U /2‹i›1ã@s ddlmZddlZddlmZddlmZmZddlm Z ddl m Z ddl m Z ddlmZGd d „d ejƒZGd d „d ejƒZe je je je je jfZd ddœdd„ZGdd„dejƒZGdd„dƒZe jZe jZe jZGdd„dƒZGdd„dƒZ e j!Z!e j"Z"dS)é)Ú annotationsN)ÚIterable)ÚutilsÚx509)Úocsp)Úhashes)Ú CertificateIssuerPrivateKeyTypes)Ú_reject_duplicate_extensionc@seZdZdZdZdS)ÚOCSPResponderEncodingzBy HashzBy NameN)Ú__name__Ú __module__Ú __qualname__ÚHASHÚNAME©rrú:/tmp/pip-unpacked-wheel-d9r6v89i/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)ÚOCSPResponseStatusréééééN) r r r Ú SUCCESSFULZMALFORMED_REQUESTÚINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDÚ UNAUTHORIZEDrrrrrs rúhashes.HashAlgorithmÚNone)Ú algorithmÚreturncCst|tƒstdƒ‚dS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512)Ú isinstanceÚ_ALLOWED_HASHESÚ ValueError)rrrrÚ_verify_algorithm*s ÿr"c@seZdZdZdZdZdS)ÚOCSPCertStatusrrrN)r r r ZGOODÚREVOKEDÚUNKNOWNrrrrr#1sr#c @s(eZdZdddddddddœd d „Zd S) Ú_SingleResponsez0tuple[x509.Certificate, x509.Certificate] | Noneztuple[bytes, bytes, int] | Nonerr#údatetime.datetimeúdatetime.datetime | Noneúx509.ReasonFlags | None)ÚrespÚ resp_hashrÚ cert_statusÚ this_updateÚ next_updateÚrevocation_timeÚrevocation_reasonc CsÚt|ƒt|tjƒstdƒ‚|dk r8t|tjƒs8tdƒ‚||_||_||_||_||_t|t ƒshtdƒ‚|t j k r”|dk r‚t dƒ‚|dk rÄt dƒ‚n0t|tjƒs¨tdƒ‚|dk rÄt|t j ƒsÄtdƒ‚||_||_||_dS)Nz%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectzCrevocation_reason must be an item from the ReasonFlags enum or None)r"rÚdatetimeÚ TypeErrorZ_respZ _resp_hashÚ _algorithmZ _this_updateZ _next_updater#r$r!rZ ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) Úselfr*r+rr,r-r.r/r0rrrÚ__init__8sL   ÿ ÿ ÿÿ  ÿÿz_SingleResponse.__init__N)r r r r5rrrrr&7sr&c@sreZdZddgfdddddœdd„Zd d d dd œd d „Zdddd ddœdd„Zddddœdd„Zddœdd„ZdS)ÚOCSPRequestBuilderNzFtuple[x509.Certificate, x509.Certificate, hashes.HashAlgorithm] | Nonez5tuple[bytes, bytes, int, hashes.HashAlgorithm] | Noneú(list[x509.Extension[x509.ExtensionType]]r)ÚrequestÚ request_hashÚ extensionsrcCs||_||_||_dS©N)Ú_requestÚ _request_hashÚ _extensions)r4r8r9r:rrrr5ws zOCSPRequestBuilder.__init__úx509.Certificater)ÚcertÚissuerrrcCsZ|jdk s|jdk rtdƒ‚t|ƒt|tjƒr)r4r@rArrrrÚadd_certificate…sÿÿz"OCSPRequestBuilder.add_certificateÚbytesÚint)Úissuer_name_hashÚissuer_key_hashÚ serial_numberrrcCsŠ|jdk s|jdk rtdƒ‚t|tƒs.tdƒ‚t|ƒt d|¡t d|¡|j t |ƒksj|j t |ƒkrrtdƒ‚t |j||||f|j ƒS)NrBú serial_number must be an integerrHrIú`issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm) r<r=r!rrGr2r"rÚ _check_bytesÚ digest_sizeÚlenr6r>)r4rHrIrJrrrrÚadd_certificate_by_hash˜s(   ÿ þÿ ýz*OCSPRequestBuilder.add_certificate_by_hashúx509.ExtensionTypeÚbool©ÚextvalÚcriticalrcCsHt|tjƒstdƒ‚t |j||¡}t||jƒt|j |j |j|f•ƒS©Nz"extension must