B
    `9                 @   sd  d dl Z d dlZd dlZd dlmZ d dlmZ d dlmZm	Z	 d dl
mZmZmZmZ e e e e e dZG dd deZG d	d
 d
eZdd eD ZejejejejejfZdd ZG dd deZdd eD ZG dd deZG dd de jdZG dd de jdZ G dd deZ!G dd deZ"e#edddZ$e#e dd d!Z%dS )"    N)Enum)x509)hashesserialization)_EARLIEST_UTC_TIME_PRIVATE_KEY_TYPES_convert_to_naive_utc_time_reject_duplicate_extension)z1.3.14.3.2.26z2.16.840.1.101.3.4.2.4z2.16.840.1.101.3.4.2.1z2.16.840.1.101.3.4.2.2z2.16.840.1.101.3.4.2.3c               @   s   e Zd ZdZdZdS )OCSPResponderEncodingzBy HashzBy NameN)__name__
__module____qualname__HASHNAME r   r   E/home/dcms/DCMS/lib/python3.7/site-packages/cryptography/x509/ocsp.pyr
      s   r
   c               @   s$   e Zd ZdZdZdZdZdZdZdS )OCSPResponseStatusr                  N)	r   r   r   
SUCCESSFULZMALFORMED_REQUESTINTERNAL_ERRORZ	TRY_LATERZSIG_REQUIREDUNAUTHORIZEDr   r   r   r   r   #   s   r   c             C   s   i | ]}||j qS r   )value).0xr   r   r   
<dictcomp>,   s    r   c             C   s   t | tstdd S )Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512)
isinstance_ALLOWED_HASHES
ValueError)	algorithmr   r   r   _verify_algorithm6   s    
r#   c               @   s   e Zd ZdZdZdZdS )OCSPCertStatusr   r   r   N)r   r   r   ZGOODREVOKEDUNKNOWNr   r   r   r   r$   =   s   r$   c             C   s   i | ]}||j qS r   )r   )r   r   r   r   r   r   C   s    c               @   s   e Zd Zdd ZdS )_SingleResponsec	       	      C   s  t |tjrt |tjs tdt| t |tjs<td|d k	rXt |tjsXtd|| _|| _|| _|| _	|| _
t |tstd|tjk	r|d k	rtd|d k	rtdnHt |tjstdt|}|tk rtd|d k	rt |tjstd	|| _|| _|| _d S )
Nz%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r   r   Certificate	TypeErrorr#   datetimeZ_certZ_issuer
_algorithmZ_this_updateZ_next_updater$   r%   r!   r   r   ReasonFlagsZ_cert_statusZ_revocation_timeZ_revocation_reason)	selfcertissuerr"   cert_statusthis_updatenext_updaterevocation_timerevocation_reasonr   r   r   __init__G   sJ    






