hJPdZddlZddlZddlmZddlmZmZddlmZm Z ddl m Z m Z ddl mZgd Zegd Z ejGd d ejZed GddZeejejZ eejejZ eejejeejejedZ ejGddejZed GddZdeedeedeefdZ ed GddZ!ed GddZ"Gdd ej#Z$Gd!d"e$Z%Gd#d$e$Z&dS)%z .. versionadded:: 0.20.0 N) dataclass)datetime timedelta) FrozenSetOptional)algoskeys) PKIXSubtrees) RevocationCheckingRuleRevocationCheckingPolicyFreshnessReqTypeCertRevTrustPolicyPKIXValidationParamsAlgorithmUsageConstraintAlgorithmUsagePolicyDisallowWeakAlgorithmsPolicyAcceptAllAlgorithmsDEFAULT_WEAK_HASH_ALGOSREQUIRE_REVINFO NO_REVOCATION)md2md5sha1ceZdZdZdZ dZ dZ dZ dZ dZ dZ e d e fd Z e d e fd Ze d e fd Ze d e fd Ze d e fdZe d e fdZdS)r zg Rules determining in what circumstances revocation data has to be checked, and what kind. clrcheck ocspcheck bothcheck eitherchecknocheckifdeclaredcheckifdeclaredsoftcheckreturncL|tjtjtjfvSN)r CHECK_IF_DECLAREDCHECK_IF_DECLARED_SOFTNO_CHECKselfs ]/var/www/html/Sam_Eipo/venv/lib/python3.11/site-packages/pyhanko_certvalidator/policy_decl.pystrictzRevocationCheckingRule.strictas( " 4 " 9 " +   c6|tjtjfvSr%)r r'r(r)s r+tolerantzRevocationCheckingRule.tolerantjs  " 9 " +   r-c6|tjtjfvSr%)r CRL_REQUIREDCRL_AND_OCSP_REQUIREDr)s r+ crl_mandatoryz$RevocationCheckingRule.crl_mandatoryqs  " / " 8   r-c6|tjtjfvSr%)r r( OCSP_REQUIREDr)s r+ crl_relevantz#RevocationCheckingRule.crl_relevantxs  " + " 0   r-c6|tjtjfvSr%)r r5r2r)s r+ocsp_mandatoryz%RevocationCheckingRule.ocsp_mandatorys  " 0 " 8   r-c6|tjtjfvSr%)r r(r1r)s r+ ocsp_relevantz$RevocationCheckingRule.ocsp_relevants  " + " /   r-N)__name__ __module__ __qualname____doc__r1r5r2CRL_OR_OCSP_REQUIREDr(r&r'propertyboolr,r/r3r6r8r:r-r+r r $s`L M()H* 3     X  $   X  t   X  d   X     X  t   X   r-r T)frozencdeZdZUdZeed< eed< edefdZe de fdZ dS) r zu Class describing a revocation checking policy based on the types defined in the ETSI TS 119 172 series. ee_certificate_ruleintermediate_ca_cert_rulepolicyc` t|S#t$rtd|dwxYw)N'z ' is not a valid revocation mode)LEGACY_POLICY_MAPKeyError ValueError)clsrGs r+ from_legacyz$RevocationCheckingPolicy.from_legacysL K$V, , K K KIIIIJJ J Ks -r#c4|jjo |jj Sr%)rEr/r)s r+ essentialz"RevocationCheckingPolicy.essentials%  $ - 2(1  r-N) r;r<r=r>r __annotations__ classmethodstrrNr@rArPrBr-r+r r s 0/// 6555KKKK[K  4   X   r-r )rErF)z soft-failz hard-failrequirecpeZdZdZejZ ejZ ejZdS)rz% Freshness requirement type. N) r;r<r=r>enumautoDEFAULTMAX_DIFF_REVOCATION_VALIDATIONTIME_AFTER_SIGNATURErBr-r+rrsWdikkG &/TY[[" %49;;r-rceZdZUdZeed< dZeeed< e j Z e ed< dZ eeed< dZ eed<dS) rzz Class describing conditions for trusting revocation info. Based on CertificateRevTrust in ETSI TS 119 172-3. revocation_checking_policyN freshnessfreshness_req_type!expected_post_expiry_revinfo_timeFretroactive_revinfo)r;r<r=r>r rQr]rrrrXr^r_r`rArBr-r+rrs !9888&*Ix "))) ,<+C(CCC >B%x ':AAA !&%%%  r-ra_polsb_polsr#cTd|v}d|v}|r|rtdgS|r|S|r|S||zS)z Intersect two sets of policies, taking into account the special 'any_policy'. :param a_pols: A set of policies. :param b_pols: Another set of policies. :return: The intersection of both. any_policy) frozenset)rarba_anyb_anys r+intersect_policy_setsrhs[ F "E F "E ,(((   r-ceZdZUedgZeed< dZeed< dZeed< dZ eed< dZ e e ed< dZ e e ed < d d ZdS)rrduser_initial_policy_setFinitial_policy_mapping_inhibitinitial_explicit_policyinitial_any_policy_inhibitNinitial_permitted_subtreesinitial_excluded_subtreesotherr#cd|jvr|j}n d|jvr|j}n|j|jz}|jo|j}|jo|j}|jo|j}t ||||S)aa Combine the conditions of these PKIX validation params with another set of parameters, producing the most lenient set of parameters that is stricter than both inputs. :param other: Another set of PKIX validation parameters. :return: A combined set of PKIX validation parameters. rd)rjrmrlrk)rjrmrlrkr)r*rpinit_policy_setrmrlrks r+mergezPKIXValidationParams.merges 47 7 7#;OO U: : :":OO-0LL   + P0P #  ( JU-J   / 54 '$$3'A$;+I     r-)rprr#r)r;r<r=rerjrQrkrArlrmrnrr rorsrBr-r+rr8s)2L>)B)BYBBB ,1"D000%*T)))"(-,,, :> 6===9=x 5<<<$ $ $ $ $ $ r-rc^eZdZUdZeed< dZeeed< dZ ee ed< dZ dS)rzh Expression of a constraint on the usage of an algorithm (possibly with parameter choices). allowedNnot_allowed_afterfailure_reasonc|jSr%rur)s r+__bool__z!AlgorithmUsageConstraint.