pg3A$ddlZddlZddlZddlmZddlmZddlmZddlm Z m Z ddl m Z ddl mZmZmZGdd ejZGd d ejZe je je je je jfZd e jd dfdZGddejZGddZGddejZGddejZ GddejZ!GddZ"GddZ#de$d efdZ%de$d e!fd Z&dS)!N)utils)x509)ocsp)hashes serialization)CERTIFICATE_PRIVATE_KEY_TYPES)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionceZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAME8/usr/lib/python3/dist-packages/cryptography/x509/ocsp.pyr r s D DDDrr c&eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) rrr SUCCESSFULMALFORMED_REQUESTINTERNAL_ERROR TRY_LATER SIG_REQUIRED UNAUTHORIZEDrrrrrs-JNILLLLrr algorithmreturncNt|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)r#s r_verify_algorithmr)/s3 i 1 1  G     rceZdZdZdZdZdS)OCSPCertStatusrrrN)rrrGOODREVOKEDUNKNOWNrrrr+r+6s DGGGGrr+ceZdZdejdejdejdedejde j ejde j ejde j ej fd Z d S) _SingleResponsecertissuerr# cert_status this_update next_updaterevocation_timerevocation_reasonc ft|tjrt|tjstdt |t|t jstd|)t|t jstd||_||_||_||_ ||_ t|tstd|tj ur#|td|tdn}t|t jstdt|}|tkrtd|)t|tjstd ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r&r Certificate TypeErrorr)datetime_cert_issuer _algorithm _this_update _next_updater+r-r(r r ReasonFlags _cert_status_revocation_time_revocation_reason) selfr1r2r#r3r4r5r6r7s r__init__z_SingleResponse.__init__=s$ 011 E D$: :  ECDD D)$$$+x'899 ECDD D  ": *, , "KLL L  #''+~66 J  n4 4 4* !!, "- ox/@AA M KLLL8IIO!333 ' !,Z!4#366, # ( /"3rN) rrrrr:r HashAlgorithmr+r<typingOptionalrBrGrrrr0r0<sB4B4 B4' B4 $ B4 & B4_X%67B4 ):;B4"?4+;<B4B4B4B4B4B4rr0ceZdZejdefdZejdefdZejdej fdZ ejde fdZ ej dejdefdZejdejfdZd S) OCSPRequestr$cdSz3 The hash of the issuer public key NrrFs rissuer_key_hashzOCSPRequest.issuer_key_hashrcdSz- The hash of the issuer name NrrOs rissuer_name_hashzOCSPRequest.issuer_name_hashrQrcdSzK The hash algorithm used in the issuer name and key hashes NrrOs rhash_algorithmzOCSPRequest.hash_algorithmrQrcdSzM The serial number of the cert whose status is being checked NrrOs r serial_numberzOCSPRequest.serial_numberrQrencodingcdS)z/ Serializes the request to DER NrrFr[s r public_byteszOCSPRequest.public_bytesrQrcdS)zP The list of request extensions. Not single request extensions. NrrOs r extensionszOCSPRequest.extensionsrQrN)rrrabcabstractpropertybytesrPrTrrHrWintrZabstractmethodrEncodingr^r Extensionsr`rrrrLrLs#       %       4      s      ]%;       DO      rrL) metaclassceZdZejdefdZejdeje j fdZ ejdeje j fdZ ejde j fdZejdeje j fdZejdefdZejdefdZejdejfd Zejdefd Zd S) OCSPSingleResponser$cdSzY The status of the certificate (an element from the OCSPCertStatus enum) NrrOs rcertificate_statusz%OCSPSingleResponse.certificate_statusrQrcdSz^ The date of when the certificate was revoked or None if not revoked. NrrOs rr6z"OCSPSingleResponse.revocation_timerQrcdSzi The reason the certificate was revoked or None if not specified or not revoked. NrrOs rr7z$OCSPSingleResponse.revocation_reasonrQrcdSz The most recent time at which the status being indicated is known by the responder