# Recovered from a CPython bytecode (.pyc) file; the extracted bytes are not
# human-readable. Module: cryptography.x509.base, the X.509 base module of the
# cryptography package (builders, loader functions and the abstract Certificate,
# CertificateSigningRequest, CertificateRevocationList and RevokedCertificate
# interfaces). Only imports, names, signatures, docstrings and the validation
# messages stored as constants survive the extraction; bodies that cannot be
# recovered are marked as such. The region of CertificateBuilder after
# not_valid_after() and all of CertificateRevocationListBuilder except its
# sign() method are missing from the extraction and are not reconstructed.

import abc
import datetime
import os
import typing

from cryptography import utils
from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import dsa, ec, ed25519, ed448, rsa
from cryptography.x509.extensions import Extension, ExtensionType, Extensions
from cryptography.x509.name import Name
from cryptography.x509.oid import ObjectIdentifier

# Builders refuse any validity or revocation date earlier than this.
_EARLIEST_UTC_TIME = datetime.datetime(1950, 1, 1)


class AttributeNotFound(Exception):
    def __init__(self, msg, oid):
        super().__init__(msg)
        self.oid = oid


def _reject_duplicate_extension(
    extension: Extension, extensions: typing.List[Extension]
) -> None:
    # Raises ValueError if an extension with the same OID is already present
    # (body not recoverable from this extraction).
    ...


def _reject_duplicate_attribute(
    oid: ObjectIdentifier,
    attributes: typing.List[typing.Tuple[ObjectIdentifier, bytes]],
) -> None:
    # Raises ValueError if an attribute with the same OID is already present
    # (body not recoverable from this extraction).
    ...


def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime:
    """Normalizes a datetime to a naive datetime in UTC.

    time -- datetime to normalize. Assumed to be in UTC if not timezone
            aware.
    """
    if time.tzinfo is not None:
        offset = time.utcoffset()
        offset = offset if offset else datetime.timedelta()
        return time.replace(tzinfo=None) - offset
    else:
        return time


class Version(utils.Enum):
    v1 = 0
    v3 = 2


class InvalidVersion(Exception):
    def __init__(self, msg, parsed_version):
        super().__init__(msg)
        self.parsed_version = parsed_version


class Certificate(metaclass=abc.ABCMeta):
    @abc.abstractmethod
    def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes:
        """
        Returns bytes using digest passed.
        """

    @abc.abstractproperty
    def serial_number(self) -> int:
        """
        Returns certificate serial number
        """

    @abc.abstractproperty
    def version(self) -> Version:
        """
        Returns the certificate version
        """

    @abc.abstractmethod
    def public_key(self) -> _PUBLIC_KEY_TYPES:
        """
        Returns the public key
        """

    @abc.abstractproperty
    def not_valid_before(self) -> datetime.datetime:
        """
        Not before time (represented as UTC datetime)
        """

    @abc.abstractproperty
    def not_valid_after(self) -> datetime.datetime:
        """
        Not after time (represented as UTC datetime)
        """

    @abc.abstractproperty
    def issuer(self) -> Name:
        """
        Returns the issuer name object.
        """

    @abc.abstractproperty
    def subject(self) -> Name:
        """
        Returns the subject name object.
        """

    @abc.abstractproperty
    def signature_hash_algorithm(self) -> typing.Optional[hashes.HashAlgorithm]:
        """
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        """

    @abc.abstractproperty
    def signature_algorithm_oid(self) -> ObjectIdentifier:
        """
        Returns the ObjectIdentifier of the signature algorithm.
        """

    @abc.abstractproperty
    def extensions(self) -> Extensions:
        """
        Returns an Extensions object.
        """

    @abc.abstractproperty
    def signature(self) -> bytes:
        """
        Returns the signature bytes.
        """

    @abc.abstractproperty
    def tbs_certificate_bytes(self) -> bytes:
        """
        Returns the tbsCertificate payload bytes as defined in RFC 5280.
        """

    @abc.abstractmethod
    def __eq__(self, other: object) -> bool:
        """
        Checks equality.
        """

    @abc.abstractmethod
    def __ne__(self, other: object) -> bool:
        """
        Checks not equal.
        """

    @abc.abstractmethod
    def __hash__(self) -> int:
        """
        Computes a hash.
        """

    @abc.abstractmethod
    def public_bytes(self, encoding: serialization.Encoding) -> bytes:
        """
        Serializes the certificate to PEM or DER format.
        """


class RevokedCertificate(metaclass=abc.ABCMeta):
    @abc.abstractproperty
    def serial_number(self) -> int:
        """
        Returns the serial number of the revoked certificate.
        """

    @abc.abstractproperty
    def revocation_date(self) -> datetime.datetime:
        """
        Returns the date of when this certificate was revoked.
        """

    @abc.abstractproperty
    def extensions(self) -> Extensions:
        """
        Returns an Extensions object containing a list of Revoked extensions.
        """


class CertificateRevocationList(metaclass=abc.ABCMeta):
    @abc.abstractmethod
    def public_bytes(self, encoding: serialization.Encoding) -> bytes:
        """
        Serializes the CRL to PEM or DER format.
        """

    @abc.abstractmethod
    def fingerprint(self, algorithm: hashes.HashAlgorithm) -> bytes:
        """
        Returns bytes using digest passed.
        """

    @abc.abstractmethod
    def get_revoked_certificate_by_serial_number(
        self, serial_number: int
    ) -> typing.Optional[RevokedCertificate]:
        """
        Returns an instance of RevokedCertificate or None if the serial_number
        is not in the CRL.
        """

    @abc.abstractproperty
    def signature_hash_algorithm(self) -> typing.Optional[hashes.HashAlgorithm]:
        """
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        """

    @abc.abstractproperty
    def signature_algorithm_oid(self) -> ObjectIdentifier:
        """
        Returns the ObjectIdentifier of the signature algorithm.
        """

    @abc.abstractproperty
    def issuer(self) -> Name:
        """
        Returns the X509Name with the issuer of this CRL.
        """

    @abc.abstractproperty
    def next_update(self) -> typing.Optional[datetime.datetime]:
        """
        Returns the date of next update for this CRL.
        """

    @abc.abstractproperty
    def last_update(self) -> datetime.datetime:
        """
        Returns the date of last update for this CRL.
        """

    @abc.abstractproperty
    def extensions(self) -> Extensions:
        """
        Returns an Extensions object containing a list of CRL extensions.
        """

    @abc.abstractproperty
    def signature(self) -> bytes:
        """
        Returns the signature bytes.
        """

    @abc.abstractproperty
    def tbs_certlist_bytes(self) -> bytes:
        """
        Returns the tbsCertList payload bytes as defined in RFC 5280.
        """

    @abc.abstractmethod
    def __eq__(self, other: object) -> bool:
        """
        Checks equality.
        """

    @abc.abstractmethod
    def __ne__(self, other: object) -> bool:
        """
        Checks not equal.
        """

    @abc.abstractmethod
    def __len__(self) -> int:
        """
        Number of revoked certificates in the CRL.
        """

    @abc.abstractmethod
    def __getitem__(self, idx):
        """
        Returns a revoked certificate (or slice of revoked certificates).
        """

    @abc.abstractmethod
    def __iter__(self):
        """
        Iterator over the revoked certificates
        """

    @abc.abstractmethod
    def is_signature_valid(self, public_key: _PUBLIC_KEY_TYPES) -> bool:
        """
        Verifies signature of revocation list against given public key.
        """


class CertificateSigningRequest(metaclass=abc.ABCMeta):
    @abc.abstractmethod
    def __eq__(self, other: object) -> bool:
        """
        Checks equality.
        """

    @abc.abstractmethod
    def __ne__(self, other: object) -> bool:
        """
        Checks not equal.
        """

    @abc.abstractmethod
    def __hash__(self) -> int:
        """
        Computes a hash.
        """

    @abc.abstractmethod
    def public_key(self) -> _PUBLIC_KEY_TYPES:
        """
        Returns the public key
        """

    @abc.abstractproperty
    def subject(self) -> Name:
        """
        Returns the subject name object.
        """

    @abc.abstractproperty
    def signature_hash_algorithm(self) -> typing.Optional[hashes.HashAlgorithm]:
        """
        Returns a HashAlgorithm corresponding to the type of the digest signed
        in the certificate.
        """

    @abc.abstractproperty
    def signature_algorithm_oid(self) -> ObjectIdentifier:
        """
        Returns the ObjectIdentifier of the signature algorithm.
        """

    @abc.abstractproperty
    def extensions(self) -> Extensions:
        """
        Returns the extensions in the signing request.
        """

    @abc.abstractmethod
    def public_bytes(self, encoding: serialization.Encoding) -> bytes:
        """
        Encodes the request to PEM or DER format.
        """

    @abc.abstractproperty
    def signature(self) -> bytes:
        """
        Returns the signature bytes.
        """

    @abc.abstractproperty
    def tbs_certrequest_bytes(self) -> bytes:
        """
        Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC
        2986.
        """

    @abc.abstractproperty
    def is_signature_valid(self) -> bool:
        """
        Verifies signature of signing request.
        """

    @abc.abstractmethod
    def get_attribute_for_oid(self, oid: ObjectIdentifier) -> bytes:
        """
        Get the attribute value for a given OID.
        """


# Loader functions: each resolves the (optional) backend and delegates to it.

def load_pem_x509_certificate(data: bytes, backend=None) -> Certificate:
    backend = _get_backend(backend)
    return backend.load_pem_x509_certificate(data)


def load_der_x509_certificate(data: bytes, backend=None) -> Certificate:
    backend = _get_backend(backend)
    return backend.load_der_x509_certificate(data)


def load_pem_x509_csr(data: bytes, backend=None) -> CertificateSigningRequest:
    backend = _get_backend(backend)
    return backend.load_pem_x509_csr(data)


def load_der_x509_csr(data: bytes, backend=None) -> CertificateSigningRequest:
    backend = _get_backend(backend)
    return backend.load_der_x509_csr(data)


def load_pem_x509_crl(data: bytes, backend=None) -> CertificateRevocationList:
    backend = _get_backend(backend)
    return backend.load_pem_x509_crl(data)


def load_der_x509_crl(data: bytes, backend=None) -> CertificateRevocationList:
    backend = _get_backend(backend)
    return backend.load_der_x509_crl(data)


class CertificateSigningRequestBuilder(object):
    def __init__(self, subject_name=None, extensions=[], attributes=[]):
        """
        Creates an empty X.509 certificate request (v1).
        """
        self._subject_name = subject_name
        self._extensions = extensions
        self._attributes = attributes

    def subject_name(self, name: Name) -> "CertificateSigningRequestBuilder":
        """
        Sets the certificate requestor's distinguished name.
        """
        if not isinstance(name, Name):
            raise TypeError("Expecting x509.Name object.")
        if self._subject_name is not None:
            raise ValueError("The subject name may only be set once.")
        return CertificateSigningRequestBuilder(
            name, self._extensions, self._attributes
        )

    def add_extension(
        self, extval: ExtensionType, critical: bool
    ) -> "CertificateSigningRequestBuilder":
        """
        Adds an X.509 extension to the certificate request.
        """
        if not isinstance(extval, ExtensionType):
            raise TypeError("extension must be an ExtensionType")
        extension = Extension(extval.oid, critical, extval)
        _reject_duplicate_extension(extension, self._extensions)
        return CertificateSigningRequestBuilder(
            self._subject_name, self._extensions + [extension], self._attributes
        )

    def add_attribute(
        self, oid: ObjectIdentifier, value: bytes
    ) -> "CertificateSigningRequestBuilder":
        """
        Adds an X.509 attribute with an OID and associated value.
        """
        if not isinstance(oid, ObjectIdentifier):
            raise TypeError("oid must be an ObjectIdentifier")
        if not isinstance(value, bytes):
            raise TypeError("value must be bytes")
        _reject_duplicate_attribute(oid, self._attributes)
        return CertificateSigningRequestBuilder(
            self._subject_name, self._extensions, self._attributes + [(oid, value)]
        )

    def sign(
        self,
        private_key: _PRIVATE_KEY_TYPES,
        algorithm: hashes.HashAlgorithm,
        backend=None,
    ) -> CertificateSigningRequest:
        """
        Signs the request using the requestor's private key.
        """
        backend = _get_backend(backend)
        if self._subject_name is None:
            raise ValueError("A CertificateSigningRequest must have a subject")
        return backend.create_x509_csr(self, private_key, algorithm)


class CertificateBuilder(object):
    def __init__(
        self,
        issuer_name=None,
        subject_name=None,
        public_key=None,
        serial_number=None,
        not_valid_before=None,
        not_valid_after=None,
        extensions=[],
    ):
        self._version = Version.v3
        self._issuer_name = issuer_name
        self._subject_name = subject_name
        self._public_key = public_key
        self._serial_number = serial_number
        self._not_valid_before = not_valid_before
        self._not_valid_after = not_valid_after
        self._extensions = extensions

    def issuer_name(self, name: Name) -> "CertificateBuilder":
        """
        Sets the CA's distinguished name.
        """
        if not isinstance(name, Name):
            raise TypeError("Expecting x509.Name object.")
        if self._issuer_name is not None:
            raise ValueError("The issuer name may only be set once.")
        return CertificateBuilder(
            name,
            self._subject_name,
            self._public_key,
            self._serial_number,
            self._not_valid_before,
            self._not_valid_after,
            self._extensions,
        )

    def subject_name(self, name: Name) -> "CertificateBuilder":
        """
        Sets the requestor's distinguished name.
        """
        if not isinstance(name, Name):
            raise TypeError("Expecting x509.Name object.")
        if self._subject_name is not None:
            raise ValueError("The subject name may only be set once.")
        return CertificateBuilder(
            self._issuer_name,
            name,
            self._public_key,
            self._serial_number,
            self._not_valid_before,
            self._not_valid_after,
            self._extensions,
        )

    def public_key(self, key: _PUBLIC_KEY_TYPES) -> "CertificateBuilder":
        """
        Sets the requestor's public key (as found in the signing request).
        """
        if not isinstance(
            key,
            (
                dsa.DSAPublicKey,
                rsa.RSAPublicKey,
                ec.EllipticCurvePublicKey,
                ed25519.Ed25519PublicKey,
                ed448.Ed448PublicKey,
            ),
        ):
            raise TypeError(
                "Expecting one of DSAPublicKey, RSAPublicKey,"
                " EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey."
            )
        if self._public_key is not None:
            raise ValueError("The public key may only be set once.")
        return CertificateBuilder(
            self._issuer_name,
            self._subject_name,
            key,
            self._serial_number,
            self._not_valid_before,
            self._not_valid_after,
            self._extensions,
        )

    def serial_number(self, number: int) -> "CertificateBuilder":
        """
        Sets the certificate serial number.
        """
        if not isinstance(number, int):
            raise TypeError("Serial number must be of integral type.")
        if self._serial_number is not None:
            raise ValueError("The serial number may only be set once.")
        if number <= 0:
            raise ValueError("The serial number should be positive.")
        # RFC 5280 caps serials at 20 octets; the top bit must be clear so the
        # DER INTEGER stays positive, hence the 159-bit limit.
        if number.bit_length() >= 160:
            raise ValueError(
                "The serial number should not be more than 159 bits."
            )
        return CertificateBuilder(
            self._issuer_name,
            self._subject_name,
            self._public_key,
            number,
            self._not_valid_before,
            self._not_valid_after,
            self._extensions,
        )

    def not_valid_before(self, time: datetime.datetime) -> "CertificateBuilder":
        """
        Sets the certificate activation time.
        """
        if not isinstance(time, datetime.datetime):
            raise TypeError("Expecting datetime object.")
        if self._not_valid_before is not None:
            raise ValueError("The not valid before may only be set once.")
        time = _convert_to_naive_utc_time(time)
        if time < _EARLIEST_UTC_TIME:
            raise ValueError(
                "The not valid before date must be on or after"
                " 1950 January 1)."
            )
        if self._not_valid_after is not None and time > self._not_valid_after:
            raise ValueError(
                "The not valid before date must be before the not valid after"
                " date."
            )
        return CertificateBuilder(
            self._issuer_name,
            self._subject_name,
            self._public_key,
            self._serial_number,
            time,
            self._not_valid_after,
            self._extensions,
        )

    def not_valid_after(self, time: datetime.datetime) -> "CertificateBuilder":
        """
        Sets the certificate expiration time.
        """
        if not isinstance(time, datetime.datetime):
            raise TypeError("Expecting datetime object.")
        if self._not_valid_after is not None:
            raise ValueError("The not valid after may only be set once.")
        # The remaining checks (1950 lower bound, ordering against
        # not_valid_before), add_extension() and sign() are truncated in the
        # extraction and are not reconstructed here.
        ...


class CertificateRevocationListBuilder(object):
    # Only the sign() method survives the extraction; __init__, issuer_name(),
    # last_update(), next_update(), add_extension() and
    # add_revoked_certificate() are not recoverable from this file.

    def sign(
        self,
        private_key: _PRIVATE_KEY_TYPES,
        algorithm: hashes.HashAlgorithm,
        backend=None,
    ) -> CertificateRevocationList:
        # Body not recoverable from this extraction.
        ...


class RevokedCertificateBuilder(object):
    def __init__(self, serial_number=None, revocation_date=None, extensions=[]):
        self._serial_number = serial_number
        self._revocation_date = revocation_date
        self._extensions = extensions

    def serial_number(self, number: int) -> "RevokedCertificateBuilder":
        if not isinstance(number, int):
            raise TypeError("Serial number must be of integral type.")
        if self._serial_number is not None:
            raise ValueError("The serial number may only be set once.")
        if number <= 0:
            raise ValueError("The serial number should be positive")
        if number.bit_length() >= 160:
            raise ValueError(
                "The serial number should not be more than 159 bits."
            )
        return RevokedCertificateBuilder(
            number, self._revocation_date, self._extensions
        )

    def revocation_date(
        self, time: datetime.datetime
    ) -> "RevokedCertificateBuilder":
        if not isinstance(time, datetime.datetime):
            raise TypeError("Expecting datetime object.")
        if self._revocation_date is not None:
            raise ValueError("The revocation date may only be set once.")
        time = _convert_to_naive_utc_time(time)
        if time < _EARLIEST_UTC_TIME:
            raise ValueError(
                "The revocation date must be on or after 1950 January 1."
            )
        return RevokedCertificateBuilder(
            self._serial_number, time, self._extensions
        )

    def add_extension(
        self, extval: ExtensionType, critical: bool
    ) -> "RevokedCertificateBuilder":
        if not isinstance(extval, ExtensionType):
            raise TypeError("extension must be an ExtensionType")
        extension = Extension(extval.oid, critical, extval)
        _reject_duplicate_extension(extension, self._extensions)
        return RevokedCertificateBuilder(
            self._serial_number,
            self._revocation_date,
            self._extensions + [extension],
        )

    def build(self, backend=None) -> RevokedCertificate:
        backend = _get_backend(backend)
        if self._serial_number is None:
            raise ValueError("A revoked certificate must have a serial number")
        if self._revocation_date is None:
            raise ValueError(
                "A revoked certificate must have a revocation date"
            )
        return backend.create_x509_revoked_certificate(self)


def random_serial_number() -> int:
    # 20 random bytes give 160 bits; the shift clears the top bit so the
    # result fits the 159-bit limit enforced by the builders above.
    return int.from_bytes(os.urandom(20), "big") >> 1
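The following is an added example, not code from the cryptography project, showing how the interfaces recovered above fit together in practice: a CA certificate is built with CertificateBuilder, a request is built and signed with CertificateSigningRequestBuilder and checked with is_signature_valid before anything is issued from it, the leaf is revoked with RevokedCertificateBuilder and CertificateRevocationListBuilder, and the CRL is verified against the issuer's key before get_revoked_certificate_by_serial_number is trusted. The names "Example Test CA" and "leaf.example.test", the P-256 keys and the validity windows are all assumptions chosen for the example; it uses only the public cryptography.x509 API and runs offline.

```python
"""Added example exercising the cryptography.x509 builders, loaders and
verification methods. Keys, names and dates are constructed for the example."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_pki():
    """Build a CA, a CSR, a leaf issued from that CSR and a CRL revoking it."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    # Aware datetimes are accepted; the builders normalise them to naive UTC.
    now = datetime.datetime.now(datetime.timezone.utc).replace(microsecond=0)

    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name)
        .issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())  # 159-bit random serial
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(ca_key, hashes.SHA256())
    )

    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName("leaf.example.test")]), critical=False)
        .sign(leaf_key, hashes.SHA256())
    )
    # Proof of possession: never issue from a request whose signature fails.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify; refusing to issue")

    # Copy subject, key and SAN from the request. BasicConstraints is set by
    # the CA, never copied from the requester, so a leaf cannot ask to be a CA.
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(san.value, critical=san.critical)
        .sign(ca_key, hashes.SHA256())
    )

    revoked = (
        x509.RevokedCertificateBuilder()
        .serial_number(leaf_cert.serial_number)
        .revocation_date(now)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(now)
        .next_update(now + datetime.timedelta(days=1))
        .add_revoked_certificate(revoked)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_cert, csr, leaf_cert, crl


def is_revoked(cert, crl, issuer_public_key):
    """Check cert against crl. The CRL's signature and issuer are verified
    first so a forged or mis-attributed CRL cannot revoke or un-revoke anything."""
    if not crl.is_signature_valid(issuer_public_key):
        raise ValueError("CRL signature does not verify")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL issuer does not match certificate issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def pem_round_trip(cert):
    """Serialize to PEM and parse it back; the result must compare equal and
    keep the same fingerprint and tbsCertificate bytes."""
    pem = cert.public_bytes(serialization.Encoding.PEM)
    again = x509.load_pem_x509_certificate(pem)
    return (
        again == cert
        and again.fingerprint(hashes.SHA256()) == cert.fingerprint(hashes.SHA256())
        and again.tbs_certificate_bytes == cert.tbs_certificate_bytes
    )


if __name__ == "__main__":
    ca, csr, leaf, crl = build_pki()
    print("leaf revoked:", is_revoked(leaf, crl, ca.public_key()))
    print("PEM round trip ok:", pem_round_trip(leaf))
```

The revocation check deliberately rejects rather than returns False when the CRL does not verify or comes from a different issuer: a consumer that treats an unverifiable CRL as "nothing revoked" has turned revocation into a fail-open control.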