U ʹh]m @s@ddlmZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZddlmZmZdd lmZmZmZm Z dd l!m"Z"m#Z#dd l$m%Z%ed d d Z&ej'ej(ej)ej*ej+ej,ej-ej.ej/fZ0Gddde1Z2ddddddZ3ddddddZ4dddddZ5Gdd d Z6Gd!d"d"Z7Gd#d$d$e j8Z9Gd%d&d&e1Z:e j;Z;Gd'd(d(eje j=Gd*d+d+e=Z?e j@Z@e jAZAe jBZBe jCZCe jDZDe jEZEe jFZFe jGZGe jHZHGd,d-d-ZIGd.d/d/ZJGd0d1d1ZKGd2d3d3ZLd4d5d6d7ZMdS)8) annotationsN)Iterable)utils)x509)hashes)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifierics&eZdZddddfdd ZZS)AttributeNotFoundstrrNone)msgoidreturncst|||_dSN)super__init__r)selfrr __class__<./venv/lib/python3.8/site-packages/cryptography/x509/base.pyr!9s zAttributeNotFound.__init____name__ __module__ __qualname__r! __classcell__r%r%r#r&r8srzExtension[ExtensionType]list[Extension[ExtensionType]]r) extension extensionsrcCs"|D]}|j|jkrtdqdS)Nz$This extension has already been set.)r ValueError)r-r.er%r%r&_reject_duplicate_extension>s r1r0list[tuple[ObjectIdentifier, bytes, int | None]])r attributesrcCs$|D]\}}}||krtdqdS)Nz$This attribute has already been set.)r/)rr3Zattr_oid_r%r%r&_reject_duplicate_attributeHsr5datetime.datetimetimercCs:|jdk r2|}|r|nt}|jdd|S|SdS)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. Ntzinfo)r:Z utcoffsetdatetimeZ timedeltareplace)r8offsetr%r%r&_convert_to_naive_utc_timeRs  r>c@sxeZdZejjfdddddddZeddd d Zeddd d Zd dddZ dddddZ ddddZ dS) Attributerbytesintr)rvalue_typercCs||_||_||_dSr)_oid_valuerC)r"rrBrCr%r%r&r!aszAttribute.__init__rcCs|jSr)rDr"r%r%r&rksz Attribute.oidcCs|jSr)rErGr%r%r&rBoszAttribute.valuercCsd|jd|jdS)Nz)rrBrGr%r%r&__repr__sszAttribute.__repr__objectbool)otherrcCs2t|tstS|j|jko0|j|jko0|j|jkSr) isinstancer?NotImplementedrrBrC)r"rLr%r%r&__eq__vs    zAttribute.__eq__cCst|j|j|jfSr)hashrrBrCrGr%r%r&__hash__szAttribute.__hash__N) r(r)r*rZ UTF8StringrBr!propertyrrIrOrQr%r%r%r&r?`s  r?c@sHeZdZdddddZed\ZZZddd d Zd d d ddZ dS) AttributeszIterable[Attribute]r)r3rcCst||_dSr)list _attributes)r"r3r%r%r&r!szAttributes.__init__rUrrFcCsd|jdS)Nz t|ts>tdt||j|dk rZ|j}nd}t|j |j |j|||ffS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rMrrzr@rr5rUrBrrrurl)r"rrBrtagr%r%r& add_attribute's   z.CertificateSigningRequestBuilder.add_attribute rsa_paddingecdsa_deterministicr_AllowedHashTypes | None typing.Any%padding.PSS | padding.PKCS1v15 | None bool | NoneCertificateSigningRequest private_key algorithmbackendrrrcCsv|jdkrtd|dk rHt|tjtjfs4tdt|tjsHtd|dk rdt|t j sdtdt |||||S)zF Signs the request using the requestor's private key. Nz/A CertificateSigningRequest must have a subjectPadding must be PSS or PKCS1v15&Padding is only supported for RSA keys1Deterministic ECDSA is only supported for EC keys) rur/rMr PSSPKCS1v15rzr RSAPrivateKeyrEllipticCurvePrivateKey rust_x509Zcreate_x509_csrr"rrrrrr%r%r&signGs&   z%CertificateSigningRequestBuilder.sign)N)r(r)r*r!rtrrrr%r%r%r&rrs  $rrc @seZdZUded<ddddddgfddddddddd d d Zd dd ddZd dd ddZdddddZdddddZdddddZ dddddZ d d!dd"d#d$Z d/ddd%d&d'd(d)d*d+d,d-d.Z dS)0CertificateBuilderr,rlNrsz CertificatePublicKeyTypes | None int | Nonedatetime.datetime | Noner) issuer_namert public_keyranot_valid_beforenot_valid_afterr.rcCs6tj|_||_||_||_||_||_||_||_ dSr) r[r]Z_version _issuer_nameru _public_keyrj_not_valid_before_not_valid_afterrl)r"rrtrrarrr.r%r%r&r!ns zCertificateBuilder.