U gRn@stdZddlmZmZmZmZddlmZddlm Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdd lmZdd lmZmZmZdd lmZmZmZmZdd l m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>ddl?m@Z@mAZAmBZBmCZCGddde*ZDGddde*ZEGddde*ZFGddde0ZGGddde3ZHGddde4ZIGddde"ZJGddde3ZKGdd d e7ZLed!d"ZMGd#d$d$e%ZNGd%d&d&e.ZOGd'd(d(e3ZPGd)d*d*e6ZQGd+d,d,e4ZRGd-d.d.e%ZSGd/d0d0e3ZTGd1d2d2e%ZUGd3d4d4e%ZVGd5d6d6e%ZWGd7d8d8e5ZXGd9d:d:e5ZYGd;d<dd>e4Z[Gd?d@d@e3Z\GdAdBdBe3Z]GdCdDdDe4Z^GdEdFdFe3Z_GdGdHdHe4Z`GdIdJdJe%ZaGdKdLdLe%ZbGdMdNdNe5ZcGdOdPdPe4ZdGdQdRdRe5ZeGdSdTdTe3ZfGdUdVdVe6ZgGdWdXdXe3ZhGdYdZdZe%ZiGd[d\d\e+ZjGd]d^d^e+ZkGd_d`d`e3ZlGdadbdbe4ZmGdcdddde3ZnGdedfdfe3ZoGdgdhdhe%ZpGdidjdje4ZqGdkdldle%ZrGdmdndne3ZsGdodpdpe3ZtGdqdrdre3ZuGdsdtdte%ZvGdudvdve"ZwGdwdxdxe3ZxGdydzdze4ZyGd{d|d|e3ZzGd}d~d~e3Z{Gddde4Z|Gddde%Z}Gddde4Z~Gddde3ZGddde3ZGddde.ZGddde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde4ZGddde3ZGddde.ZGddde4ZGddde.ZGddde3ZGddde4ZGddde4ZGddde4ZGddde3ZGddde"ZGddde+ZGddde3ZGddde6ZGddde3ZGddde3ZGddde6ZGddde'ZGddde'ZGddde'ZGddde'ZGdd„de'ZGddĄde'ZGddƄde3ZGddȄde3ZGddʄde'ZGdd̄de3ZGdd΄de3ZGddЄde6ZGdd҄de.ZGddԄde6ZGddքde6ZGdd؄de6ZGddڄde3ZGdd܄de6ZGddބde3ZGddde4ZGddde.ZGddde3ZGddde4ZGddde3ZGddde3ZGddde4ZGddde4ZGddde3ZGddde&ZdS)z ASN.1 type classes for X.509 certificates. Exports the following items: - Attributes() - Certificate() - Extensions() - GeneralName() - GeneralNames() - Name() Other type classes are defined that help compose the types listed above. )unicode_literalsdivisionabsolute_importprint_function)contextmanager)idnaN)unwrap) iri_to_uri uri_to_iri) OrderedDict) type_namestr_cls bytes_to_list)AlgorithmIdentifierAnyAlgorithmIdentifierDigestAlgorithmSignedDigestAlgorithm)Any BitString BMPStringBooleanChoiceConcat EnumeratedGeneralizedTime GeneralString IA5StringIntegerNull NumericStringObjectIdentifierOctetBitString OctetStringParsableOctetStringPrintableStringSequence SequenceOfSetSetOf TeletexStringUniversalStringUTCTime UTF8String VisibleStringVOID) PublicKeyInfo) int_to_bytesint_from_bytes inet_ntop inet_ptonc@s,eZdZdZdZddZddZddZd S) DNSNamer cCs ||k SNselfotherr:r:3/tmp/pip-unpacked-wheel-etcy_95o/asn1crypto/x509.py__ne__LszDNSName.__ne__cCs&t|tsdS||kS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.2 :param other: Another DNSName object :return: A boolean F) isinstancer5 __unicode__lowerr;r:r:r>__eq__Os zDNSName.__eq__cCsxt|ts"ttdt|t||drFd|dd|j}n ||j}||_||_ d|_ |j dkrtd|_ dS)zd Sets the value of the DNS name :param value: A unicode string K %s value must be a unicode string, not %s ..rN) r@r TypeErrorr r startswithencode _encoding_unicodecontents_header_trailer)r<value encoded_valuer:r:r>set_s    z DNSName.setN)__name__ __module__ __qualname__rK_bad_tagr?rCrRr:r:r:r>r5Gs r5c@s,eZdZddZddZddZddZd S) URIcCsLt|ts"ttdt|t|||_t||_d|_|j dkrHd|_ dS)b Sets the value of the string :param value: A unicode string rDNrG) r@rrHr r rLr rMrNrOr<rPr:r:r>rR~s   zURI.setcCs ||k Sr9r:r;r:r:r>r?sz URI.__ne__cCs&t|tsdSt|jdt|jdkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.4 :param other: Another URI object :return: A boolean FT)r@rWr nativer;r:r:r>rCs z URI.__eq__cCs,|jdkrdS|jdkr&t||_|jS7 :return: A unicode string N)rMrLr _merge_chunksr<r:r:r>rAs   zURI.__unicode__N)rSrTrUrRr?rCrAr:r:r:r>rW|srWc@sReZdZdZdZdZeddZejddZddZ d d Z d d Z d dZ dS) EmailAddressNFr6cCs|jS)z` :return: A byte string of the DER-encoded contents of the sequence ) _contentsr_r:r:r>rMszEmailAddress.contentscCsd|_||_dS)ze :param value: A byte string of the DER-encoded contents of the sequence FN) _normalizedrarYr:r:r>rMscCst|ts"ttdt|t||ddkrZ|dd\}}|dd|d}n |d}d|_||_ ||_ d |_ |j d krd |_ d S) rXrD@rascii@rTNrG) r@rrHr r findrsplitrJrbrLrMrNrO)r<rPmailboxhostnamerQr:r:r>rRs    zEmailAddress.setcCs^|jdkrX|}|ddkr.|d|_n*|dd\}}|dd|d|_|jS)r\Nrfrdcp1252rrcr)rLr^rgdecoderh)r<rMrirjr:r:r>rAs zEmailAddress.__unicode__cCs ||k Sr9r:r;r:r:r>r?szEmailAddress.__ne__cCst|tsdS|js ||j|js2||j|jddksR|jddkr^|j|jkS|jdd\}}|jdd\}}||krdS||krdSdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.5 :param other: Another EmailAddress object :return: A boolean FrfrdrT) r@r`rbrRrZrargrhrB)r<r=Z other_mailboxZother_hostnamerirjr:r:r>rCs     zEmailAddress.__eq__) rSrTrUrarbrVpropertyrMsetterrRrAr?rCr:r:r:r>r`s  r`c@s:eZdZd ddZddZeddZdd Zd d ZdS) IPAddressNcCsttddS)z? This method is not applicable to IP addresses z= IP address values can not be parsed N) ValueErrorr )r<specZ spec_paramsr:r:r>parse'szIPAddress.parsec CsTt|ts"ttdt|t||}|ddk}d}|rv|dd}|d}t|d}|dkrvttdt||ddkrt j }|dkrttd t|d}n$t j }|d krttd t|d }d }|rd |} | d|t | 7} t t| d}d|dt ||}||_t||||_|j|_d|_|jd krPd |_dS)z Sets the value of the object :param value: A unicode string containing an IPv4 address, IPv4 address with CIDR, an IPv6 address or IPv6 address with CIDR rD/rdrrzT %s value contains a CIDR range less than 0 :z %s value contains a CIDR range bigger than 128, the maximum value for an IPv6 address z %s value contains a CIDR range bigger than 32, the maximum value for an IPv4 address rG10N)r@rrHr r rgsplitintrpsocketAF_INET6AF_INETlenr1_nativer4rMZ_bytesrNrO) r<rPoriginal_valueZhas_cidrcidrpartsfamilyZ cidr_sizeZ cidr_bytesZ cidr_maskr:r:r>rR2sZ    z IPAddress.setcCs|jdkrdS|jdkr|}t|}d}d}|tddgkrnttj|dd}|dkrt|dd}n<|tddgkrttj |dd}|dkrt|dd}|dk rd |}t| d}|d t |}||_|jS) z The native Python datatype representation of this value :return: A unicode string or None Nrvrr{z{0:b}rxrs) rMr __bytes__rrRr3r~rr2rformatrstripr)r<Z byte_stringZbyte_lenrPZcidr_intZ cidr_bitsrr:r:r>rZys*   zIPAddress.nativecCs ||k Sr9r:r;r:r:r>r?szIPAddress.__ne__cCst|tsdS||kS)zl :param other: Another IPAddress object :return: A boolean F)r@rorr;r:r:r>rCs zIPAddress.