to have been correct NrrOs rr4zOCSPSingleResponse.this_updaterQrcdSzC The time when newer information will be available NrrOs rr5zOCSPSingleResponse.next_updaterQrcdSrNrrOs rrPz"OCSPSingleResponse.issuer_key_hashrQrcdSrSrrOs rrTz#OCSPSingleResponse.issuer_name_hashrQrcdSrVrrOs rrWz!OCSPSingleResponse.hash_algorithmrQrcdSrYrrOs rrZz OCSPSingleResponse.serial_numberrQrN)rrrrarbr+rmrIrJr<r6rrBr7r4r5rcrPrTrrHrWrdrZrrrrjrjs N      1B!C      6?43C#D      X.      V_X->?            %       4      s      rrjceZdZejdejefdZejde fdZ ejde j fdZ ejdejejfdZejdefdZejdefdZejdeje jfdZejdejefd Zejdeje jfd Zejdejfd Zejdefd Zejdejejfd Zejdeje j fdZ!ejdejfdZ"ejdejejfdZ#ejdefdZ$ejdefdZ%ejdejfdZ&ejde'fdZ(ejde j)fdZ*ejde j)fdZ+ej,de-j.defdZ/dS) OCSPResponser$cdS)z_ An iterator over the individual SINGLERESP structures in the response NrrOs r responseszOCSPResponse.responsesrQrcdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration NrrOs rresponse_statuszOCSPResponse.response_statusrQrcdS)zA The ObjectIdentifier of the signature algorithm NrrOs rsignature_algorithm_oidz$OCSPResponse.signature_algorithm_oidrQrcdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed NrrOs rsignature_hash_algorithmz%OCSPResponse.signature_hash_algorithmrQrcdS)z% The signature bytes NrrOs r signaturezOCSPResponse.signaturerQrcdS)z+ The tbsResponseData bytes NrrOs rtbs_response_byteszOCSPResponse.tbs_response_bytesrQrcdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. NrrOs r certificateszOCSPResponse.certificates rQrcdS)z2 The responder's key hash or None NrrOs rresponder_key_hashzOCSPResponse.responder_key_hashrQrcdS)z. The responder's Name or None NrrOs rresponder_namezOCSPResponse.responder_namerQrcdS)z4 The time the response was produced NrrOs r produced_atzOCSPResponse.produced_at rQrcdSrlrrOs rrmzOCSPResponse.certificate_status&rQrcdSrorrOs rr6zOCSPResponse.revocation_time,rQrcdSrqrrOs rr7zOCSPResponse.revocation_reason3rQrcdSrsrrOs rr4zOCSPResponse.this_update:rQrcdSrurrOs rr5zOCSPResponse.next_updateArQrcdSrNrrOs rrPzOCSPResponse.issuer_key_hashGrQrcdSrSrrOs rrTzOCSPResponse.issuer_name_hashMrQrcdSrVrrOs rrWzOCSPResponse.hash_algorithmSrQrcdSrYrrOs rrZzOCSPResponse.serial_numberYrQrcdS)zR The list of response extensions. Not single response extensions. NrrOs rr`zOCSPResponse.extensions_rQrcdS)zR The list of single response extensions. Not response extensions. NrrOs rsingle_extensionszOCSPResponse.single_extensionserQrr[cdS)z0 Serializes the response to DER Nrr]s rr^zOCSPResponse.public_byteskrQrN)0rrrrarbrIIteratorrjr}rrrObjectIdentifierrrJrrHrrcrrListr:rrNamerr<rr+rmr6rBr7r4r5rPrTrWrdrZrgr`rrerrfr^rrrr{r{s* 6?+=>      !3      )>      - .      5      E      fk$*:;      FOE$:       :      X.      N      1B!C      6?43C#D      X.      V_X->?            %       4      s      DO      4?      ]%;       rr{ceZdZdgfdejejejejej fdej ej ej ddfdZ dejdejdej ddfd Zd ej d eddfd Zdefd ZdS)OCSPRequestBuilderNrequestr`r$c"||_||_dSN)_request _extensions)rFrr`s rrGzOCSPRequestBuilder.