o >b9@snddlZddlZddlZddlmZddlmZddlmZmZddl m Z m Z m Z m Z eeeeedZGdddejZGd d d ejZd d eDZejejejejejfZd dZGdddejZdd eDZGdddeZGdddejdZGdddejdZ GdddeZ!GdddeZ"de#defdd Z$de#de fd!d"Z%dS)#N)utils)x509)hashes serialization)_EARLIEST_UTC_TIME_PRIVATE_KEY_TYPES_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr8/usr/lib/python3/dist-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrr#srcCi|]}|j|qSrvalue.0xrrr ,rcCst|ts tddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm6s r$c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r r ZGOODREVOKEDZUNKNOWNrrrrr%=sr%cCrrrrrrrrCrc@seZdZddZdS)_SingleResponsec Cst|tjr t|tjstdt|t|tjstd|dur,t|tjs,td||_||_||_||_ ||_ t|t sDtd|t j urZ|durQt d|durYt dn$t|tjsdtdt|}|tkrpt d|dur~t|tjs~td ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r r Certificate TypeErrorr$datetimeZ_certZ_issuerZ _algorithmZ _this_updateZ _next_updater%r&r"rr ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) selfcertissuerr# cert_status this_update next_updaterevocation_timerevocation_reasonrrr__init__Gs\        z_SingleResponse.__init__N)r r r r5rrrrr'Fs r'c@seZdZejdefddZejdefddZejdej fddZ ejde fdd Z ej d ejdefd d Zejdejfd dZdS) OCSPRequestreturncCdSz3 The hash of the issuer public key Nrr-rrrissuer_key_hashzOCSPRequest.issuer_key_hashcCr8z- The hash of the issuer name Nrr:rrrissuer_name_hashr<zOCSPRequest.issuer_name_hashcCr8zK The hash algorithm used in the issuer name and key hashes Nrr:rrrhash_algorithmr<zOCSPRequest.hash_algorithmcCr8zM The serial number of the cert whose status is being checked Nrr:rrr serial_numberr<zOCSPRequest.serial_numberencodingcCr8)z/ Serializes the request to DER Nrr-rCrrr public_bytesr<zOCSPRequest.public_bytescCr8)zP The list of request extensions. Not single request extensions. Nrr:rrr extensionsr<zOCSPRequest.extensionsN)r r r abcabstractpropertybytesr;r>r HashAlgorithmr@intrBabstractmethodrEncodingrEr ExtensionsrFrrrrr6sr6) metaclassc@seZdZejdefddZejdejfddZ ejde j e j fddZejdefdd Zejdefd d Zejde jejfd d Zejde j efddZejde j ejfddZejdejfddZejdefddZejde j ejfddZejde j ejfddZejdejfddZejde j ejfddZ ejdefddZ!ejdefd d!Z"ejde j fd"d#Z#ejde$fd$d%Z%ejdej&fd&d'Z'ejdej&fd(d)Z(ej)d*e*j+defd+d,Z,d-S). OCSPResponser7cCr8)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr:rrrresponse_statusr<zOCSPResponse.response_statuscCr8)zA The ObjectIdentifier of the signature algorithm Nrr:rrrsignature_algorithm_oidr<z$OCSPResponse.signature_algorithm_oidcCr8)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr:rrrsignature_hash_algorithmr<z%OCSPResponse.signature_hash_algorithmcCr8)z% The signature bytes Nrr:rrr signaturer<zOCSPResponse.signaturecCr8)z+ The tbsResponseData bytes Nrr:rrrtbs_response_bytesr<zOCSPResponse.tbs_response_bytescCr8)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr:rrr certificatesr<zOCSPResponse.certificatescCr8)z2 The responder's key hash or None Nrr:rrrresponder_key_hashr<zOCSPResponse.responder_key_hashcCr8)z. The responder's Name or None Nrr:rrrresponder_namer<zOCSPResponse.responder_namecCr8)z4 The time the response was produced Nrr:rrr produced_atr<zOCSPResponse.produced_atcCr8)zY The status of the certificate (an element from the OCSPCertStatus enum) Nrr:rrrcertificate_statusr<zOCSPResponse.certificate_statuscCr8)z^ The date of when the certificate was revoked or None if not revoked. Nrr:rrrr3r<zOCSPResponse.revocation_timecCr8)zi The reason the certificate was revoked or None if not specified or not