o vhDV@s`ddlZddlZddlmZddlmZmZmZmZm Z m Z ddl m Z ddl mZddlmZmZddlmZdd lmZdd lmZdd lmZmZGd d d ejZGdddeejZGdddeZee e jefZ GdddZ!Gddde!Z"GdddeZ#GdddZ$GdddZ%GdddZ&GdddeeZ'Gd d!d!eZ(dS)"N) defaultdict)AsyncGeneratorIterableIteratorListOptionalUnion)x509) trust_list)CertTrustAnchor TrustAnchor)PathBuildingError)CertificateFetcher)ValidationPath)CancelableAsyncIteratorConsListc@sDeZdZdZdefddZdefddZdejfdd Z d d Z d S) CertificateCollectionzS Abstract base class for read-only access to a collection of certificates. key_identifiercCs||}|s dS|dS)z Retrieves a cert via its key identifier :param key_identifier: A byte string of the key identifier :return: None or an asn1crypto.x509.Certificate object Nr)retrieve_many_by_key_identifier)selfr candidatesr\/var/www/html/hyperkenya/venv/lib/python3.10/site-packages/pyhanko_certvalidator/registry.pyretrieve_by_key_identifiers z0CertificateCollection.retrieve_by_key_identifiercCt)z Retrieves possibly multiple certs via the corresponding key identifiers :param key_identifier: A byte string of the key identifier :return: A list of asn1crypto.x509.Certificate objects NotImplementedErrorrrrrrr' z5CertificateCollection.retrieve_many_by_key_identifiernamecCr)z Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :return: A list of asn1crypto.x509.Certificate objects rrr rrrretrieve_by_name3rz&CertificateCollection.retrieve_by_namecCr)a] Retrieve a certificate by its ``issuer_serial`` value. :param issuer_serial: The ``issuer_serial`` value of the certificate. :return: The certificate corresponding to the ``issuer_serial`` key passed in. :return: None or an asn1crypto.x509.Certificate object rr issuer_serialrrrretrieve_by_issuer_serial? z/CertificateCollection.retrieve_by_issuer_serialN) __name__ __module__ __qualname____doc__bytesrrr Namer"r%rrrrrs  rc@s<eZdZdejdefddZdeejfddZdd Z d S) CertificateStorecertreturncCr) Register a single certificate. :param cert: Certificate to add. :return: ``True`` if the certificate was added, ``False`` if it already existed in this store. rrr.rrrregisterOrzCertificateStore.registercertscCs d}|D] }|||O}q|S)a Register multiple certificates. :param certs: Certificates to register. :return: ``True`` if at least one certificate was added, ``False`` if all certificates already existed in this store. Fr2)rr3addedr.rrrregister_multiple[s z"CertificateStore.register_multiplecCrNrrrrr__iter__kzCertificateStore.__iter__N) r'r(r)r Certificateboolr2rr6r9rrrrr-Ns r-c@sneZdZdZeddZddZdejde fdd Z d d Z d d Z de fddZdejfddZddZdS)SimpleCertificateStorez- Simple trustless certificate store. cCs|}|D]}||q|Sr7r4)clsr3resultr.rrr from_certsts z!SimpleCertificateStore.from_certscCsi|_tt|_tt|_dSr7)r3rlist _subject_map_key_identifier_mapr8rrr__init__{s zSimpleCertificateStore.__init__r.r/cCsd|j|jvrdS||j|j<|j|jj||jr&|j|j|dS|j|jj |dS)r0FT) r$r3rBsubjecthashableappendrrC public_keysha1r1rrrr2s  zSimpleCertificateStore.registercC |j|Sr7)r3)ritemrrr __getitem__ z"SimpleCertificateStore.__getitem__cCst|jSr7)iterr3valuesr8rrrr9szSimpleCertificateStore.__iter__rcCrJr7)rCrrrrrrMz6SimpleCertificateStore.retrieve_many_by_key_identifierr cCs |j|jSr7)rBrFr!rrrr"s z'SimpleCertificateStore.retrieve_by_namecCs z||WStyYdSwr7)KeyErrorr#rrrr%s   z0SimpleCertificateStore.retrieve_by_issuer_serialN)r'r(r)r* classmethodr@rDr r;r<r2rLr9r+rr,r"r%rrrrr=os  r=c@s<eZdZdZdejdefddZdejdee fddZ dS) TrustManagerz% Abstract trust manager API. r.r/cCrz Checks if a certificate is in the list of trust roots in this registry :param cert: An asn1crypto.x509.Certificate object :return: A boolean - if the certificate is in the CA list rr1rrris_rootrzTrustManager.is_rootcCr)z Find potential issuers that might have (directly) issued a particular certificate. :param cert: Issued certificate. :return: An iterator with potentially relevant trust anchors. rr1rrrfind_potential_issuersr&z#TrustManager.find_potential_issuersN) r'r(r)r*r r;r<rTrr rUrrrrrRs rRc@seZdZdZddZe  ddeedeeddfdd Zd e e e j ffd d Z d e j fddZdee j fddZd e j dee fddZdS)SimpleTrustManagerzk Trust manager backed by a list of trust roots, possibly in addition to the system trust list. cCst|_tt|_dSr7)set_rootsrrA_root_subject_mapr8rrrrDszSimpleTrustManager.