,dfHddlmZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z ddl mZddlmZmZmZGdd ejZGd d ejZe je je je je jfZd$dZGddejZGddZGddejZ GddejZ!GddejZ"GddZ#GddZ$d%d"Z%d&d#Z&dS)') annotationsN)utilsx509)ocsp)hashes serialization) CertificateIssuerPrivateKeyTypes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionceZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAME6lib/python3.11/site-packages/cryptography/x509/ocsp.pyrrs D DDDrrc&eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) rrr SUCCESSFULMALFORMED_REQUESTINTERNAL_ERROR TRY_LATER SIG_REQUIRED UNAUTHORIZEDrrrrrs-JNILLLLrr algorithmhashes.HashAlgorithmreturnNonecNt|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)r$s r_verify_algorithmr,/s3 i 1 1  G     rceZdZdZdZdZdS)OCSPCertStatusrrrN)rrrGOODREVOKEDUNKNOWNrrrr.r.6s DGGGGrr.ceZdZddZdS)_SingleResponsecertx509.Certificateissuerr$r% cert_statusr. this_updatedatetime.datetime next_update"typing.Optional[datetime.datetime]revocation_timerevocation_reason!typing.Optional[x509.ReasonFlags]c ft|tjrt|tjstdt |t|t jstd|)t|t jstd||_||_||_||_ ||_ t|tstd|tj ur#|td|tdn}t|t jstdt|}|tkrtd|)t|tjstd ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r)r Certificate TypeErrorr,datetime_cert_issuer _algorithm _this_update _next_updater.r0r+r r ReasonFlags _cert_status_revocation_time_revocation_reason) selfr4r6r$r7r8r:r<r=s r__init__z_SingleResponse.__init__=s$ 011 E D$: :  ECDD D)$$$+x'899 ECDD D  ": *, , "KLL L  #''+~66 J  n4 4 4* !!, "- ox/@AA M KLLL8IIO!333 ' !,Z!4#366, # ( /"3rN)r4r5r6r5r$r%r7r.r8r9r:r;r<r;r=r>)rrrrNrrrr3r3<s.B4B4B4B4B4B4rr3c*eZdZeejddZeejddZeejddZeejddZ ejdd Z eejdd Z dS) OCSPRequestr&bytescdSz3 The hash of the issuer public key NrrMs rissuer_key_hashzOCSPRequest.issuer_key_hashrcdSz- The hash of the issuer name NrrTs rissuer_name_hashzOCSPRequest.issuer_name_hashrVrr%cdSzK The hash algorithm used in the issuer name and key hashes NrrTs rhash_algorithmzOCSPRequest.hash_algorithmrVrintcdSzM The serial number of the cert whose status is being checked NrrTs r serial_numberzOCSPRequest.serial_numberrVrencodingserialization.EncodingcdS)z/ Serializes the request to DER NrrMras r public_byteszOCSPRequest.public_bytesrVrx509.ExtensionscdS)zP The list of request extensions. Not single request extensions. NrrTs r extensionszOCSPRequest.extensionsrVrNr&rQr&r%r&r]rarbr&rQr&rf) rrrpropertyabcabstractmethodrUrYr\r`rerhrrrrPrPs    X    X    X    X         X   rrP) metaclassceZdZeejddZeejddZeejddZeejdd Z eejdd Z eejdd Z eejdd Z eejddZ eejddZdS)OCSPSingleResponser&r.cdSzY The status of the certificate (an element from the OCSPCertStatus enum) NrrTs rcertificate_statusz%OCSPSingleResponse.certificate_statusrVrr;cdSz^ The date of when the certificate was revoked or None if not revoked. NrrTs rr<z"OCSPSingleResponse.revocation_timerVrr>cdSzi The reason the certificate was revoked or None if not specified or not revoked. NrrTs rr=z$OCSPSingleResponse.revocation_reasonrVrr9cdSz The most recent time at which the status being indicated is known by the responder to have been correct NrrTs rr8zOCSPSingleResponse.this_updaterVrcdSzC The time when newer information will be available NrrTs rr:zOCSPSingleResponse.next_updaterVrrQcdSrSrrTs rrUz"OCSPSingleResponse.issuer_key_hashrVrcdSrXrrTs