B `9@sdddlZddlZddlZddlmZddlmZddlmZm Z ddl m Z m Z m Z mZeeeeedZGdddeZGd d d eZd d eDZejejejejejfZd dZGdddeZdd eDZGdddeZGdddejdZGdddejdZ GdddeZ!GdddeZ"e#edddZ$e#e dd d!Z%dS)"N)Enum)x509)hashes serialization)_EARLIEST_UTC_TIME_PRIVATE_KEY_TYPES_convert_to_naive_utc_time_reject_duplicate_extension)z 1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAMErrE/home/dcms/DCMS/lib/python3.7/site-packages/cryptography/x509/ocsp.pyr sr c@s$eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) r r r SUCCESSFULZMALFORMED_REQUESTINTERNAL_ERRORZ TRY_LATERZ SIG_REQUIRED UNAUTHORIZEDrrrrr#s rcCsi|] }||jqSr)value).0xrrr ,srcCst|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError) algorithmrrr_verify_algorithm6s r#c@seZdZdZdZdZdS)OCSPCertStatusrrrN)r r r ZGOODREVOKEDUNKNOWNrrrrr$=sr$cCsi|] }||jqSr)r)rrrrrrCsc@seZdZddZdS)_SingleResponsec Cst|tjrt|tjs tdt|t|tjsrrrrr6sr6) metaclassc@seZdZejedddZejejdddZ eje j e j dddZejeddd Zejedd d Zeje jejdd d Zeje j edddZeje j ejdddZejejdddZejedddZeje j ejdddZeje j ejdddZejejdddZeje j ejdddZ ejedddZ!ejedd d!Z"eje j dd"d#Z#eje$dd$d%Z%ejej&dd&d'Z'ejej&dd(d)Z(ej)e*j+ed*d+d,Z,d-S). OCSPResponse)r7cCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nr)r-rrrresponse_statusszOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nr)r-rrrsignature_algorithm_oidsz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nr)r-rrrsignature_hash_algorithmsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nr)r-rrr signatureszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nr)r-rrrtbs_response_bytesszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nr)r-rrr certificatesszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nr)r-rrrresponder_key_hashszOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nr)r-rrrresponder_nameszOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nr)r-rrr produced_atszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nr)r-rrrcertificate_statusszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nr)r-rrrr3szOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nr)r-rrrr4szOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nr)r-rrrr1szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nr)r-rrrr2 szOCSPResponse.next_updatecCsdS)z3 The hash of the issuer public key Nr)r-rrrr8szOCSPResponse.issuer_key_hashcCsdS)z- The hash of the issuer name Nr)r-rrrr9szOCSPResponse.issuer_name_hashcCsdS)zK The hash algorithm used in the issuer name and key hashes Nr)r-rrrr:szOCSPResponse.hash_algorithmcCsdS)zM The serial number of the cert whose status is being checked Nr)r-rrrr;!szOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nr)r-rrrr>'szOCSPResponse.extensionscCsdS)zR The list of single response extensions. Not response extensions. Nr)r-rrrsingle_extensions-szOCSPResponse.single_extensions)r<r7cCsdS)z0 Serializes the response to DER Nr)r-r<rrrr=3szOCSPResponse.public_bytesN)-r r r r?r@rrIrZObjectIdentifierrJtypingOptionalrrBrKrArLrMListr(rNrONamerPr*rQr$rRr3r,r4r1r2r8r9r:rCr;rFr>rSrDrrEr=rrrrrHsTrHc@sVeZdZdgfddZejejejddddZej e dddd Z e d d d Z dS) OCSPRequestBuilderNcCs||_||_dS)N)_request _extensions)r-requestr>rrrr5;szOCSPRequestBuilder.__init__)r.r/r"r7cCsL|jdk rtdt|t|tjr2t|tjs:tdt|||f|jS)Nz.Only one certificate can be added to a requestz%cert and issuer must be a Certificate) rYr!r#rrr(r)rXrZ)r-r.r/r"rrradd_certificate?s  z"OCSPRequestBuilder.add_certificate)extvalcriticalr7cCsDt|tjstdt|j||}t||jt|j |j|gS)Nz"extension must be an ExtensionType) rr ExtensionTyper) Extensionoidr rZrXrY)r-r]r^ extensionrrr add_extensionPs   z OCSPRequestBuilder.add_extension)r7cCs(ddlm}|jdkrtd||S)Nr)backendz*You must add a certificate before building),cryptography.hazmat.backends.openssl.backendrdrYr!Zcreate_ocsp_request)r-rdrrrbuild]s  zOCSPRequestBuilder.build)r r r r5rr(rrBr\r_boolrcr6rfrrrrrX:s  rXc @seZdZdddgfddZejejejee j e j e j e j e j e j ej dd ddZ eejdddd Ze jejdd d d Zejedd ddZee j ejedddZeeedddZdS)OCSPResponseBuilderNcCs||_||_||_||_dS)N) _response _responder_id_certsrZ)r-response responder_idcertsr>rrrr5gszOCSPResponseBuilder.__init__) r.r/r"r0r1r2r3r4r7c Cs<|jdk rtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rir!r'rhrjrkrZ) r-r.r/r"r0r1r2r3r4Z singleresprrr add_responseos z OCSPResponseBuilder.add_response)r<responder_certr7cCsP|jdk rtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rjr!rrr(r)r rhrirkrZ)r-r<rprrrrms   z OCSPResponseBuilder.responder_id)rnr7cCs\|jdk rtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdS)N)rrr()rrrrr sz3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rkr!listlenallr)rhrirjrZ)r-rnrrrrNs  z OCSPResponseBuilder.certificates)r]r^r7cCsLt|tjstdt|j||}t||jt|j |j |j |j|gS)Nz"extension must be an ExtensionType) rrr_r)r`rar rZrhrirjrk)r-r]r^rbrrrrcs  z!OCSPResponseBuilder.add_extension) private_keyr"r7cCsBddlm}|jdkrtd|jdkr0td|tj|||S)Nr)rdz&You must add a response before signingz*You must add a responder_id before signing)rerdrir!rjcreate_ocsp_responserr)r-rur"rdrrrsigns   zOCSPResponseBuilder.sign)rIr7cCs@ddlm}t|tstd|tjkr0td||dddS)Nr)rdz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rerdrrr)rr!rv)clsrIrdrrrbuild_unsuccessfuls   z&OCSPResponseBuilder.build_unsuccessful)r r r r5rr(rrBr$r*rTrUr,ror rmIterablerNr_rgrcrrHrw classmethodrryrrrrrhfs,       rh)datar7cCsddlm}||S)Nr)rd)rerdload_der_ocsp_request)r|rdrrrr}s r}cCsddlm}||S)Nr)rd)rerdload_der_ocsp_response)r|rdrrrr~s r~)&r?r*rTenumrZ cryptographyrZcryptography.hazmat.primitivesrrZcryptography.x509.baserrrr SHA1SHA224SHA256SHA384SHA512Z _OIDS_TO_HASHr rZ_RESPONSE_STATUS_TO_ENUMr r#r$Z_CERT_STATUS_TO_ENUMobjectr'ABCMetar6rHrXrhrAr}r~rrrrs<     F& ,|