fِ ddlmZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z mZddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZmZmZm Z dd l!m"Z"m#Z#dd l$m%Z%ejd d d Z&ejNe jPe jRe jTe jVe jXe jZe j\e j^fZ0Gd de1Z2 d.dZ3 d/dZ4d0dZ5GddZ6GddZ7GddejpZ9Gdde1Z:GddejvZe>j{e j|Gdd e>Z?Gd!d"ejvZ@e@j{e jGd#d$ejvZAeAj{e je jZBe jZCe jZDe jZEe jZFe jZGe jZHGd%d&ZIGd'd(ZJGd)d*ZKGd+d,ZLd1d-ZMy)2) annotationsN)utils)x509)hashes serialization)dsaeced448ed25519paddingrsax448x25519) CertificateIssuerPrivateKeyTypesCertificateIssuerPublicKeyTypesCertificatePublicKeyTypes) Extension Extensions ExtensionType_make_sequence_methods)Name _ASN1Type)ObjectIdentifieric eZdZdfd ZxZS)AttributeNotFoundc2t||||_yN)super__init__oid)selfmsgr! __class__s P/var/www/html/py/new-venv/lib/python3.12/site-packages/cryptography/x509/base.pyr zAttributeNotFound.__init__9s )r#strr!rreturnNone__name__ __module__ __qualname__r __classcell__r$s@r%rr8s r&rcZ|D]&}|j|jk(stdy)Nz$This extension has already been set.)r! ValueError) extension extensionses r%_reject_duplicate_extensionr5>s1 E 55IMM !CD DEr&c:|D]\}}}||k(s tdy)Nz$This attribute has already been set.)r1)r! attributesattr_oid_s r%_reject_duplicate_attributer:Hs. %E!Q s?CD DEr&c|j=|j}|r|ntj}|j d|z S|S)zNormalizes a datetime to a naive datetime in UTC. time -- datetime to normalize. Assumed to be in UTC if not timezone aware. Ntzinfo)r= utcoffsetdatetime timedeltareplace)timeoffsets r%_convert_to_naive_utc_timerDRsG  {{!!x'9'9';||4|(611 r&ceZdZejj f ddZed dZed dZd dZ d dZ d dZ y) Attributec.||_||_||_yr)_oid_value_type)r"r!valuerJs r%r zAttribute.__init__as    r&c|jSr)rHr"s r%r!z Attribute.oidks yyr&c|jSr)rIrMs r%rKzAttribute.valueos {{r&c<d|jd|jdS)Nz)r!rKrMs r%__repr__zAttribute.__repr__ss  (4::.CCr&ct|tstS|j|jk(xr4|j|jk(xr|j |j k(Sr) isinstancerFNotImplementedr!rKrJr"others r%__eq__zAttribute.__eq__vsS%+! ! HH ! * ekk) * ekk) r&cZt|j|j|jfSr)hashr!rKrJrMs r%__hash__zAttribute.__hash__s TXXtzz4::677r&N)r!rrKbytesrJintr(r)r(rr(r[r(r'rVobjectr(boolr(r\) r+r,r-r UTF8StringrKr propertyr!rQrWrZr&r%rFrF`sv ))//     D 8r&rFcDeZdZ ddZed\ZZZddZddZ y) Attributesc$t||_yr)list _attributes)r"r7s r%r zAttributes.__init__s +r&rkc"d|jdS)Nz ?EEr&N)r7ztyping.Iterable[Attribute]r(r)r_)r!rr(rF) r+r,r-r r__len____iter__ __getitem__rQrorfr&r%rhrhs7,., , & Not after time (represented as UTC datetime) NrfrMs r%not_valid_afterzCertificate.not_valid_afterrr&cy)zJ Not after time (represented as a non-naive UTC datetime) NrfrMs r%not_valid_after_utczCertificate.not_valid_after_utcrr&cy)z1 Returns the issuer name object. NrfrMs r%issuerzCertificate.issuerrr&cyz2 Returns the subject name object. NrfrMs r%subjectzCertificate.subjectrr&cyzt Returns a HashAlgorithm corresponding to the type of the digest signed in the certificate. NrfrMs r%signature_hash_algorithmz$Certificate.signature_hash_algorithmrr&cyzJ Returns the ObjectIdentifier of the signature algorithm. NrfrMs r%signature_algorithm_oidz#Certificate.signature_algorithm_oidrr&cyz= Returns