a

� `)g�@s�
dd
lm
Z
mZmZ
ddlZddlZddlZddlmZ
ddl	Z	ddl
mZ
ddlm
Z

ddlmZmZmZmZmZ
ddlmZmZ
ddlmZ
dd	lmZ
e�d
dd�ZGdd
�d
e�Zdd�Zdd�Zdd�Z Gdd�de�Z!d6dd�
Z"d7dd�
Z#d8dd�
Z$d9dd�
Z%d:dd�
Z&d;d d!�
Z'Gd"d#�d#e�Z(e	�)ej*�
Gd$d%�d%e+��
Z,e	�)ej*�
Gd&d'�d'e+��
Z-e	�)ej*�
Gd(d)�d)e+��
Z.e	�)ej*�
Gd*d+�d+e+��
Z/Gd,d-�d-e+�Z0Gd.d/�d/e+�Z1Gd0d1�d1e+�Z2Gd2d3�d3e+�Z3d4d5�Z4dS)<�)�absolute_import�division�print_functionN)
�Enum)
�utils)
�_get_backend)�dsa�ec�ed25519�ed448�rsa)�	Extension�
ExtensionType)
�Name)
�ObjectIdentifieri��
cseZ
dZ�f
d
d�Z�ZS)�AttributeNotFoundcstt
|��|
�

||_dS�
N)�superr�__init__�oid)�self�msgr�
�	__class__��8/usr/lib/python3/dist-packages/cryptography/x509/base.pyr s

zAttributeNotFound.__init__��__name__�
__module__�__qualname__r�
__classcell__rrrrrs
rcCs"|
D]}|j|jkrt
d
�
�
qdS)Nz$This extension has already been set.)r�
ValueError)�	extension�
extensions�
errr�_reject_duplicate_extension%s

r&cCs"|
D]\}}||krtd
�
�
qdS)Nz$This attribute has already been set.)
r")r�
attributesZattr_oid�
_rrr�_reject_duplicate_attribute,s

r)c
Cs:|jd
u
r2|�
�}
|
r|
nt��}
|jd
d�
|
S|Sd
S)z�Normalizes a datetime to a naive datetime in UTC.

    time -- datetime to normalize. Assumed to be in UTC if not timezone
            aware.
    N)
�tzinfo)r*�	utcoffset�datetime�	timedelta�replace)�time�offsetrrr�_convert_to_naive_utc_time3s




r1c
@seZ
dZd
ZdZdS)�Versionr
�N)rrr �v1�v3rrrrr2As

r2cCst|
�
}
|
�
|�
Sr)r�load_pem_x509_certificate��data�backendrrrr6Fs

r6cCst|
�
}
|
�
|�
Sr)r�load_der_x509_certificater7rrrr:Ks

r:cCst|
�
}
|
�
|�
Sr)r�load_pem_x509_csrr7rrrr;Ps

r;cCst|
�
}
|
�
|�
Sr)r�load_der_x509_csrr7rrrr<Us

r<cCst|
�
}
|
�
|�
Sr)r�load_pem_x509_crlr7rrrr=Zs

r=cCst|
�
}
|
�
|�
Sr)r�load_der_x509_crlr7rrrr>_s

r>cseZ
dZ�f
d
d�Z�ZS)�InvalidVersioncstt
|��|
�

||_dSr)rr?r�parsed_version)rrr@rrrres

zInvalidVersion.__init__rrrrrr?ds
r?c@s�eZ
dZejd
d��
Zejdd��
Zejdd��
Zejdd��
Z	ejd	d
��
Z
ejdd��
Zejd
d��
Zejdd��
Z
ejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd ��
Zejd!d"��
Zd#S)$�Certificatec
Csd
S�z4
        Returns bytes using digest passed.
        Nr�r�	algorithmrrr�fingerprintlszCertificate.fingerprintc


Csd
S)z3
        Returns certificate serial number
        Nr�
rrrr�
serial_numberrszCertificate.serial_numberc


Csd
S)z1
        Returns the certificate version
        NrrFrrr�versionxszCertificate.versionc


Csd
S�z(
        Returns the public key
        NrrFrrr�
public_key~szCertificate.public_keyc


Csd
S)z?
        Not before time (represented as UTC datetime)
        NrrFrrr�not_valid_before�szCertificate.not_valid_beforec


Csd
S)z>
        Not after time (represented as UTC datetime)
        NrrFrrr�not_valid_after�szCertificate.not_valid_afterc


Csd
S)z1
        Returns the issuer name object.
        NrrFrrr�issuer�szCertificate.issuerc


Csd
S�z2
        Returns the subject name object.
        NrrFrrr�subject�szCertificate.subjectc


Csd
S�zt
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        NrrFrrr�signature_hash_algorithm�sz$Certificate.signature_hash_algorithmc


Csd
S�zJ
        Returns the ObjectIdentifier of the signature algorithm.
        NrrFrrr�signature_algorithm_oid�sz#Certificate.signature_algorithm_oidc


Csd
S)z/
        Returns an Extensions object.
        NrrFrrrr$�szCertificate.extensionsc


Csd
S�z.
        Returns the signature bytes.
        NrrFrrr�	signature�szCertificate.signaturec


Csd
S)zR
        Returns the tbsCertificate payload bytes as defined in RFC 5280.
        NrrFrrr�tbs_certificate_bytes�sz!Certificate.tbs_certificate_bytesc
Csd
S�z"
        Checks equality.
        Nr�r�otherrrr�__eq__�szCertificate.__eq__c
Csd
S�z#
        Checks not equal.
        NrrXrrr�__ne__�szCertificate.__ne__c


Csd
S�z"
        Computes a hash.
        NrrFrrr�__hash__�szCertificate.__hash__c
Csd
S)zB
        Serializes the certificate to PEM or DER format.
        Nr�r�encodingrrr�public_bytes�szCertificate.public_bytesN)rrr �abc�abstractmethodrE�abstractpropertyrGrHrJrKrLrMrOrQrSr$rUrVrZr\r^rarrrrrAjsD
































rAc@s�eZ
dZejd
d��
Zejdd��
Zejdd��
Zejdd��
Z	ejd	d
��
Z
ejdd��
Zejd
d��
Zejdd��
Z
ejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd��
Zejdd ��
Zejd!d"��
Zd#S)$�CertificateRevocationListc
Csd
S)z:
        Serializes the CRL to PEM or DER format.
        Nrr_rrrra�sz&CertificateRevocationList.public_bytesc
Csd
SrBrrCrrrrE�sz%CertificateRevocationList.fingerprintc
Csd
S)zs
        Returns an instance of RevokedCertificate or None if the serial_number
        is not in the CRL.
        Nr)rrGrrr�(get_revoked_certificate_by_serial_number�szBCertificateRevocationList.get_revoked_certificate_by_serial_numberc


Csd
SrPrrFrrrrQ�sz2CertificateRevocationList.signature_hash_algorithmc


Csd
SrRrrFrrrrS�sz1CertificateRevocationList.signature_algorithm_oidc


Csd
S)zC
        Returns the X509Name with the issuer of this CRL.
        NrrFrrrrM�sz CertificateRevocationList.issuerc


Csd
S)z?
        Returns the date of next update for this CRL.
        NrrFrrr�next_update�sz%CertificateRevocationList.next_updatec


Csd
S)z?
        Returns the date of last update for this CRL.
        NrrFrrr�last_update
sz%CertificateRevocationList.last_updatec


Csd
S)zS
        Returns an Extensions object containing a list of CRL extensions.
        NrrFrrrr$
sz$CertificateRevocationList.extensionsc


Csd
SrTrrFrrrrU
sz#CertificateRevocationList.signaturec


Csd
S)zO
        Returns the tbsCertList payload bytes as defined in RFC 5280.
        NrrFrrr�tbs_certlist_bytes
sz,CertificateRevocationList.tbs_certlist_bytesc
Csd
SrWrrXrrrrZ
sz CertificateRevocationList.__eq__c
Csd
Sr[rrXrrrr\ 
sz CertificateRevocationList.__ne__c


Csd
S)z<
        Number of revoked certificates in the CRL.
        NrrFrrr�__len__&
sz!CertificateRevocationList.__len__c
Csd
S)zS
        Returns a revoked certificate (or slice of revoked certificates).
        Nr)r�idxrrr�__getitem__,
sz%CertificateRevocationList.__getitem__c


