B \Úæ`ÿxã@stddlmZmZmZddlZddlZddlmZmZddl m Z ddl m Z ddl mZddlmZmZmZGdd „d eƒZd d „Zd d „Zdd„Zdd„Zdd„Zdd„Zdd„Zdd„ZGdd„deƒZdd„Zdd„Zd d!„Z d"d#„Z!d$d%„Z"d&d'„Z#d(d)„Z$d*d+„Z%d,d-„Z&d.d/„Z'd0d1„Z(d2d3„Z)d4d5„Z*d6d7„Z+dZ,d8Z-d9d:„Z.d;d<„Z/d=d>„Z0d?d@„Z1dAdB„Z2e j3j4e j3j5e j3j6e j3j7e j3j8e j3j9e j3j:e j3j;e j3je j3j4de j3j5d8e j3j6dDe j3j7dEe j3j8dFe j3j9dGe j3j:dHe j3j;dIe j3jKsz$_decode_x509_name..) rZX509_NAME_entry_countÚrangeZX509_NAME_get_entryr'Z Cryptography_X509_NAME_ENTRY_setÚappendÚsetÚaddrÚName) rZ x509_nameÚcountÚ attributesZ prev_set_idÚxÚentryZ attributeZset_idrrrÚ_decode_x509_name<s   r5cCsV|j |¡}g}x@t|ƒD]4}|j ||¡}| ||jjk¡| t||ƒ¡qW|S)N) rZsk_GENERAL_NAME_numr,Zsk_GENERAL_NAME_valuerrr r-Ú_decode_general_name)rÚgnsÚnumÚnamesÚiÚgnrrrÚ_decode_general_namesNs r<c Cs|j|jjkr.t||jjƒ d¡}tj  |¡S|j|jj kr\t||jj ƒ d¡}tj   |¡S|j|jj krˆt||jjƒ}t t |¡¡S|j|jjkrbt||jjƒ}t|ƒ}|dksÀ|dkrNt |d|d…¡}t ||dd…¡}tt|ƒƒdd…}| d¡}|dkrt|ƒ}d||d…kr6tdƒ‚t |jd  |¡¡} n t |¡} t | ¡S|j|jjkr†t  t!||jj"ƒ¡S|j|jj#kr¶t||jj$ƒ d¡}tj%  |¡S|j|jj&krøt||jj'j(ƒ} t)||jj'j*ƒ} t +t | ¡| ¡St ,d  tj- .|j|j¡¡|j¡‚dS) NÚutf8éé éÚ0r(Ú1zInvalid netmaskz/{0}z{0} is not a supported type)/r"rZGEN_DNSÚ_asn1_string_to_bytesÚdZdNSNamerrZDNSNameZ_init_without_validationZGEN_URIZuniformResourceIdentifierZUniformResourceIdentifierZGEN_RIDrZ registeredIDZ RegisteredIDr#Z GEN_IPADDZ iPAddressÚlenÚ ipaddressZ ip_addressÚbinÚintÚfindÚ ValueErrorZ ip_networkZexplodedÚformatZ IPAddressZ GEN_DIRNAMEZ DirectoryNamer5Z directoryNameZ GEN_EMAILZ rfc822NameZ RFC822NameZ GEN_OTHERNAMEZ otherNameÚtype_idÚ _asn1_to_derr%Z OtherNameZUnsupportedGeneralNameTypeZ_GENERAL_NAMESÚget) rr;r$r&Zdata_lenÚbaseZnetmaskÚbitsÚprefixZiprLr%rrrr6YsP        r6cCst ¡S)N)rZ OCSPNoCheck)rÚextrrrÚ_decode_ocsp_no_check§srScCs0|j d|¡}|j ||jj¡}t t||ƒ¡S)NzASN1_INTEGER *)rÚcastÚgcrÚASN1_INTEGER_freerZ CRLNumberÚ_asn1_integer_to_int)rrRÚasn1_intrrrÚ_decode_crl_number«srYcCs0|j d|¡}|j ||jj¡}t t||ƒ¡S)NzASN1_INTEGER *)rrTrUrrVrZDeltaCRLIndicatorrW)rrRrXrrrÚ_decode_delta_crl_indicator±srZc@seZdZdd„Zdd„ZdS)Ú_X509ExtensionParsercCs||_||_||_dS)N)Ú ext_countÚget_extÚhandlers)Úselfr\r]r^rrrÚ__init__¸sz_X509ExtensionParser.