˺h#NddlmZddlZddlZddlZddlmZmZddlm Z ddl m Z m Z ddl mZddlmZmZmZGdd ejZGd d ejZe je je je je jfZd dZGddejZGddZGddejZ GddejZ!GddejZ"e #e j e"#e j"e!#e j!GddZ$GddZ%e j&Z&e j'Z'dS)!) annotationsN)utilsx509)ocsp)hashes serialization) CertificateIssuerPrivateKeyTypes)_EARLIEST_UTC_TIME_convert_to_naive_utc_time_reject_duplicate_extensionceZdZdZdZdS)OCSPResponderEncodingzBy HashzBy NameN)__name__ __module__ __qualname__HASHNAMEx/builddir/build/BUILD/imunify360-venv-2.5.2/opt/imunify360/venv/lib64/python3.11/site-packages/cryptography/x509/ocsp.pyrrs D DDDrrc&eZdZdZdZdZdZdZdZdS)OCSPResponseStatusrN) rrr SUCCESSFULMALFORMED_REQUESTINTERNAL_ERROR TRY_LATER SIG_REQUIRED UNAUTHORIZEDrrrrrs-JNILLLLrr algorithmhashes.HashAlgorithmreturnNonecNt|tstddS)Nz9Algorithm must be SHA1, SHA224, SHA256, SHA384, or SHA512) isinstance_ALLOWED_HASHES ValueError)r$s r_verify_algorithmr,/s3 i 1 1  G     rceZdZdZdZdZdS)OCSPCertStatusrrrN)rrrGOODREVOKEDUNKNOWNrrrr.r.6s DGGGGrr.ceZdZddZdS)_SingleResponsecertx509.Certificateissuerr$r% cert_statusr. this_updatedatetime.datetime next_updatedatetime.datetime | Nonerevocation_timerevocation_reasonx509.ReasonFlags | Nonec ft|tjrt|tjstdt |t|t jstd|)t|t jstd||_||_||_||_ ||_ t|tstd|tj ur#|td|tdn}t|t jstdt|}|tkrtd|)t|tjstd ||_||_||_dS) N%cert and issuer must be a Certificatez%this_update must be a datetime objectz-next_update must be a datetime object or Nonez8cert_status must be an item from the OCSPCertStatus enumzBrevocation_time can only be provided if the certificate is revokedzDrevocation_reason can only be provided if the certificate is revokedz)revocation_time must be a datetime objectz7The revocation_time must be on or after 1950 January 1.zCrevocation_reason must be an item from the ReasonFlags enum or None)r)r Certificate TypeErrorr,datetime_cert_issuer _algorithm _this_update _next_updater.r0r+r r ReasonFlags _cert_status_revocation_time_revocation_reason) selfr4r6r$r7r8r:r<r=s r__init__z_SingleResponse.__init__=s$ 011 E D$: :  ECDD D)$$$+x'899 ECDD D  ": *, , "KLL L  #''+~66 J  n4 4 4* !!, "- ox/@AA M KLLL8IIO!333 ' !,Z!4#366, # ( /"3rN)r4r5r6r5r$r%r7r.r8r9r:r;r<r;r=r>)rrrrNrrrr3r3<s.B4B4B4B4B4B4rr3c*eZdZeejddZeejddZeejddZeejddZ ejdd Z eejdd Z dS) OCSPRequestr&bytescdSz3 The hash of the issuer public key NrrMs rissuer_key_hashzOCSPRequest.issuer_key_hashrcdSz- The hash of the issuer name NrrTs rissuer_name_hashzOCSPRequest.issuer_name_hashrVrr%cdSzK The hash algorithm used in the issuer name and key hashes NrrTs rhash_algorithmzOCSPRequest.hash_algorithmrVrintcdSzM The serial number of the cert whose status is being checked NrrTs r serial_numberzOCSPRequest.serial_numberrVrencodingserialization.EncodingcdS)z/ Serializes the request to DER NrrMras r public_byteszOCSPRequest.public_bytesrVrx509.ExtensionscdS)zP The list of request extensions. Not single request