attribute certificatesT)rcrl_distribution_points_valuerrurroZbasic_constraints_value)r=r4rrr3rwmatchr1r1r2_handle_crl_idp_ext_constraintssT    r)r4rrrr3rwr7cCsft||||d}|s6|jd|f|jd7_dS|djpH|dj}|rb|jd|fdSdS) NrzThe CRL issuing distribution point extension does not share any names with the attribute certificate's CRL distribution point extensionrHFrrzVCRL only contains public-key certificates, but certificate is an attribute certificateT)rrrurro)r4rrrr3rwrZpkc_onlyr1r1r2)_handle_attr_cert_crl_idp_ext_constraintss2  r) r=r5certificate_list_contpathrXdelta_lists_by_issuer use_deltasrwrZr7c  s|j} zt||j|j|d\} } Wntk r8YdSX|j| } | sz(t| | ||||| |dIdH} | j} Wndt k r|j d7_ YdSt t fk r}z |j |jd| fWYdSd}~XYnXt| ||| |d}|dkrdS|j|j|jd}|j}|tjkrX|tjkr.d}n|tjkr@d}nd }|j ||fdS|rxt| | |j|j||d }nd}zt| ||||d \}}Wntk rYdSX|j}|jr|jnd}|r|dks||krtj||d |d |S)Nrgrw)r=r5rfrXrhrZrHrrr=rrhrwpolicy timing_paramszCRL is not recent enoughzCRL is too recentz&CRL freshness could not be established)r4rrrrrwrr=rdelta_certificate_list_contrwZCRL)reasonZ revocation_dtZ revinfo_typerZ) r_get_crl_authority_namermrgrtr}Zcheck_crl_issuerr~r`rrrrrruargs!_get_crl_scope_assuming_authority usable_atZrevinfo_policyrratingr OKSTALETOO_NEW_maybe_get_delta_crl_check_cert_on_crl_and_deltaNotImplementedErrorZpoint_in_time_validationZvalidation_timerformat)r=r5rrrXrrrwrZr4rhr3rZcrl_issuer_pathrLinterim_reasonsfreshness_resultrrRr revoked_daterevoked_reasonZtiming control_timer1r1r2_handle_single_crls       r)rrvrgrwr7c Cs|j}|j}t|o|dj}|s*|j}nf|d}|rb|jdkrN|jdj}q|j|j}n.|j r|| |j } | j }n|j d|ft ||fS)zR Figure out the name of the entity on behalf of which the CRL was issued. Z indirect_crlrrrzcCRL is marked as an indirect CRL, but provides no mechanism for locating the CRL issuer certificate)rrboolror8rmrrrurZretrieve_by_key_identifierr:rrt) rrvrgrwr4rrhr3Z crl_idp_nameZtmp_crl_issuerr1r1r2rs2   r)r4rrrwrrr7cCs|jrt|jdkrdS|j}|j}||jg}t||||jd} | sLdS| j} | j t rp|j d| fdSzt | |jWn&tk r|j d| fYdSX|r|r| j||d} | j} | tjkr | tjkrd} n| tjkrd} nd} |j | | fdS| SdS) Nr)rr3rrzIOne or more unrecognized critical extensions are present in the delta CRLz)Delta CRL signature could not be verifiedrzDelta CRL is stalezDelta CRL is too recentz,Delta CRL freshness could not be established)Zfreshest_crl_valuerNr:rgethashablerrrcritical_extensionsr"rrurprqrrrr rrr)r4rrrwrrr3rZcandidate_delta_listsrdelta_certificate_listrrrRr1r1r2rsj       r)rr=rrhrwr7cCs~|j}|j}t|tj}d}d} |r,|j} n t|d} | rptjd|jd} | D] } | drNd}| | dkrNd} qN|j} t |}| |k}|o| o|}|o| p| }|j |k}|s|s|r|r|j d7_ dS|dk r|rt ||||| |d}nt | |||| |d }|sdSd}|r4|d jdk r4|d j}d}|rB|}|dkrVt}n|}|jtrz|jd |fdS|S) NFZcrl_distribution_pointsrrrTrH)r=r4rrr3rw)rr4rrr3rwZonly_some_reasonszCOne or more unrecognized critical extensions are present in the CRL)rrr9r Certificaterr&rr:r'r8rrrror#rrr"rru)rr=rrhrwr4ris_pkcZhas_dp_crl_issuerZdp_matchrZcrl_issuer_general_namerr3rvZ same_issuerZindirect_matchZ missing_idpZindirect_crl_issuerZ crl_idp_matchZ idp_reasonsZ reason_keysrr1r1r2rs            rrc Cs|j}d}d}t|}|r`|j} zt||| |j\}}Wn&tk r^|jd|fYnX|dkrzt||||j\}}Wn&tk r|jd|fYnX|r|jdkrd}d}||fS)Nz]One or more unrecognized critical extensions are present in the CRL entry for the