Csd
S)z8
        Iterator over the revoked certificates
        NrrFrrr�__iter__2
sz"CertificateRevocationList.__iter__c
Csd
S)zQ
        Verifies signature of revocation list against given public key.
        Nr)rrJrrr�is_signature_valid8
sz,CertificateRevocationList.is_signature_validN)rrr rbrcrarErfrdrQrSrMrgrhr$rUrirZr\rjrlrmrnrrrrre�sD
































rec@s�eZ
dZejd
d��
Zejdd��
Zejdd��
Zejdd��
Zej	d	d
��
Z
ej	dd��
Zej	d
d��
Zej	dd��
Z
ejdd��
Zej	dd��
Zej	dd��
Zej	dd��
Zej	dd��
ZdS)�CertificateSigningRequestc
Csd
SrWrrXrrrrZA
sz CertificateSigningRequest.__eq__c
Csd
Sr[rrXrrrr\G
sz CertificateSigningRequest.__ne__c


Csd
Sr]rrFrrrr^M
sz"CertificateSigningRequest.__hash__c


Csd
SrIrrFrrrrJS
sz$CertificateSigningRequest.public_keyc


Csd
SrNrrFrrrrOY
sz!CertificateSigningRequest.subjectc


Csd
SrPrrFrrrrQ_
sz2CertificateSigningRequest.signature_hash_algorithmc


Csd
SrRrrFrrrrSf
sz1CertificateSigningRequest.signature_algorithm_oidc


Csd
S)z@
        Returns the extensions in the signing request.
        NrrFrrrr$l
sz$CertificateSigningRequest.extensionsc
Csd
S)z;
        Encodes the request to PEM or DER format.
        Nrr_rrrrar
sz&CertificateSigningRequest.public_bytesc


Csd
SrTrrFrrrrUx
sz#CertificateSigningRequest.signaturec


Csd
S)zd
        Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
        2986.
        NrrFrrr�tbs_certrequest_bytes~
sz/CertificateSigningRequest.tbs_certrequest_bytesc


Csd
S)z8
        Verifies signature of signing request.
        NrrFrrrrn�
sz,CertificateSigningRequest.is_signature_validc


Csd
S)z:
        Get the attribute value for a given OID.
        NrrFrrr�get_attribute_for_oid�
sz/CertificateSigningRequest.get_attribute_for_oidN)rrr rbrcrZr\r^rJrdrOrQrSr$rarUrprnrqrrrrro?
s4
























roc@s6eZ
dZejd
d��
Zejdd��
Zejdd��
ZdS)�RevokedCertificatec


Csd
S)zG
        Returns the serial number of the revoked certificate.
        NrrFrrrrG�
sz RevokedCertificate.serial_numberc


Csd
S)zH
        Returns the date of when this certificate was revoked.
        NrrFrrr�revocation_date�
sz"RevokedCertificate.revocation_datec


Csd
S)zW
        Returns an Extensions object containing a list of Revoked extensions.
        NrrFrrrr$�
szRevokedCertificate.extensionsN)rrr rbrdrGrsr$rrrrrr�
s




rrc@s>eZ
dZd
ggfdd�
Zdd�Zdd�Zdd	�Zdd
d�
Zd
S)
� CertificateSigningRequestBuilderNcCs|
|_||_
||_d
S)zB
        Creates an empty X.509 certificate request (v1).
        N)�
_subject_name�_extensions�_attributes)r�subject_namer$r'rrrr�
s

z)CertificateSigningRequestBuilder.__init__cCs4t|
t
�std
�
�
|jdu
r$td�
�
t|
|j|j�S)zF
        Sets the certificate requestor's distinguished name.
        �Expecting x509.Name object.N�&The subject name may only be set once.)�
isinstancer�	TypeErrorrur"rtrvrw�r�namerrrrx�
s







�z-CertificateSigningRequestBuilder.subject_namecCsDt|
t
�std
�
�
t|
j||
�}
t|
|j�
t|j|j|
g
|j	�S)zE
        Adds an X.509 extension to the certificate request.
        �"extension must be an ExtensionType)
r{rr|r
rr&rvrtrurw�rr#�criticalrrr�
add_extension�
s






�z.CertificateSigningRequestBuilder.add_extensioncCsLt|
t
�std
�
�
t|t�s$td�
�
t|
|j�
t|j|j|j|
|fg
�S)zK
        Adds an X.509 attribute with an OID and associated value.
        zoid must be an ObjectIdentifierzvalue must be bytes)	r{rr|�bytesr)rwrtrurv)rr�valuerrr�
add_attribute�
s