__init__c CsÈg}tƒ}x°t| ||¡ƒD]š}| |||¡}| ||jjk¡|j |¡}|dk}t   t ||j  |¡ƒ¡} | |krŠt   d | ¡| ¡‚| tjkrä|j |¡} t t|| ƒ¡} t  dd„| Dƒ¡} | t  | || ¡¡| | ¡qy|j| } Wnntk r`|j |¡} | | |jjk¡|j | j| j¡dd…}t  | |¡}| t  | ||¡¡YnPX|j |¡}||jjkr’|  ¡t!d | ¡ƒ‚| ||ƒ} | t  | || ¡¡| | ¡qWt  "|¡S)NrzDuplicate {0} extension foundcSsg|]}t|j‘qSr)rZnative)r*r3rrrú Ôsz._X509ExtensionParser.parse..z0The {0} extension is invalid and can't be parsed)#r.r,r\r]rrr rZX509_EXTENSION_get_criticalrr#rZX509_EXTENSION_get_objectZDuplicateExtensionrKr Z TLS_FEATUREZX509_EXTENSION_get_datar ÚloadrCZ TLSFeaturer-Z Extensionr/r^ÚKeyErrorrr$ÚlengthZUnrecognizedExtensionZX509V3_EXT_d2iZ_consume_errorsrJZ Extensions)r_rZx509_objÚ extensionsZ seen_oidsr:rRZcritZcriticalr&r$Zparsedr%ZhandlerZderZ unrecognizedZext_datarrrÚparse½sN        z_X509ExtensionParser.parseN)rrrr`rfrrrrr[·sr[cCs@|j d|¡}|j ||jj¡}|j |¡}g}xt|ƒD]ö}d}|j ||¡}t  t ||j ƒ¡}|j |jj kr |j |j ¡}g}x˜t|ƒD]Œ} |j |j | ¡} t  t || jƒ¡} | tjkrô|j | jjj| jjj¡dd… d¡} | | ¡q| tjkst‚t|| jjƒ} | | ¡qW| t ||¡¡q)rrTrUrZASN1_BIT_STRING_freeÚASN1_BIT_STRING_get_bitrZKeyUsage) rZ bit_stringÚget_bitZdigital_signatureZcontent_commitmentZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_onlyrrrÚ_decode_key_usage~s,r‚cCs.|j d|¡}|j ||jj¡}t||ƒ}|S)NzGENERAL_NAMES *)rrTrUrÚGENERAL_NAMES_freer<)rr7Ú general_namesrrrÚ_decode_general_names_extension˜s r…cCst t||ƒ¡S)N)rZSubjectAlternativeNamer…)rrRrrrÚ_decode_subject_alt_nameŸsr†cCst t||ƒ¡S)N)rZIssuerAlternativeNamer…)rrRrrrÚ_decode_issuer_alt_name¥sr‡cCsF|j d|¡}|j ||jj¡}t||jƒ}t||jƒ}tj ||dS)NzNAME_CONSTRAINTS *)Zpermitted_subtreesZexcluded_subtrees) rrTrUrZNAME_CONSTRAINTS_freeÚ_decode_general_subtreesZpermittedSubtreesZexcludedSubtreesrZNameConstraints)rZncZ permittedZexcludedrrrÚ_decode_name_constraints«s   r‰cCsl||jjkrdS|j |¡}g}xFt|ƒD]:}|j ||¡}| ||jjk¡t||jƒ}|  |¡q*W|S)N) rr rZsk_GENERAL_SUBTREE_numr,Zsk_GENERAL_SUBTREE_valuerr6rOr-)rZstack_subtreesr8Zsubtreesr:rÚnamerrrrˆµs   rˆcCsD|j d|¡}|j ||jj¡}t||jƒ}t||jƒ}t  ||¡S)NzPOLICY_CONSTRAINTS *) rrTrUrZPOLICY_CONSTRAINTS_freerrZrequireExplicitPolicyZinhibitPolicyMappingrZPolicyConstraints)rZpcZrequire_explicit_policyZinhibit_policy_mappingrrrÚ_decode_policy_constraintsÅs  r‹cCs†|j d|¡}|j ||jj¡}|j |¡}g}xJt|ƒD]>}|j ||¡}| ||jj k¡t   t ||ƒ¡}|  |¡q:Wt  |¡S)Nz#Cryptography_STACK_OF_ASN1_OBJECT *)rrTrUrZsk_ASN1_OBJECT_freeZsk_ASN1_OBJECT_numr,Zsk_ASN1_OBJECT_valuerr rr#rr-ZExtendedKeyUsage)rZskr8Zekusr:rr&rrrÚ_decode_extended_key_usageÕs rŒrc Cs.