h ddlZddlZddlZddlZddlmZddlmZddl m Z m Z ddl m Z mZmZmZmZmZmZddlmZmZmZddlmZmZmZmZddlmZmZdd l m!Z!ejd d d Z"ej#e j$e j%e j&e j'e j(e j)e j*e j+fZ,Gd d e-Z.deedej/eeddfdZ0de!dej/ej1e!e2ej3e4fddfdZ5dejdejfdZ6GddZ7GddZ8Gddej9Z:Gdde-Z;Gdd ej<!Z=e=>ej=Gd"d#ej<!Z?e?>ej?Gd$d%e?Z@Gd&d'ej<!ZAeA>ejAGd(d)ej<!ZBeB>ejB d)rrBrHs r$__repr__zAttribute.__repr__rsCCC4:CCCCr%otherct|tstS|j|jko|j|jko|j|jkSr) isinstancerANotImplementedrrBrCr"rMs r$__eq__zAttribute.__eq__usO%++ "! ! H ! * ek) * ek) r%cDt|j|j|jfSr)hashrrBrCrHs r$__hash__zAttribute.__hash__sTXtz4:6777r%)r&r'r(r UTF8StringrBrbytesintr!propertyrr)rLobjectboolrRrUr%r$rArA_s  )/     %XuXD#DDDD F t    8#888888r%rAcneZdZdejeddfdZed\ZZ Z de fdZ de defdZdS) Attributesr2rNc.t||_dSr)list _attributes)r"r2s r$r!zAttributes.__init__s ++r%racd|jdS)Nz Not after time (represented as UTC datetime) Nr\rHs r$not_valid_afterzCertificate.not_valid_afterr{r%cdS)z1 Returns the issuer name object. Nr\rHs r$issuerzCertificate.issuerr{r%cdSz2 Returns the subject name object. Nr\rHs r$subjectzCertificate.subjectr{r%cdSzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. Nr\rHs r$signature_hash_algorithmz$Certificate.signature_hash_algorithmr{r%cdSzJ Returns the ObjectIdentifier of the signature algorithm. Nr\rHs r$signature_algorithm_oidz#Certificate.signature_algorithm_oidr{r%cdS)z/ Returns an Extensions object. Nr\rHs r$r-zCertificate.extensionsr{r%cdSz. Returns the signature bytes. Nr\rHs r$ signaturezCertificate.signaturer{r%cdS)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. Nr\rHs r$tbs_certificate_bytesz!Certificate.tbs_certificate_bytesr{r%cdS)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. Nr\rHs r$tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytesr{r%rMcdSz" Checks equality. Nr\rQs r$rRzCertificate.__eq__r{r%cdSz" Computes a hash. Nr\rHs r$rUzCertificate.__hash__ r{r%encodingcdS)zB Serializes the certificate to PEM or DER format. Nr\r"rs r$ public_byteszCertificate.public_bytesr{r%rNcdS)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nr\)r"rs r$verify_directly_issued_byz%Certificate.verify_directly_issued_byr{r%)rrurN)(r&r'r(abcabstractmethodr HashAlgorithmrWrzrYrXr}rlrrrr;rrrrrrfOptionalrrrrr-rrrrZr[rRrUrEncodingrrr\r%r$rurus V%9 e     s   X     X   5     ("3   X  !2   X     X     X  - .   X  )9   X  J   X  5   X  u   X  %   X   F t      #      ]%;            r%ru) metaclassceZdZeejdefdZeejdejfdZ eejde fdZ dS)RevokedCertificatercdS)zG Returns the serial number of the revoked certificate. Nr\rHs r$r}z RevokedCertificate.serial_number'r{r%cdS)zH Returns the date of when this certificate was revoked. Nr\rHs r$revocation_datez"RevokedCertificate.revocation_date.r{r%cdS)zW Returns an Extensions object containing a list of Revoked extensions. Nr\rHs r$r-zRevokedCertificate.extensions5r{r%N) r&r'r(rYrrrXr}r;rrr-r\r%r$rr&s  s   X  !2   X  J   X   r%rceZdZdedejdefdZedefdZedejfdZ edefdZ d S) _RawRevokedCertificater}rr-c0||_||_||_dSr_serial_number_revocation_date _extensionsr"r}rr-s r$r!z_RawRevokedCertificate.