z_SingleResponse.__init__N)r   r   r   r5   r   r   r   r   r'   F   s   r'   c               @   s   e Zd ZejedddZejedddZejej	dddZ
ejeddd	Zejejed
ddZejejdddZdS )OCSPRequest)returnc             C   s   dS )z3
        The hash of the issuer public key
        Nr   )r-   r   r   r   issuer_key_hash   s    zOCSPRequest.issuer_key_hashc             C   s   dS )z-
        The hash of the issuer name
        Nr   )r-   r   r   r   issuer_name_hash   s    zOCSPRequest.issuer_name_hashc             C   s   dS )zK
        The hash algorithm used in the issuer name and key hashes
        Nr   )r-   r   r   r   hash_algorithm   s    zOCSPRequest.hash_algorithmc             C   s   dS )zM
        The serial number of the cert whose status is being checked
        Nr   )r-   r   r   r   serial_number   s    zOCSPRequest.serial_number)encodingr7   c             C   s   dS )z/
        Serializes the request to DER
        Nr   )r-   r<   r   r   r   public_bytes   s    zOCSPRequest.public_bytesc             C   s   dS )zP
        The list of request extensions. Not single request extensions.
        Nr   )r-   r   r   r   
extensions   s    zOCSPRequest.extensionsN)r   r   r   abcabstractpropertybytesr8   r9   r   HashAlgorithmr:   intr;   abstractmethodr   Encodingr=   r   
Extensionsr>   r   r   r   r   r6      s   r6   )	metaclassc               @   s  e Zd ZejedddZejejdddZ	eje
jej dddZejeddd	Zejedd
dZeje
jej dddZeje
je dddZeje
jej dddZejejdddZejedddZeje
jej dddZeje
jej dddZejejdddZeje
jej dddZ ejedddZ!ejedd d!Z"ejejdd"d#Z#eje$dd$d%Z%ejej&dd&d'Z'ejej&dd(d)Z(ej)e*j+ed*d+d,Z,d-S ).OCSPResponse)r7   c             C   s   dS )zm
        The status of the response. This is a value from the OCSPResponseStatus
        enumeration
        Nr   )r-   r   r   r   response_status   s    zOCSPResponse.response_statusc             C   s   dS )zA
        The ObjectIdentifier of the signature algorithm
        Nr   )r-   r   r   r   signature_algorithm_oid   s    z$OCSPResponse.signature_algorithm_oidc             C   s   dS )zX
        Returns a HashAlgorithm corresponding to the type of the digest signed
        Nr   )r-   r   r   r   signature_hash_algorithm   s    z%OCSPResponse.signature_hash_algorithmc             C   s   dS )z%
        The signature bytes
        Nr   )r-   r   r   r   	signature   s    zOCSPResponse.signaturec             C   s   dS )z+
        The tbsResponseData bytes
        Nr   )r-   r   r   r   tbs_response_bytes   s    zOCSPResponse.tbs_response_bytesc             C   s   dS )z
        A list of certificates used to help build a chain to verify the OCSP
        response. This situation occurs when the OCSP responder uses a delegate
        certificate.
        Nr   )r-   r   r   r   certificates   s    zOCSPResponse.certificatesc             C   s   dS )z2
        The responder's key hash or None
        Nr   )r-   r   r   r   responder_key_hash   s    zOCSPResponse.responder_key_hashc             C   s   dS )z.
        The responder's Name or None
        Nr   )r-   r   r   r   responder_name   s    zOCSPResponse.responder_namec             C   s   dS )z4
        The time the response was produced
        Nr   )r-   r   r   r   produced_at   s    zOCSPResponse.produced_atc             C   s   dS )zY
        The status of the certificate (an element from the OCSPCertStatus enum)
        Nr   )r-   r   r   r   certificate_status   s    zOCSPResponse.certificate_statusc             C   s   dS )z^
        The date of when the certificate was revoked or None if not
        revoked.
        Nr   )r-   r   r   r   r3      s    zOCSPResponse.revocation_timec             C   s   dS )zi
        The reason the certificate was revoked or None if not specified or
        not revoked.
        Nr   )r-   r   r   r   r4      s    zOCSPResponse.revocation_reasonc             C   s   dS )z
        The most recent time at which the status being indicated is known by
        the responder to have been correct
        Nr   )r-   r   r   r   r1     s    zOCSPResponse.this_updatec             C   s   dS )zC
        The time when newer information will be available
        Nr   )r-   r   r   r   r2   	  s    zOCSPResponse.next_updatec             C   s   dS )z3
        The hash of the issuer public key
        Nr   )r-   r   r   r   r8     s    zOCSPResponse.issuer_key_hashc             C   s   dS )z-
        The hash of the issuer name
        Nr   )r-   r   r   r   r9     s    zOCSPResponse.issuer_name_hashc             C   s   dS )zK
        The hash algorithm used in the issuer name and key hashes
        Nr   )r-   r   r   r   r:     s    zOCSPResponse.hash_algorithmc             C   s   dS )zM
        The serial number of the cert whose status is being checked
        Nr   )r-   r   r   r   r;   !  s    zOCSPResponse.serial_numberc             C   s   dS )zR
        The list of response extensions. Not single response extensions.
        Nr   )r-   r   r   r   r>   '  s    zOCSPResponse.extensionsc             C   s   dS )zR
        The list of single response extensions. Not response extensions.
        Nr   )r-   r   r   r   single_extensions-  s    zOCSPResponse.single_extensions)r<   r7   c             C   s   dS )z0
        Serializes the response to DER
        Nr   )r-   r<   r   r   r   r=   3  s    zOCSPResponse.public_bytesN)-r   r   r   r?   r@   r   rI   r   ZObjectIdentifierrJ   typingOptionalr   rB   rK   rA   rL   rM   Listr(   rN   rO   NamerP   r*   rQ   r$   rR   r3   r,   r4   r1   r2   r8   r9   r:   rC   r;   rF   r>   rS   rD   r   rE   r=   r   r   r   r   rH      sT   rH   c               @   sV   e Zd Zdg fddZejejejd dddZej	e
d ddd	Zed
ddZdS )OCSPRequestBuilderNc             C   s   || _ || _d S )N)_request_extensions)r-   requestr>   r   r   r   r5   ;  s    zOCSPRequestBuilder.__init__)r.   r/   r"   r7   c             C   sL   | j d k	rtdt| t|tjr2t|tjs:tdt|||f| jS )Nz.Only one certificate can be added to a requestz%cert and issuer must be a Certificate)	rY   r!   r#   r   r   r(   r)   rX   rZ   )r-   r.   r/   r"   r   r   r   add_certificate?  s    

