3 2Zh@stdZddlmZmZmZmZddlmZddlm Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdd lmZdd lmZmZmZdd lmZmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?m@Z@mAZAmBZBmCZCGddde*ZDGddde*ZEGddde*ZFGddde0ZGGddde3ZHGddde4ZIGddde"ZJGddde3ZKGdd d e7ZLed!d"ZMGd#d$d$e%ZNGd%d&d&e.ZOGd'd(d(e3ZPGd)d*d*e6ZQGd+d,d,e4ZRGd-d.d.e%ZSGd/d0d0e3ZTGd1d2d2e%ZUGd3d4d4e%ZVGd5d6d6e%ZWGd7d8d8e5ZXGd9d:d:e5ZYGd;d<dd>e4Z[Gd?d@d@e3Z\GdAdBdBe3Z]GdCdDdDe4Z^GdEdFdFe3Z_GdGdHdHe4Z`GdIdJdJe%ZaGdKdLdLe%ZbGdMdNdNe5ZcGdOdPdPe4ZdGdQdRdRe5ZeGdSdTdTe3ZfGdUdVdVe6ZgGdWdXdXe3ZhGdYdZdZe%ZiGd[d\d\e+ZjGd]d^d^e+ZkGd_d`d`e3ZlGdadbdbe4ZmGdcdddde3ZnGdedfdfe3ZoGdgdhdhe%ZpGdidjdje4ZqGdkdldle%ZrGdmdndne3ZsGdodpdpe3ZtGdqdrdre3ZuGdsdtdte%ZvGdudvdve"ZwGdwdxdxe3ZxGdydzdze4ZyGd{d|d|e3ZzGd}d~d~e3Z{Gddde4Z|Gddde%Z}Gddde4Z~Gddde3ZGddde3ZGddde.ZGddde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde4ZGddde3ZGddde.ZGddde4ZGddde.ZGddde3ZGddde4ZGddde4ZGddde4ZGddde3ZGddde"ZGddde+ZGddde3ZGddde6ZGddde3ZGddde3ZGddde6ZGddde'ZGddde'ZGddde'ZGddde'ZGdd„de'ZGddĄde'ZGddƄde3ZGddȄde3ZGddʄde'ZGdd̄de3ZGdd΄de3ZGddЄde6ZGdd҄de.ZGddԄde6ZGddքde6ZGdd؄de6ZGddڄde3ZGdd܄de6ZGddބde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde3ZGddde4ZGddde4ZGddde3ZGddde&ZdS)z ASN.1 type classes for X.509 certificates. Exports the following items: - Attributes() - Certificate() - Extensions() - GeneralName() - GeneralNames() - Name() Other type classes are defined that help compose the types listed above. )unicode_literalsdivisionabsolute_importprint_function)contextmanager)idnaN)unwrap) iri_to_uri uri_to_iri) OrderedDict) type_namestr_cls bytes_to_list)AlgorithmIdentifierAnyAlgorithmIdentifierDigestAlgorithmSignedDigestAlgorithm)Any BitString BMPStringBooleanChoiceConcat EnumeratedGeneralizedTime GeneralString IA5StringIntegerNull NumericStringObjectIdentifierOctetBitString OctetStringParsableOctetStringPrintableStringSequence SequenceOfSetSetOf TeletexStringUniversalStringUTCTime UTF8String VisibleStringVOID) PublicKeyInfo) int_to_bytesint_from_bytes inet_ntop inet_ptonc@s,eZdZdZdZddZddZddZd S) DNSNamercCs ||k S)N)selfotherr7r71/usr/lib/python3/dist-packages/asn1crypto/x509.py__ne__LszDNSName.__ne__cCs&t|tsdS|jj|jjkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.2 :param other: Another DNSName object :return: A boolean F) isinstancer5 __unicode__lower)r8r9r7r7r:__eq__Os zDNSName.__eq__cCsxt|ts"ttdt|t||jdrFd|ddj|j}n |j|j}||_||_ d|_ |j dkrtd|_ dS)zd Sets the value of the DNS name :param value: A unicode string zK %s value must be a unicode string, not %s ..rN) r<r TypeErrorr r startswithencode _encoding_unicodecontents_header_trailer)r8value encoded_valuer7r7r:set_s     z DNSName.setN)__name__ __module__ __qualname__rFZ_bad_tagr;r?rMr7r7r7r:r5Gs r5c@s,eZdZddZddZddZddZd S) URIcCsLt|ts"ttdt|t|||_t||_d|_|j dkrHd|_ dS)zb Sets the value of the string :param value: A unicode string zK %s value must be a unicode string, not %s NrB) r<rrCr r rGr rHrIrJ)r8rKr7r7r:rM~s    zURI.setcCs ||k S)Nr7)r8r9r7r7r:r;sz URI.__ne__cCs"t|tsdSt|jt|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.4 :param other: Another URI object :return: A boolean F)r<rQr native)r8r9r7r7r:r?s z URI.__eq__cCs,|jdkrdS|jdkr&t|j|_|jS)z7 :return: A unicode string N)rHrGr _merge_chunks)r8r7r7r:r=s   zURI.__unicode__N)rNrOrPrMr;r?r=r7r7r7r:rQ|srQc@sNeZdZdZdZeddZejddZddZdd Z d d Z d d Z dS) EmailAddressNFcCs|jS)z` :return: A byte string of the DER-encoded contents of the sequence ) _contents)r8r7r7r:rHszEmailAddress.contentscCsd|_||_dS)ze :param value: A byte string of the DER-encoded contents of the sequence FN) _normalizedrV)r8rKr7r7r:rHscCst|ts"ttdt|t||jdd krZ|jdd\}}|jdd|jd}n |jd}d|_||_ ||_ d|_ |j d krd |_ dS) zb Sets the value of the string :param value: A unicode string zK %s value must be a unicode string, not %s @rascii@rTNrB) r<rrCr r findrsplitrErWrGrHrIrJ)r8rKmailboxhostnamerLr7r7r:rMs    zEmailAddress.setcCs^|jdkrX|j}|jddkr.|jd|_n*|jdd\}}|jdd|jd|_|jS)z7 :return: A unicode string NrZrrYrXrr[)rGrTr\decoder])r8rHr^r_r7r7r:r=s zEmailAddress.__unicode__cCs ||k S)Nr7)r8r9r7r7r:r;szEmailAddress.__ne__cCst|tsdS|js |j|j|js2|j|j|jjddksR|jjddkr^|j|jkS|jjdd\}}|jjdd\}}||krdS|j|jkrdSdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.5 :param other: Another EmailAddress object :return: A boolean FrZrTr[r[) r<rUrWrMrRrVr\r]r>)r8r9Z other_mailboxZother_hostnamer^r_r7r7r:r?s     zEmailAddress.__eq__) rNrOrPrVrWpropertyrHsetterrMr=r;r?r7r7r7r:rUs  rUc@s:eZdZd ddZddZeddZdd Zd d ZdS) IPAddressNcCsttddS)z? This method is not applicable to IP addresses z= IP address values can not be parsed N) ValueErrorr )r8specZ spec_paramsr7r7r:parse"szIPAddress.parsec CsTt|ts"ttdt|t||}|jddk}d}|rv|jdd}|d}t|d}|dkrvttdt||jddkrt j }|dkrttdt|d}n$t j }|d krttd t|d }d }|rd |} | d |t | 7} t t| d}d|dt ||}||_t||||_|j|_d|_|jd krPd |_dS)z Sets the value of the object :param value: A unicode string containing an IPv4 address, IPv4 address with CIDR, an IPv6 address or IPv6 address with CIDR zK %s value must be a unicode string, not %s /rrzT %s value contains a CIDR range less than 0 :z %s value contains a CIDR range bigger than 128, the maximum value for an IPv6 address z %s value contains a CIDR range bigger than 32, the maximum value for an IPv4 address rB10Nr[r[)r<rrCr r r\splitintrdsocketAF_INET6AF_INETlenr1_nativer4rHZ_bytesrIrJ) r8rKoriginal_valueZhas_cidrcidrpartsfamilyZ cidr_sizeZ cidr_bytesZ cidr_maskr7r7r:rM-sR        z IPAddress.setcCs|jdkrdS|jdkr|j}t|}d}|tddgkrjttj|dd}|dkrt|dd}n<|tddgkrttj |dd}|dkrt|dd}|dk rdj |}t|j d}|d t |}||_|jS) z The a native Python datatype representation of this value :return: A unicode string or None Nrjrroz{0:b}rlrg) rHrv __bytes__rurMr3rrrsr2rtformatrstripr)r8Z byte_stringZbyte_lenZcidr_intrKZ cidr_bitsrxr7r7r:rRts(   zIPAddress.nativecCs ||k S)Nr7)r8r9r7r7r:r;szIPAddress.