o >b0n@sJddlZddlZddlZddlZddlmZddlmZmZddl m Z ddl m Z m Z ddlmZmZmZmZmZddlmZmZmZddlmZdd lmZed d d ZGd d d eZdedejefddZ dedejej!ee"ffddZ#dejdejfddZ$Gdddej%Z&GdddeZ'Gdddej(d Z)Gd!d"d"ej(d Z*Gd#d$d$ej(d Z+Gd%d&d&ej(d Z,d>d'e"de)fd(d)Z-d>d'e"de)fd*d+Z.d>d'e"de,fd,d-Z/d>d'e"de,fd.d/Z0d>d'e"de+fd0d1Z1d>d'e"de+fd2d3Z2Gd4d5d5e3Z4Gd6d7d7e3Z5Gd8d9d9e3Z6Gd:d;d;e3Z7de8fd Not after time (represented as UTC datetime) NrrBrrrnot_valid_afterorAzCertificate.not_valid_aftercCr=)z1 Returns the issuer name object. NrrBrrrissuerurAzCertificate.issuercCr=z2 Returns the subject name object. NrrBrrrsubject{rAzCertificate.subjectcCr=zt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrrBrrrsignature_hash_algorithmrAz$Certificate.signature_hash_algorithmcCr=zJ Returns the ObjectIdentifier of the signature algorithm. NrrBrrrsignature_algorithm_oidrAz#Certificate.signature_algorithm_oidcCr=)z/ Returns an Extensions object. NrrBrrrr(rAzCertificate.extensionscCr=z. Returns the signature bytes. NrrBrrr signaturerAzCertificate.signaturecCr=)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrrBrrrtbs_certificate_bytesrAz!Certificate.tbs_certificate_bytesothercCr=z" Checks equality. NrrrSrrr__eq__rAzCertificate.__eq__cCr=z# Checks not equal. NrrUrrr__ne__rAzCertificate.__ne__cCr=z" Computes a hash. NrrBrrr__hash__rAzCertificate.__hash__encodingcCr=)zB Serializes the certificate to PEM or DER format. Nrrr[rrr public_bytesrAzCertificate.public_bytesN)'r"r#r$abcabstractmethodr HashAlgorithmbytesr@abstractpropertyintrCr6rDrrFr2rGrHrrIrKtypingOptionalrMrrOrr(rQrRobjectboolrVrXrZrEncodingr]rrrrr;PsJ  r;) metaclassc@sJeZdZejdefddZejdejfddZejde fddZ dS) RevokedCertificater0cCr=)zG Returns the serial number of the revoked certificate. NrrBrrrrCrAz RevokedCertificate.serial_numbercCr=)zH Returns the date of when this certificate was revoked. NrrBrrrrevocation_daterAz"RevokedCertificate.revocation_datecCr=)zW Returns an Extensions object containing a list of Revoked extensions. NrrBrrrr(rAzRevokedCertificate.extensionsN) r"r#r$r^rbrcrCr2rkrr(rrrrrjsrjc@s|eZdZejdejdefddZejde j defddZ ejde de jefd d Zejde j fd d Zejdefd dZejdefddZejdejfddZejdejfddZejdefddZejdefddZejdefddZejdedefddZ ejdedefddZ!ejde fd d!Z"ejd"d#Z#ejd$d%Z$ejd&e%defd'd(Z&d)S)*CertificateRevocationListr[r0cCr=)z: Serializes the CRL to PEM or DER format. Nrr\rrrr]rAz&CertificateRevocationList.public_bytesr<cCr=r>rr?rrrr@rAz%CertificateRevocationList.fingerprintrCcCr=)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nr)rrCrrr(get_revoked_certificate_by_serial_numberrAzBCertificateRevocationList.get_revoked_certificate_by_serial_numbercCr=rLrrBrrrrMrAz2CertificateRevocationList.signature_hash_algorithmcCr=rNrrBrrrrOrAz1CertificateRevocationList.signature_algorithm_oidcCr=)zC Returns the X509Name with the issuer of this CRL. NrrBrrrrIrAz CertificateRevocationList.issuercCr=)z? Returns the date of next update for this CRL. NrrBrrr next_updaterAz%CertificateRevocationList.next_updatecCr=)z? Returns the date of last update for this CRL. NrrBrrr last_updaterAz%CertificateRevocationList.last_updatecCr=)zS Returns an Extensions object containing a list of CRL extensions. NrrBrrrr(rAz$CertificateRevocationList.extensionscCr=rPrrBrrrrQ rAz#CertificateRevocationList.signaturecCr=)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrrBrrrtbs_certlist_bytesrAz,CertificateRevocationList.tbs_certlist_bytesrScCr=rTrrUrrrrVrAz CertificateRevocationList.