a a8@s6ddlZddlZddlZddlmZddlmZddlmZddlm Z m Z ddl m Z m Z mZmZGdddejZGd d d ejZe je je je je jfZd d ZGd ddejZGdddeZGdddejdZGdddejdZGdddeZ GdddeZ!e"edddZ#e"edddZ$dS)N)utils)x509)ocsp)hashes serialization)PRIVATE_KEY_TYPES_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionc@seZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__ZHASHNAMErrr Extensionsr?rrrrr/sr/) metaclassc@seZdZejedddZejejdddZ eje j e j dddZejeddd Zejedd d Zeje jejdd d Zeje j edddZeje j ejdddZejejdddZejedddZeje j ejdddZeje j ejdddZejejdddZeje j ejdddZ ejedddZ!ejedd d!Z"eje j dd"d#Z#eje$dd$d%Z%ejej&dd&d'Z'ejej&dd(d)Z(ej)e*j+ed*d+d,Z,d-S). OCSPResponser0cCsdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration Nrr3rrrresponse_statusszOCSPResponse.response_statuscCsdS)zA The ObjectIdentifier of the signature algorithm Nrr3rrrsignature_algorithm_oidsz$OCSPResponse.signature_algorithm_oidcCsdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed Nrr3rrrsignature_hash_algorithmsz%OCSPResponse.signature_hash_algorithmcCsdS)z% The signature bytes Nrr3rrr signatureszOCSPResponse.signaturecCsdS)z+ The tbsResponseData bytes Nrr3rrrtbs_response_bytesszOCSPResponse.tbs_response_bytescCsdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. Nrr3rrr certificatesszOCSPResponse.certificatescCsdS)z2 The responder's key hash or None Nrr3rrrresponder_key_hashszOCSPResponse.responder_key_hashcCsdS)z. The responder's Name or None Nrr3rrrresponder_nameszOCSPResponse.responder_namecCsdS)z4 The time the response was produced Nrr3rrr produced_atszOCSPResponse.produced_atcCsdS)zY The status of the certificate (an element from the OCSPCertStatus enum) Nrr3rrrcertificate_statusszOCSPResponse.certificate_statuscCsdS)z^ The date of when the certificate was revoked or None if not revoked. Nrr3rrrr,szOCSPResponse.revocation_timecCsdS)zi The reason the certificate was revoked or None if not specified or not revoked. Nrr3rrrr-szOCSPResponse.revocation_reasoncCsdS)z The most recent time at which the status being indicated is known by the responder to have been correct Nrr3rrrr*szOCSPResponse.this_updatecCsdS)zC The time when newer information will be available Nrr3rrrr+szOCSPResponse.next_updatecCsdSr2rr3rrrr4szOCSPResponse.issuer_key_hashcCsdSr5rr3rrrr6 szOCSPResponse.issuer_name_hashcCsdSr7rr3rrrr8szOCSPResponse.hash_algorithmcCsdSr9rr3rrrr:szOCSPResponse.serial_numbercCsdS)zR The list of response extensions. Not single response extensions. Nrr3rrrr?szOCSPResponse.extensionscCsdS)zR The list of single response extensions. Not response extensions. Nrr3rrrsingle_extensions!szOCSPResponse.single_extensionsr;cCsdS)z0 Serializes the response to DER Nrr=rrrr>'szOCSPResponse.public_bytesN)-r r rr@rArrJrZObjectIdentifierrKtypingOptionalrrCrLrBrMrNListr"rOrPNamerQr$rRrrSr,r%r-r*r+r4r6r8rDr:rGr?rTrErrFr>rrrrrIsV rIc@seZdZdgfejejejejej fej ej ej ddddZ ejejej ddddZej eddd d Zed d d ZdS)OCSPRequestBuilderN)requestr?r1cCs||_||_dSN)_request _extensions)r&rZr?rrrr./s zOCSPRequestBuilder.__init__)r'r(rr1cCsL|jdurtdt|t|tjr2t|tjs:tdt|||f|jS)Nz.Only one certificate can be added to a requestr!) r\rrrrr"r#rYr])r&r'r(rrrradd_certificate;s z"OCSPRequestBuilder.add_certificateextvalcriticalr1cCsDt|tjstdt|j||}t||jt|j |j|gSNz"extension must be an ExtensionType) rr ExtensionTyper# Extensionoidr r]rYr\r&r`ra extensionrrr add_extensionLs  z OCSPRequestBuilder.add_extensionr0cCs|jdurtdt|S)Nz*You must add a certificate before building)r\rrZcreate_ocsp_requestr3rrrbuildYs zOCSPRequestBuilder.build)r r rrUrVTuplerr"rrCrWrdrcr.r^boolrhr/rirrrrrY.s(   rYc @s eZdZdddgfejeejejeje fejej ejej ej ej dddZ ejejejeejejejejejejejdd ddZe ejddd d Zejejdd d d Zej eddddZeejejedddZeeedddZdS)OCSPResponseBuilderN)response responder_idcertsr?cCs||_||_||_||_dSr[) _response _responder_id_certsr])r&rmrnror?rrrr.as zOCSPResponseBuilder.__init__) r'r(rr)r*r+r,r-r1c Cs<|jdurtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rprr rlrqrrr]) r&r'r(rr)r*r+r,r-Z singleresprrr add_responseos$  z OCSPResponseBuilder.add_response)r<responder_certr1cCsP|jdurtdt|tjs&tdt|ts8tdt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rqrrrr"r#r rlrprrr])r&r<rtrrrrns   z OCSPResponseBuilder.responder_id)ror1cCs\|jdurtdt|}t|dkr.tdtdd|DsHtdt|j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listcss|]}t|tjVqdSr[)rrr").0xrrr z3OCSPResponseBuilder.certificates..z$certs must be a list of Certificates) rrrlistlenallr#rlrprqr])r&rorrrrOs  z OCSPResponseBuilder.certificatesr_cCsLt|tjstdt|j||}t||jt|j |j |j |j|gSrb) rrrcr#rdrer r]rlrprqrrrfrrrrhs   z!OCSPResponseBuilder.add_extension) private_keyrr1cCs6|jdurtd|jdur$tdttj|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rprrqrcreate_ocsp_responserr)r&r|rrrrsigns   zOCSPResponseBuilder.sign)rJr1cCs4t|tstd|tjur$tdt|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)rrr#rrrr})clsrJrrrbuild_unsuccessfuls  z&OCSPResponseBuilder.build_unsuccessful)r r rrUrVr rjrr"r rWrdrcr.rrCrr$r%rsrnIterablerOrkrhrrIr~ classmethodrrrrrrrl`sN           rl)datar1cCs t|Sr[)rload_der_ocsp_requestrrrrrsrcCs t|Sr[)rload_der_ocsp_responserrrrrsr)%r@r$rUZ cryptographyrrZ"cryptography.hazmat.bindings._rustrZcryptography.hazmat.primitivesrrZcryptography.x509.baserrr r Enumr rZSHA1ZSHA224ZSHA256ZSHA384ZSHA512rrrobjectr ABCMetar/rIrYrlrBrrrrrrs2     F& 2~