o vhn3@sddlZddlZddlmZddlmZmZddlmZm Z m Z m Z m Z m Z mZddlmZddlmZeeZGdddeZd ed ed efd d ZddZdeded efddZdedefddZdedefddZdejdejfddZ Gdddej!Z"e"j#e e"j$ee"j%ee"j&eiZ'Gddde(Z)dej*fdd Z+d!ej,fd"d#Z-Gd$d%d%Z.ed&d'Gd(d)d)Z/e e"e e/fZ0d*e ejd e0fd+d,Z1d-e e/d e0fd.d/Z2d0ej3d e0fd1d2Z4Gd3d4d4Z5Gd5d6d6Z6Gd7d8d8Z7d e0fd9d:Z8d e0fd;d<Z9dS)=N) dataclass) IPv4Address IPv6Address)CallableDictIterableListOptionalSetUnion)x509)urisplitc@s eZdZdS)NameConstraintErrorN)__name__ __module__ __qualname__rr^/var/www/html/hyperkenya/venv/lib/python3.10/site-packages/pyhanko_certvalidator/name_trees.pyr sr base_host other_hostreturncCs6|ddkr||\}}}t|ot| S||kS)Nr.) rpartitionbool)rrpre_postrrrhost_tree_containss rcCs^t|}|rt|ttfr-|durd|dnd}d|d|d}t|t||S)Nz has host rzis not a well-formed URI.zCURI constraints require URIs with a host specified as a FQDN; URI 'z' )r gethost isinstancerrloggerwarningr)cand_uri cand_hosthost_errmsgrrr _host_regnames   r&baseothercCst|}t||SN)r&r)r'r(rrrruri_tree_contains,s r*cCsX|d}|d}t|t|krdSt|t|ko+tddtt|t|DS)NrFcs|] \}}||kVqdSr)r.0xyrrr 9  z$dns_tree_contains..)splitlenallzipreversed)r'r( base_labels other_labelsrrrdns_tree_contains2s  r9cCs6|d\}}}|d\}}}|r||kSt||S)N@)rr)r'r( base_mailboxrbase_host_or_domain other_mailboxother_host_or_domainrrremail_tree_contains>s  r?cCs4|j}|j}t|t|kotddt||DS)Ncsr+r)rr,rrrr0Or1z(dirname_tree_contains..)chosenr3r4r5)r'r(base_rdn_sequenceother_rdn_sequencerrrdirname_tree_containsKs rCc@seZdZeZeZeZeZeZ eZ eZ eZ eZ edeeeeejfeeejfgeffddZedddZdS)GeneralNameTypercCs t|dSr))_name_type_checkersgetselfrrrcheck_membershipbs z GeneralNameType.check_membershipcCst||Sr))getattrupper)clschoicerrr from_choicejszGeneralNameType.from_choiceN)rrD)rrrenumauto OTHER_NAME RFC822_NAMEDNS_NAME X400_ADDRESSDIRECTORY_NAMEEDI_PARTY_NAMEUNIFORM_RESOURCE_IDENTIFIER IP_ADDRESS REGISTERED_IDpropertyr rr strr NamerrI classmethodrNrrrrrDWs$" rDcs"eZdZdeffdd ZZS)UnsupportedNameTypeError name_typecst|jdSr))super__init__namelower)rHr_ __class__rrraxz!UnsupportedNameTypeError.__init__)rrrrDra __classcell__rrrdrr^wsr^gnamecCs*t|j}|j}|tjkr|j}||fSr))rDrNrbr@rUnative)rh gname_typevaluerrr_interpret_general_name|s  rlcertccs~t|jjrtj|jfV|j}|dur3|jjD]}|D]}|djdkr/tj|djfVqqdS|D]}t|Vq5dS)Ntype email_addressrk) r3subjectr@rDrUsubject_alt_name_valuerirRrl)rmsubject_alt_namesrdn name_pairrbrrr_enumerate_names_in_certs   ruc@s@eZdZdeeejffddZeddZ ddZ dd Z d S) _StringOrNamerkcCs ||_dSr))rk)rHrkrrrra z_StringOrName.__init__cCs&|j}t|tjrd|fSd|fS)Nr)rkrr r\dump)rHvalrrr_codes  z_StringOrName._codecCs t|jSr))hashr{rGrrr__hash__rwz_StringOrName.__hash__cCst|to |j|jkSr))rrvr{)rHr(rrr__eq__rfz_StringOrName.__eq__N) rrrr r[r r\rarZr{r}r~rrrrrvs   rvT)frozenc@seZdZUeed<eeed<dZeed<dZ eeed<de e e j fdefd d Zeded e e e j ffd d ZedddZededdfddZdS) NameSubtreer_ tree_baserminNmaxitemrcCsX|jdurdS|jdks|jdurtd|jj}|dur%td|j||jj|S)NTrzuThe minimum/maximum fields on a name constraint are not meaningful in the PKIX (RFC 5280) profile --- not processing.z%No containment checker available for )rrrNotImplementedErrorr_rIrk)rHrcheckerrrr __contains__s  zNameSubtree.