|j d|¡}|j ||jj¡}|j |¡}g}xöt|ƒD]è}d}d}d}d}|j ||¡} | j|jj krZg}|jj } | | jdƒr–|  t j j¡| | jdƒr°|  t j j¡| | jdƒrÊ|  t j j¡| | jdƒrä|  t j j¡| | jdƒrþ|  t j j¡| | jdƒr|  t j j¡| | jdƒr6|  t j j¡| | jd ƒrR|  t j j¡t|ƒ}| j|jj krvt|| jƒ}| j|jj kr| jjtkr¦t|| jjjƒ}nj| jjj} |j | ¡} t ƒ} xBt| ƒD]6}|j !| |¡}| "||jj k¡|  #t$||ƒ¡qÌWt  %| ¡}|  t  &||||¡¡q)'rrTrUrZCRL_DIST_POINTS_freeZsk_DIST_POINT_numr,Zsk_DIST_POINT_valueÚreasonsr r€r-rÚ ReasonFlagsÚkey_compromiseÚ ca_compromiseÚaffiliation_changedÚ supersededÚcessation_of_operationÚcertificate_holdÚprivilege_withdrawnÚ aa_compromiseÚ frozensetZ CRLissuerr<Z distpointr"Ú_DISTPOINT_TYPE_FULLNAMErŠÚfullnameZ relativenameZsk_X509_NAME_ENTRY_numr.Zsk_X509_NAME_ENTRY_valuerr/r'r)ZDistributionPoint)rÚcdpsr8Ú dist_pointsr:Z full_nameZ relative_nameZ crl_issuerrZcdprZrnsZrnumr2ZrnrrrÚ_decode_dist_pointsèsd           rœcCst||ƒ}t |¡S)N)rœrZCRLDistributionPoints)rršr›rrrÚ_decode_crl_distribution_pointsFs rcCst||ƒ}t |¡S)N)rœrZ FreshestCRL)rršr›rrrÚ_decode_freshest_crlKs ržcCs4|j d|¡}|j ||jj¡}t||ƒ}t |¡S)NzASN1_INTEGER *)rrTrUrrVrWrZInhibitAnyPolicy)rrXZ skip_certsrrrÚ_decode_inhibit_any_policyPs rŸcCstddlm}|j d|¡}|j ||jj¡}g}x8t|j |¡ƒD]$}|j  ||¡}|  ||||ƒ¡qBWt   |¡S)Nr)Ú_SignedCertificateTimestampzCryptography_STACK_OF_SCT *) Z)cryptography.hazmat.backends.openssl.x509r rrTrUrZ SCT_LIST_freer,Z sk_SCT_numZ sk_SCT_valuer-rZ)PrecertificateSignedCertificateTimestamps)rZ asn1_sctsr Zsctsr:ZsctrrrÚ-_decode_precert_signed_certificate_timestampsWs r¡) rrr@r{r|r}r~r>é é r@r{r|r}r~r>r¢r£cCsb|j d|¡}|j ||jj¡}|j |¡}yt t|¡St k r\t d  |¡ƒ‚YnXdS)NzASN1_ENUMERATED *zUnsupported reason code: {0}) rrTrUrZASN1_ENUMERATED_freeZASN1_ENUMERATED_getrZ CRLReasonÚ_CRL_ENTRY_REASON_CODE_TO_ENUMrcrJrK)rÚenumÚcoderrrÚ_decode_crl_reasonŽs r§cCs0|j d|¡}|j ||jj¡}t t||ƒ¡S)NzASN1_GENERALIZEDTIME *)rrTrUrÚASN1_GENERALIZEDTIME_freerZInvalidityDateÚ_parse_asn1_generalized_time)rZinv_dateÚgeneralized_timerrrÚ_decode_invalidity_date™s  r«cCs4|j d|¡}|j ||jj¡}t||ƒ}t |¡S)NzGENERAL_NAMES *)rrTrUrrƒr<rZCertificateIssuer)rr7r„rrrÚ_decode_cert_issuer¥s r¬csnˆj d¡}ˆj ||¡}ˆ |dk¡ˆ |dˆjjk¡ˆj |‡fdd„¡}ˆj |d|¡dd…S)Nzunsigned char **rcsˆj |d¡S)Nr)rÚ OPENSSL_free)r)rrrÚ²óz_asn1_to_der..)rrrZ i2d_ASN1_TYPErr rUr)rZ asn1_typerrr)rrrM¬s rMcCs@|j ||jj¡}| ||jjk¡|j ||jj¡}| |¡S)N)rZASN1_INTEGER_to_BNrr rrUZBN_freeZ _bn_to_int)rrXZbnrrrrW·srWcCs||jjkrdSt||ƒSdS)N)rr rW)rrXrrrrr¾s rrcCs|j |j|j¡dd…S)N)rrr$rd)rrtrrrrCÅsrCcCst||ƒ d¡S)Nrg)rCr)rrtrrrÚ_asn1_string_to_asciiÉsr°cs~ˆj d¡}ˆj ||¡}|dkr2td |j¡ƒ‚ˆ |dˆjjk¡ˆj  |‡fdd„¡}ˆj  |d|¡dd…  d¡S)Nzunsigned char **r(z'Unsupported ASN1 string type. Type: {0}rcsˆj |d¡S)Nr)rr­)r)rrrr®×r¯z&_asn1_string_to_utf8..r=) rrrZASN1_STRING_to_UTF8rJrKr"rr rUrr)rrtrrr)rrr!Ís r!cCs`| ||jjk¡|j ||jj¡}||jjkrDtd t||ƒ¡ƒ‚|j ||jj ¡}t ||ƒS)Nz1Couldn't parse ASN.1 time as generalizedtime {!r}) rrr rZASN1_TIME_to_generalizedtimerJrKrCrUr¨r©)rZ asn1_timerªrrrÚ_parse_asn1_timeÜs   r±cCs"t||j d|¡ƒ}tj |d¡S)Nz ASN1_STRING *z %Y%m%d%H%M%SZ)r°rrTÚdatetimeZstrptime)rrªZtimerrrr©îsr©cCs |j |¡S)N)rÚX509_get_ext_count)rr3rrrr®r¯r®cCs|j ||¡S)N)rÚ X509_get_ext)rr3r:rrrr® r¯)r\r]r^cCs |j |¡S)N)rr³)rr3rrrr®%r¯cCs|j ||¡S)N)rr´)rr3r:rrrr®&r¯cCs |j |¡S)N)rZsk_X509_EXTENSION_num)rr3rrrr®+r¯cCs|j ||¡S)N)rZsk_X509_EXTENSION_value)rr3r:rrrr®,r¯cCs |j |¡S)N)rZX509_REVOKED_get_ext_count)rr3rrrr®1r¯cCs|j ||¡S)N)rZX509_REVOKED_get_ext)rr3r:rrrr®2r¯cCs |j |¡S)N)rZX509_CRL_get_ext_count)rr3rrrr®7r¯cCs|j ||¡S)N)rZX509_CRL_get_ext)rr3r:rrrr®8r¯)jZ __future__rrrr²rFZasn1crypto.corerrZ cryptographyrZcryptography.x509.extensionsrZcryptography.x509.namer Zcryptography.x509.oidr r r r rr'r5r<r6rSrYrZÚobjectr[rnrlrsrurwrzr‚r…r†r‡r‰rˆr‹rŒr˜Z_DISTPOINT_TYPE_RELATIVENAMErœrržrŸr¡rŽZ unspecifiedrrr‘r’r“r”Zremove_from_crlr•r–r¤Z_CRL_ENTRY_REASON_ENUM_TO_CODEr§r«r¬rMrWrrrCr°r!r±r©ZBASIC_CONSTRAINTSZSUBJECT_KEY_IDENTIFIERZ KEY_USAGEZSUBJECT_ALTERNATIVE_NAMEZEXTENDED_KEY_USAGEZAUTHORITY_KEY_IDENTIFIERZAUTHORITY_INFORMATION_ACCESSZCERTIFICATE_POLICIESZCRL_DISTRIBUTION_POINTSZ FRESHEST_CRLZ OCSP_NO_CHECKZINHIBIT_ANY_POLICYZISSUER_ALTERNATIVE_NAMEZNAME_CONSTRAINTSZPOLICY_CONSTRAINTSZ_EXTENSION_HANDLERS_NO_SCTÚcopyZ_EXTENSION_HANDLERSZ%PRECERT_SIGNED_CERTIFICATE_TIMESTAMPSZ CRL_REASONZINVALIDITY_DATEZCERTIFICATE_ISSUERZ_REVOKED_EXTENSION_HANDLERSZ CRL_NUMBERZDELTA_CRL_INDICATORZ_CRL_EXTENSION_HANDLERSZ$_CERTIFICATE_EXTENSION_PARSER_NO_SCTZ_CERTIFICATE_EXTENSION_PARSERZ_CSR_EXTENSION_PARSERZ%_REVOKED_CERTIFICATE_EXTENSION_PARSERZ_CRL_EXTENSION_PARSERrrrrÚsè     N?'  ^