rrYz#OCSPSingleResponse.issuer_name_hashrVrr%cdSr[rrTs rr\z!OCSPSingleResponse.hash_algorithmrVrr]cdSr_rrTs rr`z OCSPSingleResponse.serial_numberrVrNr&r.r&r;r&r>r&r9rirjrk)rrrrnrorprvr<r=r8r:rUrYr\r`rrrrsrss    X    X    X    X    X    X    X    X    X   rrscJeZdZeejd*dZeejd+dZeejd,dZeejd-d Z eejd.d Z eejd.d Z eejd/dZ eejd0dZ eejd1dZeejd2dZeejd3dZeejd4dZeejd5dZeejd2dZeejd4dZeejd.dZeejd.dZeejd6d Zeejd7d"Zeejd8d$Zeejd8d%Zejd9d(Zd)S): OCSPResponser&#typing.Iterator[OCSPSingleResponse]cdS)z_ An iterator over the individual SINGLERESP structures in the response NrrTs r responseszOCSPResponse.responsesrVrrcdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration NrrTs rresponse_statuszOCSPResponse.response_statusrVrx509.ObjectIdentifiercdS)zA The ObjectIdentifier of the signature algorithm NrrTs rsignature_algorithm_oidz$OCSPResponse.signature_algorithm_oidrVr%typing.Optional[hashes.HashAlgorithm]cdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed NrrTs rsignature_hash_algorithmz%OCSPResponse.signature_hash_algorithm rVrrQcdS)z% The signature bytes NrrTs r signaturezOCSPResponse.signaturerVrcdS)z+ The tbsResponseData bytes NrrTs rtbs_response_byteszOCSPResponse.tbs_response_bytesrVrtyping.List[x509.Certificate]cdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. NrrTs r certificateszOCSPResponse.certificates rVrtyping.Optional[bytes]cdS)z2 The responder's key hash or None NrrTs rresponder_key_hashzOCSPResponse.responder_key_hash)rVrtyping.Optional[x509.Name]cdS)z. The responder's Name or None NrrTs rresponder_namezOCSPResponse.responder_name0rVrr9cdS)z4 The time the response was produced NrrTs r produced_atzOCSPResponse.produced_at7rVrr.cdSrurrTs rrvzOCSPResponse.certificate_status>rVrr;cdSrxrrTs rr<zOCSPResponse.revocation_timeErVrr>cdSrzrrTs rr=zOCSPResponse.revocation_reasonMrVrcdSr|rrTs rr8zOCSPResponse.this_updateUrVrcdSr~rrTs rr:zOCSPResponse.next_update]rVrcdSrSrrTs rrUzOCSPResponse.issuer_key_hashdrVrcdSrXrrTs rrYzOCSPResponse.issuer_name_hashkrVrr%cdSr[rrTs rr\zOCSPResponse.hash_algorithmrrVrr]cdSr_rrTs rr`zOCSPResponse.serial_numberyrVrrfcdS)zR The list of response extensions. Not single response extensions. NrrTs rrhzOCSPResponse.extensionsrVrcdS)zR The list of single response extensions. Not response extensions. NrrTs rsingle_extensionszOCSPResponse.single_extensionsrVrrarbcdS)z0 Serializes the response to DER Nrrds rrezOCSPResponse.public_bytesrVrN)r&r)r&r)r&r)r&rri)r&r)r&r)r&rrrrrrjrkrmrl)rrrrnrorprrrrrrrrrrrvr<r=r8r:rUrYr\r`rhrrerrrrrs    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X        rrc>eZdZddgfdd ZddZd dZd!dZd"dZdS)#OCSPRequestBuilderNrequestWtyping.Optional[typing.Tuple[x509.Certificate, x509.Certificate, hashes.HashAlgorithm]] request_hashFtyping.Optional[typing.Tuple[bytes, bytes, int, hashes.HashAlgorithm]]rh/typing.List[x509.Extension[x509.ExtensionType]]r&r'c0||_||_||_dSN)_request _request_hash _extensions)rMrrrhs rrNzOCSPRequestBuilder.__init__s!  )%rr4r5r6r$r%c|j|jtdt|t |t jrt |t jstdt|||f|j|j S)N.Only one certificate can be added to a requestr@) rrr+r,r)rrArBrr)rMr4r6r$s radd_certificatez"OCSPRequestBuilder.add_certificates = $(:(FMNN N)$$$$ 011 E D$: :  ECDD D! 69 %t'94;K   rrYrQrUr`r]c|j|jtdt|tst dt |tjd|tjd||j t|ks|j t|krtdt|j||||f|j S)Nrz serial_number must be an integerrYrUz`issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm) rrr+r)r]rBr,r _check_bytes digest_sizelenrr)rMrYrUr`r$s radd_certificate_by_hashz*OCSPRequestBuilder.add_certificate_by_hashs = $(:(FMNN N--- @>?? ?)$$$ -/?@@@ ,o>>>  C % %    "c/&:&: : :6  " M  y I     rextvalx509.ExtensionTypecriticalboolct|tjstdtj|j||}t ||jt|j |j |j|gzSNz"extension must be an ExtensionType) r)r ExtensionTyperB Extensionoidr rrrrrMrr extensions r add_extensionz OCSPRequestBuilder.add_extensionsy&$"455 B@AA AN6:x@@ #It/?@@@! M4-t/?9+/M   rrPcd|j|jtdtj|S)Nz*You must add a certificate before building)rrr+rcreate_ocsp_requestrTs rbuildzOCSPRequestBuilder.builds2 = T%7%?IJJ J'---r)rrrrrhrr&r')r4r5r6r5r$r%r&r) rYrQrUrQr`r]r$r%r&r)rrrrr&r)r&rP)rrrrNrrrrrrrrrs  FH&&&&&     &    <     ......rrc`eZdZdddgfd.d Zd/dZd0dZd1d Zd2d%Zd3d*Ze d4d-Z dS)5OCSPResponseBuilderNresponse typing.Optional[_SingleResponse] responder_idFtyping.Optional[typing.Tuple[x509.Certificate, OCSPResponderEncoding]]certs.typing.Optional[typing.List[x509.Certificate]]rhrc>||_||_||_||_dSr) _response _responder_id_certsr)rMrrrrhs rrNzOCSPResponseBuilder.__init__s(") %rr4r5r6r$r%r7r.r8r9r:r;r<r=r>r&c |jtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rr+r3rrrr) rMr4r6r$r7r8r:r<r= singleresps r add_responsez OCSPResponseBuilder.add_responsesj > %BCC C$           #    K      rrarresponder_certc|jtdt|tjst dt|t st dt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rr+r)rrArBrrrrr)rMrars rrz OCSPResponseBuilder.responder_ids   )@AA A.$*:;; DBCC C($9:: H # N X & K      r!typing.Iterable[x509.Certificate]c"|jtdt|}t|dkrtdt d|Dst dt |j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listc3JK|]}t|tjVdSr)r)rrA).0xs r z3OCSPResponseBuilder.certificates..4s/BBq:a!122BBBBBBrz$certs must be a list of Certificates) rr+listrallrBrrrr)rMrs rrz OCSPResponseBuilder.certificates,s ; "@AA AU  u::??>?? ?BBEBBBBB DBCC C" N         rrrrrct|tjstdtj|j||}t ||jt|j |j |j |j|gzSr) r)rrrBrrr rrrrrrs rrz!OCSPResponseBuilder.add_extension=s&$"455 B@AA AN6:x@@ #It/?@@@" N   K   { *    r private_keyr rrc|jtd|jtdtjt j|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rr+rrcreate_ocsp_responserr)rMrr$s rsignzOCSPResponseBuilder.signMsT > !EFF F   %IJJ J(  )4i   rrrct|tstd|tjurt dt j|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r)rrBrr+rr)clsrs rbuild_unsuccessfulz&OCSPResponseBuilder.build_unsuccessful[sc/+=>> I  0; ; ;CDD D($dKKKr)rrrrrrrhr)r4r5r6r5r$r%r7r.r8r9r:r;r<r;r=r>r&r)rarrr5r&r)rrr&r)rrrrr&r)rr r$rr&r)rrr&r) rrrrNrrrrr classmethodrrrrrrs6: @DFH & & & & &    >    &    "         L L L[ L L LrrdatarQc*tj|Sr)rload_der_ocsp_requestrs rrris  %d + ++rc*tj|Sr)rload_der_ocsp_responsers rrrms  &t , ,,r)r$r%r&r')rrQr&rP)rrQr&r)' __future__rrorCtyping cryptographyrr"cryptography.hazmat.bindings._rustrcryptography.hazmat.primitivesrr/cryptography.hazmat.primitives.asymmetric.typesr cryptography.x509.baser r r EnumrrSHA1SHA224SHA256SHA384SHA512r*r,r.r3ABCMetarPrsrrrrrrrrr s #"""""  $$$$$$$$333333@@@@@@@@EJ  K M M M M     UZ C4C4C4C4C4C4C4C4L( ( ( ( ( CK( ( ( ( VA A A A A 3;A A A A Ha a a a a S[a a a a HS.S.S.S.S.S.S.S.l{L{L{L{L{L{L{L{L|,,,,------r