__eq__)NN) rSrTrUrrrRrmrZr?rCr:r:r:r>ro&s  G roc@s"eZdZdefdedeifgZdS) AttributetypevaluesrqN)rSrTrUr!r)r_fieldsr:r:r:r>rs rc@seZdZeZdS) AttributesN)rSrTrUr _child_specr:r:r:r>rsrc @s$eZdZddddddddd d Zd S) KeyUsageZdigital_signatureZnon_repudiationZkey_enciphermentZdata_enciphermentZ key_agreementZ key_cert_signZcrl_signZ encipher_onlyZ decipher_only rrryrr{NrSrTrU_mapr:r:r:r>rsrc@s,eZdZdedddfdedddfgZdS)PrivateKeyUsagePeriod not_beforerTimplicitoptional not_afterrN)rSrTrUrrr:r:r:r>rsrc@seZdZdZdZddZdS)NotReallyTeletexStringa6 OpenSSL (and probably some other libraries) puts ISO-8859-1 into TeletexString instead of ITU T.61. We use Windows-1252 when decoding since it is a superset of ISO-8859-1, and less likely to cause encoding issues, but we stay strict with encoding to prevent us from creating bad data. rkcCs0|jdkrdS|jdkr*||j|_|jSr[)rMrLr^rl_decoding_encodingr_r:r:r>rAs   z"NotReallyTeletexString.__unicode__N)rSrTrU__doc__rrAr:r:r:r>rsrccszdt_dVW5dt_XdS)Nrkteletex)rrr:r:r:r>strict_teletexs rc@s4eZdZdefdefdefdefdefdefgZ dS)DirectoryStringteletex_stringprintable_stringZuniversal_string utf8_string bmp_string ia5_stringN) rSrTrUrr%r+r-rr _alternativesr:r:r:r>rsrc#@seZdZddddddddd d d d d ddddddddddddddddddd d!d"d#"Zdddd ddd ddddd d dd dddddddd dd!d"dddddddg!Zed$d%Zed&d'Zd(S))NameType common_namesurname serial_number country_name locality_namestate_or_province_namestreet_addressorganization_nameorganizational_unit_nametitlebusiness_category postal_codetelephone_numbername given_nameinitialsgeneration_qualifierunique_identifier dn_qualifier pseudonymorganization_identifiertpm_manufacturer tpm_model tpm_versionplatform_manufacturerplatform_modelplatform_version email_addressincorporation_localityincorporation_state_or_provinceincorporation_countryuser_iddomain_componentname_distinguisher)"z2.5.4.3z2.5.4.4z2.5.4.5z2.5.4.6z2.5.4.7z2.5.4.8z2.5.4.9z2.5.4.10z2.5.4.11z2.5.4.12z2.5.4.15z2.5.4.17z2.5.4.20z2.5.4.41z2.5.4.42z2.5.4.43z2.5.4.44z2.5.4.45z2.5.4.46z2.5.4.65z2.5.4.97z 2.23.133.2.1z 2.23.133.2.2z 2.23.133.2.3z 2.23.133.2.4z 2.23.133.2.5z 2.23.133.2.6z1.2.840.113549.1.9.1z1.3.6.1.4.1.311.60.2.1.1z1.3.6.1.4.1.311.60.2.1.2z1.3.6.1.4.1.311.60.2.1.3z0.9.2342.19200300.100.1.1z0.9.2342.19200300.100.1.25z0.2.262.1.10.7.20cCs4||}||jkr"|j|}n t|j}||fS)z Returns an ordering value for a particular attribute key. Unrecognized attributes and OIDs will be sorted lexically at the end. :return: An orderable value. )mappreferred_orderindexr)cls attr_nameZordinalr:r:r>preferred_ordinalKs   zNameType.preferred_ordinalc#CsVddddddddd d d d d ddddddddddddddddddd d!d"d#"|j|jS)$zZ :return: A human-friendly unicode string to display to users z Common NameZSurnamez Serial NumberCountryZLocalityzState/ProvincezStreet AddressZ OrganizationzOrganizational UnitZTitlezBusiness Categoryz Postal CodezTelephone NumberNamez Given NameZInitialszGeneration QualifierzUnique Identifierz DN QualifierZ Pseudonymz Email AddresszIncorporation LocalityzIncorporation State/ProvincezIncorporation CountryzDomain ComponentzName DistinguisherzOrganization IdentifierzTPM Manufacturerz TPM Modelz TPM VersionzPlatform ManufacturerzPlatform ModelzPlatform VersionzUser ID"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr)getrZr_r:r:r>human_friendly_sL#zNameType.human_friendlyN) rSrTrUrr classmethodrrmrr:r:r:r>rs/$ rc#@seZdZdefdefgZdZeeeeeeeeeeeeeeeeee eee eeee eee e e e e e ed"Z dZeddZdd Zd d Zd d ZdS)NameTypeAndValuerrPrrPrNcCs"|jdkr||dj|_|jS)z Returns the value after being processed by the internationalized string preparation as specified by RFC 5280 :return: A unicode string NrP)_prepped_ldap_string_preprZr_r:r:r> prepped_values zNameTypeAndValue.prepped_valuecCs ||k Sr9r:r;r:r:r>r?szNameTypeAndValue.__ne__cCs2t|tsdS|dj|djkr&dS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another NameTypeAndValue object :return: A boolean Fr)r@rrZrr;r:r:r>rCs zNameTypeAndValue.__eq__cCstdd|}tdd|}tjdkr6tdd|}ntdd|}tdd|}|d d}td d|}dttj|}t d |}|D]}t |rt t d t|rt t d t|rt t dt|rt t dt|rt t d|dkrt t dqd}d}|D](}t|r:d}nt|r$d}q$|rt|d}t|d}|s|r|st t ddtdd|d}|S)a" Implements the internationalized string preparation algorithm from RFC 4518. https://tools.ietf.org/html/rfc4518#section-2 :param string: A unicode string to prepare :return: A prepared unicode string, ready for comparison u[­᠆͏᠋-᠍️-＀]+r]u [ …] iu[-]|[-]|󠀁u[𝅳-𝅺󠀠-󠁿󠀁]u?[---„†-Ÿ۝܏᠎‌-‏‪-‮⁠-⁣--]+u​u[   - 
-
   ]NFKCzc X.509 Name objects may not contain unassigned code points z X.509 Name objects may not contain change display or zzzzdeprecated characters zc X.509 Name objects may not contain private use characters zf X.509 Name objects may not contain non-character code points zb X.509 Name objects may not contain surrogate code points u�zf X.509 Name objects may not contain the replacement character FTrrdz{ X.509 Name object contains a malformed bidirectional sequence z +z )resubsys maxunicodereplacejoinr stringprep map_table_b2 unicodedata normalize in_table_a1rpr in_table_c8 in_table_c3 in_table_c4 in_table_c5 in_table_d1 in_table_d2strip)r<stringcharZhas_r_and_al_catZ has_l_catZfirst_is_r_and_alZlast_is_r_and_alr:r:r>rsn           z"NameTypeAndValue._ldap_string_prep)rSrTrUrrr _oid_pairrr%r"r`r5r- _oid_specsrrmrr?rCrr:r:r:r>rsZ' rc@s<eZdZeZeddZddZddZddZ d d Z d S) RelativeDistinguishedNamecCs@g}||}t|D]}|d|||fqd|S)b :return: A unicode string that can be used as a dict key or in a set %s: %s) _get_valuessortedkeysappendr)r<outputrkeyr:r:r>hashablePs  z"RelativeDistinguishedName.hashablecCs ||k Sr9r:r;r:r:r>r?`sz RelativeDistinguishedName.