3 y_Y~ @sddlmZmZmZddlZddlZddlZddlmZddl m Z m Z m Z m Z ddlmZddlmZddlmZmZmZmZdd Zd d Zd d ZddZddZddZddZddZGdddeZ ddZ!ddZ"ddZ#d d!Z$d"d#Z%d$d%Z&d&d'Z'd(d)Z(d*d+Z)d,d-Z*d.d/Z+d0d1Z,d2d3Z-d4d5Z.d6d7Z/d8d9Z0d:d;Z1dZ2dZ4ej5j6ej5j7ej5j8ej5j9ej5j:ej5j;ej5jd@dAZ?dBdCZ@dDdEZAdFdGZBdHdIZCdJdKZDdLdMZEdNdOZFej5jGej5j6ej5j7ej5j8ej5j9ej5j:ej5j;ej5jHej5jKsz$_decode_x509_name..r)) rZX509_NAME_entry_countrangeZX509_NAME_get_entryr%Z Cryptography_X509_NAME_ENTRY_setappendaddrName) rZ x509_namecount attributesZ prev_set_idxentryZ attributeZset_idrrr_decode_x509_name<s   r2cCsV|jj|}g}x@t|D]4}|jj||}|j||jjk|jt||qW|S)N) rZsk_GENERAL_NAME_numr*Zsk_GENERAL_NAME_valuerrrr+_decode_general_name)rgnsnumnamesignrrr_decode_general_namesNs r9c Cs|j|jjkr.t||jjjd}tjj |S|j|jj kr\t||jj jd}tj j |S|j|jj krt||jj}tjtj|S|j|jjkrbt||jj}t|}|dks|dkrNtj|d|d}tj||dd}tt|dd}|jd}|d krt|}d||dkr6tdtj|jd j|} n tj|} tj| S|j|jjkrtj t!||jj"S|j|jj#krt||jj$jd}tj%j |S|j|jj&krt||jj'j(} t)||jj'j*} tj+tj| | Stj,d jtj-j.|j|j|jdS) Nutf8 0r1zInvalid netmaskz/{}z{} is not a supported typer))/r rZGEN_DNS_asn1_string_to_bytesdZdNSNamerrZDNSNameZ_init_without_validationZGEN_URIZuniformResourceIdentifierZUniformResourceIdentifierZGEN_RIDrZ registeredIDZ RegisteredIDr!Z GEN_IPADDZ iPAddresslen ipaddressZ ip_addressbinintfind ValueErrorZ ip_networkZexplodedformatZ IPAddressZ GEN_DIRNAMEZ DirectoryNamer2Z directoryNameZ GEN_EMAILZ rfc822NameZ RFC822NameZ GEN_OTHERNAMEZ otherNametype_id _asn1_to_derr#Z OtherNameZUnsupportedGeneralNameTypeZ_GENERAL_NAMESget) rr8r"r$Zdata_lenbaseZnetmaskbitsprefixZiprIr#rrrr3YsP        r3cCstjS)N)rZ OCSPNoCheck)rextrrr_decode_ocsp_no_checksrPcCs0|jjd|}|jj||jj}tjt||S)NzASN1_INTEGER *)rcastgcrASN1_INTEGER_freerZ CRLNumber_asn1_integer_to_int)rrOasn1_intrrr_decode_crl_numbersrVcCs0|jjd|}|jj||jj}tjt||S)NzASN1_INTEGER *)rrQrRrrSrZDeltaCRLIndicatorrT)rrOrUrrr_decode_delta_crl_indicatorsrWc@seZdZddZddZdS)_X509ExtensionParsercCs||_||_||_||_dS)N) ext_countget_exthandlers_backend)selfrrYrZr[rrr__init__sz_X509ExtensionParser.__init__cCspg}t}xXt|j|D]D}|j||}|jj||jjjk|jjj |}|dk}t j t |j|jjj |}||krt jdj|||tjkr |jjj|} t|j| } t| jt} g} x | js| j| jtjqWt jdd| D} |jt j||| |j|qn\|tjkr||jjj|} tt|j| }|jtj |jt j||t j!