o c @sddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ed d d Z"Gd d d e#Z$deedej%eeddfddZ&de!dej%ej'e!e(ej)e*fddfddZ+dejdejfddZ,GdddZ-GdddZ.Gdddej/Z0Gd d!d!e#Z1Gd"d#d#ej2d$Z3e34ej3Gd%d&d&ej2d$Z5e54ej5Gd'd(d(e5Z6Gd)d*d*ej2d$Z7e74ej7Gd+d,d,ej2d$Z8e84ej8 dGd-e(d.ej9de3fd/d0Z:d-e(dej%e3fd1d2Z; dGd-e(d.ej9de3fd3d4Z< dGd-e(d.ej9de8fd5d6Z= dGd-e(d.ej9de8fd7d8Z> dGd-e(d.ej9de7fd9d:Z? dGd-e(d.ej9de7fd;d<Z@Gd=d>d>ZAGd?d@d@ZBGdAdBdBZCGdCdDdDZDde*fdEdFZEdS)HN)utils)x509)hashes serialization)dsaeced448ed25519rsax448x25519)#CERTIFICATE_ISSUER_PUBLIC_KEY_TYPESCERTIFICATE_PRIVATE_KEY_TYPESCERTIFICATE_PUBLIC_KEY_TYPES) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric*eZdZdededdffdd ZZS)AttributeNotFoundmsgoidreturnNctt||||_dSN)superr__init__r)selfrr __class__C/opt/certbot/lib/python3.10/site-packages/cryptography/x509/base.pyr ) zAttributeNotFound.__init__)__name__ __module__ __qualname__strrr __classcell__r$r$r"r%r("r extension extensionsrcCs"|D] }|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r-r.er$r$r%_reject_duplicate_extension.s  r1r attributescCs$|D] \}}}||krtdqdS)Nz$This attribute has already been set.)r/)rr2attr_oid_r$r$r%_reject_duplicate_attribute8s r5timecCs6|jdur|}|r |nt}|jdd|S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. N)tzinfo)r7 utcoffsetdatetime timedeltareplace)r6offsetr$r$r%_convert_to_naive_utc_timeDs r=c @seZdZejjfdedededdfddZ e defdd Z e defd d Zde fd d Z dedefddZdefddZdS) Attributervalue_typerNcC||_||_||_dSr)_oid_valuer@)r!rr?r@r$r$r%r S zAttribute.__init__cC|jSr)rBr!r$r$r%r]z Attribute.oidcCrEr)rCrFr$r$r%r?arGzAttribute.valuecCsd|j|jS)Nz)formatrr?rFr$r$r%__repr__eszAttribute.__repr__othercCs2t|tstS|j|jko|j|jko|j|jkSr) isinstancer>NotImplementedrr?r@r!rJr$r$r%__eq__hs    zAttribute.__eq__cCst|j|j|jfSr)hashrr?r@rFr$r$r%__hash__rszAttribute.__hash__)r'r(r)r UTF8Stringr?rbytesintr propertyrr*rIobjectboolrNrPr$r$r$r%r>Rs$   r>c@sReZdZdejeddfddZed\ZZ Z de fddZ d e defd d ZdS) Attributesr2rNcCst||_dSr)list _attributes)r!r2r$r$r%r wszAttributes.__init__rYcCs d|jS)Nz)rHrYrFr$r$r%rIs zAttributes.__repr__rcCs,|D] }|j|kr |Sqtd||)NzNo {} attribute was found)rrrH)r!rattrr$r$r%get_attribute_for_oids  z Attributes.get_attribute_for_oid)r'r(r)typingIterabler>r r__len____iter__ __getitem__r*rIrr[r$r$r$r%rWvs rWc@seZdZdZdZdS)VersionrN)r'r(r)v1v3r$r$r$r%rasracr)InvalidVersionrparsed_versionrNcrr)rrer rf)r!rrfr"r$r%r r&zInvalidVersion.__init__)r'r(r)r*rSr r+r$r$r"r%rer,rec@seZdZejdejdefddZe ejde fddZ e ejde fddZ ejdefd d Ze ejdejfd d Ze ejdejfd dZe ejdefddZe ejdefddZe ejdejejfddZe ejdefddZe ejdefddZe ejdefddZe ejdefddZe ejdefddZejde de!fd d!Z"ejde fd"d#Z#ejd$e$j%defd%d&Z&d'S)( Certificate algorithmrcCdSz4 Returns bytes using digest passed. Nr$r!rhr$r$r% fingerprintzCertificate.fingerprintcCri)z3 Returns certificate serial number Nr$rFr$r$r% serial_numberrmzCertificate.serial_numbercCri)z1 Returns the certificate version Nr$rFr$r$r%versionrmzCertificate.versioncCriz( Returns the public key Nr$rFr$r$r% public_keyrmzCertificate.public_keycCri)z? Not