__ne__cCszt|tsdSt|t|kr"dS||}||}||krBdS||}||}|D]}||||krZdSqZdS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RelativeDistinguishedName object :return: A boolean FT)r@rr _get_typesr)r<r=Z self_typesZ other_typesZ self_valuesZ other_valuesZ type_name_r:r:r>rCcs     z RelativeDistinguishedName.__eq__cCstdd|DS)z Returns a set of types contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A set object with unicode strings of NameTypeAndValue type field values cSsg|]}|djqSrrZ.0Zntvr:r:r> sz8RelativeDistinguishedName._get_types..)rRr<rdnr:r:r>rs z$RelativeDistinguishedName._get_typescsifdd|DS)a$ Returns a dict of prepped values contained in an RDN :param rdn: A RelativeDistinguishedName object :return: A dict object with unicode strings of NameTypeAndValue value field values that have been prepped for comparison cs$g|]}|dj|jfgqSr)updaterZrrrr:r>rsz9RelativeDistinguishedName._get_values..r:r r:r r>rs z%RelativeDistinguishedName._get_valuesN) rSrTrUrrrmrr?rCrrr:r:r:r>rMs  rc@s,eZdZeZeddZddZddZdS) RDNSequencecCsddd|DS)rcss|] }|jVqdSr9)r)rr r:r:r> sz'RDNSequence.hashable..)rr_r:r:r>rs zRDNSequence.hashablecCs ||k Sr9r:r;r:r:r>r?szRDNSequence.__ne__cCsJt|tsdSt|t|kr"dSt|D]\}}|||kr*dSq*dS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another RDNSequence object :return: A boolean FT)r@r r enumerate)r<r=rZself_rdnr:r:r>rCs  zRDNSequence.__eq__N) rSrTrUrrrmrr?rCr:r:r:r>r s  r c@seZdZdefgZdZdZdZedddZ e ddZ dd Z d d Z d d Ze ddZe ddZddZe ddZe ddZdS)rr]NFc Csg}|sd}t}nd}t}tt|ddd}|D]\}}t|}|dkr^t|}nF|dkrpt|}n4|t dd d gkrt dt|d }nt |||d }| t t ||d gq:|d t|d S)aY Creates a Name object from a dict of unicode string keys and values. The keys should be from NameType._map, or a dotted-integer OID unicode string. :param name_dict: A dict of name information, e.g. {"common_name": "Will Bond", "country_name": "US", "organization_name": "Codex Non Sufficit LC"} :param use_printable: A bool - if PrintableString should be used for encoding instead of UTF8String. This is for backwards compatibility with old software. :return: An x509.Name object rrcSst|dS)Nr)rr)itemr:r:r>rGzName.build..)rrrrrr)rrPrr])r-r%r ritemsrrr`r5rRrrrrr ) rZ name_dictZ use_printableZrdnsZ encoding_nameZencoding_classattribute_nameZattribute_valuerPr:r:r>buildsD    z Name.buildcCs|jjS)r)chosenrr_r:r:r>rsz Name.hashablecCs t|jSr9)rrr_r:r:r>__len__sz Name.__len__cCs ||k Sr9r:r;r:r:r>r?sz Name.__ne__cCst|tsdS|j|jkS)z Equality as defined by https://tools.ietf.org/html/rfc5280#section-7.1 :param other: Another Name object :return: A boolean F)r@rrr;r:r:r>rC!s z Name.__eq__cCs|jdkr~t|_|jjD]b}|D]X}|d}||jkrl|j|}t|ts\|g}|j|<||dq"|d|j|<q"q|jS)NrrP)rr rrZr@listr)r<r type_val field_nameexistingr:r:r>rZ0s     z Name.nativecCs |jdkrt}d}|jD]R}|D]H}|dj}|}||kr`||g||<|||dq$|d||<q$qg}|}|dkrtt|}|D](}||} || } |d|| fqd} |D]} | ddkrd } qq| sd nd } | |ddd|_|jS) zg :return: A human-friendly unicode string containing the parts of the name NrrPrrF,rdT, z; ) _human_friendlyr rrrrreversedr_recursive_humanizergr)r<dataZ last_fieldr rrZto_joinrrrPZ native_valueZ has_commaelement separatorr:r:r>r@s6      zName.human_friendlycs,t|tr&dtfdd|DS|jS)z Recursively serializes data compiled from the RDNSequence :param value: An Asn1Value object, or a list of Asn1Value objects :return: A unicode string rcsg|]}|qSr:)r )rZ sub_valuer_r:r>rtsz,Name._recursive_humanize..)r@rrrrZrYr:r_r>r gs zName._recursive_humanizecCs$|jdkrt||_|jS)zZ :return: The SHA1 hash of the DER-encoded bytes of this name N_sha1hashlibsha1dumpdigestr_r:r:r>r'xs z Name.sha1cCs$|jdkrt||_|jS)z] :return: The SHA-256 hash of the DER-encoded bytes of this name N_sha256r&sha256r(r)r_r:r:r>r,s z Name.sha256)F)rSrTrUr rrr%r+rrrmrrr?rCrZrr r'r,r:r:r:r>rs* <   & rc@s"eZdZdefdeddifgZdS) AnotherNameZtype_idrPexplicitrN)rSrTrUr!rrr:r:r:r>r-s r-c@s$eZdZdZdZdefdefgZdS) CountryNamer x121_dcc_codeiso_3166_alpha2_codeNrSrTrUclass_tagr r%rr:r:r:r>r/s r/c@s$eZdZdZdZdefdefgZdS)AdministrationDomainNamerrynumeric printableNr2r:r:r:r>r5s r5c@seZdZdefdefgZdS)PrivateDomainNamer6r7NrSrTrUr r%rr:r:r:r>r8sr8c@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) PersonalNamerrrrrTrrryrrNrSrTrUr%rr:r:r:r>r:s  r:c@sFeZdZdeddifdedddfded ddfd ed ddfgZd S) TeletexPersonalNamerrrrrTrrryrrNrSrTrUr*rr:r:r:r>r<s  r<c@seZdZeZdS)OrganizationalUnitNamesNrSrTrUr%rr:r:r:r>r>sr>c@seZdZeZdS)TeletexOrganizationalUnitNamesN)rSrTrUr*rr:r:r:r>r@sr@c @seZdZdeddifdeddifdedddfded ddfd ed dd fd edddfdedddfdedddfde dddfg Z dS)BuiltInStandardAttributesrrTZadministration_domain_namenetwork_addressrrZterminal_identifierrZprivate_domain_nameryr.rrrZnumeric_user_identifierrZ personal_namerZorganizational_unit_namesrN) rSrTrUr/r5r r%r8r:r>rr:r:r:r>rAs  rAc@seZdZdefdefgZdS)BuiltInDomainDefinedAttributerrPNr;r:r:r:r>rDsrDc@seZdZeZdS)BuiltInDomainDefinedAttributesN)rSrTrUrDrr:r:r:r>rEsrEc@seZdZdefdefgZdS)TeletexDomainDefinedAttributerrPNr=r:r:r:r>rFsrFc@seZdZeZdS)TeletexDomainDefinedAttributesN)rSrTrUrFrr:r:r:r>rGsrGc@seZdZdefdefgZdS)PhysicalDeliveryCountryNamer0r1Nr9r:r:r:r>rHsrHc@seZdZdefdefgZdS) PostalCodeZ numeric_codeZprintable_codeNr9r:r:r:r>rIsrIc@s(eZdZdeddifdeddifgZdS) PDSParameterrrTrN)rSrTrUr%r*rr:r:r:r>rJs  rJc@seZdZeZdS)PrintableAddressNr?r:r:r:r>rKsrKc@s(eZdZdeddifdeddifgZdS)UnformattedPostalAddressZprintable_addressrTrN)rSrTrUrKr*rr:r:r:r>rLs  rLc@s*eZdZdeddifdedddfgZdS) E1634AddressnumberrrZ sub_addressrTrN)rSrTrUr rr:r:r:r>rMs rMc@seZdZeZdS) NAddressesN)rSrTrUr#rr:r:r:r>rOsrOc@sFeZdZdedddfdedddfdedddfd ed d ifgZd S) PresentationAddressZ p_selectorrTrCZ s_selectorrZ t_selectorryZ n_addressesr.rN)rSrTrUr#rOrr:r:r:r>rPs  