B M]l@stdZddlmZmZmZmZddlmZddlm Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdd lmZdd lmZmZmZdd lmZmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?m@Z@mAZAmBZBmCZCGddde*ZDGddde*ZEGddde*ZFGddde0ZGGddde3ZHGddde4ZIGddde"ZJGddde3ZKGdd d e7ZLed!d"ZMGd#d$d$e%ZNGd%d&d&e.ZOGd'd(d(e3ZPGd)d*d*e6ZQGd+d,d,e4ZRGd-d.d.e%ZSGd/d0d0e3ZTGd1d2d2e%ZUGd3d4d4e%ZVGd5d6d6e%ZWGd7d8d8e5ZXGd9d:d:e5ZYGd;d<dd>e4Z[Gd?d@d@e3Z\GdAdBdBe3Z]GdCdDdDe4Z^GdEdFdFe3Z_GdGdHdHe4Z`GdIdJdJe%ZaGdKdLdLe%ZbGdMdNdNe5ZcGdOdPdPe4ZdGdQdRdRe5ZeGdSdTdTe3ZfGdUdVdVe6ZgGdWdXdXe3ZhGdYdZdZe%ZiGd[d\d\e+ZjGd]d^d^e+ZkGd_d`d`e3ZlGdadbdbe4ZmGdcdddde3ZnGdedfdfe3ZoGdgdhdhe%ZpGdidjdje4ZqGdkdldle%ZrGdmdndne3ZsGdodpdpe3ZtGdqdrdre3ZuGdsdtdte%ZvGdudvdve"ZwGdwdxdxe3ZxGdydzdze4ZyGd{d|d|e3ZzGd}d~d~e3Z{Gddde4Z|Gddde%Z}Gddde4Z~Gddde3ZGddde3ZGddde.ZGddde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde4ZGddde3ZGddde.ZGddde4ZGddde.ZGddde3ZGddde4ZGddde4ZGddde4ZGddde3ZGddde"ZGddde+ZGddde3ZGddde6ZGddde3ZGddde3ZGddde6ZGddde'ZGddde'ZGddde'ZGddde'ZGdd„de'ZGddĄde'ZGddƄde3ZGddȄde3ZGddʄde'ZGdd̄de3ZGdd΄de3ZGddЄde6ZGdd҄de.ZGddԄde6ZGddքde6ZGdd؄de6ZGddڄde3ZGdd܄de6ZGddބde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde3ZGddde4ZGddde4ZGddde3ZGddde&ZdS)z ASN.1 type classes for X.509 certificates. Exports the following items: - Attributes() - Certificate() - Extensions() - GeneralName() - GeneralNames() - Name() Other type classes are defined that help compose the types listed above. )unicode_literalsdivisionabsolute_importprint_function)contextmanager)idnaN)unwrap) iri_to_uri uri_to_iri) OrderedDict) type_namestr_cls bytes_to_list)AlgorithmIdentifierAnyAlgorithmIdentifierDigestAlgorithmSignedDigestAlgorithm)Any BitString BMPStringBooleanChoiceConcat EnumeratedGeneralizedTime GeneralString IA5StringIntegerNull NumericStringObjectIdentifierOctetBitString OctetStringParsableOctetStringPrintableStringSequence SequenceOfSetSetOf TeletexStringUniversalStringUTCTime UTF8String VisibleStringVOID) PublicKeyInfo) int_to_bytesint_from_bytes inet_ntop inet_ptonc@s,eZdZdZdZddZddZddZd S) DNSNamer) cCs ||k S)N)selfotherr8r8.lib/python3.7/site-packages/asn1crypto/x509.py__ne__LszDNSName.__ne__cCs&t|tsdS||kS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.2 :param other: Another DNSName object :return: A boolean F) isinstancer5 __unicode__lower)r9r:r8r8r;__eq__Os zDNSName.__eq__cCsxt|ts"ttdt|t||drFd|dd|j}n ||j}||_||_ d|_ |j dkrtd|_ dS)zd Sets the value of the DNS name :param value: A unicode string zK %s value must be a unicode string, not %s ..rN) r=r TypeErrorr r startswithencode _encoding_unicodecontents_header_trailer)r9value encoded_valuer8r8r;set_s     z DNSName.setN)__name__ __module__ __qualname__rG_bad_tagr<r@rNr8r8r8r;r5Gs r5c@s,eZdZddZddZddZddZd S) URIcCsLt|ts"ttdt|t|||_t||_d|_|j dkrHd|_ dS)zb Sets the value of the string :param value: A unicode string zK %s value must be a unicode string, not %s NrC) r=rrDr r rHr rIrJrK)r9rLr8r8r;rN~s    zURI.setcCs ||k S)Nr8)r9r:r8r8r;r<sz URI.__ne__cCs&t|tsdSt|jdt|jdkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.4 :param other: Another URI object :return: A boolean FT)r=rSr native)r9r:r8r8r;r@s z URI.__eq__cCs,|jdkrdS|jdkr&t||_|jS)z7 :return: A unicode string N)rIrHr _merge_chunks)r9r8r8r;r>s   zURI.__unicode__N)rOrPrQrNr<r@r>r8r8r8r;rS|srSc@sReZdZdZdZdZeddZejddZddZ d d Z d d Z d dZ dS) EmailAddressNF)r6r7cCs|jS)z` :return: A byte string of the DER-encoded contents of the sequence ) _contents)r9r8r8r;rIszEmailAddress.contentscCsd|_||_dS)ze :param value: A byte string of the DER-encoded contents of the sequence FN) _normalizedrX)r9rLr8r8r;rIscCst|ts"ttdt|t||ddkrZ|dd\}}|dd|d}n |d}d|_||_ ||_ d |_ |j d krd |_ d S) zb Sets the value of the string :param value: A unicode string zK %s value must be a unicode string, not %s @rascii@rTNrC) r=rrDr r findrsplitrFrYrHrIrJrK)r9rLmailboxhostnamerMr8r8r;rNs    zEmailAddress.setcCs^|jdkrX|}|ddkr.|d|_n*|dd\}}|dd|d|_|jS)z7 :return: A unicode string Nr]r[cp1252rrZr)rHrVr^decoder_)r9rIr`rar8r8r;r>s zEmailAddress.__unicode__cCs ||k S)Nr8)r9r:r8r8r;r<szEmailAddress.__ne__cCst|tsdS|js ||j|js2||j|jddksR|jddkr^|j|jkS|jdd\}}|jdd\}}||krdS||krdSdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.5 :param other: Another EmailAddress object :return: A boolean Fr]r[rT) r=rWrYrNrTrXr^r_r?)r9r:Z other_mailboxZother_hostnamer`rar8r8r;r@s     zEmailAddress.__eq__) rOrPrQrXrYrRpropertyrIsetterrNr>r<r@r8r8r8r;rWs  rWc@s:eZdZd ddZddZeddZdd Zd d ZdS) IPAddressNcCsttddS)z? This method is not applicable to IP addresses z= IP address values can not be parsed N) ValueErrorr )r9specZ spec_paramsr8r8r;parse'szIPAddress.parsec CsTt|ts"ttdt|t||}|ddk}d}|rv|dd}|d}t|d}|dkrvttdt||ddkrt j }|dkrttd t|d}n$t j }|d krttd t|d }d }|rd |} | d|t | 7} t t| d}d|dt ||}||_t||||_|j|_d|_|jd krPd |_dS)z Sets the value of the object :param value: A unicode string containing an IPv4 address, IPv4 address with CIDR, an IPv6 address or IPv6 address with CIDR zK %s value must be a unicode string, not %s /r[rrzT %s value contains a CIDR range less than 0 :z %s value contains a CIDR range bigger than 128, the maximum value for an IPv6 address z %s value contains a CIDR range bigger than 32, the maximum value for an IPv4 address rC10N)r=rrDr r r^splitintrgsocketAF_INET6AF_INETlenr1_nativer4rIZ_bytesrJrK) r9rLoriginal_valueZhas_cidrcidrpartsfamilyZ cidr_sizeZ cidr_bytesZ cidr_maskr8r8r;rN2sR        z IPAddress.setcCs|jdkrdS|jdkr|}t|}d}d}|tddgkrnttj|dd}|dkrt|dd}n<|tddgkrttj |dd}|dkrt|dd}|dk rd |}t| d}|d t |}||_|jS) z The native Python datatype representation of this value :return: A unicode string or None Nrmrrrz{0:b}rorj) rIry __bytes__rxrNr3rurvr2rwformatrstripr)r9Z byte_stringZbyte_lenrLZcidr_intZ cidr_bitsr{r8r8r;rTys*   zIPAddress.nativecCs ||k S)Nr8)r9r:r8r8r;r<szIPAddress.