__init__B" , /%r%rc|jSr)rrHs r$r}z$_RawRevokedCertificate.serial_numberLs ""r%c|jSr)rrHs r$rz&_RawRevokedCertificate.revocation_datePs $$r%c|jSr)rrHs r$r-z!_RawRevokedCertificate.extensionsTs r%N) r&r'r(rXr;rr!rYr}rr-r\r%r$rrAs&&"*& &&&&#s###X#%!2%%%X% J   X   r%rcDeZdZejdejdefdZejde j defdZ ejde de jefdZeejde je j fdZeejdefd Zeejdefd Zeejde jejfd Zeejdejfd Zeejdefd ZeejdefdZeejdefdZejdedefdZ ejde fdZ!e j"de defdZ#e j"de$de j%efdZ#ejde j&e e$fde j&ee j%effdZ#ejde j'efdZ(ejde)defdZ*dS)CertificateRevocationListrrcdS)z: Serializes the CRL to PEM or DER format. Nr\rs r$rz&CertificateRevocationList.public_bytesZr{r%rvcdSrxr\rys r$rzz%CertificateRevocationList.fingerprint`r{r%r}cdS)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr\)r"r}s r$(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_numberfr{r%cdSrr\rHs r$rz2CertificateRevocationList.signature_hash_algorithmor{r%cdSrr\rHs r$rz1CertificateRevocationList.signature_algorithm_oidyr{r%cdS)zC Returns the X509Name with the issuer of this CRL. Nr\rHs r$rz CertificateRevocationList.issuerr{r%cdS)z? Returns the date of next update for this CRL. Nr\rHs r$ next_updatez%CertificateRevocationList.next_updater{r%cdS)z? Returns the date of last update for this CRL. Nr\rHs r$ last_updatez%CertificateRevocationList.last_updater{r%cdS)zS Returns an Extensions object containing a list of CRL extensions. Nr\rHs r$r-z$CertificateRevocationList.extensionsr{r%cdSrr\rHs r$rz#CertificateRevocationList.signaturer{r%cdS)zO Returns the tbsCertList payload bytes as defined in RFC 5280. Nr\rHs r$tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytesr{r%rMcdSrr\rQs r$rRz CertificateRevocationList.__eq__r{r%cdS)z< Number of revoked certificates in the CRL. Nr\rHs r$rhz!CertificateRevocationList.__len__r{r%idxcdSrr\r"rs r$rjz%CertificateRevocationList.__getitem__ r%cdSrr\rs r$rjz%CertificateRevocationList.__getitem__rr%cdS)zS Returns a revoked certificate (or slice of revoked certificates). Nr\rs r$rjz%CertificateRevocationList.__getitem__r{r%cdS)z8 Iterator over the revoked certificates Nr\rHs r$riz"CertificateRevocationList.__iter__r{r%rcdS)zQ Verifies signature of revocation list against given public key. Nr\)r"rs r$is_signature_validz,CertificateRevocationList.is_signature_validr{r%N)+r&r'r(rrrrrWrrrrzrXrfrrrrYrrrrrr;rrrr-rrrZr[rRrhoverloadrjsliceListUnionIteratorrirrr\r%r$rrYs ]%;       V%9 e        + ,     - .   X  )9   X     X  V_X->?   X  X.   X  J   X  5   X  E   X   F t           _ s '9   _  _ u 5G)H   _   <U + (&+6H*II J      &/*<=      9       r%rceZdZejdedefdZejdefdZ ejde fdZ e ejde fdZe ejdejejfdZe ejdefdZe ejdefd Ze ejdefd Zejd ejdefd Ze ejdefd Ze ejdefdZe ejdefdZ ejdedefdZ!dS)CertificateSigningRequestrMrcdSrr\rQs r$rRz CertificateSigningRequest.__eq__r{r%cdSrr\rHs r$rUz"CertificateSigningRequest.