__contains__rbcCst|t|dS)Nr_r)rrv)rLr_rbrrr from_nameszNameSubtree.from_namecCs4|d}t|\}}t|t||dj|djdS)Nr'minimummaximum)rr)rlrrvri)rLsubtreerhr_name_objrrrfrom_general_subtrees z NameSubtree.from_general_subtreecCs t|ddS)z Tree that contains all names of a given type. :param name_type: The name type to use. :return: Nr)r)rLr_rrruniversal_trees zNameSubtree.universal_tree)rr)rrrrD__annotations__r rvrintrr r[r r\rrr]rrrrrrrrs     rnamescs(dtjfddtjfdd|DiS)NrbcSstjtj|dS)N)r_rb)rrrDrUrbrrr_subtreesz(x509_names_to_subtrees.._subtreecsh|]}|qSrr)r-nrrr z)x509_names_to_subtrees..)r r\rDrU)rrrrx509_names_to_subtreessrtreesc CsDi}|D]}z ||j|Wqty|h||j<Yqw|Sr))r_addKeyError)rresulttreerrr_group_subtreess rsubtreescCstdd|DS)Ncss|]}t|VqdSr))rr)r-rrrrr0s  z+process_general_subtrees..)r)rrrrprocess_general_subtreessrc@sHeZdZ  d deedeeejdffddZ ddZ e dd Z dS) NameConstraintValidationResultNfailing_name_type failing_namecCs||_||_dSr)rr)rHrrrrrras z'NameConstraintValidationResult.__init__cCs |jduSr))rrGrrr__bool__ rwz'NameConstraintValidationResult.__bool__cCsD|jdusJ|j}t|tjr|j}|jj}d|d|dS)Nz The name 'z ' of type z is not allowed.)rrrr r\human_friendlyrbrc)rHname_strr_rrr error_messages   z,NameConstraintValidationResult.error_message)NN) rrrr rDr r[r r\rarrZrrrrrrs rc@NeZdZdefddZdefddZdedefd d Zd e j de fd d Z dS)PermittedSubtreesinitial_permitted_subtreescsfddtD}||_dS)Ncs i|] }|t|dgqS)r)setrFr-r_rrr 'sz.PermittedSubtrees.__init__..)rD_trees)rHrrrrrras  zPermittedSubtrees.__init__rcC&|D] \}}|j||qdSr))itemsrappend)rHrr_ new_permittedrrrintersect_with-z PermittedSubtrees.intersect_withr_rcs8ztfddt|j|DWStyYdSw)Nc3s&|]}tfdd|DVqdS)c3|]}|vVqdSr)rr-rrrrr09z:PermittedSubtrees.accept_name...N)any)r-trees_in_generationrrrr08s  z0PermittedSubtrees.accept_name..F)r4r6rrrHr_rbrrr accept_name2s   zPermittedSubtrees.accept_namermcFztfddt|D\}}t||dWSty"tYSw)Nc3s(|]\}}||s||fVqdSr))rr-r_rbrGrrr0C  z0PermittedSubtrees.accept_cert..rnextrur StopIterationrHrmrrrrGr accept_cert?    zPermittedSubtrees.accept_certN) rrr PKIXSubtreesrarrDrrr Certificaterrrrrrrs rc@r)ExcludedSubtreesinitial_excluded_subtreescCsdd|D|_dS)NcSsi|] \}}|t|qSrr)r-r_tree_setrrrrUsz-ExcludedSubtrees.__init__..)rr)rHrrrrraPs zExcludedSubtrees.__init__rcCrr))rrupdate)rHrr_ new_excludedrrr union_withZrzExcludedSubtrees.union_withr_rcs4ztfdd|j|DWStyYdSw)Nc3rr)rrrrrr0arz/ExcludedSubtrees.reject_name..T)rrrrrrr reject_name_s  zExcludedSubtrees.reject_namermcr)Nc3s(|]\}}||r||fVqdSr))rrrGrrr0irz/ExcludedSubtrees.accept_cert..rrrrrGrrerzExcludedSubtrees.accept_certN) rrrrrarrDrrr rrrrrrrrOs rcCddtDS)NcSsi|] }|t|hqSr)rrrrrrrvs z.default_permitted_subtrees..rDrrrrdefault_permitted_subtreesusrcCr)NcSsi|]}|tqSrrrrrrr}rz-default_excluded_subtrees..rrrrrdefault_excluded_subtrees|sr):rOlogging dataclassesr ipaddressrrtypingrrrrr r r asn1cryptor uritoolsr getLoggerrr ValueErrorrr[rrr&r*r9r?r\rCEnumrDrUrRrSrWrErr^ GeneralNamerlrrurvrrrrGeneralSubtreesrrrrrrrrrrsH $        3  6&