revoked. Nrr:rrrr4r<zOCSPResponse.revocation_reasoncCr8)z The most recent time at which the status being indicated is known by the responder to have been correct Nrr:rrrr1r<zOCSPResponse.this_updatecCr8)zC The time when newer information will be available Nrr:rrrr2 r<zOCSPResponse.next_updatecCr8r9rr:rrrr;r<zOCSPResponse.issuer_key_hashcCr8r=rr:rrrr>r<zOCSPResponse.issuer_name_hashcCr8r?rr:rrrr@r<zOCSPResponse.hash_algorithmcCr8rArr:rrrrB!r<zOCSPResponse.serial_numbercCr8)zR The list of response extensions. Not single response extensions. Nrr:rrrrF'r<zOCSPResponse.extensionscCr8)zR The list of single response extensions. Not response extensions. Nrr:rrrsingle_extensions-r<zOCSPResponse.single_extensionsrCcCr8)z0 Serializes the response to DER NrrDrrrrE3r<zOCSPResponse.public_bytesN)-r r r rGrHrrQrZObjectIdentifierrRtypingOptionalrrJrSrIrTrUZListr)rVrWNamerXr+rYr%rZr3r,r4r1r2r;r>r@rKrBrNrFr[rLrrMrErrrrrPsZ  rPc@s`eZdZdgfddZdejdejdejddfdd Zd ej d e ddfd d Z de fddZ dS)OCSPRequestBuilderNcCs||_||_dSN)_request _extensions)r-ZrequestrFrrrr5;s zOCSPRequestBuilder.__init__r.r/r#r7cCsL|jdur tdt|t|tjrt|tjstdt|||f|jS)Nz.Only one certificate can be added to a requestr() rar"r$r rr)r*r_rb)r-r.r/r#rrradd_certificate?s z"OCSPRequestBuilder.add_certificateextvalcriticalcCsDt|tjs tdt|j||}t||jt|j |j|gSNz"extension must be an ExtensionType) r r ExtensionTyper* Extensionoidr rbr_rar-rdre extensionrrr add_extensionPs  z OCSPRequestBuilder.add_extensioncCs(ddlm}|jdurtd||S)Nrbackendz*You must add a certificate before building),cryptography.hazmat.backends.openssl.backendrnrar"Zcreate_ocsp_request)r-rnrrrbuild]s   zOCSPRequestBuilder.build)r r r r5rr)rrJrcrgboolrlr6rprrrrr_:s&   r_c@seZdZdddgfddZdejdejdejdede j d e j e j d e j e j d e j ej d dfd dZ dedejd dfddZde jejd dfddZdejded dfddZdede j ejd efddZeded efddZdS) OCSPResponseBuilderNcCs||_||_||_||_dSr`) _response _responder_id_certsrb)r-Zresponse responder_idcertsrFrrrr5gs zOCSPResponseBuilder.__init__r.r/r#r0r1r2r3r4r7c Cs<|jdur tdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rsr"r'rrrtrurb) r-r.r/r#r0r1r2r3r4Z singleresprrr add_responseos$  z OCSPResponseBuilder.add_responserCresponder_certcCsP|jdur tdt|tjstdt|tstdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rtr"r rr)r*r rrrsrurb)r-rCryrrrrvs   z OCSPResponseBuilder.responder_idrwcCs\|jdur tdt|}t|dkrtdtdd|Ds$tdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|] }t|tjVqdSr`)r rr)rrrr sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rur"listlenallr*rrrsrtrb)r-rwrrrrVs  z OCSPResponseBuilder.certificatesrdrecCsLt|tjs tdt|j||}t||jt|j |j |j |j|gSrf) r rrgr*rhrir rbrrrsrtrurjrrrrls   z!OCSPResponseBuilder.add_extension private_keycCsBddlm}|jdurtd|jdurtd|tj|||S)Nrrmz&You must add a response before signingz*You must add a responder_id before signing)rornrsr"rtcreate_ocsp_responserr)r-r~r#rnrrrsigns    zOCSPResponseBuilder.signrQcCs@ddlm}t|tstd|tjurtd||dddS)Nrrmz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rornr rr*rr"r)clsrQrnrrrbuild_unsuccessfuls   z&OCSPResponseBuilder.build_unsuccessful)r r r r5rr)rrJr%r+r\r]r,rxr rvIterablerVrgrqrlrrPr classmethodrrrrrrrrfsl           rrdatar7cCddlm}||SNrrm)rornload_der_ocsp_requestrrnrrrr  rcCrr)rornload_der_ocsp_responserrrrrrr)&rGr+r\Z cryptographyrrZcryptography.hazmat.primitivesrrZcryptography.x509.baserrrr ZSHA1ZSHA224ZSHA256ZSHA384ZSHA512Z _OIDS_TO_HASHEnumr rZ_RESPONSE_STATUS_TO_ENUMr!r$r%Z_CERT_STATUS_TO_ENUMobjectr'ABCMetar6rPr_rrrIrrrrrrsB      F& ,|