__init__N trust_rootsextra_trust_rootsr/cCsT|durddtD}nt|}|dur||t}|D]}||q |S)a :param trust_roots: If the operating system's trust list should not be used, instead pass a list of asn1crypto.x509.Certificate objects. These certificates will be used as the trust roots for the path being built. :param extra_trust_roots: If the operating system's trust list should be used, but augmented with one or more extra certificates. This should be a list of asn1crypto.x509.Certificate objects. :return: NcSsg|]}|dqS)rr).0errr sz,SimpleTrustManager.build..)r get_listrAextendrV_register_root)r>rZr[manager trust_rootrrrbuilds  zSimpleTrustManager.buildrccCsPt|tr|}nt|}||jvr&|j}|j||j|jj |dSdSr7) isinstancer r rX authorityaddrYr rFrG)rrcanchorrfrrrras   z!SimpleTrustManager._register_rootr.cCst||jvSrS)r rXr1rrrrTs zSimpleTrustManager.is_rootcCsdd|jDS)Ncss |] }t|tr|jVqdSr7)rer certificate)r\rootrrr s z0SimpleTrustManager.iter_certs..)rXr8rrr iter_certs szSimpleTrustManager.iter_certsccs0|jj}|j|D] }|j|r|Vq dSr7)issuerrFrYrfis_potential_issuer_of)rr.issuer_hashablerjrrrrUs z)SimpleTrustManager.find_potential_issuers)NN)r'r(r)r*rDrQr TrustRootListrdrr r r;rarTrrlrUrrrrrVs*   rVc seZdZdZdddeeffddZe ddddee j deefd d Z dd e j d ee j ffd d Z de j dedeeee j ffddZde j fddZZS)CertificateRegistryz Contains certificate lists used to build validation paths, and is also capable of fetching missing certificates if a certificate fetcher is supplied. N cert_fetcherrscst||_dSr7)superrDfetcher)rrs __class__rrrD#s  zCertificateRegistry.__init__rr3cCs(||d}|D]}||q||_|S)a Convenience method to set up a certificate registry and import certs into it. :param certs: Initial list of certificates to import. :param cert_fetcher: Certificate fetcher to handle retrieval of missing certificates (in situations where that is possible). :return: A populated certificate registry. rr)r2ru)r>r3rsr?r.rrrrd's  zCertificateRegistry.buildr first_certificatecsNg}d}t|D]}|r|j|jkr|}q ||q |r%|d||S)af Retrieves a list certs via their subject name :param name: An asn1crypto.x509.Name object :param first_certificate: An asn1crypto.x509.Certificate object that if found, should be placed first in the result list :return: A list of asn1crypto.x509.Certificate objects Nr)rtr"sha256rGinsert)rr rxoutputfirstr.rvrrr"Bs  z$CertificateRegistry.retrieve_by_namer. trust_managerr/ccsp|jj}||EdH|j|D]#}||rq|jr(|jr(|j|jkr'qn |jr2|j|jkr2q|VqdSr7) rmrFrUrBrTauthority_key_identifierrauthority_issuer_serialr$)rr.r}rormrrrrU`s    z*CertificateRegistry.find_potential_issuerscCsJ|jdurdSdd|j|2IdH}|||D]}|VqdS)Ncsg|z3dHW}|q6Sr7r)r\rmrrrr^|szGCertificateRegistry.fetch_missing_potential_issuers..)rufetch_cert_issuersr6)rr.issuersrmrrrfetch_missing_potential_issuersxs   z3CertificateRegistry.fetch_missing_potential_issuers)rr7)r'r(r)r*rrrDrQrr r;rdr,r"rRrrr rUr __classcell__rrrvrrqs4  rqc@sReZdZdZdedefddZddZdej fd d Z dej d e e fd d Z dS) PathBuilderz( Class to handle path building. r}registrycCs||_||_dSr7)r}r)rr}rrrrrDs zPathBuilder.__init__cCst||S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate .. note:: This is a synchronous equivalent of :meth:`async_build_paths` that calls the latter in a new event loop. As such, it can't be used from within asynchronous code. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. )asynciorunasync_build_paths)rend_entity_certrrr build_pathsszPathBuilder.build_pathsrcs.g}||2z 3dHW}||q6|S)a1 Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, returning all paths in a single list. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: A list of pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs. N)async_build_paths_lazyrG)rrpathsr?rrrrs  zPathBuilder.async_build_pathsr/cCs(t|t|t|jgd}t||S)a Builds a list of ValidationPath objects from a certificate in the operating system trust store to the end-entity certificate, and emit them as an asynchronous generator. :param end_entity_cert: A byte string of a DER or PEM-encoded X.509 certificate, or an instance of asn1crypto.x509.Certificate :return: An asynchronous iterator that yields pyhanko_certvalidator.path.ValidationPath objects that represent the possible paths from the end-entity certificate to one of the CA certs, and raises PathBuildingError if no paths could be built )path certs_seen failed_paths) _PathWalkerrsingr$LazyPathIterator)rrwalkerrrrrs  z"PathBuilder.async_build_paths_lazyN)r'r(r)r*rRrqrDrr r;rrrrrrrrrs rc@s|eZdZdddejdeefddZeddZ d d Z d d Z d e e ejffddZd e e ejffddZddZdS)_IssuerFetcher path_builderrr.rcCsL||_||_||_|jj||jj}t||_d|_d|_ d|_ d|_ dS)NrF) r.rrrrUr}rNlocal_iss_iterlocal_issuers_foundfetched_issuers_found _fetched_cas_fetching_done)rrr.r local_issuersrrrrDs  z_IssuerFetcher.__init__cCs |j|jSr7)rrr8rrr issuers_founds z_IssuerFetcher.issuers_foundcC|Sr7rr8rrr __aiter__r:z_IssuerFetcher.__aiter__cCrr7rr8rrrr9r:z_IssuerFetcher.__iter__r/cCsB|jD]}t|tjr|j}||jvrq|jd7_|St)Nr )rrer r;r$rr StopIterationrrmcert_idrrr__next__s   z_IssuerFetcher.__next__cszt|WStyYnw|jdur$|js$|js$|jj|j|_|jdurJ|j2z3dHW}|j }||j vr;q,|j d7_ |S6d|_t )Nr T) nextrrrrrrrr.r$rrStopAsyncIterationrrrr __anext__s2     z_IssuerFetcher.__anext__cs0|jdur|jIdHd|_d|_dSdS)NT)racloserr8rrrcancels   z_IssuerFetcher.cancelN)r'r(r)r r;rr+rDpropertyrrr9rr rrrrrrrrs   rc @sReZdZdddeejdeedeeejfddZdd Z d d Z d d Z dS)rrrrrrcCsF||_||_||_|j}t|tjsJt||||_||_ d|_ dSr7) rrrheadrer r;r_issuer_fetcherr _next_level)rrrrrr.rrrrD%s z_PathWalker.__init__csJ|jdur|jIdHd|_|jdur#|jIdHd|_dSdSr7)rrrr8rrrr5s   z_PathWalker.cancelcCrr7rr8rrrr=r:z_PathWalker.__aiter__c s|jdurtd}|dur~|jdurcz |jIdH}Wnty9}z|jjs0|j|jd|_|d}~wwt|t rPt |j}t ||dd|dSt |j |j||j|j|j|_z |jIdH}Wn tyyd|_Ynw|dus|S)N)rrrrrrrGrrer rArrrconsrr$)r next_path next_issuerr]r3rrrr@s>        z_PathWalker.__anext__N) r'r(r)rr r;r+rrDrrrrrrrr$s   rc@sPeZdZUdZeeed<dedej fddZ ddZ d d Z d efd d Z dS)rN_as_rootrr.cCs:|jj|rtt|gd|_||_d|_|jj |_ dS)Nr) rr}rTrr r_walker emitted_countrEhuman_friendly_name)rrr.rrrrDfs zLazyPathIterator.__init__cs$|jdur|jIdHdSdSr7)rrr8rrrrns zLazyPathIterator.cancelcCrr7rr8rrrrrr:zLazyPathIterator.__aiter__r/cs|jdurt|jdur|jd7_d|_|jSz|jIdH}|jd7_|WSty5Ynw|jdkr]|jjdj}t|tj sJJ|j j }d|_t d|j d|dt)Nr rz7Unable to build a validation path for the certificate "z" - no issuer matching "z " was found)rrrrrrrrer r;rmrrr)rr path_headmissing_issuer_namerrrrus6    zLazyPathIterator.__anext__)r'r(r)rrr__annotations__rr r;rDrrrrrrrrcs rc@sHeZdZdZdeefddZdefddZde j fd d Z d d Z d S)LayeredCertificateStorezi Trustless certificate store that looks up certificates in other stores in a specific order. storescCs ||_dSr7)_stores)rrrrrrDrMz LayeredCertificateStore.__init__rcfdd}t|S)Nc3"jD] }|EdHqdSr7)rrstorerrrr_gen zELayeredCertificateStore.retrieve_many_by_key_identifier.._genrA)rrrrrrr z7LayeredCertificateStore.retrieve_many_by_key_identifierr cr)Nc3rr7)rr"rr rrrrrz6LayeredCertificateStore.retrieve_by_name.._genr)rr rrrrr"rz(LayeredCertificateStore.retrieve_by_namecCs*|jD]}||}|dur|SqdSr7)rr%)rr$rr?rrrr%s  z1LayeredCertificateStore.retrieve_by_issuer_serialN) r'r(r)r*rrrDr+rr r,r"r%rrrrrs  r))abcr collectionsrtypingrrrrrr asn1cryptor oscryptor rfr r errorsrfetchersrrrutilrrABCrr-r=r;rprRrVrqrrrrrrrrrs.       <!8 RiSL?.