,d] ^ddlmZddlZddlZddlZddlZddlmZddlm Z ddl m Z m Z ddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZmZdd l m!Z!m"Z"dd l#m$Z$ejd d d Z%ej&e j'e j(e j)e j*e j+e j,e j-e j.fZ/Gd de0Z1dGdZ2dHdZ3dIdZ4GddZ5Gd d!Z6Gd"d#ej7Z8Gd$d%e0Z9Gd&d'ej:(Z;e;<e j;Gd)d*ej:(Z=e=<e j=Gd+d,e=Z>Gd-d.ej:(Z?e?<e j?Gd/d0ej:(Z@e@<e j@ dJdKd5ZAdLd7ZB dJdKd8ZC dJdMd9ZD dJdMd:ZE dJdNd;ZF dJdNd<ZGGd=d>ZHGd?d@ZIGdAdBZJGdCdDZKdOdFZLdS)P) annotationsN)utils)x509)hashes serialization)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificateIssuerPublicKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric eZdZdfd ZxZS) AttributeNotFoundmsgstroidrreturnNonecXt|||_dSN)super__init__r)selfrr __class__s 6lib/python3.11/site-packages/cryptography/x509/base.pyr%zAttributeNotFound.__init__8s& )rrrrr r!__name__ __module__ __qualname__r% __classcell__r's@r(rr7s=r)r extensionExtension[ExtensionType] extensions%typing.List[Extension[ExtensionType]]r r!cN|D]!}|j|jkrtd"dS)Nz$This extension has already been set.)r ValueError)r0r2es r(_reject_duplicate_extensionr7=sD EE 5IM ! !CDD D "EEr)rr attributesHtyping.List[typing.Tuple[ObjectIdentifier, bytes, typing.Optional[int]]]cB|D]\}}}||krtddS)Nz$This attribute has already been set.)r5)rr8attr_oid_s r(_reject_duplicate_attributer=GsD%EE!Q s??CDD D EEr)timedatetime.datetimec|jD|}|r|ntj}|d|z S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)rA utcoffsetdatetime timedeltareplace)r>offsets r(_convert_to_naive_utc_timerGSsP  {!!!;x'9';';||4|((611 r)cveZdZejjfdd Zedd Zedd Zdd Z ddZ ddZ dS) Attributerrvaluebytes_typeintr r!c0||_||_||_dSr#)_oid_valuerL)r&rrJrLs r(r%zAttribute.__init__bs    r)c|jSr#)rOr&s r(rz Attribute.oidls yr)c|jSr#)rPrRs r(rJzAttribute.valueps {r)rc(d|jd|jdS)Nz)rrJrRs r(__repr__zAttribute.__repr__tsCCC4:CCCCr)otherobjectboolct|tstS|j|jko|j|jko|j|jkSr#) isinstancerINotImplementedrrJrLr&rWs r(__eq__zAttribute.__eq__wsO%++ "! ! H ! * ek) * ek) r)cDt|j|j|jfSr#)hashrrJrLrRs r(__hash__zAttribute.__hash__sTXtz4:6777r)N)rrrJrKrLrMr r!r rr rKr rrWrXr rYr rM) r+r,r-r UTF8StringrJr%propertyrrVr^rar)r(rIrIas )/ XXDDDD    888888r)rIcDeZdZddZed\ZZZddZdd Z d S) Attributesr8typing.Iterable[Attribute]r r!c.t||_dSr#)list _attributes)r&r8s r(r%zAttributes.__init__s ++r)rorcd|jdS)Nz Not after time (represented as UTC datetime) NrirRs r(not_valid_afterzCertificate.not_valid_afterrr)rcdS)z1 Returns the issuer name object. NrirRs r(issuerzCertificate.issuerrr)cdSz2 Returns the subject name object. NrirRs r(subjectzCertificate.subjectrr)%typing.Optional[hashes.HashAlgorithm]cdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrirRs r(signature_hash_algorithmz$Certificate.signature_hash_algorithmrr)rcdSzJ Returns the ObjectIdentifier of the signature algorithm. NrirRs r(signature_algorithm_oidz#Certificate.signature_algorithm_oidrr);typing.Union[None, padding.PSS, padding.PKCS1v15, ec.ECDSA]cdS)z= Returns the signature algorithm parameters. NrirRs r(signature_algorithm_parametersz*Certificate.signature_algorithm_parametersrr)rcdS)z/ Returns an Extensions object. NrirRs r(r2zCertificate.extensionsrr)cdSz. Returns the signature bytes. NrirRs r( signaturezCertificate.signaturerr)cdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrirRs r(tbs_certificate_bytesz!Certificate.tbs_certificate_bytesrr)cdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. NrirRs r(tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytes rr)rWrXrYcdSz" Checks equality. Nrir]s r(r^zCertificate.__eq__rr)cdSz" Computes a hash. NrirRs r(razCertificate.__hash__rr)encodingserialization.EncodingcdS)zB Serializes the certificate to PEM or DER format. Nrir&rs r( public_byteszCertificate.public_bytesrr)rr!cdS)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nri)r&rs r(verify_directly_issued_byz%Certificate.verify_directly_issued_by$rr)Nrrr rKrf)r rxr rr r?r rr rrb)r rr rrcrerrr rK)rrr r!)r+r,r-abcabstractmethodrrhrrrrrrrrrrr2rrrr^rarrrir)r(rrs@       X    X         X    X    X    X    X    X    X    X    X    X    X                       r)r) metaclassceZdZeejd dZeejd dZeejd dZdS) RevokedCertificater rMcdS)zG Returns the serial number of the revoked certificate. NrirRs r(rz RevokedCertificate.serial_number2rr)r?cdS)zH Returns the date of when this certificate was revoked. NrirRs r(revocation_datez"RevokedCertificate.revocation_date9rr)rcdS)zW Returns an Extensions object containing a list of Revoked extensions. NrirRs r(r2zRevokedCertificate.extensions@rr)Nrfrr) r+r,r-rhrrrrr2rir)r(rr1s    X    X    X   r)rc^eZdZd dZedd Zedd Zedd Zd S)_RawRevokedCertificaterrMrr?r2rc0||_||_||_dSr#_serial_number_revocation_date _extensionsr&rrr2s r(r%z_RawRevokedCertificate.__init__M" , /%r)r c|jSr#)rrRs r(rz$_RawRevokedCertificate.serial_numberWs ""r)c|jSr#)rrRs r(rz&_RawRevokedCertificate.revocation_date[s $$r)c|jSr#)rrRs r(r2z!_RawRevokedCertificate.extensions_s r)N)rrMrr?r2rrfrr)r+r,r-r%rhrrr2rir)r(rrLs&&&&###X#%%%X%   X   r)rceZdZejd/dZejd0dZejd1d Zeejd2dZ eejd3dZ eejd4dZ eejd5dZ eejd6dZ eejd7dZeejd8dZeejd8dZejd9dZejd:dZejd;d"Zejdd*Zejd?d-Zd.S)@CertificateRevocationListrrr rKcdS)z: Serializes the CRL to PEM or DER format. Nrirs r(rz&CertificateRevocationList.public_byteserr)rrcdSrrirs r(rz%CertificateRevocationList.fingerprintkrr)rrM#typing.Optional[RevokedCertificate]cdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nri)r&rs r((get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_numberqrr)rcdSrrirRs r(rz2CertificateRevocationList.signature_hash_algorithmzrr)rcdSrrirRs r(rz1CertificateRevocationList.signature_algorithm_oidrr)rcdS)zC Returns the X509Name with the issuer of this CRL. NrirRs r(rz CertificateRevocationList.issuerrr)"typing.Optional[datetime.datetime]cdS)z? Returns the date of next update for this CRL. NrirRs r( next_updatez%CertificateRevocationList.next_updaterr)r?cdS)z? Returns the date of last update for this CRL. NrirRs r( last_updatez%CertificateRevocationList.last_updaterr)rcdS)zS Returns an Extensions object containing a list of CRL extensions. NrirRs r(r2z$CertificateRevocationList.extensionsrr)cdSrrirRs r(rz#CertificateRevocationList.signaturerr)cdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrirRs r(tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytesrr)rWrXrYcdSrrir]s r(r^z CertificateRevocationList.__eq__rr)cdS)z< Number of revoked certificates in the CRL. NrirRs r(rtz!CertificateRevocationList.