a ϏPfE @sddlmZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z mZddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZm Z dd l!m"Z"m#Z#dd l$m%Z%ed d d Z&ej'e j(e j)e j*e j+e j,e j-e j.e j/fZ0Gd dde1Z2ddddddZ3ddddddZ4dddddZ5GdddZ6Gd d!d!Z7Gd"d#d#ej8Z9Gd$d%d%e1Z:Gd&d'd'ej;d(Ze>=e j>Gd+d,d,e>Z?Gd-d.d.ej;d(Z@e@=e j@Gd/d0d0ej;d(ZAeA=e jAe jBZBe jCZCe jDZDe jEZEe jFZFe jGZGe jHZHGd1d2d2ZIGd3d4d4ZJGd5d6d6ZKGd7d8d8ZLd9d:d;d<ZMdS)=) annotationsN)utils)x509)hashes serialization)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificateIssuerPublicKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZddddfdd ZZS)AttributeNotFoundstrrNone)msgoidreturncst|||_dSN)super__init__r)selfrr __class__W/var/www/html/python-backend/venv/lib/python3.9/site-packages/cryptography/x509/base.pyr"9s zAttributeNotFound.__init____name__ __module__ __qualname__r" __classcell__r&r&r$r'r8srzExtension[ExtensionType]list[Extension[ExtensionType]]r) extension extensionsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r.r/er&r&r'_reject_duplicate_extension>s r2r0list[tuple[ObjectIdentifier, bytes, int | None]])r attributesrcCs$|D]\}}}||krtdqdS)Nz$This attribute has already been set.)r0)rr4Zattr_oid_r&r&r'_reject_duplicate_attributeHsr6datetime.datetimetimercCs:|jdur2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. Ntzinfo)r; utcoffsetdatetime timedeltareplace)r9offsetr&r&r'_convert_to_naive_utc_timeRs  rAc@sxeZdZejjfdddddddZeddd d Zeddd d Zd dddZ dddddZ ddddZ dS) Attributerbytesintr)rvalue_typercCs||_||_||_dSr )_oid_valuerF)r#rrErFr&r&r'r"aszAttribute.__init__rcCs|jSr )rGr#r&r&r'rksz Attribute.oidcCs|jSr )rHrJr&r&r'rEoszAttribute.valuercCsd|jd|jdS)Nz)rrErJr&r&r'__repr__sszAttribute.__repr__objectboolotherrcCs2t|tstS|j|jko0|j|jko0|j|jkSr ) isinstancerBNotImplementedrrErFr#rPr&r&r'__eq__vs    zAttribute.__eq__cCst|j|j|jfSr )hashrrErFrJr&r&r'__hash__szAttribute.__hash__N) r)r*r+rZ UTF8StringrEr"propertyrrLrTrVr&r&r&r'rB`s  rBc@sHeZdZdddddZed\ZZZddd d Zd d d ddZ dS) Attributesztyping.Iterable[Attribute]r)r4rcCst||_dSr )list _attributes)r#r4r&r&r'r"szAttributes.__init__rZrrIcCsd|jdS)Nz Zd?S)@ Certificatehashes.HashAlgorithmrC algorithmrcCsdSz4 Returns bytes using digest passed. Nr&r#rir&r&r' fingerprintszCertificate.fingerprintrDrIcCsdS)z3 Returns certificate serial number Nr&rJr&r&r' serial_numberszCertificate.serial_numberracCsdS)z1 Returns the certificate version Nr&rJr&r&r'versionszCertificate.versionrcCsdSz( Returns the public key Nr&rJr&r&r' public_keyszCertificate.public_keyr7cCsdS)z? Not before time (represented as UTC datetime) Nr&rJr&r&r'not_valid_beforeszCertificate.not_valid_beforecCsdS)zK Not before time (represented as a non-naive UTC datetime) Nr&rJr&r&r'not_valid_before_utcsz Certificate.not_valid_before_utccCsdS)z> Not after time (represented as UTC datetime) Nr&rJr&r&r'not_valid_afterszCertificate.not_valid_aftercCsdS)zJ Not after time (represented as a non-naive UTC datetime) Nr&rJr&r&r'not_valid_after_utcszCertificate.not_valid_after_utcrcCsdS)z1 Returns the issuer name object. Nr&rJr&r&r'issuerszCertificate.issuercCsdSz2 Returns the subject name object. Nr&rJr&r&r'subjectszCertificate.subjecthashes.HashAlgorithm | NonecCsdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr&rJr&r&r'signature_hash_algorithmsz$Certificate.signature_hash_algorithmrcCsdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr&rJr&r&r'signature_algorithm_oidsz#Certificate.signature_algorithm_oid0None | padding.PSS | padding.PKCS1v15 | ec.ECDSAcCsdSz= Returns the signature algorithm parameters. Nr&rJr&r&r'signature_algorithm_parameterssz*Certificate.signature_algorithm_parametersrcCsdS)z/ Returns an Extensions object. Nr&rJr&r&r'r/szCertificate.extensionscCsdSz. Returns the signature bytes. Nr&rJr&r&r' signature szCertificate.signaturecCsdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr&rJr&r&r'tbs_certificate_bytessz!Certificate.tbs_certificate_bytescCsdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr&rJr&r&r'tbs_precertificate_bytessz$Certificate.tbs_precertificate_bytesrMrNrOcCsdSz" Checks equality. Nr&rSr&r&r'rTszCertificate.