certificateZremove_from_crl)rr'find_cert_in_listr:rrruro) rr=rrrwr4rrrvrr1r1r2rlsN  r)r}r=rwrc s||IdH}|j}tt}tt}|D]}|j} |dk r`|j} | dks*| |ks*|| |kr`q*z4| jj} | jdkr||  |n||  |Wq*t k r} z&d} t j | | d|j | | fW5d} ~ XYq*Xq*||fS)Nz/Generic processing error while classifying CRL.r^)Zasync_retrieve_crls poe_managerrrUrZ issuance_dater8rZdelta_crl_indicator_valueru ValueErrorloggingdebugr)r}r=rwrZcertificate_listsrcomplete_lists_by_issuerrrr4ZissuedZissuer_hashablerLrRr1r1r2_classify_relevant_crlss:   $rchecked_reasons total_crlsrwrZcCs^|dh8}|tkrZ||jkr0td|dS|jsB|jdtd|d|jSdS)NZunusedz%No CRLs were issued by the issuer of z, or any indirect CRL issuer)z6The available CRLs do not cover all revocation reasonszUnable to determine if z; is revoked due to insufficient information from known CRLs)r#rrrarrurrr1r1r2_process_crl_completenesss  r)r=rrXrZc sTt|tj}|p(tt||s"dndd}|j}t}t|||IdH\}} z| |} Wn(t k rt d| dYnXg} | D]} | | qt| } t}| D]}z4t|| |||| |||d IdH}|dk r||O}Wqtk r0}z&d}tj||d|j||fW5d}~XYqXqt|| ||}|dk rP|dS) a Verifies a certificate against a list of CRLs, checking to make sure the certificate has not been revoked. Uses the algorithm from https://tools.ietf.org/html/rfc5280#section-6.3 as a basis, but the implementation differs to allow CRLs from unrecorded locations. :param cert: An asn1crypto.x509.Certificate or asn1crypto.cms.AttributeCertificateV2 object to check for in the CRLs :param path: A pyhanko_certvalidator.path.ValidationPath object of the cert's validation path, or in the case of an AC, the AA's validation path. :param validation_context: A pyhanko_certvalidator.context.ValidationContext object to use for caching validation information :param use_deltas: A boolean indicating if delta CRLs should be used :param proc_state: Internal state for error reporting and policy application decisions. :raises: pyhanko_certvalidator.errors.CRLNoMatchesError - when none of the CRLs match the certificate pyhanko_certvalidator.errors.CRLValidationError - when any error occurs trying to verify the CertificateList pyhanko_certvalidator.errors.RevokedError - when the CRL indicates the certificate has been revoked zattribute certificateN)r]r\+Could not determine issuer certificate for in path.) r=r5rrrXrrrwrZ.Generic processing error while validating CRL.r^)r9rrrr%singr}rrfind_issuing_authorityrtrravaluesextendrNsetrrrrrrur)r=rrXrrZrr}rwrrr5crls_to_process issuer_crlsrrrrrLrRexcr1r1r2 verify_crlsb%       $ rc@s&eZdZUdZeed<eeed<dS)ProvisionalCRLTrustz_ A provisional CRL path, together with an optional delta CRL that may be relevant. rdeltaN)r,r-r.r/rr0rrr1r1r1r2rPs  rc@s8eZdZUdZeed<eeed<eed<e j ed<dS) CRLOfInterestz A CRL of interest. r prov_pathsrhr3N) r,r-r.r/rr0rrrrNamer1r1r1r2rcs   rc@s*eZdZUdZeeed<eeed<dS)CRLCollectionResultzb The result of a CRL collection operation for AdES point-in-time validation purposes. crls failure_msgsN)r,r-r.r/rrr0rJr1r1r1r2rs   r) r=r5rrr}rrrwrZr7c  sH|j} |j} zt||j| |d\} } Wntk r<YdSXz&t| | |||| | |dIdH\} }Wndtk r|jd7_YdStt fk r}z |j |j d| fWYdSd}~XYnXg}| D]Z}|j }t|||| |d}|dkrq|rt| |||d}nd}t||d}| |q|s8dSt||| | dS) Nrr|rHrr)r4rrrw)rr)r rrhr3)rrgrrmrtr{rrrrrrurr`rrrr)r=r5rrr}rrrwrZr4registryrhr3rx_rLZprovisional_resultsrzZputative_issuerrrZprovr1r1r2_assess_crl_relevancest     r)r=rr}rrZr7c