__len__rr)idxrcdSr#rir&rs r(rvz%CertificateRevocationList.__getitem__ r)slicetyping.List[RevokedCertificate]cdSr#rirs r(rvz%CertificateRevocationList.__getitem__rr)typing.Union[int, slice]Atyping.Union[RevokedCertificate, typing.List[RevokedCertificate]]cdS)zS Returns a revoked certificate (or slice of revoked certificates). Nrirs r(rvz%CertificateRevocationList.__getitem__rr)#typing.Iterator[RevokedCertificate]cdS)z8 Iterator over the revoked certificates NrirRs r(ruz"CertificateRevocationList.__iter__rr)rrcdS)zQ Verifies signature of revocation list against given public key. Nri)r&rs r(is_signature_validz,CertificateRevocationList.is_signature_validrr)Nrr)rrMr rrrbr)r rrrrcrerf)rrMr r)rrr r)rrr r)r r)rrr rY)r+r,r-rrrrrrhrrrrrr2rrr^rttypingoverloadrvrurrir)r(rrds                 X    X    X    X    X    X    X    X            _   _  _   _                  r)rcHeZdZejddZejddZejd d Zeejd!d Z eejd"d Z eejd#dZ eejd$dZ eejd%dZ ejd&dZeejd'dZeejd'dZeejd(dZejd)dZdS)*CertificateSigningRequestrWrXr rYcdSrrir]s r(r^z CertificateSigningRequest.__eq__rr)rMcdSrrirRs r(raz"CertificateSigningRequest.__hash__rr)rcdSrrirRs r(rz$CertificateSigningRequest.public_keyrr)rcdSrrirRs r(rz!CertificateSigningRequest.subjectrr)rcdSrrirRs r(rz2CertificateSigningRequest.signature_hash_algorithmrr)rcdSrrirRs r(rz1CertificateSigningRequest.signature_algorithm_oidrr)rcdS)z@ Returns the extensions in the signing request. NrirRs r(r2z$CertificateSigningRequest.extensionsrr)rkcdS)z/ Returns an Attributes object. NrirRs r(r8z$CertificateSigningRequest.attributesrr)rrrKcdS)z; Encodes the request to PEM or DER format. Nrirs r(rz&CertificateSigningRequest.public_bytesrr)cdSrrirRs r(rz#CertificateSigningRequest.signature"rr)cdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrirRs r(tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytes)rr)cdS)z8 Verifies signature of signing request. NrirRs r(rz,CertificateSigningRequest.is_signature_valid1rr)rcdS)z: Get the attribute value for a given OID. Nri)r&rs r(rsz/CertificateSigningRequest.get_attribute_for_oid8rr)Nrerfrrrrbr)r rkrrc)r rY)rrr rK)r+r,r-rrr^rarrhrrrr2r8rrrrrsrir)r(rrs6                 X    X    X    X    X         X    X    X        r)rdatarKbackend typing.Anyc*tj|Sr#) rust_x509load_pem_x509_certificaterrs r(r r D  .t 4 44r)typing.List[Certificate]c*tj|Sr#)r load_pem_x509_certificates)rs r(rrJs  / 5 55r)c*tj|Sr#)r load_der_x509_certificater s r(rrOrr)c*tj|Sr#)r load_pem_x509_csrr s r(rrV  &t , ,,r)c*tj|Sr#)r load_der_x509_csrr s r(rr]rr)c*tj|Sr#)r load_pem_x509_crlr s r(rrdrr)c*tj|Sr#)r load_der_x509_crlr s r(rrkrr)cHeZdZdggfd"dZd#d Zd$dZddd%dZ d&d'd!ZdS)( CertificateSigningRequestBuilderN subject_nametyping.Optional[Name]r2r3r8r9c0||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerro)r&rr2r8s r(r%z)CertificateSigningRequestBuilder.__init__rs"*%%r)namerr ct|tstd|jt dt ||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)r[r TypeErrorr"r5rrror&r#s r(rz-CertificateSigningRequestBuilder.subject_names\$%% ;9:: :   )EFF F/ $"D$4   r)extvalrcriticalrYct|tstdt|j||}t ||jt|j|j|gz|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) r[rr'rrr7rrr"ror&r)r*r0s r( add_extensionz.CertificateSigningRequestBuilder.add_extensionsw &-00 B@AA Afj(F;; #It/?