rPc@s"eZdZdefdeddifgZdS)ExtendedNetworkAddressZe163_4_addressZ psap_addressrrN)rSrTrUrMrPrr:r:r:r>rQ#s rQc@seZdZdddddddZdS) TerminalTypeZtelexrZ g3_facsimileZ g4_facsimileZ ia5_terminalZvideotex)rrrrrr{Nrr:r:r:r>rR*srRc@s@eZdZddddddddd d d d d dddddddddddZdS)ExtensionAttributeTyperteletex_common_nameteletex_organization_nameteletex_personal_nameteletex_organization_unit_names!teletex_domain_defined_attributespds_namephysical_delivery_country_namerphysical_delivery_office_namephysical_delivery_office_numberextension_of_address_componentsphysical_delivery_personal_name#physical_delivery_organization_name.extension_physical_delivery_address_componentsunformatted_postal_addressrpost_office_box_addressposte_restante_addressunique_postal_namelocal_postal_attributesextended_network_address terminal_type)rryrrrrrr{ r7 rr8Nrr:r:r:r>rS5s0rSc@s`eZdZdeddifdeddifgZdZeeee e e ee e eeeeeeeeeeeeeedZd S) ExtensionAttributeextension_attribute_typerrextension_attribute_valuer.r)rurv)rrTrUrVrWrXrYrZrr[r\r]r^r_r`rarrbrcrdrerfrgN)rSrTrUrSrrrr%r*r<r@rGrHrIrJrLrQrRrr:r:r:r>rtQs8  rtc@seZdZeZdS)ExtensionAttributesN)rSrTrUrtrr:r:r:r>rwssrwc@s.eZdZdefdeddifdeddifgZdS) ORAddressZbuilt_in_standard_attributesZ"built_in_domain_defined_attributesrTZextension_attributesN)rSrTrUrArErwrr:r:r:r>rxws  rxc@s*eZdZdedddfdeddifgZdS) EDIPartyNameZ name_assignerrTrZ party_namerrN)rSrTrUrrr:r:r:r>rys ryc @seZdZdeddifdeddifdeddifdedd ifd ed d ifd eddifde ddifde ddifde ddifg Z ddZ ddZdS) GeneralName other_namerrZ rfc822_namerdns_namery x400_addressrZdirectory_namer.redi_party_nameruniform_resource_identifierr ip_addressrZ registered_idr{cCs ||k Sr9r:r;r:r:r>r?szGeneralName.__ne__cCsP|jdkrttd|j|jdkr4ttd|j|j|jkrDdS|j|jkS)z Does not support other_name, x400_address or edi_party_name :param other: The other GeneralName to compare to :return: A boolean )r{r}r~zr Comparison is not supported for GeneralName objects of choice %s za Comparison is not supported for GeneralName objects of choice %sF)rrpr rr;r:r:r>rCs   zGeneralName.__eq__N)rSrTrUr-r`r5rxrryrWror!rr?rCr:r:r:r>rzs          rzc@seZdZeZdS) GeneralNamesN)rSrTrUrzrr:r:r:r>rsrc@seZdZdefdefgZdS)TimeZutc_timeZ general_timeN)rSrTrUr,rrr:r:r:r>rsrc@seZdZdefdefgZdS)ValidityrrN)rSrTrUrrr:r:r:r>rsrc@s(eZdZdeddifdeddifgZdS)BasicConstraintscadefaultFpath_len_constraintrTN)rSrTrUrrrr:r:r:r>rs  rc@s:eZdZdedddfdedddfdedddfgZd S) AuthorityKeyIdentifierkey_identifierrTrauthority_cert_issuerrauthority_cert_serial_numberryN)rSrTrUr#rrrr:r:r:r>rsrc@s(eZdZdeddifdeddifgZdS)DistributionPointName full_namerrname_relative_to_crl_issuerrN)rSrTrUrrrr:r:r:r>rs  rc @s$eZdZddddddddd d Zd S) ReasonFlagsZunusedZkey_compromiseZ ca_compromiseZaffiliation_changedZ supersededZcessation_of_operationZcertificate_holdZprivilege_withdrawnZ aa_compromiserNrr:r:r:r>rsrc@s2eZdZdefdedddfdedddfgZd S) GeneralSubtreebaseZminimumrrrmaximumrTrN)rSrTrUrzrrr:r:r:r>rsrc@seZdZeZdS)GeneralSubtreesN)rSrTrUrrr:r:r:r>rsrc@s,eZdZdedddfdedddfgZdS)NameConstraintsZpermitted_subtreesrTrZexcluded_subtreesrN)rSrTrUrrr:r:r:r>rsrc@sJeZdZdedddfdedddfded ddfgZd Zed d Z d S)DistributionPointdistribution_pointrTrCZreasonsrrZ crl_issuerryFcCsh|jdkrbd|_|d}|jdkr.ttd|jD],}|jdkr4|j}|dr4||_qbq4|jS)z_ :return: None or a unicode string of the distribution point's URL FNrrz CRL distribution points that are relative to the issuer are not supported rzhttp://zhttps://zldap://zldaps://)_urlrrpr rrZrBrI)r<r general_nameurlr:r:r>r s    zDistributionPoint.urlN) rSrTrUrrrrrrmrr:r:r:r>rsrc@seZdZeZdS)CRLDistributionPointsN)rSrTrUrrr:r:r:r>r&src@s(eZdZdefdefdefdefgZdS) DisplayTextrZvisible_stringrrN)rSrTrUrr.rr-rr:r:r:r>r*s rc@seZdZeZdS) NoticeNumbersNrSrTrUrrr:r:r:r>r3src@seZdZdefdefgZdS)NoticeReferenceZ organizationZnotice_numbersN)rSrTrUrrrr:r:r:r>r7src@s(eZdZdeddifdeddifgZdS) UserNoticeZ notice_refrTZ explicit_textN)rSrTrUrrrr:r:r:r>r>s  rc@seZdZdddZdS)PolicyQualifierId certification_practice_statement user_notice)z1.3.6.1.5.5.7.2.1z1.3.6.1.5.5.7.2.2Nrr:r:r:r>rEsrc@s*eZdZdefdefgZdZeedZ dS)PolicyQualifierInfopolicy_qualifier_id qualifier)rr)rrN) rSrTrUrrrrrrrr:r:r:r>rLsrc@seZdZeZdS)PolicyQualifierInfosN)rSrTrUrrr:r:r:r>rYsrc@seZdZddiZdS)PolicyIdentifierz 2.5.29.32.0Z any_policyNrr:r:r:r>r]src@s"eZdZdefdeddifgZdS)PolicyInformationZpolicy_identifierZpolicy_qualifiersrTN)rSrTrUrrrr:r:r:r>rcs rc@seZdZeZdS)CertificatePoliciesN)rSrTrUrrr:r:r:r>rjsrc@seZdZdefdefgZdS) PolicyMappingZissuer_domain_policyZsubject_domain_policyN)rSrTrUrrr:r:r:r>rnsrc@seZdZeZdS)PolicyMappingsN)rSrTrUrrr:r:r:r>rusrc@s,eZdZdedddfdedddfgZdS)PolicyConstraintsZrequire_explicit_policyrTrZinhibit_policy_mappingrNrSrTrUrrr:r:r:r>rysrcV@seZdZddddddddd d d d d ddddddddddddddddddd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;dd?d@dAdBdCdDdEdFdGdHdIdJdKdLdMdNdOdPdQdRdSdTdUdVUZdWS)X KeyPurposeIdZany_extended_key_usageZ server_authZ client_authZ code_signingZemail_protectionZipsec_end_systemZ ipsec_tunnelZ ipsec_user time_stampingZ ocsp_signingZdvcsZ eap_over_pppZ eap_over_lanZ scvp_serverZ scvp_clientZ ipsec_ikeZ capwap_acZ capwap_wtpZ sip_domainZsecure_shell_clientZsecure_shell_serverZ send_routerZsend_proxied_routerZ send_ownerZsend_proxied_ownerZcmc_caZcmc_raZ cmc_archiveZbgpspec_routerZike_intermediateZmicrosoft_trust_list_signingZmicrosoft_time_stamp_signingZmicrosoft_server_gatedZmicrosoft_serializedZ microsoft_efsZmicrosoft_efs_recoveryZmicrosoft_whqlZ microsoft_nt5Zmicrosoft_oem_whqlZmicrosoft_embedded_ntZmicrosoft_root_list_signerZ!microsoft_qualified_subordinationZmicrosoft_key_recoveryZmicrosoft_document_signingZmicrosoft_lifetime_signingZ microsoft_mobile_device_softwareZmicrosoft_smart_card_logonZapple_x509_basicZ apple_sslZapple_local_cert_genZ apple_csr_genZapple_revocation_crlZapple_revocation_ocspZ apple_smimeZ apple_eapZapple_software_update_signingZ apple_ipsecZ apple_ichatZapple_resource_signingZapple_pkinit_clientZapple_pkinit_serverZapple_code_signingZapple_package_signingZapple_id_validationZapple_time_stampingZapple_revocationZapple_passbook_signingZapple_mobile_storeZapple_escrow_serviceZapple_profile_signerZapple_qa_profile_signerZapple_test_mobile_storeZapple_otapki_signerZapple_test_otapki_signerZ)apple_id_validation_record_signing_policyZapple_smp_encryptionZapple_test_smp_encryptionZapple_server_authenticationZapple_pcs_escrow_serviceZpiv_card_authenticationZpiv_content_signingZpkinit_kpclientauthZ pkinit_kpkdcZadobe_authentic_documents_trustZfpki_pivi_content_signing)Uz 2.5.29.37.0z1.3.6.1.5.5.7.3.1z1.3.6.1.5.5.7.3.2z1.3.6.1.5.5.7.3.3z1.3.6.1.5.5.7.3.4z1.3.6.1.5.5.7.3.5z1.3.6.1.5.5.7.3.6z1.3.6.1.5.5.7.3.7z1.3.6.1.5.5.7.3.8z1.3.6.1.5.5.7.3.9z1.3.6.1.5.5.7.3.10z1.3.6.1.5.5.7.3.13z1.3.6.1.5.5.7.3.14z1.3.6.1.5.5.7.3.15z1.3.6.1.5.5.7.3.16z1.3.6.1.5.5.7.3.17z1.3.6.1.5.5.7.3.18z1.3.6.1.5.5.7.3.19z1.3.6.1.5.5.7.3.20z1.3.6.1.5.5.7.3.21z1.3.6.1.5.5.7.3.22z1.3.6.1.5.5.7.3.23z1.3.6.1.5.5.7.3.24z1.3.6.1.5.5.7.3.25z1.3.6.1.5.5.7.3.26z1.3.6.1.5.5.7.3.27z1.3.6.1.5.5.7.3.28z1.3.6.1.5.5.7.3.29z1.3.6.1.5.5.7.3.30z1.3.6.1.5.5.8.2.2z1.3.6.1.4.1.311.10.3.1z1.3.6.1.4.1.311.10.3.2z1.3.6.1.4.1.311.10.3.3z1.3.6.1.4.1.311.10.3.3.1z1.3.6.1.4.1.311.10.3.4z1.3.6.1.4.1.311.10.3.4.1z1.3.6.1.4.1.311.10.3.5z1.3.6.1.4.1.311.10.3.6z1.3.6.1.4.1.311.10.3.7z1.3.6.1.4.1.311.10.3.8z1.3.6.1.4.1.311.10.3.9z1.3.6.1.4.1.311.10.3.10z1.3.6.1.4.1.311.10.3.11z1.3.6.1.4.1.311.10.3.12z1.3.6.1.4.1.311.10.3.13z1.3.6.1.4.1.311.10.3.14z1.3.6.1.4.1.311.20.2.2z1.2.840.113635.100.1.2z1.2.840.113635.100.1.3z1.2.840.113635.100.1.4z1.2.840.113635.100.1.5z1.2.840.113635.100.1.6z1.2.840.113635.100.1.7z1.2.840.113635.100.1.8z1.2.840.113635.100.1.9z1.2.840.113635.100.1.10z1.2.840.113635.100.1.11z1.2.840.113635.100.1.12z1.2.840.113635.100.1.13z1.2.840.113635.100.1.14z1.2.840.113635.100.1.15z1.2.840.113635.100.1.16z1.2.840.113635.100.1.17z1.2.840.113635.100.1.18z1.2.840.113635.100.1.20z1.2.840.113635.100.1.21z1.2.840.113635.100.1.22z1.2.840.113635.100.1.23z1.2.840.113635.100.1.24z1.2.840.113635.100.1.25z1.2.840.113635.100.1.26z1.2.840.113635.100.1.27z1.2.840.113635.100.1.28z1.2.840.113635.100.1.29z1.2.840.113625.100.1.30z1.2.840.113625.100.1.31z1.2.840.113625.100.1.32z1.2.840.113635.100.1.33z1.2.840.113635.100.1.34z2.16.840.1.101.3.6.8z2.16.840.1.101.3.6.7z1.3.6.1.5.2.3.4z1.3.6.1.5.2.3.5z1.2.840.113583.1.1.5z2.16.840.1.101.3.8.7Nrr:r:r:r>rsrc@seZdZeZdS)ExtKeyUsageSyntaxNrSrTrUrrr:r:r:r>rsrc@seZdZdddddZdS) AccessMethodocspZ ca_issuersrZ ca_repository)z1.3.6.1.5.5.7.48.1z1.3.6.1.5.5.7.48.2z1.3.6.1.5.5.7.48.3z1.3.6.1.5.5.7.48.5Nrr:r:r:r>rs rc@seZdZdefdefgZdS)AccessDescription access_methodaccess_locationN)rSrTrUrrzrr:r:r:r>rsrc@seZdZeZdS)AuthorityInfoAccessSyntaxNrSrTrUrrr:r:r:r>rsrc@seZdZeZdS)SubjectInfoAccessSyntaxNrr:r:r:r>rsrc@seZdZeZdS)FeaturesNrr:r:r:r>r src@seZdZdefdefgZdS)EntrustVersionInfoZ entrust_versZentrust_info_flagsN)rSrTrUrrrr:r:r:r>rsrc @s"eZdZddddddddd Zd S) NetscapeCertificateTypeZ ssl_clientZ ssl_serveremailZobject_signingreservedZssl_caZemail_caZobject_signing_ca)rrryrrrrrNrr:r:r:r>rsrc@seZdZddddZdS)Versionv1Zv2Zv3rrryNrr:r:r:r>r%src@s"eZdZdefdefdefgZdS)TPMSpecificationrlevelrevisionN)rSrTrUr-rrr:r:r:r>r-src@seZdZeZdS)SetOfTPMSpecificationN)rSrTrUrrr:r:r:r>r5src@s"eZdZdefdefdefgZdS)TCGSpecificationVersion major_version minor_versionrNrr:r:r:r>r9src@seZdZdefdefgZdS)TCGPlatformSpecificationversionZplatform_classN)rSrTrUrr#rr:r:r:r>rAsrc@seZdZeZdS)SetOfTCGPlatformSpecificationN)rSrTrUrrr:r:r:r>rHsrc@seZdZdddddZdS)EKGenerationTypeZinternalZinjectedZinternal_revocableZinjected_revocable)rrryrNrr:r:r:r>rLs rc@seZdZddddZdS)EKGenerationLocationrrek_cert_signerrNrr:r:r:r>rUsrc@seZdZddddZdS)EKCertificateGenerationLocationrrrrNrr:r:r:r>r]src@s eZdZddddddddZd S) EvaluationAssuranceLevellevel1level2level3level4Zlevel5Zlevel6Zlevel7)rryrrrrrNrr:r:r:r>resrc@seZdZddddZdS)EvaluationStatusZdesigned_to_meetZevaluation_in_progressZevaluation_completedrNrr:r:r:r>rqsrc@seZdZddddZdS)StrengthOfFunctionbasicZmediumhighrNrr:r:r:r>rysrc@s.eZdZdefdeddifdeddifgZdS) URIReferencerZhash_algorithmrTZ hash_valueN)rSrTrUrrrrr:r:r:r>rs  rc @steZdZdefdefdefdeddifdedd d fd ed d d fd e dd d fdedd d fde dd d fg Z dS)CommonCriteriaMeasuresrZassurance_levelZevaluation_statusplusrFZstrengh_of_functionrTrZ profile_oidrZ profile_urlryZ target_oidrZ target_urirN) rSrTrUrrrrrr!rrr:r:r:r>rs rc@seZdZdddddZdS) SecurityLevelrrrr)rryrrNrr:r:r:r>rs rc@s(eZdZdefdefdeddifgZdS) FIPSLevelrrrrFN)rSrTrUrrrrr:r:r:r>rs rc @seZdZdeddifdeddifdeddd fd ed dd fd ed dd fdeddd fde ddd fdedddfde ddifg Z dS)TPMSecurityAssertionsrrrZfield_upgradableFZek_generation_typerTrZek_generation_locationrZ"ek_certificate_generation_locationryZcc_inforZ fips_levelrZiso_9000_certifiedrrZ iso_9000_urirN) rSrTrUrrrrrrrrrr:r:r:r>rs   rc@seZdZeZdS)SetOfTPMSecurityAssertionsN)rSrTrUrrr:r:r:r>rsrc @s&eZdZddddddddd d d Zd S) SubjectDirectoryAttributeIdsupported_algorithmstpm_specificationtcg_platform_specificationtpm_security_assertionspda_date_of_birthpda_place_of_birth pda_genderpda_country_of_citizenshippda_country_of_residenceZentrust_user_role) z2.5.4.52z 2.23.133.2.16z 2.23.133.2.17z 