be an ExtensionType) rrÚ ExtensionTyper2Ú ExtensionÚoidr r>r6r<r=©r4rTrUÚ extensionrrrÚ add_extension¶s   ÿz OCSPRequestBuilder.add_extensionÚ OCSPRequest)rcCs&|jdkr|jdkrtdƒ‚t |¡S)Nz*You must add a certificate before building)r<r=r!rZcreate_ocsp_request)r4rrrÚbuildÃszOCSPRequestBuilder.build)r r r r5rErPr\r^rrrrr6vsø r6c @sÂeZdZdddgfdddddœdd„Zd d d d d d d dddœ dd„Zdddd d d d d dddœ dd„Zdd ddœdd„Zdddœdd„Zdd dd!œd"d#„Zd$d%d&d'œd(d)„Z e d*d&d+œd,d-„ƒZ dS).ÚOCSPResponseBuilderNz_SingleResponse | Nonez5tuple[x509.Certificate, OCSPResponderEncoding] | Nonezlist[x509.Certificate] | Noner7)ÚresponseÚ responder_idÚcertsr:cCs||_||_||_||_dSr;)Ú _responseÚ _responder_idÚ_certsr>)r4r`rarbr:rrrr5ËszOCSPResponseBuilder.__init__r?rr#r'r(r)) r@rArr,r-r.r/r0rc Cs`|jdk rtdƒ‚t|tjƒr*t|tjƒs2tdƒ‚t||fd||||||ƒ} t| |j|j |j ƒS)Nú#Only one response per OCSPResponse.rC) rcr!rrrDr2r&r_rdrer>) r4r@rArr,r-r.r/r0Ú singleresprrrÚ add_responseØs. ÿø üz OCSPResponseBuilder.add_responserFrG) rHrIrJrr,r-r.r/r0rc Cs˜|jdk rtdƒ‚t|tƒs$tdƒ‚t d|¡t d|¡t|ƒ|jt |ƒks`|jt |ƒkrhtdƒ‚t d|||f|||||| ƒ} t | |j |j |jƒS)NrfrKrHrIrL)rcr!rrGr2rrMr"rNrOr&r_rdrer>) r4rHrIrJrr,r-r.r/r0rgrrrÚadd_response_by_hashüs>    ÿ þÿø üz(OCSPResponseBuilder.add_response_by_hashr )ÚencodingÚresponder_certrcCsP|jdk rtdƒ‚t|tjƒs&tdƒ‚t|tƒs8tdƒ‚t|j||f|j |j ƒS)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rdr!rrrDr2r r_rcrer>)r4rjrkrrrra*s   ÿüz OCSPResponseBuilder.responder_idzIterable[x509.Certificate])rbrcCs\|jdk rtdƒ‚t|ƒ}t|ƒdkr.tdƒ‚tdd„|DƒƒsHtdƒ‚t|j|j||j ƒS)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjƒVqdSr;)rrrD)Ú.0ÚxrrrÚ Esz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rer!ÚlistrOÚallr2r_rcrdr>)r4rbrrrÚ certificates=s  üz OCSPResponseBuilder.certificatesrQrRrScCsLt|tjƒstdƒ‚t |j||¡}t||jƒt|j |j |j |j|f•ƒSrV) rrrWr2rXrYr r>r_rcrdrerZrrrr\Ns   üz!OCSPResponseBuilder.add_extensionrzhashes.HashAlgorithm | NoneÚ OCSPResponse)Ú private_keyrrcCs6|jdkrtdƒ‚|jdkr$tdƒ‚t tj|||¡S)Nz&You must add a response before signingz*You must add a responder_id before signing)rcr!rdrÚcreate_ocsp_responserr)r4rsrrrrÚsign^s  ÿzOCSPResponseBuilder.signr)Úresponse_statusrcCs4t|tƒstdƒ‚|tjkr$tdƒ‚t |ddd¡S)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rrr2rr!rrt)ÚclsrvrrrÚbuild_unsuccessfulls ÿ z&OCSPResponseBuilder.build_unsuccessful) r r r r5rhrirarqr\ruÚ classmethodrxrrrrr_Êsú $ .r_)#Ú __future__rr1Úcollections.abcrZ cryptographyrrZ"cryptography.hazmat.bindings._rustrZcryptography.hazmat.primitivesrZ/cryptography.hazmat.primitives.asymmetric.typesrZcryptography.x509.baser ÚEnumr rÚSHA1ÚSHA224ÚSHA256ÚSHA384ÚSHA512r r"r#r&r]rrZOCSPSingleResponser6r_Zload_der_ocsp_requestZload_der_ocsp_responserrrrÚs4       û :T1