3 l_\ @sddlmZmZmZddlZddlZddlZddlmZm Z ddl m Z m Z m Z ddlmZddlmZmZmZddZd d Zd d Zd dZddZddZddZddZddZddZddZddZdd Z d!d"Z!d#d$Z"d%d&Z#d'd(Z$d)d*Z%d+d,Z&d-d.Z'd/d0Z(d1d2Z)d3d4Z*d5d6Z+d7d8Z,d9d:Z-d;d<Z.d=d>Z/d?d@Z0e j1j2dAe j1j3dBe j1j4dCe j1j5dDe j1j6dEe j1j7dFe j1j8dGe j1j9dHiZ:dIdJZ;dKdLZdQdRZ?dSdTZ@dUdVZAdWdXZBejCe)ejDe-ejEe'ejFe,ejGe,ejHe0ejIe(ejJe"ejKe*ejLe*ejMe>ejNe>ejOeejPe&ejQe?ejRe@iZSejGe,ejIe(ejKe*ejTeejUeejVeejNe>iZWejXe,ejYe ejZe!iZ[ej\eBiZ]ej\eBiZ^dS)Y)absolute_importdivisionprint_functionN)utilsx509)_CRL_ENTRY_REASON_ENUM_TO_CODE_DISTPOINT_TYPE_FULLNAME_DISTPOINT_TYPE_RELATIVENAME) _ASN1Type)CRLEntryExtensionOID ExtensionOIDOCSPExtensionOIDcCsD|j|}|jj||jj}|jj||jj}|j||jjk|S)a Converts a python integer to an ASN1_INTEGER. The returned ASN1_INTEGER will not be garbage collected (to support adding them to structs that take ownership of the object). Be sure to register it for GC if it will be discarded after use. )Z _int_to_bn_ffigc_libZBN_freeZBN_to_ASN1_INTEGERNULLopenssl_assert)backendxir#/usr/lib64/python3.6/encode_asn1.py_encode_asn1_ints rcCs t||}|jj||jj}|S)N)rrrrZASN1_INTEGER_free)rrrrrr_encode_asn1_int_gc.s rcCs0|jj}|jj||t|}|j|dk|S)z@ Create an ASN1_OCTET_STRING from a Python byte string. )rZASN1_OCTET_STRING_newZASN1_OCTET_STRING_setlenr)rdatasresrrr_encode_asn1_str4s rcCs<|jj}|jj||jdt|jd}|j|dk|S)z Create an ASN1_UTF8STRING from a Python unicode string. This object will be an ASN1_STRING with UTF8 type in OpenSSL and can be decoded with ASN1_STRING_to_UTF8. utf8r)rZASN1_UTF8STRING_newASN1_STRING_setencoderr)rstringrrrrr_encode_asn1_utf8_str>s  r$cCs t||}|jj||jj}|S)N)rrrrZASN1_OCTET_STRING_free)rrrrrr_encode_asn1_str_gcLs r%cCs t||jS)N)rZ skip_certs)rZinhibit_any_policyrrr_encode_inhibit_any_policyRsr&cCsp|jj}x`|jD]V}d}xL|D]D}t||}|jj||jj}|jj||d|}|j|dkd}q WqW|S)zP The X509_NAME created will not be gc'd. Use _encode_name_gc if needed. 
rrr') rZ X509_NAME_newZrdns_encode_name_entryrrZX509_NAME_ENTRY_freeZX509_NAME_add_entryr)rnamesubjectZrdnZset_flag attribute name_entryrrrr _encode_nameVs       r-cCs t||}|jj||jj}|S)N)r-rrrZX509_NAME_free)r attributesr*rrr_encode_name_gcks r/cCsB|jj}x2|D]*}t||}|jj||}|j|dkqW|S)z: The sk_X509_NAME_ENTRY created will not be gc'd. r)rZsk_X509_NAME_ENTRY_new_nullr(Zsk_X509_NAME_ENTRY_pushr)rr.stackr+r,rrrr_encode_sk_name_entryqs    r1cCsr|jtjkr|jjd}n&|jtjkr4|jjd}n |jjd}t||jj}|j j |j j ||jj|t |}|S)N utf_16_be utf_32_ber )Z_typer Z BMPStringvaluer"ZUniversalString _txt2obj_gcoid dotted_stringrZX509_NAME_ENTRY_create_by_OBJrrr)rr+r4objr,rrrr(}s   r(cCs t||jS)N)rZ crl_number)rextrrr&_encode_crl_number_delta_crl_indicatorsr:cCs|jj}|j||jjk|jj||jj}|jr8dnd|_|j rHdnd|_ |j rXdnd|_ |j rhdnd|_|jrt||j|_|jrt||j|_|jrt||j|_|S)Nr)rZISSUING_DIST_POINT_newrrrrZISSUING_DIST_POINT_freeZonly_contains_user_certsZonlyuserZonly_contains_ca_certsZonlyCAZ indirect_crlZ indirectCRLZonly_contains_attribute_certsZonlyattrZonly_some_reasons_encode_reasonflagsZonlysomereasons full_name_encode_full_name distpoint relative_name_encode_relative_name)rr9Zidprrr_encode_issuing_dist_points  rBcCsT|jj}|j||jjk|jj||jj}|jj|t|j }|j|dk|S)Nr) rZASN1_ENUMERATED_newrrrrZASN1_ENUMERATED_freeZASN1_ENUMERATED_setrreason)rZ crl_reasonZasn1enumrrrr_encode_crl_reasons rDcCsF|jj|jjtj|jj}|j||jjk|jj ||jj }|S)N) rZASN1_GENERALIZEDTIME_setrrcalendarZtimegminvalidity_dateZ timetuplerrZASN1_GENERALIZEDTIME_free)rrFZtimerrr_encode_invalidity_dates rGc Cs|jj}|j||jjk|jj||jj}xV|D]L}|jj}|j||jjk|jj||}|j|dkt ||j j }||_ |j r6|jj}|j||jjkx|j D]}|jj} |j| |jjk|jj|| }|j|dkt|tjr"t |tjj | _t||jd| j_qt |tjj | _|jj} |j| |jjk| | j_|jrlt||j| _ t!||j"| _#qW||_$q6W|S)Nrascii)%rZsk_POLICYINFO_new_nullrrrrZsk_POLICYINFO_freeZPOLICYINFO_newZsk_POLICYINFO_push_txt2objZpolicy_identifierr7ZpolicyidZpolicy_qualifiersZsk_POLICYQUALINFO_new_nullZPOLICYQUALINFO_newZsk_POLICYQUALINFO_push isinstancesixZ 
text_typerZOID_CPS_QUALIFIERZpqualidrr"dZcpsuriZOID_CPS_USER_NOTICEZUSERNOTICE_newZ usernoticeZ explicit_textr$Zexptext_encode_notice_referenceZnotice_referenceZ noticerefZ qualifiers) rZcertificate_policiesZcpZ policy_infoZpirr6ZpqisZ qualifierZpqiZunrrr_encode_certificate_policiessH        rNcCs|dkr|jjS|jj}|j||jjkt||j|_|jj}||_x4|j D]*}t ||}|jj ||}|j|dkqRW|SdS)Nr) rrrZ NOTICEREF_newrr$Z organizationZsk_ASN1_INTEGER_new_nullZ noticenosZnotice_numbersrZsk_ASN1_INTEGER_push)rZnoticeZnrZ notice_stackZnumberZnumrrrrrMs    rMcCs.|jd}|jj|d}|j||jjk|S)z_ Converts a Python string with an ASN.1 object ID in dotted form to a ASN1_OBJECT. rHr)r"r OBJ_txt2objrrr)rr)r8rrrrIs rIcCs t||}|jj||jj}|S)N)rIrrrZASN1_OBJECT_free)rr)r8rrrr5 s r5cCs |jjS)N)rZ ASN1_NULL_new)rr9rrr_encode_ocsp_nochecksrPcCsb|jj}|jj}|jj||jj}||d|j}|j|dk||d|j}|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk||d|j }|j|dk|j r*||d|j}|j|dk||d |j}|j|dkn4||dd}|j|dk||d d}|j|dk|S) Nrr)rASN1_BIT_STRING_set_bitASN1_BIT_STRING_newrrZASN1_BIT_STRING_freeZdigital_signaturerZcontent_commitmentZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_only)rZ key_usageZset_bitZkurrrr_encode_key_usages6   rZcCsz|jj}|j||jjk|jj||jj}|jdk rFt||j|_ |j dk r^t ||j |_ |j dk rvt||j |_|S)N)rZAUTHORITY_KEYID_newrrrrZAUTHORITY_KEYID_freeZkey_identifierrZkeyidZauthority_cert_issuer_encode_general_namesZissuerZauthority_cert_serial_numberrserial)rZauthority_keyidZakidrrr _encode_authority_key_identifier8s       r]cCsN|jj}|jj||jj}|jr&dnd|_|jrJ|jdk rJt||j|_|S)Nr;r) rZBASIC_CONSTRAINTS_newrrZBASIC_CONSTRAINTS_freeZcaZ path_lengthrZpathlen)rZbasic_constraintsZ constraintsrrr_encode_basic_constraintsOs   r^csjj}j|jjkjj|fdd}xV|D]N}jj}t|jj }t |j |j ||_ jj||}j|dkq8W|S)Ncsjj|jjjjdS)NZACCESS_DESCRIPTION_free)rZsk_ACCESS_DESCRIPTION_pop_freerZ addressofZ _original_lib)r)rrrbsz,_encode_information_access..r)rZsk_ACCESS_DESCRIPTION_new_nullrrrrZACCESS_DESCRIPTION_newrIZ 
access_methodr7!_encode_general_name_preallocatedZaccess_locationlocationmethodZsk_ACCESS_DESCRIPTION_push)rZ info_accessZaiaZaccess_descriptionZadrbrr)rr_encode_information_access]s    rccCsT|jj}|j||jjkx2|D]*}t||}|jj||}|j|dkq"W|S)Nr)rZGENERAL_NAMES_newrrr_encode_general_nameZsk_GENERAL_NAME_push)rnames general_namesr)gnrrrrr[xs   r[cCs t||}|jj||jj}|S)N)r[rrrZGENERAL_NAMES_free)rZsanrfrrr_encode_alt_names  rhcCs t||jS)N)r%Zdigest)rZskirrr_encode_subject_key_identifiersricCs|jj}t||||S)N)rZGENERAL_NAME_newr`)rr)rgrrrrds  rdcCsRt|tjr~|j||jjk|jj|_|jj }|j||jjk|j j d}|jj ||t |}|j|dk||j_nt|tjr|j||jjk|jj|_|jj|j jj dd}|j||jjk||j_nrt|tjr|j||jjkt||j }|jj|_||j_n0t|tjr|j||jjkt|j tjrn|j jjtjd |j j d}n|j j d}n|j j}t"||} |jj#|_| |j_$nt|tj%r|j||jjk|jj&} |j| |jjk|jj|j'jj dd} |j| |jjk|jj(d|j } |jj(d } | | d <|jj)|jj| t |j }||jjkr|j*t+d | | _'|| _ |jj,|_| |j_-nt|tj.r|j||jjk|j j d} t"|| }|jj/|_||j_0nXt|tj1r@|j||jjk|j j d} t"|| }|jj2|_||j_3nt+d j4|dS)Nr rrH rSzunsigned char[]zunsigned char **rzInvalid ASN.1 dataz!{} is an unknown GeneralName typel)5rJrZDNSNamerrrrZGEN_DNStypeZASN1_IA5STRING_newr4r"r!rrLZdNSNameZ RegisteredIDZGEN_RIDrOr7Z registeredIDZ DirectoryNamer-Z GEN_DIRNAMEZ directoryNameZ IPAddress ipaddressZ IPv4NetworkZnetwork_addresspackedrZ int_to_bytesZ num_addressesZ IPv6NetworkrZ GEN_IPADDZ iPAddressZ OtherNameZ OTHERNAME_newtype_idnewZ d2i_ASN1_TYPEZ_consume_errors ValueErrorZ GEN_OTHERNAMEZ otherNameZ RFC822NameZ GEN_EMAILZ rfc822NameZUniformResourceIdentifierZGEN_URIZuniformResourceIdentifierformat)rr)rgZia5r4rr8Zdir_nameroZipaddrZ other_namerprZ data_ptr_ptrZasn1_strrrrr`s                            r`cCsV|jj}|jj||jj}x4|D],}t||j}|jj||}|j|dkq"W|S)Nr) rZsk_ASN1_OBJECT_new_nullrrZsk_ASN1_OBJECT_freerIr7Zsk_ASN1_OBJECT_pushr)rZextended_key_usageZekur6r8rrrr_encode_extended_key_usages   rtrrQrRrSrTrUrVrWcCsP|jj}|j||jjkx.|D]&}|jj|t|d}|j|dkq"W|S)Nr)rrYrrrrX_CRLREASONFLAGS)rreasonsZbitmaskrCrrrrr<s  r<cCs4|jj}|j||jjkt|_t|||j_ |S)N) 
rDIST_POINT_NAME_newrrrrrmr[r)fullname)rr=dpnrrrr> s  r>cCs4|jj}|j||jjkt|_t|||j_ |S)N) rrwrrrr rmr1r)Z relativename)rr@ryrrrrAs  rAcCs|jj}|jj||jj}x|D]}|jj}|j||jjk|jrVt ||j|_|j rjt ||j |_ |j r~t||j |_ |jrt||j|_|jj||}|j|dkq"W|S)Nr)rZsk_DIST_POINT_new_nullrrZsk_DIST_POINT_freeZDIST_POINT_newrrrvr<r=r>r?r@rAZ crl_issuerr[Z CRLissuerZsk_DIST_POINT_push)rZcdpsZcdpZpointZdprrrr_encode_cdps_freshest_crls    rzcCsV|jj}|j||jjk|jj||jj}t||j}||_ t||j }||_ |S)N) rZNAME_CONSTRAINTS_newrrrrZNAME_CONSTRAINTS_free_encode_general_subtreeZpermitted_subtreesZpermittedSubtreesZexcluded_subtreesZexcludedSubtrees)rZname_constraintsZncZ permittedZexcludedrrr_encode_name_constraints5s   r|cCsb|jj}|j||jjk|jj||jj}|jdk rFt||j|_ |j dk r^t||j |_ |S)N) rZPOLICY_CONSTRAINTS_newrrrrZPOLICY_CONSTRAINTS_freeZrequire_explicit_policyrZrequireExplicitPolicyZinhibit_policy_mappingZinhibitPolicyMapping)rZpolicy_constraintsZpcrrr_encode_policy_constraintsEs     r}cCsT|dkr|jjS|jj}x0|D](}|jj}t|||_|jj||}q W|SdS)N)rrrZsk_GENERAL_SUBTREE_new_nullZGENERAL_SUBTREE_newrdbaseZsk_GENERAL_SUBTREE_push)rZsubtreesZgeneral_subtreesr)Zgsrrrrr{Vs    r{cCs t||jS)N)r%nonce)rrrrr _encode_noncedsr)_Z __future__rrrrErnrKZ cryptographyrrZ0cryptography.hazmat.backends.openssl.decode_asn1rrr Zcryptography.x509.namer Zcryptography.x509.oidr r r rrrr$r%r&r-r/r1r(r:rBrDrGrNrMrIr5rPrZr]r^rcr[rhrirdr`rtZ ReasonFlagsZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromiserur<r>rArzr|r}r{rZBASIC_CONSTRAINTSZSUBJECT_KEY_IDENTIFIERZ KEY_USAGEZSUBJECT_ALTERNATIVE_NAMEZISSUER_ALTERNATIVE_NAMEZEXTENDED_KEY_USAGEZAUTHORITY_KEY_IDENTIFIERZCERTIFICATE_POLICIESZAUTHORITY_INFORMATION_ACCESSZSUBJECT_INFORMATION_ACCESSZCRL_DISTRIBUTION_POINTSZ FRESHEST_CRLZINHIBIT_ANY_POLICYZ OCSP_NO_CHECKZNAME_CONSTRAINTSZPOLICY_CONSTRAINTSZ_EXTENSION_ENCODE_HANDLERSZ CRL_NUMBERZDELTA_CRL_INDICATORZISSUING_DISTRIBUTION_POINTZ_CRL_EXTENSION_ENCODE_HANDLERSZCERTIFICATE_ISSUERZ 
CRL_REASONZINVALIDITY_DATEZ$_CRL_ENTRY_EXTENSION_ENCODE_HANDLERSZNONCEZ'_OCSP_REQUEST_EXTENSION_ENCODE_HANDLERSZ)_OCSP_BASICRESP_EXTENSION_ENCODE_HANDLERSrrrrs     1   T
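The surviving docstrings describe the three primitive conversions everything else in the module is built on: a Python int to ASN1_INTEGER, bytes to ASN1_OCTET_STRING, and a unicode string to ASN1_UTF8STRING. The example below is added here and is not code from the cryptography project; it is a pure-Python encoder and strict decoder for those three DER primitives, so a reader can see the bytes OpenSSL ends up writing for a serial number, a key identifier or a CPS notice text, and the checks a consumer should apply on the way back in (minimal INTEGER content, minimal length octets, no indefinite length, no trailing bytes). Function names and the sample values are my own assumptions, not identifiers from the module.

```python
"""Strict DER for the primitives the recovered module feeds to OpenSSL:
INTEGER, OCTET STRING and UTF8String. Added example (not cryptography's code);
function names and sample values are the author's own."""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_UTF8_STRING = 0x0C


def encode_length(n):
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag, content):
    return bytes([tag]) + encode_length(len(content)) + content


def encode_integer(value):
    """Two's-complement INTEGER using the fewest bytes that still carry the
    sign bit (serials, CRL numbers and pathLenConstraint are all INTEGERs)."""
    magnitude = value if value >= 0 else -value - 1  # bits needed besides sign
    nbytes = magnitude.bit_length() // 8 + 1
    return encode_tlv(TAG_INTEGER, value.to_bytes(nbytes, "big", signed=True))


def encode_octet_string(data):
    return encode_tlv(TAG_OCTET_STRING, bytes(data))


def encode_utf8_string(text):
    return encode_tlv(TAG_UTF8_STRING, text.encode("utf-8"))


def decode_length(data, pos):
    """Return (length, offset after the length octets); reject BER-only forms."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0:  # 0x80 is the indefinite length form, which DER forbids
        raise ValueError("indefinite length")
    raw = data[pos + 1:pos + 1 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated length")
    if raw[0] == 0:
        raise ValueError("non-minimal length: leading zero octet")
    length = int.from_bytes(raw, "big")
    if length < 0x80:
        raise ValueError("non-minimal length: long form for a short value")
    return length, pos + 1 + nbytes


def decode_tlv(data, expected_tag):
    if len(data) < 2:
        raise ValueError("truncated TLV")
    if data[0] != expected_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expected_tag, data[0]))
    length, pos = decode_length(data, 1)
    if pos + length != len(data):  # too short, or trailing bytes after the value
        raise ValueError("content length does not match input")
    return data[pos:pos + length]


def decode_integer(data):
    content = decode_tlv(data, TAG_INTEGER)
    if not content:
        raise ValueError("empty INTEGER")
    # A leading 0x00 before a byte < 0x80, or 0xFF before a byte >= 0x80, is
    # padding DER forbids; accepting it gives one value many encodings.
    if len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER content")
    return int.from_bytes(content, "big", signed=True)


def decode_octet_string(data):
    return decode_tlv(data, TAG_OCTET_STRING)


def decode_utf8_string(data):
    # .decode raises UnicodeDecodeError (a ValueError) on malformed UTF-8
    return decode_tlv(data, TAG_UTF8_STRING).decode("utf-8")


def is_strict_der_integer(data):
    """True only if `data` is exactly one INTEGER in canonical DER."""
    try:
        decode_integer(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values; note 0xFFEE needs a 0x00 byte because its top bit is set.
    for v in (0, 127, 128, -128, 0xFFEE, 2 ** 64):
        print(v, encode_integer(v).hex())
    print(is_strict_der_integer(b"\x02\x02\x00\x7f"))  # padded, so rejected
```

The decoder is deliberately stricter than a BER parser: a serial number with a redundant leading zero, or a length written in long form when short form fits, still decodes to the same integer, but two different byte strings for one value are exactly what signature and certificate-identity comparisons must not tolerate.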