__ne__cCst|tsdS||kS)zl :param other: Another IPAddress object :return: A boolean F)r=rfr)r9r:r8r8r;r@s zIPAddress.__eq__)NN) rOrPrQrirNrdrTr<r@r8r8r8r;rf&s  G rfc@s"eZdZdefdedeifgZdS) AttributetypevaluesrhN)rOrPrQr!r)r_fieldsr8r8r8r;rsrc@seZdZeZdS) AttributesN)rOrPrQr _child_specr8r8r8r;rsrc @s$eZdZddddddddd d Zd S) KeyUsageZdigital_signatureZnon_repudiationZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_only) rrrprrrN)rOrPrQ_mapr8r8r8r;rsrc@s,eZdZdedddfdedddfgZdS)PrivateKeyUsagePeriod not_beforerT)implicitoptional not_afterrN)rOrPrQrrr8r8r8r;rsrc@seZdZdZdZddZdS)NotReallyTeletexStringa6 OpenSSL (and probably some other libraries) puts ISO-8859-1 into TeletexString instead of ITU T.61. We use Windows-1252 when decoding since it is a superset of ISO-8859-1, and less likely to cause encoding issues, but we stay strict with encoding to prevent us from creating bad data. rbcCs0|jdkrdS|jdkr*||j|_|jS)z7 :return: A unicode string NrU)rIrHrVrc_decoding_encoding)r9r8r8r;r>s   z"NotReallyTeletexString.__unicode__N)rOrPrQ__doc__rr>r8r8r8r;rsrccszdt_dVWddt_XdS)Nteletexrb)rrr8r8r8r;strict_teletexs rc@s4eZdZdefdefdefdefdefdefgZ dS)DirectoryStringteletex_stringprintable_stringZuniversal_string utf8_string bmp_string ia5_stringN) rOrPrQrr%r+r-rr _alternativesr8r8r8r;rs rc#@seZdZddddddddd d d d d ddddddddddddddddddd d!d"d#"Zdddd ddd ddddd d dd dddddddd dd!d"dddddddg!Zed$d%Zed&d'Zd(S))NameType common_namesurname serial_number country_name locality_namestate_or_province_namestreet_addressorganization_nameorganizational_unit_nametitlebusiness_category postal_codetelephone_numbername given_nameinitialsgeneration_qualifierunique_identifier dn_qualifier pseudonymorganization_identifiertpm_manufacturer tpm_model tpm_versionplatform_manufacturerplatform_modelplatform_version email_addressincorporation_localityincorporation_state_or_provinceincorporation_countryuser_iddomain_componentname_distinguisher)"z2.5.4.3z2.5.4.4z2.5.4.5z2.5.4.6z2.5.4.7z2.5.4.8z2.5.4.9z2.5.4.10z2.5.4.11z2.5.4.12z2.5.4.15z2.5.4.17z2.5.4.20z2.5.4.41z2.5.4.42z2.5.4.43z2.5.4.44z2.5.4.45z2.5.4.46z2.5.4.65z2.5.4.97z 2.23.133.2.1z 2.23.133.2.2z 2.23.133.2.3z 2.23.133.2.4z 2.23.133.2.5z 2.23.133.2.6z1.2.840.113549.1.9.1z1.3.6.1.4.1.311.60.2.1.1z1.3.6.1.4.1.311.60.2.1.2z1.3.6.1.4.1.311.60.2.1.3z0.9.2342.19200300.100.1.1z0.9.2342.19200300.100.1.25z0.2.262.1.10.7.20cCs4||}||jkr"|j|}n t|j}||fS)z Returns an ordering value for a particular attribute key. Unrecognized attributes and OIDs will be sorted lexically at the end. :return: An orderable value. )mappreferred_orderindexrx)clsZ attr_nameZordinalr8r8r;preferred_ordinalKs   zNameType.preferred_ordinalc#CsVddddddddd d d d d ddddddddddddddddddd d!d"d#"|j|jS)$zZ :return: A human-friendly unicode string to display to users z Common NameZSurnamez Serial NumberCountryZLocalityzState/ProvincezStreet AddressZ OrganizationzOrganizational UnitZTitlezBusiness Categoryz Postal CodezTelephone NumberNamez Given NameZInitialszGeneration QualifierzUnique Identifierz DN QualifierZ Pseudonymz Email AddresszIncorporation LocalityzIncorporation State/ProvincezIncorporation CountryzDomain ComponentzName DistinguisherzOrganization IdentifierzTPM Manufacturerz TPM Modelz TPM VersionzPlatform ManufacturerzPlatform ModelzPlatform VersionzUser ID)"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr)getrT)r9r8r8r;human_friendly_sFzNameType.human_friendlyN) rOrPrQrr classmethodrrdrr8r8r8r;rs rc#@seZdZdefdefgZdZeeeeeeeeeeeeeeeeee eee eeee eee e e e e e ed"Z dZeddZdd Zd d Zd d ZdS)NameTypeAndValuerrL)rrL)"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrNcCs"|jdkr||dj|_|jS)z Returns the value after being processed by the internationalized string preparation as specified by RFC 5280 :return: A unicode string NrL)_prepped_ldap_string_preprT)r9r8r8r; prepped_values zNameTypeAndValue.prepped_valuecCs ||k S)Nr8)r9r:r8r8r;r<szNameTypeAndValue.__ne__cCs2t|tsdS|dj|djkr&dS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another NameTypeAndValue object :return: A boolean Fr)r=rrTr)r9r:r8r8r;r@s zNameTypeAndValue.__eq__cCstdd|}tdd|}tjdkr6tdd|}ntdd|}tdd|}|d d}td d|}dttj|}t d |}x|D]}t |rt t d t|rt t d t|rt t dt|rt t dt|rt t d|dkrt t dqWd}d}x0|D](}t|r@d}nt|r*d}q*W|rt|d}t|d}|s|r|st t ddtdd|d}|S)a" Implements the internationalized string preparation algorithm from RFC 4518. https://tools.ietf.org/html/rfc4518#section-2 :param string: A unicode string to prepare :return: A prepared unicode string, ready for comparison u[­᠆͏᠋-᠍️-＀]+rUu [ …] iu[-]|[-]|󠀁u[𝅳-𝅺󠀠-󠁿󠀁]u?[---„†-Ÿ۝܏᠎‌-‏‪-‮⁠-⁣--]+u​u[   - 
-