__ne__cCst|tsdS|j|jkS)zl :param other: Another IPAddress object :return: A boolean F)r<rcr})r8r9r7r7r:r?s zIPAddress.__eq__)NN) rNrOrPrfrMrarRr;r?r7r7r7r:rc!s  G rcc@s"eZdZdefdedeifgZdS) AttributetypevaluesreN)rNrOrPr!r)r_fieldsr7r7r7r:rsrc@seZdZeZdS) AttributesN)rNrOrPr _child_specr7r7r7r:rsrc @s$eZdZddddddddd d Zd S) KeyUsageZdigital_signatureZnon_repudiationZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_only) rrrmr|roN)rNrOrP_mapr7r7r7r:rsrc@s,eZdZdedddfdedddfgZdS)PrivateKeyUsagePeriod not_beforerT)implicitoptional not_afterrN)rNrOrPrrr7r7r7r:rsrc@seZdZdZdZddZdS)NotReallyTeletexStringa6 OpenSSL (and probably some other libraries) puts ISO-8859-1 into TeletexString instead of ITU T.61. We use Windows-1252 when decoding since it is a superset of ISO-8859-1, and less likely to cause encoding issues, but we stay strict with encoding to prevent us from creating bad data. cp1252cCs0|jdkrdS|jdkr*|jj|j|_|jS)z7 :return: A unicode string NrS)rHrGrTr`_decoding_encoding)r8r7r7r:r=s   z"NotReallyTeletexString.__unicode__N)rNrOrP__doc__rr=r7r7r7r:rsrc cszdt_dVWddt_XdS)Nteletexr)rrr7r7r7r:strict_teletexs rc@s4eZdZdefdefdefdefdefdefgZ dS)DirectoryStringteletex_stringprintable_stringZuniversal_string utf8_string bmp_string ia5_stringN) rNrOrPrr%r+r-rr _alternativesr7r7r7r:rs rc"@seZdZddddddddd d d d d ddddddddddddddddddd d!d"!Zdddd ddd ddddd d ddddddddd dd d!dddddddg Zed#d$Zed%d&Zd'S)(NameType common_namesurname serial_number country_name locality_namestate_or_province_namestreet_addressorganization_nameorganizational_unit_nametitlebusiness_category postal_codetelephone_numbername given_nameinitialsgeneration_qualifierunique_identifier dn_qualifier pseudonymorganization_identifiertpm_manufacturer tpm_model tpm_versionplatform_manufacturerplatform_modelplatform_version email_addressincorporation_localityincorporation_state_or_provinceincorporation_countrydomain_componentname_distinguisher)!z2.5.4.3z2.5.4.4z2.5.4.5z2.5.4.6z2.5.4.7z2.5.4.8z2.5.4.9z2.5.4.10z2.5.4.11z2.5.4.12z2.5.4.15z2.5.4.17z2.5.4.20z2.5.4.41z2.5.4.42z2.5.4.43z2.5.4.44z2.5.4.45z2.5.4.46z2.5.4.65z2.5.4.97z 2.23.133.2.1z 2.23.133.2.2z 2.23.133.2.3z 2.23.133.2.4z 2.23.133.2.5z 2.23.133.2.6z1.2.840.113549.1.9.1z1.3.6.1.4.1.311.60.2.1.1z1.3.6.1.4.1.311.60.2.1.2z1.3.6.1.4.1.311.60.2.1.3z0.9.2342.19200300.100.1.25z0.2.262.1.10.7.20cCs4|j|}||jkr"|jj|}n t|j}||fS)z Returns an ordering value for a particular attribute key. Unrecognized attributes and OIDs will be sorted lexically at the end. :return: An orderable value. )mappreferred_orderindexru)clsZ attr_nameZordinalr7r7r:preferred_ordinalBs   zNameType.preferred_ordinalc"CsTddddddddd d d d d ddddddddddddddddddd d!d"!j|j|jS)#zZ :return: A human-friendly unicode string to display to users z Common NameZSurnamez Serial NumberCountryZLocalityzState/ProvincezStreet AddressZ OrganizationzOrganizational UnitZTitlezBusiness Categoryz Postal CodezTelephone NumberNamez Given NameZInitialszGeneration QualifierzUnique Identifierz DN QualifierZ Pseudonymz Email AddresszIncorporation LocalityzIncorporation State/ProvincezIncorporation CountryzDomain ComponentzName DistinguisherzOrganization IdentifierzTPM Manufacturerz TPM Modelz TPM VersionzPlatform ManufacturerzPlatform ModelzPlatform Version)!rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr)getrR)r8r7r7r:human_friendlyVsDzNameType.human_friendlyN) rNrOrPrr classmethodrrarr7r7r7r:rs rc"@seZdZdefdefgZd Zeeeeeeeeeeeeeeeeee eee eeee eee e e e e e d!Z dZeddZddZd d Zd d ZdS)NameTypeAndValuerrK)!rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrNcCs"|jdkr|j|dj|_|jS)z Returns the value after being processed by the internationalized string preparation as specified by RFC 5280 :return: A unicode string NrK)_prepped_ldap_string_preprR)r8r7r7r: prepped_values zNameTypeAndValue.prepped_valuecCs ||k S)Nr7)r8r9r7r7r:r;szNameTypeAndValue.__ne__cCs2t|tsdS|dj|djkr&dS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another NameTypeAndValue object :return: A boolean Fr)r<rrRr)r8r9r7r7r:r?s zNameTypeAndValue.__eq__cCstjdd|}tjdd|}tjdkr6tjdd|}ntjdd|}tjdd|}|jd d}tjd d|}djttj|}t j d |}x|D]}tj |rt t d tj|rt t d tj|rt t dtj|rt t dtj|rt t d|dkrt t dqWd}d}x0|D](}tj|r@d}ntj|r*d}q*W|rtj|d}tj|d}|s| s| rt t ddtjdd|jd}|S)a" Implements the internationalized string preparation algorithm from RFC 4518. https://tools.ietf.org/html/rfc4518#section-2 :param string: A unicode string to prepare :return: A prepared unicode string, ready for comparison u[­᠆͏᠋-᠍️-＀]+rSu [ …] iu[-]|[-]|󠀁u[𝅳-𝅺󠀠-󠁿󠀁]u?[---„†-Ÿ۝܏᠎‌-‏‪-‮⁠-⁣--]+u​u[   - 
-
   ]ZNFKCzc X.509 Name objects may not contain unassigned code points z X.509 Name objects may not contain change display or zzzzdeprecated characters zc X.509 Name objects may not contain private use characters zf X.509 Name objects may not contain non-character code points zb X.509 Name objects may not contain surrogate code points u�zf X.509 Name objects may not contain the replacement character FTrrz{ X.509 Name object contains a malformed bidirectional sequence z +z r[)resubsys maxunicodereplacejoinr stringprepZ map_table_b2 unicodedataZ normalizeZ in_table_a1rdr Z in_table_c8Z in_table_c3Z in_table_c4Z in_table_c5Z in_table_d1Z in_table_d2strip)r8stringcharZhas_r_and_al_catZ has_l_catZfirst_is_r_and_alZlast_is_r_and_alr7r7r:rs^               z"NameTypeAndValue._ldap_string_prep)rrK)rNrOrPrrr _oid_pairrr%r"rUr5r- _oid_specsrrarr;r?rr7r7r7r:rsR  rc@s<eZdZeZeddZddZddZddZ d d Z d S) RelativeDistinguishedNamecCsDg}|j|}x*t|jD]}|jd|||fqWdj|S)zb :return: A unicode string that can be used as a dict key or in a set z%s: %s) _get_valuessortedkeysappendr)r8outputrkeyr7r7r:hashableEs  z"RelativeDistinguishedName.hashablecCs ||k S)Nr7)r8r9r7r7r:r;Usz RelativeDistinguishedName.__ne__cCs|t|tsdSt|t|kr"dS|j|}|j|}||krBdS|j|}|j|}x |D]}||||kr\dSq\WdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RelativeDistinguishedName object :return: A boolean FT)r<rru _get_typesr)r8r9Z self_typesZ other_typesZ self_valuesZ other_valuesZ type_name_r7r7r:r?Xs      z RelativeDistinguishedName.__eq__cCstdd|DS)z Returns a set of types contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A set object with unicode strings of NameTypeAndValue type field values cSsg|]}|djqS)r)rR).0ntvr7r7r: sz8RelativeDistinguishedName._get_types..)rM)r8rdnr7r7r:rxs z$RelativeDistinguishedName._get_typescsifdd|DS)a$ Returns a dict of prepped values contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A dict object with unicode strings of NameTypeAndValue value field values that have been prepped for comparison cs$g|]}j|dj|jfgqS)r)updaterRr)rr)rr7r:rsz9RelativeDistinguishedName._get_values..r7)r8rr7)rr:rs z%RelativeDistinguishedName._get_valuesN) rNrOrPrrrarr;r?rrr7r7r7r:rBs   rc@s,eZdZeZeddZddZddZdS) RDNSequencecCsdjdd|DS)zb :return: A unicode string that can be used as a dict key or in a set css|] }|jVqdS)N)r)rrr7r7r: sz'RDNSequence.hashable..)r)r8r7r7r:rs zRDNSequence.hashablecCs ||k S)Nr7)r8r9r7r7r:r;szRDNSequence.__ne__cCsLt|tsdSt|t|kr"dSx$t|D]\}}|||kr,dSq,WdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RDNSequence object :return: A boolean FT)r<rru enumerate)r8r9rZself_rdnr7r7r:r?s  zRDNSequence.__eq__N) rNrOrPrrrarr;r?r7r7r7r:rs rc@seZdZdefgZdZdZdZedddZ e ddZ dd Z d d Z d d Ze ddZe ddZddZe ddZe ddZdS)rrSNFc Csg}|sd}t}nd}t}tt|jddd}x|jD]\}}tj|}|dkr`t|}nF|dkrrt|}n4|t dd d gkrt dt|d }nt |||d }|j t t ||d gqszName.build..)rrrrrr)rrK)rrKrS)r-r%r ritemsrrrUr5rMrrrrr) rZ name_dictZ use_printableZrdnsZ encoding_nameZencoding_classattribute_nameZattribute_valuerKr7r7r:builds8    z Name.buildcCs|jjS)zb :return: A unicode string that can be used as a dict key or in a set )chosenr)r8r7r7r:rsz Name.hashablecCs t|jS)N)rur)r8r7r7r:__len__sz Name.__len__cCs ||k S)Nr7)r8r9r7r7r:r;sz Name.__ne__cCst|tsdS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another Name object :return: A boolean F)r<rr)r8r9r7r7r:r?s z Name.__eq__cCs|jdkrt|_xr|jjD]f}x`|D]X}|d}||jkrp|j|}t|ts`|g}|j|<|j|dq&|d|j|<q&WqW|jS)NrrK)rvr rrRr<listr)r8rtype_val field_nameexistingr7r7r:rR%s     z Name.nativecCs|jdkrt}d}x`|jD]V}xP|D]H}|dj}|}||krd||g||<||j|dq(|d||<q(WqWg}|j}|dkrtt|}x0|D](}||} |j| } |jd|| fqWd} x |D]} | j dd krd } PqW| sd nd } | j |ddd |_|jS)zg :return: A human-friendly unicode string containing the parts of the name NrrKrz%s: %sF,rTz, z; r[r[) _human_friendlyr rrrrreversedr_recursive_humanizer\r)r8dataZ last_fieldrrrZto_joinrrrKZ native_valueZ has_commaelementZ separatorr7r7r:r5s6         zName.human_friendlycs,t|tr&djtfdd|DS|jS)z Recursively serializes data compiled from the RDNSequence :param value: An Asn1Value object, or a list of Asn1Value objects :return: A unicode string z, csg|]}j|qSr7)r)rZ sub_value)r8r7r:risz,Name._recursive_humanize..)r<rrrrR)r8rKr7)r8r:r\s zName._recursive_humanizecCs$|jdkrtj|jj|_|jS)zZ :return: The SHA1 hash of the DER-encoded bytes of this name N)_sha1hashlibsha1dumpdigest)r8r7r7r:rms z Name.sha1cCs$|jdkrtj|jj|_|jS)z] :return: The SHA-256 hash of the DER-encoded bytes of this name N)_sha256rsha256rr)r8r7r7r:rxs z Name.sha256)F)rNrOrPrrrrrrrrarrr;r?rRrrrrr7r7r7r:rs  <   ' rc@s"eZdZdefdeddifgZdS) AnotherNameZtype_idrKexplicitrN)rNrOrPr!rrr7r7r7r:rsrc@s$eZdZdZdZdefdefgZdS) CountryNamer x121_dcc_codeiso_3166_alpha2_codeN)rNrOrPclass_tagr r%rr7r7r7r:r sr c@s$eZdZdZdZdefdefgZdS)AdministrationDomainNamerrmnumeric printableN)rNrOrPr r r r%rr7r7r7r:rsrc@seZdZdefdefgZdS)PrivateDomainNamerrN)rNrOrPr r%rr7r7r7r:rsrc@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) PersonalNamerrrrrT)rrrrmrrN)rNrOrPr%rr7r7r7r:rs rc@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) TeletexPersonalNamerrrrrT)rrrrmrrN)rNrOrPr*rr7r7r7r:rs rc@seZdZeZdS)OrganizationalUnitNamesN)rNrOrPr%rr7r7r7r:rsrc@seZdZeZdS)TeletexOrganizationalUnitNamesN)rNrOrPr*rr7r7r7r:rsrc @seZdZdeddifdeddifdedddfded ddfd ed dd fd edddfdedddfdedddfde dddfg Z dS)BuiltInStandardAttributesrrTZadministration_domain_nameZnetwork_addressr)rrZterminal_identifierrZprivate_domain_namerm)rrrrZnumeric_user_identifierr|Z personal_namerZorganizational_unit_namesrN) rNrOrPr rr r%rrrrr7r7r7r:rs  rc@seZdZdefdefgZdS)BuiltInDomainDefinedAttributerrKN)rNrOrPr%rr7r7r7r:rsrc@seZdZeZdS)BuiltInDomainDefinedAttributesN)rNrOrPrrr7r7r7r:rsrc@seZdZdefdefgZdS)TeletexDomainDefinedAttributerrKN)rNrOrPr*rr7r7r7r:rsrc@seZdZeZdS)TeletexDomainDefinedAttributesN)rNrOrPrrr7r7r7r:rsrc@seZdZdefdefgZdS)PhysicalDeliveryCountryNamer r N)rNrOrPr r%rr7r7r7r:rsrc@seZdZdefdefgZdS) PostalCodeZ numeric_codeZprintable_codeN)rNrOrPr r%rr7r7r7r:rsrc@s(eZdZdeddifdeddifgZdS) PDSParameterrrTrN)rNrOrPr%r*rr7r7r7r:rs rc@seZdZeZdS)PrintableAddressN)rNrOrPr%rr7r7r7r:rsrc@s(eZdZdeddifdeddifgZdS)UnformattedPostalAddressZprintable_addressrTrN)rNrOrPrr*rr7r7r7r:rs rc@s*eZdZdeddifdedddfgZdS) E1634AddressZnumberrrZ sub_addressrT)rrN)rNrOrPr rr7r7r7r:r s r c@seZdZeZdS) NAddressesN)rNrOrPr#rr7r7r7r:r! sr!c@sFeZdZdedddfdedddfdedddfd ed d ifgZd S) PresentationAddressZ p_selectorrT)rrZ s_selectorrZ t_selectorrmZ n_addressesrrN)rNrOrPr#r!rr7r7r7r:r"sr"c@s"eZdZdefdeddifgZdS)ExtendedNetworkAddressZe163_4_addressZ psap_addressrrN)rNrOrPr r"rr7r7r7r:r#sr#c@seZdZdddddddZdS) TerminalTypeZtelexrZ g3_facsimileZ g4_facsimileZ ia5_terminalZvideotex)rr|rrrroN)rNrOrPrr7r7r7r:r$s r$c@s@eZdZddddddddd d d d d dddddddddddZdS)ExtensionAttributeTyperteletex_common_nameteletex_organization_nameteletex_personal_nameteletex_organization_unit_names!teletex_domain_defined_attributespds_namephysical_delivery_country_namerphysical_delivery_office_namephysical_delivery_office_numberextension_of_address_componentsphysical_delivery_personal_name#physical_delivery_organization_name.extension_physical_delivery_address_componentsunformatted_postal_addressrpost_office_box_addressposte_restante_addressunique_postal_namelocal_postal_attributesextended_network_address terminal_type)rrmrr|rrrro r{r6N)rNrOrPrr7r7r7r:r%*s.r%c@s`eZdZdeddifdeddifgZd Zeeee e e ee e eeeeeeeeeeeeeedZdS) ExtensionAttributeextension_attribute_typerrextension_attribute_valuerr)rr&r'r(r)r*r+r,rr-r.r/r0r1r2r3rr4r5r6r7r8r9N)rHrI)rNrOrPr%rrrr%r*rrrrrrrr#r$rr7r7r7r:rGFs4 rGc@seZdZeZdS)ExtensionAttributesN)rNrOrPrGrr7r7r7r:rJhsrJc@s.eZdZdefdeddifdeddifgZdS) ORAddressZbuilt_in_standard_attributesZ"built_in_domain_defined_attributesrTZextension_attributesN)rNrOrPrrrJrr7r7r7r:rKls rKc@s*eZdZdedddfdeddifgZdS) EDIPartyNameZ name_assignerrT)rrZ party_namerrN)rNrOrPrrr7r7r7r:rLtsrLc @seZdZdeddifdeddifdeddifdedd ifd ed d ifd eddifde ddifde ddifde ddifg Z ddZ ddZdS) GeneralName other_namerrZ rfc822_namerdns_namerm x400_addressrZdirectory_namerr|edi_party_nameruniform_resource_identifierr ip_addressrZ registered_idrocCs ||k S)Nr7)r8r9r7r7r:r;szGeneralName.__ne__cCsP|jdkrttd|j|jdkr4ttd|j|j|jkrDdS|j|jkS) z Does not support other_name, x400_address or edi_party_name :param other: The other GeneralName to compare to :return: A boolean rNrPrQzr Comparison is not supported for GeneralName objects of choice %s za Comparison is not supported for GeneralName objects of choice %sF)rNrPrQ)rNrPrQ)rrdr r)r8r9r7r7r:r?s     zGeneralName.__eq__N)rNrOrPrrUr5rKrrLrQrcr!rr;r?r7r7r7r:rM{s        rMc@seZdZeZdS) GeneralNamesN)rNrOrPrMrr7r7r7r:rTsrTc@seZdZdefdefgZdS)TimeZutc_timeZ general_timeN)rNrOrPr,rrr7r7r7r:rUsrUc@seZdZdefdefgZdS)ValidityrrN)rNrOrPrUrr7r7r7r:rVsrVc@s(eZdZdeddifdeddifgZdS)BasicConstraintscadefaultFpath_len_constraintrTN)rNrOrPrrrr7r7r7r:rWs rWc@s:eZdZdedddfdedddfdedddfgZd S) AuthorityKeyIdentifierkey_identifierrT)rrauthority_cert_issuerrauthority_cert_serial_numberrmN)rNrOrPr#rTrrr7r7r7r:r[sr[c@s(eZdZdeddifdeddifgZdS)DistributionPointName full_namerrname_relative_to_crl_issuerrN)rNrOrPrTrrr7r7r7r:r_s r_c @s$eZdZddddddddd d Zd S) ReasonFlagsZunusedZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromise) rrrmrr|rrrroN)rNrOrPrr7r7r7r:rbsrbc@s2eZdZdefdedddfdedddfgZd S) GeneralSubtreebaseZminimumr)rrYZmaximumrT)rrN)rNrOrPrMrrr7r7r7r:rcsrcc@seZdZeZdS)GeneralSubtreesN)rNrOrPrcrr7r7r7r:resrec@s,eZdZdedddfdedddfgZdS)NameConstraintsZpermitted_subtreesrT)rrZexcluded_subtreesrN)rNrOrPrerr7r7r7r:rfsrfc@sJeZdZdedddfdedddfded ddfgZd Zed d Z d S)DistributionPointdistribution_pointrT)rrZreasonsr)rrZ crl_issuerrmFcCsj|jdkrdd|_|d}|jdkr.ttdx4|jD]*}|jdkr6|j}|jjd r6||_Pq6W|jS) z_ :return: None or a unicode string of the distribution point's URL FNrhr`z CRL distribution points that are relative to the issuer are not supported rRhttp://https://ldap://ldaps://)rirjrkrl)_urlrrdr rrRr>rD)r8r general_nameurlr7r7r:ros    zDistributionPoint.urlN) rNrOrPr_rbrTrrmraror7r7r7r:rgs rgc@seZdZeZdS)CRLDistributionPointsN)rNrOrPrgrr7r7r7r:rpsrpc@s(eZdZdefdefdefdefgZdS) DisplayTextrZvisible_stringrrN)rNrOrPrr.rr-rr7r7r7r:rqsrqc@seZdZeZdS) NoticeNumbersN)rNrOrPrrr7r7r7r:rr(srrc@seZdZdefdefgZdS)NoticeReferenceZ organizationZnotice_numbersN)rNrOrPrqrrrr7r7r7r:rs,srsc@s(eZdZdeddifdeddifgZdS) UserNoticeZ notice_refrTZ explicit_textN)rNrOrPrsrqrr7r7r7r:rt3s rtc@seZdZdddZdS)PolicyQualifierId certification_practice_statement user_notice)z1.3.6.1.5.5.7.2.1z1.3.6.1.5.5.7.2.2N)rNrOrPrr7r7r7r:ru:sruc@s*eZdZdefdefgZdZeedZ dS)PolicyQualifierInfopolicy_qualifier_id qualifier)rvrwN)ryrz) rNrOrPrurrrrrtrr7r7r7r:rxAs  rxc@seZdZeZdS)PolicyQualifierInfosN)rNrOrPrxrr7r7r7r:r{Nsr{c@seZdZddiZdS)PolicyIdentifierz 2.5.29.32.0Z any_policyN)rNrOrPrr7r7r7r:r|Rsr|c@s"eZdZdefdeddifgZdS)PolicyInformationZpolicy_identifierZpolicy_qualifiersrTN)rNrOrPr|r{rr7r7r7r:r}Xsr}c@seZdZeZdS)CertificatePoliciesN)rNrOrPr}rr7r7r7r:r~_sr~c@seZdZdefdefgZdS) PolicyMappingZissuer_domain_policyZsubject_domain_policyN)rNrOrPr|rr7r7r7r:rcsrc@seZdZeZdS)PolicyMappingsN)rNrOrPrrr7r7r7r:rjsrc@s,eZdZdedddfdedddfgZdS)PolicyConstraintsZrequire_explicit_policyrT)rrZinhibit_policy_mappingrN)rNrOrPrrr7r7r7r:rnsrcU@seZdZddddddddd d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdUTZdVS)W KeyPurposeIdZany_extended_key_usageZ server_authZ client_authZ code_signingZemail_protectionZipsec_end_systemZ ipsec_tunnelZ ipsec_user time_stampingZ ocsp_signingZdvcsZ eap_over_pppZ eap_over_lanZ scvp_serverZ scvp_clientZ ipsec_ikeZ capwap_acZ capwap_wtpZ sip_domainZsecure_shell_clientZsecure_shell_serverZ send_routerZsend_proxied_routerZ send_ownerZsend_proxied_ownerZcmc_caZcmc_raZ cmc_archiveZbgpspec_routerZmicrosoft_trust_list_signingZmicrosoft_time_stamp_signingZmicrosoft_server_gatedZmicrosoft_serializedZ microsoft_efsZmicrosoft_efs_recoveryZmicrosoft_whqlZ microsoft_nt5Zmicrosoft_oem_whqlZmicrosoft_embedded_ntZmicrosoft_root_list_signerZ!microsoft_qualified_subordinationZmicrosoft_key_recoveryZmicrosoft_document_signingZmicrosoft_lifetime_signingZ microsoft_mobile_device_softwareZmicrosoft_smart_card_logonZapple_x509_basicZ apple_sslZapple_local_cert_genZ apple_csr_genZapple_revocation_crlZapple_revocation_ocspZ apple_smimeZ apple_eapZapple_software_update_signingZ apple_ipsecZ apple_ichatZapple_resource_signingZapple_pkinit_clientZapple_pkinit_serverZapple_code_signingZapple_package_signingZapple_id_validationZapple_time_stampingZapple_revocationZapple_passbook_signingZapple_mobile_storeZapple_escrow_serviceZapple_profile_signerZapple_qa_profile_signerZapple_test_mobile_storeZapple_otapki_signerZapple_test_otapki_signerZ)apple_id_validation_record_signing_policyZapple_smp_encryptionZapple_test_smp_encryptionZapple_server_authenticationZapple_pcs_escrow_serviceZpiv_card_authenticationZpiv_content_signingZpkinit_kpclientauthZ pkinit_kpkdcZadobe_authentic_documents_trustZfpki_pivi_content_signing)Tz 2.5.29.37.0z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.5.7.3.5z1.3.6.1.5.5.7.3.6z1.3.6.1.5.5.7.3.7z1.3.6.1.5.5.7.3.8z1.3.6.1.5.5.7.3.9z1.3.6.1.5.5.7.3.10z1.3.6.1.5.5.7.3.13z1.3.6.1.5.5.7.3.14z1.3.6.1.5.5.7.3.15z1.3.6.1.5.5.7.3.16z1.3.6.1.5.5.7.3.17z1.3.6.1.5.5.7.3.18z1.3.6.1.5.5.7.3.19z1.3.6.1.5.5.7.3.20z1.3.6.1.5.5.7.3.21z1.3.6.1.5.5.7.3.22z1.3.6.1.5.5.7.3.23z1.3.6.1.5.5.7.3.24z1.3.6.1.5.5.7.3.25z1.3.6.1.5.5.7.3.26z1.3.6.1.5.5.7.3.27z1.3.6.1.5.5.7.3.28z1.3.6.1.5.5.7.3.29z1.3.6.1.5.5.7.3.30z1.3.6.1.4.1.311.10.3.1z1.3.6.1.4.1.311.10.3.2z1.3.6.1.4.1.311.10.3.3z1.3.6.1.4.1.311.10.3.3.1z1.3.6.1.4.1.311.10.3.4z1.3.6.1.4.1.311.10.3.4.1z1.3.6.1.4.1.311.10.3.5z1.3.6.1.4.1.311.10.3.6z1.3.6.1.4.1.311.10.3.7z1.3.6.1.4.1.311.10.3.8z1.3.6.1.4.1.311.10.3.9z1.3.6.1.4.1.311.10.3.10z1.3.6.1.4.1.311.10.3.11z1.3.6.1.4.1.311.10.3.12z1.3.6.1.4.1.311.10.3.13z1.3.6.1.4.1.311.10.3.14z1.3.6.1.4.1.311.20.2.2z1.2.840.113635.100.1.2z1.2.840.113635.100.1.3z1.2.840.113635.100.1.4z1.2.840.113635.100.1.5z1.2.840.113635.100.1.6z1.2.840.113635.100.1.7z1.2.840.113635.100.1.8z1.2.840.113635.100.1.9z1.2.840.113635.100.1.10z1.2.840.113635.100.1.11z1.2.840.113635.100.1.12z1.2.840.113635.100.1.13z1.2.840.113635.100.1.14z1.2.840.113635.100.1.15z1.2.840.113635.100.1.16z1.2.840.113635.100.1.17z1.2.840.113635.100.1.18z1.2.840.113635.100.1.20z1.2.840.113635.100.1.21z1.2.840.113635.100.1.22z1.2.840.113635.100.1.23z1.2.840.113635.100.1.24z1.2.840.113635.100.1.25z1.2.840.113635.100.1.26z1.2.840.113635.100.1.27z1.2.840.113635.100.1.28z1.2.840.113635.100.1.29z1.2.840.113625.100.1.30z1.2.840.113625.100.1.31z1.2.840.113625.100.1.32z1.2.840.113635.100.1.33z1.2.840.113635.100.1.34z2.16.840.1.101.3.6.8z2.16.840.1.101.3.6.7z1.3.6.1.5.2.3.4z1.3.6.1.5.2.3.5z1.2.840.113583.1.1.5z2.16.840.1.101.3.8.7N)rNrOrPrr7r7r7r:rusrc@seZdZeZdS)ExtKeyUsageSyntaxN)rNrOrPrrr7r7r7r:rsrc@seZdZdddddZdS) AccessMethodocspZ ca_issuersrZ ca_repository)z1.3.6.1.5.5.7.48.1z1.3.6.1.5.5.7.48.2z1.3.6.1.5.5.7.48.3z1.3.6.1.5.5.7.48.5N)rNrOrPrr7r7r7r:rsrc@seZdZdefdefgZdS)AccessDescription access_methodaccess_locationN)rNrOrPrrMrr7r7r7r:rsrc@seZdZeZdS)AuthorityInfoAccessSyntaxN)rNrOrPrrr7r7r7r:rsrc@seZdZeZdS)SubjectInfoAccessSyntaxN)rNrOrPrrr7r7r7r:rsrc@seZdZeZdS)FeaturesN)rNrOrPrrr7r7r7r:rsrc@seZdZdefdefgZdS)EntrustVersionInfoZ entrust_versZentrust_info_flagsN)rNrOrPrrrr7r7r7r:rsrc @s"eZdZddddddddd Zd S) NetscapeCertificateTypeZ ssl_clientZ ssl_serverZemailZobject_signingZreservedZssl_caZemail_caZobject_signing_ca)rrrmrr|rrrN)rNrOrPrr7r7r7r:r src@seZdZddddZdS)Versionv1Zv2Zv3)rrrmN)rNrOrPrr7r7r7r:rsrc@s"eZdZdefdefdefgZdS)TPMSpecificationrzlevelrevisionN)rNrOrPr-rrr7r7r7r:r src@seZdZeZdS)SetOfTPMSpecificationN)rNrOrPrrr7r7r7r:r(src@s"eZdZdefdefdefgZdS)TCGSpecificationVersionZ major_versionZ minor_versionrN)rNrOrPrrr7r7r7r:r,src@seZdZdefdefgZdS)TCGPlatformSpecificationversionZplatform_classN)rNrOrPrr#rr7r7r7r:r4src@seZdZeZdS)SetOfTCGPlatformSpecificationN)rNrOrPrrr7r7r7r:r;src@seZdZdddddZdS)EKGenerationTypeZinternalZinjectedZinternal_revocableZinjected_revocable)rrrmrN)rNrOrPrr7r7r7r:r?src@seZdZddddZdS)EKGenerationLocationrrek_cert_signer)rrrmN)rNrOrPrr7r7r7r:rHsrc@seZdZddddZdS)EKCertificateGenerationLocationrrr)rrrmN)rNrOrPrr7r7r7r:rPsrc@s eZdZddddddddZd S) EvaluationAssuranceLevellevel1level2level3level4Zlevel5Zlevel6Zlevel7)rrmrr|rrrN)rNrOrPrr7r7r7r:rXsrc@seZdZddddZdS)EvaluationStatusZdesigned_to_meetZevaluation_in_progressZevaluation_completed)rrrmN)rNrOrPrr7r7r7r:rdsrc@seZdZddddZdS)StrengthOfFunctionZbasicZmediumZhigh)rrrmN)rNrOrPrr7r7r7r:rlsrc@s.eZdZdefdeddifdeddifgZdS) URIReferencerRZhash_algorithmrTZ hash_valueN)rNrOrPrrrrr7r7r7r:rts rc @steZdZdefdefdefdeddifdedd d fd ed d d fd e dd d fdedd d fde dd d fg Z dS)CommonCriteriaMeasuresrZassurance_levelZevaluation_statusplusrYFZstrengh_of_functionrT)rrZ profile_oidrZ profile_urlrmZ target_oidrZ target_urir|N) rNrOrPrrrrrr!rrr7r7r7r:r|s rc@seZdZdddddZdS) SecurityLevelrrrr)rrmrr|N)rNrOrPrr7r7r7r:rsrc@s(eZdZdefdefdeddifgZdS) FIPSLevelrrrrYFN)rNrOrPrrrrr7r7r7r:rsrc @seZdZdeddifdeddifdeddd fd ed dd fd ed dd fdeddd fde ddd fdedddfde ddifg Z dS)TPMSecurityAssertionsrrYrZfield_upgradableFZek_generation_typerT)rrZek_generation_locationrZ"ek_certificate_generation_locationrmZcc_inforZ fips_levelr|Ziso_9000_certifiedr)rrYZ iso_9000_urirN) rNrOrPrrrrrrrrrr7r7r7r:rs  rc@seZdZeZdS)SetOfTPMSecurityAssertionsN)rNrOrPrrr7r7r7r:rsrc @s&eZdZddddddddd d d Zd S) SubjectDirectoryAttributeIdsupported_algorithmstpm_specificationtcg_platform_specificationtpm_security_assertionspda_date_of_birthpda_place_of_birth pda_genderpda_country_of_citizenshippda_country_of_residenceZentrust_user_role) z2.5.4.52z 2.23.133.2.16z 2.23.133.2.17z 