__init__rrvcCsDt|tstd|jdk r$tdt||j|j|j|j |j |j S)z3 Sets the CA's distinguished name. rxN%The issuer name may only be set once.) rMrrzrr/rrurrjrrrlr{r%r%r&rs  zCertificateBuilder.issuer_namecCsDt|tstd|jdk r$tdt|j||j|j|j |j |j S)z: Sets the requestor's distinguished name. rxNry) rMrrzrur/rrrrjrrrlr{r%r%r&rts  zCertificateBuilder.subject_namer)keyrc Cs`t|tjtjtjtjt j t j t jfs.td|jdk r@tdt|j|j||j|j|j|jS)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.Nz$The public key may only be set once.)rMrZ DSAPublicKeyr Z RSAPublicKeyrZEllipticCurvePublicKeyr ZEd25519PublicKeyr ZEd448PublicKeyrZX25519PublicKeyr Z X448PublicKeyrzrr/rrrurjrrrl)r"rr%r%r&rs2  zCertificateBuilder.public_keyrAnumberrcCsht|tstd|jdk r$td|dkr4td|dkrHtdt|j|j|j ||j |j |j S)z5 Sets the certificate serial number. 'Serial number must be of integral type.N'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rMrArzrjr/ bit_lengthrrrurrrrlr"rr%r%r&ras&   z CertificateBuilder.serial_numberr6r7cCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j ||j|j S)z7 Sets the certificate activation time. Expecting datetime object.Nz*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rMr;rzrr/r>_EARLIEST_UTC_TIMErrrrurrjrlr"r8r%r%r&rs,  z#CertificateBuilder.not_valid_beforecCszt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j |j |j |j||j S)z7 Sets the certificate expiration time. rNz)The not valid after may only be set once.zrrrrrurrjrlrr%r%r&rs2  z"CertificateBuilder.not_valid_afterrrKr|c CsTt|tstdt|j||}t||jt|j|j |j |j |j |j |j|fS)z= Adds an X.509 extension to the certificate. r)rMrrzrrr1rlrrrurrjrrrr%r%r&r!s   z CertificateBuilder.add_extensionrrrrrr CertificatercCs|jdkrtd|jdkr$td|jdkr6td|jdkrHtd|jdkrZtd|jdkrltd|dk rt|tj tj fst dt|t j st d |dk rt|tjst d t|||||S) zC Signs the certificate using the CA's private key. Nz&A certificate must have a subject namez&A certificate must have an issuer namez'A certificate must have a serial numberz/A certificate must have a not valid before timez.A certificate must have a not valid after timez$A certificate must have a public keyrrr)rur/rrjrrrrMr rrrzr rrrrZcreate_x509_certificaterr%r%r&r7s:        zCertificateBuilder.sign)N) r(r)r*__annotations__r!rrtrrarrrrr%r%r%r&rks* %rc @seZdZUded<ded<dddggfddddddd d Zd dd d dZdddddZdddddZddddddZdddddZ d)dddd d!d"d#d$d%d&d'd(Z dS)* CertificateRevocationListBuilderr,rlzlist[RevokedCertificate]_revoked_certificatesNrsr)r last_update next_updater.revoked_certificatescCs"||_||_||_||_||_dSr)r _last_update _next_updaterlr)r"rrrr.rr%r%r&r!ns z)CertificateRevocationListBuilder.