the signature algorithm parameters. NrfrMs r%signature_algorithm_parametersz*Certificate.signature_algorithm_parametersrr&cy)z/ Returns an Extensions object. NrfrMs r%r3zCertificate.extensions rr&cyz. Returns the signature bytes. NrfrMs r% signaturezCertificate.signaturerr&cy)zR Returns the tbsCertificate payload bytes as defined in RFC 5280. NrfrMs r%tbs_certificate_bytesz!Certificate.tbs_certificate_bytesrr&cy)zh Returns the tbsCertificate payload bytes with the SCT list extension stripped. NrfrMs r%tbs_precertificate_bytesz$Certificate.tbs_precertificate_bytesrr&cyz" Checks equality. NrfrUs r%rWzCertificate.__eq__&rr&cyz" Computes a hash. NrfrMs r%rZzCertificate.__hash__,rr&cy)zB Serializes the certificate to PEM or DER format. Nrfr"encodings r% public_byteszCertificate.public_bytes2rr&cy)z This method verifies that certificate issuer name matches the issuer subject name and that the certificate is signed by the issuer's private key. No other validation is performed. Nrf)r"rs r%verify_directly_issued_byz%Certificate.verify_directly_issued_by8rr&Nrzhashes.HashAlgorithmr(r[rc)r(rtr(rr]r(datetime.datetimer(rr(zhashes.HashAlgorithm | Noner(z0None | padding.PSS | padding.PKCS1v15 | ec.ECDSAr(rr^r`rzserialization.Encodingr(r[)rr}r(r))r+r,r-abcabstractmethodrrerrrrrrrrrrrrrr3rrrrWrZrrrfr&r%r}r}s                        $     9                      r&r}) metaclassceZdZeej ddZeej ddZeej ddZeej ddZ y) RevokedCertificatecy)zG Returns the serial number of the revoked certificate. NrfrMs r%rz RevokedCertificate.serial_numberFrr&cy)zH Returns the date of when this certificate was revoked. NrfrMs r%revocation_datez"RevokedCertificate.revocation_dateMrr&cy)zl Returns the date of when this certificate was revoked as a non-naive UTC datetime. NrfrMs r%revocation_date_utcz&RevokedCertificate.revocation_date_utcTrr&cy)zW Returns an Extensions object containing a list of Revoked extensions. NrfrMs r%r3zRevokedCertificate.extensions\rr&Nrcrr) r+r,r-rerrrrrr3rfr&r%rrEs         r&rcheZdZ ddZeddZed dZed dZed dZy) _RawRevokedCertificatec.||_||_||_yr_serial_number_revocation_date _extensionsr"rrr3s r%r z_RawRevokedCertificate.__init__i , /%r&c|jSr)rrMs r%rz$_RawRevokedCertificate.serial_numberss"""r&cftjdtjd|jS)NukProperties that return a naïve datetime object have been deprecated. Please switch to revocation_date_utc.ru) stacklevel)warningswarnrDeprecatedIn42rrMs r%rz&_RawRevokedCertificate.revocation_datews.  @    $$$r&cj|jjtjjS)Nr<)rrAr?timezoneutcrMs r%rz*_RawRevokedCertificate.revocation_date_utcs($$,,H4E4E4I4I,JJr&c|jSr)rrMs r%r3z!