   ]ZNFKCzc X.509 Name objects may not contain unassigned code points z X.509 Name objects may not contain change display or zzzzdeprecated characters zc X.509 Name objects may not contain private use characters zf X.509 Name objects may not contain non-character code points zb X.509 Name objects may not contain surrogate code points u�zf X.509 Name objects may not contain the replacement character FTrr[z{ X.509 Name object contains a malformed bidirectional sequence z +z )resubsys maxunicodereplacejoinr stringprepZ map_table_b2 unicodedataZ normalizeZ in_table_a1rgr Z in_table_c8Z in_table_c3Z in_table_c4Z in_table_c5Z in_table_d1Z in_table_d2strip)r9stringcharZhas_r_and_al_catZ has_l_catZfirst_is_r_and_alZlast_is_r_and_alr8r8r;rs^               z"NameTypeAndValue._ldap_string_prep)rOrPrQrrr _oid_pairrr%r"rWr5r- _oid_specsrrdrr<r@rr8r8r8r;rsT  rc@s<eZdZeZeddZddZddZddZ d d Z d S) RelativeDistinguishedNamecCsDg}||}x*t|D]}|d|||fqWd|S)zb :return: A unicode string that can be used as a dict key or in a set z%s: %s) _get_valuessortedkeysappendr)r9outputrkeyr8r8r;hashablePs  z"RelativeDistinguishedName.hashablecCs ||k S)Nr8)r9r:r8r8r;r<`sz RelativeDistinguishedName.__ne__cCs|t|tsdSt|t|kr"dS||}||}||krBdS||}||}x |D]}||||kr\dSq\WdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RelativeDistinguishedName object :return: A boolean FT)r=rrx _get_typesr)r9r:Z self_typesZ other_typesZ self_valuesZ other_valuesZ type_name_r8r8r;r@cs      z RelativeDistinguishedName.__eq__cCstdd|DS)z Returns a set of types contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A set object with unicode strings of NameTypeAndValue type field values cSsg|]}|djqS)r)rT).0ntvr8r8r; sz8RelativeDistinguishedName._get_types..)rN)r9rdnr8r8r;rs z$RelativeDistinguishedName._get_typescsifdd|DS)a$ Returns a dict of prepped values contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A dict object with unicode strings of NameTypeAndValue value field values that have been prepped for comparison cs$g|]}|dj|jfgqS)r)updaterTr)rr)rr8r;rsz9RelativeDistinguishedName._get_values..r8)r9rr8)rr;rs z%RelativeDistinguishedName._get_valuesN) rOrPrQrrrdrr<r@rrr8r8r8r;rMs   rc@s,eZdZeZeddZddZddZdS) RDNSequencecCsddd|DS)zb :return: A unicode string that can be used as a dict key or in a set css|] }|jVqdS)N)r)rrr8r8r; sz'RDNSequence.hashable..)r)r9r8r8r;rs zRDNSequence.hashablecCs ||k S)Nr8)r9r:r8r8r;r<szRDNSequence.__ne__cCsLt|tsdSt|t|kr"dSx$t|D]\}}|||kr,dSq,WdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RDNSequence object :return: A boolean FT)r=rrx enumerate)r9r:rZself_rdnr8r8r;r@s  zRDNSequence.__eq__N) rOrPrQrrrdrr<r@r8r8r8r;rs rc@seZdZdefgZdZdZdZedddZ e ddZ dd Z d d Z d d Ze ddZe ddZddZe ddZe ddZdS)rrUNFc Csg}|sd}t}nd}t}tt|ddd}x|D]\}}t|}|dkr`t|}nF|dkrrt|}n4|t dd d gkrt dt|d }nt |||d }| t t ||d gqrCzName.build..)rrrrrr)rrL)rrLrU)r-r%r ritemsrrrWr5rNrrrrr) rZ name_dictZ use_printableZrdnsZ encoding_nameZencoding_classattribute_nameZattribute_valuerLr8r8r;builds8    z Name.buildcCs|jjS)zb :return: A unicode string that can be used as a dict key or in a set )chosenr)r9r8r8r;rsz Name.hashablecCs t|jS)N)rxr)r9r8r8r;__len__sz Name.__len__cCs ||k S)Nr8)r9r:r8r8r;r<sz Name.__ne__cCst|tsdS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another Name object :return: A boolean F)r=rr)r9r:r8r8r;r@!s z Name.__eq__cCs|jdkrt|_xr|jjD]f}x`|D]X}|d}||jkrp|j|}t|ts`|g}|j|<||dq&|d|j|<q&WqW|jS)NrrL)ryr rrTr=listr)r9rtype_val field_nameexistingr8r8r;rT0s     z Name.nativecCs|jdkrt}d}x`|jD]V}xP|D]H}|dj}|}||krd||g||<|||dq(|d||<q(WqWg}|}|dkrtt|}x0|D](}||} || } |d|| fqWd} x |D]} | ddkrd } PqW| sd nd } | |ddd|_|jS) zg :return: A human-friendly unicode string containing the parts of the name NrrLrz%s: %sF,r[Tz, z; ) _human_friendlyr rrrrreversedr_recursive_humanizer^r)r9dataZ last_fieldrrrZto_joinrrrLZ native_valueZ has_commaelementZ separatorr8r8r;r@s6         zName.human_friendlycs,t|tr&dtfdd|DS|jS)z Recursively serializes data compiled from the RDNSequence :param value: An Asn1Value object, or a list of Asn1Value objects :return: A unicode string z, csg|]}|qSr8)r)rZ sub_value)r9r8r;rtsz,Name._recursive_humanize..)r=rrrrT)r9rLr8)r9r;rgs zName._recursive_humanizecCs$|jdkrt||_|jS)zZ :return: The SHA1 hash of the DER-encoded bytes of this name N)_sha1hashlibsha1dumpdigest)r9r8r8r;rxs z Name.sha1cCs$|jdkrt||_|jS)z] :return: The SHA-256 hash of the DER-encoded bytes of this name N)_sha256rsha256rr)r9r8r8r;r s z Name.sha256)F)rOrPrQrrrrrrrrdrrr<r@rTrrrr r8r8r8r;rs  <   ' rc@s"eZdZdefdeddifgZdS) AnotherNameZtype_idrLexplicitrN)rOrPrQr!rrr8r8r8r;r sr c@s$eZdZdZdZdefdefgZdS) CountryNamer x121_dcc_codeiso_3166_alpha2_codeN)rOrPrQclass_tagr r%rr8r8r8r;r sr c@s$eZdZdZdZdefdefgZdS)AdministrationDomainNamerrpnumeric printableN)rOrPrQrrr r%rr8r8r8r;rsrc@seZdZdefdefgZdS)PrivateDomainNamerrN)rOrPrQr r%rr8r8r8r;rsrc@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) PersonalNamerrrrrT)rrrrprrN)rOrPrQr%rr8r8r8r;rs rc@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) TeletexPersonalNamerrrrrT)rrrrprrN)rOrPrQr*rr8r8r8r;rs rc@seZdZeZdS)OrganizationalUnitNamesN)rOrPrQr%rr8r8r8r;rsrc@seZdZeZdS)TeletexOrganizationalUnitNamesN)rOrPrQr*rr8r8r8r;rsrc @seZdZdeddifdeddifdedddfded ddfd ed dd fd edddfdedddfdedddfde dddfg Z dS)BuiltInStandardAttributesrrTZadministration_domain_nameZnetwork_addressr)rrZterminal_identifierrZprivate_domain_namerp)r rrrZnumeric_user_identifierrZ personal_namerZorganizational_unit_namesrN) rOrPrQr rr r%rrrrr8r8r8r;rs  rc@seZdZdefdefgZdS)BuiltInDomainDefinedAttributerrLN)rOrPrQr%rr8r8r8r;rsrc@seZdZeZdS)BuiltInDomainDefinedAttributesN)rOrPrQrrr8r8r8r;rsrc@seZdZdefdefgZdS)TeletexDomainDefinedAttributerrLN)rOrPrQr*rr8r8r8r;rsrc@seZdZeZdS)TeletexDomainDefinedAttributesN)rOrPrQrrr8r8r8r;rsrc@seZdZdefdefgZdS)PhysicalDeliveryCountryNamer rN)rOrPrQr r%rr8r8r8r;rsrc@seZdZdefdefgZdS) PostalCodeZ numeric_codeZprintable_codeN)rOrPrQr r%rr8r8r8r;rsrc@s(eZdZdeddifdeddifgZdS) PDSParameterrrTrN)rOrPrQr%r*rr8r8r8r;r s r c@seZdZeZdS)PrintableAddressN)rOrPrQr%rr8r8r8r;r!sr!c@s(eZdZdeddifdeddifgZdS)UnformattedPostalAddressZprintable_addressrTrN)rOrPrQr!r*rr8r8r8r;r"s r"c@s*eZdZdeddifdedddfgZdS) E1634AddressZnumberrrZ sub_addressrT)rrN)rOrPrQr rr8r8r8r;r#s r#c@seZdZeZdS) NAddressesN)rOrPrQr#rr8r8r8r;r$sr$c@sFeZdZdedddfdedddfdedddfd ed d ifgZd S) PresentationAddressZ p_selectorrT)r rZ s_selectorrZ t_selectorrpZ n_addressesr rN)rOrPrQr#r$rr8r8r8r;r%sr%c@s"eZdZdefdeddifgZdS)ExtendedNetworkAddressZe163_4_addressZ psap_addressrrN)rOrPrQr#r%rr8r8r8r;r&#sr&c@seZdZdddddddZdS) TerminalTypeZtelexrZ g3_facsimileZ g4_facsimileZ ia5_terminalZvideotex)rrrrrrrN)rOrPrQrr8r8r8r;r'*s r'c@s@eZdZddddddddd d d d d dddddddddddZdS)ExtensionAttributeTyperteletex_common_nameteletex_organization_nameteletex_personal_nameteletex_organization_unit_names!teletex_domain_defined_attributespds_namephysical_delivery_country_namerphysical_delivery_office_namephysical_delivery_office_numberextension_of_address_componentsphysical_delivery_personal_name#physical_delivery_organization_name.extension_physical_delivery_address_componentsunformatted_postal_addressrpost_office_box_addressposte_restante_addressunique_postal_namelocal_postal_attributesextended_network_address terminal_type)rrprrrrrrr r6 r~r7N)rOrPrQrr8r8r8r;r(5s.r(c@s`eZdZdeddifdeddifgZdZeeee e e ee e eeeeeeeeeeeeeedZd S) ExtensionAttributeextension_attribute_typerrextension_attribute_valuer r)rJrK)rr)r*r+r,r-r.r/rr0r1r2r3r4r5r6rr7r8r9r:r;r<N)rOrPrQr(rrrr%r*rrrrrr r"r&r'rr8r8r8r;rIQs4 rIc@seZdZeZdS)ExtensionAttributesN)rOrPrQrIrr8r8r8r;rLssrLc@s.eZdZdefdeddifdeddifgZdS) ORAddressZbuilt_in_standard_attributesZ"built_in_domain_defined_attributesrTZextension_attributesN)rOrPrQrrrLrr8r8r8r;rMws rMc@s*eZdZdedddfdeddifgZdS) EDIPartyNameZ name_assignerrT)rrZ party_namerrN)rOrPrQrrr8r8r8r;rNsrNc @seZdZdeddifdeddifdeddifdedd ifd ed d ifd eddifde ddifde ddifde ddifg Z ddZ ddZdS) GeneralName other_namerrZ rfc822_namerdns_namerp x400_addressrZdirectory_namer redi_party_nameruniform_resource_identifierr ip_addressrZ registered_idrrcCs ||k S)Nr8)r9r:r8r8r;r<szGeneralName.__ne__cCsP|jdkrttd|j|jdkr4ttd|j|j|jkrDdS|j|jkS)z Does not support other_name, x400_address or edi_party_name :param other: The other GeneralName to compare to :return: A boolean )rPrRrSzr Comparison is not supported for GeneralName objects of choice %s za Comparison is not supported for GeneralName objects of choice %sF)rrgr r)r9r:r8r8r;r@s     zGeneralName.__eq__N)rOrPrQr rWr5rMrrNrSrfr!rr<r@r8r8r8r;rOs        rOc@seZdZeZdS) GeneralNamesN)rOrPrQrOrr8r8r8r;rVsrVc@seZdZdefdefgZdS)TimeZutc_timeZ general_timeN)rOrPrQr,rrr8r8r8r;rWsrWc@seZdZdefdefgZdS)ValidityrrN)rOrPrQrWrr8r8r8r;rXsrXc@s(eZdZdeddifdeddifgZdS)BasicConstraintscadefaultFpath_len_constraintrTN)rOrPrQrrrr8r8r8r;rYs rYc@s:eZdZdedddfdedddfdedddfgZd S) AuthorityKeyIdentifierkey_identifierrT)rrauthority_cert_issuerrauthority_cert_serial_numberrpN)rOrPrQr#rVrrr8r8r8r;r]sr]c@s(eZdZdeddifdeddifgZdS)DistributionPointName full_namerrname_relative_to_crl_issuerrN)rOrPrQrVrrr8r8r8r;ras rac @s$eZdZddddddddd d Zd S) ReasonFlagsZunusedZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromise) rrrprrrrrrrN)rOrPrQrr8r8r8r;rdsrdc@s2eZdZdefdedddfdedddfgZd S) GeneralSubtreebaseZminimumr)rr[ZmaximumrT)rrN)rOrPrQrOrrr8r8r8r;resrec@seZdZeZdS)GeneralSubtreesN)rOrPrQrerr8r8r8r;rgsrgc@s,eZdZdedddfdedddfgZdS)NameConstraintsZpermitted_subtreesrT)rrZexcluded_subtreesrN)rOrPrQrgrr8r8r8r;rhsrhc@sJeZdZdedddfdedddfded ddfgZd Zed d Z d S)DistributionPointdistribution_pointrT)r rZreasonsr)rrZ crl_issuerrpFcCsj|jdkrdd|_|d}|jdkr.ttdx4|jD]*}|jdkr6|j}|dr6||_Pq6W|jS)z_ :return: None or a unicode string of the distribution point's URL FNrjrbz CRL distribution points that are relative to the issuer are not supported rT)zhttp://zhttps://zldap://zldaps://)_urlrrgr rrTr?rE)r9r general_nameurlr8r8r;rm s    zDistributionPoint.urlN) rOrPrQrardrVrrkrdrmr8r8r8r;ris ric@seZdZeZdS)CRLDistributionPointsN)rOrPrQrirr8r8r8r;rn&srnc@s(eZdZdefdefdefdefgZdS) DisplayTextrZvisible_stringrrN)rOrPrQrr.rr-rr8r8r8r;ro*sroc@seZdZeZdS) NoticeNumbersN)rOrPrQrrr8r8r8r;rp3srpc@seZdZdefdefgZdS)NoticeReferenceZ organizationZnotice_numbersN)rOrPrQrorprr8r8r8r;rq7srqc@s(eZdZdeddifdeddifgZdS) UserNoticeZ notice_refrTZ explicit_textN)rOrPrQrqrorr8r8r8r;rr>s rrc@seZdZdddZdS)PolicyQualifierId certification_practice_statement user_notice)z1.3.6.1.5.5.7.2.1z1.3.6.1.5.5.7.2.2N)rOrPrQrr8r8r8r;rsEsrsc@s*eZdZdefdefgZdZeedZ dS)PolicyQualifierInfopolicy_qualifier_id qualifier)rwrx)rtruN) rOrPrQrsrrrrrrrr8r8r8r;rvLs  rvc@seZdZeZdS)PolicyQualifierInfosN)rOrPrQrvrr8r8r8r;ryYsryc@seZdZddiZdS)PolicyIdentifierz 2.5.29.32.0Z any_policyN)rOrPrQrr8r8r8r;rz]srzc@s"eZdZdefdeddifgZdS)PolicyInformationZpolicy_identifierZpolicy_qualifiersrTN)rOrPrQrzryrr8r8r8r;r{csr{c@seZdZeZdS)CertificatePoliciesN)rOrPrQr{rr8r8r8r;r|jsr|c@seZdZdefdefgZdS) PolicyMappingZissuer_domain_policyZsubject_domain_policyN)rOrPrQrzrr8r8r8r;r}nsr}c@seZdZeZdS)PolicyMappingsN)rOrPrQr}rr8r8r8r;r~usr~c@s,eZdZdedddfdedddfgZdS)PolicyConstraintsZrequire_explicit_policyrT)rrZinhibit_policy_mappingrN)rOrPrQrrr8r8r8r;rysrcV@seZdZddddddddd d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdUdVUZdWS)X KeyPurposeIdZany_extended_key_usageZ server_authZ client_authZ code_signingZemail_protectionZipsec_end_systemZ ipsec_tunnelZ ipsec_user time_stampingZ ocsp_signingZdvcsZ eap_over_pppZ eap_over_lanZ scvp_serverZ scvp_clientZ ipsec_ikeZ capwap_acZ capwap_wtpZ sip_domainZsecure_shell_clientZsecure_shell_serverZ send_routerZsend_proxied_routerZ send_ownerZsend_proxied_ownerZcmc_caZcmc_raZ cmc_archiveZbgpspec_routerZike_intermediateZmicrosoft_trust_list_signingZmicrosoft_time_stamp_signingZmicrosoft_server_gatedZmicrosoft_serializedZ microsoft_efsZmicrosoft_efs_recoveryZmicrosoft_whqlZ microsoft_nt5Zmicrosoft_oem_whqlZmicrosoft_embedded_ntZmicrosoft_root_list_signerZ!microsoft_qualified_subordinationZmicrosoft_key_recoveryZmicrosoft_document_signingZmicrosoft_lifetime_signingZ microsoft_mobile_device_softwareZmicrosoft_smart_card_logonZapple_x509_basicZ apple_sslZapple_local_cert_genZ apple_csr_genZapple_revocation_crlZapple_revocation_ocspZ apple_smimeZ apple_eapZapple_software_update_signingZ apple_ipsecZ apple_ichatZapple_resource_signingZapple_pkinit_clientZapple_pkinit_serverZapple_code_signingZapple_package_signingZapple_id_validationZapple_time_stampingZapple_revocationZapple_passbook_signingZapple_mobile_storeZapple_escrow_serviceZapple_profile_signerZapple_qa_profile_signerZapple_test_mobile_storeZapple_otapki_signerZapple_test_otapki_signerZ)apple_id_validation_record_signing_policyZapple_smp_encryptionZapple_test_smp_encryptionZapple_server_authenticationZapple_pcs_escrow_serviceZpiv_card_authenticationZpiv_content_signingZpkinit_kpclientauthZ pkinit_kpkdcZadobe_authentic_documents_trustZfpki_pivi_content_signing)Uz 2.5.29.37.0z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.5.7.3.5z1.3.6.1.5.5.7.3.6z1.3.6.1.5.5.7.3.7z1.3.6.1.5.5.7.3.8z1.3.6.1.5.5.7.3.9z1.3.6.1.5.5.7.3.10z1.3.6.1.5.5.7.3.13z1.3.6.1.5.5.7.3.14z1.3.6.1.5.5.7.3.15z1.3.6.1.5.5.7.3.16z1.3.6.1.5.5.7.3.17z1.3.6.1.5.5.7.3.18z1.3.6.1.5.5.7.3.19z1.3.6.1.5.5.7.3.20z1.3.6.1.5.5.7.3.21z1.3.6.1.5.5.7.3.22z1.3.6.1.5.5.7.3.23z1.3.6.1.5.5.7.3.24z1.3.6.1.5.5.7.3.25z1.3.6.1.5.5.7.3.26z1.3.6.1.5.5.7.3.27z1.3.6.1.5.5.7.3.28z1.3.6.1.5.5.7.3.29z1.3.6.1.5.5.7.3.30z1.3.6.1.5.5.8.2.2z1.3.6.1.4.1.311.10.3.1z1.3.6.1.4.1.311.10.3.2z1.3.6.1.4.1.311.10.3.3z1.3.6.1.4.1.311.10.3.3.1z1.3.6.1.4.1.311.10.3.4z1.3.6.1.4.1.311.10.3.4.1z1.3.6.1.4.1.311.10.3.5z1.3.6.1.4.1.311.10.3.6z1.3.6.1.4.1.311.10.3.7z1.3.6.1.4.1.311.10.3.8z1.3.6.1.4.1.311.10.3.9z1.3.6.1.4.1.311.10.3.10z1.3.6.1.4.1.311.10.3.11z1.3.6.1.4.1.311.10.3.12z1.3.6.1.4.1.311.10.3.13z1.3.6.1.4.1.311.10.3.14z1.3.6.1.4.1.311.20.2.2z1.2.840.113635.100.1.2z1.2.840.113635.100.1.3z1.2.840.113635.100.1.4z1.2.840.113635.100.1.5z1.2.840.113635.100.1.6z1.2.840.113635.100.1.7z1.2.840.113635.100.1.8z1.2.840.113635.100.1.9z1.2.840.113635.100.1.10z1.2.840.113635.100.1.11z1.2.840.113635.100.1.12z1.2.840.113635.100.1.13z1.2.840.113635.100.1.14z1.2.840.113635.100.1.15z1.2.840.113635.100.1.16z1.2.840.113635.100.1.17z1.2.840.113635.100.1.18z1.2.840.113635.100.1.20z1.2.840.113635.100.1.21z1.2.840.113635.100.1.22z1.2.840.113635.100.1.23z1.2.840.113635.100.1.24z1.2.840.113635.100.1.25z1.2.840.113635.100.1.26z1.2.840.113635.100.1.27z1.2.840.113635.100.1.28z1.2.840.113635.100.1.29z1.2.840.113625.100.1.30z1.2.840.113625.100.1.31z1.2.840.113625.100.1.32z1.2.840.113635.100.1.33z1.2.840.113635.100.1.34z2.16.840.1.101.3.6.8z2.16.840.1.101.3.6.7z1.3.6.1.5.2.3.4z1.3.6.1.5.2.3.5z1.2.840.113583.1.1.5z2.16.840.1.101.3.8.7N)rOrPrQrr8r8r8r;rsrc@seZdZeZdS)ExtKeyUsageSyntaxN)rOrPrQrrr8r8r8r;rsrc@seZdZdddddZdS) AccessMethodocspZ ca_issuersrZ ca_repository)z1.3.6.1.5.5.7.48.1z1.3.6.1.5.5.7.48.2z1.3.6.1.5.5.7.48.3z1.3.6.1.5.5.7.48.5N)rOrPrQrr8r8r8r;rsrc@seZdZdefdefgZdS)AccessDescription access_methodaccess_locationN)rOrPrQrrOrr8r8r8r;rsrc@seZdZeZdS)AuthorityInfoAccessSyntaxN)rOrPrQrrr8r8r8r;rsrc@seZdZeZdS)SubjectInfoAccessSyntaxN)rOrPrQrrr8r8r8r;rsrc@seZdZeZdS)FeaturesN)rOrPrQrrr8r8r8r;r src@seZdZdefdefgZdS)EntrustVersionInfoZ entrust_versZentrust_info_flagsN)rOrPrQrrrr8r8r8r;rsrc @s"eZdZddddddddd Zd S) NetscapeCertificateTypeZ ssl_clientZ ssl_serverZemailZobject_signingZreservedZssl_caZemail_caZobject_signing_ca)rrrprrrrrN)rOrPrQrr8r8r8r;rsrc@seZdZddddZdS)Versionv1Zv2Zv3)rrrpN)rOrPrQrr8r8r8r;r%src@s"eZdZdefdefdefgZdS)TPMSpecificationr}levelrevisionN)rOrPrQr-rrr8r8r8r;r-src@seZdZeZdS)SetOfTPMSpecificationN)rOrPrQrrr8r8r8r;r5src@s"eZdZdefdefdefgZdS)TCGSpecificationVersionZ major_versionZ minor_versionrN)rOrPrQrrr8r8r8r;r9src@seZdZdefdefgZdS)TCGPlatformSpecificationversionZplatform_classN)rOrPrQrr#rr8r8r8r;rAsrc@seZdZeZdS)SetOfTCGPlatformSpecificationN)rOrPrQrrr8r8r8r;rHsrc@seZdZdddddZdS)EKGenerationTypeZinternalZinjectedZinternal_revocableZinjected_revocable)rrrprN)rOrPrQrr8r8r8r;rLsrc@seZdZddddZdS)EKGenerationLocationrrek_cert_signer)rrrpN)rOrPrQrr8r8r8r;rUsrc@seZdZddddZdS)EKCertificateGenerationLocationrrr)rrrpN)rOrPrQrr8r8r8r;r]src@s eZdZddddddddZd S) EvaluationAssuranceLevellevel1level2level3level4Zlevel5Zlevel6Zlevel7)rrprrrrrN)rOrPrQrr8r8r8r;resrc@seZdZddddZdS)EvaluationStatusZdesigned_to_meetZevaluation_in_progressZevaluation_completed)rrrpN)rOrPrQrr8r8r8r;rqsrc@seZdZddddZdS)StrengthOfFunctionZbasicZmediumZhigh)rrrpN)rOrPrQrr8r8r8r;rysrc@s.eZdZdefdeddifdeddifgZdS) URIReferencerTZhash_algorithmrTZ hash_valueN)rOrPrQrrrrr8r8r8r;rs rc @steZdZdefdefdefdeddifdedd d fd ed d d fd e dd d fdedd d fde dd d fg Z dS)CommonCriteriaMeasuresrZassurance_levelZevaluation_statusplusr[FZstrengh_of_functionrT)rrZ profile_oidrZ profile_urlrpZ target_oidrZ target_urirN) rOrPrQrrrrrr!rrr8r8r8r;rs rc@seZdZdddddZdS) SecurityLevelrrrr)rrprrN)rOrPrQrr8r8r8r;rsrc@s(eZdZdefdefdeddifgZdS) FIPSLevelrrrr[FN)rOrPrQrrrrr8r8r8r;rsrc @seZdZdeddifdeddifdeddd fd ed dd fd ed dd fdeddd fde ddd fdedddfde ddifg Z dS)TPMSecurityAssertionsrr[rZfield_upgradableFZek_generation_typerT)rrZek_generation_locationrZ"ek_certificate_generation_locationrpZcc_inforZ fips_levelrZiso_9000_certifiedr)rr[Z iso_9000_urirN) rOrPrQrrrrrrrrrr8r8r8r;rs  rc@seZdZeZdS)SetOfTPMSecurityAssertionsN)rOrPrQrrr8r8r8r;rsrc @s&eZdZddddddddd d d Zd S) SubjectDirectoryAttributeIdsupported_algorithmstpm_specificationtcg_platform_specificationtpm_security_assertionspda_date_of_birthpda_place_of_birth