__eq__cCr=rWrrUrrrrXrAz CertificateRevocationList.__ne__cCr=)z< Number of revoked certificates in the CRL. NrrBrrr__len__"rAz!CertificateRevocationList.__len__cCr=)zS Returns a revoked certificate (or slice of revoked certificates). Nr)ridxrrr __getitem__(rAz%CertificateRevocationList.__getitem__cCr=)z8 Iterator over the revoked certificates NrrBrrr__iter__.rAz"CertificateRevocationList.__iter__rFcCr=)zQ Verifies signature of revocation list against given public key. Nr)rrFrrris_signature_valid4rAz,CertificateRevocationList.is_signature_validN)'r"r#r$r^r_rrhrar]rr`r@rcrdrerjrmrbrMrrOrrIr2rnrorr(rQrprfrgrVrXrqrsrtrrurrrrrlsN   rlc@s$eZdZejdedefddZejdedefddZejde fddZ ejde fd d Z ej defd d Zej dejfd dZej defddZej defddZejdejdefddZej defddZej defddZej defddZejdedefddZdS) CertificateSigningRequestrSr0cCr=rTrrUrrrrV<rAz CertificateSigningRequest.__eq__cCr=rWrrUrrrrXBrAz CertificateSigningRequest.__ne__cCr=rYrrBrrrrZHrAz"CertificateSigningRequest.__hash__cCr=rErrBrrrrFNrAz$CertificateSigningRequest.public_keycCr=rJrrBrrrrKTrAz!CertificateSigningRequest.subjectcCr=rLrrBrrrrMZrAz2CertificateSigningRequest.signature_hash_algorithmcCr=rNrrBrrrrOarAz1CertificateSigningRequest.signature_algorithm_oidcCr=)z@ Returns the extensions in the signing request. NrrBrrrr(grAz$CertificateSigningRequest.extensionsr[cCr=)z; Encodes the request to PEM or DER format. Nrr\rrrr]mrAz&CertificateSigningRequest.public_bytescCr=rPrrBrrrrQsrAz#CertificateSigningRequest.signaturecCr=)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrrBrrrtbs_certrequest_bytesyrAz/CertificateSigningRequest.tbs_certrequest_bytescCr=)z8 Verifies signature of signing request. NrrBrrrrurAz,CertificateSigningRequest.is_signature_validrcCr=)z: Get the attribute value for a given OID. Nr)rrrrrget_attribute_for_oidrAz/CertificateSigningRequest.get_attribute_for_oidN)r"r#r$r^r_rfrgrVrXrcrZrrFrbrrKrr`rMrrOrr(rrhrar]rQrwrurxrrrrrv;s6rvdatacCt|}||Sr)rload_pem_x509_certificaterybackendrrrr{ r{cCrzr)rload_der_x509_certificater|rrrrr~rcCrzr)rload_pem_x509_csrr|rrrrr~rcCrzr)rload_der_x509_csrr|rrrrr~rcCrzr)rload_pem_x509_crlr|rrrrr~rcCrzr)rload_der_x509_crlr|rrrrr~rc@sjeZdZdggfddZdefddZdedefd d Zd e d e fd dZ dde de jdefddZdS) CertificateSigningRequestBuilderNcCs||_||_||_dS)zB Creates an empty X.509 certificate request (v1). N) _subject_name _extensions _attributes)r subject_namer(r,rrrrs z)CertificateSigningRequestBuilder.