B \2@sxddlmZmZmZddlZddlZddlmZddlZddl m Z ddl m Z ddl mZmZmZe e e e e dZGdd d eZGd d d eZed d eDZe je je je je jfZddZGdddeZedd eDZddZddZ Gddde!Z"Gddde!Z#Gddde!Z$e%ej&Gddde!Z'e%ej&Gdd d e!Z(dS)!)absolute_importdivisionprint_functionN)Enum)x509)hashes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr5lib/python3.7/site-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrr"s rccs|]}|j|fVqdS)N)value).0xrrr +srcCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm2s r!c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rZGOODREVOKEDZUNKNOWNrrrrr"9sr"ccs|]}|j|fVqdS)N)r)rrrrrr?scCsddlm}||S)Nr)backend),cryptography.hazmat.backends.openssl.backendr$load_der_ocsp_request)datar$rrrr&Bs r&cCsddlm}||S)Nr)r$)r%r$load_der_ocsp_response)r'r$rrrr(Gs r(c@s2eZdZdgfddZddZddZdd ZdS) OCSPRequestBuilderNcCs||_||_dS)N)_request _extensions)selfZrequest extensionsrrr__init__MszOCSPRequestBuilder.__init__cCsL|jdk rtdt|t|tjr2t|tjs:tdt|||f|jS)Nz.Only one certificate can be added to a requestz%cert and issuer must be a Certificate) r*rr!rr Certificate TypeErrorr)r+)r,certissuerr rrradd_certificateQs   z"OCSPRequestBuilder.add_certificatecCsDt|tjstdt|j||}t||jt|j |j|gS)Nz"extension must be an ExtensionType) rr ExtensionTyper0 Extensionoidr r+r)r*)r, extensioncriticalrrr add_extension^s   z OCSPRequestBuilder.add_extensioncCs(ddlm}|jdkrtd||S)Nr)r$z*You must add a certificate before building)r%r$r*rZcreate_ocsp_request)r,r$rrrbuildis  zOCSPRequestBuilder.build)r r rr.r3r9r:rrrrr)Ls  r)c@seZdZddZdS)_SingleResponsec Cst|tjrt|tjs tdt|t|tjsr?r@rAZ singleresprrr add_responses  z OCSPResponseBuilder.add_responsecCsP|jdk rtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rDrrrr/r0r rBrCrEr+)r,encodingZresponder_certrrrrFs    z OCSPResponseBuilder.responder_idcCs\|jdk rtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdS)N)rrr/)rrrrrrsz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rErlistlenallr0rBrCrDr+)r,rGrrr certificatess  z OCSPResponseBuilder.certificatescCsLt|tjstdt|j||}t||jt|j |j |j |j|gS)Nz"extension must be an ExtensionType) rrr4r0r5r6r r+rBrCrDrE)r,r7r8rrrr9s  z!OCSPResponseBuilder.add_extensioncCsVddlm}|jdkrtd|jdkr0tdt|tjsDtd| t j |||S)Nr)r$z&You must add a response before signingz*You must add a responder_id before signingz.Algorithm must be a registered hash algorithm.) r%r$rCrrDrrZ HashAlgorithmr0create_ocsp_responserr)r,Z private_keyr r$rrrsigns    zOCSPResponseBuilder.signcCs@ddlm}t|tstd|tjkr0td||dddS)Nr)r$z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r%r$rrr0rrrN)clsresponse_statusr$rrrbuild_unsuccessfuls   z&OCSPResponseBuilder.build_unsuccessful) r r rr.rHrFrMr9rO classmethodrRrrrrrBs   rBc@s`eZdZejddZejddZejddZejddZej d d Z ejd d Z d S) OCSPRequestcCsdS)z3 The hash of the issuer public key Nr)r,rrrissuer_key_hash szOCSPRequest.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r,rrrissuer_name_hashszOCSPRequest.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r,rrrhash_algorithmszOCSPRequest.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r,rrr serial_numberszOCSPRequest.serial_numbercCsdS)z/ Serializes the request to DER Nr)r,rIrrr public_bytes!szOCSPRequest.public_bytescCsdS)zP The list of request extensions. Not single request extensions. Nr)r,rrrr-'szOCSPRequest.extensionsN) r r rabcabstractpropertyrUrVrWrXabstractmethodrYr-rrrrrTs rTc@seZdZejddZejddZejddZejddZejd d Z ejd d Z ejd dZ ejddZ ejddZ ejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zejd#d$Zejd%d&Zd'S)( OCSPResponsecCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nr)r,rrrrQ0szOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nr)r,rrrsignature_algorithm_oid7sz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nr)r,rrrsignature_hash_algorithm=sz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nr)r,rrr signatureCszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nr)r,rrrtbs_response_bytesIszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nr)r,rrrrMOszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nr)r,rrrresponder_key_hashWszOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nr)r,rrrresponder_name]szOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nr)r,rrr produced_atcszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nr)r,rrrcertificate_statusiszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nr)r,rrrr@oszOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nr)r,rrrrAvszOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nr)r,rrrr>}szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nr)r,rrrr?szOCSPResponse.next_updatecCsdS)z3 The hash of the issuer public key Nr)r,rrrrUszOCSPResponse.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r,rrrrVszOCSPResponse.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r,rrrrWszOCSPResponse.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r,rrrrXszOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nr)r,rrrr-szOCSPResponse.extensionsN)r r rrZr[rQr^r_r`rarMrbrcrdrer@rAr>r?rUrVrWrXr-rrrrr].s&r]))Z __future__rrrrZr<enumrZsixZ cryptographyrZcryptography.hazmat.primitivesrZcryptography.x509.baserr r ZSHA1ZSHA224ZSHA256ZSHA384ZSHA512Z _OIDS_TO_HASHr rdictZ_RESPONSE_STATUS_TO_ENUMrr!r"Z_CERT_STATUS_TO_ENUMr&r(objectr)r;rBZ add_metaclassABCMetarTr]rrrrs:       %>Y%