__init__r)rrcCs<t|tstd|jdk r$tdt||j|j|j|j S)Nrxr) rMrrzrr/rrrrlr)r"rr%r%r&r|s  z,CertificateRevocationListBuilder.issuer_namer6)rrcCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j ||j|j |j S)Nr!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rMr;rzrr/r>rrrrrlr)r"rr%r%r&rs(  z,CertificateRevocationListBuilder.last_update)rrcCsrt|tjstd|jdk r&tdt|}|tkr>td|jdk rZ||jkrZtdt|j |j||j |j S)Nrrrz8The next update date must be after the last update date.) rMr;rzrr/r>rrrrrlr)r"rr%r%r&rs(  z,CertificateRevocationListBuilder.next_updaterrKr|cCsLt|tstdt|j||}t||jt|j|j |j |j|f|j S)zM Adds an X.509 extension to the certificate revocation list. r) rMrrzrrr1rlrrrrrrr%r%r&rs   z.CertificateRevocationListBuilder.add_extensionr`)revoked_certificatercCs2t|tstdt|j|j|j|j|j|fS)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rMr`rzrrrrrlr)r"rr%r%r&add_revoked_certificates  z8CertificateRevocationListBuilder.add_revoked_certificaterrrrrrCertificateRevocationListrcCs|jdkrtd|jdkr$td|jdkr6td|dk rlt|tjtjfsXtdt|t j sltd|dk rt|t j stdt |||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update timerrr)rr/rrrMr rrrzr rrrrZcreate_x509_crlrr%r%r&rs.     z%CertificateRevocationListBuilder.sign)N) r(r)r*rr!rrrrrrr%r%r%r&rjs$ rc@sjeZdZddgfddddddZddd d d Zd dd ddZddddddZddddddZdS)RevokedCertificateBuilderNrrr,rhcCs||_||_||_dSrrirmr%r%r&r!sz"RevokedCertificateBuilder.__init__rArcCsXt|tstd|jdk r$td|dkr4td|dkrHtdt||j|jS)Nrrrz$The serial number should be positiverr) rMrArzrjr/rrrkrlrr%r%r&ras   z'RevokedCertificateBuilder.serial_numberr6r7cCsNt|tjstd|jdk r&tdt|}|tkr>tdt|j||j S)Nrz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rMr;rzrkr/r>rrrjrlrr%r%r&rb#s  z)RevokedCertificateBuilder.revocation_daterrKr|cCsDt|tstdt|j||}t||jt|j|j |j|fS)Nr) rMrrzrrr1rlrrjrkrr%r%r&r3s   z'RevokedCertificateBuilder.add_extensionrr`)rrcCs:|jdkrtd|jdkr$tdt|j|jt|jS)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rjr/rkrgrrl)r"rr%r%r&buildAs  zRevokedCertificateBuilder.build)N)r(r)r*r!rarbrrr%r%r%r&rs rrArFcCsttddd?S)NZbigr)rA from_bytesosurandomr%r%r%r&random_serial_numberOsr)NZ __future__rrdr;rtypingroZcollections.abcrZ cryptographyrZ"cryptography.hazmat.bindings._rustrrZcryptography.hazmat.primitivesrZ)cryptography.hazmat.primitives.asymmetricrrr r r r r rZ/cryptography.hazmat.primitives.asymmetric.typesrrZcryptography.x509.extensionsrrrrZcryptography.x509.namerrZcryptography.x509.oidrrZUnionZSHA224ZSHA256ZSHA384ZSHA512ZSHA3_224ZSHA3_256ZSHA3_384ZSHA3_512Z_AllowedHashTypes Exceptionrr1r5r>r?rSEnumr[r^rABCMetar`registerrgrrZload_pem_x509_certificateZload_der_x509_certificateZload_pem_x509_certificatesZload_pem_x509_csrZload_der_x509_csrZload_pem_x509_crlZload_der_x509_crlrrrrrrr%r%r%r&sn     (     $ "pI