s0|ptt|d}t}t||||d}|IdH\}} g} |D]} | | qDz||} Wn(tk rt d| dYnXg} | D]}z6t || ||| ||||d IdH}|dk r| |Wqt k r}z&d}tj||d|j ||fW5d}~XYqXqt| d d |jDd S) ah Collect potentially relevant CRLs with the associated validation paths. Will not perform actual path validation. :param cert: The certificate under scrutiny. :param path: The path currently being evaluated. :param revinfo_manager: The revocation info manager. :param control_time: The control time before which the validation info should have been issued. :param use_deltas: Whether to include delta CRLs. :param proc_state: The state of any prior validation process. :return: A :class:`.CRLCollectionResult`. )r])rNrr) r=r5rrrrr}rwrZrr^cSsg|] }|dqS)rr1)rKfr1r1r2 +sz4collect_relevant_crls_with_paths..)rr)rr%rrrrrrrtrrarrurrrrr)r=rr}rrrZrwZ classify_jobrrrrr5Z relevant_crlsrresultrLrRr1r1r2 collect_relevant_crls_with_pathssT    $rc Cs|dj}|dj}z.t|dj|d||||dddWnFtk rn}ztd|W5d}~XYntk rtdYnXdS) a2 Verifies the digital signature on an asn1crypto.crl.CertificateList object :param certificate_list: An asn1crypto.crl.CertificateList object :raises: pyhanko_certvalidator.errors.CRLValidationError - when the signature is invalid or uses an unsupported algorithm Zsignature_algorithm signature tbs_cert_list parameters)rZ signed_dataZpublic_key_infoZsig_algo hash_algorz/Invalid signature parameters on CertificateListNz5Unable to verify the signature of the CertificateList)signature_algorr(rorkrrr)r4rqrrrLr1r1r2rp/s*    rp)r=rvr4r3c Cs|dd}t|tjr |j}n|ddj}|}|D]l}|jtrJt|jr`|j|kr`|j}||krjq6|dj|krzq6|j st d}n|j }|dj|fSdS) a! Looks for a cert in the list of revoked certificates :param cert: An asn1crypto.x509.Certificate object of the cert being checked, or an asn1crypto.cms.AttributeCertificateV2 object in the case of an attribute certificate. :param cert_issuer_name: The certificate issuer's distinguished name :param certificate_list: An ans1crypto.crl.CertificateList object to look in for the cert :param crl_authority_name: The distinguished name of the default authority for which the CRL issues certificates. :return: A tuple of (None, None) if not present, otherwise a tuple of (asn1crypto.x509.Time object, asn1crypto.crl.CRLReason object) representing the date/time the object was revoked and why rrevoked_certificatesZac_info serial_numberZuser_certificate unspecifiedZrevocation_date)NN) r9rrrrorr!rZ issuer_nameZcrl_reason_valuer Z CRLReason) r=rvr4r3rZ cert_serialZlast_issuer_nameZ revoked_certZ crl_reasonr1r1r2rQs0   r)NN)N)TN)TN)arir collectionsrZ dataclassesrrrtypingrrrr r r Z asn1cryptor r rZcryptography.exceptionsrZpyhanko_certvalidator._staterZpyhanko_certvalidator.authorityrrZpyhanko_certvalidator.contextrZpyhanko_certvalidator.errorsrrrrrrrZpyhanko_certvalidator.ltv.typesrZpyhanko_certvalidator.pathrZ!pyhanko_certvalidator.policy_declrZpyhanko_certvalidator.registryrZ&pyhanko_certvalidator.revinfo.archivalrr Z'pyhanko_certvalidator.revinfo.constantsr!r"r#Z%pyhanko_certvalidator.revinfo.managerr$Zpyhanko_certvalidator.utilr%r&r'r( getLoggerr,rbr*rZCertificateListrr>r?rreZAttributeCertificateV2r{r~rZIssuingDistributionPointbytesrZCRLDistributionPointsrrrrJrrrrrrrTrrrrrrrrprr1r1r1r2sf      $        &, + I F  G C . u 1 L g > - # _ U N#