_RawRevokedCertificate.extensionssr&N)rr\rrr3rrcrr) r+r,r-r rerrrr3rfr&r%rrhsu&&+& &##%%KK  r&rceZdZejddZejddZej ddZeej ddZ eejddZ eej ddZ eejddZ eejddZ eejdd Zeejdd Zeejdd Zeejd d Zeejd!d Zeejd!dZejd"dZejd#dZej.d$dZej.d%dZej d&dZejd'dZej d(dZy))CertificateRevocationListcy)z: Serializes the CRL to PEM or DER format. Nrfrs r%rz&CertificateRevocationList.public_bytesrr&cyrrfrs r%rz%CertificateRevocationList.fingerprintrr&cy)zs Returns an instance of RevokedCertificate or None if the serial_number is not in the CRL. Nrf)r"rs r%(get_revoked_certificate_by_serial_numberzBCertificateRevocationList.get_revoked_certificate_by_serial_numberrr&cyrrfrMs r%rz2CertificateRevocationList.signature_hash_algorithmrr&cyrrfrMs r%rz1CertificateRevocationList.signature_algorithm_oidrr&cyrrfrMs r%rz8CertificateRevocationList.signature_algorithm_parametersrr&cy)zC Returns the X509Name with the issuer of this CRL. NrfrMs r%rz CertificateRevocationList.issuerrr&cy)z? Returns the date of next update for this CRL. NrfrMs r% next_updatez%CertificateRevocationList.next_updaterr&cy)zc Returns the date of next update for this CRL as a non-naive UTC datetime. NrfrMs r%next_update_utcz)CertificateRevocationList.next_update_utcrr&cy)z? Returns the date of last update for this CRL. NrfrMs r% last_updatez%CertificateRevocationList.last_updaterr&cy)zc Returns the date of last update for this CRL as a non-naive UTC datetime. NrfrMs r%last_update_utcz)CertificateRevocationList.last_update_utcrr&cy)zS Returns an Extensions object containing a list of CRL extensions. NrfrMs r%r3z$CertificateRevocationList.extensionsrr&cyrrfrMs r%rz#CertificateRevocationList.signaturerr&cy)zO Returns the tbsCertList payload bytes as defined in RFC 5280. NrfrMs r%tbs_certlist_bytesz,CertificateRevocationList.tbs_certlist_bytesrr&cyrrfrUs r%rWz CertificateRevocationList.__eq__rr&cy)z< Number of revoked certificates in the CRL. NrfrMs r%rpz!CertificateRevocationList.__len__rr&cyrrfr"idxs r%rrz%CertificateRevocationList.__getitem__s;>r&cyrrfrs r%rrz%CertificateRevocationList.__getitem__sCFr&cy)zS Returns a revoked certificate (or slice of revoked certificates). Nrfrs r%rrz%CertificateRevocationList.__getitem__rr&cy)z8 Iterator over the revoked certificates NrfrMs r%rqz"CertificateRevocationList.__iter__rr&cy)zQ Verifies signature of revocation list against given public key. Nrf)r"rs r%is_signature_validz,CertificateRevocationList.is_signature_validrr&Nrr)rr\r(zRevokedCertificate | Nonerr]rr)r(datetime.datetime | Nonerrr^r`rc)rr\r(r)rslicer(list[RevokedCertificate])rz int | slicer(z-RevokedCertificate | list[RevokedCertificate])r(z#typing.Iterator[RevokedCertificate])rrr(rb)r+r,r-rrrrrrerrrrrrrrr3rrrWrptypingoverloadrrrqrrfr&r%rrs         "   $     9                         __>> __FF  6       9   r&rceZdZejddZejddZejddZeejddZ eej ddZ eejddZ eej ddZ eejddZ eejdd Zejdd Zeejdd Zeejdd Zeejdd ZejddZy)CertificateSigningRequestcyrrfrUs r%rWz CertificateSigningRequest.__eq__!rr&cyrrfrMs r%rZz"CertificateSigningRequest.