a a@sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$eeej%eeddddZ&e!ej%ej'e!e(fddddZ)ejejdddZ*GdddZ+GdddZ,Gdddej-Z.Gddde#Z/Gdd d ej0d!Z1e12ej1Gd"d#d#ej0d!Z3e32ej3Gd$d%d%e3Z4Gd&d'd'ej0d!Z5e52ej5Gd(d)d)ej0d!Z6e62ej6dBe(ej7e1d*d+d,Z8dCe(ej7e1d*d-d.Z9dDe(ej7e6d*d/d0Z:dEe(ej7e6d*d1d2Z;dFe(ej7e5d*d3d4ZZ?Gd9d:d:e>Z@Gd;d<dZAGd=d>d>e>ZBeCd?d@dAZDdS)HN)utils)x509)hashes serialization)dsaeced25519ed448rsax25519x448)CERTIFICATE_PUBLIC_KEY_TYPESPRIVATE_KEY_TYPESPUBLIC_KEY_TYPES) Extension ExtensionType Extensions_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZeeddfdd ZZS)AttributeNotFoundN)msgoidreturncstt||||_dSN)superr__init__r)selfrr __class__r"r"r#r9`szAttribute.valuecCsd|j|jS)Nz)formatrr9r>r"r"r#__repr__dszAttribute.__repr__otherrcCs2t|tstS|j|jko0|j|jko0|j|jkSr) isinstancer8NotImplementedrr9r:rrBr"r"r#__eq__gs    zAttribute.__eq__cCs ||k Srr"rEr"r"r#__ne__qszAttribute.__ne__cCst|j|j|jfSr)hashrr9r:r>r"r"r#__hash__tszAttribute.__hash__)r$r%r&rZ UTF8Stringr9rbytesintrpropertyrr@typingAnyboolrFrGrIr"r"r"r#r8Qs  r8c@sHeZdZejeddddZed\ZZ Z ddZ e edd d Z dS) AttributesN)r.rcCst||_dSr)list _attributes)rr.r"r"r#ryszAttributes.__init__rRcCs d|jS)Nz)r?rRr>r"r"r#r@szAttributes.__repr__rrcCs0|D]}|j|kr|Sqtd||dS)NzNo {} attribute was found)rrr?)rrattrr"r"r#get_attribute_for_oids  z Attributes.get_attribute_for_oid)r$r%r&rMIterabler8rr__len____iter__ __getitem__r@rrUr"r"r"r#rPxs  rPc@seZdZdZdZdS)VersionrN)r$r%r&Zv1v3r"r"r"r#rZsrZcs&eZdZeeddfdd ZZS)InvalidVersionN)rparsed_versionrcstt||||_dSr)rr]rr^)rrr^r r"r#rszInvalidVersion.__init__)r$r%r&r'rKrr(r"r"r r#r]sr]c@sxeZdZejejedddZej e dddZ ej e dddZ ejedd d Zej ejdd d Zej ejdd dZej edddZej edddZej ejejdddZej edddZej edddZej edddZej edddZejee dddZ!ejee dd d!Z"eje dd"d#Z#eje$j%ed$d%d&Z&d'S)( Certificate algorithmrcCsdSz4 Returns bytes using digest passed. Nr"rrar"r"r# fingerprintszCertificate.fingerprintr=cCsdS)z3 Returns certificate serial number Nr"r>r"r"r# serial_numberszCertificate.serial_numbercCsdS)z1 Returns the certificate version Nr"r>r"r"r#versionszCertificate.versioncCsdSz( Returns the public key Nr"r>r"r"r# public_keyszCertificate.public_keycCsdS)z? Not before time (represented as UTC datetime) Nr"r>r"r"r#not_valid_beforeszCertificate.not_valid_beforecCsdS)z> Not after time (represented as UTC datetime) Nr"r>r"r"r#not_valid_afterszCertificate.not_valid_aftercCsdS)z1 Returns the issuer name object. Nr"r>r"r"r#issuerszCertificate.issuercCsdSz2 Returns the subject name object. Nr"r>r"r"r#subjectszCertificate.subjectcCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr"r>r"r"r#signature_hash_algorithmsz$Certificate.signature_hash_algorithmcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr"r>r"r"r#signature_algorithm_oidsz#Certificate.signature_algorithm_oidcCsdS)z/ Returns an Extensions object. Nr"r>r"r"r#r*szCertificate.extensionscCsdSz. Returns the signature bytes. Nr"r>r"r"r# signatureszCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr"r>r"r"r#tbs_certificate_bytessz!Certificate.tbs_certificate_bytesrAcCsdSz" Checks equality. Nr"rEr"r"r#rFszCertificate.