o cKH@sTddlZddlZddlZddlmZmZddlmZddlm Z m Z ddl m Z ddl mZmZmZGdddejZGd d d ejZe je je je je jfZd e jd dfd dZGdddejZGdddZGdddejdZGdddejdZ GdddejdZ!GdddZ"GdddZ#de$d efdd Z%de$d e!fd!d"Z&dS)#N)utilsx509)ocsp)hashes serialization)CERTIFICATE_PRIVATE_KEY_TYPES)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionc@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAMErrC/opt/certbot/lib/python3.10/site-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULMALFORMED_REQUESTINTERNAL_ERROR TRY_LATER SIG_REQUIRED UNAUTHORIZEDrrrrrsr algorithmreturncCst|ts tddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)rrrr_verify_algorithm.s r$c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rGOODREVOKEDUNKNOWNrrrrr%5sr%c@sVeZdZdejdejdejdedejde j ejde j ejde j ej fd d Z d S) _SingleResponsecertissuerr cert_status this_update next_updaterevocation_timerevocation_reasonc Cst|tjr t|tjstdt|t|tjstd|dur,t|tjs,td||_||_||_||_ ||_ t|t sDtd|t j urZ|durQt d|durYt dn$t|tjsdtdt|}|tkrpt d|dur~t|tjs~td ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r!r Certificate TypeErrorr$datetime_cert_issuer _algorithm _this_update _next_updater%r'r#r r ReasonFlags _cert_status_revocation_time_revocation_reason) selfr*r+rr,r-r.r/r0rrr__init__<s\        z_SingleResponse.__init__N) r r rrr2r HashAlgorithmr%r4typingOptionalr:r?rrrrr);s$   r)c@seZdZeejdefddZeejdefddZeejde j fddZ eejde fdd Z ejd ejdefd d Zeejdejfd dZdS) OCSPRequestr cCdSz3 The hash of the issuer public key Nrr>rrrissuer_key_hashzOCSPRequest.issuer_key_hashcCrDz- The hash of the issuer name NrrFrrrissuer_name_hashrHzOCSPRequest.issuer_name_hashcCrDzK The hash algorithm used in the issuer name and key hashes NrrFrrrhash_algorithmrHzOCSPRequest.hash_algorithmcCrDzM The serial number of the cert whose status is being checked NrrFrrr serial_numberrHzOCSPRequest.serial_numberencodingcCrD)z/ Serializes the request to DER Nrr>rOrrr public_bytesrHzOCSPRequest.public_bytescCrD)zP The list of request extensions. Not single request extensions. NrrFrrr extensionsrHzOCSPRequest.extensionsN)r r rpropertyabcabstractmethodbytesrGrJrr@rLintrNrEncodingrQr ExtensionsrRrrrrrCs$rC) metaclassc@seZdZeejdefddZeejdej e j fddZ eejdej e j fddZeejde j fdd Zeejdej e j fd d Zeejdefd d ZeejdefddZeejdejfddZeejdefddZdS)OCSPSingleResponser cCrDzY The status of the certificate (an element from the OCSPCertStatus enum) NrrFrrrcertificate_statusrHz%OCSPSingleResponse.certificate_statuscCrDz^ The date of when the certificate was revoked or None if not revoked. NrrFrrrr/rHz"OCSPSingleResponse.revocation_timecCrDzi The reason the certificate was revoked or None if not specified or not revoked. NrrFrrrr0rHz$OCSPSingleResponse.revocation_reasoncCrDz The most recent time at which the status being indicated is known by the responder to have been correct NrrFrrrr-rHzOCSPSingleResponse.this_updatecCrDzC The time when newer information will be available NrrFrrrr.rHzOCSPSingleResponse.next_updatecCrDrErrFrrrrGrHz"OCSPSingleResponse.issuer_key_hashcCrDrIrrFrrrrJrHz#OCSPSingleResponse.issuer_name_hashcCrDrKrrFrrrrLrHz!OCSPSingleResponse.hash_algorithmcCrDrMrrFrrrrNrHz OCSPSingleResponse.serial_numberN)r r rrSrTrUr%r]rArBr4r/rr:r0r-r.rVrGrJrr@rLrWrNrrrrr[s8r[c@sfeZdZeejdejefddZ eejde fddZ eejde j fddZeejdejejfdd Zeejdefd d Zeejdefd d Zeejdeje jfddZeejdejefddZeejdeje jfddZeejdejfddZeejdefddZeejdejejfddZ eejdeje j!fddZ"eejdejfddZ#eejdejejfddZ$eejdefd d!Z%eejdefd"d#Z&eejdejfd$d%Z'eejde(fd&d'Z)eejde j*fd(d)Z+eejde j*fd*d+Z,ejd,e-j.defd-d.Z/d/S)0 OCSPResponser cCrD)z_ An iterator over the individual SINGLERESP structures in the response NrrFrrr responsesrHzOCSPResponse.responsescCrD)zm The status of the response. This is a value from the OCSPResponseStatus enumeration NrrFrrrresponse_statusrHzOCSPResponse.response_statuscCrD)zA The ObjectIdentifier of the signature algorithm NrrFrrrsignature_algorithm_oidrHz$OCSPResponse.signature_algorithm_oidcCrD)zX Returns a HashAlgorithm corresponding to the type of the digest signed NrrFrrrsignature_hash_algorithmrHz%OCSPResponse.signature_hash_algorithmcCrD)z% The signature bytes NrrFrrr signaturerHzOCSPResponse.signaturecCrD)z+ The tbsResponseData