__eq__cCsdSz" Computes a hash. Nr&rJr&r&r'rV%szCertificate.__hash__serialization.EncodingencodingrcCsdS)zB Serializes the certificate to PEM or DER format. Nr&r#rr&r&r' public_bytes+szCertificate.public_bytesr)rurcCsdS)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nr&)r#rur&r&r'verify_directly_issued_by1sz%Certificate.verify_directly_issued_byN)r)r*r+abcabstractmethodrlrWrmrnrprqrrrsrtrurwrzr|rr/rrrrTrVrrr&r&r&r'rfsrrf) metaclassc@sleZdZeejddddZeejddddZeejdddd Zeejd dd d Z d S)RevokedCertificaterDrIcCsdS)zG Returns the serial number of the revoked certificate. Nr&rJr&r&r'rm?sz RevokedCertificate.serial_numberr7cCsdS)zH Returns the date of when this certificate was revoked. Nr&rJr&r&r'revocation_dateFsz"RevokedCertificate.revocation_datecCsdS)zl Returns the date of when this certificate was revoked as a non-naive UTC datetime. Nr&rJr&r&r'revocation_date_utcMsz&RevokedCertificate.revocation_date_utcrcCsdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr&rJr&r&r'r/UszRevokedCertificate.extensionsN) r)r*r+rWrrrmrrr/r&r&r&r'r>src@sfeZdZddddddZedddd Zeddd d Zeddd d ZeddddZdS)_RawRevokedCertificaterDr7rrmrr/cCs||_||_||_dSr _serial_number_revocation_date _extensionsr#rmrr/r&r&r'r"bsz_RawRevokedCertificate.__init__rIcCs|jSr )rrJr&r&r'rmlsz$_RawRevokedCertificate.serial_numbercCstjdtjdd|jS)NukProperties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.rb) stacklevel)warningswarnrZDeprecatedIn42rrJr&r&r'rps z&_RawRevokedCertificate.revocation_datecCs|jjtjjdS)Nr:)rr?r=timezoneutcrJr&r&r'rzsz*_RawRevokedCertificate.revocation_date_utccCs|jSr )rrJr&r&r'r/~sz!_RawRevokedCertificate.extensionsN) r)r*r+r"rWrmrrr/r&r&r&r'ras  rc@seZdZejdddddZejddddd Zejd d d d dZeejddddZ eejddddZ eejddddZ eejddddZ eejddddZ eejdddd Zeejd!dd"d#Zeejd!dd$d%Zeejd&dd'd(Zeejddd)d*Zeejddd+d,Zejd-d.d/d0d1Zejd dd2d3Zejd d4d5d6d7Zejd8d9d5d:d7Zejd;ddd?d@ZejdAd.dBdCdDZdES)FCertificateRevocationListrrCrcCsdS)z: Serializes the CRL to PEM or DER format. Nr&rr&r&r'rsz&CertificateRevocationList.public_bytesrgrhcCsdSrjr&rkr&r&r'rlsz%CertificateRevocationList.fingerprintrDzRevokedCertificate | None)rmrcCsdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr&)r#rmr&r&r'(get_revoked_certificate_by_serial_numberszBCertificateRevocationList.get_revoked_certificate_by_serial_numberrxrIcCsdSryr&rJr&r&r'rzsz2CertificateRevocationList.signature_hash_algorithmrcCsdSr{r&rJr&r&r'r|sz1CertificateRevocationList.signature_algorithm_oidr}cCsdSr~r&rJr&r&r'rsz8CertificateRevocationList.signature_algorithm_parametersrcCsdS)zC Returns the X509Name with the issuer of this CRL. Nr&rJr&r&r'rusz CertificateRevocationList.issuerdatetime.datetime | NonecCsdS)z? Returns the date of next update for this CRL. Nr&rJr&r&r' next_updatesz%CertificateRevocationList.next_updatecCsdS)zc Returns the date of next update for this CRL as a non-naive UTC datetime. Nr&rJr&r&r'next_update_utcsz)CertificateRevocationList.next_update_utcr7cCsdS)z? Returns the date of last update for this CRL. Nr&rJr&r&r' last_updatesz%CertificateRevocationList.last_updatecCsdS)zc Returns the date of last update for this CRL as a non-naive UTC datetime. Nr&rJr&r&r'last_update_utcsz)CertificateRevocationList.last_update_utcrcCsdS)zS Returns an Extensions object containing a list of CRL extensions. Nr&rJr&r&r'r/sz$CertificateRevocationList.extensionscCsdSrr&rJr&r&r'rsz#CertificateRevocationList.signaturecCsdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr&rJr&r&r'tbs_certlist_bytessz,CertificateRevocationList.tbs_certlist_bytesrMrNrOcCsdSrr&rSr&r&r'rTsz CertificateRevocationList.