__eq__cCsdSz# Checks not equal. Nr"rEr"r"r#rGszCertificate.__ne__cCsdSz" Computes a hash. Nr"r>r"r"r#rIszCertificate.__hash__encodingrcCsdS)zB Serializes the certificate to PEM or DER format. Nr"rryr"r"r# public_bytesszCertificate.public_bytesN)'r$r%r&abcabstractmethodr HashAlgorithmrJrdabstractpropertyrKrerZrfr rhr4rirjrrkrmrMOptionalrorrqrr*rsrtobjectrOrFrGrIrEncodingr{r"r"r"r#r_sF r_) metaclassc@sJeZdZejedddZejejdddZeje dddZ dS) RevokedCertificater=cCsdS)zG Returns the serial number of the revoked certificate. Nr"r>r"r"r#resz RevokedCertificate.serial_numbercCsdS)zH Returns the date of when this certificate was revoked. Nr"r>r"r"r#revocation_date sz"RevokedCertificate.revocation_datecCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr"r>r"r"r#r*szRevokedCertificate.extensionsN) r$r%r&r|rrKrer4rrr*r"r"r"r#rs rc@sXeZdZeejedddZeedddZeejdddZ eedd d Z d S) _RawRevokedCertificatererr*cCs||_||_||_dSr_serial_number_revocation_date _extensionsrrerr*r"r"r#rsz_RawRevokedCertificate.__init__r=cCs|jSr)rr>r"r"r#re)sz$_RawRevokedCertificate.serial_numbercCs|jSr)rr>r"r"r#r-sz&_RawRevokedCertificate.revocation_datecCs|jSr)rr>r"r"r#r*1sz!_RawRevokedCertificate.extensionsN) r$r%r&rKr4rrrLrerr*r"r"r"r#rs rc@seZdZejejedddZeje j edddZ eje e jeddd Zeje je j d d d Zejed d dZejed ddZeje jejd ddZejejd ddZejed ddZejed ddZejed ddZejeedddZ ejeedddZ!eje d d d!Z"e j#e ed"d#d$Z$e j#e%e j&ed"d%d$Z$eje j'e e%fe j'ee j&efd"d&d$Z$eje j(ed d'd(Z)eje*ed)d*d+Z+d,S)-CertificateRevocationListrxcCsdS)z: Serializes the CRL to PEM or DER format. Nr"rzr"r"r#r{7sz&CertificateRevocationList.public_bytesr`cCsdSrbr"rcr"r"r#rd=sz%CertificateRevocationList.fingerprint)rercCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr")rrer"r"r#(get_revoked_certificate_by_serial_numberCszBCertificateRevocationList.get_revoked_certificate_by_serial_numberr=cCsdSrnr"r>r"r"r#roLsz2CertificateRevocationList.signature_hash_algorithmcCsdSrpr"r>r"r"r#rqUsz1CertificateRevocationList.signature_algorithm_oidcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr"r>r"r"r#rk[sz CertificateRevocationList.issuercCsdS)z? Returns the date of next update for this CRL. Nr"r>r"r"r# next_updateasz%CertificateRevocationList.next_updatecCsdS)z? Returns the date of last update for this CRL. Nr"r>r"r"r# last_updategsz%CertificateRevocationList.last_updatecCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr"r>r"r"r#r*msz$CertificateRevocationList.extensionscCsdSrrr"r>r"r"r#rsssz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr"r>r"r"r#tbs_certlist_bytesysz,CertificateRevocationList.tbs_certlist_bytesrAcCsdSrur"rEr"r"r#rFsz CertificateRevocationList.__eq__cCsdSrvr"rEr"r"r#rGsz CertificateRevocationList.__ne__cCsdS)z< Number of revoked certificates in the CRL. Nr"r>r"r"r#rWsz!CertificateRevocationList.__len__)idxrcCsdSrr"rrr"r"r#rYsz%CertificateRevocationList.