__hash__'rr&cyrrfrMs r%rz$CertificateSigningRequest.public_key-rr&cyrrfrMs r%rz!CertificateSigningRequest.subject3rr&cyrrfrMs r%rz2CertificateSigningRequest.signature_hash_algorithm:rr&cyrrfrMs r%rz1CertificateSigningRequest.signature_algorithm_oidDrr&cyrrfrMs r%rz8CertificateSigningRequest.signature_algorithm_parametersKrr&cy)z@ Returns the extensions in the signing request. NrfrMs r%r3z$CertificateSigningRequest.extensionsTrr&cy)z/ Returns an Attributes object. NrfrMs r%r7z$CertificateSigningRequest.attributes[rr&cy)z; Encodes the request to PEM or DER format. Nrfrs r%rz&CertificateSigningRequest.public_bytesbrr&cyrrfrMs r%rz#CertificateSigningRequest.signaturehrr&cy)zd Returns the PKCS#10 CertificationRequestInfo bytes as defined in RFC 2986. NrfrMs r%tbs_certrequest_bytesz/CertificateSigningRequest.tbs_certrequest_bytesorr&cy)z8 Verifies signature of signing request. NrfrMs r%rz,CertificateSigningRequest.is_signature_validwrr&cy)z: Get the attribute value for a given OID. Nrf)r"r!s r%roz/CertificateSigningRequest.get_attribute_for_oid~rr&Nr`rcrrrr]rr)r(rhrr^)r(rb)r!rr(r[)r+r,r-rrrWrZrrerrrrr3r7rrrrrorfr&r%rr s           $     9                  r&rceZdZdggf d dZd dZ d dZdd d dZ d dd ddZy) CertificateSigningRequestBuilderNc.||_||_||_y)zB Creates an empty X.509 certificate request (v1). N) _subject_namerrk)r" subject_namer3r7s r%r z)CertificateSigningRequestBuilder.__init__s*%%r&ct|ts td|j t dt ||j |jS)zF Sets the certificate requestor's distinguished name. Expecting x509.Name object.&The subject name may only be set once.)rSr TypeErrorrr1rrrkr"names r%rz-CertificateSigningRequestBuilder.subject_namesR$%9: :    )EF F/ $""D$4$4  r&ct|ts tdt|j||}t ||j t|jg|j ||jS)zE Adds an X.509 extension to the certificate request. "extension must be an ExtensionType) rSrrrr!r5rrrrkr"extvalcriticalr2s r% add_extensionz.CertificateSigningRequestBuilder.add_extensionsn &-0@A Afjj(F; #It/?/?@/    *d * *     r&)_tagcZt|ts tdt|ts td|t|ts tdt ||j | |j}nd}t|j|jg|j |||fS)zK Adds an X.509 attribute with an OID and associated value. zoid must be an ObjectIdentifierzvalue must be bytesNztag must be _ASN1Type) rSrrr[rr:rkrKrrr)r"r!rKr#tags r% add_attributez.CertificateSigningRequestBuilder.add_attributes#/0=> >%'12 2  JtY$?34 4#C)9)9:  **CC/       2d 2eS 1 2  r& rsa_paddingc|j td|Zt|tjtj fs t dt|tjs t dtj||||S)zF Signs the request using the requestor's private key. z/A CertificateSigningRequest must have a subjectPadding must be PSS or PKCS1v15&Padding is only supported for RSA keys) rr1rSr PSSPKCS1v15rr RSAPrivateKey rust_x509create_x509_csrr" private_keyrbackendr(s r%signz%CertificateSigningRequestBuilder.signs    %NO O  "kGKK9I9I+JK ABBk3+<+<= HII(( +y+  r&)r Name | Noner3list[Extension[ExtensionType]]r70list[tuple[ObjectIdentifier, bytes, int | None]])rrr(r)r rr!rbr(r)r!rrKr[r#z_ASN1Type | Noner(rr) r2rr_AllowedHashTypes | Noner3 typing.Anyr(%padding.PSS | padding.PKCS1v15 | Noner(r)r+r,r-r rr"r&r4rfr&r%rrs%)57GI &! &3 &E &   # /3 ) ."&      *  H#  >B  5 ,   ;   # r&rceZdZUded<ddddddgf ddZddZddZ ddZddZdd Z dd Z dd Z ddd  dd Z y)CertificateBuilderr6rNctj|_||_||_||_||_||_||_||_ yr) rtrw_version _issuer_namer _public_keyr_not_valid_before_not_valid_afterr)r" issuer_namerrrrrr3s r%r zCertificateBuilder.