__init__ss  %rr1r2r#c|jtdt|t|tjrt|tjst dt|||f|jS)Nz.Only one certificate can be added to a requestr9) rr(r)r&rr:r;rr)rFr1r2r#s radd_certificatez"OCSPRequestBuilder.add_certificates = $MNN N)$$$$ 011 E D$: :  ECDD D!4";T=MNNNrextvalcriticalct|tjstdtj|j||}t ||jt|j |j|gzSNz"extension must be an ExtensionType) r&r ExtensionTyper; Extensionoidr rrrrFrr extensions r add_extensionz OCSPRequestBuilder.add_extensionst&$"455 B@AA AN6:x@@ #It/?@@@! M4+yk9   rcV|jtdtj|S)Nz*You must add a certificate before building)rr(rcreate_ocsp_requestrOs rbuildzOCSPRequestBuilder.builds* = IJJ J'---r)rrrrIrJTuplerr:rrHrrrrGrboolrrLrrrrrrrs FH & & L $"2F4HH   &Kt/A BC &  & & & &OO O' O  OOOO"  (  48       .{......rrc`eZdZdddgfdejedejejeje fdejej ejdej ej ej fdZ dejdejd ejd ed ejd ejejd ejejdejejddfdZde dejddfdZdejejddfdZdej deddfdZded ejejdefdZededefdZdS)OCSPResponseBuilderNresponse responder_idcertsr`c>||_||_||_||_dSr) _response _responder_id_certsr)rFrrrr`s rrGzOCSPResponseBuilder.__init__s(") %rr1r2r#r3r4r5r6r7r$c |jtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rr(r0rrrr) rFr1r2r#r3r4r5r6r7 singleresps r add_responsez OCSPResponseBuilder.add_responsesj > %BCC C$           #    K      rr[responder_certc|jtdt|tjst dt|t st dt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rr(r&rr:r;r rrrr)rFr[rs rrz OCSPResponseBuilder.responder_ids   )@AA A.$*:;; DBCC C($9:: H # N X & K      rc"|jtdt|}t|dkrtdt d|Dst dt |j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listc3JK|]}t|tjVdSr)r&rr:).0xs r z3OCSPResponseBuilder.certificates..s/BBq:a!122BBBBBBrz$certs must be a list of Certificates) rr(listlenallr;rrrr)rFrs rrz OCSPResponseBuilder.certificatess ; "@AA AU  u::??>?? ?BBEBBBBB DBCC C" N         rrrct|tjstdtj|j||}t ||jt|j |j |j |j|gzSr) r&rrr;rrr rrrrrrs rrz!OCSPResponseBuilder.add_extensions&$"455 B@AA AN6:x@@ #It/?@@@" N   K   { *    r private_keyc|jtd|jtdtjt j|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rr(rrcreate_ocsp_responserr)rFrr#s rsignzOCSPResponseBuilder.signsT > !EFF F   %IJJ J(  )4i   rrct|tstd|tjurt dt j|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r&rr;rr(rr)clsrs rbuild_unsuccessfulz&OCSPResponseBuilder.build_unsuccessfulsc/+=>> I  0; ; ;CDD D($dKKKr)rrrrIrJr0rrr:r rrrrGrrHr+r<rBrrIterablerrrrr{r classmethodrrrrrrrs:6: @DFH & &//2 &o L)+@@ A  & v{4+;<= &Kt/A BC & & & &    '  $  &  _X%67  ):; "?4+;<      > - ?C?O     & _T%56     " ( 48      2  ?6#78         L0 L  L L L[ L L Lrrdatac*tj|Sr)rload_der_ocsp_requestrs rrr"s  %d + ++rc*tj|Sr)rload_der_ocsp_responsers rrr&s  &t , ,,r)'rar<rI cryptographyrr"cryptography.hazmat.bindings._rustrcryptography.hazmat.primitivesrr/cryptography.hazmat.primitives.asymmetric.typesrcryptography.x509.baser r r Enumr rSHA1SHA224SHA256SHA384SHA512r'rHr)r+r0ABCMetarLrjr{rrrcrrrrrrs    333333@@@@@@@@EJ  K M M M M  !5 $    UZ C4C4C4C4C4C4C4C4L# # # # # CK# # # # L8 8 8 8 8 3;8 8 8 8 vL L L L L S[L L L L ^/./././././././.d{L{L{L{L{L{L{L{L|,,+,,,,--<------r