__hash__r{r%cdSrr\rHs r$rz$CertificateSigningRequest.public_keyr{r%cdSrr\rHs r$rz!CertificateSigningRequest.subjectr{r%cdSrr\rHs r$rz2CertificateSigningRequest.signature_hash_algorithmr{r%cdSrr\rHs r$rz1CertificateSigningRequest.signature_algorithm_oidr{r%cdS)z@ Returns the extensions in the signing request. Nr\rHs r$r-z$CertificateSigningRequest.extensionsr{r%cdS)z/ Returns an Attributes object. Nr\rHs r$r2z$CertificateSigningRequest.attributes r{r%rcdS)z; Encodes the request to PEM or DER format. Nr\rs r$rz&CertificateSigningRequest.public_bytesr{r%cdSrr\rHs r$rz#CertificateSigningRequest.signaturer{r%cdS)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. Nr\rHs r$tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytesr{r%cdS)z8 Verifies signature of signing request. Nr\rHs r$rz,CertificateSigningRequest.is_signature_valid&r{r%rcdS)z: Get the attribute value for a given OID. Nr\)r"rs r$rez/CertificateSigningRequest.get_attribute_for_oid-r{r%N)"r&r'r(rrrZr[rRrXrUrrrYrrrfrrrrrrrr-r^r2rrrWrrrrrer\r%r$rrs F t      #      5        X  - .   X  )9   X  J   X  J   X   ]%;      5   X  u   X  D   X   )9 e      r%rdatabackendc*tj|Sr) rust_x509load_pem_x509_certificaterrs r$rr9  .t 4 44r%c*tj|Sr)rload_pem_x509_certificates)rs r$rr?s  / 5 55r%c*tj|Sr)rload_der_x509_certificaters r$rrDrr%c*tj|Sr)rload_pem_x509_csrrs r$rrK  &t , ,,r%c*tj|Sr)rload_der_x509_csrrs r$rrRrr%c*tj|Sr)rload_pem_x509_crlrs r$rrYrr%c*tj|Sr)rload_der_x509_crlrs r$rr`rr%c >eZdZdggfdejedejeedejej e e eje ffdZ deddfdZd ed eddfd Zdd d e de dejeddfdZ ddedejedejdefdZdS) CertificateSigningRequestBuilderN subject_namer-r2c0||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_namerra)r"rr-r2s r$r!z)CertificateSigningRequestBuilder.__init__gs"*%%r%namerct|tstd|jt dt ||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.)rOr TypeErrorrr/rrrar"rs r$rz-CertificateSigningRequestBuilder.subject_namevs\$%% ;9:: :   )EFF F/ $"D$4   r%extvalcriticalct|tstdt|j||}t ||jt|j|j|gz|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rOrr rrr1rrrrar"r r r,s r$ add_extensionz.CertificateSigningRequestBuilder.add_extensionsw &-00 B@AA Afj(F;; #It/?@@@/     { *     r%)_tagrrBrcnt|tstdt|tstd|$t|tstdt ||j||j}nd}t|j |j |j|||fgzS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rOrr rWrr6rarBrrr)r"rrBrtags r$ add_attributez.CertificateSigningRequestBuilder.add_attributes#/00 ?=>> >%'' 3122 2  JtY$?$? 344 4#C)9:::  *CCC/      eS 12 2   r% private_keyrvrcZ|jtdtj|||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rr/rcreate_x509_csrr"rrvrs r$signz%CertificateSigningRequestBuilder.signs1   %NOO O({IFFFr%r)r&r'r(rfrrrrrTuplerrWrXr!rr[rrrr_AllowedHashTypesAnyrrr\r%r$rrfs/3<>  & &od+ &K - 89 &K L)5&/#2FF G & & & &    *L      # /3 +    .,0      oi(  ,     H# G G5 G?#45 G G # G G G G G Gr%rceZdZUejeeed<ddddddgfdeje deje deje deje deje j deje j d ejeed dfd Z d e d dfd Zd e d dfdZde d dfdZde d dfdZde j d dfdZde j d dfdZdeded dfdZ ddedejedejd efdZdS)CertificateBuilderrN issuer_namerrr}rrr-rctj|_||_||_||_||_||_||_||_ dSr) rlro_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r"r rrr}rrr-s r$r!zCertificateBuilder.