[Binary residue: a compiled Python 3.7 bytecode (.pyc) dump of `/opt/alt/python37/lib64/python3.7/site-packages/cryptography/x509/base.py` (the `cryptography` package's X.509 base module: Certificate, CertificateRevocationList, CertificateSigningRequest, RevokedCertificate and their builder classes). No readable source text survives beyond the module path and class names.]