extensions. NrrTs r extensionszOCSPRequest.extensionsrVrNr&rQr&r%r&r]rarbr&rQr&rf) rrrpropertyabcabstractmethodrUrYr\r`rerhrrrrPrPs    X    X    X    X         X   rrP) metaclasscfeZdZeejddZeejddZeejddZeejddZ eejdd Z eejdd Z eejdd Z eejdd Z eejddZeejddZeejddZeejddZdS)OCSPSingleResponser&r.cdSzY The status of the certificate (an element from the OCSPCertStatus enum) NrrTs rcertificate_statusz%OCSPSingleResponse.certificate_statusrVrr;cdSz^ The date of when the certificate was revoked or None if not revoked. NrrTs rr<z"OCSPSingleResponse.revocation_timerVrcdSz The date of when the certificate was revoked or None if not revoked. Represented as a non-naive UTC datetime. NrrTs rrevocation_time_utcz&OCSPSingleResponse.revocation_time_utcrVrr>cdSzi The reason the certificate was revoked or None if not specified or not revoked. NrrTs rr=z$OCSPSingleResponse.revocation_reasonrVrr9cdSz The most recent time at which the status being indicated is known by the responder to have been correct NrrTs rr8zOCSPSingleResponse.this_updaterVrcdSz The most recent time at which the status being indicated is known by the responder to have been correct. Represented as a non-naive UTC datetime. NrrTs rthis_update_utcz"OCSPSingleResponse.this_update_utcrVrcdSzC The time when newer information will be available NrrTs rr:zOCSPSingleResponse.next_updaterVrcdSzu The time when newer information will be available. Represented as a non-naive UTC datetime. NrrTs rnext_update_utcz"OCSPSingleResponse.next_update_utcrVrrQcdSrSrrTs rrUz"OCSPSingleResponse.issuer_key_hashrVrcdSrXrrTs rrYz#OCSPSingleResponse.issuer_name_hashrVrr%cdSr[rrTs rr\z!OCSPSingleResponse.hash_algorithmrVrr]cdSr_rrTs rr`z OCSPSingleResponse.serial_numberrVrNr&r.r&r;r&r>r&r9rirjrk)rrrrnrorprvr<r{r=r8rr:rrUrYr\r`rrrrsrss:    X    X    X    X    X    X    X    X    X    X    X    X   rrsceZdZeejd.dZeejd/dZeejd0dZeejd1d Z eejd2d Z eejd2d Z eejd3dZ eejd4dZ eejd5dZeejd6dZeejd6dZeejd7dZeejd8dZeejd8dZeejd9dZeejd6dZeejd6dZeejd8dZeejd8d Zeejd2d!Zeejd2d"Zeejd:d$Zeejd;d&Zeejd OCSPResponser&#typing.Iterator[OCSPSingleResponse]cdS)z_ An iterator over the individual SINGLERESP structures in the response NrrTs r responseszOCSPResponse.responses rVrrcdS)zm The status of the response. This is a value from the OCSPResponseStatus enumeration NrrTs rresponse_statuszOCSPResponse.response_statusrVrx509.ObjectIdentifiercdS)zA The ObjectIdentifier of the signature algorithm NrrTs rsignature_algorithm_oidz$OCSPResponse.signature_algorithm_oidrVrhashes.HashAlgorithm | NonecdS)zX Returns a HashAlgorithm corresponding to the type of the digest signed NrrTs rsignature_hash_algorithmz%OCSPResponse.signature_hash_algorithm"rVrrQcdS)z% The signature bytes NrrTs r signaturezOCSPResponse.signature+rVrcdS)z+ The tbsResponseData bytes NrrTs rtbs_response_byteszOCSPResponse.tbs_response_bytes2rVrlist[x509.Certificate]cdS)z