before time (represented as UTC datetime) Nr$rFr$r$r%not_valid_beforermzCertificate.not_valid_beforecCri)z> Not after time (represented as UTC datetime) Nr$rFr$r$r%not_valid_afterrmzCertificate.not_valid_aftercCri)z1 Returns the issuer name object. Nr$rFr$r$r%issuerrmzCertificate.issuercCriz2 Returns the subject name object. Nr$rFr$r$r%subjectrmzCertificate.subjectcCrizt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr$rFr$r$r%signature_hash_algorithmrmz$Certificate.signature_hash_algorithmcCrizJ Returns the ObjectIdentifier of the signature algorithm. Nr$rFr$r$r%signature_algorithm_oidrmz#Certificate.signature_algorithm_oidcCri)z/ Returns an Extensions object. Nr$rFr$r$r%r.rmzCertificate.extensionscCriz. Returns the signature bytes. Nr$rFr$r$r% signaturermzCertificate.signaturecCri)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr$rFr$r$r%tbs_certificate_bytesrmz!Certificate.tbs_certificate_bytescCri)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr$rFr$r$r%tbs_precertificate_bytesrmz$Certificate.tbs_precertificate_bytesrJcCriz" Checks equality. Nr$rMr$r$r%rNrmzCertificate.__eq__cCriz" Computes a hash. Nr$rFr$r$r%rPrmzCertificate.__hash__encodingcCri)zB Serializes the certificate to PEM or DER format. Nr$r!rr$r$r% public_bytesrmzCertificate.public_bytesN)'r'r(r)abcabstractmethodr HashAlgorithmrRrlrTrSrnrarorrqr9rrrsrrtrvr\Optionalrxrrzrr.r|r}r~rUrVrNrPrEncodingrr$r$r$r%rgsb rg) metaclassc@sVeZdZeejdefddZeejdejfddZ eejde fddZ dS) RevokedCertificatercCri)zG Returns the serial number of the revoked certificate. Nr$rFr$r$r%rnrmz RevokedCertificate.serial_numbercCri)zH Returns the date of when this certificate was revoked. Nr$rFr$r$r%revocation_datermz"RevokedCertificate.revocation_datecCri)zW Returns an Extensions object containing a list of Revoked extensions. Nr$rFr$r$r%r. rmzRevokedCertificate.extensionsN) r'r(r)rTrrrSrnr9rrr.r$r$r$r%rsrc@s\eZdZdedejdefddZedefddZedejfd d Z edefd d Z d S)_RawRevokedCertificaternrr.cCrAr_serial_number_revocation_date _extensionsr!rnrr.r$r$r%r -rDz_RawRevokedCertificate.__init__rcCrEr)rrFr$r$r%rn7rGz$_RawRevokedCertificate.serial_numbercCrEr)rrFr$r$r%r;rGz&_RawRevokedCertificate.revocation_datecCrEr)rrFr$r$r%r.?rGz!_RawRevokedCertificate.extensionsN) r'r(r)rSr9rr rTrnrr.r$r$r$r%r,s  rc@seZdZejdejdefddZejde j defddZ ejde de jefd d Zeejde je j fd d Zeejdefd dZeejdefddZeejde jejfddZeejdejfddZeejdefddZeejdefddZeejdefddZejdedefddZ ejde fddZ!e j"d e defd!d"Z#e j"d e$de j%efd#d"Z#ejd e j&e e$fde j&ee j%effd$d"Z#ejde j'efd%d&Z(ejd'e)defd(d)Z*d*S)+CertificateRevocationListrrcCri)z: Serializes the CRL to PEM or DER format. Nr$rr$r$r%rErmz&CertificateRevocationList.public_bytesrhcCrirjr$rkr$r$r%rlKrmz%CertificateRevocationList.fingerprintrncCri)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr$)r!rnr$r$r%(get_revoked_certificate_by_serial_numberQrmzBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCrirwr$rFr$r$r%rxZrmz2CertificateRevocationList.signature_hash_algorithmcCriryr$rFr$r$r%rzdrmz1CertificateRevocationList.signature_algorithm_oidcCri)zC