__init__namecCs4t|ts td|jdurtdt||j|jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.N&The subject name may only be set once.) isinstancer TypeErrorrr)rrrrrrrrrs   z-CertificateSigningRequestBuilder.subject_nameextvalcriticalcCsDt|ts tdt|j||}t||jt|j|j|g|j S)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rrrr rr+rrrrrrrr'rrr add_extensions   z.CertificateSigningRequestBuilder.add_extensionrvaluecCsLt|ts tdt|tstdt||jt|j|j|j||fgS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytes) rrrrar.rrrr)rrrrrr add_attributes   z.CertificateSigningRequestBuilder.add_attribute private_keyr<r0cCs(t|}|jdur td||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subject)rrr)Zcreate_x509_csrrrr<r}rrrsigns z%CertificateSigningRequestBuilder.signr)r"r#r$rrrrrgrrrarrrr`rvrrrrrrs rc@seZdZddddddgfddZdefddZdefddZd efd d Zd e fd dZ de j fddZ de j fddZ dedefddZ ddedejdefddZdS)CertificateBuilderNcCs6tj|_||_||_||_||_||_||_||_ dSr) r6r8Z_version _issuer_namer _public_key_serial_number_not_valid_before_not_valid_afterr)r issuer_namerrFrCrGrHr(rrrrs  zCertificateBuilder.__init__rcCsDt|ts td|jdurtdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rN%The issuer name may only be set once.) rrrrr)rrrrrrrrrrrrs  zCertificateBuilder.issuer_namecCsDt|ts td|jdurtdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rNr) rrrrr)rrrrrrrrrrrrs  zCertificateBuilder.subject_namekeycCsXt|tjtjtjtjt j fst d|j durt dt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zhExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey or Ed448PublicKey.Nz$The public key may only be set once.)rrZ DSAPublicKeyr Z RSAPublicKeyr ZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrrr)rrrrrrr)rrrrrrF)s.  zCertificateBuilder.public_keynumbercCsht|ts td|jdurtd|dkrtd|dkr$tdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rrcrrr) bit_lengthrrrrrrrrrrrrrCKs&   z CertificateBuilder.serial_numberr/cCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rr2rrr)r5_EARLIEST_UTC_TIMErrrrrrrrr/rrrrGfs,  z#CertificateBuilder.not_valid_beforecCszt|tjs td|jdurtdt|}|tkrtd|jdur-||jkr-tdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.zs   z%CertificateRevocationListBuilder.signr)r"r#r$rrrr2rornrrgrrjrrrr`rlrrrrrrs(  rc@s\eZdZddgfddZdefddZdejfdd Zd ed e fd d Z dde fddZ dS)RevokedCertificateBuilderNcCs||_||_||_dSr)r_revocation_dater)rrCrkr(rrrrRs z"RevokedCertificateBuilder.__init__rcCsXt|ts td|jdurtd|dkrtd|dkr$tdt||j|jS)Nrrrz$The serial number should be positiverr) rrcrrr)rrrrrrrrrCYs    z'RevokedCertificateBuilder.serial_numberr/cCsNt|tjs td|jdurtdt|}|tkrtdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rr2rrr)r5rrrrrrrrrkks   z)RevokedCertificateBuilder.revocation_daterrcCsDt|ts tdt|j||}t||jt|j|j |j|gS)Nr) rrrr rr+rrrrrrrrrys   z'RevokedCertificateBuilder.add_extensionr0cCs6t|}|jdur td|jdurtd||S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rrr)rZcreate_x509_revoked_certificate)rr}rrrbuilds   zRevokedCertificateBuilder.buildr) r"r#r$rrcrCr2rkrrgrrjrrrrrrQs  rcCsttddd?S)NZbigr)rc from_bytesosurandomrrrrrandom_serial_numbersrr):r^r2rrdZ cryptographyrZcryptography.hazmat._typesrrZcryptography.hazmat.backendsrZcryptography.hazmat.primitivesrrZ)cryptography.hazmat.primitives.asymmetricrr r r r Zcryptography.x509.extensionsr rrZcryptography.x509.namerZcryptography.x509.oidrr ExceptionrZListr+ZTuplerar.r5Enumr6r9ABCMetar;rjrlrvr{rrrrrrfrrrrrcrrrrrsV        klRFf{@