Compiled Python bytecode (.pyc) of /usr/lib/python3/dist-packages/cryptography/x509/ocsp.py. The bytecode itself is not readable text; what follows is the module structure, docstrings and validation messages that survive in the file.

Imports: abc, datetime, typing; cryptography.utils; cryptography.x509; cryptography.hazmat.primitives.hashes and serialization; from cryptography.x509.base: _EARLIEST_UTC_TIME, _PRIVATE_KEY_TYPES, _convert_to_naive_utc_time, _reject_duplicate_extension.

Module-level data:
  _OIDS_TO_HASH maps digest OIDs to hash classes:
    1.3.14.3.2.26          -> hashes.SHA1
    2.16.840.1.101.3.4.2.4 -> hashes.SHA224
    2.16.840.1.101.3.4.2.1 -> hashes.SHA256
    2.16.840.1.101.3.4.2.2 -> hashes.SHA384
    2.16.840.1.101.3.4.2.3 -> hashes.SHA512
  _ALLOWED_HASHES = (SHA1, SHA224, SHA256, SHA384, SHA512)
  _verify_algorithm(algorithm): raises ValueError "Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512" unless algorithm is an instance of one of _ALLOWED_HASHES.

Enums (utils.Enum):
  OCSPResponderEncoding: HASH = "By Hash", NAME = "By Name"
  OCSPResponseStatus: SUCCESSFUL, MALFORMED_REQUEST, INTERNAL_ERROR, TRY_LATER, SIG_REQUIRED, UNAUTHORIZED (_RESPONSE_STATUS_TO_ENUM maps each member's value back to the member)
  OCSPCertStatus: GOOD, REVOKED, UNKNOWN (_CERT_STATUS_TO_ENUM maps each member's value back to the member)

class _SingleResponse
  __init__(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason)
  Stores _cert, _issuer, _algorithm, _this_update, _next_update, _cert_status, _revocation_time, _revocation_reason after validation. Error messages present in the file:
    TypeError  "cert and issuer must be a Certificate"
    TypeError  "this_update must be a datetime object"
    TypeError  "next_update must be a datetime object or None"
    TypeError  "cert_status must be an item from the OCSPCertStatus enum"
    ValueError "revocation_time can only be provided if the certificate is revoked"
    ValueError "revocation_reason can only be provided if the certificate is revoked"
    TypeError  "revocation_time must be a datetime object"
    ValueError "The revocation_time must be on or after 1950 January 1." (revocation_time is passed through _convert_to_naive_utc_time and compared against _EARLIEST_UTC_TIME)
    TypeError  "revocation_reason must be an item from the ReasonFlags enum or None"

class OCSPRequest (metaclass=abc.ABCMeta), abstract properties/methods with docstrings:
  issuer_key_hash   -> bytes: "The hash of the issuer public key"
  issuer_name_hash  -> bytes: "The hash of the issuer name"
  hash_algorithm    -> hashes.HashAlgorithm: "The hash algorithm used in the issuer name and key hashes"
  serial_number     -> int: "The serial number of the cert whose status is being checked"
  public_bytes(encoding: serialization.Encoding) -> bytes: "Serializes the request to DER"
  extensions        -> x509.Extensions: "The list of request extensions. Not single request extensions."

class OCSPResponse (metaclass=abc.ABCMeta), abstract properties/methods with docstrings:
  response_status          -> OCSPResponseStatus: "The status of the response. This is a value from the OCSPResponseStatus enumeration"
  signature_algorithm_oid  -> x509.ObjectIdentifier: "The ObjectIdentifier of the signature algorithm"
  signature_hash_algorithm -> Optional[hashes.HashAlgorithm]: "Returns a HashAlgorithm corresponding to the type of the digest signed"
  signature                -> bytes: "The signature bytes"
  tbs_response_bytes       -> bytes: "The tbsResponseData bytes"
  certificates             -> List[x509.Certificate]: "A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate."
  responder_key_hash       -> Optional[bytes]: "The responder's key hash or None"
  responder_name           -> Optional[x509.Name]: "The responder's Name or None"
  produced_at              -> datetime.datetime: "The time the response was produced"
  certificate_status       -> OCSPCertStatus: "The status of the certificate (an element from the OCSPCertStatus enum)"
  revocation_time          -> Optional[datetime.datetime]: "The date of when the certificate was revoked or None if not revoked."
  revocation_reason        -> Optional[x509.ReasonFlags]: "The reason the certificate was revoked or None if not specified or not revoked."
  this_update              -> datetime.datetime: "The most recent time at which the status being indicated is known by the responder to have been correct"
  next_update              -> Optional[datetime.datetime]: "The time when newer information will be available"
  issuer_key_hash, issuer_name_hash, hash_algorithm, serial_number: same docstrings as on OCSPRequest
  extensions               -> x509.Extensions: "The list of response extensions. Not single response extensions."
  single_extensions        -> x509.Extensions: "The list of single response extensions. Not response extensions."
  public_bytes(encoding: serialization.Encoding) -> bytes: "Serializes the response to DER"

class OCSPRequestBuilder
  __init__(request=None, extensions=[]): stores _request, _extensions
  add_certificate(cert, issuer, algorithm) -> OCSPRequestBuilder
    ValueError "Only one certificate can be added to a request" if a certificate is already set; runs _verify_algorithm; TypeError "cert and issuer must be a Certificate"
  add_extension(extval, critical) -> OCSPRequestBuilder
    TypeError "extension must be an ExtensionType"; wraps it in x509.Extension(extval.oid, critical, extval) and applies _reject_duplicate_extension
  build() -> OCSPRequest
    ValueError "You must add a certificate before building"; otherwise delegates to cryptography.hazmat.backends.openssl.backend.create_ocsp_request(self)

class OCSPResponseBuilder
  __init__(response=None, responder_id=None, certs=None, extensions=[]): stores _response, _responder_id, _certs, _extensions
  add_response(cert, issuer, algorithm, cert_status, this_update, next_update, revocation_time, revocation_reason) -> OCSPResponseBuilder
    ValueError "Only one response per OCSPResponse."; builds a _SingleResponse
  responder_id(encoding: OCSPResponderEncoding, responder_cert: x509.Certificate) -> OCSPResponseBuilder
    ValueError "responder_id can only be set once"; TypeError "responder_cert must be a Certificate"; TypeError "encoding must be an element from OCSPResponderEncoding"
  certificates(certs: Iterable[x509.Certificate]) -> OCSPResponseBuilder
    ValueError "certificates may only be set once"; ValueError "certs must not be an empty list"; TypeError "certs must be a list of Certificates"
  add_extension(extval, critical) -> OCSPResponseBuilder
    TypeError "extension must be an ExtensionType"; applies _reject_duplicate_extension
  sign(private_key, algorithm) -> OCSPResponse
    ValueError "You must add a response before signing"; ValueError "You must add a responder_id before signing"; delegates to backend.create_ocsp_response(OCSPResponseStatus.SUCCESSFUL, self, private_key, algorithm)
  classmethod build_unsuccessful(response_status) -> OCSPResponse
    TypeError "response_status must be an item from OCSPResponseStatus"; ValueError "response_status cannot be SUCCESSFUL"; delegates to backend.create_ocsp_response(response_status, None, None, None)

Module functions:
  load_der_ocsp_request(data: bytes) -> OCSPRequest: delegates to backend.load_der_ocsp_request(data)
  load_der_ocsp_response(data: bytes) -> OCSPResponse: delegates to backend.load_der_ocsp_response(data)