2.23.133.2.18z1.3.6.1.5.5.7.9.1z1.3.6.1.5.5.7.9.2z1.3.6.1.5.5.7.9.3z1.3.6.1.5.5.7.9.4z1.3.6.1.5.5.7.9.5z1.2.840.113533.7.68.29Nrr:r:r:r>rsrc@seZdZeZdS)SetOfGeneralizedTimeN)rSrTrUrrr:r:r:r>rsrc@seZdZeZdS)SetOfDirectoryStringN)rSrTrUrrr:r:r:r>rsrc@seZdZeZdS)SetOfPrintableStringNr?r:r:r:r>rsrc@s2eZdZdefdedddfdedddfgZdS) SupportedAlgorithmZalgorithm_identifierZintended_usagerTrCZintended_certificate_policiesrN)rSrTrUrrrrr:r:r:r>rsrc@seZdZeZdS)SetOfSupportedAlgorithmN)rSrTrUrrr:r:r:r>rsrc @sHeZdZdefdefgZdZeee e e e e e e d ZddZdeiZdS)SubjectDirectoryAttributerr)rr) rrrrrrrrrcCs"|dj}||jkr|j|StS)Nr)rZrr))r<type_r:r:r> _values_specs   z&SubjectDirectoryAttribute._values_specN)rSrTrUrrrrrrrrrrrrrZ_spec_callbacksr:r:r:r>rs$ rc@seZdZeZdS)SubjectDirectoryAttributesN)rSrTrUrrr:r:r:r>rsrc@sBeZdZddddddddd d d d d ddddddddddddZdS) ExtensionIdsubject_directory_attributesr key_usageprivate_key_usage_periodsubject_alt_nameissuer_alt_namebasic_constraintsname_constraintscrl_distribution_pointscertificate_policiespolicy_mappingsauthority_key_identifierpolicy_constraintsextended_key_usage freshest_crlinhibit_any_policyauthority_information_accesssubject_information_access tls_feature ocsp_no_checkentrust_version_extensionnetscape_certificate_type!signed_certificate_timestamp_listmicrosoft_enroll_certtype)z2.5.29.9z 2.5.29.14z 2.5.29.15z 2.5.29.16z 2.5.29.17z 2.5.29.18z 2.5.29.19z 2.5.29.30z 2.5.29.31z 2.5.29.32z 2.5.29.33z 2.5.29.35z 2.5.29.36z 2.5.29.37z 2.5.29.46z 2.5.29.54z1.3.6.1.5.5.7.1.1z1.3.6.1.5.5.7.1.11z1.3.6.1.5.5.7.1.24z1.3.6.1.5.5.7.48.1.5z1.2.840.113533.7.65.0z2.16.840.1.113730.1.1z1.3.6.1.4.1.11129.2.4.2z1.3.6.1.4.1.311.20.2Nrr:r:r:r>rs2rc@sbeZdZdefdeddifdefgZdZee e e e e e eeeeeeeeeeeeeeee edZdS) Extensionextn_idcriticalrF extn_value)rr)rrrrrrrrrrrrrrrrrrrrr r r r N)rSrTrUrrr$rrrr#rrrrrrrrrrrrrrrrrrrrr:r:r:r>r 's< r c@seZdZeZdS) ExtensionsN)rSrTrUr rr:r:r:r>rMsrc@sleZdZdedddfdefdefdefdefd efd efd e d d dfde dd dfde dd dfg Z dS)TbsCertificaterrr)r.rr signatureissuervaliditysubjectsubject_public_key_infoZissuer_unique_idrTrZsubject_unique_idry extensionsrrCN) rSrTrUrrrrrr0r"rrr:r:r:r>rQsrc@seZdZdefdefdefgZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&ddZ'e(dd Z)e(d d Z*e(d d Z+e(ddZ,e(ddZ-e(ddZ.e(ddZ/e(ddZ0e(ddZ1e(ddZ2e(ddZ3e(ddZ4e(d d!Z5e(d"d#Z6e(d$d%Z7e(d&d'Z8e(d(d)Z9e(d*d+Z:e(d,d-Z;e(d.d/Ze(d4d5Z?e(d6d7Z@e(d8d9ZAe(d:d;ZBe(dd?ZDe(d@dAZEe(dBdCZFe(dDdEZGe(dFdGZHe(dHdIZIe(dJdKZJe(dLdMZKe(dNdOZLdPdQZMe(dRdSZNe(dTdUZOe(dVdWZPe(dXdYZQe(dZd[ZRe(d\d]ZSe(d^d_ZTe(d`daZUe(dbdcZVe(dddeZWe(dfdgZXdhdiZYdjdkZZdldmZ[dS)n Certificatetbs_certificatesignature_algorithmsignature_valueFNcCsht|_|ddD]H}|dj}d|}t||rFt|||dj|djr|j|qd|_dS) zv Sets common named extensions to private attributes and creates a list of critical extensions rrrz _%s_valuerrTN)rR_critical_extensionsrZhasattrsetattrparsedadd_processed_extensions)r< extensionrrr:r:r>_set_extensionss   zCertificate._set_extensionscCs|js||jS)z Returns a set of the names (or OID if not a known extension) of the extensions marked as critical :return: A set of unicode strings )r"r$rr_r:r:r>critical_extensionss zCertificate.critical_extensionscCs|js||jS)z This extension is used to constrain the period over which the subject private key may be used :return: None or a PrivateKeyUsagePeriod object )r"r$_private_key_usage_period_valuer_r:r:r>private_key_usage_period_values z*Certificate.private_key_usage_period_valuecCs|js||jS)z This extension is used to contain additional identification attributes about the subject. :return: None or a SubjectDirectoryAttributes object )r"r$#_subject_directory_attributes_valuer_r:r:r>"subject_directory_attributes_values z.Certificate.subject_directory_attributes_valuecCs|js||jS)z This extension is used to help in creating certificate validation paths. It contains an identifier that should generally, but is not guaranteed to, be unique. :return: None or an OctetString object )r"r$_key_identifier_valuer_r:r:r>key_identifier_values z Certificate.key_identifier_valuecCs|js||jS)z This extension is used to define the purpose of the public key contained within the certificate. :return: None or a KeyUsage )r"r$_key_usage_valuer_r:r:r>key_usage_values zCertificate.key_usage_valuecCs|js||jS)aT This extension allows for additional names to be associate with the subject of the certificate. While it may contain a whole host of possible names, it is usually used to allow certificates to be used with multiple different domain names. :return: None or a GeneralNames object )r"r$_subject_alt_name_valuer_r:r:r>subject_alt_name_values z"Certificate.subject_alt_name_valuecCs|js||jS)z This extension allows associating one or more alternative names with the issuer of the certificate. :return: None or an x509.GeneralNames object )r"r$_issuer_alt_name_valuer_r:r:r>issuer_alt_name_values z!Certificate.issuer_alt_name_valuecCs|js||jS)a' This extension is used to determine if the subject of the certificate is a CA, and if so, what the maximum number of intermediate CA certs after this are, before an end-entity certificate is found. :return: None or a BasicConstraints object )r"r$_basic_constraints_valuer_r:r:r>basic_constraints_values z#Certificate.basic_constraints_valuecCs|js||jS)z This extension is used in CA certificates, and is used to limit the possible names of certificates issued. :return: None or a NameConstraints object )r"r$_name_constraints_valuer_r:r:r>name_constraints_value s z"Certificate.name_constraints_valuecCs|js||jS)z This extension is used to help in locating the CRL for this certificate. :return: None or a CRLDistributionPoints object extension )r"r$_crl_distribution_points_valuer_r:r:r>crl_distribution_points_value s z)Certificate.crl_distribution_points_valuecCs|js||jS)a; This