Returns the X509Name with the issuer of this CRL. Nr$rFr$r$r%rtkrmz CertificateRevocationList.issuercCri)z? Returns the date of next update for this CRL. Nr$rFr$r$r% next_updaterrmz%CertificateRevocationList.next_updatecCri)z? Returns the date of last update for this CRL. Nr$rFr$r$r% last_updateyrmz%CertificateRevocationList.last_updatecCri)zS Returns an Extensions object containing a list of CRL extensions. Nr$rFr$r$r%r.rmz$CertificateRevocationList.extensionscCrir{r$rFr$r$r%r|rmz#CertificateRevocationList.signaturecCri)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr$rFr$r$r%tbs_certlist_bytesrmz,CertificateRevocationList.tbs_certlist_bytesrJcCrirr$rMr$r$r%rNrmz CertificateRevocationList.__eq__cCri)z< Number of revoked certificates in the CRL. Nr$rFr$r$r%r^rmz!CertificateRevocationList.__len__idxcCdSrr$r!rr$r$r%r`z%CertificateRevocationList.__getitem__cCrrr$rr$r$r%r`rcCri)zS Returns a revoked certificate (or slice of revoked certificates). Nr$rr$r$r%r`rmcCri)z8 Iterator over the revoked certificates Nr$rFr$r$r%r_rmz"CertificateRevocationList.__iter__rqcCri)zQ Verifies signature of revocation list against given public key. Nr$)r!rqr$r$r%is_signature_validrmz,CertificateRevocationList.is_signature_validN)+r'r(r)rrrrrRrrrrlrSr\rrrrTrxrrzrrtr9rrrr.r|rrUrVrNr^overloadr`sliceListUnionIteratorr_r rr$r$r$r%rDsv    rc@sFeZdZejdedefddZejdefddZ ejde fddZ e ejde fd d Ze ejdejejfd d Ze ejdefd dZe ejdefddZe ejdefddZejdejdefddZe ejdefddZe ejdefddZe ejdefddZ ejdedefddZ!dS) CertificateSigningRequestrJrcCrirr$rMr$r$r%rNrmz CertificateSigningRequest.__eq__cCrirr$rFr$r$r%rPrmz"CertificateSigningRequest.__hash__cCrirpr$rFr$r$r%rqrmz$CertificateSigningRequest.public_keycCrirur$rFr$r$r%rvrmz!CertificateSigningRequest.subjectcCrirwr$rFr$r$r%rxrmz2CertificateSigningRequest.signature_hash_algorithmcCriryr$rFr$r$r%rzrmz1CertificateSigningRequest.signature_algorithm_oidcCri)z@ Returns the extensions in the signing request. Nr$rFr$r$r%r.rmz$CertificateSigningRequest.extensionscCri)z/ Returns an Attributes object. Nr$rFr$r$r%r2rmz$CertificateSigningRequest.attributesrcCri)z; Encodes the request to PEM or DER format. Nr$rr$r$r%rrmz&CertificateSigningRequest.public_bytescCrir{r$rFr$r$r%r|rmz#CertificateSigningRequest.signaturecCri)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr$rFr$r$r%tbs_certrequest_bytes rmz/CertificateSigningRequest.tbs_certrequest_bytescCri)z8 Verifies signature of signing request. Nr$rFr$r$r%rrmz,CertificateSigningRequest.is_signature_validrcCri)z: Get the attribute value for a given OID. Nr$)r!rr$r$r%r[rmz/CertificateSigningRequest.get_attribute_for_oidN)"r'r(r)rrrUrVrNrSrPrrqrTrrvr\rrrrxrrzrr.rWr2rrrRrr|rrr[r$r$r$r%rsJ rdatabackendcC t|Sr) rust_x509load_pem_x509_certificaterrr$r$r%r$ rcCrr)rload_pem_x509_certificates)rr$r$r%r*s rcCrr)rload_der_x509_certificaterr$r$r%r/rrcCrr)rload_pem_x509_csrrr$r$r%r6rrcCrr)rload_der_x509_csrrr$r$r%r=rrcCrr)rload_pem_x509_crlrr$r$r%rDrrcCrr)rload_der_x509_crlrr$r$r%rKrrc @seZdZdggfdejedejeedejej e e eje ffddZ deddfd d Zd ed eddfd dZddde de dejeddfddZ ddedejejdejdefddZdS) CertificateSigningRequestBuilderN subject_namer.r2cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrY)r!rr.r2r$r$r%r Rs  z)CertificateSigningRequestBuilder.