__init__sG  ')%+!1 /%r&c t|ts td|j t dt ||j |j|j|j|j|jS)z3 Sets the CA's distinguished name. r%The issuer name may only be set once.) rSrrr?r1r<rr@rrArBrrs r%rCzCertificateBuilder.issuer_namesx$%9: :    (DE E!            " "  ! !     r&c t|ts td|j t dt |j ||j|j|j|j|jS)z: Sets the requestor's distinguished name. rr) rSrrrr1r<r?r@rrArBrrs r%rzCertificateBuilder.subject_name"sx$%9: :    )EF F!            " "  ! !     r&c t|tjtjt j tjtjtjtjfs td|j t#dt%|j&|j(||j*|j,|j.|j0S)zT Sets the requestor's public key (as found in the signing request). zExpecting one of DSAPublicKey, RSAPublicKey, EllipticCurvePublicKey, Ed25519PublicKey, Ed448PublicKey, X25519PublicKey, or X448PublicKey.z$The public key may only be set once.)rSr DSAPublicKeyr RSAPublicKeyr EllipticCurvePublicKeyr Ed25519PublicKeyr Ed448PublicKeyrX25519PublicKeyr X448PublicKeyrr@r1r<r?rrrArBr)r"keys r%rzCertificateBuilder.public_key4s     ))(($$&&""   !     'CD D!            " "  ! !     r&c \t|ts td|j t d|dkr t d|j dk\r t dt |j|j|j||j|j|jS)z5 Sets the certificate serial number. 'Serial number must be of integral type.'The serial number may only be set once.rz%The serial number should be positive.3The serial number should not be more than 159 bits.) rSr\rrr1 bit_lengthr<r?rr@rArBrr"numbers r%rz CertificateBuilder.serial_numberYs&#&EF F    *FG G Q;DE E    # %E "            " "  ! !     r&c t|tjs td|j t dt |}|t kr t d|j||jkDr t dt|j|j|j|j||j|jS)z7 Sets the certificate activation time. Expecting datetime object.z*The not valid before may only be set once.z>The not valid before date must be on or after 1950 January 1).zBThe not valid before date must be before the not valid after date.)rSr?rrAr1rD_EARLIEST_UTC_TIMErBr<r?rr@rrr"rBs r%rz#CertificateBuilder.not_valid_beforets$ 1 1289 9  ! ! -IJ J)$/ $ $$   ,8M8M1M "               ! !     r&c t|tjs td|j t dt |}|t kr t d|j||jkr t dt|j|j|j|j|j||jS)z7 Sets the certificate expiration time. rYz)The not valid after may only be set once.zB % 5% ,%  % ; %  % r&r<ceZdZUded<ded<dddggf ddZ ddZ ddZ dd Z dd Z dd Z ddd  dd Z y) CertificateRevocationListBuilderr6rr_revoked_certificatesNcJ||_||_||_||_||_yr)r? _last_update _next_updaterrd)r"rCrrr3revoked_certificatess r%r z)CertificateRevocationListBuilder.__init__s,(''%%9"r&ct|ts td|j t dt ||j |j|j|jS)NrrE) rSrrr?r1rcrfrgrrd)r"rCs r%rCz,CertificateRevocationListBuilder.issuer_namesf+t,9: :    (DE E/            & &   r&crt|tjs td|j t dt |}|t kr t d|j||jkDr t dt|j||j|j|jS)NrY!Last update may only be set once.8The last update date must be on or after 1950 January 1.z9The last update date must be before the next update date.) rSr?rrfr1rDrZrgrcr?rrd)r"rs r%rz,CertificateRevocationListBuilder.last_updates+x'8'8989 9    (@A A0= + +J     ([4;L;L-LK 0            & &   r&crt|tjs td|j t dt |}|t kr t d|j||jkr t dt|j|j||j|jS)NrYrkrlz8The next update date must be after the last update date.) rSr?rrgr1rDrZrfrcr?rrd)r"rs r%rz,CertificateRevocationListBuilder.next_update(s+x'8'8989 9    (@A A0= + +J     ([4;L;L-LJ 0            & &   r&ct|ts tdt|j||}t ||j t|j|j|jg|j ||jS)zM Adds an X.509 extension to the certificate revocation list. r) rSrrrr!r5rrcr?rfrgrdrs r%r"z.CertificateRevocationListBuilder.add_extension@s &-0@A Afjj(F; #It/?