__eq__cCsdS)z< Number of revoked certificates in the CRL. Nr&rJr&r&r'r^sz!CertificateRevocationList.__len__r)idxrcCsdSr r&r#rr&r&r'r`sz%CertificateRevocationList.__getitem__slicelist[RevokedCertificate]cCsdSr r&rr&r&r'r`sz int | slicez-RevokedCertificate | list[RevokedCertificate]cCsdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr&rr&r&r'r`sz#typing.Iterator[RevokedCertificate]cCsdS)z8 Iterator over the revoked certificates Nr&rJr&r&r'r_ sz"CertificateRevocationList.__iter__r)rprcCsdS)zQ Verifies signature of revocation list against given public key. Nr&)r#rpr&r&r'is_signature_validsz,CertificateRevocationList.is_signature_validN)r)r*r+rrrrlrrWrzr|rrurrrrr/rrrTr^typingoverloadr`r_rr&r&r&r'rsjrc@sNeZdZejdddddZejdddd Zejd dd d Zeejd dddZ eejddddZ eejddddZ eejddddZ eejddddZ eejddddZejdd d!d"d#Zeejd dd$d%Zeejd dd&d'Zeejddd(d)Zejdd d*d+d,Zd-S).CertificateSigningRequestrMrNrOcCsdSrr&rSr&r&r'rTsz CertificateSigningRequest.__eq__rDrIcCsdSrr&rJr&r&r'rV"sz"CertificateSigningRequest.__hash__rcCsdSror&rJr&r&r'rp(sz$CertificateSigningRequest.public_keyrcCsdSrvr&rJr&r&r'rw.sz!CertificateSigningRequest.subjectrxcCsdSryr&rJr&r&r'rz5sz2CertificateSigningRequest.signature_hash_algorithmrcCsdSr{r&rJr&r&r'r|?sz1CertificateSigningRequest.signature_algorithm_oidr}cCsdSr~r&rJr&r&r'rFsz8CertificateSigningRequest.signature_algorithm_parametersrcCsdS)z@ Returns the extensions in the signing request. Nr&rJr&r&r'r/Osz$CertificateSigningRequest.extensionsrXcCsdS)z/ Returns an Attributes object. Nr&rJr&r&r'r4Vsz$CertificateSigningRequest.attributesrrCrcCsdS)z; Encodes the request to PEM or DER format. Nr&rr&r&r'r]sz&CertificateSigningRequest.public_bytescCsdSrr&rJr&r&r'rcsz#CertificateSigningRequest.signaturecCsdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr&rJr&r&r'tbs_certrequest_bytesjsz/CertificateSigningRequest.tbs_certrequest_bytescCsdS)z8 Verifies signature of signing request. Nr&rJr&r&r'rrsz,CertificateSigningRequest.is_signature_validr[cCsdS)z: Get the attribute value for a given OID. Nr&)r#rr&r&r'r]ysz/CertificateSigningRequest.get_attribute_for_oidN)r)r*r+rrrTrVrprWrwrzr|rr/r4rrrrr]r&r&r&r'rsJrc@seZdZdggfddddddZddd d d Zd d ddddZdddddddddZd!dddddddddd ZdS)" CertificateSigningRequestBuilderN Name | Noner-r3) subject_namer/r4cCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrZ)r#rr/r4r&r&r'r"s z)CertificateSigningRequestBuilder.__init__rnamercCs4t|tstd|jdur$tdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rQr TypeErrorrr0rrrZr#rr&r&r'rs   z-CertificateSigningRequestBuilder.subject_namerrNextvalcriticalrcCsFt|tstdt|j||}t||jt|jg|j||j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rQrrrrr2rrrrZr#rrr.r&r&r' add_extensions   z.CertificateSigningRequestBuilder.add_extension)_tagrrCz_ASN1Type | None)rrErrcCs~t|tstdt|ts$td|dur>t|ts>tdt||j|durZ|j}nd}t|j |j g|j|||fS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rQrrrCrr6rZrErrr)r#rrErtagr&r&r' add_attributes   z.CertificateSigningRequestBuilder.add_attribute rsa_paddingr_AllowedHashTypes | None typing.Any%padding.PSS | padding.PKCS1v15 | Noner private_keyribackendrrcCsX|jdurtd|durHt|tjtjfs4tdt|tjsHtdt ||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subjectPadding must be PSS or PKCS1v15&Padding is only supported for RSA keys) rr0rQr PSSPKCS1v15rr RSAPrivateKey rust_x509Zcreate_x509_csrr#rrirrr&r&r'signs  z%CertificateSigningRequestBuilder.sign)N)r)r*r+r"rrrrr&r&r&r'rs  $rc @seZdZUded<ddddddgfddddddddd d d Zd dd ddZd dd ddZdddddZdddddZdddddZ dddddZ d d!dd"d#d$Z d.dd%d&d'd(d)d*d+d,d-Z dS)/CertificateBuilderr-rNrz CertificatePublicKeyTypes | None int | Nonerr) issuer_namerrprmrqrsr/rcCs6tj|_||_||_||_||_||_||_||_ dSr ) rarc_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r#rrrprmrqrsr/r&r&r'r"s zCertificateBuilder.