|j|qy|j"|}Wnvt#k r|jjj|} |jj| |jjjk|jjj$| j%| j&dd}t j'||}|jt j|||YnXX|jjj(|}||jjjkr8|jj)t*dj|||j|} |jt j||| |j|qWt j+|S)NrzDuplicate {} extension foundcSsg|] }t|qSr)r )r'r0rrr sz._X509ExtensionParser.parse..z/The {} extension is invalid and can't be parsed),setr*rYrZr\rrrrZX509_EXTENSION_get_criticalrr!rZX509_EXTENSION_get_objectZDuplicateExtensionrHrZ TLS_FEATUREZX509_EXTENSION_get_datar@rZread_single_elementr Zis_emptyr+Z read_elementrZ as_integerZ TLSFeatureZ Extensionr,ZPRECERT_POISONZ check_emptyZ PrecertPoisonr[KeyErrorrr"lengthZUnrecognizedExtensionZX509V3_EXT_d2iZ_consume_errorsrGZ Extensions)r]Zx509_obj extensionsZ seen_oidsr7rOZcritZcriticalr$r"Z data_bytesZfeaturesZparsedr#readerZhandlerZderZ unrecognizedZext_datarrrparsesh          z_X509ExtensionParser.parseN)__name__ __module__ __qualname__r^rerrrrrXsrXcCs@|jjd|}|jj||jj}|jj|}g}xt|D]}d}|jj||}tj t ||j }|j |jj kr |jj|j }g}xt|D]} |jj|j | } tj t || j} | tjkr|jj| jjj| jjjddjd} |j| q| tjkstt|| jj} |j| qW|jtj||qW|S)Nz*Cryptography_STACK_OF_ACCESS_DESCRIPTION *csjj|jjjjdS)NZACCESS_DESCRIPTION_free)rZsk_ACCESS_DESCRIPTION_pop_freerZ addressofZ _original_lib)r0)rrrvsz,_decode_information_access..)rrQrRrZsk_ACCESS_DESCRIPTION_numr*Zsk_ACCESS_DESCRIPTION_valuermethodrrr!rlocationr3r+ZAccessDescription)rZiar5access_descriptionsr7Zadr$r8r)rr_decode_information_accessrs  rcCst||}tj|S)N)rrZAuthorityInformationAccess)raiar~rrr$_decode_authority_information_accesss rcCst||}tj|S)N)rrZSubjectInformationAccess)rrr~rrr"_decode_subject_information_accesss rc Cs|jjd|}|jj||jj}|jj}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk}||ddk} ||d dk} ||d dk} tj||||||| | | S) NzASN1_BIT_STRING *rrr=r;)rrQrRrZASN1_BIT_STRING_freeASN1_BIT_STRING_get_bitrZKeyUsage) rZ bit_stringZget_bitZdigital_signatureZcontent_commitmentZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_onlyrrr_decode_key_usages,rcCs.|jjd|}|jj||jj}t||}|S)NzGENERAL_NAMES *)rrQrRrGENERAL_NAMES_freer9)rr4 general_namesrrr_decode_general_names_extensions rcCstjt||S)N)rZSubjectAlternativeNamer)rrOrrr_decode_subject_alt_namesrcCstjt||S)N)rZIssuerAlternativeNamer)rrOrrr_decode_issuer_alt_namesrcCsF|jjd|}|jj||jj}t||j}t||j}tj ||dS)NzNAME_CONSTRAINTS *)Zpermitted_subtreesZexcluded_subtrees) rrQrRrZNAME_CONSTRAINTS_free_decode_general_subtreesZpermittedSubtreesZexcludedSubtreesrZNameConstraints)rZncZ permittedZexcludedrrr_decode_name_constraintss   rcCsl||jjkrdS|jj|}g}xFt|D]:}|jj||}|j||jjkt||j}|j |q*W|S)N) rrrZsk_GENERAL_SUBTREE_numr*Zsk_GENERAL_SUBTREE_valuerr3rLr+)rZstack_subtreesr5Zsubtreesr7rnamerrrrs   rc Cs|jjd|}|jj||jj}|j|jjkr@t||j\}}nd}d}|jdk}|j dk}|j dk}|j dk}|j |jjkrt ||j }nd}tj|||||||S)NzISSUING_DIST_POINT *rr)rrQrRrZISSUING_DIST_POINT_free distpointr_decode_distpointZonlyuserZonlyCAZ indirectCRLZonlyattrZonlysomereasons_decode_reasonsrZIssuingDistributionPoint) rZidp full_name relative_nameZ only_userZonly_caZ indirect_crlZ only_attrZonly_some_reasonsrrr_decode_issuing_dist_points*    rcCsD|jjd|}|jj||jj}t||j}t||j}tj ||S)NzPOLICY_CONSTRAINTS *) rrQrRrZPOLICY_CONSTRAINTS_freertZrequireExplicitPolicyZinhibitPolicyMappingrZPolicyConstraints)rZpcZrequire_explicit_policyZinhibit_policy_mappingrrr_decode_policy_constraintss  rcCs|jjd|}|jj||jj}|jj|}g}xJt|D]>}|jj||}|j||jj kt j t ||}|j |q:Wt j|S)Nz#Cryptography_STACK_OF_ASN1_OBJECT *)rrQrRrZsk_ASN1_OBJECT_freeZsk_ASN1_OBJECT_numr*Zsk_ASN1_OBJECT_valuerrrr!rr+ZExtendedKeyUsage)rZskr5Zekusr7rr$rrr_decode_extended_key_usages rrc Cs|jjd|}|jj||jj}|jj|}g}xt|D]}d}d}d}d}|jj||} | j|jj krvt || j}| j |jj krt || j }| j |jj krt|| j \}}|jtj||||q:W|S)Nz"Cryptography_STACK_OF_DIST_POINT *)rrQrRrZCRL_DIST_POINTS_freeZsk_DIST_POINT_numr*Zsk_DIST_POINT_valuereasonsrrZ CRLissuerr9rrr+rZDistributionPoint) rcdpsr5 dist_pointsr7rrZ crl_issuerrZcdprrr_decode_dist_pointss*   r)rr=rrrrrr;cCs<g}x.tjtD] \}}|jj||r|j|qWt|S)N)sixZ iteritems_REASON_BIT_MAPPINGrrr+ frozenset)rrZ enum_reasonsZ bit_positionreasonrrrrSs rc Cs|jtkr t||jj}|dfS|jj}|jj|}t}x@t |D]4}|jj ||}|j ||j j k|jt||qDWtj|}d|fS)N)r _DISTPOINT_TYPE_FULLNAMEr9rfullnameZ relativenamerZsk_X509_NAME_ENTRY_numr`r*Zsk_X509_NAME_ENTRY_valuerrrr,r%rr&) rrrZrnsZrnumr/r7Zrnrrrrr]s    rcCst||}tj|S)N)rrZCRLDistributionPoints)rrrrrr_decode_crl_distribution_pointsvs rcCst||}tj|S)N)rrZ FreshestCRL)rrrrrr_decode_freshest_crl{s rcCs4|jjd|}|jj||jj}t||}tj|S)NzASN1_INTEGER *)rrQrRrrSrTrZInhibitAnyPolicy)rrUZ skip_certsrrr_decode_inhibit_any_policys rcCsnddlm}|jjd|}|jj||jj}g}x8t|jj|D]$}|jj ||}|j ||||qBW|S)Nr)_SignedCertificateTimestampzCryptography_STACK_OF_SCT *) Z)cryptography.hazmat.backends.openssl.x509rrrQrRrZ SCT_LIST_freer*Z sk_SCT_numZ sk_SCT_valuer+)r asn1_sctsrZsctsr7Zsctrrr _decode_sctss rcCstjt||S)N)rZ)PrecertificateSignedCertificateTimestampsr)rrrrr-_decode_precert_signed_certificate_timestampssrcCstjt||S)N)rZSignedCertificateTimestampsr)rrrrr%_decode_signed_certificate_timestampssr) rrr=rrrrr; r=rrrrr;rrc Csb|jjd|}|jj||jj}|jj|}ytjt|St k r\t dj |YnXdS)NzASN1_ENUMERATED *zUnsupported reason code: {}) rrQrRrZASN1_ENUMERATED_freeZASN1_ENUMERATED_getrZ CRLReason_CRL_ENTRY_REASON_CODE_TO_ENUMrarGrH)renumcoderrr_decode_crl_reasons rcCs0|jjd|}|jj||jj}tjt||S)NzASN1_GENERALIZEDTIME *)rrQrRrASN1_GENERALIZEDTIME_freerZInvalidityDate_parse_asn1_generalized_time)rZinv_dategeneralized_timerrr_decode_invalidity_dates  rcCs4|jjd|}|jj||jj}t||}tj|S)NzGENERAL_NAMES *)rrQrRrrr9rZCertificateIssuer)rr4rrrr_decode_cert_issuers rcsnjjd}jj||}j|dkj|djjkjj|fdd}jj|d|ddS)Nzunsigned char **rcsjj|dS)Nr)r OPENSSL_free)r)rrrr{sz_asn1_to_der..)rrrZ i2d_ASN1_TYPErrrRr)rZ asn1_typerrr)rrrJs rJcCs@|jj||jj}|j||jjk|jj||jj}|j|S)N)rZASN1_INTEGER_to_BNrrrrRZBN_freeZ _bn_to_int)rrUZbnrrrrTsrTcCs||jjkrdSt||SdS)N)rrrT)rrUrrrrts rtcCs|jj|j|jddS)N)rrr"rb)rrwrrrr@sr@cCst||jdS)Nri)r@r)rrwrrr_asn1_string_to_asciisrcs~jjd}jj||}|dkr2tdj|jj|djjkjj |fdd}jj |d|ddj dS) Nzunsigned char **rz&Unsupported ASN1 string type. Type: {}rcsjj|dS)Nr)rr)r)rrrr{sz&_asn1_string_to_utf8..r:r)) rrrZASN1_STRING_to_UTF8rGrHr rrrRrr)rrwrrr)rrrs rcCs`|j||jjk|jj||jj}||jjkrDtdjt|||jj||jj }t ||S)Nz1Couldn't parse ASN.1 time as generalizedtime {!r}) rrrrZASN1_TIME_to_generalizedtimerGrHr@rRrr)rZ asn1_timerrrr_parse_asn1_times   rcCs"t||jjd|}tjj|dS)Nz ASN1_STRING *z %Y%m%d%H%M%SZ)rrrQdatetimeZstrptime)rrZtimerrrr'srcCs0|jjd|}|jj||jj}tjt||S)NzASN1_OCTET_STRING *)rrQrRrrvrZ OCSPNoncer@)rZnoncerrr _decode_nonce.sr)wZ __future__rrrrrCrZ cryptographyrZcryptography.hazmat._derrrrr Zcryptography.x509.extensionsr Zcryptography.x509.namer Zcryptography.x509.oidr r rrrr%r2r9r3rPrVrWobjectrXrprnrurxrzrrrrrrrrrrrrrZ_DISTPOINT_TYPE_RELATIVENAMErZ ReasonFlagsZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromiserrrrrrrrrZ unspecifiedZremove_from_crlrZ_CRL_ENTRY_REASON_ENUM_TO_CODErrrrJrTrtr@rrrrrZBASIC_CONSTRAINTSZSUBJECT_KEY_IDENTIFIERZ KEY_USAGEZSUBJECT_ALTERNATIVE_NAMEZEXTENDED_KEY_USAGEZAUTHORITY_KEY_IDENTIFIERZAUTHORITY_INFORMATION_ACCESSZSUBJECT_INFORMATION_ACCESSZCERTIFICATE_POLICIESZCRL_DISTRIBUTION_POINTSZ FRESHEST_CRLZ OCSP_NO_CHECKZINHIBIT_ANY_POLICYZISSUER_ALTERNATIVE_NAMEZNAME_CONSTRAINTSZPOLICY_CONSTRAINTSZ_EXTENSION_HANDLERS_BASEZ%PRECERT_SIGNED_CERTIFICATE_TIMESTAMPSZ_EXTENSION_HANDLERS_SCTZ CRL_REASONZINVALIDITY_DATEZCERTIFICATE_ISSUERZ_REVOKED_EXTENSION_HANDLERSZ CRL_NUMBERZDELTA_CRL_INDICATORZISSUING_DISTRIBUTION_POINTZ_CRL_EXTENSION_HANDLERSZNONCEZ_OCSP_REQ_EXTENSION_HANDLERSZ"_OCSP_BASICRESP_EXTENSION_HANDLERSZSIGNED_CERTIFICATE_TIMESTAMPSZ'_OCSP_SINGLERESP_EXTENSION_HANDLERS_SCTrrrrs     NQ!  -