extension defines policies in CA certificates under which certificates may be issued. In end-entity certificates, the inclusion of a policy indicates the issuance of the certificate follows the policy. :return: None or a CertificatePolicies object )r"r$_certificate_policies_valuer_r:r:r>certificate_policies_value* s z&Certificate.certificate_policies_valuecCs|js||jS)z This extension allows mapping policy OIDs to other OIDs. This is used to allow different policies to be treated as equivalent in the process of validation. :return: None or a PolicyMappings object )r"r$_policy_mappings_valuer_r:r:r>policy_mappings_value: s z!Certificate.policy_mappings_valuecCs|js||jS)z This extension helps in identifying the public key with which to validate the authenticity of the certificate. :return: None or an AuthorityKeyIdentifier object )r"r$_authority_key_identifier_valuer_r:r:r>authority_key_identifier_valueI s z*Certificate.authority_key_identifier_valuecCs|js||jS)z This extension is used to control if policy mapping is allowed and when policies are required. :return: None or a PolicyConstraints object )r"r$_policy_constraints_valuer_r:r:r>policy_constraints_valueW s z$Certificate.policy_constraints_valuecCs|js||jS)z This extension is used to help locate any available delta CRLs :return: None or an CRLDistributionPoints object )r"r$_freshest_crl_valuer_r:r:r>freshest_crl_valuee s zCertificate.freshest_crl_valuecCs|js||jS)z This extension is used to prevent mapping of the any policy to specific requirements :return: None or a Integer object )r"r$_inhibit_any_policy_valuer_r:r:r>inhibit_any_policy_valuer s z$Certificate.inhibit_any_policy_valuecCs|js||jS)z This extension is used to define additional purposes for the public key beyond what is contained in the basic constraints. :return: None or an ExtKeyUsageSyntax object )r"r$_extended_key_usage_valuer_r:r:r>extended_key_usage_value s z$Certificate.extended_key_usage_valuecCs|js||jS)z This extension is used to locate the CA certificate used to sign this certificate, or the OCSP responder for this certificate. :return: None or an AuthorityInfoAccessSyntax object )r"r$#_authority_information_access_valuer_r:r:r>"authority_information_access_value s z.Certificate.authority_information_access_valuecCs|js||jS)z This extension is used to access information about the subject of this certificate. :return: None or a SubjectInfoAccessSyntax object )r"r$!_subject_information_access_valuer_r:r:r> subject_information_access_value s z,Certificate.subject_information_access_valuecCs|js||jS)z This extension is used to list the TLS features a server must respond with if a client initiates a request supporting them. :return: None or a Features object )r"r$_tls_feature_valuer_r:r:r>tls_feature_value s zCertificate.tls_feature_valuecCs|js||jS)a- This extension is used on certificates of OCSP responders, indicating that revocation information for the certificate should never need to be verified, thus preventing possible loops in path validation. :return: None or a Null object (if present) )r"r$_ocsp_no_check_valuer_r:r:r>ocsp_no_check_value s zCertificate.ocsp_no_check_valuecCs |djS)zE :return: A byte string of the signature rrr_r:r:r>r szCertificate.signaturecCs |djS)zj :return: A unicode string of "rsassa_pkcs1v15", "rsassa_pss", "dsa", "ecdsa" r)signature_algor_r:r:r>rN szCertificate.signature_algocCs |djS)z :return: A unicode string of "md2", "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256" r) hash_algor_r:r:r>rO szCertificate.hash_algocCs |ddS)zT :return: The PublicKeyInfo object for this certificate rrr:r_r:r:r> public_key szCertificate.public_keycCs |ddS)zZ :return: The Name object for the subject of this certificate rrr:r_r:r:r>r szCertificate.subjectcCs |ddS)zY :return: The Name object for the issuer of this certificate rrr:r_r:r:r>r szCertificate.issuercCs|ddjS)zT :return: An integer of the certificate's serial number rrrr_r:r:r>r szCertificate.serial_numbercCs|js dS|jjS)z :return: None or a byte string of the certificate's key identifier from the key identifier extension N)r+rZr_r:r:r>r szCertificate.key_identifiercCs.|jdkr(|jjdt|jd|_|jS)z :return: A byte string of the SHA-256 hash of the issuer concatenated with the ascii character ":", concatenated with the serial number as an ascii string N:re)_issuer_serialrr,rrrJr_r:r:r> issuer_serial s zCertificate.issuer_serialcCs|dddjS)zd :return: A datetime of latest time when the certificate is still valid rrrrr_r:r:r>not_valid_after! szCertificate.not_valid_aftercCs|dddjS)zd :return: A datetime of the earliest time when the certificate is valid rrrrr_r:r:r>not_valid_before) szCertificate.not_valid_beforecCs|js dS|jdjS)z :return: None or a byte string of the key_identifier from the authority key identifier extension Nr)r=rZr_r:r:r>r1 sz$Certificate.authority_key_identifiercCsj|jdkrd|j}|r^|djr^|jddj}|}|jdj}|jdt|d|_nd|_|jS)a; :return: None or a byte string of the SHA-256 hash of the isser from the authority key identifier extension concatenated with the ascii character ":", concatenated with the serial number from the authority key identifier extension as an ascii string FrrrrQreN)_authority_issuer_serialr=rZrZuntagr,rrJ)r<ZakivrZauthority_serialr:r:r>authority_issuer_serial> s  z#Certificate.authority_issuer_serialcCs|jdkr||j|_|jS)z Returns complete CRL URLs - does not include delta CRLs :return: A list of zero or more DistributionPoint objects N)_crl_distribution_points!