__getitem__cCsdSrr"rr"r"r#rYscCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr"rr"r"r#rYscCsdS)z8 Iterator over the revoked certificates Nr"r>r"r"r#rXsz"CertificateRevocationList.__iter__)rhrcCsdS)zQ Verifies signature of revocation list against given public key. Nr")rrhr"r"r#is_signature_validsz,CertificateRevocationList.is_signature_validN),r$r%r&r|r}rrrJr{rr~rdrKrMrrrrrorrqrrkr4rrrr*rsrrrOrFrGrWoverloadrYsliceListUnionIteratorrXrrr"r"r"r#r6sV  rc@s6eZdZejeedddZejeedddZeje dddZ eje dd d Z ej edd d Zej ejejdd dZej edddZej edddZej edddZejejedddZej edddZej edddZ ej edddZ!ejeeddd Z"d!S)"CertificateSigningRequestrAcCsdSrur"rEr"r"r#rFsz CertificateSigningRequest.__eq__cCsdSrvr"rEr"r"r#rGsz CertificateSigningRequest.__ne__r=cCsdSrwr"r>r"r"r#rIsz"CertificateSigningRequest.__hash__cCsdSrgr"r>r"r"r#rhsz$CertificateSigningRequest.public_keycCsdSrlr"r>r"r"r#rmsz!CertificateSigningRequest.subjectcCsdSrnr"r>r"r"r#rosz2CertificateSigningRequest.signature_hash_algorithmcCsdSrpr"r>r"r"r#rqsz1CertificateSigningRequest.signature_algorithm_oidcCsdS)z@ Returns the extensions in the signing request. Nr"r>r"r"r#r*sz$CertificateSigningRequest.extensionscCsdS)z/ Returns an Attributes object. Nr"r>r"r"r#r.sz$CertificateSigningRequest.attributesrxcCsdS)z; Encodes the request to PEM or DER format. Nr"rzr"r"r#r{sz&CertificateSigningRequest.public_bytescCsdSrrr"r>r"r"r#rssz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr"r>r"r"r#tbs_certrequest_bytessz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr"r>r"r"r#rsz,CertificateSigningRequest.is_signature_validrScCsdS)z: Get the attribute value for a given OID. Nr")rrr"r"r#rUsz/CertificateSigningRequest.get_attribute_for_oidN)#r$r%r&r|r}rrOrFrGrKrIrrhrrrmrMrrr~rorrqrr*rPr.rrrJr{rsrrrUr"r"r"r#rs: r)databackendrcCs t|Sr) rust_x509load_pem_x509_certificaterrr"r"r#rsrcCs t|Sr)rload_der_x509_certificaterr"r"r#rsrcCs t|Sr)rload_pem_x509_csrrr"r"r#rsrcCs t|Sr)rload_der_x509_csrrr"r"r#r%srcCs t|Sr)rload_pem_x509_crlrr"r"r#r,srcCs t|Sr)rload_der_x509_crlrr"r"r#r3src@seZdZdggfejeejeeejej e e fdddZ eddddZ eeddd d Ze e dd d d ZdeejejejedddZdS) CertificateSigningRequestBuilderN) subject_namer*r.cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrR)rrr*r.r"r"r#r:s z)CertificateSigningRequestBuilder.__init__namercCs4t|tstd|jdur$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rCr TypeErrorrr+rrrRrrr"r"r#rGs   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalrcCsDt|tstdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rCrrrrr-rrrrRrrrr)r"r"r# add_extensionSs   z.CertificateSigningRequestBuilder.add_extension)rr9rcCsLt|tstdt|ts$tdt||jt|j|j|j||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytes) rCrrrJr0rRrrr)rrr9r"r"r# add_attributees   z.CertificateSigningRequestBuilder.add_attribute private_keyrarrcCs |jdurtdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr+rZcreate_x509_csrrrrarr"r"r#signys z%CertificateSigningRequestBuilder.sign)N)r$r%r&rMrrrrrTuplerrJrrrOrrrrr~rNrrr"r"r"r#r9s,      rc @seZdZUejeeed<ddddddgfeje eje eje eje eje j eje j ejeeddddZ e ddddZe ddd d Ze dd d d Ze ddddZe j ddddZe j ddddZeeddddZdeejejejedddZdS)CertificateBuilderrN) issuer_namerrhrerirjr*rcCs6tj|_||_||_||_||_||_||_||_ dSr) rZr\_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)rrrrhrerirjr*r"r"r#rs zCertificateBuilder.