pda_genderpda_country_of_citizenshippda_country_of_residenceZentrust_user_role) z2.5.4.52z 2.23.133.2.16z 2.23.133.2.17z 2.23.133.2.18z1.3.6.1.5.5.7.9.1z1.3.6.1.5.5.7.9.2z1.3.6.1.5.5.7.9.3z1.3.6.1.5.5.7.9.4z1.3.6.1.5.5.7.9.5z1.2.840.113533.7.68.29N)rOrPrQrr8r8r8r;rsrc@seZdZeZdS)SetOfGeneralizedTimeN)rOrPrQrrr8r8r8r;rsrc@seZdZeZdS)SetOfDirectoryStringN)rOrPrQrrr8r8r8r;rsrc@seZdZeZdS)SetOfPrintableStringN)rOrPrQr%rr8r8r8r;rsrc@s2eZdZdefdedddfdedddfgZdS) SupportedAlgorithmZalgorithm_identifierZintended_usagerT)r rZintended_certificate_policiesrN)rOrPrQrrr|rr8r8r8r;rsrc@seZdZeZdS)SetOfSupportedAlgorithmN)rOrPrQrrr8r8r8r;rsrc @sHeZdZdefdefgZdZeee e e e e e e d ZddZdeiZdS)SubjectDirectoryAttributerr)rr) rrrrrrrrrcCs"|dj}||jkr|j|StS)Nr)rTrr))r9Ztype_r8r8r; _values_specs   z&SubjectDirectoryAttribute._values_specN)rOrPrQrrrrrrrrrrrrrZ_spec_callbacksr8r8r8r;rs rc@seZdZeZdS)SubjectDirectoryAttributesN)rOrPrQrrr8r8r8r;rsrc@s@eZdZddddddddd d d d d dddddddddddZdS) ExtensionIdsubject_directory_attributesr^ key_usageprivate_key_usage_periodsubject_alt_nameissuer_alt_namebasic_constraintsname_constraintscrl_distribution_pointscertificate_policiespolicy_mappingsauthority_key_identifierpolicy_constraintsextended_key_usage freshest_crlinhibit_any_policyauthority_information_accesssubject_information_access tls_feature ocsp_no_checkentrust_version_extensionnetscape_certificate_type!signed_certificate_timestamp_list)z2.5.29.9z 2.5.29.14z 2.5.29.15z 2.5.29.16z 2.5.29.17z 2.5.29.18z 2.5.29.19z 2.5.29.30z 2.5.29.31z 2.5.29.32z 2.5.29.33z 2.5.29.35z 2.5.29.36z 2.5.29.37z 2.5.29.46z 2.5.29.54z1.3.6.1.5.5.7.1.1z1.3.6.1.5.5.7.1.11z1.3.6.1.5.5.7.1.24z1.3.6.1.5.5.7.48.1.5z1.2.840.113533.7.65.0z2.16.840.1.113730.1.1z1.3.6.1.4.1.11129.2.4.2N)rOrPrQrr8r8r8r;rs.rc@s`eZdZdefdeddifdefgZdZee e e e e e eeeeeeeeeeeeeeee dZdS) Extensionextn_idcriticalr[F extn_value)rr)rr^rrrrrrrrrrrrrrrrrrrrrN)rOrPrQrrr$rrrr#rrrVrYrhrnr|r~r]rrrrrrrrrrr8r8r8r;r%s6  rc@seZdZeZdS) ExtensionsN)rOrPrQrrr8r8r8r;rHsrc@sleZdZdedddfdefdefdefdefd efd efd e d d dfde dd dfde dd dfg Z dS)TbsCertificaterrr)r r[r signatureissuervaliditysubjectsubject_public_key_infoZissuer_unique_idrT)rrZsubject_unique_idrp extensionsr)r rN) rOrPrQrrrrrXr0r"rrr8r8r8r;rLsrc@seZdZdefdefdefgZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&ddZ'e(dd Z)e(d d Z*e(d d Z+e(ddZ,e(ddZ-e(ddZ.e(ddZ/e(ddZ0e(ddZ1e(ddZ2e(ddZ3e(ddZ4e(d d!Z5e(d"d#Z6e(d$d%Z7e(d&d'Z8e(d(d)Z9e(d*d+Z:e(d,d-Z;e(d.d/Ze(d4d5Z?e(d6d7Z@e(d8d9ZAe(d:d;ZBe(dd?ZDe(d@dAZEe(dBdCZFe(dDdEZGe(dFdGZHe(dHdIZIe(dJdKZJe(dLdMZKe(dNdOZLdPdQZMe(dRdSZNe(dTdUZOe(dVdWZPe(dXdYZQe(dZd[ZRe(d\d]ZSe(d^d_ZTe(d`daZUe(dbdcZVe(dddeZWe(dfdgZXdhdiZYdjdkZZdldmZ[dS)n Certificatetbs_certificatesignature_algorithmsignature_valueFNcCslt|_xX|ddD]H}|dj}d|}t||rHt|||dj|djr|j|qWd|_dS) zv Sets common named extensions to private attributes and creates a list of critical extensions rrrz _%s_valuerrTN)rN_critical_extensionsrThasattrsetattrZparsedadd_processed_extensions)r9 extensionrrr8r8r;_set_extensionss   zCertificate._set_extensionscCs|js||jS)z Returns a set of the names (or OID if not a known extension) of the extensions marked as critical :return: A set of unicode strings )rrr)r9r8r8r;critical_extensionss zCertificate.critical_extensionscCs|js||jS)z This extension is used to constrain the period over which the subject private key may be used :return: None or a PrivateKeyUsagePeriod object )rr_private_key_usage_period_value)r9r8r8r;private_key_usage_period_values z*Certificate.private_key_usage_period_valuecCs|js||jS)z This extension is used to contain additional identification attributes about the subject. :return: None or a SubjectDirectoryAttributes object )rr_subject_directory_attributes)r9r8r8r;"subject_directory_attributes_values z.Certificate.subject_directory_attributes_valuecCs|js||jS)z This extension is used to help in creating certificate validation paths. It contains an identifier that should generally, but is not guaranteed to, be unique. :return: None or an OctetString object )rr_key_identifier_value)r9r8r8r;key_identifier_values z Certificate.key_identifier_valuecCs|js||jS)z This extension is used to define the purpose of the public key contained within the certificate. :return: None or a KeyUsage )rr_key_usage_value)r9r8r8r;key_usage_values zCertificate.key_usage_valuecCs|js||jS)aT This extension allows for additional names to be associate with the subject of the certificate. While it may contain a whole host of possible names, it is usually used to allow certificates to be used with multiple different domain names. :return: None or a GeneralNames object )rr_subject_alt_name_value)r9r8r8r;subject_alt_name_values z"Certificate.subject_alt_name_valuecCs|js||jS)z This extension allows associating one or more alternative names with the issuer of the certificate. :return: None or an x509.GeneralNames object )rr_issuer_alt_name_value)r9r8r8r;issuer_alt_name_values z!Certificate.issuer_alt_name_valuecCs|js||jS)a' This extension is used to determine if the subject of the certificate is a CA, and if so, what the maximum number of intermediate CA certs after this are, before an end-entity certificate is found. :return: None or a BasicConstraints object )rr_basic_constraints_value)r9r8r8r;basic_constraints_values z#Certificate.basic_constraints_valuecCs|js||jS)z This extension is used in CA certificates, and is used to limit the possible names of certificates issued. :return: None or a NameConstraints object )rr_name_constraints_value)r9r8r8r;name_constraints_value s