_get_http_crl_distribution_pointsr7r_r:r:r>rT s z#Certificate.crl_distribution_pointscCs|jdkr||j|_|jS)z Returns delta CRL URLs - does not include complete CRLs :return: A list of zero or more DistributionPoint objects N)_delta_crl_distribution_pointsrYrAr_r:r:r>delta_crl_distribution_pointsa s z)Certificate.delta_crl_distribution_pointscCs\g}|dkrgS|D]B}|d}|tkr*q|jdkr6q|jD]}|jdkr<||qrYn s    z-Certificate._get_http_crl_distribution_pointscCs^|js gSg}|jD]D}|djdkr|d}|jdkr:q|j}|dr||q|S)zx :return: A list of zero or more unicode strings of the OCSP URLs for this cert rrrrr)rGrZrrBrIr)r<rentrylocationrr:r:r> ocsp_urls s   zCertificate.ocsp_urlscCs|jdkrg|_|jrH|jD](}|jdkr|j|jkr|j|jqnPtd}|jjD]<}|D]2}|djdkrb|dj}| |rb|j|qbqZ|jS)z :return: A list of unicode strings of valid domain names for the certificate. Wildcard certificates will have a domain in the form: *.example.com Nr|zE^(\*\.)?(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$rrrP) _valid_domainsr/rrZrrcompilerrmatch)r<rpatternr Zname_type_valuerPr:r:r> valid_domains s      zCertificate.valid_domainscCs@|jdkr:g|_|jr:|jD]}|jdkr|j|jq|jS)zj :return: A list of unicode strings of valid IP addresses for the certificate Nr) _valid_ipsr/rrrZ)r<rr:r:r> valid_ips s   zCertificate.valid_ipscCs|jo|jdjS)zW :return; A boolean - if the certificate is marked as a CA r)r3rZr_r:r:r>r szCertificate.cacCs|js dS|jdjS)zT :return; None or an integer of the maximum path length Nr)rr3rZr_r:r:r>max_path_length szCertificate.max_path_lengthcCs|jdkr|j|jk|_|jS)zx :return: A boolean - if the certificate is self-issued, as defined by RFC 5280 N) _self_issuedrrr_r:r:r> self_issued s zCertificate.self_issuedcCsJ|jdkrDd|_|jrD|jr>|js*d|_qD|j|jkrDd|_nd|_|jS)a :return: A unicode string of "no" or "maybe". The "maybe" result will be returned if the certificate issuer and subject are the same. If a key identifier and authority key identifier are present, they will need to match otherwise "no" will be returned. To verify is a certificate is truly self-signed, the signature will need to be verified. See the certvalidator package for one possible solution. Nnomaybe) _self_signedrhrrr_r:r:r> self_signed s  zCertificate.self_signedcCs$|jdkrt||_|jS)zk :return: The SHA-1 hash of the DER-encoded bytes of this complete certificate Nr$r_r:r:r>r' s zCertificate.sha1cCsdddt|jDS)z :return: A unicode string of the SHA-1 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdSz%02XNr:rcr:r:r>r$ sz/Certificate.sha1_fingerprint..)rrr'r_r:r:r>sha1_fingerprint szCertificate.sha1_fingerprintcCs$|jdkrt||_|jS)zy :return: The SHA-256 hash of the DER-encoded bytes of this complete certificate Nr*r_r:r:r>r,& s zCertificate.sha256cCsdddt|jDS)z :return: A unicode string of the SHA-256 hash, formatted using hex encoding with a space between each pair of characters, all uppercase rcss|]}d|VqdSrmr:rnr:r:r>r: sz1Certificate.sha256_fingerprint..)rrr,r_r:r:r>sha256_fingerprint2 szCertificate.sha256_fingerprintcCsNt|tsttdt||dd}|ddk}| oNt d|}| oZ| }|r|j sjdS| d}|j D]b}|dd}| d} t | t |krqz| |krd S||} | rz||| rzd SqzdS|jsdS|rtjntj} t| |} |jD]<} | ddkr&tjntj}t|| }|| kr d Sq dS) a Check if a domain name or IP address is valid according to the certificate :param domain_ip: A unicode string of a domain name or IP address :return: A boolean - if the domain or IP is valid for the certificate zL domain_ip must be a unicode string, not %s rrertrdz^\d+\.\d+\.\d+\.\d+$FrET)r@rrHr r rJrlrBrgrrarcr|r_is_wildcard_domain_is_wildcard_matchrer~rrr4)r<Z domain_ipZencoded_domain_ipis_ipv6Zis_ipv4Z is_domain domain_labelsZ valid_domainZencoded_valid_domainvalid_domain_labelsZ is_wildcardrZ normalized_ipZvalid_ipZ valid_familyZnormalized_valid_ipr:r:r>is_valid_domain_ip< sD           zCertificate.is_valid_domain_ipcCsZ|ddkrdS|d}|s(dS|dddkr>dS|ddddkrVdSd S) af Checks if a domain is a valid wildcard according to https://tools.ietf.org/html/rfc6125#section-6.4.3 :param domain: A unicode string of the domain name, where any U-labels from an IDN have been converted to A-labels :return: A boolean - if the domain is a valid wildcard domain *rFrErrdrzxn--T)countrBr|rg)r<domainlabelsr:r:r>rr~ szCertificate._is_wildcard_domaincCsl|d}|dd}|d}|dd}||kr4dS|dkr@dStd|ddd }||rhdSdS) a Determines if the labels in a domain are a match for labels from a wildcard valid domain name :param domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in the domain name to check :param valid_domain_labels: A list of unicode strings, with A-label form for IDNs, of the labels in a wildcard domain pattern :return: A boolean - if the domain matches the valid domain rrNFrxT^z.*$)rr`rra)r<rurvZfirst_domain_labelZother_domain_labelsZwildcard_labelZother_valid_domain_labelsZwildcard_regexr:r:r>rs s   zCertificate._is_wildcard_match)\rSrTrUrrr"rr"rr(r*r,r.r0r2r4r6r8r:r<r>r@rBrDrFrHr&rJrLrRrVrXrZr_rdrgrkr%r+r$rmr%r'r)r+r-r/r1r3r5r7r9r;r=r?rArCrErGrIrKrMrrNrOrPrrrrrSrTrUrrWrr[rYr^rcrerrfrhrlr'rpr,rqrwrrrsr:r:r:r>r`s                                      "         B!rc@seZdZeZdS)KeyPurposeIdentifiersNrr:r:r:r>r~ sr~c@seZdZeZdS)SequenceOfAlgorithmIdentifiersN)rSrTrUrrr:r:r:r>r src @sPeZdZdeddifdedddfdeddifdeddifd ed ddfgZd S) CertificateAuxtrustrTrejectrraliasZkeyidr=rN)rSrTrUr~r-r#rrr:r:r:r>r s    rc@seZdZeegZdS)TrustedCertificateN)rSrTrUrrZ _child_specsr:r:r:r>r sr)r __future__rrrr contextlibr encodingsrr&rr~rrr_errorsr Z_irir r Z _ordereddictr _typesr rrZalgosrrrrcorerrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/rr0utilr1r2r3r4r5rWr`rorrrrrrrrrrr rr-r/r5r8r:r<r>r@rArDrErFrGrHrIrJrKrLrMrOrPrQrRrSrtrwrxryrzrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr rrrr~rrrr:r:r:r>s     x 59q  BU*D      "2%  p      &o