__init__namercCs4t|ts td|jdurtdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rKr TypeErrorrr/rrrYr!rr$r$r%ras   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalcCsDt|ts tdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rKrrrrr1rrrrYr!rrr-r$r$r% add_extensionms   z.CertificateSigningRequestBuilder.add_extension)_tagrr?rcCs|t|ts tdt|tstd|durt|tstdt||j|dur-|j}nd}t|j |j |j|||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rKrrrRrr5rYr?rrr)r!rr?rtagr$r$r% add_attributes   z.CertificateSigningRequestBuilder.add_attribute private_keyrhrcCs |jdur tdt|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr/rcreate_x509_csrr!rrhrr$r$r%signs z%CertificateSigningRequestBuilder.signr)r'r(r)r\rrrrrTuplerrRrSr rrVrrrrrrAnyrrr$r$r$r%rQsR     $ rc@s:eZdZUejeeed<ddddddgfdeje deje deje deje deje j deje j d ejeed dfd d Z d e d dfddZd e d dfddZde d dfddZde d dfddZde j d dfddZde j d dfddZdeded dfdd Z d&d!ed"ejejd#ejd efd$d%ZdS)'CertificateBuilderrN issuer_namerrqrnrrrsr.rcCs6tj|_||_||_||_||_||_||_||_ dSr) rard_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r!rrrqrnrrrsr.r$r$r%r s  zCertificateBuilder.__init__rcCsDt|ts td|jdurtdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rKrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.issuer_namecCsDt|ts td|jdurtdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rKrrrr/rrrrrrrrr$r$r%rs  zCertificateBuilder.subject_namekeyc Cs`t|tjtjtjtjt j t j t jfstd|jdur tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rKr DSAPublicKeyr RSAPublicKeyrEllipticCurvePublicKeyr Ed25519PublicKeyrEd448PublicKeyr X25519PublicKeyr X448PublicKeyrrr/rrrrrrr)r!rr$r$r%rqs2  zCertificateBuilder.public_keynumbercCsht|ts td|jdurtd|dkrtd|dkr$tdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rKrSrrr/ bit_lengthrrrrrrrr!rr$r$r%rn s&   z CertificateBuilder.serial_numberr6cCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rKr9rrr/r=_EARLIEST_UTC_TIMErrrrrrrr!r6r$r$r%rr's,  z#CertificateBuilder.not_valid_beforecCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.zs   z)RevokedCertificateBuilder.revocation_daterrcCsDt|ts tdt|j||}t||jt|j|j |j|gS)Nr) rKrrrrr1rrrrrr$r$r%rNs   z'RevokedCertificateBuilder.add_extensionrcCs:|jdur td|jdurtdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr/rrrr)r!rr$r$r%build\s  zRevokedCertificateBuilder.buildr)r'r(r)r\rrSr9rrrr rnrrVrrrrr$r$r$r%r!s2      rcCsttddd?S)Nbigr)rS from_bytesosurandomr$r$r$r%random_serial_numberjsrr)Frr9rr\ cryptographyr"cryptography.hazmat.bindings._rustrrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrrrr r r r /cryptography.hazmat.primitives.asymmetric.typesr rrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrr Exceptionrrr1rrRrrSr5r=r>rWEnumrareABCMetargregisterrrrrrrrrrrrrrrrrrr$r$r$r%s  $       $ y  | ]      \nI