2.23.133.2.18z1.3.6.1.5.5.7.9.1z1.3.6.1.5.5.7.9.2z1.3.6.1.5.5.7.9.3z1.3.6.1.5.5.7.9.4z1.3.6.1.5.5.7.9.5z1.2.840.113533.7.68.29N)rNrOrPrr7r7r7r:rsrc@seZdZeZdS)SetOfGeneralizedTimeN)rNrOrPrrr7r7r7r:rsrc@seZdZeZdS)SetOfDirectoryStringN)rNrOrPrrr7r7r7r:rsrc@seZdZeZdS)SetOfPrintableStringN)rNrOrPr%rr7r7r7r:rsrc@s2eZdZdefdedddfdedddfgZdS) SupportedAlgorithmZalgorithm_identifierZintended_usagerT)rrZintended_certificate_policiesrN)rNrOrPrrr~rr7r7r7r:rsrc@seZdZeZdS)SetOfSupportedAlgorithmN)rNrOrPrrr7r7r7r:rsrc @sHeZdZdefdefgZdZeee e e e e e e d ZddZdeiZdS)SubjectDirectoryAttributerr) rrrrrrrrrcCs"|dj}||jkr|j|StS)Nr)rRrr))r8Ztype_r7r7r: _values_specs   z&SubjectDirectoryAttribute._values_specN)rr)rNrOrPrrrrrrrrrrrrrZ_spec_callbacksr7r7r7r:rs rc@seZdZeZdS)SubjectDirectoryAttributesN)rNrOrPrrr7r7r7r:rsrc@s@eZdZddddddddd d d d d dddddddddddZdS) ExtensionIdsubject_directory_attributesr\ key_usageprivate_key_usage_periodsubject_alt_nameissuer_alt_namebasic_constraintsname_constraintscrl_distribution_pointscertificate_policiespolicy_mappingsauthority_key_identifierpolicy_constraintsextended_key_usage freshest_crlinhibit_any_policyauthority_information_accesssubject_information_access tls_feature ocsp_no_checkentrust_version_extensionnetscape_certificate_type!signed_certificate_timestamp_list)z2.5.29.9z 2.5.29.14z 2.5.29.15z 2.5.29.16z 2.5.29.17z 2.5.29.18z 2.5.29.19z 2.5.29.30z 2.5.29.31z 2.5.29.32z 2.5.29.33z 2.5.29.35z 2.5.29.36z 2.5.29.37z 2.5.29.46z 2.5.29.54z1.3.6.1.5.5.7.1.1z1.3.6.1.5.5.7.1.11z1.3.6.1.5.5.7.1.24z1.3.6.1.5.5.7.48.1.5z1.2.840.113533.7.65.0z2.16.840.1.113730.1.1z1.3.6.1.4.1.11129.2.4.2N)rNrOrPrr7r7r7r:rs.rc@s`eZdZdefdeddifdefgZdZee e e e e e eeeeeeeeeeeeeeee dZdS) Extensionextn_idcriticalrYF extn_value)rr\rrrrrrrrrrrrrrrrrrrrrN)rr)rNrOrPrrr$rrrr#rrrTrWrfrpr~rr[rrrrrrrrrrr7r7r7r:rs6  rc@seZdZeZdS) ExtensionsN)rNrOrPrrr7r7r7r:r;src@sleZdZdedddfdefdefdefdefd efd efd e d d dfde dd dfde dd dfg Z dS)TbsCertificaterrr)rrYr signatureissuerZvaliditysubjectsubject_public_key_infoZissuer_unique_idrT)rrZsubject_unique_idrm extensionsr)rrN) rNrOrPrrrrrVr0r"rrr7r7r7r:r?src@seZdZdefdefdefgZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&ddZ'e(dd Z)e(d d Z*e(d d Z+e(ddZ,e(ddZ-e(ddZ.e(ddZ/e(ddZ0e(ddZ1e(ddZ2e(ddZ3e(ddZ4e(d d!Z5e(d"d#Z6e(d$d%Z7e(d&d'Z8e(d(d)Z9e(d*d+Z:e(d,d-Z;e(d.d/Ze(d4d5Z?e(d6d7Z@e(d8d9ZAe(d:d;ZBe(dd?ZDe(d@dAZEe(dBdCZFe(dDdEZGe(dFdGZHe(dHdIZIe(dJdKZJdLdMZKe(dNdOZLe(dPdQZMe(dRdSZNe(dTdUZOe(dVdWZPe(dXdYZQe(dZd[ZRe(d\d]ZSe(d^d_ZTe(d`daZUe(dbdcZVdddeZWdfdgZXdhdiZYdS)j Certificatetbs_certificatesignature_algorithmsignature_valueFNcCslt|_xX|ddD]H}|dj}d|}t||rHt|||dj|djr|jj|qWd|_dS) zv Sets common named extensions to private attributes and creates a list of critical extensions rrrz _%s_valuerrTN)rM_critical_extensionsrRhasattrsetattrZparsedadd_processed_extensions)r8 extensionrrr7r7r:_set_extensionsvs   zCertificate._set_extensionscCs|js|j|jS)z Returns a set of the names (or OID if not a known extension) of the extensions marked as critical :return: A set of unicode strings )rrr)r8r7r7r:critical_extensionss zCertificate.critical_extensionscCs|js|j|jS)z This extension is used to constrain the period over which the subject private key may be used :return: None or a PrivateKeyUsagePeriod object )rr_private_key_usage_period_value)r8r7r7r:private_key_usage_period_values z*Certificate.private_key_usage_period_valuecCs|js|j|jS)z This extension is used to contain additional identification attributes about the subject. :return: None or a SubjectDirectoryAttributes object )rr_subject_directory_attributes)r8r7r7r:"subject_directory_attributes_values z.Certificate.subject_directory_attributes_valuecCs|js|j|jS)z This extension is used to help in creating certificate validation paths. It contains an identifier that should generally, but is not guaranteed to, be unique. :return: None or an OctetString object )rr_key_identifier_value)r8r7r7r:key_identifier_values z Certificate.key_identifier_valuecCs|js|j|jS)z This extension is used to define the purpose of the public key contained within the certificate. :return: None or a KeyUsage )rr_key_usage_value)r8r7r7r:key_usage_values zCertificate.key_usage_valuecCs|js|j|jS)aT This extension allows for additional names to be associate with the subject of the certificate. While it may contain a whole host of possible names, it is usually used to allow certificates to be used with multiple different domain names. :return: None or a GeneralNames object )rr_subject_alt_name_value)r8r7r7r:subject_alt_name_values z"Certificate.subject_alt_name_valuecCs|js|j|jS)z This extension allows associating one or more alternative names with the issuer of the certificate. :return: None or an x509.GeneralNames object )rr_issuer_alt_name_value)r8r7r7r:issuer_alt_name_values z!Certificate.issuer_alt_name_valuecCs|js|j|jS)a' This extension is used to determine if the subject of the certificate is a CA, and if so, what the maximum number of intermediate CA certs after this are, before an end-entity certificate is found. :return: None or a BasicConstraints object )rr_basic_constraints_value)r8r7r7r:basic_constraints_values z#Certificate.basic_constraints_valuecCs|js|j|jS)z This extension is used in CA certificates, and is used to limit the possible names of certificates issued. :return: None or a NameConstraints object )rr_name_constraints_value)r8r7r7r:name_constraints_values z"Certificate.name_constraints_valuecCs|js|j|jS)z This extension is used to help in locating the CRL for this certificate. :return: None or a CRLDistributionPoints object extension )rr_crl_distribution_points_value)r8r7r7r:crl_distribution_points_value s z)Certificate.crl_distribution_points_valuecCs|js|j|jS)a; This extension defines policies in CA certificates under which certificates may be issued. In end-entity certificates, the inclusion of a policy indicates the issuance of the certificate follows the policy. :return: None or a CertificatePolicies object )rr_certificate_policies_value)r8r7r7r:certificate_policies_value s z&Certificate.certificate_policies_valuecCs|js|j|jS)z This extension allows mapping policy OIDs to other OIDs. This is used to allow different policies to be treated as equivalent in the process of validation. :return: None or a PolicyMappings object )rr_policy_mappings_value)r8r7r7r:policy_mappings_value( s z!Certificate.policy_mappings_valuecCs|js|j|jS)z This extension helps in identifying the public key with which to validate the authenticity of the certificate. :return: None or an AuthorityKeyIdentifier object )rr_authority_key_identifier_value)r8r7r7r:authority_key_identifier_value7 s z*Certificate.authority_key_identifier_valuecCs|js|j|jS)z This extension is used to control if policy mapping is allowed and when policies are required. :return: None or a PolicyConstraints object )rr_policy_constraints_value)r8r7r7r:policy_constraints_valueE s z$Certificate.policy_constraints_valuecCs|js|j|jS)z This extension is used to help locate any available delta CRLs :return: None or an CRLDistributionPoints object )rr_freshest_crl_value)r8r7r7r:freshest_crl_valueS s zCertificate.freshest_crl_valuecCs|js|j|jS)z This extension is used to prevent mapping of the any policy to specific requirements :return: None or a Integer object )rr_inhibit_any_policy_value)r8r7r7r:inhibit_any_policy_value` s z$Certificate.inhibit_any_policy_valuecCs|js|j|jS)z This extension is used to define additional purposes for the public key beyond what is contained in the basic constraints. :return: None or an ExtKeyUsageSyntax object )rr_extended_key_usage_value)r8r7r7r:extended_key_usage_valuen s z$Certificate.extended_key_usage_valuecCs|js|j|jS)z This extension is used to locate the CA certificate used to sign this certificate, or the OCSP responder for this certificate. :return: None or an AuthorityInfoAccessSyntax object )rr#_authority_information_access_value)r8r7r7r:"authority_information_access_value| s z.Certificate.authority_information_access_valuecCs|js|j|jS)z This extension is used to access information about the subject of this certificate. :return: None or a SubjectInfoAccessSyntax object )rr!_subject_information_access_value)r8r7r7r: subject_information_access_value s z,Certificate.subject_information_access_valuecCs|js|j|jS)z This extension is used to list the TLS features a server must respond with if a client initiates a request supporting them. :return: None or a Features object )rr_tls_feature_value)r8r7r7r:tls_feature_value s zCertificate.tls_feature_valuecCs|js|j|jS)a- This extension is used on certificates of OCSP responders, indicating that revocation information for the certificate should never need to be verified, thus preventing possible loops in path validation. :return: None or a Null object (if present) )rr_ocsp_no_check_value)r8r7r7r:ocsp_no_check_value s zCertificate.ocsp_no_check_valuecCs |djS)zE :return: A byte string of the signature r)rR)r8r7r7r:r szCertificate.signaturecCs |djS)zj :return: A unicode string of "rsassa_pkcs1v15", "rsassa_pss", "dsa", "ecdsa" r)signature_algo)r8r7r7r:r szCertificate.signature_algocCs |djS)z :return: A unicode string of "md2", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256" r) hash_algo)r8r7r7r:r szCertificate.hash_algocCs |ddS)zT :return: The PublicKeyInfo object for this certificate rrr7)r8r7r7r: public_key szCertificate.public_keycCs |ddS)zZ :return: The Name object for the subject of this certificate rrr7)r8r7r7r:r szCertificate.subjectcCs |ddS)zY :return: The Name object for the issuer of this certificate rrr7)r8r7r7r:r szCertificate.issuercCs|ddjS)zT :return: An integer of the certificate's serial number rr)rR)r8r7r7r:r szCertificate.serial_numbercCs|js dS|jjS)z :return: None or a byte string of the certificate's key identifier from the key identifier extension N)rrR)r8r7r7r:r\ szCertificate.key_identifiercCs.|jdkr(|jjdt|jjd|_|jS)z :return: A byte string of the SHA-256 hash of the issuer concatenated with the ascii character ":", concatenated with the serial number as an ascii string N:rY)_issuer_serialrrrrrE)r8r7r7r: issuer_serial s zCertificate.issuer_serialcCs|js dS|jdjS)z :return: None or a byte string of the key_identifier from the authority key identifier extension Nr\)rrR)r8r7r7r:r sz$Certificate.authority_key_identifiercCsj|jdkrd|j}|r^|djr^|jddj}|j}|jdj}|jdt|jd|_nd|_|jS)a; :return: None or a byte string of the SHA-256 hash of the isser from the authority key identifier extension concatenated with the ascii character ":", concatenated with the serial number from the authority key identifier extension as an ascii string Fr]rr^rrYN)_authority_issuer_serialrrRrZuntagrrrE)r8ZakivrZauthority_serialr7r7r:authority_issuer_serial s  z#Certificate.authority_issuer_serialcCs|jdkr|j|j|_|jS)z Returns complete CRL URLs - does not include delta CRLs :return: A list of zero or more DistributionPoint objects N)_crl_distribution_points!