/?@/          *d * *  & &   r&ct|ts tdt|j|j |j |jg|j|S)z8 Adds a revoked certificate to the CRL. z)Must be an instance of RevokedCertificate) rSrrrcr?rfrgrrd)r"revoked_certificates r%add_revoked_certificatez8CertificateRevocationListBuilder.add_revoked_certificateSsa -/ABGH H/             >d(( >*= >   r&r'ct|j td|j td|j td|Zt |t j t jfs tdt |tjs tdtj||||S)NzA CRL must have an issuer namez"A CRL must have a last update timez"A CRL must have a next update timer*r+) r?r1rfrgrSr r,r-rr r.r/create_x509_crlr1s r%r4z%CertificateRevocationListBuilder.signds    $=> >    $AB B    $AB B  "kGKK9I9I+JK ABBk3+<+<= HII(( +y+  r&) rCr5rrrrr3r6rhr)rCrr(rc)rrr(rc)rrr(rc)r rr!rbr(rc)rprr(rcr) r2rrr8r3r9r(r:r(r) r+r,r-rar rCrrr"rqr4rfr&r%rcrcs //33$(0404579; :  :. :. : 3 : 7 :    )   , ) 0 , ) 0 # /3 ) & #5 ) *#  >B  5 ,   ;   # r&rcc\eZdZddgf ddZddZ d dZ d dZd d dZy) RevokedCertificateBuilderNc.||_||_||_yrrrs r%r z"RevokedCertificateBuilder.__init__rr&ct|ts td|j t d|dkr t d|j dk\r t dt ||j|jS)NrQrRrz$The serial number should be positiverSrT) rSr\rrr1rUrurrrVs r%rz'RevokedCertificateBuilder.serial_numbers&#&EF F    *FG G Q;CD D    # %E ) D))4+;+;  r&ct|tjs td|j t dt |}|t kr t dt|j||jS)NrYz)The revocation date may only be set once.z7The revocation date must be on or after 1950 January 1.) rSr?rrr1rDrZrurrr[s r%rz)RevokedCertificateBuilder.revocation_dates}$ 1 1289 9  ,HI I)$/ $ $I )   t'7'7  r&ct|ts tdt|j||}t ||j t|j|jg|j |S)Nr) rSrrrr!r5rrurrrs r%r"z'RevokedCertificateBuilder.add_extensionsn&-0@A Afjj(F; #It/?/?@(     ! ! *d * *  r&c|j td|j tdt|j|jt |j S)Nz/A revoked certificate must have a serial numberz1A revoked certificate must have a revocation date)rr1rrrr)r"r3s r%buildzRevokedCertificateBuilder.buildse    &NO O  (C &     ! ! t'' (  r&)rr`rrr3r6)rWr\r(ru)rBrr(ru)r rr!rbr(rur)r3r9r(r)r+r,r-r rrr"r{rfr&r%rurusj%)4857 &!&2&3 & $ % "  #  /3  "    r&rucZtjtjdddz S)Nbigr)r\ from_bytesosurandomrfr&r%random_serial_numberrs >>"**R.% 0A 55r&)r2zExtension[ExtensionType]r3r6r(r))r!rr7r7r(r))rBrr(rrc)N __future__rrr?rrr cryptographyr"cryptography.hazmat.bindings._rustrr/cryptography.hazmat.primitivesrr)cryptography.hazmat.primitives.asymmetricrr r r r r rr/cryptography.hazmat.primitives.asymmetric.typesrrrcryptography.x509.extensionsrrrrcryptography.x509.namerrcryptography.x509.oidrrZUnionSHA224SHA256SHA384SHA512SHA3_224SHA3_256SHA3_384SHA3_512_AllowedHashTypes Exceptionrr5r:rDrFrhEnumrtryABCMetar}registerrrrrload_pem_x509_certificateload_der_x509_certificateload_pem_x509_certificatesload_pem_x509_csrload_der_x509_csrload_pem_x509_crlload_der_x509_crlrr<rcrurrfr&r%rs{ #  @@     32&X&&tQ2LL MM MM MM MM OO OO OO OO   E'E.E EE E@E E !8!8HFF( ejj -Y- [ CKK[ ~ Y**+ 3;; @I889 / DP #++P f""9#F#FGb #++b L""9#F#FG&??%??&AA////////b b Jr r jN N bF F R6r&