__init__rrcCsDt|tstd|jdur$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rQrrrr0rrrrrrrrr&r&r'r s  zCertificateBuilder.issuer_namecCsDt|tstd|jdur$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rQrrrr0rrrrrrrrr&r&r'rs  zCertificateBuilder.subject_namer)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdur@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rQrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrZX25519PublicKeyr Z X448PublicKeyrrr0rrrrrrr)r#rr&r&r'rp/s2  zCertificateBuilder.public_keyrDnumberrcCsht|tstd|jdur$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rQrDrrr0 bit_lengthrrrrrrrr#rr&r&r'rmTs&   z CertificateBuilder.serial_numberr7r8cCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rQr=rrr0rA_EARLIEST_UTC_TIMErrrrrrrr#r9r&r&r'rqos,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.ztd|jdurZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rQr=rrr0rArrrrrr)r#rr&r&r'r s(  z,CertificateRevocationListBuilder.last_update)rrcCsrt|tjstd|jdur&tdt|}|tkr>td|jdurZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rQr=rrr0rArrrrrr)r#rr&r&r'r#s(  z,CertificateRevocationListBuilder.next_updaterrNrcCsNt|tstdt|j||}t||jt|j|j |j g|j||j S)zM Adds an X.509 extension to the certificate revocation list. r) rQrrrrr2rrrrrrrr&r&r'r;s   z.CertificateRevocationListBuilder.add_extensionr)revoked_certificatercCs4t|tstdt|j|j|j|jg|j|S)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rQrrrrrrrr)r#rr&r&r'add_revoked_certificateNs  z8CertificateRevocationListBuilder.add_revoked_certificaterrrrrrrcCs||jdurtd|jdur$td|jdur6td|durlt|tjtjfsXtdt|t j sltdt ||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update timerr) rr0rrrQr rrrr rrZcreate_x509_crlrr&r&r'r_s    z%CertificateRevocationListBuilder.sign)N) r)r*r+rr"rrrrrrr&r&r&r'rs" rc@sjeZdZddgfddddddZddd d d Zd dd ddZddddddZddddddZdS)RevokedCertificateBuilderNrrr-rcCs||_||_||_dSr rrr&r&r'r"|sz"RevokedCertificateBuilder.__init__rDrcCsXt|tstd|jdur$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rQrDrrr0rrrrrr&r&r'rms    z'RevokedCertificateBuilder.serial_numberr7r8cCsNt|tjstd|jdur&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rQr=rrr0rArrrrrr&r&r'rs   z)RevokedCertificateBuilder.revocation_daterrNrcCsFt|tstdt|j||}t||jt|j|j g|j|S)Nr) rQrrrrr2rrrrrr&r&r'rs   z'RevokedCertificateBuilder.add_extensionrr)rrcCs:|jdurtd|jdur$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr0rrrr)r#rr&r&r'builds  zRevokedCertificateBuilder.build)N)r)r*r+r"rmrrrr&r&r&r'r{s rrDrIcCsttddd?S)Nbigr)rD from_bytesosurandomr&r&r&r'random_serial_numbersr)N __future__rrr=rrrZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrrr r r r r rZ/cryptography.hazmat.primitives.asymmetric.typesrrrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrrUnionSHA224SHA256SHA384SHA512ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512Z_AllowedHashTypes Exceptionrr2r6rArBrXEnumrardABCMetarfregisterrrrrZload_pem_x509_certificateZload_der_x509_certificateZload_pem_x509_certificatesZload_pem_x509_csrZload_der_x509_csrZload_pem_x509_crlZload_der_x509_crlrrrrrr&r&r&r'st   (     $  " f evI