__init__rcCsDt|tstd|jdur$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rCrrrr+rrrrrrrrr"r"r#rs  zCertificateBuilder.issuer_namecCsDt|tstd|jdur$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rCrrrr+rrrrrrrrr"r"r#rs  zCertificateBuilder.subject_name)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdur@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rCrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyrZEd25519PublicKeyr ZEd448PublicKeyr ZX25519PublicKeyr Z X448PublicKeyrrr+rrrrrrr)rrr"r"r#rhs2  zCertificateBuilder.public_keynumberrcCsht|tstd|jdur$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rCrKrrr+ bit_lengthrrrrrrrrrr"r"r#res&   z CertificateBuilder.serial_numberr1cCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rCr4rrr+r7_EARLIEST_UTC_TIMErrrrrrrrr2r"r"r#ris,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdurZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rCr4rrr+r7rrrrrr)rrr"r"r#rs(  z,CertificateRevocationListBuilder.last_update)rrcCsrt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rCr4rrr+r7rrrrrr)rrr"r"r#rs(  z,CertificateRevocationListBuilder.next_updatercCsLt|tstdt|j||}t||jt|j|j |j |j|g|j S)zM Adds an X.509 extension to the certificate revocation list. r) rCrrrrr-rrrrrrrr"r"r#rs   z.CertificateRevocationListBuilder.add_extension)revoked_certificatercCs2t|tstdt|j|j|j|j|j|gS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rCrrrrrrrr)rrr"r"r#add_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificatercCsD|jdurtd|jdur$td|jdur6tdt|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr+rrrZcreate_x509_crlrr"r"r#rs   z%CertificateRevocationListBuilder.sign)N)r$r%r&rMrrrrrrrr4rrrrrOrrrrr~rNrrr"r"r"r#rtsH           rc@seZdZddgfejeejejejee dddZ eddddZ ejddd d Z e e dd d d ZdejedddZdS)RevokedCertificateBuilderNrcCs||_||_||_dSrrrr"r"r#rsz"RevokedCertificateBuilder.__init__rcCsXt|tstd|jdur$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rCrKrrr+rrrrrr"r"r#res    z'RevokedCertificateBuilder.serial_numberr1cCsNt|tjstd|jdur&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rCr4rrr+r7rrrrrr"r"r#rs   z)RevokedCertificateBuilder.revocation_datercCsDt|tstdt|j||}t||jt|j|j |j|gS)Nr) rCrrrrr-rrrrrr"r"r#r(s   z'RevokedCertificateBuilder.add_extension)rrcCs:|jdurtd|jdur$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr+rrrr)rrr"r"r#build6s  zRevokedCertificateBuilder.build)N)r$r%r&rMrrKr4rrrrrerrOrrNrrr"r"r"r#rs     rr=cCsttddd?S)Nbigr)rK from_bytesosurandomr"r"r"r#random_serial_numberDsr)N)N)N)N)N)N)Er|r4rrMZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrrr r r r Z/cryptography.hazmat.primitives.asymmetric.typesr rrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrr Exceptionrrr-rrJr0r7r8rPEnumrZr]ABCMetar_registerrrrrrNrrrrrrrrrrrrKrr"r"r"r#s  $     'l  x [       NnI