z"Certificate.name_constraints_valuecCs|js||jS)z This extension is used to help in locating the CRL for this certificate. :return: None or a CRLDistributionPoints object extension )rr_crl_distribution_points_value)r9r8r8r;crl_distribution_points_value s z)Certificate.crl_distribution_points_valuecCs|js||jS)a; This extension defines policies in CA certificates under which certificates may be issued. In end-entity certificates, the inclusion of a policy indicates the issuance of the certificate follows the policy. :return: None or a CertificatePolicies object )rr_certificate_policies_value)r9r8r8r;certificate_policies_value% s z&Certificate.certificate_policies_valuecCs|js||jS)z This extension allows mapping policy OIDs to other OIDs. This is used to allow different policies to be treated as equivalent in the process of validation. :return: None or a PolicyMappings object )rr_policy_mappings_value)r9r8r8r;policy_mappings_value5 s z!Certificate.policy_mappings_valuecCs|js||jS)z This extension helps in identifying the public key with which to validate the authenticity of the certificate. :return: None or an AuthorityKeyIdentifier object )rr_authority_key_identifier_value)r9r8r8r;authority_key_identifier_valueD s z*Certificate.authority_key_identifier_valuecCs|js||jS)z This extension is used to control if policy mapping is allowed and when policies are required. :return: None or a PolicyConstraints object )rr_policy_constraints_value)r9r8r8r;policy_constraints_valueR s z$Certificate.policy_constraints_valuecCs|js||jS)z This extension is used to help locate any available delta CRLs :return: None or an CRLDistributionPoints object )rr_freshest_crl_value)r9r8r8r;freshest_crl_value` s zCertificate.freshest_crl_valuecCs|js||jS)z This extension is used to prevent mapping of the any policy to specific requirements :return: None or a Integer object )rr_inhibit_any_policy_value)r9r8r8r;inhibit_any_policy_valuem s z$Certificate.inhibit_any_policy_valuecCs|js||jS)z This extension is used to define additional purposes for the public key beyond what is contained in the basic constraints. :return: None or an ExtKeyUsageSyntax object )rr_extended_key_usage_value)r9r8r8r;extended_key_usage_value{ s z$Certificate.extended_key_usage_valuecCs|js||jS)z This extension is used to locate the CA certificate used to sign this certificate, or the OCSP responder for this certificate. :return: None or an AuthorityInfoAccessSyntax object )rr#_authority_information_access_value)r9r8r8r;"authority_information_access_value s z.Certificate.authority_information_access_valuecCs|js||jS)z This extension is used to access information about the subject of this certificate. :return: None or a SubjectInfoAccessSyntax object )rr!_subject_information_access_value)r9r8r8r; subject_information_access_value s z,Certificate.subject_information_access_valuecCs|js||jS)z This extension is used to list the TLS features a server must respond with if a client initiates a request supporting them. :return: None or a Features object )rr_tls_feature_value)r9r8r8r;tls_feature_value s zCertificate.tls_feature_valuecCs|js||jS)a- This extension is used on certificates of OCSP responders, indicating that revocation information for the certificate should never need to be verified, thus preventing possible loops in path validation. :return: None or a Null object (if present) )rr_ocsp_no_check_value)r9r8r8r;ocsp_no_check_value s zCertificate.ocsp_no_check_valuecCs |djS)zE :return: A byte string of the signature r)rT)r9r8r8r;r szCertificate.signaturecCs |djS)zj :return: A unicode string of "rsassa_pkcs1v15", "rsassa_pss", "dsa", "ecdsa" r)signature_algo)r9r8r8r;r szCertificate.signature_algocCs |djS)z :return: A unicode string of "md2", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256" r) hash_algo)r9r8r8r;r szCertificate.hash_algocCs |ddS)zT :return: The PublicKeyInfo object for this certificate rrr8)r9r8r8r; public_key szCertificate.public_keycCs |ddS)zZ :return: The Name object for the subject of this certificate rrr8)r9r8r8r;r szCertificate.subjectcCs |ddS)zY :return: The Name object for the issuer of this certificate rrr8)r9r8r8r;r szCertificate.issuercCs|ddjS)zT :return: An integer of the certificate's serial number rr)rT)r9r8r8r;r szCertificate.serial_numbercCs|js dS|jjS)z :return: None or a byte string of the certificate's key identifier from the key identifier extension N)rrT)r9r8r8r;r^ szCertificate.key_identifiercCs.|jdkr(|jjdt|jd|_|jS)z :return: A byte string of the SHA-256 hash of the issuer concatenated with the ascii character ":", concatenated with the serial number as an ascii string N:r\)_issuer_serialrr rrrF)r9r8r8r; issuer_serial s zCertificate.issuer_serialcCs|dddjS)zd :return: A datetime of latest time when the certificate is still valid rrr)rT)r9r8r8r;not_valid_after szCertificate.not_valid_aftercCs|dddjS)zd :return: A datetime of the earliest time when the certificate is valid rrr)rT)r9r8r8r;not_valid_before$ szCertificate.not_valid_beforecCs|js dS|jdjS)z :return: None or a byte string of the key_identifier from the authority key identifier extension Nr^)rrT)r9r8r8r;r, sz$Certificate.authority_key_identifiercCsj|jdkrd|j}|r^|djr^|jddj}|}|jdj}|jdt|d|_nd|_|jS)a; :return: None or a byte string of the SHA-256 hash of the isser from the authority key identifier extension concatenated with the ascii character ":", concatenated with the serial number from the authority key identifier extension as an ascii string Fr_rr`rr\N)_authority_issuer_serialrrTrZuntagr rrF)r9ZakivrZauthority_serialr8r8r;authority_issuer_serial9 s  z#Certificate.authority_issuer_serialcCs|jdkr||j|_|jS)z Returns complete CRL URLs - does not include delta CRLs :return: A list of zero or more DistributionPoint objects N)_crl_distribution_points!