__bool__s |r-) r;r<r=r>rArQrvrrrwrSrzrBr-r+rrsw MMM-1x)000 %)NHSM(((r-rceZdZdZdejdeedefdZ dej deedee j defdZ dS) rzR Abstract interface defining a usage policy for cryptographic algorithms. algomomentr#ct)a Determine if the indicated digest algorithm can be used at the point in time indicated. :param algo: A digest algorithm description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. NotImplementedErrorr*r|r}s r+digest_algorithm_allowedz-AlgorithmUsagePolicy.digest_algorithm_alloweds "!r- public_keyct)a' Determine if the indicated signature algorithm (including the associated digest function and any parameters, if applicable) can be used at the point in time indicated. :param algo: A signature mechanism description in ASN.1 form. :param moment: The point in time at which the algorithm should be usable. If ``None``, then the returned judgment applies at all times. :param public_key: The public key associated with the operation, if available. .. note:: This parameter can be used to enforce key size limits or to filter out keys with known structural weaknesses. :return: A :class:`.AlgorithmUsageConstraint` expressing the judgment. rr*r|r}rs r+signature_algorithm_allowedz0AlgorithmUsagePolicy.signature_algorithm_alloweds 2"!r-N)r;r<r=r>rDigestAlgorithmrrrrSignedDigestAlgorithmr PublicKeyInforrBr-r+rrs")"3;H3E" !"""""")"""T/0 " " """"""r-rceZdZdZeeddfdZdejde e de fdZ dej de e d e ejde fd Zd S) ra Primitive usage policy that forbids a list of user-specified "weak" algorithms and allows everything else. It also ignores the time parameter completely. .. note:: This denial-based strategy is supplied to provide a backwards-compatible default. In many scenarios, an explicit allow-based strategy is more appropriate. Users with specific security requirements are encouraged to implement :class:`.AlgorithmUsagePolicy` themselves. :param weak_hash_algos: The list of digest algorithms considered weak. Defaults to :const:`.DEFAULT_WEAK_HASH_ALGOS`. :param weak_signature_algos: The list of digest algorithms considered weak. Defaults to the empty set. :param rsa_key_size_threshold: The key length threshold for RSA keys, in bits. :param dsa_key_size_threshold: The key length threshold for DSA keys, in bits. iix c>||_||_||_||_dSr%)weak_hash_algosweak_signature_algosrsa_key_size_thresholddsa_key_size_threshold)r*rrrrs r+__init__z%DisallowWeakAlgorithmsPolicy.__init__ s* /$8!&<#&<###r-r|r}r#cDt|dj|jvS)N algorithm)rnativerrs r+rz5DisallowWeakAlgorithmsPolicy.digest_algorithm_alloweds)(   $D,@ @   r-rc |j}||jv}|d}|dk}|rT|R|s|rN|j}d} |r||jkr|j} n|r||jkr|j} | t dd|d|d| S |j} n#t$rd} YnwxYw|r\| Z| tj d|ji|} | s)t dd | d |dj d | j St | S)NrsadsaFz Key size z for algorithm z- is considered too small; policy mandates >= )rurwrzDigest algorithm z< is not allowed, which disqualifies the signature mechanism z as well.)rurwrvry)signature_algor startswithbit_sizerrr hash_algorLrrrrrv) r*r|r}r algo_name algo_allowedis_rsais_dsakey_szfailed_thresholdrdigest_alloweds r+rz8DisallowWeakAlgorithmsPolicy.signature_algorithm_allowed!s '  (AA %%e,,e#  J22&2(F#  ?&4#>>>#'#>   ?FT%@@@#'#> +/!AFAA9AA.>AA II   III   I1!::%{DN&CDDfN" /!?N?? ,3???'5&F( ====sB BBN)r;r<r=r>rrerrrrrrrrr rrrBr-r+rrs40&Y[[## = = = = ) 3;H3E !    ,>),>",>T/0 ,> " ,>,>,>,>,>,>r-rc|eZdZdejdeedefdZdej deedee j defdZ dS)rr|r}r#c"tdSNTryrrs r+rz,AcceptAllAlgorithms.digest_algorithm_allowedQs(5555r-rc"tdSrrrs r+rz/AcceptAllAlgorithms.signature_algorithm_allowedVs (5555r-N) r;r<r=rrrrrrrr rrrBr-r+rrPs6)63;H3E6 !6666 6)6"6T/0 6 " 666666r-r)'r>abcrV dataclassesrrrtypingrr asn1cryptorr name_treesr __all__reruniqueEnumr r r?rr(rr'r&rJrrrSrhrrABCrrrrBr-r+rs !!!!!!((((((((&&&&&&&&""""""""$$$$$$    $)$:$:$:;; f f f f f TYf f  f R $        >+*// )(.74=  *)55*)00   ty 6 $********Z cN$-cNs^8 $k k k k k k k k \ $4/"/"/"/"/"37/"/"/"dY>Y>Y>Y>Y>#7Y>Y>Y>x 6 6 6 6 6. 6 6 6 6 6r-