@@@/     { *     r))_tagrrrJrKr/typing.Optional[_ASN1Type]cnt|tstdt|tstd|$t|tstdt ||j||j}nd}t|j |j |j|||fgzS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) r[rr'rKrr=rorJrr"r)r&rrJr/tags r( add_attributez.CertificateSigningRequestBuilder.add_attributes#/00 ?=>> >%'' 3122 2  JtY$?$? 344 4#C)9:::  *CCC/      eS 12 2   r) private_keyrr"typing.Optional[_AllowedHashTypes]rr rcZ|jtdtj|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)r"r5r create_x509_csrr&r4rrs r(signz%CertificateSigningRequestBuilder.signs1   %NOO O({IFFFr))rr r2r3r8r9)r#rr r)r)rr*rYr r)rrrJrKr/r0r rr#)r4rrr5rr r r)r+r,r-r%rr.r3r9rir)r(rrqs/3<>  & & & & &         .,0       H# G G G G G G Gr)rc|eZdZUded<ddddddgfd0dZd1dZd1dZd2dZd3dZd4dZ d4dZ d5d$Z d6dd%d7d/Z dS)8CertificateBuilderr3rN issuer_namer rr*typing.Optional[CertificatePublicKeyTypes]rtyping.Optional[int]rrrr2r r!ctj|_||_||_||_||_||_||_||_ dSr#) rxr{_version _issuer_namer" _public_keyr_not_valid_before_not_valid_afterr)r&r<rrrrrr2s r(r%zCertificateBuilder.__init__sK  ')%+!1 /%r)r#rc t|tstd|jt dt ||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. r%N%The issuer name may only be set once.) r[rr'rAr5r;r"rBrrCrDrr(s r(r<zCertificateBuilder.issuer_namesv$%% ;9:: :   (DEE E!         "  !     r)c t|tstd|jt dt |j||j|j|j |j |j S)z: Sets the requestor's distinguished name. r%Nr&) r[rr'r"r5r;rArBrrCrDrr(s r(rzCertificateBuilder.subject_namesv$%% ;9:: :   )EFF F!         "  !     r)keyrc lt|tjtjt jtjtj tj tjfstd|jt#dt%|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)r[r DSAPublicKeyr RSAPublicKeyr EllipticCurvePublicKeyr Ed25519PublicKeyr Ed448PublicKeyrX25519PublicKeyr X448PublicKeyr'rBr5r;rAr"rrCrDr)r&rHs r(rzCertificateBuilder.public_keys   )($&"     !    'CDD D!         "  !     r)numberrMc Tt|tstd|jt d|dkrt d|dkrt dt |j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) r[rMr'rr5 bit_lengthr;rAr"rBrCrDrr&rQs r(rz CertificateBuilder.serial_number,s&#&& GEFF F   *FGG G Q;;DEE E     # % %H "         "  !     r)r>r?c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)r[rCr'rCr5rG_EARLIEST_UTC_TIMErDr;rAr"rBrrr&r>s r(rz#CertificateBuilder.not_valid_beforeGs$ 122 :899 9  ! -IJJ J)$// $ $ $$   ,8M1M1M "           !     r)c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rZNz)The not valid after may only be set once.zrrrrr2r3r r!)r#rr r;)rHrr r;)rQrMr r;)r>r?r r;)r)rr*rYr r;r#) r4rrr5rr r_r`r r) r+r,r-__annotations__r%r<rrrrrr.r9rir)r(r;r;s 6666.2.2AE.2?C>B<>&&&&&&    $    $# # # # J    6    :    @    4# '  ' ' ' ' ' ' ' ' r)r;cleZdZUded<ded<dddggfd$d Zd%dZd&dZd'dZd(dZd)dZ d*d+d#Z dS), CertificateRevocationListBuilderr3rr_revoked_certificatesNr<r rrrr2revoked_certificatescL||_||_||_||_||_dSr#)rA _last_update _next_updaterri)r&r<rrr2rjs r(r%z)CertificateRevocationListBuilder.__init__s2(''%%9"""r)rr ct|tstd|jt dt ||j|j|j|j S)Nr%rF) r[rr'rAr5rhrlrmrri)r&r<s r(r<z,CertificateRevocationListBuilder.issuer_namesj+t,, ;9:: :   (DEE E/         &    r)r?cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j ||j|j |j S)NrZ!