A list of certificates used to help build a chain to verify the OCSP response. This situation occurs when the OCSP responder uses a delegate certificate. NrrTs r certificateszOCSPResponse.certificates9rVr bytes | NonecdS)z2 The responder's key hash or None NrrTs rresponder_key_hashzOCSPResponse.responder_key_hashBrVrx509.Name | NonecdS)z. The responder's Name or None NrrTs rresponder_namezOCSPResponse.responder_nameIrVrr9cdS)z4 The time the response was produced NrrTs r produced_atzOCSPResponse.produced_atPrVrcdS)zf The time the response was produced. Represented as a non-naive UTC datetime. NrrTs rproduced_at_utczOCSPResponse.produced_at_utcWrVrr.cdSrurrTs rrvzOCSPResponse.certificate_status_rVrr;cdSrxrrTs rr<zOCSPResponse.revocation_timefrVrcdSrzrrTs rr{z OCSPResponse.revocation_time_utcnrVrr>cdSr}rrTs rr=zOCSPResponse.revocation_reasonvrVrcdSrrrTs rr8zOCSPResponse.this_update~rVrcdSrrrTs rrzOCSPResponse.this_update_utcrVrcdSrrrTs rr:zOCSPResponse.next_updaterVrcdSrrrTs rrzOCSPResponse.next_update_utcrVrcdSrSrrTs rrUzOCSPResponse.issuer_key_hashrVrcdSrXrrTs rrYzOCSPResponse.issuer_name_hashrVrr%cdSr[rrTs rr\zOCSPResponse.hash_algorithmrVrr]cdSr_rrTs rr`zOCSPResponse.serial_numberrVrrfcdS)zR The list of response extensions. Not single response extensions. NrrTs rrhzOCSPResponse.extensionsrVrcdS)zR The list of single response extensions. Not response extensions. NrrTs rsingle_extensionszOCSPResponse.single_extensionsrVrrarbcdS)z0 Serializes the response to DER Nrrds rrezOCSPResponse.public_bytesrVrN)r&r)r&r)r&r)r&rri)r&r)r&r)r&rrrrrrjrkrmrl) rrrrnrorprrrrrrrrrrrrvr<r{r=r8rr:rrUrYr\r`rhrrerrrrr s    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X    X        rrc>eZdZddgfdd ZddZd dZd!dZd"dZdS)#OCSPRequestBuilderNrequestFtuple[x509.Certificate, x509.Certificate, hashes.HashAlgorithm] | None request_hash5tuple[bytes, bytes, int, hashes.HashAlgorithm] | Nonerh(list[x509.Extension[x509.ExtensionType]]r&r'c0||_||_||_dSN)_request _request_hash _extensions)rMrrrhs rrNzOCSPRequestBuilder.__init__s!  )%rr4r5r6r$r%c|j|jtdt|t |t jrt |t jstdt|||f|j|j S)N.Only one certificate can be added to a requestr@) rrr+r,r)rrArBrr)rMr4r6r$s radd_certificatez"OCSPRequestBuilder.add_certificates = $(:(FMNN N)$$$$ 011 E D$: :  ECDD D! 69 %t'94;K   rrYrQrUr`r]c|j|jtdt|tst dt |tjd|tjd||j t|ks|j t|krtdt|j||||f|j S)Nrz serial_number must be an integerrYrUz`issuer_name_hash and issuer_key_hash must be the same length as the digest size of the algorithm) rrr+r)r]rBr,r _check_bytes digest_sizelenrr)rMrYrUr`r$s radd_certificate_by_hashz*OCSPRequestBuilder.add_certificate_by_hashs = $(:(FMNN N--- @>?? ?)$$$ -/?@@@ ,o>>>  C % %    "c/&:&: : :6  " M  y I     rextvalx509.ExtensionTypecriticalboolct|tjstdtj|j||}t ||jt|j |j g|j|SNz"extension must be an ExtensionType) r)r ExtensionTyperB Extensionoidr rrrrrMrr extensions r add_extensionz OCSPRequestBuilder.add_extensions}&$"455 B@AA AN6:x@@ #It/?@@@! M4-/M1A/M9/M   rrPcd|j|jtdtj|S)Nz*You must add a certificate before building)rrr+rcreate_ocsp_requestrTs rbuildzOCSPRequestBuilder.build!s2 = T%7%?IJJ J'---r)rrrrrhrr&r')r4r5r6r5r$r%r&r) rYrQrUrQr`r]r$r%r&r)rrrrr&r)r&rP)rrrrNrrrrrrrrrs ?A & & & & &    &    <     ......rrc`eZdZdddgfd.d Zd/dZd0dZd1d Zd2d%Zd3d*Ze d4d-Z dS)5OCSPResponseBuilderNresponse_SingleResponse | None responder_id5tuple[x509.Certificate, OCSPResponderEncoding] | Nonecertslist[x509.Certificate] | Nonerhrc>||_||_||_||_dSr) _response _responder_id_certsr)rMrrrrhs rrNzOCSPResponseBuilder.__init__)s(") %rr4r5r6r$r%r7r.r8r9r:r;r<r=r>r&c |jtdt||||||||} t| |j|j|jS)Nz#Only one response per OCSPResponse.)rr+r3rrrr) rMr4r6r$r7r8r:r<r= singleresps r add_responsez OCSPResponseBuilder.add_response6sj > %BCC C$           #    K      rrarresponder_certc|jtdt|tjst dt|t st dt|j||f|j |j S)Nz!responder_id can only be set oncez$responder_cert must be a Certificatez6encoding must be an element from OCSPResponderEncoding) rr+r)rrArBrrrrr)rMrars rrz OCSPResponseBuilder.responder_idUs   )@AA A.$*:;; DBCC C($9:: H # N X & K      r!typing.Iterable[x509.Certificate]c"|jtdt|}t|dkrtdt d|Dst dt |j|j||j S)Nz!certificates may only be set oncerzcerts must not be an empty listc3JK|]}t|tjVdSr)r)rrA).0xs r z3OCSPResponseBuilder.certificates..ps/BBq:a!122BBBBBBrz$certs must be a list of Certificates) rr+listrallrBrrrr)rMrs rrz OCSPResponseBuilder.certificateshs ; "@AA AU  u::??>?? ?BBEBBBBB DBCC C" N         rrrrrct|tjstdtj|j||}t ||jt|j |j |j g|j|Sr) r)rrrBrrr rrrrrrs rrz!OCSPResponseBuilder.add_extensionys&$"455 B@AA AN6:x@@ #It/?@@@" N   K *d * *    r private_keyr rrc|jtd|jtdtjt j|||S)Nz&You must add a response before signingz*You must add a responder_id before signing)rr+rrcreate_ocsp_responserr)rMrr$s rsignzOCSPResponseBuilder.signsT > !EFF F   %IJJ J(  )4i   rrrct|tstd|tjurt dt j|dddS)Nz7response_status must be an item from OCSPResponseStatusz$response_status cannot be SUCCESSFUL)r)rrBrr+rr)clsrs rbuild_unsuccessfulz&OCSPResponseBuilder.build_unsuccessfulsc/+=>> I  0; ; ;CDD D($dKKKr)rrrrrrrhr)r4r5r6r5r$r%r7r.r8r9r:r;r<r;r=r>r&r)rarrr5r&r)rrr&r)rrrrr&r)rr r$rr&r)rrr&r) rrrrNrrrrr classmethodrrrrrr(s,0/3?A & & & & &    >    &    "         L L L[ L L Lrr)r$r%r&r')( __future__rrorCtyping cryptographyrr"cryptography.hazmat.bindings._rustrcryptography.hazmat.primitivesrr/cryptography.hazmat.primitives.asymmetric.typesr cryptography.x509.baser r r EnumrrSHA1SHA224SHA256SHA384SHA512r*r,r.r3ABCMetarPrsrregisterrrload_der_ocsp_requestload_der_ocsp_responserrrrs$ #"""""  $$$$$$$$333333@@@@@@@@EJ  K M M M M     UZ C4C4C4C4C4C4C4C4L( ( ( ( ( CK( ( ( ( VZ Z Z Z Z 3;Z Z Z Z zB B B B B S[B B B B J T%&&& d'(((D3444Q.Q.Q.Q.Q.Q.Q.Q.hzLzLzLzLzLzLzLzLz24r