z"OCSPRequestBuilder.add_certificate)extvalcriticalr7   c             C   sD   t |tjstdt|j||}t|| j t| j	| j|g S )Nz"extension must be an ExtensionType)
r   r   ExtensionTyper)   	Extensionoidr	   rZ   rX   rY   )r-   r]   r^   	extensionr   r   r   add_extensionP  s    z OCSPRequestBuilder.add_extension)r7   c             C   s(   ddl m} | jd krtd|| S )Nr   )backendz*You must add a certificate before building),cryptography.hazmat.backends.openssl.backendrd   rY   r!   Zcreate_ocsp_request)r-   rd   r   r   r   build]  s    
zOCSPRequestBuilder.build)r   r   r   r5   r   r(   r   rB   r\   r_   boolrc   r6   rf   r   r   r   r   rX   :  s   rX   c            
   @   s   e Zd Zdddg fddZejejejee	j	e
je	j	 e
je	j	 e
jej d d	ddZeejd ddd	Ze
jej d d
ddZejed dddZee
jej edddZeeedddZdS )OCSPResponseBuilderNc             C   s   || _ || _|| _|| _d S )N)	_response_responder_id_certsrZ   )r-   responseresponder_idcertsr>   r   r   r   r5   g  s    zOCSPResponseBuilder.__init__)	r.   r/   r"   r0   r1   r2   r3   r4   r7   c	       
   	   C   s<   | j d k	rtdt||||||||}	t|	| j| j| jS )Nz#Only one response per OCSPResponse.)ri   r!   r'   rh   rj   rk   rZ   )
r-   r.   r/   r"   r0   r1   r2   r3   r4   Z
singlerespr   r   r   add_responseo  s     
z OCSPResponseBuilder.add_response)r<   responder_certr7   c             C   sP   | j d k	rtdt|tjs&tdt|ts8tdt| j||f| j	| j
S )Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding)rj   r!   r   r   r(   r)   r
   rh   ri   rk   rZ   )r-   r<   rp   r   r   r   rm     s    

z OCSPResponseBuilder.responder_id)rn   r7   c             C   s\   | j d k	rtdt|}t|dkr.tdtdd |D sHtdt| j| j|| j	S )Nz!certificates may only be set oncer   zcerts must not be an empty listc             s   s   | ]}t |tjV  qd S )N)r   r   r(   )r   r   r   r   r   	<genexpr>  s    z3OCSPResponseBuilder.certificates.<locals>.<genexpr>z$certs must be a list of Certificates)
rk   r!   listlenallr)   rh   ri   rj   rZ   )r-   rn   r   r   r   rN     s    
z OCSPResponseBuilder.certificates)r]   r^   r7   c             C   sL   t |tjstdt|j||}t|| j t| j	| j
| j| j|g S )Nz"extension must be an ExtensionType)r   r   r_   r)   r`   ra   r	   rZ   rh   ri   rj   rk   )r-   r]   r^   rb   r   r   r   rc     s    z!OCSPResponseBuilder.add_extension)private_keyr"   r7   c             C   sB   ddl m} | jd krtd| jd kr0td|tj| ||S )Nr   )rd   z&You must add a response before signingz*You must add a responder_id before signing)re   rd   ri   r!   rj   create_ocsp_responser   r   )r-   ru   r"   rd   r   r   r   sign  s    

zOCSPResponseBuilder.sign)rI   r7   c             C   s@   ddl m} t|tstd|tjkr0td||d d d S )Nr   )rd   z7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)re   rd   r   r   r)   r   r!   rv   )clsrI   rd   r   r   r   build_unsuccessful  s    

z&OCSPResponseBuilder.build_unsuccessful)r   r   r   r5   r   r(   r   rB   r$   r*   rT   rU   r,   ro   r
   rm   IterablerN   r_   rg   rc   r   rH   rw   classmethodr   ry   r   r   r   r   rh   f  s,   	




rh   )datar7   c             C   s   ddl m} || S )Nr   )rd   )re   rd   load_der_ocsp_request)r|   rd   r   r   r   r}     s    r}   c             C   s   ddl m} || S )Nr   )rd   )re   rd   load_der_ocsp_response)r|   rd   r   r   r   r~     s    r~   )&r?   r*   rT   enumr   Zcryptographyr   Zcryptography.hazmat.primitivesr   r   Zcryptography.x509.baser   r   r   r	   SHA1SHA224SHA256SHA384SHA512Z_OIDS_TO_HASHr
   r   Z_RESPONSE_STATUS_TO_ENUMr    r#   r$   Z_CERT_STATUS_TO_ENUMobjectr'   ABCMetar6   rH   rX   rh   rA   r}   r~   r   r   r   r   <module>   s<   		F& 	,|