bytes NrrFrrrtbs_response_bytesrHzOCSPResponse.tbs_response_bytescCrD)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. NrrFrrr certificatesrHzOCSPResponse.certificatescCrD)z2 The responder's key hash or None NrrFrrrresponder_key_hash(rHzOCSPResponse.responder_key_hashcCrD)z. The responder's Name or None NrrFrrrresponder_name/rHzOCSPResponse.responder_namecCrD)z4 The time the response was produced NrrFrrr produced_at6rHzOCSPResponse.produced_atcCrDr\rrFrrrr]=rHzOCSPResponse.certificate_statuscCrDr^rrFrrrr/DrHzOCSPResponse.revocation_timecCrDr_rrFrrrr0LrHzOCSPResponse.revocation_reasoncCrDr`rrFrrrr-TrHzOCSPResponse.this_updatecCrDrarrFrrrr.\rHzOCSPResponse.next_updatecCrDrErrFrrrrGcrHzOCSPResponse.issuer_key_hashcCrDrIrrFrrrrJjrHzOCSPResponse.issuer_name_hashcCrDrKrrFrrrrLqrHzOCSPResponse.hash_algorithmcCrDrMrrFrrrrNxrHzOCSPResponse.serial_numbercCrD)zR The list of response extensions. Not single response extensions. NrrFrrrrRrHzOCSPResponse.extensionscCrD)zR The list of single response extensions. Not response extensions. NrrFrrrsingle_extensionsrHzOCSPResponse.single_extensionsrOcCrD)z0 Serializes the response to DER NrrPrrrrQrHzOCSPResponse.public_bytesN)0r r rrSrTrUrAIteratorr[rcrrdrObjectIdentifierrerBrr@rfrVrgrhListr2rirjNamerkr4rlr%r]r/r:r0r-r.rGrJrLrWrNrYrRrmrrXrQrrrrrbs rbc @seZdZddgfdejejejejej fdejeje e e ej fdej ej ejddfddZdejd ejd ej ddfd d Zd e de de d ej ddf ddZdejdeddfddZdefddZdS)OCSPRequestBuilderNrequest request_hashrRr cCs||_||_||_dSN)_request _request_hash _extensions)r>rsrtrRrrrr?s  zOCSPRequestBuilder.__init__r*r+rcCsZ|jdus |jdurtdt|t|tjrt|tjs"tdt|||f|j|j S)N.Only one certificate can be added to a requestr1) rvrwr#r$r!rr2r3rrrx)r>r*r+rrrradd_certificatesz"OCSPRequestBuilder.add_certificaterJrGrNcCs|jdus |jdurtdt|tstdt|td|td||j t |ks5|j t |kr9tdt |j||||f|j S)Nryz serial_number must be an integerrJrGz`issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm) rvrwr#r!rWr3r$r _check_bytes digest_sizelenrrrx)r>rJrGrNrrrradd_certificate_by_hashs(     z*OCSPRequestBuilder.add_certificate_by_hashextvalcriticalcCsHt|tjs tdt|j||}t||jt|j |j |j|gSNz"extension must be an ExtensionType) r!r ExtensionTyper3 Extensionoidr rxrrrvrwr>rr extensionrrr add_extensions  z OCSPRequestBuilder.add_extensioncCs&|jdur|jdurtdt|S)Nz*You must add a certificate before building)rvrwr#rcreate_ocsp_requestrFrrrbuilds zOCSPRequestBuilder.build)r r rrArBTuplerr2rr@rVrWrprrr?rzr~boolrrCrrrrrrrs^      rrc@s0eZdZdddgfdejedejejeje fdejej ejdej ej ej fddZ dejd ejd ejd ed ejd ejejdejejdejejddfddZde dejddfddZdejejddfddZdej deddfddZded ejejdefddZed edefd!d"ZdS)#OCSPResponseBuilderNresponse responder_idcertsrRcCs||_||_||_||_dSru) _response _responder_id_certsrx)r>rrrrRrrrr?s  zOCSPResponseBuilder.__init__r*r+rr,r-r.r/r0r c Cs<|jdur tdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rr#r)rrrrx) r>r*r+rr,r-r.r/r0 singleresprrr add_responses$  z OCSPResponseBuilder.add_responserOresponder_certcCsP|jdur tdt|tjstdt|tstdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rr#r!rr2r3r rrrrx)r>rOrrrrrs   z OCSPResponseBuilder.responder_idcCs\|jdur tdt|}t|dkrtdtdd|Ds$tdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|] }t|tjVqdSru)r!rr2).0xrrr 3sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rr#listr}allr3rrrrx)r>rrrrri+s  z OCSPResponseBuilder.certificatesrrcCsLt|tjs tdt|j||}t||jt|j |j |j |j|gSr) r!rrr3rrr rxrrrrrrrrr<s   z!OCSPResponseBuilder.add_extension private_keycCs6|jdur td|jdurtdttj|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rr#rrcreate_ocsp_responserr)r>rrrrrsignLs   zOCSPResponseBuilder.signrdcCs4t|ts td|tjurtdt|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r!rr3rr#rr)clsrdrrrbuild_unsuccessfulZs  z&OCSPResponseBuilder.build_unsuccessful)r r rrArBr)rrr2r rprrr?rr@r%r4r:rrIterablerirrrrbr classmethodrrrrrrrs           rdatacC t|Sru)rload_der_ocsp_requestrrrrrh rcCrru)rload_der_ocsp_responserrrrrlrr)'rTr4rA cryptographyrr"cryptography.hazmat.bindings._rustrcryptography.hazmat.primitivesrr/cryptography.hazmat.primitives.asymmetric.typesrcryptography.x509.baserr r Enumr rSHA1SHA224SHA256SHA384SHA512r"r@r$r%r)ABCMetarCr[rbrrrrVrrrrrrs6    F+D%V~