__init__sK  ')%+!1 /%r%rc t|tstd|jt dt ||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rOrr r#r/rrr$rr%r&rr s r$r zCertificateBuilder.issuer_namesv$%% ;9:: :   (DEE E!         "  !     r%c t|tstd|jt dt |j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr ) rOrr rr/rr#r$rr%r&rr s r$rzCertificateBuilder.subject_namesv$%% ;9:: :   )EFF F!         "  !     r%keyc lt|tjtjt jtjtj tj tjfstd|jt#dt%|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rOr DSAPublicKeyr RSAPublicKeyrEllipticCurvePublicKeyr Ed25519PublicKeyr Ed448PublicKeyr X25519PublicKeyr X448PublicKeyr r$r/rr#rrr%r&r)r"r*s r$rzCertificateBuilder.public_keys   )($&"     !    'CDD D!         "  !     r%numberc Tt|tstd|jt d|dkrt d|dkrt dt |j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rOrXr rr/ bit_lengthrr#rr$r%r&rr"r3s r$r}z CertificateBuilder.serial_number!s&#&& GEFF F   *FGG G Q;;DEE E     # % %H "         "  !     r%r7c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rOr;r r%r/r?_EARLIEST_UTC_TIMEr&rr#rr$rrr"r7s r$rz#CertificateBuilder.not_valid_before<s $ 122 :899 9  ! -IJJ J)$// $ $ $$   ,8M1M1M "           !     r%c zt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. r<Nz)The not valid after may only be set once.zs r$rz"CertificateBuilder.not_valid_after[s$ 122 :899 9  ,HII I)$// $ $ $#   " .t--- "          "      r%r r c t|tstdt|j||}t ||jt|j|j |j |j |j |j |j|gzS)z= Adds an X.509 extension to the certificate. r)rOrr rrr1rrr#rr$rr%r&rs r$rz CertificateBuilder.add_extension{s &-00 B@AA Afj(F;; #It/?@@@!          "  !   { *   r%rrvrc6|jtd|jtd|jtd|jtd|jtd|jtdtj|||S)zC Signs the certificate using the CA's private key. Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public key) rr/r#rr%r&r$rcreate_x509_certificaters r$rzCertificateBuilder.signs   %EFF F   $EFF F   &FGG G  ! )NOO O  (MNN N   #CDD D0{INNNr%r)r&r'r(rfrrr__annotations__rrrrXr;r!r rrr}rrr[rrrrrurr\r%r$rrsLY}56666.2.2AE.2?C>B<>&&_T*&od+&O$=> & s+ & !/(*;< & ):;&K - 89& &&&&&  )=    $  *>    $# &#  # # # # J C ,@    6 %     > H$5 :N    @ # /3     4# OO5O?#45O O  OOOOOOr%rc eZdZUejeeed<ejeed<dddggfdej e dej e j dej e j dejeedejef d Z de d dfd Z de j d dfd Zde j d dfd Zdeded dfdZded dfdZ ddedej edejd efdZdS) CertificateRevocationListBuilderr_revoked_certificatesNr rrr-revoked_certificatescL||_||_||_||_||_dSr)r# _last_update _next_updaterrF)r"r rrr-rGs r$r!z)CertificateRevocationListBuilder.__init__s2(''%%9"""r%rct|tstd|jt dt ||j|j|j|j S)Nrr() rOrr r#r/rErIrJrrF)r"r s r$r z,CertificateRevocationListBuilder.issuer_namesj+t,, ;9:: :   (DEE E/         &    r%cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j ||j|j |j S)Nr<!