3 l_3@spddlmZmZmZddlZddlZddlmZddlZddl m Z ddl m Z ddl mZmZmZe je je je je jdZGdd d eZGd d d eZd d eDZe je je je je jfZddZGdddeZdd eDZddZddZGddde Z!Gddde Z"Gddde Z#ej$ej%Gddde Z&ej$ej%Gdd d e Z'dS)!)absolute_importdivisionprint_functionN)Enum)x509)hashes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErr/usr/lib64/python3.6/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTZINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIREDZ UNAUTHORIZEDrrrrr$s rcCsi|] }||jqSr)value).0xrrr -srcCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm7s r!c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r rZGOODREVOKEDZUNKNOWNrrrrr">sr"cCsi|] }||jqSr)r)rrrrrrDscCsddlm}|j|S)Nr)backend),cryptography.hazmat.backends.openssl.backendr$load_der_ocsp_request)datar$rrrr&Gs r&cCsddlm}|j|S)Nr)r$)r%r$load_der_ocsp_response)r'r$rrrr(Ms r(c@s2eZdZdgfddZddZddZdd ZdS) OCSPRequestBuilderNcCs||_||_dS)N)_request _extensions)selfZrequest extensionsrrr__init__TszOCSPRequestBuilder.__init__cCsP|jdk rtdt|t|tj s6t|tj r>tdt|||f|jS)Nz.Only one certificate can be added to a requestz%cert and issuer must be a Certificate) r*rr!rr Certificate TypeErrorr)r+)r,certissuerr rrradd_certificateXs  z"OCSPRequestBuilder.add_certificatecCsDt|tjstdtj|j||}t||jt|j |j|gS)Nz"extension must be an ExtensionType) rr ExtensionTyper0 Extensionoidr r+r)r*)r, extensioncriticalrrr add_extensionds   z OCSPRequestBuilder.add_extensioncCs(ddlm}|jdkrtd|j|S)Nr)r$z*You must add a certificate before building)r%r$r*rZcreate_ocsp_request)r,r$rrrbuildos  zOCSPRequestBuilder.build)r r rr.r3r9r:rrrrr)Ss  r)c@seZdZddZdS)_SingleResponsec Cst|tj st|tj r$tdt|t|tjs@td|dk r^t|tj r^td||_||_||_||_ ||_ t|t std|t j k r|dk rt d|dk rt dnNt|tjstdt|}|tkrt d|dk rt|tj rtd ||_||_||_dS) Nz%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)rrr/r0r!datetimeZ_certZ_issuerZ _algorithmZ _this_updateZ _next_updater"r#rr rZ ReasonFlagsZ _cert_statusZ_revocation_timeZ_revocation_reason) r,r1r2r cert_status this_update next_updaterevocation_timerevocation_reasonrrrr.ysJ         z_SingleResponse.__init__N)r r rr.rrrrr;xsr;c@sReZdZdddgfddZddZddZdd Zd d Zd d Ze ddZ dS)OCSPResponseBuilderNcCs||_||_||_||_dS)N) _response _responder_id_certsr+)r,Zresponse responder_idcertsr-rrrr.szOCSPResponseBuilder.__init__c Cs<|jdk rtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rCrr;rBrDrEr+) r,r1r2r r=r>r?r@rAZ singleresprrr add_responses z OCSPResponseBuilder.add_responsecCsP|jdk rtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rDrrrr/r0r rBrCrEr+)r,encodingZresponder_certrrrrFs   z OCSPResponseBuilder.responder_idcCs\|jdk rtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdS)N)rrr/)rrrrr sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rErlistlenallr0rBrCrDr+)r,rGrrr certificatess  z OCSPResponseBuilder.certificatescCsLt|tjstdtj|j||}t||jt|j |j |j |j|gS)Nz"extension must be an ExtensionType) rrr4r0r5r6r r+rBrCrDrE)r,r7r8rrrr9s  z!OCSPResponseBuilder.add_extensioncCsBddlm}|jdkrtd|jdkr0td|jtj|||S)Nr)r$z&You must add a response before signingz*You must add a responder_id before signing)r%r$rCrrDcreate_ocsp_responserr)r,Z private_keyr r$rrrsigns   zOCSPResponseBuilder.signcCs@ddlm}t|tstd|tjkr0td|j|dddS)Nr)r$z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r%r$rrr0rrrO)clsresponse_statusr$rrrbuild_unsuccessful s   z&OCSPResponseBuilder.build_unsuccessful) r r rr.rHrFrNr9rP classmethodrSrrrrrBs rBc@s`eZdZejddZejddZejddZejddZej d d Z ejd d Z d S) OCSPRequestcCsdS)z3 The hash of the issuer public key Nr)r,rrrissuer_key_hash0szOCSPRequest.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r,rrrissuer_name_hash6szOCSPRequest.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r,rrrhash_algorithm<szOCSPRequest.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r,rrr serial_numberBszOCSPRequest.serial_numbercCsdS)z/ Serializes the request to DER Nr)r,rIrrr public_bytesHszOCSPRequest.public_bytescCsdS)zP The list of request extensions. Not single request extensions. Nr)r,rrrr-NszOCSPRequest.extensionsN) r r rabcabstractpropertyrVrWrXrYabstractmethodrZr-rrrrrU.s rUc@s$eZdZejddZejddZejddZejddZejd d Z ejd d Z ejd dZ ejddZ ejddZ ejddZejddZejddZejddZejddZejddZejdd Zejd!d"Zejd#d$Zejd%d&Zejd'd(Zd)S)* OCSPResponsecCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nr)r,rrrrRWszOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nr)r,rrrsignature_algorithm_oid^sz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nr)r,rrrsignature_hash_algorithmdsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nr)r,rrr signaturejszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nr)r,rrrtbs_response_bytespszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nr)r,rrrrNvszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nr)r,rrrresponder_key_hash~szOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nr)r,rrrresponder_nameszOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nr)r,rrr produced_atszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nr)r,rrrcertificate_statusszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nr)r,rrrr@szOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nr)r,rrrrAszOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nr)r,rrrr>szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nr)r,rrrr?szOCSPResponse.next_updatecCsdS)z3 The hash of the issuer public key Nr)r,rrrrVszOCSPResponse.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r,rrrrWszOCSPResponse.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r,rrrrXszOCSPResponse.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r,rrrrYszOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nr)r,rrrr-szOCSPResponse.extensionscCsdS)zR The list of single response extensions. Not response extensions. Nr)r,rrrsingle_extensionsszOCSPResponse.single_extensionsN)r r rr[r\rRr_r`rarbrNrcrdrerfr@rAr>r?rVrWrXrYr-rgrrrrr^Us(r^)(Z __future__rrrr[r<enumrZsixZ cryptographyrZcryptography.hazmat.primitivesrZcryptography.x509.baserr r ZSHA1ZSHA224ZSHA256ZSHA384ZSHA512Z _OIDS_TO_HASHr rZ_RESPONSE_STATUS_TO_ENUMrr!r"Z_CERT_STATUS_TO_ENUMr&r(objectr)r;rBZ add_metaclassABCMetarUr^rrrrs@     %Fp&