�z.CertificateSigningRequestBuilder.add_attributecCs(t|�
}|j
d
urtd�
�
|�||
|�S)zF
        Signs the request using the requestor's private key.
        Nz/A CertificateSigningRequest must have a subject)rrur"Zcreate_x509_csr�rZprivate_keyrDr9rrr�sign�
s



z%CertificateSigningRequestBuilder.sign)
N)rrr rrxr�r�r�rrrrrt�
s

rtc@sfeZ
dZd
d
d
d
d
d
gfdd�
Zdd�Zdd�Zdd	�Zd
d�Zdd
�Zdd�Z	dd�Z
ddd�
Zd
S)�CertificateBuilderNcCs6tj
|_|
|_||_||_||_||_||_||_	dSr)
r2r5�_version�_issuer_nameru�_public_key�_serial_number�_not_valid_before�_not_valid_afterrv)r�issuer_namerxrJrGrKrLr$rrrr�
s







zCertificateBuilder.__init__cCsDt|
t
�std
�
�
|jdu
r$td�
�
t|
|j|j|j|j	|j
|j�S)z3
        Sets the CA's distinguished name.
        ryN�%The issuer name may only be set once.)r{rr|r�r"r�rur�r�r�r�rvr}rrrr��
s












�zCertificateBuilder.issuer_namecCsDt|
t
�std
�
�
|jdu
r$td�
�
t|j|
|j|j|j	|j
|j�S)z:
        Sets the requestor's distinguished name.
        ryNrz)r{rr|rur"r�r�r�r�r�r�rvr}rrrrxs












�zCertificateBuilder.subject_namecCsXt|
t
jtjtjtjt	j
f�s&td
�
�
|jdu
r8t
d�
�
t|j|j|
|j|j|j|j�S)zT
        Sets the requestor's public key (as found in the signing request).
        zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)r{r�DSAPublicKeyr�RSAPublicKeyr	ZEllipticCurvePublicKeyr
ZEd25519PublicKeyrZEd448PublicKeyr|r�r"r�r�rur�r�r�rv)r�keyrrrrJ s.




��

�









�zCertificateBuilder.public_keycCsjt|
t
j�std
�
�
|jdu
r&td�
�
|
dk
r6td�
�
|
��dkrJtd�
�
t|j|j	|j
|
|j|j|j
�S)z5
        Sets the certificate serial number.
        �'Serial number must be of integral type.N�'The serial number may only be set once.r
z%The serial number should be positive.��3The serial number should not be more than 159 bits.)r{�six�
integer_typesr|r�r"�
bit_lengthr�r�rur�r�r�rv�r�numberrrrrG?s&







�






�z CertificateBuilder.serial_numbercCszt|
t
j
�std
�
�
|jdu
r&td�
�
t|
�
}
|
tkr>td�
�
|jdu
rZ|
|jkrZtd�
�
t|j	|j
|j|j|
|j|j
�S)z7
        Sets the certificate activation time.
        �Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)r{r,r|r�r"r1�_EARLIEST_UTC_TIMEr�r�r�rur�r�rv�rr/rrrrKZs,







�

�






�z#CertificateBuilder.not_valid_beforecCszt|
t
j
�std
�
�
|jdu
r&td�
�
t|
�
}
|
tkr>td�
�
|jdu
rZ|
|jkrZtd�
�
t|j	|j
|j|j|j|
|j
�S)z7
        Sets the certificate expiration time.
        r�Nz)The not valid after may only be set once.z<The not valid after date must be on or after 1950 January 1.zAThe not valid after date must be after the not valid before date.)r{r,r|r�r"r1r�r�r�r�rur�r�rvr�rrrrLws2







���
�






�z"CertificateBuilder.not_valid_afterc	CsTt|
t
�std
�
�
t|
j||
�}
t|
|j�
t|j|j	|j
|j|j|j
|j|
g
�S)z=
        Adds an X.509 extension to the certificate.
        r)r{rr|r
rr&rvr�r�rur�r�r�r�r�rrrr��s










�z CertificateBuilder.add_extensioncCs�t|�
}|j
d
urtd�
�
|jd
ur,td�
�
|jd
ur>td�
�
|jd
urPtd�
�
|jd
urbtd�
�
|jd
urttd�
�
|�||
|�S)zC
        Signs the certificate using the CA's private key.
        Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key)	rrur"r�r�r�r�r�Zcreate_x509_certificater�rrrr��s












zCertificateBuilder.sign)
N)rrr rr�rxrJrGrKrLr�r�rrrrr��
s 





�
 r�c@sReZ
dZd
d
d
ggfdd�
Zdd�Zdd�Zdd	�Zd
d�Zdd
�Zddd�
Z	d
S)� CertificateRevocationListBuilderNcCs"|
|_||_
||_||_||_dSr)r��_last_update�_next_updaterv�_revoked_certificates)rr�rhrgr$Zrevoked_certificatesrrrr�s




z)CertificateRevocationListBuilder.__init__cCs<t|
t
�std
�
�
|jdu
r$td�
�
t|
|j|j|j|j	�S)Nryr�)
r{rr|r�r"r�r�r�rvr�)rr�rrrr��s