_get_http_crl_distribution_pointsr)r8r7r7r:r2 s z#Certificate.crl_distribution_pointscCs|jdkr|j|j|_|jS)z Returns delta CRL URLs - does not include complete CRLs :return: A list of zero or more DistributionPoint objects N)_delta_crl_distribution_pointsrr)r8r7r7r:delta_crl_distribution_points? s z)Certificate.delta_crl_distribution_pointscCsdg}|dkrgSxN|D]F}|d}|tkr,q|jdkr8qx"|jD]}|jdkr@|j|q@WqW|S)a? Fetches the DistributionPoint object for non-relative, HTTP CRLs referenced by the certificate :param crl_distribution_points: A CRLDistributionPoints object to grab the DistributionPoints from :return: A list of zero or more DistributionPoint objects NrhrarR)r/rrr)r8rrrhZdistribution_point_namernr7r7r:rL s     z-Certificate._get_http_crl_distribution_pointscCsb|js gSg}xN|jD]D}|djdkr|d}|jdkrrDr)r8rentrylocationror7r7r: ocsp_urlsk s  zCertificate.ocsp_urlscCs|jdkrg|_|jrLx|jD](}|jdkr|j|jkr|jj|jqWnXtjd}xL|jjD]@}x:|D]2}|djdkrj|dj}|j |rj|jj|qjWq`W|jS)z :return: A list of unicode strings of valid domain names for the certificate. Wildcard certificates will have a domain in the form: *.example.com NrOzE^(\*\.)?(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$rrrK) _valid_domainsrrrRrrcompilerrmatch)r8rnpatternrZname_type_valuerKr7r7r: valid_domains s      zCertificate.valid_domainscCsD|jdkr>g|_|jr>x&|jD]}|jdkr|jj|jqW|jS)zj :return: A list of unicode strings of valid IP addresses for the certificate NrS) _valid_ipsrrrrR)r8rnr7r7r: valid_ips s   zCertificate.valid_ipscCs|jo|jdjS)zW :return; A boolean - if the certificate is marked as a CA rX)rrR)r8r7r7r:rX szCertificate.cacCs|js dS|jdjS)zT :return; None or an integer of the maximum path length NrZ)rXrrR)r8r7r7r:max_path_length szCertificate.max_path_lengthcCs|jdkr|j|jk|_|jS)zx :return: A boolean - if the certificate is self-issued, as defined by RFC 5280 N) _self_issuedrr)r8r7r7r: self_issued s zCertificate.self_issuedcCsJ|jdkrDd|_|jrD|jr>|js*d|_qD|j|jkrDd|_nd|_|jS)a :return: A unicode string of "no" or "maybe". The "maybe" result will be returned if the certificate issuer and subject are the same. If a key identifier and authority key identifier are present, they will need to match otherwise "no" will be returned. To verify is a certificate is truly self-signed, the signature will need to be verified. See the certvalidator package for one possible solution. Nnomaybe) _self_signedr/r\r)r8r7r7r: self_signed s  zCertificate.self_signedcCs$|jdkrtj|jj|_|jS)zk :return: The SHA-1 hash of the DER-encoded bytes of this complete certificate N)rrrrr)r8r7r7r:r s zCertificate.sha1cCsdjddt|jDS)z :return: A unicode string of the SHA-1 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdS)z%02XNr7)rcr7r7r:r sz/Certificate.sha1_fingerprint..)rrr)r8r7r7r:sha1_fingerprint szCertificate.sha1_fingerprintcCs$|jdkrtj|jj|_|jS)zy :return: The SHA-256 hash of the DER-encoded bytes of this complete certificate N)rrrrr)r8r7r7r:r s zCertificate.sha256cCsdjddt|jDS)z :return: A unicode string of the SHA-256 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdS)z%02XNr7)rr4r7r7r:r sz1Certificate.sha256_fingerprint..)rrr)r8r7r7r:sha256_fingerprint szCertificate.sha256_fingerprintcCsPt|tsttdt||jdjdj}|jdd k}| oNt j d|}| oZ| }|r|j sjdS|j d}xh|j D]^}|jdjdj}|j d} t | t |krq|| |krd S|j|} | r||j|| r|d Sq|WdS|jsdS|rtjntj} t| |} xD|jD]:} | jdd kr(tjntj}t|| }|| krd SqWdS) a Check if a domain name or IP address is valid according to the certificate :param domain_ip: A unicode string of a domain name or IP address :return: A boolean - if the domain or IP is valid for the certificate zL domain_ip must be a unicode string, not %s rrYrhrz^\d+\.\d+\.\d+\.\d+$Fr@Tr[r[)r<rrCr r rEr`r>r\rr(r*rpru_is_wildcard_domain_is_wildcard_matchr,rrrtrsr4)r8Z domain_ipZencoded_domain_ipZis_ipv6Zis_ipv4Z is_domain domain_labelsZ valid_domainZencoded_valid_domainvalid_domain_labelsZ is_wildcardrzZ normalized_ipZvalid_ipZ valid_familyZnormalized_valid_ipr7r7r:is_valid_domain_ip sB            zCertificate.is_valid_domain_ipcCsZ|jddkrdS|jjd}|s(dS|djdd kr>dS|ddddkrVdSdS) af Checks if a domain is a valid wildcard according to https://tools.ietf.org/html/rfc6125#section-6.4.3 :param domain: A unicode string of the domain name, where any U-labels from an IDN have been converted to A-labels :return: A boolean - if the domain is a valid wildcard domain *rFr@rr|zxn--Tr[)countr>rpr\)r8ZdomainZlabelsr7r7r:r7\ szCertificate._is_wildcard_domaincCsl|d}|dd}|d}|dd}||kr4dS|dkr@dStjd|jddd }|j|rhdSdS) a Determines if the labels in a domain are a match for labels from a wildcard valid domain name :param domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in the domain name to check :param valid_domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in a wildcard domain pattern :return: A boolean - if the domain matches the valid domain rrNFr<T^z.*$)rr'rr()r8r9r:Zfirst_domain_labelZother_domain_labelsZwildcard_labelZother_valid_domain_labelsZwildcard_regexr7r7r:r8} s   zCertificate._is_wildcard_match)ZrNrOrPrrr"rrrrrrrrrrrrrrrrrr r r rrrrrrrr&r+r.r2rrrrarrrrrrrrrrrrrrrrr r rrrrrrrrrrr\rrrrrrr%r*r,rXr-r/r3rr5rr6r;r7r8r7r7r7r:rNs                         #   B!rc@seZdZeZdS)KeyPurposeIdentifiersN)rNrOrPrrr7r7r7r:r@ sr@c@seZdZeZdS)SequenceOfAlgorithmIdentifiersN)rNrOrPrrr7r7r7r:rA srAc @sPeZdZdeddifdedddfdeddifdeddifd ed ddfgZd S) CertificateAuxZtrustrTZrejectr)rraliasZkeyidr9rN)rNrOrPr@r-r#rArr7r7r7r:rB s    rBc@seZdZeegZdS)TrustedCertificateN)rNrOrPrrBZ _child_specsr7r7r7r:rD srD)rZ __future__rrrr contextlibrZ encodingsrrrrrrrrZ_errorsr Z_irir r Z _ordereddictr Z_typesr rrZalgosrrrrZcorerrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/rr0utilr1r2r3r4r5rQrUrcrrrrrrrrrrrrrr rrrrrrrrrrrrrrrrr r!r"r#r$r%rGrJrKrLrMrTrUrVrWr[r_rbrcrerfrgrprqrrrsrtrurxr{r|r}r~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr@rArBrDr7r7r7r:s    x 59l  AU*D      "2%  n     #_