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) r[rCr'rlr5rGr[rmrhrArri)r&rs r(rz,CertificateRevocationListBuilder.last_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LK 0         &    r)cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j||j |j S)NrZrprqz8The next update date must be after the last update date.) r[rCr'rmr5rGr[rlrhrArri)r&rs r(rz,CertificateRevocationListBuilder.next_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LJ 0         &    r)r)rr*rYct|tstdt|j||}t ||jt|j|j |j |j|gz|j S)zM Adds an X.509 extension to the certificate revocation list. r,) r[rr'rrr7rrhrArlrmrir-s r(r.z.CertificateRevocationListBuilder.add_extensions &-00 B@AA Afj(F;; #It/?@@@/         { *  &    r)revoked_certificaterct|tstdt|j|j|j|j|j|gzS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) r[rr'rhrArlrmrri)r&rts r(add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificate(sa -/ABB IGHH H/          &*=)> >    r)r4rrr5rr rc|jtd|jtd|jtdt j|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rAr5rlrmr create_x509_crlr8s r(r9z%CertificateRevocationListBuilder.sign9sa   $=>> >   $ABB B   $ABB B({IFFFr)) r<r rrrrr2r3rjr)r<rr rh)rr?r rh)rr?r rh)r)rr*rYr rh)rtrr rhr#)r4rrr5rr r r) r+r,r-rfr%r<rrr.rvr9rir)r(rhrhs6666::::.2:>:><>@B : : : : :         0    0    &    *# GGGGGGGr)rhc@eZdZddgfddZdd ZddZddZdddZdS)RevokedCertificateBuilderNrr>rrr2r3c0||_||_||_dSr#rrs r(r%z"RevokedCertificateBuilder.__init__Lrr)rQrMr c$t|tstd|jt d|dkrt d|dkrt dt ||j|jS)NrSrTrz$The serial number should be positiverUrV) r[rMr'rr5rWrzrrrXs r(rz'RevokedCertificateBuilder.serial_numberVs&#&& GEFF F   *FGG G Q;;CDD D     # % %H ) D)4+;   r)r>r?ct|tjstd|jt dt |}|t krt dt|j||j S)NrZz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) r[rCr'rr5rGr[rzrrr\s r(rz)RevokedCertificateBuilder.revocation_datehs$ 122 :899 9  ,HII I)$// $ $ $L )  t'7   r)r)rr*rYct|tstdt|j||}t ||jt|j|j |j|gzS)Nr,) r[rr'rrr7rrzrrr-s r(r.z'RevokedCertificateBuilder.add_extensionxsw&-00 B@AA Afj(F;; #It/?@@@(    !   { *   r)rr rc|jtd|jtdt|j|jt |jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr5rrrr)r&rs r(buildzRevokedCertificateBuilder.buildsf   &NOO O  (C &    ! t' ( (   r))rr>rrr2r3)rQrMr rz)r>r?r rz)r)rr*rYr rzr#)rr r r)r+r,r-r%rrr.rrir)r(rzrzKs/3>B<> &&&&&    $                r)rzrMcbttjdddz S)Nbigr)rM from_bytesosurandomrir)r(random_serial_numberrs# >>"*R..% 0 0A 55r))r0r1r2r3r r!)rrr8r9r r!)r>r?r r?r#)rrKrr r r)rrKr r)rrKrr r r)rrKrr r rrf)M __future__rrrCrr cryptographyr"cryptography.hazmat.bindings._rustrr cryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrr r r r r rr/cryptography.hazmat.primitives.asymmetric.typesrrrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrr[UnionSHA224SHA256SHA384SHA512SHA3_224SHA3_256SHA3_384SHA3_512_AllowedHashTypes Exceptionrr7r=rGrIrkEnumrxr}ABCMetarregisterrrrrr rrrrrrrr;rhrzrrir)r(rs #"""""  @@@@@@@@@@@@@@                      32222222222222&X&tQ22L M M M M O O O O   EEEE E E E E    !8!8!8!8!8!8!8!8HFFFFFFFF(     ej   -----Y--- F F F F F CKF F F F T Y*+++     3;    0I8999     /   0y y y y y #+y y y y x""9#FGGGY Y Y Y Y #+Y Y Y Y z""9#FGGG (,55555 6666 (,55555(,-----(,-----(,-----(,----- YGYGYGYGYGYGYGYGxt t t t t t t t nDGDGDGDGDGDGDGDGNF F F F F F F F R666666r)