�z,CertificateRevocationListBuilder.issuer_namecCsrt|
t
j
�std
�
�
|jdu
r&td�
�
t|
�
}
|
tkr>td�
�
|jdu
rZ|
|jkrZtd�
�
t|j	|
|j|j
|j�S)Nr��!Last update may only be set once.�8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.)r{r,r|r�r"r1r�r�r�r�rvr�)rrhrrrrh�s(








�

�




�z,CertificateRevocationListBuilder.last_updatecCsrt|
t
j
�std
�
�
|jdu
r&td�
�
t|
�
}
|
tkr>td�
�
|jdu
rZ|
|jkrZtd�
�
t|j	|j|
|j
|j�S)Nr�r�r�z8The next update date must be after the last update date.)r{r,r|r�r"r1r�r�r�r�rvr�)rrgrrrrg�s(








�

�




�z,CertificateRevocationListBuilder.next_updatecCsLt|
t
�std
�
�
t|
j||
�}
t|
|j�
t|j|j	|j
|j|
g
|j�S)zM
        Adds an X.509 extension to the certificate revocation list.
        r)r{rr|r
rr&rvr�r�r�r�r�r�rrrr�
s









�z.CertificateRevocationListBuilder.add_extensioncCs2t|
t
�std
�
�
t|j|j|j|j|j|
g
�S)z8
        Adds a revoked certificate to the CRL.
        z)Must be an instance of RevokedCertificate)	r{rrr|r�r�r�r�rvr�)rZrevoked_certificaterrr�add_revoked_certificates







�z8CertificateRevocationListBuilder.add_revoked_certificatecCsLt|�
}|j
durtd
�
�
|jdur,td�
�
|jdur>td�
�
|�||
|�S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)rr�r"r�r�Zcreate_x509_crlr�rrrr�-s







z%CertificateRevocationListBuilder.sign)
N)
rrr rr�rhrgr�r�r�rrrrr��s



�

r�c@s>eZ
dZd
d
gfdd�
Zdd�Zdd�Zdd	�Zdd
d�
Zd
S)
�RevokedCertificateBuilderNcCs|
|_||_
||_dSr)r��_revocation_daterv)rrGrsr$rrrr<s

z"RevokedCertificateBuilder.__init__cCsZt|
t
j�std
�
�
|jdu
r&td�
�
|
dk
r6td�
�
|
��dkrJtd�
�
t|
|j|j	�S)Nr�r�r
z$The serial number should be positiver�r�)
r{r�r�r|r�r"r�r�r�rvr�rrrrGCs








�

�z'RevokedCertificateBuilder.serial_numbercCsNt|
t
j
�std
�
�
|jdu
r&td�
�
t|
�
}
|
tkr>td�
�
t|j|
|j	�S)Nr�z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.)
r{r,r|r�r"r1r�r�r�rvr�rrrrsUs








�

�z)RevokedCertificateBuilder.revocation_datecCsDt|
t
�std
�
�
t|
j||
�}
t|
|j�
t|j|j	|j|
g
�S)Nr)
r{rr|r
rr&rvr�r�r�r�rrrr�cs








�z'RevokedCertificateBuilder.add_extensioncCs6t|
�
}
|j
durtd
�
�
|jdur,td�
�
|
�|�
S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr�r"r�Zcreate_x509_revoked_certificate)rr9rrr�buildos







�zRevokedCertificateBuilder.build)
N)rrr rrGrsr�r�rrrrr�;s�
r�cCst�
t�d
�
d�d?S)N��bigr)r�int_from_bytes�os�urandomrrrr�random_serial_number{s
r�)
N)
N)
N)
N)
N)
N)5�
__future__rrrrbr,r��enumrr��cryptographyrZcryptography.hazmat.backendsr�)cryptography.hazmat.primitives.asymmetricrr	r
rr�cryptography.x509.extensionsr
r�cryptography.x509.namer�cryptography.x509.oidrr��	Exceptionrr&r)r1r2r6r:r;r<r=r>r?�
add_metaclass�ABCMeta�objectrArerorrrtr�r�r�r�rrrr�<module>sL














i

j

R

A^v@