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rOr;r rIr/r?r=rJrEr#rrF)r"rs r$rz,CertificateRevocationListBuilder.last_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LK 0         &    r%cbt|tjstd|jt dt |}|t krt d|j||jkrt dt|j |j||j |j S)Nr<rMrNz8The next update date must be after the last update date.) rOr;r rJr/r?r=rIrEr#rrF)r"rs r$rz,CertificateRevocationListBuilder.next_updates+x'899 :899 9   (@AA A0== + + +M    ([4;L-L-LJ 0         &    r%r r ct|tstdt|j||}t ||jt|j|j |j |j|gz|j S)zM Adds an X.509 extension to the certificate revocation list. r) rOrr rrr1rrEr#rIrJrFrs r$rz.CertificateRevocationListBuilder.add_extensions &-00 B@AA Afj(F;; #It/?@@@/         { *  &    r%revoked_certificatect|tstdt|j|j|j|j|j|gzS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rOrr rEr#rIrJrrF)r"rQs r$add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificatesa -/ABB IGHH H/          &*=)> >    r%rrvrc|jtd|jtd|jtdt j|||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update time)r#r/rIrJrcreate_x509_crlrs r$rz%CertificateRevocationListBuilder.sign$sa   $=>> >   $ABB B   $ABB B({IFFFr%r)r&r'r(rfrrrrCrrrr;r!r rrr[rrSrrrrrr\r%r$rErEsY}56666!;'9::::.2:>:><>@B : :_T* :_X%67 :_X%67 : K - 89 : %k*<= : : : :    +      #, +    0 #, +    0 # /3 +    & #5 +    *# GG5G?#45G G # GGGGGGr%rEc eZdZddgfdejedejejdejee fdZ deddfdZ d ejddfd Z d e d e ddfd ZddejdefdZdS)RevokedCertificateBuilderNr}rr-c0||_||_||_dSrrrs r$r!z"RevokedCertificateBuilder.__init__7rr%r3rc$t|tstd|jt d|dkrt d|dkrt dt ||j|jS)Nr5r6rz$The serial number should be positiver7r8) rOrXr rr/r9rWrrr:s r$r}z'RevokedCertificateBuilder.serial_numberAs&#&& GEFF F   *FGG G Q;;CDD D     # % %H ) D)4+;   r%r7ct|tjstd|jt dt |}|t krt dt|j||j S)Nr<z)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rOr;r rr/r?r=rWrrr>s r$rz)RevokedCertificateBuilder.revocation_dateSs$ 122 :899 9  ,HII I)$// $ $ $L )  t'7   r%r r ct|tstdt|j||}t ||jt|j|j |j|gzS)Nr) rOrr rrr1rrWrrrs r$rz'RevokedCertificateBuilder.add_extensioncsw&-00 B@AA Afj(F;; #It/?@@@(    !   { *   r%rc|jtd|jtdt|j|jt |jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr/rrrr)r"rs r$buildzRevokedCertificateBuilder.buildqsf   &NOO O  (C &    ! t' ( (   r%r)r&r'r(rfrrXr;rrrr!r}rr[rrrr]r\r%r$rWrW6s/3>B<> &&s+& ):;&K - 89 &&&& C ,G    $ % $     #  /3  $        VZ  3E       r%rWcbttjdddz S)Nbigr)rX from_bytesosurandomr\r%r$random_serial_numberrds# >>"*R..% 0 0A 55r%r)Prr;rbrf cryptographyr"cryptography.hazmat.bindings._rustrrcryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrrr r r r r /cryptography.hazmat.primitives.asymmetric.typesrrrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrr=rSHA224SHA256SHA384SHA512SHA3_224SHA3_256SHA3_384SHA3_512r Exceptionrrr1rrWrrXr6r?rAr^EnumrlrqABCMetaruregisterrrrrrrrrrrrrrrrErWrdr\r%r$rys5   @@@@@@@@@@@@@@  32222222222222&X&tQ22L M M M M O O O O   E'E Im45E EEEE E  E  %ufoc.BBC E  E E E E X%6 8;L    !8!8!8!8!8!8!8!8HFFFFFFFF(     ej   -----Y--- } } } } } CK} } } } B Y*+++     3;    0I8999     /   0y y y y y #+y y y y x""9#FGGGY Y Y Y Y #+Y Y Y Y z""9#FGGG (,55 5 *55555 6U6v{;/G6666 (,55 5 *55555(,-- - *-----(,-- - *-----(,-- - *-----(,-- - *----- YGYGYGYGYGYGYGYGxjOjOjOjOjOjOjOjOZDGDGDGDGDGDGDGDGNF F F F F F F F R6c666666r%