_get_http_crl_distribution_pointsr)r9r8r8r;rO s z#Certificate.crl_distribution_pointscCs|jdkr||j|_|jS)z Returns delta CRL URLs - does not include complete CRLs :return: A list of zero or more DistributionPoint objects N)_delta_crl_distribution_pointsrr)r9r8r8r;delta_crl_distribution_points\ s z)Certificate.delta_crl_distribution_pointscCsdg}|dkrgSxN|D]F}|d}|tkr,q|jdkr8qx"|jD]}|jdkr@||q@WqW|S)a? Fetches the DistributionPoint object for non-relative, HTTP CRLs referenced by the certificate :param crl_distribution_points: A CRLDistributionPoints object to grab the DistributionPoints from :return: A list of zero or more DistributionPoint objects NrjrcrT)r/rrr)r9rrrjZdistribution_point_namerlr8r8r;ri s     z-Certificate._get_http_crl_distribution_pointscCsb|js gSg}xN|jD]D}|djdkr|d}|jdkrg|_|jr>x&|jD]}|jdkr|j|jqW|jS)zj :return: A list of unicode strings of valid IP addresses for the certificate NrU) _valid_ipsrrrrT)r9rlr8r8r; valid_ips s   zCertificate.valid_ipscCs|jo|jdjS)zW :return; A boolean - if the certificate is marked as a CA rZ)rrT)r9r8r8r;rZ szCertificate.cacCs|js dS|jdjS)zT :return; None or an integer of the maximum path length Nr\)rZrrT)r9r8r8r;max_path_length szCertificate.max_path_lengthcCs|jdkr|j|jk|_|jS)zx :return: A boolean - if the certificate is self-issued, as defined by RFC 5280 N) _self_issuedrr)r9r8r8r; self_issued s zCertificate.self_issuedcCsJ|jdkrDd|_|jrD|jr>|js*d|_qD|j|jkrDd|_nd|_|jS)a :return: A unicode string of "no" or "maybe". The "maybe" result will be returned if the certificate issuer and subject are the same. If a key identifier and authority key identifier are present, they will need to match otherwise "no" will be returned. To verify is a certificate is truly self-signed, the signature will need to be verified. See the certvalidator package for one possible solution. NZnomaybe) _self_signedr,r^r)r9r8r8r; self_signed s  zCertificate.self_signedcCs$|jdkrt||_|jS)zk :return: The SHA-1 hash of the DER-encoded bytes of this complete certificate N)rrrrr)r9r8r8r;r s zCertificate.sha1cCsdddt|jDS)z :return: A unicode string of the SHA-1 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdS)z%02XNr8)rcr8r8r;r sz/Certificate.sha1_fingerprint..)rrr)r9r8r8r;sha1_fingerprint szCertificate.sha1_fingerprintcCs$|jdkrt||_|jS)zy :return: The SHA-256 hash of the DER-encoded bytes of this complete certificate N)rrr rr)r9r8r8r;r ! s zCertificate.sha256cCsdddt|jDS)z :return: A unicode string of the SHA-256 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdS)z%02XNr8)rr0r8r8r;r5 sz1Certificate.sha256_fingerprint..)rrr )r9r8r8r;sha256_fingerprint- szCertificate.sha256_fingerprintcCsPt|tsttdt||dd}|ddk}| oNt d|}| oZ| }|r|j sjdS| d}xh|j D]^}|dd}| d} t | t |krq|| |krd S||} | r|||| r|d Sq|WdS|jsdS|rtjntj} t| |} xD|jD]:} | ddkr(tjntj}t|| }|| krd SqWdS) a Check if a domain name or IP address is valid according to the certificate :param domain_ip: A unicode string of a domain name or IP address :return: A boolean - if the domain or IP is valid for the certificate zL domain_ip must be a unicode string, not %s rr\rkr[z^\d+\.\d+\.\d+\.\d+$FrAT)r=rrDr r rFrcr?r^rr%r'rsrx_is_wildcard_domain_is_wildcard_matchr)rurwrvr4)r9Z domain_ipZencoded_domain_ipZis_ipv6Zis_ipv4Z is_domain domain_labelsZ valid_domainZencoded_valid_domainvalid_domain_labelsZ is_wildcardr}Z normalized_ipZvalid_ipZ valid_familyZnormalized_valid_ipr8r8r;is_valid_domain_ip7 sB            zCertificate.is_valid_domain_ipcCsZ|ddkrdS|d}|s(dS|dddkr>dS|ddddkrVdSd S) af Checks if a domain is a valid wildcard according to https://tools.ietf.org/html/rfc6125#section-6.4.3 :param domain: A unicode string of the domain name, where any U-labels from an IDN have been converted to A-labels :return: A boolean - if the domain is a valid wildcard domain *rFrArr[rzxn--T)countr?rsr^)r9Zdomainlabelsr8r8r;r3y szCertificate._is_wildcard_domaincCsl|d}|dd}|d}|dd}||kr4dS|dkr@dStd|ddd }||rhdSdS) a Determines if the labels in a domain are a match for labels from a wildcard valid domain name :param domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in the domain name to check :param valid_domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in a wildcard domain pattern :return: A boolean - if the domain matches the valid domain rrNFr8T^z.*$)rr$rr%)r9r5r6Zfirst_domain_labelZother_domain_labelsZwildcard_labelZother_valid_domain_labelsZwildcard_regexr8r8r;r4 s   zCertificate._is_wildcard_match)\rOrPrQrrr"rrrrrrrrrrrrrrrrrrr r rrrrrrrr#r(r+r.rrrrdrrrrrrrrrrrrrrrrr r r rrrrrrrrrr^rrrrrrrrr"r'r)rZr*r,r/rr1r r2r7r3r4r8r8r8r;r[s                           #   B!rc@seZdZeZdS)KeyPurposeIdentifiersN)rOrPrQrrr8r8r8r;r= sr=c@seZdZeZdS)SequenceOfAlgorithmIdentifiersN)rOrPrQrrr8r8r8r;r> sr>c @sPeZdZdeddifdedddfdeddifdeddifd ed ddfgZd S) CertificateAuxZtrustrTZrejectr)rraliasZkeyidr:rN)rOrPrQr=r-r#r>rr8r8r8r;r? s    r?c@seZdZeegZdS)TrustedCertificateN)rOrPrQrr?Z _child_specsr8r8r8r;rA srA)rZ __future__rrrr contextlibrZ encodingsrrrrurrrZ_errorsr Z_irir r Z _ordereddictr Z_typesr rrZalgosrrrrZcorerrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/rr0utilr1r2r3r4r5rSrWrfrrrrrrrrrrrrr r rrrrrrrrrrrrrr r!r"r#r$r%r&r'r(rIrLrMrNrOrVrWrXrYr]rardrergrhrirnrorprqrrrsrvryrzr{r|r}r~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr=r>r?rAr8r8r8r;s    x 59q  BU*D      "2%  p     #o